13
Votes

Firewall SYSLOG

 
13
Votes

Firewall SYSLOG

Firewall SYSLOG
Firewall SYSLOG
2024-06-14 18:50:23 - last edited 2024-06-26 02:20:57
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version:

From what I understand the remote syslog functionality of the Omada SDN controller is only sending syslog messages regarding the controller only. It is not enabling syslog at a device level.

 

This is one feature that I like about Ubiquiti Unifi is when you enable syslog, all devices send their syslogs to the syslog server specified.

 

This remote syslog for devices will be greatly beneficial for firewall logging in to SIEMs and better monitor real-time firewall activity.

 

I believe the syslog functionality already exists on the end devices but if just not exposed in the Omada SDN controller.

 

I would very much like to see this feature as to me it's one of very few that will have a huge benifit to the cyber security community.

#1
Options
10 Reply
Re:Firewall SYSLOG
2024-06-17 02:38:35

Hi @AshleyT 

Thanks for posting in our business forum.

Can you be specific about what you expect to see? As you have mentioned the UBNT, what does their firewall syslog look like?

Would be great if you could show me a picture of that so I can include it in the request report.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#2
Options
Re:Firewall SYSLOG
2024-06-17 12:18:18

 Hi @Clive_A,

 

Sure. Sorry if this is a ramble but please do ask me to clarify anything further.

 

The goal of this is to be able to see detailed firewall logs from the routers.

 

UBNT Unifi Approach

Currently in Unifi there is a single Syslog option much like TPLink, however this option in Unifi enables and disables the syslogs on the devices controlled by the controller rather than syslogs from the controller itself.

 

This gives really detailed logs from all devices currently in the controller, however, this can be over whelming with the amount of logs being sent.

 

There is also an option in the Unifi controller to allow logs from certain firewall entries as to whether you would like to collect logs or not from a firewall rule

 

 

 

The Proposed TP-Link Solution

I propose the following to allow for specific syslog events to be fired.

 

1. Add the logging option to the Gateway, Switch and EAP ACL page

 

 

2. Syslog settings are to be pushed down to managed devices

3. For an additional option under each Site to have "ACL logging only". This would then only fire syslog events for the specified ACL rules that have been selected.

 

An example syslog event would like something like this:

 

ER605 [WAN] IN DESCR="no rule description" IN=br10 OUT= MAC=e4:38:83:62:7f:c9:e8:d8:d1:58:57:b8:08:00 SRC=10.6.0.34 DST=10.6.0.1 LEN=65 TOS=00 PREC=0x00 TTL=128 ID=13349 PROTO=UDP SPT=64651 DPT=53 LEN=45 MARK=0

 

Lets break this down

  1. The first part is the device name
  2. Next is the traffic direction. For instance this on is a [WAN] IN direction but it could also be LAN->WAN or LAN->LAN
  3. DESCR, this is the description of the rule from the input of the controller.
  4. IN is the interface the traffic arrived at
  5. OUT is the interface the traffic left the device
  6. MAC... not sure what Unifi have done for this as that is certainly not a MAC address but this should be the source MAC address from the packet
  7. SRC is the source IP address of the packet
  8. DST is the destination IP of the packet
  9. LEN - again not sure what the length is referring to, i would assume the header length of the packet but could be the data length
  10. TOS - is basically the QoS
  11. PREC - relating to DSCP
  12. TTL - Packet time to live
  13. ID - Packet reference
  14. Proto - Packet protocol
  15. SPT - source port of the packet
  16. DPT - destination port
  17. LEN - again as stated at point 9 this is either header or data length of the packet
  18. MARK - and no idea for this

 

There are a couple of other packet types that also are fired by unifi and i have listed examples of thios below:

ISSUXG [LAN_LOCAL-RET-2147483647] DESCR="no rule description" IN=br0 OUT= MAC=e4:38:83:62:7f:c9:f4:e2:c6:f1:9b:b3:08:00 SRC=10.0.0.123 DST=10.0.0.1 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8080 DPT=32800 SEQ=440557490 ACK=3157500235 WINDOW=28960 ACK SYN URGP=0 UID=0 GID=0 MARK=1c0000

ISSUXG [LAN_LOCAL-RET-2147483647] DESCR="no rule description" IN=br0 OUT= MAC=e4:38:83:62:7f:c9:60:e9:aa:18:4a:95:08:00 SRC=10.0.0.23 DST=10.0.0.1 LEN=40 TOS=00 PREC=0x00 TTL=128 ID=34011 DF PROTO=TCP SPT=52512 DPT=53 SEQ=658760599 ACK=3861139809 WINDOW=512 ACK URGP=0 MARK=0

 

 

I hope this all makes sense but just to wrap up.

1. Tick box to be added to ACL entries to log events of the rule

2. Tick box to be added to General settings under Syslog for "ACL Events Only"

3. Push syslog settings down to managed routers, switches and access points.

 

Many thanks

 

Ashley

#3
Options
Re:Firewall SYSLOG
2024-06-18 06:11:43

Hi  @AshleyT 

AshleyT wrote

 Hi @Clive_A,

 

Sure. Sorry if this is a ramble but please do ask me to clarify anything further.

 

The goal of this is to be able to see detailed firewall logs from the routers.

 

UBNT Unifi Approach

Currently in Unifi there is a single Syslog option much like TPLink, however this option in Unifi enables and disables the syslogs on the devices controlled by the controller rather than syslogs from the controller itself.

 

This gives really detailed logs from all devices currently in the controller, however, this can be over whelming with the amount of logs being sent.

 

There is also an option in the Unifi controller to allow logs from certain firewall entries as to whether you would like to collect logs or not from a firewall rule

 

 

 

The Proposed TP-Link Solution

I propose the following to allow for specific syslog events to be fired.

 

1. Add the logging option to the Gateway, Switch and EAP ACL page

 

 

2. Syslog settings are to be pushed down to managed devices

3. For an additional option under each Site to have "ACL logging only". This would then only fire syslog events for the specified ACL rules that have been selected.

 

An example syslog event would like something like this:

 

ER605 [WAN] IN DESCR="no rule description" IN=br10 OUT= MAC=e4:38:83:62:7f:c9:e8:d8:d1:58:57:b8:08:00 SRC=10.6.0.34 DST=10.6.0.1 LEN=65 TOS=00 PREC=0x00 TTL=128 ID=13349 PROTO=UDP SPT=64651 DPT=53 LEN=45 MARK=0

 

Lets break this down

  1. The first part is the device name
  2. Next is the traffic direction. For instance this on is a [WAN] IN direction but it could also be LAN->WAN or LAN->LAN
  3. DESCR, this is the description of the rule from the input of the controller.
  4. IN is the interface the traffic arrived at
  5. OUT is the interface the traffic left the device
  6. MAC... not sure what Unifi have done for this as that is certainly not a MAC address but this should be the source MAC address from the packet
  7. SRC is the source IP address of the packet
  8. DST is the destination IP of the packet
  9. LEN - again not sure what the length is referring to, i would assume the header length of the packet but could be the data length
  10. TOS - is basically the QoS
  11. PREC - relating to DSCP
  12. TTL - Packet time to live
  13. ID - Packet reference
  14. Proto - Packet protocol
  15. SPT - source port of the packet
  16. DPT - destination port
  17. LEN - again as stated at point 9 this is either header or data length of the packet
  18. MARK - and no idea for this

 

There are a couple of other packet types that also are fired by unifi and i have listed examples of thios below:

ISSUXG [LAN_LOCAL-RET-2147483647] DESCR="no rule description" IN=br0 OUT= MAC=e4:38:83:62:7f:c9:f4:e2:c6:f1:9b:b3:08:00 SRC=10.0.0.123 DST=10.0.0.1 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8080 DPT=32800 SEQ=440557490 ACK=3157500235 WINDOW=28960 ACK SYN URGP=0 UID=0 GID=0 MARK=1c0000

ISSUXG [LAN_LOCAL-RET-2147483647] DESCR="no rule description" IN=br0 OUT= MAC=e4:38:83:62:7f:c9:60:e9:aa:18:4a:95:08:00 SRC=10.0.0.23 DST=10.0.0.1 LEN=40 TOS=00 PREC=0x00 TTL=128 ID=34011 DF PROTO=TCP SPT=52512 DPT=53 SEQ=658760599 ACK=3861139809 WINDOW=512 ACK URGP=0 MARK=0

 

 

I hope this all makes sense but just to wrap up.

1. Tick box to be added to ACL entries to log events of the rule

2. Tick box to be added to General settings under Syslog for "ACL Events Only"

3. Push syslog settings down to managed routers, switches and access points.

 

Many thanks

 

Ashley

Great explanation. I understand what you need. Will record what you suggested.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#4
Options
RE:Firewall SYSLOG
2024-06-25 08:06:35
I recommend this feature.
Alex Kota Kinabalu, Sabah Malaysia
#5
Options
Re:Firewall SYSLOG
2024-06-26 02:20:11 - last edited 2024-06-26 02:20:46

Hi @AshleyT 

Thanks for posting in our business forum.

AshleyT wrote

 

I hope this all makes sense but just to wrap up.

1. Tick box to be added to ACL entries to log events of the rule

2. Tick box to be added to General settings under Syslog for "ACL Events Only"

3. Push syslog settings down to managed routers, switches and access points.

 

Many thanks

 

Ashley

Regarding the requests

  • ACL log will be added to the system in V5.15. ETA.

Note this log is not gonna be stored on the Omada Controller. You are required to set up the sys log server to store this ACL log.

 

  • DPI does not support time stamps due to hardware limitations and performance concerns. @kogan 

In the short term, we don't have plans to add it.

 

Please note that this will involve an adapted firmware, not just a controller update. Firmware development is a complex process, and timelines may change. Therefore, we cannot provide a specific release date at this time. Please stay tuned to future firmware release notes for updates.

When introducing a feature like this, we typically apply it uniformly across all models to ensure consistency and a seamless user experience.

However, it's essential to acknowledge that hardware limitations may exist, which might prevent us from adding the feature to certain models. In such cases, we cannot provide individual notifications explaining the reason. Please note that we cannot guarantee the fulfillment of all requests, and we must set clear expectations upfront.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#6
Options
Re:Firewall SYSLOG
2024-06-26 08:47:13

  Hi @Clive_A,

 

Just a followup question.

 

You mentioned that DPI doesn't have a time stamp. Does this mean there is still a log that will be fired without a timestamp or that dpi will not be part of this update?

 

Thanks

 

Ashley

#7
Options
Re:Firewall SYSLOG
2024-06-26 08:49:33

Hi @AshleyT 

Thanks for posting in our business forum.

AshleyT wrote

  Hi @Clive_A,

 

Just a followup question.

 

You mentioned that DPI doesn't have a time stamp. Does this mean there is still a log that will be fired without a timestamp or that dpi will not be part of this update?

 

Thanks

 

Ashley

It does not have a log but a chart to show what apps or services were used. It has been like this since it was added. No changes or planned update.

In the short term, there will not be a log to it or a time stamp for it due to the reason explained.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#8
Options
Re:Firewall SYSLOG
2024-09-18 21:06:55

+1 for improved logging.  I use a centralised syslog (remote logging) server to help manage my Omada network (s/w controller, ER7412-M2 and several EAP 225's) as well as several synology NASs and some printers.

 

Currently the ER7412-M2 gateay does not send log entries for IDS or connectivity issues to the remote server.  In fact, connecivity issues such as physical disconnection from WAN are not logged locally in Omada SDN either. 

 

Refer seperate topic on this: https://community.tp-link.com/en/business/forum/topic/703550

#9
Options
RE:Firewall SYSLOG
2024-09-19 14:57:30
definitely a nice feature for troubleshooting.
#10
Options
Re:Firewall SYSLOG
2024-11-08 13:11:51

  @AshleyT

 

I certainly want to have these more complete implementations on my OC200 V1.

#11
Options