ZyXEL USG Logs to remote server (especially AWS CloudWatch)

pista
pista Posts: 22  Freshman Member
edited April 14 in Security
Hi guys! 

I am wondering (or even browsing the web and ZyXEL KB), if there is a possibility to send logs from ZyXEL device to remote server? 

Hopefully, this is not all I can do(?):
https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=011800&lang=EN

More important question is, is there possibility to send it to AWS CloudWatch? Does anybody did something like this? 

Thanks!

Accepted Solution

  • pista
    pista Posts: 22  Freshman Member
    edited July 2018 Accepted Answer
    Thanks for reply @Blabababa and @Ian31 !

    AWS CloudWatch uses their own CloudWatch agent, that's true.

    Yesterday I connected it to Logentries - there is possible to use 'Plain TCP/UDP Forwarding (Legacy)', for more info, read here.

    But it is crazy bad that ZyXEL doesn't have nothing better (secured), with security token or something! 

All Replies

  • Blabababa
    Blabababa Posts: 121  Ally Member
    I had tried to use syslog-ng on Raspberry Pi as my external log server and it works(using udp port 514).
    Not sure what protocol and port AWS CloudWatch will use. Is it using the standard syslog port to receive the log from outside, too?
  • Ian31
    Ian31 Posts: 149  Ally Member
    edited July 2018
    I don't think USG can direct connect to CloudWatch now. Since need built-in the CloudWatch agent
    into it.
    The alternative solution is to install a syslog server on-premise or on AWS EC2, then install the CloudWatch agent on it, as a middleware to CloudWatch.

    There also a lot of cloud hosting service for log management, which can save the effort to build your own.
  • Ian31
    Ian31 Posts: 149  Ally Member
    @pista
    Yes, it's trend to support secure logs transfer (ex. syslog over TLS) to cloud hosting service.
    Hope this feature could be consider be Zyxel.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 928  Zyxel Employee
    edited July 2018

    Hi @Ian31

    Thanks for your explanation.

    Currently USG does not support for AWS cloud watch.

    So I would like to move this topic to idea section.

  • warwickt
    warwickt Posts: 99  Ally Member
    Hi Pista, yes you can send the logging to one or more servers or desktops if you have them to capture the verbose logging from most ZYXEL appliances.

    No need to waste time with overrated cloud stuff.. simply provision it locally at your home or business.... 

    We do this with our clients with all zyxel USGxx's and also Zyxel L2 GS2210 managed switches to macOS servers.

    What you need:

    1. network host addressability and access to the logging servers
    2. a logging agent / task / daemon on the logging server the processes the logging from the USG i.e. ( use syslog-ng on macOS ) 
    3. optionally use another logging port other than the default port (UDP 514)
    4. a mechanism on the logger server(s) to "turnover' and remove older logs (/etc/newsyslog.conf)

    Steps:

    1. set u[p a remote logger on the remote servers (FreeBSD, Centos, macOS etc etc ). We use syslog-nd from the mac ports website. There are few versions else use the native syslogd  in the remote server.
    2. ensure the remote server permits access to port 514 (or the port you want to use) else set up another port to use in public end.
    3. allocate/configure remote directories to contain the syslog for each server. (i.e. path/to/usg60_002.log) and set the r/w access (ACL or chmod) 
    4. verify that the remote host accepts access on the port. Here, port 64514 is used from macOS, freebsd11.2 and unbuntu18
    5. macmini-02-server:~ warwick$ <b>sudo lsof -i :64514</b>
      COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
      <b>syslog-ng</b> 237 root   10u  IPv4 0x598b69fe9335fd05      0t0  UDP *:64514
      macpro:~ warwick$ <b>nc -vnzu 10.0.99.12 64514</b>
      found 0 associations
      found 1 connections:
           1:	flags=82<CONNECTED,PREFERRED>
      	outif (null)
      	src 10.0.99.9 port 65154
      	dst 10.0.99.12 port 64514
      	rank info not available
      
      Connection to 10.0.99.12 port 64514 [udp/*] succeeded!<br>
      [email protected]:/$ <b>nc -vnzu 10.0.99.9 64514;nc -vnzu 10.0.99.12 64514</b>
      Connection to 10.0.99.9 64514 port [udp/*] succeeded!
      Connection to 10.0.99.12 64514 port [udp/*] succeeded!<br>
      [email protected]:~ # <b>nmap -sU -p 64514 macpro-lacp;nmap -sU -p 64514 macmini-02-server</b>
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-15 17:51 HKT
      Nmap scan report for macpro-lacp (10.201.95.9)
      Host is up (-0.21s latency).
      rDNS record for 10.201.95.9: macpro-l95.nnnnnnn.studio
      
      PORT      STATE         SERVICE
      64514/udp open|filtered unknown
      MAC Address: xx:xx:xx:xx:xx:xx (Apple)
      
      Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-15 17:51 HKT
      Nmap scan report for macmini-02-server (10.0.99.12)
      Host is up (-0.21s latency).
      rDNS record for 10.0.99.12: macmini-02-server.nnnnnnnn.studio
      
      PORT      STATE         SERVICE
      64514/udp open|filtered unknown
      MAC Address: <span>xx:xx:xx:xx:xx:xx</span> (Apple)<br>
      Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds
      [email protected]:~ #<br>
    6. configure /etc/newsyslog.conf to roll over the logs and delete the older log versions ... (do what you need for ms windows ,... what ever that is.. )
    7. Now on your ZYXEL USG appliance(s): Configure USG appliance Configure / Log & Report / Log Settings: (in the following example there are two (2x) servers the the router sends the logs to. These are archived for auditing.)
    8. Optional to use a specific UDP port instead of the default Port 514. You need to access the USG appliance with ssh to use the shell to set the port you want. Zyxel dont provide this in the USG UI. :s . Refer to the latest ZYXEl USG "CLI Reference Guide" .. get from 
    9. log into the USG appliance (via ssh ...) and issue the show logging status syslog command. In this example only the port 64514 is already set to the one we use.
      Router> <b>show logging status syslog
      remote server: 1
      </b>  enable: yes
        log format: vrpt, server address: macmini-02-server.nnnnnnn.studio, <b>server port: 64514</b>, log facility: Local_1
        category settings:
          content-filter    : no     , forward-web-sites : no     ,
          blocked-web-sites : no     , warning-web-sites : no     ,
          user              : normal , myZyXEL.com       : no     ,
          zysh              : no     , idp               : normal ,
          app-patrol        : no     , bwm               : normal ,
          ike               : no     , ipsec             : normal ,
          secure-policy     : normal , sessions-limit    : normal ,
          policy-route      : normal , built-in-service  : normal ,
          system            : normal , system-monitoring : no     ,
          connectivity-check: all    , routing-protocol  : all    ,
          nat               : all    , pki               : normal ,
          interface         : all    , interface-statistics: no     ,
          account           : normal , port-grouping     : normal ,
          l2tp-over-ipsec   : normal , anti-virus        : no     ,
          ssl-vpn           : no     , cnm               : normal ,
          traffic-log       : no     , file-manage       : no     ,
          adp               : normal , anti-spam         : no     ,
          forward-clear-mails: no     , cellular          : no     ,
          daily-report      : no     , ipmac-binding     : normal ,
          dhcp              : all    , auth-policy       : all    ,
          capwap            : no     , wlan-monitor      : no     ,
          wlan-rogueap      : no     , wlan-frame-capture: no     ,
          wlan-dcs          : no     , wlan-band-select  : no     ,
          wlan-load-balancing: no     , rtls              : normal ,
          inbound-lb        : normal , usb-storage       : normal ,
          web-authentication: no     , redirect-service  : normal ,
          capwap-dataforward: no     , authentication-server: normal ,
          wlan-station-info : no     , zymesh            : no     ,
          wlan-auto-healing : no     , default           : normal ,
          upnp              : normal , layer2-isolation  : no     ,
          sso               : normal , zon               : no     ,
          ap-firmware       : no     , geoip             : no     ,
          dfs               : no     , fqdn-object       : no     ,
          session-monitor   : no     ,
      <b>remote server: 2</b>
        enable: yes
        log format: vrpt, server address: macpro-l99.nnnnnnnnn.studio, <b>server port: 64514</b>, log facility: Local_1
        category settings:
          content-filter    : no     , forward-web-sites : no     ,
          blocked-web-sites : no     , warning-web-sites : no     ,
          user              : normal , myZyXEL.com       : no     ,
          zysh              : normal , idp               : normal ,
          app-patrol        : no     , bwm               : normal ,
          ike               : normal , ipsec             : normal ,
          secure-policy     : all    , sessions-limit    : all    ,
          policy-route      : normal , built-in-service  : normal ,
    10. now set the port you want use use instead of the default port 514 uses by syslog...... In this example 'syslog 2' is configured to use port 64514. The router will start logging to that server on that port:
      Router(config)# <b>logging syslog 2 port 64514</b>
      server '2' port:64514 
      Router(config)#
    11. Here's an example with specifics looking for the usual scumbags :/ trying to get in on the WAN ports at the active log at
      <b>tail -f  /Volumes/zfs_dataset_usg_routers/usg_60_router_logs/node09-usg60-01.log |  grep -i "abnormal TCP flag attack detected"</b>
      
      Aug 15 15:09:42 myrouter src="172.97.181.203: 50599" dst="xxx.xxx.xxx.xxx:65446" msg="abnormal TCP flag attack detected, DROP" note="ACCESS BLOCK" user="unknown" devID="aabbccddeeff" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:ANY" protoID=6 proto="others"
      Aug 15 16:55:27 myrouter src="172.97.181.203: 50658" dst="xxx.xxx.xxx.xxx:56512" msg="abnormal TCP flag attack detected, DROP" note="ACCESS BLOCK" user="unknown" devID="aabbccddeeff" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:ANY" protoID=6 proto="others"
      Aug 15 18:15:00 myrouter src="172.97.181.203: 50704" dst="xxx.xxx.xxx.xxx:62166" msg="abnormal TCP flag attack detected, DROP" note="ACCESS BLOCK" user="unknown" devID="aabbccddeeff" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:ANY" protoID=6 proto="others"

    Epilogue:

    you will need to research the specific settings to configure both the syslog rollover/cleanup (typically /etc/newsyslog) and the syslogd or replacement  and on the OS platform for the desktop(s) or server(s) you want to use. 

    This is very easy on FreeBSD and Linux. Use syslog-ng for macOS.

    Note to Zyxel_Stanley and  the team at Zyxel in lovely 台灣 

    ..... would you blokes add a PORT specification in the next firmware update of the USG range in syslog remote server settings?

    You did this in the firmware for the GS2210 firmware ...

    HTH

    Warwick
    Hong Kong
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 928  Zyxel Employee

    Hi @warwickt

    Thanks for your explanation on it.

    Currently syslog port is only able change by CLI command but without GUI.

    So I would like to move this topic to idea section.

  • Zyxel_Joshua
    Zyxel_Joshua Posts: 16  Zyxel Employee
    warwickt,
    ZLD 4.35 is released.
    You can setup the port of server on GUI now.

Security Highlight