Imperva Cyber Community

  • 1.  Gateway Log - Security Event - System Log to different syslog servers

    Posted 19 days ago
    Hi all,

    We have gateways deployed in different sites, e.g. site A & site B. Also, there are local syslog servers in both sites. For the same policy rule, how can we tell the gateway in site A to send logs to the syslog server in site A only, while the gateway in site B sends logs to the syslog server in site B only?

    Thank you.
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Ken Chau
    IT Manager
    Central Hong Kong
    ------------------------------


  • 2.  RE: Gateway Log - Security Event - System Log to different syslog servers

    Posted 19 days ago
    Where is your policy defined - on the same MX for both gateways, in a SOM?

    If the gateways are in separate gateway groups, then configure the gateway group external logger section for the different syslog servers.
    And in the policy, check the "Enable using gateway configuration if exists" checkbox.

    Another option may be to set up a load balancer to direct the traffic to the correct syslog server by the IP of the sending gateway.


    ------------------------------
    Robert Miller
    Senior Cybersecurity Engineer
    Bank of the West
    Omaha NE
    ------------------------------



  • 3.  RE: Gateway Log - Security Event - System Log to different syslog servers

    Posted 18 days ago
    Hi Robert,

    Yes, the policy is defined on the same MX.

    In the policy, I don't find this "Enable using gateway configuration if exists" checkbox. Any idea which version this feature is supported from?

    Thank you. 


    ------------------------------
    Ken Chau
    IT Manager
    Central Hong Kong
    ------------------------------



  • 4.  RE: Gateway Log - Security Event - System Log to different syslog servers

    Posted 18 days ago
    Hi Ken,

    This policy option is available for Audit type policies.

    ------------------------------
    Cezmi Cal
    technical support engineer
    Barikat Cyber Security
    Ankara
    ------------------------------



  • 5.  RE: Gateway Log - Security Event - System Log to different syslog servers

    Posted 18 days ago
    Sorry, I missed that you were talking about Security Events and WAF. 
    The "Enable using gateway configuration if exists" is for Audit policies.

    And the external logger section in the gateway group is not available for WAF-only deployments.

    Do the syslog events get generated from each gateway directly to the syslog server, or are they sent from the MX?
    If they are generated from each gateway, then maybe a load balancer in front of the syslog servers would work.

    ------------------------------
    Robert Miller
    Senior Cybersecurity Engineer
    Bank of the West
    Omaha NE
    ------------------------------
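
The load-balancer idea from the replies above (forwarding each syslog datagram to a server chosen by the sending gateway's IP), sketched as an added example that is not code from the thread participants or from Imperva. It assumes UDP syslog; the subnets, server addresses and listening port 5514 are constructed values.

```python
import ipaddress
import socket

# Constructed addressing: gateway subnet per site -> that site's syslog server.
ROUTES = [
    (ipaddress.ip_network("10.10.0.0/16"), ("10.10.5.20", 514)),  # site A
    (ipaddress.ip_network("10.20.0.0/16"), ("10.20.5.20", 514)),  # site B
    (ipaddress.ip_network("10.10.9.7/32"), ("10.20.5.20", 514)),  # one gateway pinned to B
]

def pick_server(src_ip, routes=ROUTES):
    """Return (host, port) of the syslog server for a sending gateway, or None."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return None
    # Longest-prefix match, so a per-gateway /32 overrides the site-wide subnet.
    matches = [(net.prefixlen, dst) for net, dst in routes if addr in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None

def relay(bind=("0.0.0.0", 5514), routes=ROUTES, max_packets=None):
    """Forward each received datagram unchanged to the server for its source IP."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(bind)
    stats = {"forwarded": 0, "dropped": 0}
    try:
        while max_packets is None or sum(stats.values()) < max_packets:
            data, (src, _port) = rx.recvfrom(65535)
            dst = pick_server(src, routes)
            if dst is None:
                stats["dropped"] += 1  # unknown sender: count it, never forward
                continue
            tx.sendto(data, dst)
            stats["forwarded"] += 1
    finally:
        rx.close()
        tx.close()
    return stats

if __name__ == "__main__":
    relay()
```

Because the datagram is re-sent by the relay, the receiving syslog server sees the relay's address as the source; the original gateway is identifiable only from what the message itself carries.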



  • 6.  RE: Gateway Log - Security Event - System Log to different syslog servers

    Posted 14 days ago
    So, I kind of have the same use case going on. From the above Q&A I take it that the log events are being sent directly from the gateway. From what I understand, the gateway can only send audit policy logs directly from the gateway, which is configurable; all other events (i.e. system, security) must be sent from gateway >> MX >> Ext-Logger.

    Martell Thyman
    Lead Cyber Security Engineer
    Visa Inc.

    ------------------------------
    Martell Thyman
    Cyber Security Engineering Engineer
    Ashburn VA
    ------------------------------



  • 7.  RE: Gateway Log - Security Event - System Log to different syslog servers

    Posted 12 days ago
    But I find that the logs from the gateway have more details than the ones from the MX. So, we prefer to have the gateway send logs directly to the syslog servers.

    ------------------------------
    Ken Chau
    IT Manager
    Central Hong Kong
    ------------------------------



  • 8.  RE: Gateway Log - Security Event - System Log to different syslog servers

    Posted 12 days ago
    Yes, we want to have the logs directly generated from the gateway.

    ------------------------------
    Ken Chau
    IT Manager
    Central Hong Kong
    ------------------------------