Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.


Overview

This document provides the steps to integrate the RV320 and RV325 VPN Router Series with Seceon SIEM, so that you have comprehensive visibility and proactive threat detection in your environment. The device forwards its logs to the APE (Analytics and Policy Engine) via the CCE (Collection and Control Engine). The steps below cover the log forwarding configuration.

Applicable Devices

  • RV320 Dual WAN VPN Router

  • RV325 Gigabit Dual WAN VPN Router

System Log Configuration

Step 1: Access the System Log

Log in to the Web Configuration Utility and navigate to Log > System Log. This will open the System Log page:

Step 2: Configure System Logs on System Log Servers

  • Check the "Enable" option in the Syslog1 field.

  • Enter the hostname or IP address of the system log server in the "Syslog Server 1" field.

  • (Optional) To send logs to another system log server, check "Enable" in the Syslog2 field.

  • If the "Enable" box is checked in the Syslog2 field, enter the hostname or IP address of the second system log server in the "Syslog Server 2" field.

  • Click "Save" to complete the configuration of sending system logs through system log servers.

Step 3: Log Settings

1. Check the check boxes of the events that will trigger a log entry.

Alert Logs: These logs are created when an attack or attempted attack has occurred, such as:

  • Syn Flooding: when SYN requests are received faster than the router can process them.

  • IP Spoofing: when the router receives IP packets with forged source IP addresses.

  • Unauthorized Login Attempt: when an attempt to log on to the network has been rejected.

  • Ping of Death: when a ping of abnormal size has been sent to an interface in an attempt to crash the target device.

  • Win Nuke: when the remote Distributed Denial of Service (DDOS) attack known as WinNuke has been sent to an interface in an attempt to crash the target device.

General Logs: These logs are created when general network actions occur, such as:

  • Deny Policies: when access has been denied to a user based on the configured policies of the router.

  • Authorized Login: when a user has been authorized to access the network.

  • System Error Messages: when a system error has occurred.

  • Allow Policies: when access has been granted to a user based on the configured policies of the router.

  • Kernel: includes all kernel messages in the log. The kernel is the first part of the operating system that loads into memory at boot; kernel messages are the log entries it generates.

  • Configuration Changes: when the router configuration has been modified.

  • IPSEC & PPTP VPN: when an IPSEC & PPTP VPN negotiation, connection, or disconnection has occurred.

  • SSL VPN: when an SSL VPN negotiation, connection, or disconnection has occurred.

  • Network: when a physical connection has been made or lost on the WAN or DMZ interfaces.

2. Click "Save" to complete the configuration of the Log Settings.

Note: To clear the current log, click "Clear Log".

Verification of configuration

Verification of configuration can be done in two ways:

  • From the Collector-Syslog Server (CCE): This can involve logging into the CCE and checking the configuration settings, testing connectivity and functionality of the various components, and comparing the actual results against the expected or desired outcomes.

  • From the UI: This can involve logging into the user interface and checking the configuration settings, monitoring the logs and flows, and comparing the actual results against the expected or desired outcomes.

Both methods can be used to ensure that the system is properly configured and working as intended.

Using UI

STEP 1: Log in to the UI >> SYSTEM

STEP 2: >> Logs and flows collection status

STEP 3: To verify the source device IP from the UI:

  • Log in to the user interface

  • Navigate to the "SYSTEM" section

  • Look for the "SOURCE DEVICE IP"

  • Check the IP address that is displayed

  • Compare the IP address displayed against the expected source device IP

This confirms that the system is correctly identifying the source device IP and that it matches the expected IP address.
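The collector-side check described above (confirming that syslog from the expected router IP is actually arriving on the CCE), as an added example that is not Seceon's or the router vendor's code. The sample datagrams and their message wording are constructed for illustration; the expected IP 192.0.2.1 and UDP port 514 are assumptions.

```python
"""Verify on the syslog collector (CCE) that RV320/RV325 log lines arrive from
the expected source device IP. Standard library only."""
import re
import socket
from collections import Counter

# RFC 3164 shape: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$")

def parse_syslog(line: str) -> dict:
    """Split a raw syslog line into facility, severity, host and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"valid": False, "raw": line}
    pri = int(m.group("pri"))
    return {"valid": True, "facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group("ts"), "host": m.group("host"),
            "msg": m.group("msg")}

def check_source(records, expected_ip: str) -> dict:
    """records: iterable of (source_ip, raw_line) as received on the syslog port.
    Returns per-source counts, whether the expected router was seen, and any
    datagrams that do not carry a syslog header."""
    seen = Counter(src for src, _ in records)
    bad = [raw for _, raw in records if not parse_syslog(raw)["valid"]]
    return {"per_source": dict(seen), "expected_seen": expected_ip in seen,
            "unparsed": bad}

def capture(expected_ip: str, port: int = 514, n: int = 20, timeout: int = 30):
    """Receive up to n datagrams on the collector's syslog port, then check them.
    Binding port 514 normally requires root; run this on the CCE host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    sock.settimeout(timeout)
    records = []
    try:
        for _ in range(n):
            data, (src, _) = sock.recvfrom(4096)
            records.append((src, data.decode("utf-8", "replace")))
    except socket.timeout:
        pass  # stop after the quiet period and report what arrived
    finally:
        sock.close()
    return check_source(records, expected_ip)

# Constructed sample datagrams (illustrative wording, not the router's exact text).
SAMPLE = [
    ("192.0.2.1", "<13>Jan  5 10:01:02 RV325 Authorized Login: admin from 192.0.2.50"),
    ("192.0.2.1", "<12>Jan  5 10:01:09 RV325 Configuration Changes: System Log saved"),
    ("192.0.2.9", "garbage without a syslog header"),
]

if __name__ == "__main__":
    print(check_source(SAMPLE, "192.0.2.1"))
```

Run `capture("<router-ip>")` on the CCE while the router is sending; a result with `expected_seen` false means the Syslog Server 1 setting, routing or firewalling between the router and the collector needs checking.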
