Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

Squid Proxy for Log Configuration

Overview

 

We are providing you the steps to integrate your Squid Proxy with Seceon SIEM so that you can have Comprehensive visibility and Proactive Threat Detection in your Environment. There will be a log transfer between your firewall to APE(Analytics and Policy Engine) via CCE (Collection and Control Engine ). In this document, we are guiding you through the steps for Log forwarding.

For this, port 514 needs to be allowed from firewall.

Steps of Configuration

  •  Login as root user on the server 

 

  • cd /etc should be the first command ran on server , (to get  inside /etc directory)

  • ls to check the list  , ( similar list will appear)

  • vi rsyslog.conf  command need to be ran next  and enter

  • Scan and  find the red marked line :

  • Once done type the command 

              (Note: Press i and then insert the following changes , to save the changes press Esc then write :wq! and enter .)

                 *.* @CCE_IP:514

  • .

  • Run the command  : service rsyslog restart.(Restart rsyslog service .)

  • To check  the status type the command  service rsyslog status

 

 

Note

Squid proxy is of 2 formats, Native Log Format and  Common Log Format.

We support only native . Please check the  below URL ,

Feature: Customizable Log Formats

VERIFICATION OF CONFIGURATION

Verification can be done either from CCE Server or from UI.

Using UI

STEP 1: Login to UI >> SYSTEM

STEP 2: >> LOGS AND FLOWS COLLECTION STATUS .

STEP 3: >>Inside SOURCE DEVICE IP, IP will reflect.

Using CCE SERVER

sudo tcpdump -i any host 514 and host <IP address> -AAA” command should be ran on CCE server to check whether or not we are getting logs .

Seceon Inc. All rights reserved. https://www.seceon.com