
Monitoring UBNT USG-Pro-4

Votes:

0

Hello,

thank you for reading this. I am currently evaluating PRTG Network Monitor and am happy with how straightforward the application works, e.g. monitoring websites.

But one important requirement is the monitoring of several Ubiquiti USG-Pro-4 firewalls that I manage for several customers, where I especially need to monitor the communication on the WAN port.

The USG supports syslog, and in the past I used Splunk to analyze the logs, which worked quite well, but I was missing a dedicated syslog server. How can I achieve this with PRTG?

E.g.: with the following query I can get the number of "attacks" on the USG (the time period can be defined via the Splunk UI): source="/Volumes/Backup/messages" kernel "WAN_LOCAL-4000" | iplocation SRC | stats count as Total

I would really appreciate it if someone could give me a hint about which way I have to go. Thanks, Florian

firewall syslog usg-pro-4

Created on Feb 15, 2018 8:52:13 AM




7 Replies

Votes:

0

Hi Florian,

Happy to hear that you like PRTG so far :) Check out the Syslog Receiver Sensor, which acts as a Syslog server within PRTG :) Although it's not as fully featured as Splunk may be.


Kind regards
Stephan Linke, Tech Support Team

Created on Feb 15, 2018 11:23:22 AM by  Stephan Linke [Paessler Support]

Last change on Feb 15, 2018 11:23:38 AM by  Stephan Linke [Paessler Support]



Votes:

0

Thank you, I already noticed the Syslog Receiver sensor and this is already working; I already collect the information from the USG. I have the problem that I do not know how to analyse the syslog entries and create an alarm if certain things happen.

Florian

Created on Feb 15, 2018 1:40:48 PM



Votes:

0

Did you already check the warning/error filters? You can configure them to interpret certain received messages as such. In order to build a proper filter string, click Show Filters in the top right corner of the table. Then enter the values you want to alert upon in the fields. At the far left, there's Filter with a little gear next to it. It will show you the complete filter string you can use for the warning/error filter definition :)


Kind regards
Stephan Linke, Tech Support Team

Created on Feb 15, 2018 2:35:00 PM by  Stephan Linke [Paessler Support]

Last change on Feb 15, 2018 2:35:07 PM by  Stephan Linke [Paessler Support]



Votes:

0

Thank you for your help, but currently I do not know how to handle this.

For example: I want to get all syslog entries of port scanning attacks run against the USG. Each port scanning attack produces the following syslog entry:

[WAN_LOCAL-4000-D]IN=eth2 OUT= MAC=f0:9f:c2:10:6e:60:d0:6f:82:5e:92:45:08:00 SRC=178.199.26.36 DST=10.0.0.2 LEN=129 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=UDP SPT=57809 DPT=6889 LEN=109 
  • Every port scanning attack syslog entry starts with [WAN_LOCAL-4000-D]
  • SRC defines the source of the attack
  • DST the destination
  • PROTO the protocol
  • SPT the source port
  • DPT the destination port

The first goal I want to achieve is to get an alarm if, for example, in one minute more than 100 [WAN_LOCAL-4000-D] syslog entries are sent by the USG. And it would also be great if I could create my own live graph which counts the number of these syslog entries.

Currently I have a graph for drops, errors, warnings and messages; for monitoring a firewall this is little information.

Edit:

In the meantime I was able to create the first syslog sensor, which only collects the WAN_LOCAL-4000-D syslog entries, and if the number of entries per second exceeds a certain number a warning is created and later on an error. My problem was that I have to think differently than I am used to from Splunk.

But I have one question on this topic:

Is it okay to create multiple syslog sensors or will this lead to performance issues? I have more devices than just the USG that communicate via syslog.

Thanks, Florian

Created on Mar 7, 2018 9:55:40 AM

Last change on Mar 8, 2018 11:04:00 AM by  Luciano Lingnau [Paessler]
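The log format and the alert condition Florian describes above, as an added example that is not part of this thread and not PRTG's or Ubiquiti's code: a small Python parser for the USG's [WAN_LOCAL-4000-D] kernel lines, a per-minute counter with the "more than N entries in one minute" threshold, and a per-source count that does offline what the Splunk "stats count" from the first post does. Assumptions: the syslog header in front of the message body (BSD timestamp, hostname, "kernel:"), the year 2018 (BSD timestamps carry none), and all sample lines, which are constructed here from the single message quoted in the thread and use RFC 5737 documentation addresses.

```python
import re
from collections import Counter
from datetime import datetime

# Syslog header as assumed for the USG: BSD timestamp, hostname, "kernel:", then the message body.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<msg>.*)$"
)
# Message body: "[RULESET-RULE-ACTION]" tag (D = drop, A = accept), then iptables-style KEY=VALUE pairs.
TAG_RE = re.compile(r"^\[(?P<ruleset>[A-Z_]+)-(?P<rule>\d+)-(?P<action>[A-Z])\]")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_usg_line(line, year=2018):
    """Parse one syslog line into a dict, or return None if it is not a USG firewall log line.
    The year is an assumption supplied by the caller because BSD syslog timestamps have none."""
    hdr = SYSLOG_RE.match(line)
    if not hdr:
        return None
    tag = TAG_RE.match(hdr.group("msg"))
    if not tag:
        return None
    ts = datetime.strptime(" ".join(hdr.group("ts").split()), "%b %d %H:%M:%S").replace(year=year)
    # "OUT=" with an empty value and bare flags such as "DF" are handled: flags are simply skipped.
    fields = dict(KV_RE.findall(hdr.group("msg")[tag.end():]))
    return {
        "ts": ts, "host": hdr.group("host"),
        "ruleset": tag.group("ruleset"), "rule": int(tag.group("rule")), "action": tag.group("action"),
        "src": fields.get("SRC"), "dst": fields.get("DST"), "proto": fields.get("PROTO"),
        "spt": fields.get("SPT"), "dpt": fields.get("DPT"),
    }


def is_wan_drop(ev, rule=4000):
    """The filter from the thread: messages tagged [WAN_LOCAL-4000-D]."""
    return ev is not None and ev["ruleset"] == "WAN_LOCAL" and ev["rule"] == rule and ev["action"] == "D"


def drops_per_minute(lines, rule=4000):
    """Count matching messages per one-minute bucket, keyed by the minute's start time."""
    buckets = Counter()
    for line in lines:
        ev = parse_usg_line(line)
        if is_wan_drop(ev, rule):
            buckets[ev["ts"].replace(second=0, microsecond=0)] += 1
    return buckets


def minutes_over_threshold(lines, threshold=100, rule=4000):
    """Minutes in which more than `threshold` drops were logged: the alarm condition from the thread."""
    return sorted(m for m, n in drops_per_minute(lines, rule).items() if n > threshold)


def top_sources(lines, n=5, rule=4000):
    """Drops grouped by SRC, the offline counterpart of the Splunk 'stats count' in the first post."""
    srcs = Counter()
    for line in lines:
        ev = parse_usg_line(line)
        if is_wan_drop(ev, rule):
            srcs[ev["src"]] += 1
    return srcs.most_common(n)


# The message body quoted in the thread, with the assumed syslog header prepended.
THREAD_LINE = ("Mar  7 09:55:40 usg-pro-4 kernel: [WAN_LOCAL-4000-D]IN=eth2 OUT= "
               "MAC=f0:9f:c2:10:6e:60:d0:6f:82:5e:92:45:08:00 SRC=178.199.26.36 DST=10.0.0.2 LEN=129 "
               "TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=UDP SPT=57809 DPT=6889 LEN=109")


def _drop(ts, src, dpt, action="D"):
    """Build a constructed sample line from the thread's message, varying time, source and port."""
    return (f"Mar  7 {ts} usg-pro-4 kernel: [WAN_LOCAL-4000-{action}]IN=eth2 OUT= "
            f"MAC=f0:9f:c2:10:6e:60:d0:6f:82:5e:92:45:08:00 SRC={src} DST=10.0.0.2 LEN=129 TOS=0x00 "
            f"PREC=0x00 TTL=55 ID=0 DF PROTO=UDP SPT=57809 DPT={dpt} LEN=109")


# Constructed sample: 12 drops within minute 09:55 (a scan from one host plus two from another),
# 2 drops in the quiet minute 09:56, one accept that must not count, and one non-kernel line.
SAMPLE_LINES = (
    [_drop(f"09:55:{s:02d}", "203.0.113.10", 6880 + s) for s in range(0, 40, 4)]
    + [_drop("09:55:41", "198.51.100.7", 22), _drop("09:55:42", "198.51.100.7", 23)]
    + [_drop("09:56:05", "203.0.113.10", 6889), _drop("09:56:30", "198.51.100.7", 80)]
    + [_drop("09:56:31", "192.0.2.9", 443, action="A")]
    + ["Mar  7 09:56:32 usg-pro-4 sshd[1234]: Accepted publickey for admin from 10.0.0.5"]
)

if __name__ == "__main__":
    for minute, count in sorted(drops_per_minute(SAMPLE_LINES).items()):
        print(minute.strftime("%H:%M"), count)
    print("over threshold (5/min):", [m.strftime("%H:%M") for m in minutes_over_threshold(SAMPLE_LINES, 5)])
    print("top sources:", top_sources(SAMPLE_LINES))
```

The threshold is set to 5 in the demo only so that the constructed burst trips it; with the thread's value of 100 no minute alerts. The script is meant for checking a filter string or a threshold against a captured messages file before configuring it in the sensor; the counting itself is what the Syslog Receiver sensor does per scanning interval.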



Accepted Answer

Votes:

0

Florian, you can certainly have multiple Syslog Sensors listening to the same messages. The difference between having one with a very complex filter vs. several with each simple filters should not be that high.

Created on Mar 8, 2018 11:28:05 AM by  Torsten Lindner [Paessler Support]



Votes:

0

Thank you for this information; therefore I do not have to worry about creating multiple syslog receivers.

One last question and then I should be fine with the syslog topic in PRTG: Is there a possibility to access an external syslog server from PRTG? As far as I read in the knowledge base (https://kb.paessler.com/en/topic/59970-export-syslog) there is no real possibility to analyse the syslog entries created by PRTG with an external analysing tool like Splunk, because the syslog data are not accessible. But if I could use an external syslog server and PRTG only read the entries from there, this problem would be solved.

Thanks, Florian

Created on Mar 8, 2018 1:11:45 PM



Votes:

0

Florian, I'm afraid, though, that PRTG cannot read syslog messages from another syslog server.

Created on Mar 9, 2018 9:06:30 AM by  Torsten Lindner [Paessler Support]



