Syslog sensor and Draytek

Votes:

0

Hi folks,

I've been trying to set up some Draytek 3900s to send their Syslogs to the PRTG Syslog Sensor. I can get most of the logs through, but it seems to be completely omitting the firewall logs for some reason.

I've tried both with the Syslog sensor set up on the probe device as a sort of catch-all, as well as directly on one of the router devices. I've also changed the Syslog port on one router to 515, mostly to isolate it from other traffic. I have also tried setting the Syslog settings on the Draytek to remote only and "both" (Remote and local), tried changing which entries are sent, but no matter what, my PRTG server doesn't show the Firewall syslog entries.

The sensor itself is set up with just default settings, which to me seems to accept all syslogs, so I'm at a bit of a loss. Has anyone managed to pick up Firewall syslogs from Drayteks using the PRTG syslog sensor?

Cheers! Sean

draytek prtg syslog

Created on Dec 23, 2020 4:56:35 PM



4 Replies

Votes:

1

That's weird - is it actually sending out firewall stuff from the draytek? Like, is there something you could configure to have it omit certain log files?

Created on Dec 28, 2020 12:47:24 PM by  Stephan Linke [Paessler Support]



Votes:

0

Apologies, having to reply from a different account as apparently I'm not remembering my password correctly and the password reset seems to just loop sending me an email, can't actually reset the password.

Yeah, the Draytek is actually sending out firewall stuff.
Our default Draytek Syslog configuration is as follows:
https://i.imgur.com/65yuXHY.jpg
To verify the firewall entries were being sent, I changed the listening port of PRTG's Syslog to 515 and then loaded up Draytek's Syslog Utility on the same server, monitoring on port 514, as well as enabling the "User" and "Other" syslogs on the Draytek in order to generate more Syslog traffic. All Syslog entries on the Firewall also display in the Draytek Syslog Utility.
Draytek - https://i.imgur.com/1iligJV.jpg
Syslog Util - https://i.imgur.com/OFkNNit.jpg

Then I closed the Syslog Util and reset PRTG back to port 514.
PRTG Syslog Config - https://i.imgur.com/RtnVFFy.jpg
Draytek - https://i.imgur.com/uMgNT2U.jpg
PRTG - https://i.imgur.com/OREdTcp.jpg
As can be seen in the images, it almost looks as though PRTG is receiving the Firewall Syslogs, just in a completely different format, but these are actually the "User" logs. The Draytek appears to omit these User entries if a corresponding Firewall entry is present. Perhaps part of the problem.

If I disable the "User" and "Other" logs, it becomes clear the Firewall entries aren't making their way through:
Draytek - https://i.imgur.com/o0ZQbyC.jpg
PRTG - https://i.imgur.com/JkaEsmP.jpg

However, PRTG will still receive entries for the WAN log and VPN log (when I have it enabled) just fine, only the Firewall ones that have problems...

Created on Dec 28, 2020 2:30:04 PM

Last change on Dec 28, 2020 3:29:42 PM by  Birk Guttmann [Paessler Support]



Votes:

1

Hello there,

Since this seems to be a rather complex issue here, I would ask you to open a support ticket, so we can take a closer look at this.

Of course you can still discuss this with other customers here in the KB.


Kind regards,
Birk Guttmann, Tech Support Team

Created on Jan 4, 2021 2:19:49 PM by  Birk Guttmann [Paessler Support]



Votes:

0

Argh, now I feel silly. Issue was a result of human assumption. The syslog sensor's "Include" filter has a default value of "severity[0-6]" when the sensor is created. I assumed this default value would include everything and then allow me to filter out as required. No. Draytek Firewall syslog entries come through as severity level 7, so were simply excluded.

As advised by the support team, I removed the "include" rule altogether, so it is now just blank, and everything is coming through, firewall logs and all!

Created on Jan 6, 2021 12:01:30 PM
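
The severity arithmetic behind the fix above, as an added example that is not part of the original thread or of PRTG: it decodes the `<PRI>` header of raw syslog datagrams (PRI = facility × 8 + severity) and reports which messages a 0-6 severity range would drop. The sample datagrams are constructed, and the range check is a plain integer comparison standing in for the sensor's Include filter, not PRTG's filter engine.

```python
import re
from collections import Counter

# Severity codes 0..7 as defined for syslog (RFC 3164 / RFC 5424)
SEVERITY_NAMES = ["emerg", "alert", "crit", "err",
                  "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(datagram: bytes):
    """Return (facility, severity) from the leading <PRI> field, or None."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        return None
    return divmod(pri, 8)  # facility = pri // 8, severity = pri % 8

def audit(datagrams, low=0, high=6):
    """Split messages into kept/dropped counts for a severity range low..high."""
    kept, dropped, unparsed = Counter(), Counter(), 0
    for d in datagrams:
        decoded = decode_pri(d)
        if decoded is None:
            unparsed += 1  # no usable header: cannot be matched by severity
            continue
        _, sev = decoded
        bucket = kept if low <= sev <= high else dropped
        bucket[SEVERITY_NAMES[sev]] += 1
    return kept, dropped, unparsed

# Constructed sample datagrams (not captured from a real Draytek)
SAMPLES = [
    b"<134>Jan  6 12:00:01 router WAN: WAN1 link up",             # local0.info
    b"<135>Jan  6 12:00:02 router FIREWALL: pass rule matched",   # local0.debug
    b"<132>Jan  6 12:00:03 router VPN: tunnel re-keyed",          # local0.warning
    b"<135>Jan  6 12:00:04 router FIREWALL: block rule matched",  # local0.debug
    b"no priority header at all",
]

if __name__ == "__main__":
    kept, dropped, unparsed = audit(SAMPLES)
    print("kept:", dict(kept))
    print("dropped by severity 0-6 range:", dict(dropped))
    print("unparsed:", unparsed)
```

Running the same audit over a packet capture of the device's syslog traffic shows at a glance whether a log category is missing because the sender never emitted it or because its severity falls outside the collector's range.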



