BlastShield Documentation

Enable Extended Access Logging

Extended access logging gives you enhanced visibility of user behaviour in your BlastShield™ network. When enabled, it produces detailed logs of the connections being made inside the protected network, which can be exported to a third-party syslog server for viewing.

The extended access logging feature works by logging every connection event that matches a given BlastShield™ Policy, so you can monitor behaviour at the granular policy level. Each connection log is date and time stamped and records the source and destination address and port, the type of connection event, the user information and the data volume transferred.

Extended access logging is enabled in the Orchestrator at an individual policy level. To view the logs you must export them to a syslog server.

Prerequisite

Extended access logging messages are sent using syslog. Your Orchestrator must be configured to send its log output to a remote syslog server; the extended access logs can then be viewed on that server.

Summary of the configuration process
  1. Enable syslog export.

  2. Enable connection logging on each policy which you want to monitor. 

Extended Access logging is configured in the Orchestrator. To learn how to configure it, watch the following video or read the steps below.

Configure Extended Access Logging
Enable syslog export

Tip

BlastShield™ supports exporting the system event log and extended access logs in syslog format to an external collector. When enabled, the Orchestrator exports the syslog to the nominated external server.

Syslog UDP packets are sent to port 514 (the default) of the receiving server; the UDP port may be changed if required. The format may be configured as human readable, comma separated, or both. All syslog packets are sent from the Orchestrator.

The receiving server may be external to the BlastShield™ Network or inside the protected overlay network, which is recommended if the syslog server is hosted in the cloud. In the latter case you can install a Host Agent on the syslog server, and an implicit Policy for the syslog packets will be created automatically in the Orchestrator.

  1. Log in to the Orchestrator as the Administrator user.

  2. Go to the Settings menu on the left hand side and choose Network.

  3. Go to the Syslog Settings window.

    1. In the Remote Syslog Server box, enter the IP address of the remote syslog server.

    2. In the Format box, select the syslog export format. For Extended Access Logging, the format must either be Comma Separated or Both.

    3. Click Save Changes.

  4. If your syslog application needs to know the address the syslog messages come from, use the IP address of the BlastShield™ Orchestrator. If the syslog application is inside the BlastShield protected network, use the Orchestrator's overlay IP address.

Enable connection logging on each policy which you want to monitor
  1. Select the Policy for which you want to enable the access logging.

    1. From the Access Control menu on the left, click on Policies.

    2. Click on the Policy for which you want to enable the access logging.

    3. Tick the checkbox marked Log matching connections to syslog.

    4. Click Save Changes.

    5. Repeat for all the Policies for which you want to enable access logging.

  2. Logs of matching connections will now be generated by the Orchestrator and sent to your configured remote syslog server, where you can view and analyse them.
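Once the comma-separated extended access logs reach your syslog server, the fields the page lists (timestamp, event type, user, source and destination address and port, bytes transferred) can be parsed and summarised per user and per Policy. The following is an added example, not BlastShield's own code or output: it assumes an RFC 3164 style syslog header and a hypothetical field order for the comma-separated body (set in `FIELDS`), and the sample lines are constructed. Adjust `FIELDS` to match the real export before using it, and run `receive_syslog` on the UDP port you configured (514 by default).

```python
"""Parse and summarise extended access log lines received over syslog.

Added example (not BlastShield's code). Assumptions, to be adjusted to the
real export: an RFC 3164 style header "<PRI>Mon dd hh:mm:ss host tag: body",
and a comma-separated body whose field order is given by FIELDS below.
"""
import csv
import io
import re
import socket
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical field order of the comma-separated body.
FIELDS = ("timestamp", "event", "policy", "user",
          "src_ip", "src_port", "dst_ip", "dst_port", "bytes")

# RFC 3164 style header; the body after "tag: " is the CSV record.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<body>.*)$"
)


@dataclass
class AccessEvent:
    timestamp: str
    event: str
    policy: str
    user: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    bytes: int


def parse_line(line: str) -> Optional[AccessEvent]:
    """Return an AccessEvent for one syslog line, or None if it does not parse."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    row = next(csv.reader(io.StringIO(m.group("body"))))
    if len(row) != len(FIELDS):
        return None  # wrong field count: not an extended access log record
    rec = dict(zip(FIELDS, (v.strip() for v in row)))
    try:
        return AccessEvent(
            timestamp=rec["timestamp"], event=rec["event"],
            policy=rec["policy"], user=rec["user"],
            src_ip=rec["src_ip"], src_port=int(rec["src_port"]),
            dst_ip=rec["dst_ip"], dst_port=int(rec["dst_port"]),
            bytes=int(rec["bytes"]),
        )
    except ValueError:
        return None  # non-numeric port or byte count


def bytes_per_user_policy(events: Iterable[AccessEvent]) -> dict:
    """Total data volume keyed by (user, policy), for spotting unusual transfers."""
    totals = defaultdict(int)
    for e in events:
        totals[(e.user, e.policy)] += e.bytes
    return dict(totals)


def unexpected_destinations(events: Iterable[AccessEvent], allowed_ports: dict) -> List[AccessEvent]:
    """Events whose destination port is outside the set expected for their Policy."""
    return [e for e in events if e.dst_port not in allowed_ports.get(e.policy, set())]


def receive_syslog(port: int = 514, bind: str = "0.0.0.0", max_messages: int = 10):
    """Yield raw UDP syslog datagrams as text; port 514 is the syslog default."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        for _ in range(max_messages):
            data, _addr = s.recvfrom(65535)
            yield data.decode("utf-8", errors="replace")


# Constructed sample lines in the assumed format (not real BlastShield output).
SAMPLE_LINES = [
    "<134>Mar  4 10:15:02 orchestrator blastshield: "
    "2024-03-04T10:15:02Z,connect,PLC-Access,alice,10.20.0.5,51234,10.20.1.10,502,1480",
    "<134>Mar  4 10:15:09 orchestrator blastshield: "
    "2024-03-04T10:15:09Z,connect,PLC-Access,alice,10.20.0.5,51240,10.20.1.10,22,910",
    "<134>Mar  4 10:16:30 orchestrator blastshield: "
    "2024-03-04T10:16:30Z,close,HMI-Access,bob,10.20.0.7,44000,10.20.1.20,443,220400",
    "not a syslog line at all",
]


if __name__ == "__main__":
    events = [e for e in map(parse_line, SAMPLE_LINES) if e is not None]
    for key, total in bytes_per_user_policy(events).items():
        print(f"{key[0]} via {key[1]}: {total} bytes")
    for e in unexpected_destinations(events, {"PLC-Access": {502}, "HMI-Access": {443}}):
        print(f"unexpected port {e.dst_port} from {e.src_ip} to {e.dst_ip} under {e.policy}")
```

The per-Policy allowed-port map in `unexpected_destinations` is the kind of check that makes policy-level logging useful: a Policy written to permit Modbus to a PLC should not be producing connection events to other services, and any that appear are worth investigating.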