No syslog servers are configured-f5-False

Vendor: f5

OS: False

Description:
Indeni will alert if no syslog servers are configured for a specific device.

Remediation Steps:
Add syslog servers.

How does this work?
This alert logs into the F5 device through SSH and parses the output of the command “tmsh list sys syslog” to verify that a syslog server has been configured.
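The check described here, reimplemented in Python as an added example (not Indeni's code) so it can be run offline against constructed “tmsh list sys syslog” output. The sample output, hostnames and function names are assumptions; beyond the check itself, it also surfaces “host” entries that are not IPv4 literals, which an IPv4-only extraction silently drops.

```python
import re

# Constructed sample of "tmsh list sys syslog" output (not from a real device):
# one server in remote-servers, one in a raw syslog-ng "include" stanza, and
# one remote server given by hostname rather than IPv4 literal.
SAMPLE_WITH_SERVERS = """\
sys syslog {
    include "destination d_remote { udp(\\"10.20.30.40\\" port(514)); };"
    remote-servers {
        remotesyslog1 {
            host 192.168.1.3
            remote-port 514
        }
        remotesyslog2 {
            host logs.example.internal
            remote-port 514
        }
    }
}
"""
# Constructed sample for a device with no remote syslog configured.
SAMPLE_EMPTY = "sys syslog { }\n"

IPV4_RE = re.compile(r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")
HOST_RE = re.compile(r"^\s*host\s+(\S+)")


def syslog_servers(tmsh_output):
    # Same filter as the check: lines mentioning "include" or "host",
    # then every IPv4 literal on them. This is the syslog-servers array.
    servers = []
    for line in tmsh_output.splitlines():
        if "include" in line or "host" in line:
            servers.extend(IPV4_RE.findall(line))
    return servers


def non_ipv4_hosts(tmsh_output):
    # Hosts written as names (or IPv6) are dropped by the IPv4-only match, so a
    # device logging only to such a host would still alert; surface them here.
    return [m.group(1) for m in map(HOST_RE.match, tmsh_output.splitlines())
            if m and not IPV4_RE.fullmatch(m.group(1))]


def should_alert(tmsh_output):
    # The rule condition: alert when the parsed array is empty.
    return not syslog_servers(tmsh_output)
```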

Why is this important?
In case of a successful intrusion attempt it is imperative to be able to trust the log files. To do that it is good practice to have a remote syslog server configured, so that an attacker would have a harder time hiding their tracks. Also, in case of an outage or hardware failure a remote syslog server could be critical in finding the root cause.

Without Indeni how would you find this?
An administrator could periodically log into the device through SSH, enter TMSH and execute the command “list sys syslog” in order to identify the configured syslog servers.

f5-tmsh-list-sys-syslog

#! META
name: f5-tmsh-list-sys-syslog
description: Check if a syslog server has been configured
type: monitoring
monitoring_interval: 10 minutes
requires:
    vendor: "f5"
    product: "load-balancer"
    linux-based: "true"
    shell: "bash"

#! COMMENTS
syslog-servers:
    why: |
        In case of a successful intrusion attempt it is imperative to be able to trust the log files. To do that it is good practice to have a remote syslog server configured, so that an attacker would have a harder time hiding their tracks. Also, in case of an outage or hardware failure a remote syslog server could be critical in finding the root cause.
    how: |
        This alert logs into the F5 device through SSH and parses the output of the command "tmsh list sys syslog" to verify that a syslog server has been configured.
    without-indeni: |
        An administrator could periodically log into the device through SSH, enter TMSH and execute the command "list sys syslog" in order to identify the configured syslog servers.
    can-with-snmp: false
    can-with-syslog: false
    
#! REMOTE::SSH

#!/bin/bash
# Keep only the "include" and "host" lines of the syslog config and print each IPv4 address found on them, one per line
tmsh -q -c "list sys syslog" | grep -P "(include|host)" | grep -Po "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"

#! PARSER::AWK

BEGIN {
    # Running count of syslog servers found; also used as the array index
    iSyslog = 0
}

#192.168.1.3
/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/{
    # Each line emitted by the collector is the IPv4 address of one syslog server
    iSyslog++
    syslogArray[iSyslog, "ip"] = $1
}

END {
    # Write the (possibly empty) array; the rule alerts when it is empty
    writeComplexMetricObjectArray("syslog-servers", null, syslogArray)
}

cross_vendor_syslog_servers_empty

package com.indeni.server.rules.library.crossvendor

import com.indeni.ruleengine.expressions.conditions.Equals
import com.indeni.ruleengine.expressions.data.SnapshotExpression
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.{ConditionalRemediationSteps, MultiSnapshotValueCheckTemplateRule, RuleHelper}
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

case class cross_vendor_syslog_servers_empty(context: RuleContext) extends MultiSnapshotValueCheckTemplateRule(context,
  severity = AlertSeverity.WARN,
  ruleName = "cross_vendor_syslog_servers_empty",
  ruleFriendlyName = "All Devices: No syslog servers are configured",
  ruleDescription = "Indeni will alert if no syslog servers are configured for a specific device.",
  metricName = "syslog-servers",
  alertDescription = "No syslog servers are configured on the device. It is critical to have at least one syslog server to collect device events on an external server. The logging information can be used to detect events and troubleshoot and analyze failures.",
  baseRemediationText = "Add syslog servers.",
  complexCondition = Equals(RuleHelper.createEmptyComplexArrayConstantExpression(), SnapshotExpression("syslog-servers").asMulti().mostRecent().value().noneable)
)(ConditionalRemediationSteps.OS_NXOS ->
  """|
    |1. Configure at least one syslog server using the "logging server <ip address> <severity> [facility <facility>] [use-vrf <vrf-name>]" NX-OS command
    |2. It is recommended to set the severity value to 6 (informational).
    |NOTE: The default syslog facility used by Nexus switches is "local7" . The default VRF is "management".  If you want syslog messages to be sent over the in-band global routing, use "default".
    |3. For more information please review the next configuration guide:
    |https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/system_management/configuration/guide/sm_nx_os_cg/sm_5syslog.html""".stripMargin)