Syslog Servers In Use-paloaltonetworks-panos

Syslog Servers In Use-paloaltonetworks-panos

Syslog Servers In Use-paloaltonetworks-panos

Vendor: paloaltonetworks

OS: panos

Indeni will verify that certain syslog servers are configured on a monitored device.

Remediation Steps:
Modify the device’s configuration as required.

How does this work?
This script pulls the Palo Alto Networks firewall’s active configuration and extracts the configured Syslog servers from there.

Why is this important?
Tracking the currently configured Syslog servers on all devices is important to ensure consistent logging.

Without Indeni how would you find this?
An administrator may write a script to pull this data from devices and compare against a gold configuration.


Failed to fetch the data:


package com.indeni.server.rules.library.core

import com.indeni.ruleengine.Scope.{Scope, ScopeValueHelper}
import com.indeni.ruleengine.expressions.core._
import com.indeni.ruleengine.expressions.scope.ScopableExpression
import com.indeni.ruleengine.expressions.utility.IsEmptyExpression.IsEmptyExpressionHelper
import com.indeni.ruleengine.expressions.utility.SeqDiffWithoutOrderExpression
import com.indeni.ruleengine.expressions.{Expression, conditions}
import com.indeni.server.common.AlertNotificationSettings
import com.indeni.server.common.AlertNotificationSettings._
import com.indeni.server.params.ParameterDefinition
import com.indeni.server.params.ParameterDefinition.UIType
import com.indeni.server.rules.config.expressions.DynamicParameterExpression
import com.indeni.server.rules.library.{ConditionalRemediationSteps, PerDeviceRule, RuleHelper}
import com.indeni.server.rules.{RuleMetadata, _}
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

  * Created by amir on 19/02/2017.
case class SyslogServersInUseComplianceCheckRule() extends PerDeviceRule with RuleHelper {

  private val linesParameterName = "syslog_config_lines"
  private val linesParameter = new ParameterDefinition(
    "Syslog servers config needed (multi-line, <ip-address>, <min-severity>)",
    "List the syslog servers need to be configured, and their minimal severity.\ne.g., info.",

  override def expressionTree(context: RuleContext): StatusTreeExpression = {
    val linesExpected = DynamicParameterExpression.withConstantDefault(linesParameter.getName, Seq[Seq[String]]()).withLazy
    val snapshotKey = "syslog-servers"
    val missings =
        MultiSnapshotExtractVectorExpression(SnapshotExpression(snapshotKey).asMulti().mostRecent().value(), "host", "severity"),

    val missingLineHeadline = new ScopableExpression[String] {
      override protected def evalWithScope(time: Long, scope: Scope): String = scope.getVisible("syslogConfig").get.asInstanceOf[Seq[String]].mkString(", ")
      override def args: Set[Expression[_]] = Set()

      // Which objects to pull (normally, devices)
      SelectTagsExpression(context.metaDao, Set(DeviceKey), True),

      // What constitutes an issue
        // The snapshot we check the test condition against:
        SelectSnapshotsExpression(context.snapshotsDao, Set(snapshotKey)).multi(),

        // The condition which, if true, we have an issue. Checked against the snapshots we've collected
        multiInformers = Set(
            "Missing configuration"

        // Details of the alert itself
        ConstantExpression("Indeni has found that some syslog servers are missing or misconfigured. Check the list below."),
        ConditionalRemediationSteps("Modify the device's configuration as required.",
          RemediationStepCondition.VENDOR_CISCO ->
            """|1. Check if the IP address of the syslog server is accessible. Use theVRF management option if the Mangement VRF is configured to access the syslog servers. In this case use the "ping <dest-ip> vrf management" command to ping the server otherwise ping the server without the vrf option.
               |2. Check that the appropriate logging level is enabled to send logging messages. Use the "show logging info" NX-OS command. If the logging level is not appropriate, then set the appropriate level by using the "logging level <feature> <log-level>" NX-OS command.
               |3. It is a best practice to have at least one and no more than three, syslog servers configured.
               |4. For more information please review: <a target="_blank" href="">Cisco NX-OS configuration guide</a>.""".stripMargin,
          RemediationStepCondition.VENDOR_JUNIPER ->
            """|1. On the device command line interface execute "show system syslog" command to review system log configuration.
               |2. Check if the syslog server is accessible.
               |3. Check if the severity level is set properly to ensure that the traffic log messages are captured.
               |4. Consider specifying two remote syslog servers to which system logs are sent.
               |5. Review the following article on Juniper TechLibrary for more information: <a target="_blank" href="">SRX Getting Started - Configure System Logging</a>.""".stripMargin

    * @return The rule's metadata.
  override def metadata: RuleMetadata =
      "Syslog Servers In Use",
      "Indeni will verify that certain syslog servers are configured on a monitored device.",
      categories = Set(RuleCategory.VendorBestPractices),
      deviceCategory = DeviceCategory.ComplianceCheck)