McAfee Sidewinder not sending logs to syslog server

Hi Does anyone have issues similar to us where McAfee firewall not sending any logs to syslog server.

We have set it up exactly as below;

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24937/en_US/McAfee_Firewall_Enterprise.pdf

other devices including routers, switches and other firewalls no issue sending logs . So obviously something to do with McAfee setting , Is there anyway we could troubleshoot on Kiwi syslog.
Deepak MuralidharanAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
Can try the conf (/secureos/etc/server.conf ) file but note that SEF is actually Sidewinder Export Format
(SEF), can try ascii - https://kc.mcafee.com/corporate/index?page=content&id=KB64704
By default, auditd sends all audit data to a binary file called /var/log/audit.raw, you can try on box to see any log generated first too -  These are binary formatted files that can be viewed in
ASCII format using the Admin Console or command line. Otherwise, to view audit records on GUI, select Monitor > Audit Viewing
To use the on-box reporting service (cf reports), you must first enable the following components by
entering the following commands:
cf daemond enable agent=auditsql
cf daemond enable agent=auditdbd
Note: The auditsql agent must be enabled before the auditbdb agent.
If you are not using the McAfee Firewall Enterprise on-box reporting tool, leave these agents disabled

Audit output can be configured to trigger alerts using these tools:
• IPS Attack Responses (Monitor > IPS Attack Responses)
• System Responses (Monitor > System Responses)
(see section 13 Auditing) https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/21000/PD21680/en_US/fe_70102_ag_7002122A00_en-us.pdf

Can also check errors in kiwilog ( InstallPath\Errorlog.txt ), any other errors that are encountered by Kiwi Syslog Server are also recorded in this file. Should also be available via the View | View Error log file menu in the Main Syslog Server display. For info on port
Kiwi Syslog Server uses the following ports:
 
UDP Input - UDP 0.0.0.0:514 (default) (plus one Ephemeral port)
TCP Input - TCP 0.0.0.0:1468 (default)
SNMP Input - UDP 0.0.0.0:162 (default) for IPv4 and 163 (default) for IPv6
Secure TCP Input - TCP 0.0.0.0:6514 (default)
 
Syslog Service <-> Syslog Manager internal comms port - TCP 0.0.0.0:3300 (plus one Ephemeral port).
 
Web Access - TCP 0.0.0.0:8088 (default)
See the "Troubleshooting" section for the kiwisyslog
If no messages are being displayed to the screen or being logged:
 
•      Check network connectivity by pinging from the sending device to the Syslog Server machine
•      Check only one instance of Kiwi Syslog Server is running (Ctrl-Shift-Esc to get the task-list)
•      Disable any personal firewall software such as ZoneAlarm or BlackIce
•      Check DNS resolution is working as expected by pinging a hostname from the Command Prompt
•      Check that there is a "Display" action setup for the facility and level you are expecting to receive messages on.
•      Send a test message to yourself by pressing Ctrl+T
•      Download a copy of the Free Syslog Server Message Generator (SyslogGen) from: www.kiwisyslog.com/downloads
•      Install SyslogGen and set it to send a message every second to the address 127.0.0.1 (local host).
•      If you see messages appearing, the problem is with the router, switch or Unix box sending the Syslog messages.
•      Try sending messages with SyslogGen from another machine to the host running the Syslog Server
•      The device that is sending messages to you may not be including a priority code in its message. You can set a default priority to use from the Modifiers option of the Kiwi Syslog Server Setup window. To open the setup window use the File | Setup menu option from the main Kiwi Syslog Server window.
•      If you are running a Cisco router and are not receiving messages, use the Logging source-interface command to specify an interface to log from. There is a bug in the Cisco IOS that causes invalid UDP checksums unless this command is specified.
 
http://www.kiwisyslog.com/help/syslog/index.html

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Deepak MuralidharanAuthor Commented:
Hi Btan,

Its been issue on the firewall. Strangely same rule one syslog IP on the same subnet is passing through. The other one (new syslog) its blocking. Not sure why in audit its showing the " current policy does not support". I have observed similar kind of issue in various Sidewinder before also.

so I have tried to delete the original rule and created another rule for this purpose. But the audit still shows no logs for that rule. But when search through IP its denied showing "current policy does not support" . No idea why its behaving this way.
btanExec ConsultantCommented:
Also better to restart the syslogd..though not sure if the interface used for sending syslog is in conflict..minimally FW only support one transparent bridged interface but do not suppose that is being used so far..
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

Deepak MuralidharanAuthor Commented:
The issue is that the rule itself  not recognized in the audit log.
btanExec ConsultantCommented:
there is similar "reporting" though not specific to syslog though but it stated it is more towards a service that the current policy does not support for all existing policies. E.g. in the link, it is due to a netprobe for a service that is to allow but does not have an active rule that references the service.
https://kc.mcafee.com/corporate/index?page=content&id=KB63252

So would it be that even syslog is not enabled or allowed by FW at the first place, may be good to have support to advice. It may be a easy kill to them
Deepak MuralidharanAuthor Commented:
I am trying a way to SSH in, not able to do so even though remote access setting does  not show anything wrong
btanExec ConsultantCommented:
looks like the image is blocking services or there are some binding for rules running -
The default configuration allows the SSH server to listen on any burb where it is enabled without having to configure what addresses it should listen on. However, since Firewall Enterprise proxies, by definition, MUST perform a wildcard bind, the server and proxy cannot coexist in this state.
https://kc.mcafee.com/corporate/index?page=content&id=KB63061

I suggest you create another question track to solicit more inputs to further the findings and checks
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Security

From novice to tech pro — start learning today.