Summary: In just a few steps, set up your Huntress Agent to receive syslog data from your firewall.
Configure the Huntress Agent
1. From the Host Details page, confirm that the Agent has the syslog collection field set to Enabled.
Note that after enabling syslog collection, there may be a delay before the portal reflects the change. If you do not see it enabled after 30 minutes, please review the steps below.
- If this is not enabled, please enable it following the Configure Log Sources (Generic Syslog - Local) guide.
- Alternatively, you can also verify this from the command line.
- You could use netstat to confirm on the endpoint. Elevate your command prompt and run netstat -naob. The output shows process information that looks like this:
- PowerShell gives you more filtering options and you can control the output. To do this, elevate to administrator privileges and run:
(netstat -bano | Out-String) -replace '(?m)^ (TCP|UDP)', '$1' -replace '\r?\n\s+([^\[])', "`t`$1" -replace '\r?\n\s+\[', "`t[" | findstr "Rio.exe"
Now we know it's listening.
2. Make sure that only the Huntress Agent is listening on port 514. If something else is listening on that port, the Agent won’t be able to bind properly and won’t get any data. You can do this by using this query:
(netstat -bano | Out-String) -replace '(?m)^ (TCP|UDP)', '$1' -replace '\r?\n\s+([^\[])', "`t`$1" -replace '\r?\n\s+\[', "`t[" | findstr ":514"
Configure Windows Firewall
If you have Windows Firewall enabled, you will need to make sure that the Huntress Agent can receive syslog messages over the correct port. To do this, create a new rule and scope it to just the Huntress Agent.
Pro-tip: you can also use PowerShell to create the rule. There are a variety of ways to accomplish this, but here's an example:
New-NetFirewallRule -DisplayName "Allow Huntress Syslog Collection" -Direction Inbound -Action Allow -Protocol UDP -LocalPort 514 -Program "%ProgramFiles%\Huntress\Rio\Rio.exe"
- From the Windows Defender Firewall app go to Advanced Settings.
- Select Inbound Rules and in the Actions pane, create a New Rule.
- Choose Custom Rule and enter the path for the program. The path should be something like %ProgramFiles%\Huntress\Rio\Rio.exe.
- Select Allow the Connection.
- For Protocol and Ports, select UDP and then specify port 514.
- Optionally, you can scope this to a single device if you'd like; just be aware that the next time you want to point another endpoint's syslog messages to the Huntress Agent, you will need to update this rule. You do not need to restrict remote IP addresses; the rule only needs to allow inbound connections to the local IPs. Always choose Allow the connection rather than Allow the connection if it is secure, because UDP syslog carries no such protection.
- Apply the rule to all three profiles - Domain, Private, and Public.
- Give the rule a name, like Huntress Syslog Listener.
The Windows Firewall is now configured to allow Huntress Agent to listen on port 514.
Configure the Edge Firewall
Now that the Windows Firewall is no longer blocking us, you can configure your edge firewall to send syslog messages over to the Huntress Agent. As configured, UDP Port 514 is what we are listening on, and you’ve confirmed that only the Huntress Agent is listening on that port. Please consult your firewall vendor documentation for sending syslog messages in the proper message formats.
Log / Message Formats
Huntress can currently parse only the specific formats listed below. This is often not the device's default format and must be changed. Using any other format will result in logs not being sent to us properly.
Device Type | Message Format
SonicWall | Prefer Enhanced Format
Fortinet | CEF
Meraki | Security Logs only
WatchGuard | LEEF
Palo Alto Networks | CEF
The links above may not apply to your device firmware version, but should point you in the right direction. If you are unsure how to configure your device for sending syslog messages in specific formats, please consult your hardware vendor for more support.
If you have a device that you don’t see in this list, you can find other requested formats to vote on or create your own on our feedback page here.
Confirm Data Flow
After the firewall has been configured, you can verify that the service has started receiving data. To confirm data is being sent from your firewall, open the correct Agent folder (C:\Program Files\Huntress\Rio\tmp) and look for a file with the prefix wbs_.
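The listener check from steps 1 and 2, the firewall rule check, and this wbs_ file check can be combined into one PowerShell script. This is an added example, not Huntress tooling; it assumes the rule display name from the Pro-tip above, the Rio.exe binary name, and the tmp folder path given in this article.

```powershell
# Added verification script; not Huntress's own tooling. Assumes the Agent
# binary is Rio.exe, the listener is UDP/514, the rule name from this article,
# and the tmp folder path from the Confirm Data Flow section. Run elevated.
$agentExe  = 'Rio.exe'
$port      = 514
$ruleName  = 'Allow Huntress Syslog Collection'
$tmpFolder = Join-Path $env:ProgramFiles 'Huntress\Rio\tmp'
$agentName = $agentExe -replace '\.exe$', ''   # Get-Process reports "Rio"

# 1. Which processes own UDP/514? Only the Agent should appear.
$owners = Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue }
$others = @($owners | Where-Object { $_.ProcessName -ne $agentName })
if (-not $owners) {
    Write-Warning "Nothing is bound to UDP/$port; syslog collection is not enabled yet."
} elseif ($others.Count -gt 0) {
    Write-Warning "Port conflict on UDP/$port with: $(($others.ProcessName | Select-Object -Unique) -join ', ')"
} else {
    Write-Host "OK: only $agentExe is listening on UDP/$port"
}

# 2. Does an enabled inbound allow rule exist for UDP/514 scoped to the Agent?
$rule = Get-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
            -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $rule) {
    Write-Warning "No inbound allow rule named '$ruleName' found."
} else {
    $portFilter = $rule | Get-NetFirewallPortFilter
    $appFilter  = $rule | Get-NetFirewallApplicationFilter
    $portOk = ($portFilter.Protocol -eq 'UDP') -and ("$($portFilter.LocalPort)" -eq "$port")
    $appOk  = $appFilter.Program -like "*\$agentExe"
    if ($portOk -and $appOk -and "$($rule.Enabled)" -eq 'True') {
        Write-Host "OK: rule '$ruleName' allows UDP/$port for $agentExe (profiles: $($rule.Profile))"
    } else {
        Write-Warning "Rule '$ruleName' exists but is disabled or not scoped to UDP/$port and $agentExe."
    }
}

# 3. Has the Agent written any syslog data yet?
$files = @(Get-ChildItem -Path $tmpFolder -Filter 'wbs_*' -File -ErrorAction SilentlyContinue)
if ($files.Count -gt 0) {
    $newest = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    Write-Host "OK: $($files.Count) wbs_ file(s) in $tmpFolder; newest written $($newest.LastWriteTime)"
} else {
    Write-Warning "No wbs_ files in $tmpFolder yet; confirm the edge firewall is sending to this host."
}
```

If check 1 reports a port conflict, stop the other process or move it off UDP/514 before re-testing; if checks 1 and 2 pass but check 3 fails, continue with the Wireshark steps under Troubleshooting.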
Troubleshooting
If you think syslog is arriving at the Huntress Agent, but you don’t see this file being created, you can use Wireshark to confirm that the data is flowing to your machine. To do that, install Wireshark and select the appropriate interface, begin capturing data, and then apply this filter:
_ws.col.protocol == "Syslog"
Wireshark will then display only syslog messages, so you can verify the port and protocol being used.