Configuring log forwarding on Data Nodes - Adaptive Applications - BlueCat Gateway - 23.2.3

BlueCat Distributed DDNS Administration Guide

Locale
English
Product name
BlueCat Gateway
Version
23.2.3
Log forwarding leverages the syslog-ng capabilities on the BDDS to forward database logs to a remote ArcSight server. By default, log messages of all services running on the Distributed DDNS Data Node are forwarded.
Note: Logs are sent remotely using UDP on port 514.
Prerequisites
  • The BDDS must be able to communicate with the ArcSight logging server. Ensure that the firewall rules allow for the communication with the ArcSight server and that the BDDS can route traffic to the server.

  • The ArcSight logging server must be configured to receive messages from the BDDS.

To configure log forwarding on Data Nodes:
  1. Log in to the console of the BDDS with the Data Node configured as the root user.

  2. Create a new directory for syslog-ng using the following command:

    mkdir /etc/syslog-ng/scl/distributed_ddns/
  3. Click here to download the dddns_db.conf configuration file and place the file within the newly created directory.

    Tip: If the BDDS runs multiple containers, you can configure it to forward logs from all of them. To do so, simply store corresponding configuration files for each container in this directory, renaming the file if necessary.
  4. Log in to the Address Manager UI that controls the BDDS.

  5. Select the Servers tab.

  6. Under Servers, click the name of the BDDS with the Data Node deployed that contains the configuration file and newly created directory. The Details tab for the server opens.

  7. Click the server name menu and select Service Configuration.

  8. From the Service Type drop-down menu, select Syslog.

  9. Under SIEM Settings, set the following parameters:

    • Enable ArcSight Forwarding: select the check box and enter the IP address of the ArcSight server.
  10. Click Update.

For more information on the format of the log messages sent to the remote server, see Reference: CEF message format.

Important: If you're using BlueCat DNS/DHCP Servers (BDDS) versions 9.3.3, 9.4.1 or 9.5.0, you might need to reconfigure the logging driver used by the Docker container. For more details, see Configuring Docker services on BDDS 9.3.3, 9.4.1 or 9.5.0 to allow for log forwarding.