Under Consideration Firewall SYSLOG
From what I understand the remote syslog functionality of the Omada SDN controller is only sending syslog messages regarding the controller only. It is not enabling syslog at a device level.
This is one feature that I like about Ubiquiti Unifi is when you enable syslog, all devices send their syslogs to the syslog server specified.
This remote syslog for devices will be greatly beneficial for firewall logging in to SIEMs and better monitor real-time firewall activity.
I believe the syslog functionality already exists on the end devices but if just not exposed in the Omada SDN controller.
I would very much like to see this feature as to me it's one of very few that will have a huge benifit to the cyber security community.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @AshleyT
Thanks for posting in our business forum.
Can you be specific about what you expect to see? As you have mentioned the UBNT, what does their firewall syslog look like?
Would be great if you could show me a picture of that so I can include it in the request report.
- Copy Link
- Report Inappropriate Content
Hi @Clive_A,
Sure. Sorry if this is a ramble but please do ask me to clarify anything further.
The goal of this is to be able to see detailed firewall logs from the routers.
UBNT Unifi Approach
Currently in Unifi there is a single Syslog option much like TPLink, however this option in Unifi enables and disables the syslogs on the devices controlled by the controller rather than syslogs from the controller itself.
This gives really detailed logs from all devices currently in the controller, however, this can be over whelming with the amount of logs being sent.
There is also an option in the Unifi controller to allow logs from certain firewall entries as to whether you would like to collect logs or not from a firewall rule
The Proposed TP-Link Solution
I propose the following to allow for specific syslog events to be fired.
1. Add the logging option to the Gateway, Switch and EAP ACL page
2. Syslog settings are to be pushed down to managed devices
3. For an additional option under each Site to have "ACL logging only". This would then only fire syslog events for the specified ACL rules that have been selected.
An example syslog event would like something like this:
ER605 [WAN] IN DESCR="no rule description" IN=br10 OUT= MAC=e4:38:83:62:7f:c9:e8:d8:d1:58:57:b8:08:00 SRC=10.6.0.34 DST=10.6.0.1 LEN=65 TOS=00 PREC=0x00 TTL=128 ID=13349 PROTO=UDP SPT=64651 DPT=53 LEN=45 MARK=0
Lets break this down
- The first part is the device name
- Next is the traffic direction. For instance this on is a [WAN] IN direction but it could also be LAN->WAN or LAN->LAN
- DESCR, this is the description of the rule from the input of the controller.
- IN is the interface the traffic arrived at
- OUT is the interface the traffic left the device
- MAC... not sure what Unifi have done for this as that is certainly not a MAC address but this should be the source MAC address from the packet
- SRC is the source IP address of the packet
- DST is the destination IP of the packet
- LEN - again not sure what the length is referring to, i would assume the header length of the packet but could be the data length
- TOS - is basically the QoS
- PREC - relating to DSCP
- TTL - Packet time to live
- ID - Packet reference
- Proto - Packet protocol
- SPT - source port of the packet
- DPT - destination port
- LEN - again as stated at point 9 this is either header or data length of the packet
- MARK - and no idea for this
There are a couple of other packet types that also are fired by unifi and i have listed examples of thios below:
ISSUXG [LAN_LOCAL-RET-2147483647] DESCR="no rule description" IN=br0 OUT= MAC=e4:38:83:62:7f:c9:f4:e2:c6:f1:9b:b3:08:00 SRC=10.0.0.123 DST=10.0.0.1 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8080 DPT=32800 SEQ=440557490 ACK=3157500235 WINDOW=28960 ACK SYN URGP=0 UID=0 GID=0 MARK=1c0000
ISSUXG [LAN_LOCAL-RET-2147483647] DESCR="no rule description" IN=br0 OUT= MAC=e4:38:83:62:7f:c9:60:e9:aa:18:4a:95:08:00 SRC=10.0.0.23 DST=10.0.0.1 LEN=40 TOS=00 PREC=0x00 TTL=128 ID=34011 DF PROTO=TCP SPT=52512 DPT=53 SEQ=658760599 ACK=3861139809 WINDOW=512 ACK URGP=0 MARK=0
I hope this all makes sense but just to wrap up.
1. Tick box to be added to ACL entries to log events of the rule
2. Tick box to be added to General settings under Syslog for "ACL Events Only"
3. Push syslog settings down to managed routers, switches and access points.
Many thanks
Ashley
- Copy Link
- Report Inappropriate Content
Hi @AshleyT
AshleyT wrote
Hi @Clive_A,
Sure. Sorry if this is a ramble but please do ask me to clarify anything further.
The goal of this is to be able to see detailed firewall logs from the routers.
UBNT Unifi Approach
Currently in Unifi there is a single Syslog option much like TPLink, however this option in Unifi enables and disables the syslogs on the devices controlled by the controller rather than syslogs from the controller itself.
This gives really detailed logs from all devices currently in the controller, however, this can be over whelming with the amount of logs being sent.
There is also an option in the Unifi controller to allow logs from certain firewall entries as to whether you would like to collect logs or not from a firewall rule
The Proposed TP-Link Solution
I propose the following to allow for specific syslog events to be fired.
1. Add the logging option to the Gateway, Switch and EAP ACL page
2. Syslog settings are to be pushed down to managed devices
3. For an additional option under each Site to have "ACL logging only". This would then only fire syslog events for the specified ACL rules that have been selected.
An example syslog event would like something like this:
ER605 [WAN] IN DESCR="no rule description" IN=br10 OUT= MAC=e4:38:83:62:7f:c9:e8:d8:d1:58:57:b8:08:00 SRC=10.6.0.34 DST=10.6.0.1 LEN=65 TOS=00 PREC=0x00 TTL=128 ID=13349 PROTO=UDP SPT=64651 DPT=53 LEN=45 MARK=0
Lets break this down
- The first part is the device name
- Next is the traffic direction. For instance this on is a [WAN] IN direction but it could also be LAN->WAN or LAN->LAN
- DESCR, this is the description of the rule from the input of the controller.
- IN is the interface the traffic arrived at
- OUT is the interface the traffic left the device
- MAC... not sure what Unifi have done for this as that is certainly not a MAC address but this should be the source MAC address from the packet
- SRC is the source IP address of the packet
- DST is the destination IP of the packet
- LEN - again not sure what the length is referring to, i would assume the header length of the packet but could be the data length
- TOS - is basically the QoS
- PREC - relating to DSCP
- TTL - Packet time to live
- ID - Packet reference
- Proto - Packet protocol
- SPT - source port of the packet
- DPT - destination port
- LEN - again as stated at point 9 this is either header or data length of the packet
- MARK - and no idea for this
There are a couple of other packet types that also are fired by unifi and i have listed examples of thios below:
ISSUXG [LAN_LOCAL-RET-2147483647] DESCR="no rule description" IN=br0 OUT= MAC=e4:38:83:62:7f:c9:f4:e2:c6:f1:9b:b3:08:00 SRC=10.0.0.123 DST=10.0.0.1 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8080 DPT=32800 SEQ=440557490 ACK=3157500235 WINDOW=28960 ACK SYN URGP=0 UID=0 GID=0 MARK=1c0000
ISSUXG [LAN_LOCAL-RET-2147483647] DESCR="no rule description" IN=br0 OUT= MAC=e4:38:83:62:7f:c9:60:e9:aa:18:4a:95:08:00 SRC=10.0.0.23 DST=10.0.0.1 LEN=40 TOS=00 PREC=0x00 TTL=128 ID=34011 DF PROTO=TCP SPT=52512 DPT=53 SEQ=658760599 ACK=3861139809 WINDOW=512 ACK URGP=0 MARK=0
I hope this all makes sense but just to wrap up.
1. Tick box to be added to ACL entries to log events of the rule
2. Tick box to be added to General settings under Syslog for "ACL Events Only"
3. Push syslog settings down to managed routers, switches and access points.
Many thanks
Ashley
Great explanation. I understand what you need. Will record what you suggested.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Hi @AshleyT
Thanks for posting in our business forum.
AshleyT wrote
I hope this all makes sense but just to wrap up.
1. Tick box to be added to ACL entries to log events of the rule
2. Tick box to be added to General settings under Syslog for "ACL Events Only"
3. Push syslog settings down to managed routers, switches and access points.
Many thanks
Ashley
Regarding the requests
- ACL log will be added to the system in V5.15. ETA.
Note this log is not gonna be stored on the Omada Controller. You are required to set up the sys log server to store this ACL log.
- DPI does not support time stamps due to hardware limitations and performance concerns. @kogan
In the short term, we don't have plans to add it.
Please note that this will involve an adapted firmware, not just a controller update. Firmware development is a complex process, and timelines may change. Therefore, we cannot provide a specific release date at this time. Please stay tuned to future firmware release notes for updates.
When introducing a feature like this, we typically apply it uniformly across all models to ensure consistency and a seamless user experience.
However, it's essential to acknowledge that hardware limitations may exist, which might prevent us from adding the feature to certain models. In such cases, we cannot provide individual notifications explaining the reason. Please note that we cannot guarantee the fulfillment of all requests, and we must set clear expectations upfront.
- Copy Link
- Report Inappropriate Content
Hi @Clive_A,
Just a followup question.
You mentioned that DPI doesn't have a time stamp. Does this mean there is still a log that will be fired without a timestamp or that dpi will not be part of this update?
Thanks
Ashley
- Copy Link
- Report Inappropriate Content
Hi @AshleyT
Thanks for posting in our business forum.
AshleyT wrote
Hi @Clive_A,
Just a followup question.
You mentioned that DPI doesn't have a time stamp. Does this mean there is still a log that will be fired without a timestamp or that dpi will not be part of this update?
Thanks
Ashley
It does not have a log but a chart to show what apps or services were used. It has been like this since it was added. No changes or planned update.
In the short term, there will not be a log to it or a time stamp for it due to the reason explained.
- Copy Link
- Report Inappropriate Content
+1 for improved logging. I use a centralised syslog (remote logging) server to help manage my Omada network (s/w controller, ER7412-M2 and several EAP 225's) as well as several synology NASs and some printers.
Currently the ER7412-M2 gateay does not send log entries for IDS or connectivity issues to the remote server. In fact, connecivity issues such as physical disconnection from WAN are not logged locally in Omada SDN either.
Refer seperate topic on this: https://community.tp-link.com/en/business/forum/topic/703550
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Information
Helpful: 13
Views: 802
Replies: 10