Setting Up Automatic Upload of Log Files

Learn how to set up automatic, ongoing uploading of log files from your firewall to Oracle CASB Cloud Service — Discovery.

Objective: Setting up ongoing, automatic upload of log files from your firewall ensures that use of applications or plug-ins that do not have explicit organizational approval is monitored continuously.

Prerequisites:

  1. Oracle CASB Cloud Service — Discovery must be enabled on your Oracle CASB Cloud Service tenant.

    If the Discovery option does not appear on the Navigation menu, Oracle CASB Cloud Service — Discovery is not enabled. To enable it, see Subscribing to Oracle CASB Cloud Service — Discovery.

  2. Your firewall must be one of those listed in the Upload log file for analysis dialog box, opened from the Discovery page by clicking the Import from Logs button.

    To enable your firewall in the list, see About Discovering Shadow Applications.

  3. It is strongly recommended that you perform a test on a sample firewall log file before attempting to set up automatic uploading of log files from that firewall. See Manually Uploading a Log File.

To set up automatic upload of log files:

Note:

The maximum volume of log file data that can be automatically uploaded in a single day is 10 GB. Once that limit is reached, automatic uploading stops for that day, then resumes the next day.

  1. Request a syslog-ng.conf file that is customized to forward logs from your firewall to Oracle CASB Cloud Service — Discovery.

    Contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) to register before you can submit service request tickets. Alternatively, you can contact your Oracle CASB Customer Success Manager.

    You must provide a sample log file from your firewall to Oracle Support.

    The sample log file should contain a representative sample of the traffic through your firewall that involves applications or plug-ins that do not have explicit organizational approval. For a list of the fields that are required for processing by Oracle CASB Cloud Service — Discovery, see Required Log Fields.

  2. Configure your firewall to push log files to your syslog server.

    See the documentation for your firewall for instructions.

    Note:

    Ensure that when configuring the program that will push data to Oracle CASB Cloud Service — Discovery, you specify the IP address for the endpoint that is specific to your Oracle CASB Cloud Service tenant:

    • OCI US uses 147.154.109.206

    • OCI EU uses 138.1.40.53

  3. When you receive the syslog-ng.conf file, copy it to the /etc/syslog-ng directory on your syslog server, replacing the syslog-ng.conf file at that location.
  4. Download the log collector certificate.
    1. Click the App Discovery Settings icon to the right of the Import from Logs button.
    2. In the App Discovery Settings dialog box, click the Download button at the bottom, to the right of “Oracle CASB Cloud Service log collector certificate.”
    3. In the Opening logs-dev.palerra.net.zip dialog box, select Save File.

      The file is automatically saved to your Downloads directory.

    4. Unzip the logs-dev.palerra.net.zip file and copy the .crt files to the /etc/syslog-ng/cs/ directory on your syslog-ng server:
      • On Windows, copy the files from the top level of the .zip file.

      • On Mac OS X, copy the files from the __MACOSX folder in the .zip file.

  5. Restart the syslog-ng service.
  6. In the Oracle CASB Cloud Service console, select Discovery from the Navigation menu.

    Within 2-3 hours, you should start to see information about stealth applications or plug-ins.

    • Before that happens, there are no visible changes on the Discovery page.

    • You can check the System Audit Trail report to see how the auto-upload is progressing. Look for entries where the EVENT is PushAutoLogStatus and DESCRIPTION is Auto log status updated. See Log File Processing Stages.
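
A pre-restart check for steps 2 through 4, as an added example that is not part of Oracle's documentation: it confirms that the replaced syslog-ng.conf names the endpoint address for your tenant and not the other one, and that the certificate directory holds at least one .crt file. It assumes the customized configuration refers to the endpoint by IP literal; the function names and the sample destination line are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: pre-restart check for the forwarding setup (hypothetical helper names).

# Tenant endpoint addresses as listed in step 2 of this page.
endpoint_for_region() {
  case "$1" in
    us) echo "147.154.109.206" ;;
    eu) echo "138.1.40.53" ;;
    *)  return 1 ;;
  esac
}

# Print each distinct IPv4 literal found outside comments in a syslog-ng config.
config_ips() {
  sed 's/#.*//' "$1" | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# check_forwarding REGION CONF CERT_DIR
# 0 = config names only REGION's endpoint and CERT_DIR holds a .crt file;
# 1 = a check failed; 2 = bad arguments.
check_forwarding() {
  local region="$1" conf="$2" certdir="$3" want other r rc=0
  want=$(endpoint_for_region "$region") || { echo "unknown region: $region" >&2; return 2; }
  [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
  if ! config_ips "$conf" | grep -qxF "$want"; then
    echo "FAIL: $conf does not reference $want ($region endpoint)" >&2; rc=1
  fi
  for r in us eu; do
    other=$(endpoint_for_region "$r")
    if [ "$other" != "$want" ] && config_ips "$conf" | grep -qxF "$other"; then
      echo "FAIL: $conf references the $r endpoint $other" >&2; rc=1
    fi
  done
  if ! ls "$certdir"/*.crt >/dev/null 2>&1; then
    echo "FAIL: no .crt files in $certdir" >&2; rc=1
  fi
  return "$rc"
}

# Constructed sample of a line this check would accept for a US tenant
# (port and option values are illustrative, not Oracle's):
#   destination d_casb { network("147.154.109.206" port(6514) transport("tls")); };

# Usage: ./check_forwarding.sh us /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/cs
if [ "$#" -eq 3 ]; then
  check_forwarding "$@"
fi
```

Running `syslog-ng --syntax-only` on the new file before the restart in step 5 catches parse errors that this check does not look for.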