Sangfor monitoring with ManageEngine Log360

Overview

ManageEngine Log360 offers a comprehensive solution for collecting, analyzing, and reporting on logs generated by Sangfor security and network devices, such as next-generation firewalls (NGFWs), web application firewalls (WAFs), and other security products.

By centralizing log data from Sangfor devices, Log360 provides deep visibility into network security events, user activities, and potential threats, enabling security teams to proactively defend against cyberattacks and ensure compliance with various regulations.

How Log360 collects and analyzes Sangfor logs

Log360 collects logs from Sangfor devices primarily using the standard syslog protocol.

  • Log collection: Log360 receives logs from Sangfor devices over the standard syslog protocol.
  • Log forwarding: Sangfor devices are configured to forward their syslog messages directly to the Log360 server.
  • Log parsing: Log360's parsing engine uses predefined rules to extract key details from Sangfor logs.
  • Extracted details: Key information extracted includes:
    • Source and destination IP addresses
    • Port numbers
    • Security policy hits
    • Detected threats
    • User accounts
    • Application usage
    • Severity levels
  • Data enrichment and analysis: The extracted data is then:
    • Normalized and enriched with contextual information (threat intelligence, geolocation, user identity).
    • Structured into categorized reports and dashboards for streamlined analysis.
  • Flexibility: Log360 also supports custom log parsing, so it can ingest and analyze any human-readable log format from Sangfor devices.

Monitoring and analytics capabilities

Once Sangfor logs are ingested, Log360 delivers the following monitoring and analytical functions:

  • Real-time threat detection: Monitors for anomalies and security incidents reported by Sangfor devices, such as malicious traffic, intrusion attempts, malware detection, and web attacks (e.g., SQL injection), and triggers alerts.
  • User and entity behavior analytics (UEBA): Analyzes user activity logs from Sangfor devices to detect suspicious login patterns, unauthorized access attempts, and other anomalous behaviors that might indicate compromised accounts or insider threats.
  • Network performance and health: Monitors system-level events, resource utilization (CPU, memory), and operational status of Sangfor devices, helping identify performance bottlenecks or potential hardware issues.
  • Application usage and control: Provides visibility into which applications are being used on the network and by whom, as detected and controlled by Sangfor NGAFs, helping enforce application-level policies.
  • Threat intelligence integration: Correlates Sangfor security events with global threat intelligence feeds to identify known malicious IPs, URLs, and attack patterns, enhancing threat detection accuracy.
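The collection, parsing, and alerting flow described in the two sections above, as an added Python example that is not Log360's code and does not use Sangfor's documented log format: the sample lines are constructed in a generic syslog "<PRI>timestamp host tag: key=value" layout, and the key names (src, dst, sport, dport, policy, threat, user, app, severity) are assumptions chosen to match the field list on this page. The parser normalizes each line into the same set of fields the page lists, keeps unparseable lines aside rather than dropping them, and applies a simple severity-threshold rule of the kind a real-time detection alert would use.

```python
import re

# Constructed sample syslog lines in a generic "<PRI>timestamp host tag: key=value ..." layout.
# The key names and layout are ASSUMPTIONS for illustration, not Sangfor's documented format.
SAMPLE_LOGS = [
    '<134>Mar 10 14:22:01 ngaf-01 policy: action=deny src=10.1.5.23 sport=51234 '
    'dst=203.0.113.9 dport=445 policy=block-smb-out user=alice app=SMB severity=medium',
    '<131>Mar 10 14:22:07 ngaf-01 ips: action=alert src=198.51.100.77 sport=40001 '
    'dst=10.1.5.40 dport=80 threat="SQL injection attempt" severity=high',
    '<134>Mar 10 14:22:09 ngaf-01 policy: action=allow src=10.1.5.23 sport=51240 '
    'dst=93.184.216.34 dport=443 policy=web-out user=alice app=HTTPS severity=info',
    'this line is not syslog at all',
]

# BSD-style syslog header: <PRI>, timestamp, host, a tag, then a free-form body.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<tag>[^:\s]+): (?P<body>.*)$'
)
# key=value pairs; values may be quoted so they can contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Device severity labels ranked so that threshold comparisons are well defined.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def _port(value):
    """Return an int port in 0..65535, or None if the field is missing or malformed."""
    if value is None or not value.isdigit():
        return None
    port = int(value)
    return port if 0 <= port <= 65535 else None


def parse_syslog_line(line):
    """Parse one line into a normalized event dict; return None for lines that are not syslog."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    kv = {k: (q if q else b) for k, q, b in KV_RE.findall(m.group("body"))}
    return {
        "timestamp": m.group("ts"),
        "device": m.group("host"),
        "log_source": m.group("tag"),
        "syslog_facility": pri // 8,   # PRI encodes facility*8 + severity
        "syslog_severity": pri % 8,
        "action": kv.get("action"),
        "src_ip": kv.get("src"),
        "src_port": _port(kv.get("sport")),
        "dst_ip": kv.get("dst"),
        "dst_port": _port(kv.get("dport")),
        "policy": kv.get("policy"),
        "threat": kv.get("threat"),
        "user": kv.get("user"),
        "app": kv.get("app"),
        "severity": kv.get("severity", "info").lower(),
    }


def should_alert(event, min_severity="high"):
    """Alert rule: any named threat, or any event at or above the severity threshold."""
    if event["threat"]:
        return True
    return SEVERITY_RANK.get(event["severity"], 0) >= SEVERITY_RANK[min_severity]


def ingest(lines, min_severity="high"):
    """Parse a batch; return (events, alerts, unparsed) the way a collector pipeline would."""
    events, alerts, unparsed = [], [], []
    for line in lines:
        ev = parse_syslog_line(line)
        if ev is None:
            unparsed.append(line)  # left for a custom parsing rule, never silently discarded
            continue
        events.append(ev)
        if should_alert(ev, min_severity):
            alerts.append(ev)
    return events, alerts, unparsed


def count_by(events, key):
    """Simple report helper: how many events share each value of a field (e.g. policy hits)."""
    counts = {}
    for ev in events:
        counts[ev[key]] = counts.get(ev[key], 0) + 1
    return counts


if __name__ == "__main__":
    events, alerts, unparsed = ingest(SAMPLE_LOGS)
    print(f"parsed={len(events)} alerts={len(alerts)} unparsed={len(unparsed)}")
    for ev in alerts:
        print("ALERT", ev["timestamp"], ev["src_ip"], "->", ev["dst_ip"], ev["threat"] or ev["severity"])
    print("policy hits:", count_by(events, "policy"))
```

Unparsed lines are returned rather than discarded so they can be routed to a custom parsing rule, which is the path the page describes for log formats the predefined rules do not cover; the alert threshold is a parameter so the same rule can be tightened to "medium" for a high-value segment without changing the parser.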

Critical Sangfor events monitored

  • Security policy violations: Captures logs when traffic is blocked or allowed based on firewall rules, identifying sources, destinations, and applications involved.
  • Intrusion prevention system (IPS) detections: Monitors alerts from Sangfor's IPS, detailing detected attack signatures, affected hosts, and severity levels.
  • Anti-malware detections: Records instances of malware, viruses, and ransomware detected by Sangfor's security engines (e.g., Engine Zero), including file names, types, and quarantine actions.
  • Web application firewall (WAF) events: Logs events related to web application attacks, such as SQL injection, cross-site scripting, and malware detections on web servers protected by Sangfor WAF.
  • VPN and remote access activity: Tracks VPN connections, user logins and logouts, and data transfer volumes through Sangfor VPN gateways.
  • URL filtering and content blocking: Reports on websites accessed, categories blocked, and user attempts to bypass content filters, ensuring adherence to acceptable use policies (created as a custom report).
  • System and device health: Logs reboots, firmware updates, hardware warnings, and other operational events impacting Sangfor device stability and availability.
  • Configuration changes: Audits administrative access and configuration modifications made to Sangfor devices, providing a trail of "who did what, when, and from where."

Key benefits

  • Centralized security visibility: Aggregates and analyzes logs from all Sangfor security products such as Sangfor NGAF and Sangfor IAM within a unified SIEM console, offering a holistic view of your network's security posture.
  • Proactive threat detection: Detects and alerts on emerging threats and sophisticated attacks identified by Sangfor devices in real time, enabling rapid incident response.
  • Simplified compliance and auditing: Generates out-of-the-box and customizable reports for various compliance mandates (e.g., the GDPR, HIPAA, the PCI DSS) based on Sangfor security logs, easing audit readiness.
  • Enhanced incident response: Provides rich contextual information and correlation capabilities to accelerate the investigation of security incidents originating from or involving Sangfor devices.
  • Improved operational efficiency: Automates log collection, parsing, and analysis, reducing the manual effort required for monitoring Sangfor devices and freeing up security analysts for more strategic tasks.
  • Optimized security posture: Helps identify misconfigurations, policy gaps, and areas of vulnerability within your Sangfor deployment by providing deep analytical insights into device behavior and traffic patterns.

Addressing key Sangfor security challenges

  • Challenge: Overwhelming volume of logs from various Sangfor devices (NGFW, WAF, etc.).
    • How Log360 addresses it: Centralizes, parses, and normalizes logs from all Sangfor products, making them searchable and analyzable from a single console.
  • Challenge: Difficulty in correlating security events across different Sangfor products to identify complex attacks.
    • How Log360 addresses it: Employs a powerful correlation engine with predefined and custom rules to link seemingly disparate events from Sangfor and other sources, detecting multi-stage attacks.
  • Challenge: Lack of real-time alerts for critical security incidents detected by Sangfor devices.
    • How Log360 addresses it: Provides instant, customizable alerts via email, SMS, or ticketing systems for events like malware detections, IPS attacks, WAF violations, and unauthorized access attempts.
  • Challenge: Challenges in demonstrating compliance with regulatory requirements using Sangfor logs.
    • How Log360 addresses it: Offers ready-to-use compliance reports for major regulations (e.g., the PCI DSS, HIPAA, the GDPR) based on Sangfor security events, facilitating collection of audit evidence.
  • Challenge: Limited visibility into user activities and potential insider threats through Sangfor devices.
    • How Log360 addresses it: Utilizes UEBA to analyze user behavior on the network as logged by Sangfor devices, identifying anomalies and suspicious privileged access.
  • Challenge: Manual effort involved in forensic investigations of security incidents originating from Sangfor devices.
    • How Log360 addresses it: Enables rapid, granular search and forensic analysis of raw Sangfor logs, providing detailed timelines and contextual information for incident investigation.

Get started

Enhance your Sangfor security with Log360

Gain a unified perspective on all your Sangfor security events, accelerate your team's ability to detect threats, and simplify your compliance efforts.
