Norton Core & Syslog

It looks like the community has been asking for syslog for almost a year. The last update was about 6 months ago. Has any progress been made to allow syslog out of the Norton Core?

It is desperately needed because you have almost zero logging to begin with.  The tool works great when it is working but when it fails, it fails and you have no ability to troubleshoot.

Replies

Kudos1 Stats

Re: Norton Core & Syslog

Hello Eppie. I will PM the Admin for Core and ask if this is being considered for a future firmware release and report when they respond. Given all the threats out in the wild I don't seriously believe access to the internals of Core would be on the table for those reasons. I will repost here when I have a reply.

Cheers

Retired military (Navy 1980-2002) "From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Professional x 64 version 1803 / build 17134.112 / NSBU 22.14.2.13 / Norton Core v.237 / Norton BETA tester
Kudos0

Re: Norton Core & Syslog

Eppie. This feature is on the development team list to look at for a future inclusion. However, myself and admins are in agreement it is seriously doubtful it will ever happen. The obvious reasons for that are the internal security of Core itself. As well as opening avenues for outside intrusion.

Cheers

Retired military (Navy 1980-2002) "From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Professional x 64 version 1803 / build 17134.112 / NSBU 22.14.2.13 / Norton Core v.237 / Norton BETA tester
Kudos0

Re: Norton Core & Syslog

If you are running a flavor of Unix on your appliance, you are most likely already running syslog. To allow someone to receive a syslog feed is an outbound flow from the device which you control. I'm struggling to understand why that would open any additional risk to the appliance. The benefits to opening syslog are huge for customers that want to aggregate their security data. I have a current problem that the device is quarantining my nucleus intercom devices. Because you have no logging and no ability to look at the logs, I'm stuck with support telling me to reset all the devices including the router to solve the problem. Since you don't give us logs, how are we supposed to troubleshoot this issue effectively?
Kudos1 Stats

Re: Norton Core & Syslog

Eppie, have you shaken your phone and sent us logs? If you shake your phone it will automatically send us logs from your router and we can take a look. What is the message from the app when it quarantines your nucleus intercom devices?

In the note when you shake the phone, you can reference your forum name and the fact that you are having a quarantine issue.

Kudos0

Re: Norton Core & Syslog

All: This is just one example of vulnerabilities using a syslog within an OS /syslog server presents. And directly suggests the reasoning for non-browser support for access to Core. Isolation from the OS appears to be the mitigating factor in that design feature.  https://www.cvedetails.com/cve/CVE-2018-1000140/

Cheers

Retired military (Navy 1980-2002) "From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Professional x 64 version 1803 / build 17134.112 / NSBU 22.14.2.13 / Norton Core v.237 / Norton BETA tester
Kudos0

Re: Norton Core & Syslog

If you have an access list or firewall rule that only allows outbound syslog, I'm not sure you have an attack vector exposed.  I've been in Security for a very long time and I'm struggling to understand the risk here.

I can pull up any service ever created and point you at a CVE for it.  Syslog is not a risky service to expose outbound generally speaking.

The fact that you give us no logging, no real information around the attacks, and no capability to export the logs from the device (except to you) limits capable people (like myself) from troubleshooting our own issues. This puts your support into the reboot the device model which is highly ineffective. Now I'm stuck in the worst cycle of trying to get an answer from your support team. It is absolutely horrible.

Just give me my logs.  They are *MY* logs.  Not *YOUR* logs.  Why do you get them but I can't have them?  It's because you don't know how to patch your device from vulnerabilities?

This product is not ready for market.  I have it kicking off devices from the network that aren't infected, and I can only get around 100Mbps out of the device for my gigabit service.  Oh..  And...  NO LOGS...

Kudos3 Stats
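The outbound-only rule described in the post above, written out as an added example; it is not part of the original thread and is not Norton Core configuration. It assumes a Linux-based device that uses nftables and a log collector at 192.0.2.10 (a documentation address, constructed for illustration).

```nftables
#!/usr/sbin/nft -f
# Added example. Assumptions: nftables on a Linux device, collector at
# 192.0.2.10 (constructed), plain syslog on port 514.

define SYSLOG_COLLECTOR = 192.0.2.10

table inet syslog_egress {
    chain input {
        type filter hook input priority 0; policy accept;

        # The device is only ever a syslog client. Nothing from outside may
        # reach port 514 on it, so no syslog listener is exposed even if a
        # daemon were bound to that port by mistake.
        udp dport 514 counter drop
        tcp dport 514 counter drop
    }

    chain output {
        type filter hook output priority 0; policy accept;

        # Log records may leave toward the one collector and nowhere else.
        ip daddr $SYSLOG_COLLECTOR udp dport 514 counter accept

        # Any other destination for syslog is logged and dropped, which also
        # makes a misconfigured or tampered forwarding target visible.
        udp dport 514 log prefix "syslog-egress-denied " counter drop
        tcp dport 514 log prefix "syslog-egress-denied " counter drop
    }
}
```

UDP syslog is one-way, so the collector never needs to send anything back; the counters show whether records are leaving and whether anything tried to reach port 514 from outside.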

Re: Norton Core & Syslog

Eppie. I think Core is not the right router for you. I myself have no need to see the syslogs and I don't think many people that bought the Core have that need or would know what to do with it. I have over 30 years of IT experience as a programmer and it is not of interest to me to play with them. I think the Core is market ready for the market it was designed for and not for somebody like you.

Kudos0

Re: Norton Core & Syslog

MannyT.. Unfortunately, I'm stuck in troubleshooting hell with support. I purchased a $200 device and haven't been able to connect to my network for over a month. The router can't do above 100Mbps out the switch port. The Core is quarantining my 3 Nucleus Intercom. So basically, I'm hoping that my post highlights some issues with this device. I have an open case and it is moving at a snail's pace. I could probably resolve this issue much quicker with the logs. When you have poor support and no logs, my frustration grows. The "Core is not right for you". I agree. Unfortunately, that doesn't get my money back for me. Finally, I am also a long term member of the IT Security area. I'm always extremely skeptical of totally closed devices. This normally is hiding issues that would otherwise be fixed. If you want to get a product out the door with issues, just don't allow anyone to look under the covers.
Kudos0

Re: Norton Core & Syslog

@Eppie As posted earlier this CVE is applicable and is a current CVE. It specifically states syslog and UNIX: https://www.cvedetails.com/cve/CVE-2018-1000140/

A Norton employee Matt_Boucher has suggested sending logs to be analyzed. My suggestion is to start there to determine why and what is isolating devices from your network. Although Core notifications should be telling you what those isolations are.

WHY internal logs are not visible to the end user. It's simply the internal security design of Core. If you can see logs via a web browser, OS explorer, or third party software there most certainly at some point will be an avenue for outside access. Thus again, isolation and accessibility ONLY through verified apps created by Norton. Concerning routers. The list of router vendors who have on device access is very long, so are the vulnerabilities that are associated with that. To date Norton Core has NOT appeared on any CVE that I have checked, and I do so frequently.

Cheers!!!

Retired military (Navy 1980-2002) "From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Professional x 64 version 1803 / build 17134.112 / NSBU 22.14.2.13 / Norton Core v.237 / Norton BETA tester
Kudos0

Re: Norton Core & Syslog

First, I have an open case with Norton support for about a month now. I'm frustrated because I have to babysit the case. They should have escalated over a week ago and it didn't happen. I went back into reboot, reconfigure, etc with a new support person. Just Fail. Unfortunately, the logs are available for download from the Norton Core. This whole thing about vulnerabilities just isn't real. Vulnerabilities can happen in a closed or open system. If you go to http://norton.core/logs.php, then you can get the logs. My logs. You get a debug log tarball and an encryption key. However, it looks like Norton has encrypted the encryption key, so the owner of the logs can't see them. I'm no lawyer, but there might be potential GDPR issues with this device and practice...
Kudos0

Re: Norton Core & Syslog

The URL you linked to isn't HTTPS encrypted and downloads "partner.js" which totally knocked my internet service completely offline when testing. No logs but the download was masked under a compressed tz file.

> However, it looks like Norton has encrypted the encryption key, so the owner of the logs can't see them.

Not having a clue where this link is derived from and knowing it's most likely not a legit Norton link I WILL refer it to Admins for review. @Gayathri_R

Edited: A second download did pull logs from Core. All files ARE encrypted. Please note: The Core app screenshot shows Core was NOT accessible during this download.

Cheers

Retired military (Navy 1980-2002) "From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Professional x 64 version 1803 / build 17134.112 / NSBU 22.14.2.13 / Norton Core v.237 / Norton BETA tester