From 3b5b021e86b90c8383c13eec213b64d25b94e53b Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Fri, 17 Jan 2025 09:45:46 -0700 Subject: [PATCH] documentation for workaround for UFW software firewall for Malcolm ISO should automatically open ports for syslog cisagov/Malcolm#560) --- docs/malcolm-config.md | 1 + docs/malcolm-hedgehog-e2e-iso-install.md | 1 + docs/third-party-logs.md | 13 +++++++++++++ 3 files changed, 15 insertions(+) diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md index e967e0194..aec109cd2 100644 --- a/docs/malcolm-config.md +++ b/docs/malcolm-config.md @@ -43,6 +43,7 @@ Although the configuration script automates many of the following configuration - The following variables configure Malcolm's ability to [accept syslog](https://www.elastic.co/guide/en/beats/filebeat/current/syslog.html) messages: + `FILEBEAT_SYSLOG_TCP_LISTEN` and `FILEBEAT_SYSLOG_UDP_LISTEN` - if set to `true`, Malcolm will accept syslog messages over TCP and/or UDP, respectively + `FILEBEAT_SYSLOG_TCP_PORT` and `FILEBEAT_SYSLOG_UDP_PORT` - the port on which Malcolm will accept syslog messages over TCP and/or UDP, respectively + * If Malcolm is running in an instance installed via the [Malcolm installer ISO](malcolm-iso.md#ISO), please see also [ISO-installed Desktop Environment Firewall](third-party-logs.md#SyslogISOFirewall). + `FILEBEAT_SYSLOG_TCP_FORMAT` and `FILEBEAT_SYSLOG_UDP_FORMAT` - one of `auto`, `rfc3164`, or `rfc5424`, to specify the allowed format for syslog messages over TCP and/or UDP, respectively (default `auto`) + `FILEBEAT_SYSLOG_TCP_MAX_MESSAGE_SIZE` and `FILEBEAT_SYSLOG_UDP_MAX_MESSAGE_SIZE` - defines the maximum message size of the message received over TCP and/or UDP, respectively (default: `10KiB` for UDP, `20MiB` for TCP) + `FILEBEAT_SYSLOG_TCP_MAX_CONNECTIONS` - specifies the maximum current number of TCP connections for syslog messages 
diff --git a/docs/malcolm-hedgehog-e2e-iso-install.md b/docs/malcolm-hedgehog-e2e-iso-install.md index 8bd9e0e5e..99154858e 100644 --- a/docs/malcolm-hedgehog-e2e-iso-install.md +++ b/docs/malcolm-hedgehog-e2e-iso-install.md @@ -241,6 +241,7 @@ The [configuration and tuning](malcolm-config.md#ConfigAndTuning) wizard's quest + Answer **Y** for Malcolm to accept syslog messages according to the RFC3164 and RFC5424 standards over TCP or UDP. * **Enter port for syslog over TCP (e.g., 514) or 0 to disable** and **Enter port for syslog over UDP (e.g., 514) or 0 to disable** - Specify the port numbers on which to accept syslog messages for TCP or UDP, respectively. Other options for configuring how Malcolm accepts and processes syslog messages can be configured via environment variables in [`filebeat.env`](malcolm-config.md#MalcolmConfigEnvVars). + - If Malcolm is running in an instance installed via the [Malcolm installer ISO](malcolm-iso.md#ISO), please see also [ISO-installed Desktop Environment Firewall](third-party-logs.md#SyslogISOFirewall). * **Enable file extraction with Zeek?** - Answer **Y** to indicate that Zeek should [extract files](file-scanning.md#ZeekFileExtraction) transfered in observed network traffic. - **Select file extraction behavior** diff --git a/docs/third-party-logs.md b/docs/third-party-logs.md index f04a15567..86a125584 100644 --- a/docs/third-party-logs.md +++ b/docs/third-party-logs.md @@ -23,6 +23,7 @@ The types of third-party logs and metrics discussed in this document are *not* t - [Convenience Script for Windows](#FluentBitPowerShell) * [Beats](#Beats) * [Syslog](#Syslog) + - [ISO-installed Desktop Environment Firewall](#SyslogISOFirewall) * [Uploading Third-Party Logs](#ThirdPartyUpload) * [Data Format and Visualization](#Data) * [Document Indices](#Indices) 
@@ -324,6 +325,18 @@ Malcolm can accept [syslog](https://en.wikipedia.org/wiki/Syslog) messages direc Other options for configuring how Malcolm accepts and processes syslog messages can be configured via environment variables in [`filebeat.env`](malcolm-config.md#MalcolmConfigEnvVars). + +### ISO-installed Desktop Environment Firewall + +If Malcolm is running in an instance installed via the [Malcolm installer ISO](malcolm-iso.md#ISO), the system's software firewall needs to be manually updated to open the port(s) for Syslog messages. This can be performed via the command line inside a terminal on the Malcolm system, using the port(s) specified during the configuration mentioned above. For example: + +```bash +$ sudo ufw allow 514/tcp +Rule added +$ sudo ufw allow 514/udp +Rule added +``` + ## Uploading Third-Party Logs ### Microsoft Windows Event Logs
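Review bot: In the `docs/malcolm-config.md` hunk (and the two other places that link to it), the cross-references point at `third-party-logs.md#SyslogISOFirewall`, but the heading added in the `docs/third-party-logs.md` hunk is a bare `### ISO-installed Desktop Environment Firewall` with no explicit `SyslogISOFirewall` anchor visible in the diff. Unless the docs build derives that exact id some other way, these links will land nowhere; consider giving the new heading the same explicit anchor form the other linked headings in these docs use (e.g. `### <a name="SyslogISOFirewall"></a>ISO-installed Desktop Environment Firewall`) so that the ToC entry and both new bullets resolve.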
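Review bot: In the new "ISO-installed Desktop Environment Firewall" section of `docs/third-party-logs.md`, the example `sudo ufw allow 514/tcp` / `sudo ufw allow 514/udp` opens the syslog port on every interface to any source, which is broader than most deployments need for a log collector. Suggest the text recommend opening only the protocol(s) actually enabled (`FILEBEAT_SYSLOG_TCP_LISTEN` / `FILEBEAT_SYSLOG_UDP_LISTEN`) and, where the senders are known, scoping the rule to them, e.g. `sudo ufw allow from <syslog-sender-ip> to any port 514 proto udp`, followed by `sudo ufw status` to confirm the rule took effect. Also, "Syslog messages" is capitalized here while the surrounding section uses lowercase "syslog"; keep one form.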