documentation for workaround for UFW software firewall for Malcolm ISO should automatically open ports for syslog cisagov#560)

Author: mmguero

docs/malcolm-config.md

@@ -43,6 +43,7 @@ Although the configuration script automates many of the following configuration
     - The following variables configure Malcolm's ability to [accept syslog](https://www.elastic.co/guide/en/beats/filebeat/current/syslog.html) messages:
         + `FILEBEAT_SYSLOG_TCP_LISTEN` and `FILEBEAT_SYSLOG_UDP_LISTEN` - if set to `true`, Malcolm will accept syslog messages over TCP and/or UDP, respectively
         + `FILEBEAT_SYSLOG_TCP_PORT` and `FILEBEAT_SYSLOG_UDP_PORT` - the port on which Malcolm will accept syslog messages over TCP and/or UDP, respectively
+            * If Malcolm is running in an instance installed via the [Malcolm installer ISO](malcolm-iso.md#ISO), please see also [ISO-installed Desktop Environment Firewall](third-party-logs.md#SyslogISOFirewall).
         + `FILEBEAT_SYSLOG_TCP_FORMAT` and `FILEBEAT_SYSLOG_UDP_FORMAT` - one of `auto`, `rfc3164`, or `rfc5424`, to specify the allowed format for syslog messages over TCP and/or UDP, respectively (default `auto`)
         + `FILEBEAT_SYSLOG_TCP_MAX_MESSAGE_SIZE` and `FILEBEAT_SYSLOG_UDP_MAX_MESSAGE_SIZE` - defines the maximum message size of the message received over TCP and/or UDP, respectively (default: `10KiB` for UDP, `20MiB` for TCP)
         + `FILEBEAT_SYSLOG_TCP_MAX_CONNECTIONS` - specifies the maximum current number of TCP connections for syslog messages

docs/malcolm-hedgehog-e2e-iso-install.md

@@ -241,6 +241,7 @@ The [configuration and tuning](malcolm-config.md#ConfigAndTuning) wizard's quest
         + Answer **Y** for Malcolm to accept syslog messages according to the RFC3164 and RFC5424 standards over TCP or UDP.
             * **Enter port for syslog over TCP (e.g., 514) or 0 to disable** and **Enter port for syslog over UDP (e.g., 514) or 0 to disable**
                 - Specify the port numbers on which to accept syslog messages for TCP or UDP, respectively. Other options for configuring how Malcolm accepts and processes syslog messages can be configured via environment variables in [`filebeat.env`](malcolm-config.md#MalcolmConfigEnvVars).
+                - If Malcolm is running in an instance installed via the [Malcolm installer ISO](malcolm-iso.md#ISO), please see also [ISO-installed Desktop Environment Firewall](third-party-logs.md#SyslogISOFirewall).
 * **Enable file extraction with Zeek?**
     - Answer **Y** to indicate that Zeek should [extract files](file-scanning.md#ZeekFileExtraction) transfered in observed network traffic.
     - **Select file extraction behavior**

docs/third-party-logs.md

@@ -23,6 +23,7 @@ The types of third-party logs and metrics discussed in this document are *not* t
     - [Convenience Script for Windows](#FluentBitPowerShell)
 * [Beats](#Beats)
 * [Syslog](#Syslog)
+    - [ISO-installed Desktop Environment Firewall](#SyslogISOFirewall)
 * [Uploading Third-Party Logs](#ThirdPartyUpload)
 * [Data Format and Visualization](#Data)
 * [Document Indices](#Indices)
@@ -324,6 +325,18 @@ Malcolm can accept [syslog](https://en.wikipedia.org/wiki/Syslog) messages direc
 
 Other options for configuring how Malcolm accepts and processes syslog messages can be configured via environment variables in [`filebeat.env`](malcolm-config.md#MalcolmConfigEnvVars).
 
+
+### <a name="SyslogISOFirewall"></a>ISO-installed Desktop Environment Firewall
+
+If Malcolm is running in an instance installed via the [Malcolm installer ISO](malcolm-iso.md#ISO), the system's software firewall needs to be manually updated to open the port(s) for Syslog messages. This can be performed via the command line inside a terminal on the Malcolm system, using the port(s) specified during the configuration mentioned above. For example:
+
+```bash
+$ sudo ufw allow 514/tcp
+Rule added
+$ sudo ufw allow 514/udp
+Rule added
+```
+
 ## <a name="ThirdPartyUpload"></a>Uploading Third-Party Logs
 
 ### Microsoft Windows Event Logs