Configure log client

When a device is configured to export syslogs to an external syslog server, we call it a syslog client. mbox can function as both a log server/collector (models LOG-500, LOG-1000, LOG-2000) and a log client (CMG and HSG series).

Different vendor products have their own syntax for configuring a syslog client; please consult the respective product guide. This section covers mbox CMG/HSG only.

Typically, there are three types of logging we can enable on mbox CMG and HSG:

  1. Firewall logging. When mbox is used as a gateway (CMG/HSG), we may need to track firewall access logs to trace the details of each access session (timestamp, MAC address, source IP, destination IP, protocol, port number, etc.).
  2. URL logging by proxy (web proxy logging). When mbox is also running as a web proxy (on either CMG or HSG), we may also need to track URL access logs, to trace the exact URLs accessed.
  3. URL logging by DNS. mbox can be configured as the DNS server for users; it resolves destination names/URLs on behalf of the user devices and at the same time logs every DNS request. Since most DNS requests are for URL accesses, we can broadly treat DNS logging as URL logging (although there are minor exceptions such as FTP or VPN accesses).

Configuration steps for a log client:

  1. Enable logging (CMG, HSG)
  2. Configure log-output rules to export the logs

1. ENABLE LOGGING

Because CMG and HSG inspect traffic differently (in particular, HSG maintains a separate set of firewall rules for each hotspot instance), the configuration differs between CMG and HSG.

2. CONFIGURE LOGGING OUTPUT RULES

Similar to the filtering rules on the syslog server, we can configure which type of logs to export and to which servers (log-output xx). Multiple log-output rules can be configured, and they are processed in top-down sequence as well.

log-output <acl> host <collector-ip> <filter>

  • <acl> defines the sequence of the output rules. Like firewall rules, they are processed top-down: once a log is matched by an upper rule, it is not processed by any lower rule, so it's important to plan the rule sequence when there are many rules.
  • <collector-ip> specifies the IP address of the external syslog collector (e.g. LOG-500). Note that if there is a firewall in between, it needs to allow UDP/514 for the traffic to pass through.
  • <filter> defines filtering rules based on syslog fields and determines which logs are exported. Below is a list of the available options:
    • msg <text>: filter by messages containing the configured text
    • fac <facility>: filter by facility (e.g. local1, local2, local3, local4 ... up to local7)
    • prio: filter by log priority/severity (e.g. ALERT, NOTICE, INFO, etc.) containing the configured priority
    • tag: filter by syslog tag containing the configured text
    • all: send all logs

In practice, if we are unsure which filter options to use, we use "all" first so that mbox exports all the logs; we then study the logs in the syslog collector GUI and decide which field to filter on and which text to use.
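As an added illustration (not mbox code), the following Python models the top-down, first-match evaluation of log-output rules described above: it parses rules written in the syntax given on this page, applies the msg/fac/prio/tag/all filters to a few constructed syslog records, and returns the collector each record would be exported to. The exact matching semantics (substring for msg, tag and prio; exact name for fac), the record fields and the second collector address 192.0.2.10 are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class LogOutputRule:
    acl: int              # sequence number; lower ACL is evaluated first
    host: str             # external syslog collector (reached over UDP/514)
    kind: str             # msg | fac | prio | tag | all
    value: Optional[str]  # text to match; None only for "all"

RULE_RE = re.compile(r"^log-output\s+(\d+)\s+host\s+(\S+)\s+(msg|fac|prio|tag|all)(?:\s+(\S+))?$")

def parse_rule(line: str) -> LogOutputRule:
    """Parse one 'log-output <acl> host <collector-ip> <filter> [<text>]' line."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log-output rule: {line!r}")
    acl, host, kind, value = m.groups()
    if (kind == "all") != (value is None):  # "all" takes no text, the others need one
        raise ValueError(f"bad argument count for filter {kind!r}: {line!r}")
    return LogOutputRule(int(acl), host, kind, value)

def matches(rule: LogOutputRule, log: dict) -> bool:
    """Apply one filter to a parsed syslog record (facility, priority, tag, msg)."""
    if rule.kind == "all":
        return True
    if rule.kind == "fac":                     # facility name, e.g. local1 (assumed exact)
        return log["facility"] == rule.value
    if rule.kind == "prio":                    # severity containing the text
        return rule.value.upper() in log["priority"].upper()
    field = "tag" if rule.kind == "tag" else "msg"   # substring match on tag / message
    return rule.value in log[field]

def route(rules, log: dict) -> Optional[str]:
    """First matching rule in ascending ACL order wins; None means not exported."""
    for rule in sorted(rules, key=lambda r: r.acl):
        if matches(rule, log):
            return rule.host
    return None

# Constructed rule set: the two rules from this page plus a catch-all to a second
# collector (192.0.2.10 is a placeholder address, not from the page).
RULES = [parse_rule(l) for l in ("log-output 10 host 49.128.58.68 msg mboxfw",
                                 "log-output 20 host 49.128.58.68 tag klish",
                                 "log-output 30 host 192.0.2.10 all")]

# Constructed syslog records for the three log types the page describes.
LOGS = {"firewall": {"facility": "local1", "priority": "INFO", "tag": "kernel", "msg": "mboxfw: ACCEPT IN=eth1"},
        "cli": {"facility": "local7", "priority": "NOTICE", "tag": "klish", "msg": "admin: show security logging"},
        "dns": {"facility": "local2", "priority": "INFO", "tag": "named", "msg": "query: example.com"}}
```

Moving the catch-all rule above the specific ones (e.g. ACL 5) sends every record to 192.0.2.10, which is the ordering pitfall the ACL bullet warns about.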

Example 1: Enable firewall logging on CMG

For CMG, if we want to log the access details (packets permitted or denied by the mbox firewall), we need to use the "permit-log"/"deny-log" action option.

Below is an example for CMG.

!
firewall-access 1 permit-log outbound eth0 remark "permit and log all accesses out from eth0"
!
log-output 10 host 49.128.58.68 msg mboxfw <---send mbox firewall logs only (change server IP here)
!

LOGGER-PRI# show security logging
Logging service: NOT running
Log-server: running
Log-output: running

Example 1: Enable firewall logging on HSG

For HSG, because each hotspot context maintains its own set of firewall rules, we need to enable "permit-log" within the hotspot context.

!
security hotspot eth1
.....
hotspot-access 1 permit-log remark "permit and log all accesses for authenticated users"
.....
!
log-output 10 host 49.128.58.68 msg mboxfw <---send mbox firewall logs only (change server IP here)
!

Example 2: Enable Command Line Interface (CLI) command logging

It's possible to log the commands issued by engineers and send them to an external log collector for audit purposes.

!
log-output 20 host 49.128.58.68 tag klish <---sends out CLI command logs
!

Example 3. Enable URL logging by web proxy

Please refer to this link for details.

Example 4. Enable URL logging by DNS

Please refer to this link for details.