Configure log collector

When mbox is configured as a syslog collector, it can receive and store logs sent from any external device that supports the standard syslog protocols. The syslogs are parsed and stored in the mbox local MySQL database, where they can be analysed from the GUI and exported to external CSV files.

Configuration steps for a log collector:

  1. Enable MySQL service
  2. Enable log server
  3. Configure log-input rules to determine what types of logs to receive

NOTES:

  • mbox local firewall rules (firewall-input) must permit incoming UDP/514 (syslog)
  • Log-input rules (log-input xx) allow very granular filtering: which hosts to accept logs from, which type of logs to accept, or only logs containing particular text patterns. Multiple filter rules can be configured for complex scenarios. The filter rules work like firewall rules and are matched top down: once a log matches a rule, it is not examined by any later rule.

Configuration EXAMPLES:

  !
  firewall-input 10 permit inbound eth0 udp dport 514 remark "permits incoming syslogs"
  firewall-input 11 permit inbound eth0 tcp dport 80 remark "permits Logviewer GUI via http"
  firewall-input 12 permit inbound eth0 tcp dport 443 remark "permits Logviewer GUI via https"
  !
  mfusion mysql-server
    data-path /data                  <-- stores log data on a mounted drive
    max-conn 1000
    start
  !
  security log-server
    ! can specify multiple filtering rules here, using different rule IDs
    log-input 10 accept msg mboxfw   <-- collects firewall logs (created with permit-log)
    log-input 20 accept tag unbound  <-- collects DNS query logs; see more details
    log-input 30 accept tag klish    <-- collects CLI command logs
    data-lifetime 365 ftp admin Letmein99 172.16.1.2 /Public/data
                                     <-- keep latest 365 days of data online; older data is purged from the local drive
                                     <-- daily backup of data to external ftp server (172.16.1.2)
    start
  !
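To make the top-down, first-match behaviour of log-input rules concrete, here is an added Python model (not mbox's own code) of the three rules from the example above, run over constructed syslog lines. It assumes that `msg` is a substring text-pattern match, that `tag` and `host` are exact matches, and that a log matching no rule is simply not stored.

```python
import re
from dataclasses import dataclass
# Minimal RFC 3164 parser: "<PRI>Mmm dd hh:mm:ss host tag[pid]: msg"; returns None if not syslog
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

@dataclass
class LogInput:  # one "log-input <id> accept <field> <pattern>" rule (a model, not mbox code)
    rule_id: int
    field: str      # "host", "tag" or "msg"
    pattern: str

    def matches(self, rec):
        value = rec.get(self.field) or ""
        if self.field == "msg":          # assumption: msg is a substring text-pattern match
            return self.pattern in value
        return value == self.pattern     # host / tag are compared exactly

def first_match(rules, rec):
    # Top-down, first-match evaluation: the lowest rule ID that matches wins
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(rec):
            return rule.rule_id
    return None                          # no rule matched: the log is not stored

def filter_logs(rules, lines):
    # Return (rule_id, tag) for each accepted line; unparseable or unmatched lines are dropped
    accepted = []
    for line in lines:
        rec = parse_syslog(line)
        rid = first_match(rules, rec) if rec else None
        if rid is not None:
            accepted.append((rid, rec["tag"]))
    return accepted

# The three rules from the sample config above
RULES = [LogInput(10, "msg", "mboxfw"), LogInput(20, "tag", "unbound"), LogInput(30, "tag", "klish")]
# Constructed sample syslog lines; hosts, PIDs and addresses are made up
SAMPLE_LINES = [
    "<134>Mar  3 10:15:02 mbox1 kernel: mboxfw: IN=eth0 SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP DPT=22",
    "<30>Mar  3 10:15:03 mbox1 unbound[812]: info: 10.0.0.5 example.com. A IN",
    "<38>Mar  3 10:15:04 mbox1 klish[1201]: admin: show security logging",
    "<86>Mar  3 10:15:05 host9 sshd[455]: Accepted publickey for ops from 10.0.0.7",
    "<30>Mar  3 10:15:06 mbox1 unbound[812]: info: 10.0.0.5 mboxfw-mirror.example.com. A IN",
]
```

The last sample line is an unbound query whose text happens to contain "mboxfw": rule 10 claims it first, so rule 20 never sees it, which is exactly the top-down behaviour the notes describe; the sshd line matches nothing and is dropped.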

  LOGGER-PRI# show security logging
  Logging service: running
  Log-server: running
  Log-output: NOT running

INFO: refer to the attached complete sample config files for a primary syslog collector (with HA configured).