Configure log collector
When mbox is configured as a syslog collector, it can receive and store logs sent from any external device that supports the standard syslog protocols. Received syslogs are parsed and stored in the mbox local MySQL database, where they can be analysed through the GUI and exported to external CSV files.
Configuration steps for a log collector:
- Enable MySQL service
- Enable log server
- Configure log-input rules to determine what types of logs to receive
- mbox local firewall rules (firewall-input) must permit incoming syslog traffic on UDP port 514
- Extremely granular filtering rules (log-input xx) can be configured to determine which hosts to accept logs from, which types of logs to accept, or to accept only logs containing particular text patterns. Multiple filter rules can be combined for complex scenarios. The filter rules work like firewall rules and are matched from the top down: once a log matches a rule, it is not examined against any subsequent rule.
firewall-input 10 permit inbound eth0 udp dport 514 remark "permits incoming syslogs"
firewall-input 11 permit inbound eth0 tcp dport 80 remark "permits Logviewer GUI via http"
firewall-input 12 permit inbound eth0 tcp dport 443 remark "permits Logviewer GUI via https"
data-path /data <-- stores log data on a mounted drive
! multiple filtering rules can be specified here; use a different rule ID for each
log-input 10 accept msg mboxfw <-- collects firewall logs (created with permit-log)
log-input 20 accept tag unbound <-- collects DNS query logs (see more details)
log-input 30 accept tag klish <-- collects CLI command logs
data-lifetime 365 ftp admin Letmein99 172.16.1.2 /Public/data
<-- keeps the latest 365 days of data online; older data is purged from the local drive
<-- backs up data daily to the external FTP server (172.16.1.2)
LOGGER-PRI# show security logging
Logging service: running
Log-output: NOT running
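To make the top-down, first-match behaviour of the log-input rules concrete, here is an added Python simulation (not mbox code) that parses constructed RFC 3164 syslog lines and applies rules modelled on the three log-input examples above. The rule tuple layout, the hypothetical drop action, and the exact (host/tag) versus substring (msg) matching are assumptions, not documented mbox semantics.

```python
import re

# Constructed sample syslog lines (RFC 3164 form: <PRI>TIMESTAMP HOST TAG: MSG).
SAMPLE_LOGS = [
    "<134>Mar  3 10:15:01 mbox-edge kernel: mboxfw permit-log IN=eth0 PROTO=UDP SRC=10.1.1.5 DPT=53",
    "<30>Mar  3 10:15:02 mbox-edge unbound: info: 10.1.1.5 example.com. A IN",
    "<14>Mar  3 10:15:03 mbox-edge klish: user admin: show security logging",
    "<14>Mar  3 10:15:04 mbox-edge cron: session opened for user root",
    "<30>Mar  3 10:15:05 10.9.9.9 unbound: info: 10.9.9.9 unknown.example. A IN",
]

SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<tag>[^:\s\[]+)(?:\[\d+\])?: ?(?P<msg>.*)$")

# Rules modelled on the page's log-input examples: (rule id, action, field, pattern).
# Rule 5 is hypothetical (the page shows only accept rules); it is here to show that
# an earlier match stops later rules from being consulted.
RULES = [
    (5, "drop", "host", "10.9.9.9"),
    (10, "accept", "msg", "mboxfw"),
    (20, "accept", "tag", "unbound"),
    (30, "accept", "tag", "klish"),
]

def parse_syslog(line):
    """Split one RFC 3164 line into PRI facility/severity, host, tag and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri >> 3, "severity": pri & 7,
            "host": m["host"], "tag": m["tag"], "msg": m["msg"]}

def first_match(rec, rules=RULES):
    """Top-down, first match wins: host/tag compare exactly, msg is a substring test (assumed)."""
    for rule_id, action, field, pattern in rules:
        hit = pattern in rec[field] if field == "msg" else pattern == rec[field]
        if hit:
            return rule_id, action
    return None, "drop"  # assumption: a log that matches no rule is not stored

def collect(lines, rules=RULES):
    """Return the (rule id, host, tag, msg) tuples the collector would store."""
    stored = []
    for rec in filter(None, map(parse_syslog, lines)):
        rule_id, action = first_match(rec, rules)
        if action == "accept":
            stored.append((rule_id, rec["host"], rec["tag"], rec["msg"]))
    return stored
```

Running `collect(SAMPLE_LOGS)` keeps the firewall, DNS and CLI lines under rules 10, 20 and 30, discards the unmatched cron line, and drops the second unbound line at rule 5 before rule 20 is ever consulted.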
INFO: refer to the attached complete sample configuration files for a primary syslog collector (with HA configured).