Configure log client
When a device is configured to export syslogs to an external syslog server, we call it syslog client. HSG can function as both log server/collector and log client. CMG and HSA work as log clients only.
Different vendor products have their own syntax in tracking firewall access logs and enabling syslog exports, please consult respective product guide. This section covers CMG/HSG/HSA only.
Typically, there are three types of logging we can enable on CMG/HSG/HSA:
- Firewall logging. When mbox is used as a gateway, we need to track firewall access logs, to trace each connection details (times-stamp, MAC address, source IP, destination IP, protocols, port number, etc).
- URL logging by proxy (web proxy logging). When mbox is also running as a web proxy, we can potentially track full URL access logging. It works well for http only.
- URL logging by DNS (DNS logging). mbox can be configured as proxy DNS sever for internal users. It intercepts user DNS requests, works with external name-server to resolve destination names/URLs on behalf of users, and at the same time logs every DNS requests. Since most of the DNS requests are for web accesses, we can broadly conclude DNS logging as URL logging. It works well for both http and https sites.
Configuration steps for a log client:
- Enable logging (CMG, HSG, HSA)
- Configure log-out rules to export out logs
1. ENABLE LOGGING
We use firewall-access rules to log each packet passing through mbox, eg.
firewall-access xx permit-log .......orfirewall-access xx deny-log .......
It is important to know that HSG/HSA maintain a separate set of firewall rules for each hotspot instance, so we enable logging using hotspot-access rules under each hotspot instance.
hotspot-access xx permit-log orhotspot-access xx deny-log
2. CONFIGURE LOGGING OUTPUT RULES
Similar to syslog server log-input filtering rules, we can also configure what type of logs to export out and to which servers (using log-output xx command). If there're multiple log-output rules, they work in top-down sequences.
log-output <acl> host <collector-ip> <filter>
- <ACL Number> defines sequence of output rules. It is like firewall rules, processed from top-down, once a log is matched with an upper rule, it will not be processed by lower rules. So it's important to plan the rules sequence when we have many rules.
- <collector-ip> specifies the IP address of external syslog collector (eg. LOG-500). Note if there's firewall in between, firewall needs to open UDP/514 for the traffic to pass through.
- <filter> defines filtering rules based on syslog fields to determine the matched logs to export. below is a list of available options:
- msg <text> filter by messages containing configured text
- fac <facility> filter by facility (eg. local1, local2, local3, local4...up to local7)
- prio filter by log priority/severity (eg. ALERT, NOTICE, INFO, etc), containing the configured priority.
- tag filter by syslogtag, containing the configured text.
- all send all logs
In real practice, if we are unsure which filter options to use, we use "all" first, then mbox will export out all the logs. After we study the logs from syslog collector GUI and decide what field to use for filtering, we will tune the log-out rules for better control.
- once you configure mbox as log client, the matched logs will be sent out and not locally available any more (can't even see from CLI also).
- If you're keeping local logs for HSG, do NOT configure log-out rules for HSG. Just enable logging and configure local log-server.
Example 1: Enable firewall logging on CMG
For CMG, If we want to log the access details (packets passing/denied through mbox firewall), we need to use the "permit-log/deny-log" action option.
Below is an example for CMG.!firewall-access 1 permit-log outbound eth0 remark "permit and log all accesses out from eth0"!log-output 10 host 18.104.22.168 msg mboxfw <---send mbox firewall logs (change server IP here)log-output 11 host 22.214.171.124 tag unbound <---send mbox DNS logs (change server IP here)!LOGGER-PRI# show security loggingLogging service: NOT runningLog-server: runningLog-output: running
Example 2: Enable firewall logging on HSG
For HSG, because each hotspot context maintains its own set of firewall rules, we need to enable "permit-log" within hotspot context.!security hotspot eth1 ..... hotspot-access 1 permit-log remark "permit and log all accesses for authenticated users" .....!log-output 10 host 126.96.36.199 msg mboxfw <---export out firewall logs (change server IP here)log-output 11 host 188.8.131.52 tag unbound <---export out DNS logs (change server IP here)!
Example 3: Enable CLI commands logging
It's possible to log CLI commands typed by engineers, and send to external log collector for audit reference purposes.!log-output 20 host 184.108.40.206 tag klish <---sends out CLI command logs!
Example 4: Enable firewall logging on HSA
For HSA, If we want to log the access details (packets passing/denied through mbox firewall), we use the "permit-log/deny-log" action option.!firewall-access 10 permit-log outbound eth0 remark "permit and log all accesses out from eth0"!security hotspot br-vlan10 ..... hotspot-access 10 permit-log remark "permit and log all accesses for authenticated users" .....!
log-output 220.127.116.11 level 6 <--- export as level 6 logs to collector!