Configure log collector

When mbox is configured as a syslog collector/server (HSG or mlog), it can receive and store logs exported from local or external devices via the standard syslog protocol. The received syslog messages are parsed and stored in a local SQL database, where they can be viewed in the GUI for analysis and exported to external CSV files.

Configuration steps for a log collector (log-server):

  1. Enable MySQL service
  2. Enable log server
  3. Configure log-input rules to determine what types of logs to receive

NOTES:

  • The collector's local firewall rules (firewall-input) must permit incoming syslog traffic on UDP/514.
  • Extremely granular filtering rules (log-input xx) can be configured to accept logs only from allowed hosts, only of particular types, or only those containing particular text patterns.
  • log-input rules can be combined for complex scenarios. They work like firewall rules and are matched from the top down (first matching rule wins).

Configuration EXAMPLES:

  !
  firewall-input 10 permit inbound eth0 udp dport 514 remark "permits incoming syslogs"
  firewall-input 11 permit inbound eth0 tcp dport 80 remark "permits local GUI via http"
  firewall-input 12 permit inbound eth0 tcp dport 443 remark "permits local GUI via https"
  !
  mfusion mysql-server
    data-path /data      <-- stores log data on a mounted drive (for mlog appliance, with additional HDD; see more details here.)
    max-conn 100
    start
  !
  security log-server
    ! can specify multiple filtering rules here, using different rule IDs
    log-input 10 accept msg mboxfw     <-- collects firewall logs (created with permit-log)
    log-input 20 accept tag unbound    <-- collects DNS query logs (see more details)
    log-input 30 accept tag klish      <-- collects CLI command logs
    start
  !

  LOGGER-PRI# show security logging
  Logging service: running
  Log-server: running
  Log-output: NOT running
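To see how the three log-input rules above sort incoming messages, here is an added Python simulation of the collector's rule evaluation (example code, not part of mbox or this page's sample config). It assumes that "msg" matches a substring of the message body, that "tag" matches the syslog process tag exactly, and that a message matching no rule is dropped; the sample syslog lines are constructed.

```python
import re
from dataclasses import dataclass

# BSD-style syslog line: <PRI>TIMESTAMP HOST TAG[pid]: MESSAGE
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Constructed sample messages as a collector would receive them on UDP/514.
SAMPLE_LOGS = [
    "<4>Mar  1 10:00:01 hsg-edge kernel: mboxfw permit-log IN=eth0 PROTO=UDP DPT=53",
    "<30>Mar  1 10:00:02 hsg-edge unbound[812]: info: 10.0.0.5 example.com. A IN",
    "<86>Mar  1 10:00:03 hsg-edge klish[900]: admin: show security logging",
    "<38>Mar  1 10:00:04 hsg-edge sshd[1023]: Accepted publickey for admin",
]

def parse_syslog(line):
    """Split a syslog line into fields; PRI = facility * 8 + severity."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["facility"], rec["severity"] = divmod(int(rec["pri"]), 8)
    return rec

@dataclass
class LogInputRule:
    rule_id: int
    field: str    # "host", "tag" or "msg" (matching semantics assumed)
    pattern: str

    def matches(self, rec):
        if self.field == "msg":
            return self.pattern in rec["msg"]      # assumed: substring match
        return rec[self.field] == self.pattern     # assumed: exact match

# The log-input rules from the sample config, in rule-ID order.
RULES = [
    LogInputRule(10, "msg", "mboxfw"),
    LogInputRule(20, "tag", "unbound"),
    LogInputRule(30, "tag", "klish"),
]

def evaluate(rules, line):
    """Return the ID of the first rule accepting the line, or None (dropped)."""
    rec = parse_syslog(line)
    if rec is None:
        return None
    for rule in sorted(rules, key=lambda r: r.rule_id):   # top-down match
        if rule.matches(rec):
            return rule.rule_id
    return None
```

Messages without a matching rule (the sshd line here) never reach the database, which is why the rule set should be reviewed whenever a new log source is pointed at the collector.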

INFO: refer to the attached complete sample config files for a primary syslog collector (with HA configured).