Security logging overview

The mbox series (HSG, CMG, HSA, mlog) has extensive support for user access and system audit logging via syslog. Syslog messages are classified by severity (Emergency, Alert, Critical, Error, Warning, Notice, Informational, Debug) and by facility.

Many regulations, such as the Sarbanes-Oxley Act, PCI DSS and HIPAA, require organizations to implement comprehensive security measures, which often include collecting and analyzing logs from many different sources. Syslog has long been the industry standard for collecting logs from different sources. More details on the syslog protocol are readily available online.

Security logging typically includes the following types of logs:

  • firewall access logs (the most widely used, e.g. logs tracking user accesses permitted or denied by firewall rules)
  • application access logs (e.g. DNS logs, URL logs, web server access logs)
  • user authentication logs (e.g. PAM logs, RADIUS logs)
  • system status logs

This document focuses on mbox's support for security logging, either as a syslog collector (e.g. HSG/mlog) or as a syslog client. Depending on the deployment requirements, mbox can run in either (or both) of two modes:

  • syslog collector. A syslog collector receives logs, either self-originated or incoming from external hosts (log clients), via the standard syslog protocol. The collector then parses the received logs and inserts them into an SQL database, making the stored logs reachable from an intuitive GUI and ready for archival.
    • HSG by default can store user access logs locally, but with limited storage space: usually no more than 10GB is available for storing logs, which is usually enough to hold archived user access logs for up to 90 days.
    • We also offer dedicated collector appliances that function as syslog collectors (the mlog series: LOG-500, LOG-1000, LOG-2000). mlog appliances are special variants of mbox models with additional SSD/HDD storage capacity. The mlog series is typically deployed as a central logging warehouse to consolidate logs from all devices within customer networks. Any device supporting the standard syslog protocol can potentially export its logs to an mlog collector. NOTE: there are third-party open-source converters that convert Windows Event Log into syslog for export to mlog as well.
    • HSG/mlog also come with a built-in log analyzer/GUI to display live incoming logs, with sophisticated search functions for investigation and compliance reporting purposes. NOTE: CMG and HSA cannot function as a log collector.
  • syslog client. Syslog clients are devices that generate messages in syslog format and export them to an external syslog server/collector.
    • NOTE: all mbox product families (CMG, HSG, HSA) can be configured as syslog clients: they track network packets, generate user access logs and export them as syslog messages to a local syslog server (in the case of HSG) or to an external one (mlog or another third-party syslog server).
    • More details of the access logs supported by CMG/HSG/HSA are explained here.
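The following is an added example, not mbox's own collector code, showing the two pieces described above: decoding the syslog PRI header into the severity and facility classes listed at the top of this page, and parsing received lines into an SQL table the way a collector does before a GUI can search them. It handles only BSD-style (RFC 3164) lines, uses SQLite as a stand-in for whatever database HSG/mlog actually use, and all sample lines, hostnames, addresses and rule names are constructed for the example. Malformed lines are kept aside rather than dropped, since an unparseable line in an audit stream is itself worth reviewing.

```python
import re
import sqlite3

# Severity levels 0..7 and facility codes 0..23 as defined for syslog (RFC 3164 / RFC 5424).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# BSD-style (RFC 3164) line: <PRI>Mmm dd hh:mm:ss HOST MESSAGE
BSD_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")

# Constructed sample input (hostname, addresses and rule name are invented for this example).
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 hsg-lab su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Oct 11 22:14:16 hsg-lab fw: deny tcp 10.0.0.5:51234 -> 203.0.113.10:23 rule=block-telnet",
    "<86>Oct 11 22:14:17 hsg-lab sshd[1234]: Accepted password for admin from 10.0.0.7 port 50022",
    "<200>Oct 11 22:14:18 hsg-lab kernel: PRI value out of range",
    "this line is not syslog at all",
]

# Hypothetical table layout; the real HSG/mlog schema is not documented on this page.
SCHEMA = """CREATE TABLE IF NOT EXISTS syslog (
    id INTEGER PRIMARY KEY,
    facility INTEGER NOT NULL,
    severity INTEGER NOT NULL,
    timestamp TEXT NOT NULL,
    host TEXT NOT NULL,
    message TEXT NOT NULL)"""


def parse_syslog(line):
    """Return a dict of decoded fields, or None if the line is not valid BSD syslog."""
    m = BSD_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:          # facility 23, severity 7 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)   # PRI = facility * 8 + severity
    return {
        "facility": facility,
        "facility_name": FACILITIES[facility],
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "timestamp": m.group(2),
        "host": m.group(3),
        "message": m.group(4),
    }


def ingest(lines, db_path=":memory:"):
    """Parse every line and store the valid ones; return the connection and a summary."""
    conn = sqlite3.connect(db_path)
    conn.execute(SCHEMA)
    stored, rejected = 0, []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            rejected.append(line)   # keep malformed input for review, never drop it silently
            continue
        conn.execute(
            "INSERT INTO syslog (facility, severity, timestamp, host, message) VALUES (?, ?, ?, ?, ?)",
            (rec["facility"], rec["severity"], rec["timestamp"], rec["host"], rec["message"]))
        stored += 1
    conn.commit()
    return {"conn": conn, "stored": stored, "rejected": rejected}


def count_at_or_above(conn, severity_name):
    """Count stored messages at least as severe as severity_name (lower number = more severe)."""
    level = SEVERITIES.index(severity_name)
    return conn.execute("SELECT COUNT(*) FROM syslog WHERE severity <= ?", (level,)).fetchone()[0]


if __name__ == "__main__":
    result = ingest(SAMPLE_LINES)
    print(f"stored={result['stored']} rejected={len(result['rejected'])}")
    for fac, sev, host, msg in result["conn"].execute(
            "SELECT facility, severity, host, message FROM syslog"):
        print(f"{FACILITIES[fac]}.{SEVERITIES[sev]} {host} {msg}")
```

Running the block stores three of the five sample lines and rejects two: the line whose PRI of 200 exceeds the legal maximum of 191, and the line with no PRI header at all. Once the facility and severity are columns rather than text, the compliance-style questions a GUI asks (everything at Critical or worse, everything from the auth facility) become ordinary SQL queries.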