I need to get the logs from our MX and need to take a deeper look what IPs are blocked from the firewall.
Therefor I would like to set up a log server. Is Elasticsearch still state of the art or do you have other recommendations?
I could also use AWS native services, but couldn't find anything that fits right out of the box.
Solved! Go to Solution.
@Fabian1 : Have a look
As @KarstenI states Graylog is pretty useful. Spin up the free version and see how much data your MX is spitting out as per the 5Gb limit for the free version.
I fiddled around with Graylog as well as Splunk and found the latter to be way more performant. The free license offers up to 500MB per day, which is a lot for small environments.
I used Splunk some time ago (and just now I am wearing a Splunk T-Shirt 😀). I really liked it but the free version didn't have any Access-Control. Is that still the case now?
Probably not really important as either are typically operated behind a reverse-proxy. I normally use NGINX on the same VM for this.
True, you still don't get their "native" access control with the free version. That reminds me that I always wanted to try to comine Authelia with it.
Aprt from that, their shirts are still way cool 😄
I installed Graylog, thanks for your help!
The installation is pretty straight forward and has a very nice gui.
I'm just wondering that there are no logs where I can see which traffic was blocked or allowed through the MX.
On other firewalls I can see which rule traffic passes or blocks...
Am I missing something here?
I guess you're missing something here. Here's how it should like (see also https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overv...😞
Inbound Flow: 192.168.10.1 1 948077334.886213117 MX60 flows src=39.41.X.X dst=114.18.X.X protocol=udp sport=13943 dport=16329 pattern: 1 all Outbound Flow: 192.168.10.1 1 948136486.721741837 MX60 flows src=192.168.10.254 dst=126.96.36.199 mac=00:18:0A:XX:XX:XX protocol=udp sport=9562 dport=53 pattern: allow all Summary: The inbound flow example shows a blocked UDP flow from 39.41.X.X to the WAN IP of the MX. The outbound flow shows an allowed outbound flow for a DNS request.
How does your Syslog configuration look like?
Oh Yeah I found some of these, unfortunately just a few
<134>1 1636619339.383779076 DE_WASTE_BIO_SCHKO_01_MX001 flows src=10.X.X.X dst=10.X.X.X mac=X:X:X:X protocol=tcp sport=54082 dport=13000 pattern: 0 all
But most look like this:
<134>1 1636619576.273300189 DE_WASTE_WSM_BERNB_01_MX001 ip_flow_start src=172.X.X.X dst=188.8.131.52 protocol=udp sport=33014 dport=53 translated_src_ip=192.X.X.X translated_port=33014
Maybe because most of the logs are stateless and not firewall relevant?
Do you have logging/syslog enabled for the firewall rules? There is a check box on the firewall rules that needs to be checked to enable Syslog generation by the rule.
I use Visual Syslog Server for Windows (maxbelkov.github.io) [which is free] installed on an on-prem PC/server and does not have any bandwidth restrictions.