| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| readme.txt | 2013-02-17 | 4.0 kB | |
| Rewriter_ENG.tar.gz | 2013-02-17 | 928.0 kB | |
| Reader_ENG.tar.gz | 2013-02-16 | 1.3 MB | |
| Totals: 3 Items | | 2.2 MB | 0 |
17.02.2013 - Rewriter update. Rewriter exited with an error during the maintenance task - fixed.

MBM-Log
Log collector for FortiGate units (v4 MR3, latest patch)

Licence:
1. You can use this software freely at your company (or home) to collect data.
2. You can modify the code for your own needs.
3. You can NOT gain commercial profit by selling this code or bundling it into another commercial product.

Modules:
1. Rewriter - syslog parser and DB writer (must run on the server)
2. Reader - reads data from the DB (run on your PC)

Install guide:
1. Install Ubuntu 10.04 server.
2. Give your server a static IP address and install an SSH server.
3. Copy and unpack the rewriter on the server.
4. As root, run install.sh. This will install:
   - Postgresql 8.4
   - Pl-pgsql lang
   - OpenJava
   - MBM-Log
   and configure:
   - Postgres password
   - Rewriter password (this is a new user)
5. Configure the Postgresql database.
   5.1. Edit /etc/postgresql/8.4/main/postgres.conf
        Change:  #listen_addresses = 'localhost'
        To:      listen_addresses = '0.0.0.0'
   5.2. Edit /etc/postgresql/8.4/main/pg_hba.conf
        Add line:  host all all 192.168.1.1/24 md5   (your network)
6. Restart the database:
   /etc/init/postgresql-8.4 restart
7. Go to the MBM root directory:
   cd /opt/mbm/rewriter/
8. Edit MBM.conf and change the DB configuration.
9. Run MBM-Log:
   java -jar MBMRewriter.jar &
   You should see something like this:
   MBM-log Rewriter v 1.06 start ...
   Initializing ... OK
   Creating event log ... OK - New log file
   Reading configuration ... OK
   Creating store ... OK
   Connecting do DB ... OK
   Checking DB integrity ... OK
   Opening port 5514... OK
   Opening port 514... OK
   Waiting for data ...
   Done, raporting turned off. More info in mbm.rew.log
   If something goes wrong, the program will exit and give you a hint about what is wrong.
10. Edit /etc/rc.local and add the lines:
    cd /opt/mbm/rewriter
    java -jar MBMRewriter.jar &
    (This will start the log collector on reboot.)
11. Log into the FortiGate unit. Go to Log&Report -> Log Config -> Log Settings.
    Configure syslog:
    IP/FQDN - your server with the rewriter module
    Port - 514 (default)
    Minimum log level - Information
    Facility - Local Server
    Enable CSV Format - NO ! ! !
    Disable logging of DNS events.
    Refer to the FortiGate log manual to see how to enable logging on the FG. If you have problems, ask on the forum.
12. On your computer run MBMReader_ENG. Go to the Settings tab and edit the Database and Manager settings. In a few seconds you should see some logs in the reader. Go to the Status tab and hit the refresh button (two blue arrows at the bottom).

How to use:

Getting info:
1. Go to the tab that you are interested in.
2. Choose a diagram (combo box on top).
3. Fill in the filters.
4. Hit the Execute button.
5. The chart is presented.
6. Hit the Details button.

Using objects:
1. Go to Objects -> IP Address (for example).
2. In the new window enter: Domain Controller | 192.168.1.10
3. Hit enter and then the Save button.
4. Right-click on the Src IP Address filter; the context menu will contain your Domain Controller.
5. Choose the object and the filter will be filled in automatically.
Filters are used in LIKE '' expressions, so you can use %.

Using labels:
1. Go to Objects -> Labels
2. In the new window enter: Admin | 192.168.1.11
3. Generate a new diagram.
4. If the result contains 192.168.1.11, it will be changed to Admin on the chart and in the detail windows.
You can change this behaviour in Settings -> Data -> Labels on charts.
Labels are Perl expressions.

Using SSH:
1. Go to the Settings tab. Edit the FG settings. (You do not have to fill in the username and password.)
2. Go to the CLI tab and choose the diagnostics window.
3. In the new window hit Start.

Known bugs:
1. Sometimes part of a chart disappears when another window was on top of it. Move the mouse over the chart and it will be regenerated.
2. On some Windows systems some SSH diagnostics give no output - probably the font is not installed (Courier New).
3. When chart generation takes very long, it may report only one line with 98 % of overall hits. Two SQL queries are run (top 100 and overall) and a new log entry was inserted between them. Run the query again.
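As an added example (not code from the MBM-Log project), the following Python script parses FortiGate key=value syslog lines, the non-CSV format the install guide requires, and then applies a label mapping the way step 4 of "Using labels" describes. The sample log lines, field names and label patterns are constructed for illustration, and Python regex syntax stands in for the Perl expressions the reader uses.

```python
import re

# Constructed sample lines in FortiGate's default key=value syslog format (the
# install guide insists CSV format stays off); field names/values are assumptions.
SAMPLE_LINES = [
    'date=2013-02-17 time=10:15:01 devname=FG-LAB logid=0000000013 '
    'type=traffic subtype=forward level=notice vd=root srcip=192.168.1.11 '
    'srcport=51234 dstip=10.0.0.5 dstport=443 proto=6 action=accept '
    'policyid=7 sentbyte=1450 rcvdbyte=9821 msg="traffic accepted"',
    'date=2013-02-17 time=10:15:02 devname=FG-LAB logid=0000000013 '
    'type=traffic level=notice srcip=192.168.1.10 dstip=10.0.0.5 dstport=53 '
    'proto=17 action=deny msg="denied by policy 0"',
]

# Labels as entered in Objects -> Labels ("Admin | 192.168.1.11"). The readme says
# labels are Perl expressions; Python's re syntax stands in for them here.
LABELS = {"Admin": r"^192\.168\.1\.11$", "Domain Controller": r"^192\.168\.1\.10$"}

# One key=value token: the value is either a double-quoted string (spaces and
# backslash-escaped quotes allowed) or a run of non-whitespace characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_fortigate_line(line):
    """Parse one key=value FortiGate syslog line into a dict of fields."""
    fields = {}
    for key, raw in _KV.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')  # unquote and unescape
        fields[key] = raw
    return fields


def apply_labels(value, labels=LABELS):
    """Return the label whose expression matches the value, else the value itself."""
    for name, pattern in labels.items():
        if re.search(pattern, value):
            return name
    return value


def count_by_source(lines, labels=LABELS):
    """Count traffic events per labelled source IP, as the reader's chart does."""
    counts = {}
    for line in lines:
        rec = parse_fortigate_line(line)
        if rec.get("type") != "traffic":
            continue  # only traffic logs carry srcip in this example
        src = apply_labels(rec.get("srcip", "unknown"), labels)
        counts[src] = counts.get(src, 0) + 1
    return counts
```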