Log collector for FortiGate units
MBM-Log lets you look deeply into collected logs (not only the Top 10). All charts are generated on demand, and you can easily filter the data. MBM-Log can also help you with FortiGate diagnostics over SSH (built-in commands).
Download it from sf.net.
1. Install Ubuntu 10.04 Server.
2. Give your server a static IP address and install an SSH server.
3. Copy the rewriter to the server and unpack it.
4. As root, run install.sh
This will install and set up:
- PostgreSQL 8.4
- the PL/pgSQL language
- the postgres user's password
- the rewriter user's password (rewriter is a new user)
5. Configure Postgresql database
5.1. Edit /etc/postgresql/8.4/main/postgresql.conf
Change: #listen_addresses = 'localhost'
To: listen_addresses = '0.0.0.0'
5.2. Edit /etc/postgresql/8.4/main/pg_hba.conf
Add line: host all all 192.168.1.1/24 md5
6. Restart the database.
7. Go to the MBM root directory: cd /opt/mbm/rewriter/
8. Edit MBM.conf
Change the DB configuration.
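Steps 5 and 6 can be scripted so that running them a second time does not duplicate the pg_hba.conf rule. The block below is an added example, not part of MBM-Log or its install.sh; it assumes the Ubuntu 10.04 file paths from step 5 and runs here against constructed sample files in a temporary directory. The listen address and client network are parameters: the guide uses '0.0.0.0' and 192.168.1.1/24, but binding to the server's own address and allowing only the host that runs MBMReader (a /32) keeps port 5432 reachable from as few machines as possible, with a host firewall rule on 5432 as the usual complement.

```shell
#!/bin/sh
# Added example, not part of MBM-Log: apply the PostgreSQL changes from steps 5.1-5.2
# idempotently. Real paths on Ubuntu 10.04 (assumed from the guide):
#   /etc/postgresql/8.4/main/postgresql.conf and /etc/postgresql/8.4/main/pg_hba.conf

# set_listen_addresses FILE ADDR
# Rewrites the listen_addresses line (commented out or not) to ADDR;
# appends one if the file has none. Portable: no GNU-only "sed -i".
set_listen_addresses() {
    _file="$1"; _addr="$2"
    if grep -q '^#*listen_addresses' "$_file"; then
        sed "s|^#*listen_addresses *=.*|listen_addresses = '$_addr'|" "$_file" > "$_file.tmp" \
            && mv "$_file.tmp" "$_file"
    else
        printf "listen_addresses = '%s'\n" "$_addr" >> "$_file"
    fi
}

# get_listen_addresses FILE
# Prints the effective (uncommented) listen_addresses value, or nothing.
get_listen_addresses() {
    sed -n "s|^listen_addresses *= *'\([^']*\)'.*|\1|p" "$1"
}

# add_hba_rule FILE NET
# Appends "host all all NET md5" unless that exact rule is already present.
add_hba_rule() {
    _file="$1"; _rule="host all all $2 md5"
    grep -qxF "$_rule" "$_file" || printf '%s\n' "$_rule" >> "$_file"
}

# count_hba_rules FILE NET
# Number of exact "host all all NET md5" lines (shows the second run added nothing).
count_hba_rules() {
    grep -cxF "host all all $2 md5" "$1" || true
}

# Demo on constructed files; the content is sample text, not copied from a real server.
demo() {
    _dir=$(mktemp -d)
    printf "#listen_addresses = 'localhost'\t# what IP address(es) to listen on\nport = 5432\n" \
        > "$_dir/postgresql.conf"
    printf "local all all ident\nhost all all 127.0.0.1/32 md5\n" > "$_dir/pg_hba.conf"

    set_listen_addresses "$_dir/postgresql.conf" "0.0.0.0"  # value the guide uses
    add_hba_rule "$_dir/pg_hba.conf" "192.168.1.1/24"
    add_hba_rule "$_dir/pg_hba.conf" "192.168.1.1/24"       # repeat: no duplicate line

    echo "postgresql.conf:"; cat "$_dir/postgresql.conf"
    echo "pg_hba.conf:";     cat "$_dir/pg_hba.conf"
    rm -rf "$_dir"
}
demo
```

To apply it on the real server, source the file as root and call set_listen_addresses on postgresql.conf and add_hba_rule on pg_hba.conf with the values you want, then restart PostgreSQL as in step 6.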
9. Run MBM-Log
java -jar MBMRewriter.jar &
You should see something like this:
MBM-log Rewriter v 1.06 start ...
Initializing ... OK
Creating event log ... OK - New log file
Reading configuration ... OK
Creating store ... OK
Connecting do DB ... OK
Checking DB integrity ... OK
Opening port 5514... OK
Opening port 514... OK
Waiting for data ...
Done, raporting turned off.
More information is in mbm.rew.log.
If something goes wrong, the program exits and gives you a hint about what is wrong.
10. Edit /etc/rc.local
java -jar MBMRewriter.jar &
(This will start the log collector on reboot.)
11. Log into the FortiGate unit. Go to Log & Report -> Log Config -> Log Settings.
IP/FQDN - your server with the rewriter module
Port - 514 (default)
Minimum log level - Information
Facility - Local Server
Enable CSV Format - NO ! ! !
Disable logging of DNS events.
Refer to the FortiGate log manual to see how to enable logging on the FG.
If you have a problem, ask on the forum.
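Before pointing the FortiGate at the collector, it is worth confirming that the rewriter accepts a syslog datagram on UDP 514 from the reader network. The block below is an added example, not part of MBM-Log: it builds one RFC 3164 style line with the PRI value for the facility and level chosen in step 11 (local7 is assumed for the "Local" facility; Information is severity 6, so the PRI is 190) and a constructed FortiGate-style key=value body (space-separated, not CSV, as the guide requires). The device name, the body and the MBM_COLLECTOR variable are assumptions. Sending uses bash's /dev/udp; under plain sh, pipe the line into nc -u instead.

```shell
#!/bin/sh
# Added example, not part of MBM-Log: send one constructed syslog line to the collector
# so the path "network -> UDP 514 -> rewriter -> DB -> reader" can be checked end to end
# without a FortiGate. Values below are constructed for illustration.

# facility_code NAME -> numeric syslog facility (RFC 3164 table, subset)
facility_code() {
    case "$1" in
        kern) echo 0 ;;   user) echo 1 ;;   daemon) echo 3 ;;  syslog) echo 5 ;;
        local0) echo 16 ;; local1) echo 17 ;; local2) echo 18 ;; local3) echo 19 ;;
        local4) echo 20 ;; local5) echo 21 ;; local6) echo 22 ;; local7) echo 23 ;;
        *) echo "unknown facility: $1" >&2; return 1 ;;
    esac
}

# severity_code NAME -> numeric severity; "information" is the level step 11 selects
severity_code() {
    case "$1" in
        emergency) echo 0 ;; alert) echo 1 ;;  critical) echo 2 ;;        error) echo 3 ;;
        warning) echo 4 ;;   notice) echo 5 ;; information|info) echo 6 ;; debug) echo 7 ;;
        *) echo "unknown severity: $1" >&2; return 1 ;;
    esac
}

# syslog_pri FACILITY SEVERITY -> PRI = facility * 8 + severity (local7/information = 190)
syslog_pri() {
    echo $(( $(facility_code "$1") * 8 + $(severity_code "$2") ))
}

# build_syslog_line FACILITY SEVERITY TIMESTAMP HOST MSG -> "<PRI>TIMESTAMP HOST MSG"
build_syslog_line() {
    printf '<%s>%s %s %s' "$(syslog_pri "$1" "$2")" "$3" "$4" "$5"
}

# send_udp HOST PORT LINE -- bash only (/dev/udp); a collector needs no reply, so no read
send_udp() {
    printf '%s' "$3" > "/dev/udp/$1/$2"
}

# Constructed FortiGate-style body (key=value pairs, not CSV); the device and IPs are made up.
TS=$(date '+%b %e %T')
BODY='date=2013-05-01 time=12:00:00 devname=fg-test type=traffic subtype=forward srcip=192.168.1.10 dstip=192.168.1.1 action=accept msg="mbm test message"'
LINE=$(build_syslog_line local7 information "$TS" "fg-test" "$BODY")
echo "$LINE"

# Only transmit when the collector address is given, e.g. MBM_COLLECTOR=192.168.1.5 sh test.sh
if [ -n "${MBM_COLLECTOR:-}" ]; then
    send_udp "$MBM_COLLECTOR" 514 "$LINE"
fi
```

Set MBM_COLLECTOR to the rewriter's IP to actually send, then look for the line in mbm.rew.log and on the reader's Status tab. On the collector, `netstat -lun` should list ports 514 and 5514 once step 9 has run; if it does not, the rewriter is not listening and the FortiGate settings are not the problem.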
12. On your computer, run MBMReader_ENG.
Go to the Settings tab and edit the Database and Manager settings.
Within a few seconds you should see some logs in the reader.
Go to the Status tab and hit the Refresh button (two blue arrows at the bottom).
1. Go to the tab that you are interested in.
2. Choose a diagram (combo box at the top).
3. Fill in the filters.
4. Hit the Execute button.
5. The chart is presented.
6. Hit the Details button.
1. Go to Objects -> IP Address (for example).
2. In the new window, enter Domain Controller | 192.168.1.10
3. Hit Enter and then the Save button.
4. Right-click on the Src IP Address filter; your Domain Controller will be in the context menu.
5. Choose the object and the filter will be filled in automatically.
Filters are used in LIKE '' expressions, so you can use %.
1. Go to Objects -> Labels
2. In the new window, enter Admin | 192.168.1.11
3. Generate a new diagram.
4. If 192.168.1.11 appears in the result, it will be shown as Admin on the chart and in the details window.
You can change this behavior in Settings -> Data -> Labels on charts.
Labels are Perl expressions.
1. Go to the Settings tab and edit the FG settings. (You do not have to fill in the username and password.)
2. Go to the CLI tab and choose the Diagnostics window.
3. In the new window, hit Start.