MBM-Log

Log collector for FortiGate units

MBM-Log allows to look deeply in collected logs. (not only Top 10). All charts are generated on demand. You can easily filter data. MBM-Log can help you with FortiGate diagnostics via SSH (built in commands)


Download

Download from sf.net here


Install

1. Install ubuntu 10.04 server
2. Give you server static IP address and install ssh server
3. Copy and unpack rewriter on server
4. As root run install.sh

This will install
- Postgresql 8.4
- Pl-pgsql lang
- OpenJava
- MBM-Log

Configure:
- Postgres password
- Rewriter password (this is new user)

5. Configure Postgresql database

5.1. Edit /etc/postgresql/8.4/main/postgres.conf
Change: #listen_addresses = 'localhost'
To: listen_addresses = '0.0.0.0'

5.2. Edit /etc/postgresql/8.4/main/pg_hba.conf
Add line: host all all 192.168.1.1/24 md5
(your network)

6. Restart database
/etc/init/postgresql-8.4 restart

7. Go to MBM root directory cd /opt/mbm/rewriter/

8. Edit MBM.conf
Change DB configuration.

9. Run MBM-Log
java -jar MBMRewriter.jar &
You should see something like this:

MBM-log Rewriter v 1.06 start ...
Initializing ... OK
Creating event log ... OK - New log file
Reading configuration ... OK
Creating store ... OK
Connecting do DB ... OK
Checking DB integrity ... OK
Opening port 5514... OK
Opening port 514... OK
Waiting for data ...

Done, raporting turned off.
More info in mbm.rew.log

You something goes wrong program will exit and give you hint what is wrong.

10. Edit /etc/rc.local

Add lines:
cd /opt/mbm/rewriter
java -jar MBMRewriter.jar &

(This will start log collector on reboot)

11. Log into FortiGate unit. Go to Log&Report; -> Log Config -> Log Settings.

Configure syslog:
IP/FQDN - You server with rewriter module
Port - 514 (default)
Minimul log level - Information
Facility - Local Server

Enable CSV Format - NO ! ! !
Disable logging DNS events.

Refer to FortiGate log manual to see how to enable loggin on FG.
If you have problem ask on forum.

12. On you computer run MBMReader_ENG.

Go to Setting tab and edit Database and Manager settings.
In few seconds you should be see some logs on reader.
Go to status tab and hit refresh button (two blue arrors in the bottom)


Usage

Getting info:
1. Go to tab that you are intrested in.
2. Choose diagram (combox on top)
3. Fill Filters
4. Hit Execute button
5. Chart is presented
6. Hit Details button

Using obiects:
1. Go to Obiects -> IP Address (f.e.)
2. In new window enter Domain Controller | 192.168.1.10
3. Hit enter and then save button
4. On Src IP Address filter right click and in contex menu there will be you Domain Controller.
5. Choose obiect and filter will be automaticly filled.

Filter use used in like '' expressions so you can use %

Using labels:
1. Go to Obiects -> Labels
2. In new window enter Admin | 192.168.1.11
3. Generate new diagram
4. If there will be result 192.168.1.11 it will be changed to Admin on chart and on detail windows

You can change this behavior in Settings -> Data -> Labels on charts

Labels are perl expressions.

Using SSH
1. Go to Settings Tab. Edit FG settings. (You do not have to fill username and password)
2. Go to CLI tab, and chosse diagnostics windows.
3. In new Windows hit start.

Screenshots