Splunk is awesome. Gl2 I haven't used yet. I should remedy that.

On Dec 28, 2016 12:40 PM, "Josh Baird" <[email protected]> wrote:

> The simplest thing to do is to just run rsyslogd on a Linux host somewhere on your network and push all of your devices' syslog to that host. It's trivial to configure rsyslogd to write each device's logs to a separate path/file, configure log rotation, etc.
>
> If you need something beyond that (with search/matching/alerting/visualization capabilities) you could start looking at Graylog2, an ELK stack (with Kibana) or Splunk.
>
> On Wed, Dec 28, 2016 at 1:36 PM, Adam Moffett <[email protected]> wrote:
>
>> Actually I'd love suggestions on that front too.
>> I've looked at Splunk, Graylog, and Zabbix all pretty recently. None of them really excited me, to be honest.
>>
>> Splunk had the interesting ability to automatically indicate messages that were statistically normal... it just seemed like there was a lot going on and a lot of features I would never use.
>>
>> I don't really know what my criteria are for the perfect log collector/analyzer, I just don't think I've seen it yet :)
>>
>> ------ Original Message ------
>> From: "Faisal Imtiaz" <[email protected]>
>> To: [email protected]
>> Sent: 12/28/2016 12:28:20 PM
>> Subject: Re: [AFMUG] Mikrotik - Carrier Grade NAT methods
>>
>> yes... which leads back to a full circle on another aspect of ISP/NSP/WISP systems...
>>
>> Centralized Syslog with / easy access to retrieve info..
>>
>> Lots of desired functionality, Monitoring, DDOS, logging etc etc would lead back to a centralized logging system.
>>
>> :)
>>
>> Faisal Imtiaz
>> Snappy Internet & Telecom
>> 7266 SW 48 Street
>> Miami, FL 33155
>> Tel: 305 663 5518 x 232
>>
>> Help-desk: (305)663-5518 Option 2 or Email: [email protected]
>>
>> ------------------------------
>>
>> From: [email protected]
>> To: [email protected]
>> Sent: Wednesday, December 28, 2016 11:26:39 AM
>> Subject: Re: [AFMUG] Mikrotik - Carrier Grade NAT methods
>>
>> Yeah, DHCP lease info is the thing to save.
>>
>> From: Adam Moffett
>> Sent: Wednesday, December 28, 2016 9:21 AM
>> To: [email protected]
>> Subject: Re: [AFMUG] Mikrotik - Carrier Grade NAT methods
>>
>> I think Eric is saying if you're going to the effort of logging NAT translations then you also should log DHCP assignments. Which is true.
>>
>> ------ Original Message ------
>> From: "Dennis Burgess" <[email protected]>
>> To: "[email protected]" <[email protected]>
>> Sent: 12/28/2016 5:50:22 AM
>> Subject: Re: [AFMUG] Mikrotik - Carrier Grade NAT methods
>>
>> But this is not required.. Something of course, you can do.
>>
>> Dennis Burgess
>> www.linktechs.net – 314-735-0270 x103 – [email protected]
>>
>> From: Af [mailto:[email protected]] On Behalf Of Eric Kuhnke
>> Sent: Tuesday, December 27, 2016 8:01 PM
>> To: [email protected]
>> Subject: Re: [AFMUG] Mikrotik - Carrier Grade NAT methods
>>
>> Assuming you have a NAT and DHCP pools of IPs defined inside the NAT, unique pool per POP, if you do not have log files from your DHCP daemon, you are taking a terrible risk... Log files are small relative to the cost of disk space. In setups I have built in the past with the ISC dhcpd we kept logs going back 24 months for which CPE at which MAC address had which IP address (whether internal or an ARIN IP) at any given point in time, including the lease/assignment handshake.
>>
>> On Tue, Dec 27, 2016 at 5:58 PM, Mathew Howard <[email protected]> wrote:
>>
>> The problem I see with that though, is the subpoenas we've gotten are generally just an IP address, and a time period... if this is coming from something like, say, a Facebook post, is there typically going to be any log of that sort of thing?
>>
>> Assigning port blocks would work fine for things like bittorrent DMCA takedown notices, where they give you port information, but I'm not sure how you would use it to track down a specific customer when all they give you is the IP address...
>>
>> On Tue, Dec 27, 2016 at 6:51 PM, Josh Reynolds <[email protected]> wrote:
>>
>> If you assign a port block per customer (PBA NAT in Juniper), you don't really need to log anything... do you?
>>
>> On Tue, Dec 27, 2016 at 3:45 PM, Adam Moffett <[email protected]> wrote:
>> > A recent thread about a subpoena made me wonder. Historically this hasn't been an issue for me because I've had access to enough public IPs... but it might become an issue soon.
>> >
>> > Has anybody set up CGN with appropriate logging on Mikrotik?
>> > I'm thinking you would have to log every set of src-ip, dst-ip, src-port, and dst-port for each connection that a customer opens. Does simply checking the "log" checkbox on the srcnat rule generate enough data or is there more to it?
>> >
>> > Has anybody tried the method on the wiki (http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Carrier-Grade_NAT_.28CGNAT.29_or_NAT444) where you assign a range of port numbers to each private IP? The idea is you don't have to log everything at that point because you know that a connection from port x corresponds to private IP y. Then you just need to keep track of who has which private IP. It seems like this would have a side effect of limiting the number of simultaneous connections a single customer could open... maybe not a bad thing.
>> >
>> > Thanks,
>> > Adam
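The thread's two pieces of the puzzle, a fixed port block per private address (so the NAT needs no per-connection log) and a DHCP lease log (so a private address resolves to a CPE MAC at a point in time), can be tied together in a small lookup tool. The following is an added example, not code from the thread, from MikroTik or from ISC; it assumes a constructed deployment (one public address 203.0.113.10 in front of 100.64.0.0/24, 1024 ports per subscriber starting at port 1024, a 3600 s lease time, year 2016 for the year-less syslog timestamps) and constructed DHCPACK lines in the shape ISC dhcpd emits via syslog. It also shows the limitation Mathew raised: a request carrying only an IP and a time, with no port, yields every subscriber who held an address behind that public IP at that instant, not a single customer.

```python
import re
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# --- Assumed deployment (constructed for this example, not a real network) ---
PUBLIC_IP = ipaddress.ip_address("203.0.113.10")      # one shared public address
PRIVATE_NET = ipaddress.ip_network("100.64.0.0/24")   # CGN space behind it
FIRST_PORT = 1024                                     # ports below this are never handed out
BLOCK_SIZE = 1024                                     # fixed ports per subscriber
MAX_BLOCKS = (65536 - FIRST_PORT) // BLOCK_SIZE       # 63 usable blocks
LEASE_TIME = timedelta(seconds=3600)                  # assumed default-lease-time
LOG_YEAR = 2016                                       # syslog lines carry no year


def port_block(private_ip: str) -> Tuple[int, int]:
    """Inclusive (low, high) public source-port range owned by a private address.
    The block index is the host part of the address, so the mapping is plain
    arithmetic and the NAT device needs no per-connection log to reverse it."""
    host = ipaddress.ip_address(private_ip)
    if host not in PRIVATE_NET:
        raise ValueError(f"{private_ip} is outside {PRIVATE_NET}")
    index = int(host) - int(PRIVATE_NET.network_address)
    if not 1 <= index <= MAX_BLOCKS:
        raise ValueError(f"no port block for {private_ip}")
    low = FIRST_PORT + (index - 1) * BLOCK_SIZE
    return low, low + BLOCK_SIZE - 1


def private_ip_for_port(public_port: int) -> str:
    """Inverse of port_block(): which private address owns a public source port."""
    if not FIRST_PORT <= public_port <= 65535:
        raise ValueError(f"port {public_port} is not in any subscriber block")
    index = (public_port - FIRST_PORT) // BLOCK_SIZE + 1
    return str(PRIVATE_NET.network_address + index)


@dataclass(frozen=True)
class Lease:
    private_ip: str
    mac: str
    start: datetime
    end: datetime


# ISC dhcpd-style DHCPACK line as relayed through syslog (assumed format).
ACK_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd: "
                    r"DHCPACK on (\S+) to ([0-9a-f:]{17}) ")


def parse_lease_log(text: str) -> List[Lease]:
    """Turn DHCPACK lines into lease intervals. Each ACK starts a lease of
    LEASE_TIME; a renewal simply adds an overlapping interval for the same MAC."""
    leases = []
    for line in text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue  # DISCOVER/OFFER/REQUEST lines carry no final binding
        start = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        leases.append(Lease(m.group(2), m.group(3), start, start + LEASE_TIME))
    return leases


def holders(leases: List[Lease], private_ip: str, at: datetime) -> List[str]:
    """MACs that held private_ip at the given instant (half-open interval)."""
    return sorted({l.mac for l in leases
                   if l.private_ip == private_ip and l.start <= at < l.end})


def resolve(leases: List[Lease], public_ip: str, at: datetime,
            public_port: Optional[int] = None) -> List[Tuple[str, str]]:
    """Answer an 'IP + time (+ optional port)' request as (private_ip, mac) pairs.
    With a port the block arithmetic pins down one private address; without it
    every subscriber with a port block and an active lease is a candidate."""
    if ipaddress.ip_address(public_ip) != PUBLIC_IP:
        return []
    if public_port is not None:
        candidates = [private_ip_for_port(public_port)]
    else:
        candidates = [str(PRIVATE_NET.network_address + i)
                      for i in range(1, MAX_BLOCKS + 1)]
    return [(ip, mac) for ip in candidates for mac in holders(leases, ip, at)]


# Constructed sample log: two subscribers, one address re-leased later on.
SAMPLE_LOG = """\
Dec 27 19:58:01 dhcp1 dhcpd: DHCPACK on 100.64.0.5 to 00:11:22:33:44:55 via eth0
Dec 27 19:59:30 dhcp1 dhcpd: DHCPACK on 100.64.0.9 to 66:77:88:99:aa:bb via eth0
Dec 27 21:05:00 dhcp1 dhcpd: DHCPACK on 100.64.0.5 to cc:dd:ee:ff:00:11 via eth0
"""

if __name__ == "__main__":
    leases = parse_lease_log(SAMPLE_LOG)
    t = datetime(2016, 12, 27, 20, 30)
    print(port_block("100.64.0.5"))                  # (5120, 6143)
    print(resolve(leases, "203.0.113.10", t, 5555))  # one subscriber
    print(resolve(leases, "203.0.113.10", t))        # every active lease: a list, not a name
```

The `resolve()` call without a port is the point of Mathew's objection: the port-block scheme removes the need to log translations, but it only collapses the candidate set to one customer when the requester supplies the source port, so the DHCP lease log (kept for as long as your retention policy requires) remains the record that actually has to be preserved.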
