1 Reply Latest reply on Oct 18, 2011 2:18 AM by asabban

SYSLOG / Real-time monitoring

Hi,

Can someone tell me a way to monitor client access through the gateway and identify, in real time, that access from source IP 'x.x.x.x' to URL 'whatever.com' was blocked by rule 'xyz'?

I am told by support this is not possible on MWG v7 and that instead I have to run 'httpwatch', a free third-party app, to see what's going on from the client perspective.

The problem here is that it's cumbersome and doesn't tell me what the gateway is doing, only everything the client is connecting to. It also means you can't analyse filtering results on a test group of users / IPs, which to me would be a basic essential.

On a Linux system I regularly use 'tail -f' to monitor what's going on in any given access.log / syslog, specifically using 'grep' to filter based on IP, time, date, etc. It's a very simple, powerful way to troubleshoot issues with web connectivity / filtering. Surely, as MWG is essentially a Linux build, there must be a way to throw the real-time logs from the gateway to a remote syslog server for analysis?

Thanks,

Michael.

1. Re: SYSLOG / Real-time monitoring
asabban

Hello Michael,

You can use the same tools for the log files that MWG is writing to disk. All logs go to /opt/mwg/log. The access.log should be the place to start; it is written to /opt/mwg/log/user-defined/access.log/access.log (current log file) or /opt/mwg/log/user-defined/access.log/access20111010.log (rotated log).

You can use "tail -f access.log", or "cat access.log | grep 192.168.0.1", to see what is happening. You will see all accesses made by clients. By default you may find that not all the information you are looking for is logged, but the log files can be modified to contain any available property to extend the logging. Maybe you want to start by looking at what exists first, and then we can discuss adding more information to the logs or adding more user-defined logs.

Theoretically it is possible to dump all log files into syslog, but we have found that this becomes a huge bottleneck when there is a lot of traffic going through. Web Gateway starts waiting for syslog to send the lines, but syslog does not seem to be capable of sending the huge amount of logs, which causes Web Gateway to slow down and/or become unresponsive. Therefore I recommend not pushing all log lines to syslog. An example may be a separate user-defined log in the log handler which only writes a line when MWG has blocked something, and sending this through syslog (there is an Event which can do this). For archiving and later review Web Reporter may be helpful, or pushing the log files to an FTP server to have them stored.

I hope this helps you get started.

best,

Andre
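The "tail -f plus grep" workflow from the thread, as an added shell example that is not part of the original posts and not McAfee's code. It narrows a live access.log stream to blocked requests from a test group of client IPs and an optional URL substring, which is the "what did the gateway block for these users" view the question asks for. The log layout it parses (time, client IP, action, URL, blocking rule) is constructed for this example; the real column order of an MWG access.log depends on how the log handler is configured, so the awk field numbers are an assumption to adjust.

```shell
#!/bin/sh
# Added example (not from the thread). Filters access.log-style lines for
# BLOCK actions from a given set of client IPs, optionally restricted to URLs
# containing a substring. The column layout below is CONSTRUCTED for this
# example: $3 = client IP, $4 = action, $5 = URL. Real MWG logs follow the
# log handler's configured format, so adjust the field numbers accordingly.

# Constructed sample log: <date> <time> <client_ip> <action> <url> <rule>
SAMPLE_LOG='2011-10-10 10:00:01 192.168.0.1 ALLOW http://example.com/ -
2011-10-10 10:00:02 192.168.0.2 BLOCK http://whatever.com/page "Category Block"
2011-10-10 10:00:03 192.168.0.1 BLOCK http://whatever.com/dl "Malware Check"
2011-10-10 10:00:04 10.0.0.5 BLOCK http://whatever.com/ "Category Block"
2011-10-10 10:00:05 10.0.0.5 ALLOW http://whatever.com/ok -'

# blocked_from_group URL_SUBSTRING IP...
#   Reads log lines on stdin and prints those where the client IP is one of
#   the listed IPs, the action is BLOCK, and (if URL_SUBSTRING is non-empty)
#   the URL contains that substring. Pass "" to match any URL.
blocked_from_group() {
    url=$1; shift
    awk -v url="$url" -v ips="$*" '
        BEGIN { n = split(ips, a, " "); for (i = 1; i <= n; i++) group[a[i]] = 1 }
        ($3 in group) && $4 == "BLOCK" && (url == "" || index($5, url) > 0) { print }
    '
}

# count_blocked URL_SUBSTRING IP...
#   Same filter, but returns only the number of matching lines.
count_blocked() {
    blocked_from_group "$@" | wc -l | tr -d ' '
}

# Offline usage against the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | blocked_from_group whatever.com 192.168.0.1 192.168.0.2
#
# Live usage on the gateway (path taken from the thread). tail -F, unlike
# tail -f, keeps following by name, so it survives the nightly rotation to
# accessYYYYMMDD.log:
#   tail -F /opt/mwg/log/user-defined/access.log/access.log \
#       | blocked_from_group "" 192.168.0.1 192.168.0.2
```

Because the filter reads stdin, the same function works on a rotated file (`blocked_from_group "" 10.0.0.5 < access20111010.log`) and on the live stream, and keeping the IP list in the awk script rather than chaining several greps means one pass over each line, which matters when the gateway is busy.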