We have been using syslog-ng with an older version of php-syslogng, now known as LogZilla.

In my next incarnation I would probably install Graylog. It is my personal opinion that the best system is one that allows easy access (search, categorize, etc.) to syslog messages via a GUI interface, so that folks with lesser CLI skills can get access to the information. Additionally, the ability to run the messages through a 'filter' and take / trigger actions is becoming, for me, much desired. :)

Faisal Imtiaz
Snappy Internet & Telecom
7266 SW 48 Street
Miami, FL 33155
Tel: 305 663 5518 x 232
Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net

> From: "Adam Moffett" <dmmoff...@gmail.com>
> To: af@afmug.com
> Sent: Wednesday, December 28, 2016 1:36:20 PM
> Subject: Re: [AFMUG] Mikrotik - Carrier Grade NAT methods
>
> Actually I'd love suggestions on that front too.
>
> I've looked at Splunk, Graylog, and Zabbix all pretty recently. None of them really excited me, to be honest.
>
> Splunk had the interesting ability to automatically indicate messages that were statistically normal.... it just seemed like there was a lot going on and a lot of features I would never use.
>
> I don't really know what my criteria are for the perfect log collector/analyzer, I just don't think I've seen it yet :)
>
> ------ Original Message ------
> From: "Faisal Imtiaz" <fai...@snappytelecom.net>
> To: af@afmug.com
> Sent: 12/28/2016 12:28:20 PM
> Subject: Re: [AFMUG] Mikrotik - Carrier Grade NAT methods
>
>> yes... which leads back to a full circle on another aspect of ISP/NSP/WISP systems...
>>
>> Centralized Syslog with / easy access to retrieve info..
>>
>> Lots of desired functionality, Monitoring, DDOS, logging etc etc would lead back to a centralized logging system.
>> :)
>>
>> Faisal Imtiaz
>> Snappy Internet & Telecom
>> 7266 SW 48 Street
>> Miami, FL 33155
>> Tel: 305 663 5518 x 232
>> Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net
>>
>>> From: ch...@wbmfg.com
>>> To: af@afmug.com
>>> Sent: Wednesday, December 28, 2016 11:26:39 AM
>>> Subject: Re: [AFMUG] Mikrotik - Carrier Grade NAT methods
>>>
>>> Yeah, DHCP lease info is the thing to save.
>>>
>>> From: Adam Moffett
>>> Sent: Wednesday, December 28, 2016 9:21 AM
>>> To: af@afmug.com
>>> Subject: Re: [AFMUG] Mikrotik - Carrier Grade NAT methods
>>>
>>> I think Eric is saying if you're going to the effort of logging NAT translations then you also should log DHCP assignments. Which is true.
>>>
>>> ------ Original Message ------
>>> From: "Dennis Burgess" <dmburg...@linktechs.net>
>>> To: "af@afmug.com" <af@afmug.com>
>>> Sent: 12/28/2016 5:50:22 AM
>>> Subject: Re: [AFMUG] Mikrotik - Carrier Grade NAT methods
>>>
>>>> But this is not required.. Something of course, you can do.
>>>>
>>>> Dennis Burgess
>>>> www.linktechs.net – 314-735-0270 x103 – dmburg...@linktechs.net
>>>>
>>>> From: Af [mailto:af-boun...@afmug.com] On Behalf Of Eric Kuhnke
>>>> Sent: Tuesday, December 27, 2016 8:01 PM
>>>> To: af@afmug.com
>>>> Subject: Re: [AFMUG] Mikrotik - Carrier Grade NAT methods
>>>>
>>>> Assuming you have a NAT and dhcp pools of IPs defined inside the NAT, unique pool per POP, if you do not have log files from your dhcp daemon, you are taking a terrible risk... Log files are small relative to the cost of disk space. In setups I have built in the past with the ISC dhcpd we kept logs going back 24 months for which CPE at which MAC address had which IP address (whether internal or an ARIN IP) at any given point in time, including the lease/assignment handshake.
>>>>
>>>> On Tue, Dec 27, 2016 at 5:58 PM, Mathew Howard <mhoward...@gmail.com> wrote:
>>>>
>>>>> The problem I see with that though, is the subpoenas we've gotten are generally just an IP address, and a time period... if this is coming from something like, say, a facebook post, is there typically going to be any log of that sort of thing?
>>>>>
>>>>> Assigning port blocks would work fine for things like bittorrent DMCA takedown notices, where they give you port information, but I'm not sure how you would use it to track down a specific customer when all they give you is the IP address...
>>>>>
>>>>> On Tue, Dec 27, 2016 at 6:51 PM, Josh Reynolds <j...@kyneticwifi.com> wrote:
>>>>>
>>>>>> If you assign a port block per customer (PBA NAT in Juniper), you don't really need to log anything... do you?
>>>>>>
>>>>>> On Tue, Dec 27, 2016 at 3:45 PM, Adam Moffett <dmmoff...@gmail.com> wrote:
>>>>>>
>>>>>>> A recent thread about a subpoena made me wonder. Historically this hasn't been an issue for me because I've had access to enough public IPs... but it might become an issue soon.
>>>>>>>
>>>>>>> Has anybody set up CGN with appropriate logging on Mikrotik?
>>>>>>>
>>>>>>> I'm thinking you would have to log every set of src-ip, dst-ip, src-port, and dst-port for each connection that a customer opens. Does simply checking the "log" checkbox on the srcnat rule generate enough data or is there more to it?
>>>>>>>
>>>>>>> Has anybody tried the method on the wiki (http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Carrier-Grade_NAT_.28CGNAT.29_or_NAT444) where you assign a range of port numbers to each private IP? The idea is you don't have to log everything at that point because you know that a connection from port x corresponds to private ip y. Then you just need to keep track of who has which private IP. It seems like this would have a side effect of limiting the number of simultaneous connections a single customer could open.... maybe not a bad thing.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Adam
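The port-block scheme Adam and Josh discuss, worked through end to end as an added example (this is not code from the thread, from Mikrotik, or from any of the posters). It models the wiki-style arrangement in which each private IP behind one public IP owns a fixed, contiguous range of source ports, so the only record an operator needs is the DHCP lease history Eric and Chuck recommend keeping. It also makes Mathew's objection concrete: an abuse report that carries a source port resolves to one subscriber, while a report with only an IP and a time resolves to every subscriber sharing that public IP at that moment. The `PortBlockPlan`, `Lease`, `attribute` and `who_had` names, the 203.0.113.x / 100.64.0.x addresses, the MACs and the lease intervals are all constructed for this example.

```python
"""Port-block CGNAT attribution against a DHCP lease history.

Added example, not code from the thread or from Mikrotik. It models the scheme
discussed above: each private IP behind one public IP owns a fixed, contiguous
range of source ports, so no per-connection NAT log is needed; the DHCP lease
history alone says who held that private IP at a given time. All addresses,
MACs and lease records below are constructed sample data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class PortBlockPlan:
    """One public IP shared by one private subnet, ports split evenly."""
    public_ip: str
    private_net: str          # e.g. "100.64.0.0/27" (RFC 6598 shared space)
    first_port: int = 1024
    last_port: int = 65535

    @property
    def hosts(self) -> list[ipaddress.IPv4Address]:
        return list(ipaddress.ip_network(self.private_net).hosts())

    @property
    def block_size(self) -> int:
        # Integer division: any leftover ports at the top stay unassigned.
        return (self.last_port - self.first_port + 1) // len(self.hosts)

    def block_for(self, private_ip: str) -> tuple[int, int]:
        """Inclusive source-port range a private IP is translated to."""
        idx = self.hosts.index(ipaddress.ip_address(private_ip))
        lo = self.first_port + idx * self.block_size
        return lo, lo + self.block_size - 1

    def private_for(self, public_ip: str, port: int) -> str | None:
        """Reverse map a public ip:port to the private IP that owns that port."""
        if public_ip != self.public_ip or not self.first_port <= port <= self.last_port:
            return None
        idx = (port - self.first_port) // self.block_size
        if idx >= len(self.hosts):
            return None       # port is in the unassigned remainder
        return str(self.hosts[idx])


@dataclass(frozen=True)
class Lease:
    """A DHCP lease interval (what a dhcpd log lets you reconstruct)."""
    private_ip: str
    mac: str
    start: str                # ISO 8601, UTC; half-open interval [start, end)
    end: str

    def active_at(self, when: datetime) -> bool:
        return _ts(self.start) <= when < _ts(self.end)


def _ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def who_had(leases: list[Lease], private_ip: str, when: datetime) -> list[str]:
    """MACs holding a private IP at a point in time (normally zero or one)."""
    return sorted(l.mac for l in leases if l.private_ip == private_ip and l.active_at(when))


def attribute(plan: PortBlockPlan, leases: list[Lease], public_ip: str,
              when_iso: str, port: int | None = None) -> list[str]:
    """Candidate subscriber MACs for an abuse report.

    With a source port, the port block pins down one private IP and the lease
    history pins down one MAC. With only an IP and a time, every subscriber
    sharing that public IP at that moment is a candidate.
    """
    when = _ts(when_iso)
    if port is not None:
        priv = plan.private_for(public_ip, port)
        return who_had(leases, priv, when) if priv else []
    if public_ip != plan.public_ip:
        return []
    shared = {str(h) for h in plan.hosts}
    return sorted(l.mac for l in leases if l.private_ip in shared and l.active_at(when))


# Constructed sample data (hypothetical addresses and MACs).
PLAN = PortBlockPlan(public_ip="203.0.113.10", private_net="100.64.0.0/27")
LEASES = [
    Lease("100.64.0.5", "aa:bb:cc:dd:ee:01", "2016-12-27T10:00:00", "2016-12-27T22:00:00"),
    Lease("100.64.0.5", "aa:bb:cc:dd:ee:02", "2016-12-27T22:00:00", "2016-12-28T10:00:00"),
    Lease("100.64.0.9", "aa:bb:cc:dd:ee:03", "2016-12-27T08:00:00", "2016-12-28T08:00:00"),
]

if __name__ == "__main__":
    print("ports for 100.64.0.5:", PLAN.block_for("100.64.0.5"))
    print("ip:port, with port ->", attribute(PLAN, LEASES, "203.0.113.10", "2016-12-27T20:00:00", 10000))
    print("same port, later   ->", attribute(PLAN, LEASES, "203.0.113.10", "2016-12-27T23:00:00", 10000))
    print("IP and time only   ->", attribute(PLAN, LEASES, "203.0.113.10", "2016-12-27T20:00:00"))
```

With a /27 behind one public address, 64512 usable ports split 30 ways gives each subscriber 2150 source ports, which is the connection ceiling Adam mentions as a side effect. The half-open lease intervals matter: a lookup at exactly the hand-over time attributes to the new holder, never to both, and the lease log has to be retained for at least as long as the oldest report you expect to answer.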