How to send all website logs on a remote log server

Milos · September 2018

I have an USG 110 device and willing to monitor the websites accessed through the device.

For this, I am forwarding the logs to a Graylog server which seems to work well.

The problem is that not all websites are logged. I can see a few of them, like:

push.bitdefender.net : Computers and Technology, Rule_id=9, SSI=N (Content Filter)

URL: push.bitdefender.net/poll?push_id=edb061ac-f2ce-4276-a5c3-a9bc1d3230d1

00=10 01=push.bitdefender.net 02=9 03=forward

But many of them are just missing. How is this possible? Has this something to do with the categories I selected in the Content Filter? In there, I have a couple of categories selected and the option for those is set to block.

Looking forward to hearing from you. Which option for LOG should be enabled in the log settings for website tracking?

Ian31 · September 2018

Hi @Milos,
First, you need to enable "Log all web pages" in content filter profile

Image: https://us.v-cdn.net/6029482/uploads/editor/3a/ms4f1nvd9txe.jpg

Then, select the log categories in Log settings to send to remote syslog server.
About the log categories of Content Filter. It's not that straight forward.
When I were a ZyWALL newbie. I also only select the "Content Filter" category. But it just include the configuration change logs. Not the web access logs.

Here the right categories that your need for all web access logging,
"Warning web sites" "Blocked web sites" "Forward web sites"

Image: https://us.v-cdn.net/6029482/uploads/editor/6y/wbyvqg4772uk.jpg

Ian

Milos · September 2018

Thank you @Ian31 , I was finally able to solve this out. None of the https websites were logged as I first had to enable: "Enable HTTPS Domain Filter for HTTPS traffic" in the content Filter settings under UTM Profile, it then worked.

Ian31 · September 2018

Hi @Milos,
First, you need to enable "Log all web pages" in content filter profile

Then, select the log categories in Log settings to send to remote syslog server.
About the log categories of Content Filter. It's not that straight forward.
When I were a ZyWALL newbie. I also only select the "Content Filter" category. But it just include the configuration change logs. Not the web access logs.

Here the right categories that your need for all web access logging,
"Warning web sites" "Blocked web sites" "Forward web sites"

Ian

Milos · September 2018

Thanks @Ian31, this is exactly what I have, but not all logs are sent on the Graylog server side.

I am opening a few web pages, and only some of those are shown.

The only difference we have is that on my side, Action for managed web pages is set to Block and I only have a few categories there like: Nudity, Pornography, Weapons etc. Any idea?

Ian31 · September 2018

Hi @Milos,
That's weird.
Since that's what I configured and got all the web sites access logs.
The categories selected or not is not matter.
The key is enable "Log all web pages" in content filter profile.

Ian

Milos · September 2018

Thank you @Ian31 , I was finally able to solve this out. None of the https websites were logged as I first had to enable: "Enable HTTPS Domain Filter for HTTPS traffic" in the content Filter settings under UTM Profile, it then worked.

How to send all website logs on a remote log server

Best Answers

All Replies

Categories

Security Highlight

Security Help Center