ibm
Member
Topic Author
Posts: 306
Joined: Mon May 12, 2014 5:16 pm

Logging only src on NAT translations

Fri Oct 06, 2017 11:07 am

Hello,
What is the best way to send the NAT translation log to a syslog server, including ONLY the privateIP:srcPORT -> publicIP:srcPORT?
The country laws allow us to log only the src IP and PORT, but MikroTik by default also logs the destination IP and PORT.
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Logging only src on NAT translations

Fri Oct 06, 2017 12:24 pm

I can't see the usefulness of storing only the src-address and port if it cannot be cross-related to a dst-address... if you just want that info, use radacct.

Otherwise, you'll need to process the data at syslog receiving stage.
 
ibm
Member
Topic Author
Posts: 306
Joined: Mon May 12, 2014 5:16 pm

Re: Logging only src on NAT translations

Fri Oct 06, 2017 1:05 pm

There are no NAT translations in radacct.
The purpose of storing only the src IP and PORT is this: if I have the public IP 1.1.1.1 and 10 users use it, when the authority needs to know who, for example, DoSed a webserver, they have the source IP and port in the victim's log, so we can give the name of the customer that used that specific port at that moment.
 
andriys
Forum Guru
Posts: 1527
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Logging only src on NAT translations

Fri Oct 06, 2017 1:12 pm

TCP and UDP connections are identified by a combination of 4 values: source IP, source port, destination IP and destination port. Symmetric NAT is allowed to use the same external IP/port pair for two different internal IPs at the same time, provided they connect to different destination IPs. I have no idea if RouterOS may ever do that or not, but in any case logging only source IPs and ports does not make any sense to me.
 
ibm
Member
Topic Author
Posts: 306
Joined: Mon May 12, 2014 5:16 pm

Re: Logging only src on NAT translations

Fri Oct 06, 2017 1:35 pm

In this example:
Oct 6 12:26:35 10.10.0.1 firewall,info forward: in:<pppoe-test> out:sfp1, proto TCP (SYN), 100.64.50.90:35400->1.1.1.1:443, NAT (100.64.50.90:35400->2.2.2.2:35400)->1.1.1.1:443, len 60
I only need to know this part: NAT (100.64.50.90:35400->2.2.2.2:35400)
Because if I receive a request from the authority, they already know that my public IP and port 2.2.2.2:35400 attacked, for example, a webserver, so I only have to tell them who was using that port on my public IP.
 
andriys
Forum Guru
Posts: 1527
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Logging only src on NAT translations

Fri Oct 06, 2017 1:39 pm

> I only need to know this part: NAT (100.64.50.90:35400->2.2.2.2:35400)
That was completely clear from your original post already. I just wanted to point out that this information may theoretically be ambiguous.

Anyways, if I was to implement such logging, I'd think about using NetFlow, and configuring the collector to only partially store/log the information it receives.
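As an added illustration of the two points raised in this thread (pukkita's suggestion to reduce the data at the syslog receiving stage, and andriys' warning that a retained src->public pair can in theory be ambiguous), here is a small Python filter written for this page; it is not code from any of the posters or from MikroTik. It parses RouterOS `firewall,info` lines of the shape quoted above, keeps only the timestamp, the logging router and the `NAT (private:port->public:port)` part, drops everything after it (including the destination), and then flags any public IP:port that was mapped from more than one internal endpoint within the same logged second, since such records cannot be resolved to a single customer once the destination is gone. The second and third sample lines are constructed for the example; only the first is from the thread.

```python
import re
from collections import defaultdict

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# Timestamp, logging router, then the "NAT (src->pub)->dst" part of a RouterOS
# firewall log line. Everything not captured here is discarded on purpose.
NAT_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<router>\S+)\s+.*?"
    r"NAT \((?P<src_ip>%s):(?P<src_port>\d+)->(?P<pub_ip>%s):(?P<pub_port>\d+)\)"
    r"->(?P<dst_ip>%s):(?P<dst_port>\d+)" % (IP, IP, IP)
)

SAMPLE_LINES = [
    # The line quoted in this thread.
    "Oct 6 12:26:35 10.10.0.1 firewall,info forward: in:<pppoe-test> out:sfp1, proto TCP (SYN), "
    "100.64.50.90:35400->1.1.1.1:443, NAT (100.64.50.90:35400->2.2.2.2:35400)->1.1.1.1:443, len 60",
    # Constructed: a second customer whose connection to a different destination
    # is translated to the same public IP:port in the same second (andriys' case).
    "Oct 6 12:26:35 10.10.0.1 firewall,info forward: in:<pppoe-test2> out:sfp1, proto TCP (SYN), "
    "100.64.50.91:51002->3.3.3.3:443, NAT (100.64.50.91:51002->2.2.2.2:35400)->3.3.3.3:443, len 60",
    # Constructed: a forwarded packet with no NAT translation, so nothing is retained.
    "Oct 6 12:26:36 10.10.0.1 firewall,info forward: in:sfp1 out:<pppoe-test>, proto ICMP "
    "(type 8, code 0), 1.1.1.1->100.64.50.90, len 84",
]


def minimise(line):
    """Return the record to retain for one log line, or None if it has no NAT part.

    Only src and public endpoint are kept; the destination is parsed so that the
    match is anchored on a real translation, then thrown away.
    """
    m = NAT_LINE.search(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "router": m["router"],
        "src": f"{m['src_ip']}:{m['src_port']}",
        "pub": f"{m['pub_ip']}:{m['pub_port']}",
    }


def format_record(rec):
    """Render a retained record as a single syslog-style line."""
    return f"{rec['ts']} {rec['router']} NAT {rec['src']}->{rec['pub']}"


def process(lines):
    """Minimise every input line; returns (retained_records, number_dropped)."""
    kept, dropped = [], 0
    for line in lines:
        rec = minimise(line)
        if rec is None:
            dropped += 1
        else:
            kept.append(rec)
    return kept, dropped


def ambiguous_mappings(records):
    """Public endpoints mapped from more than one internal endpoint in the same
    logged second. Without the destination the retained records cannot tell
    these customers apart, so an operator should know how often this happens."""
    seen = defaultdict(set)
    for rec in records:
        seen[(rec["ts"], rec["pub"])].add(rec["src"])
    return {key: sorted(srcs) for key, srcs in seen.items() if len(srcs) > 1}


if __name__ == "__main__":
    retained, dropped = process(SAMPLE_LINES)
    for rec in retained:
        print(format_record(rec))
    print(f"dropped {dropped} line(s) without a NAT translation")
    for (ts, pub), srcs in ambiguous_mappings(retained).items():
        print(f"ambiguous: {pub} at {ts} used by {', '.join(srcs)}")
```

In a real deployment this filter would sit in front of the retention store (for example as the script a syslog daemon pipes matching messages through) so that the destination never reaches disk; the ambiguity report is what lets the operator quantify how often a src-only record would fail to identify a single customer.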
 
ibm
Member
Topic Author
Posts: 306
Joined: Mon May 12, 2014 5:16 pm

Re: Logging only src on NAT translations

Fri Oct 06, 2017 2:03 pm

So MikroTik should tell us whether the use of the same external IP/port pair for two different internal IPs at the same time may occur.
In any case NetFlow is a complex solution; we use it only for monitoring for statistical purposes, and we would like to keep the syslog machine stupid.
