Setting up logging and syslog forwarding for response policy zones - User Guide - Micetro - 25.2.0

Micetro Admin Guide


You can gain insight into how your response policies are working, for example which blocked domains users attempt to access, and where and when queries are redirected to a different domain, by setting up response policy zone (RPZ) logging in Micetro.

When you set up RPZ logging, you can also have the log events forwarded to your syslog server. From there, you can use integrations with SIEM tools to visualize the data.

To set up RPZ logging:

  1. Navigate to Admin > Service management.
  2. In the left sidebar, select Appliance under DNS services.
  3. In the data grid, locate the appliance and use the Row ... menu to select Edit server options.
  4. Open the Raw configuration tab.
  5. In the File dropdown, select conf/logging.
  6. In the file, add the following channel to the configuration:
      channel rpz_log {
          file "/var/cache/bind/rpz.log" size 100m versions 4;
          severity info;
          print-category yes;
          print-severity yes;
          print-time yes;
      };

  7. By default, RPZ events are not logged. To configure how and where they are logged, edit the category rpz statement in the raw configuration. You can configure RPZ logging in several ways:
    • To log RPZ events to their own file: create a new channel for the RPZ log (such as rpz_log above) and reference it in the category:
      category rpz { rpz_log; };
    • To log RPZ events to the default mmsuite.log file: specify the category as follows:
      category rpz { mmsuite_log; };
    • To forward RPZ events to a configured syslog server: specify the category as follows:
      category rpz { mmsuite_syslog; };
      Note: To use syslog forwarding, you need a syslog server configured with DNS selected under Service types. If you already have a syslog server configured that way, it will receive the RPZ log events once this change is saved.
    • To log RPZ events to multiple destinations: list the channels in the category, each terminated by a semicolon, e.g.:
      category rpz { rpz_log; mmsuite_syslog; };
  8. Select Save.

Once you've saved the configuration, you can check that response policies are functioning as expected by downloading the log file.
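A way to review the downloaded rpz.log for the insights described above (which domains were blocked, for which clients, and with what action), as an added example that is not part of the Micetro documentation. It assumes the BIND 9 rpz log message format ("client ... (qname): rpz TRIGGER POLICY rewrite NAME via RPZ-NAME") with the time, category and severity prefixes that the channel above turns on; the sample log lines are constructed.

```python
import re
from collections import Counter

# Assumed line layout: "<time> rpz: <severity>: client [@0x...] <ip>#<port> (<qname>):
# rpz <trigger> <policy> rewrite <name>[/<type>/<class>] via <rpz zone name>".
# The "@0x..." client handle and the "/type/class" suffix are optional so that
# older and newer BIND 9 releases both match.
RPZ_LINE = re.compile(
    r"^(?P<time>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) rpz: (?P<severity>\w+): "
    r"client(?: @0x[0-9a-f]+)? (?P<client>[\d.a-fA-F:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"rpz (?P<trigger>\S+) (?P<action>\S+) rewrite (?P<name>[^/\s]+)(?:/\S+)? via (?P<rpz>\S+)"
)

# Constructed sample of what rpz.log can look like; the fourth line is a non-RPZ
# message that must be ignored by the parser.
SAMPLE_LOG = """\
26-Jan-2024 10:22:13.123 rpz: info: client @0x7f3c1c0a2b40 10.0.0.5#49152 (malware.example): rpz QNAME NXDOMAIN rewrite malware.example/A/IN via malware.example.rpz.local
26-Jan-2024 10:22:14.456 rpz: info: client @0x7f3c1c0a2b40 10.0.0.7#51000 (phish.example): rpz QNAME CNAME rewrite phish.example/A/IN via phish.example.rpz.local
26-Jan-2024 10:22:15.789 rpz: info: client @0x7f3c1c0a2b40 10.0.0.5#49160 (malware.example): rpz QNAME NXDOMAIN rewrite malware.example/AAAA/IN via malware.example.rpz.local
26-Jan-2024 10:22:16.000 general: info: zone example.com/IN: loaded serial 2024012601
"""


def parse_rpz_log(text):
    """Return one dict per RPZ rewrite line (time, client, qname, trigger, action, rpz)."""
    events = []
    for line in text.splitlines():
        match = RPZ_LINE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def summarize(events):
    """Count rewrites per (queried domain, policy action) and per client address."""
    by_domain = Counter((e["qname"], e["action"]) for e in events)
    by_client = Counter(e["client"] for e in events)
    return by_domain, by_client


if __name__ == "__main__":
    by_domain, by_client = summarize(parse_rpz_log(SAMPLE_LOG))
    for (qname, action), count in by_domain.most_common():
        print(f"{count:4d}  {action:<10} {qname}")
    for client, count in by_client.most_common():
        print(f"{count:4d}  client {client}")
```

Replace SAMPLE_LOG with the contents of the downloaded rpz.log to get the same per-domain and per-client counts for your own appliance.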