Logging Tab
Administration > General Settings > Setup > Logging
The Logging tab summarizes the following configured logging parameters:
- Log Settings refers to local logging.
- Log Facilities Configuration refers to remote logging.
The logs keep track of alarms, events, and any other issues involving your appliances.
The following table provides more details.
Field | Description |
---|---|
Appliance | Name of the appliance associated with the recorded logs. |
Minimum Severity | Minimum severity level the issue is recorded as. For descriptions of levels, see Severity Levels. |
Log File Size Threshold | Set threshold configured for the log size limit. |
Number of Logs to Keep | Maximum number of logs to keep for the appliance. |
System | Assigned log facility for System. |
Audit | Assigned log facility for Audit. |
Firewall | Assigned log facility for Firewall. |
Ids | Assigned log facility for IDS. |
Log Stateful WAN Drops | Enable log information for discarded inbound packets, even at high traffic rates, for WAN-side interfaces running in stateful, stateful+SNAT, or hardened modes. Drops are logged to the firewall log with the description Inbound drop on stateful wan interface. |
Anonymize IPs | True or false. Indicates if IP addresses are anonymized in log messages or not. |
Bit Masking | If Anonymize IPs is enabled, this indicates how bit masking is applied to IP addresses in log messages (options: Mask All, /8, /16, or /24). |
Jsonify | True or false. Indicates that log messages are converted to JSON format when exported. |
Remote Receiver | IP address of the remote receiver applicable to the log file. |
Remote Receiver Minimum Severity | Lowest level of severity logged for the remote log receiver. For details about severity levels, see the “Severity Levels” section below this table. |
Facility | Log facility used for the remote log receiver. |
To edit the logging configuration for one of the listed appliances, click the edit icon in the left column of the table. The Logging dialog box opens. For details, see Logging Dialog Box.
Severity Levels
In order of decreasing severity, the levels are as follows:
Severity Level | Description |
---|---|
Emergency | System is unusable. |
Alert | Includes all alarms the appliance generates: CRITICAL, MAJOR, MINOR, and WARNING. |
Critical | Critical event. |
Error | An error. This is a non-urgent failure. |
Warning | A warning condition. Indicates an error will occur if action is not taken. |
Notice | A normal, but significant, condition. No immediate action required. |
Info | Informational. Used by Support for debugging. |
Debug | Used by Support for debugging. |
None | This indicates that no events are logged. |
These are event logging levels, not alarm severities, even though some of the names overlap. Events and alarms have different sources. When an alarm clears, it is listed at the ALERT level in the Event Log.
Remote Logging
- You can configure the appliance to forward all events, at and above a specified severity, to a remote syslog server.
- A syslog server is independently configured for the minimum severity level that it will accept. Without reconfiguring, it might not accept as low a severity level as you are forwarding to it.
- Each message/event type (System / Audit / Firewall / Ids) is assigned to a syslog facility level (local0 to local7).
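The three points above (forwarding at and above a severity, the receiver's own independent threshold, and one facility per event type) can be made concrete with the syslog PRI arithmetic. The following is an added example and is not Orchestrator or appliance code; it assumes the standard RFC 5424 numbering (local0 to local7 are facility codes 16 to 23, Emergency to Debug are severities 0 to 7) and uses a constructed facility map and constructed events. It also checks the rule that no two event types may share a facility.

```python
# RFC 5424 numeric codes: local0..local7 are facilities 16..23, and the eight
# severities run from Emergency (0) to Debug (7), so "at and above Notice"
# means a numeric severity of 5 or lower.
FACILITIES = {f"local{i}": 16 + i for i in range(8)}
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}
SEVERITIES = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
              "Warning": 4, "Notice": 5, "Info": 6, "Debug": 7}
SEVERITY_NAMES = {code: name for name, code in SEVERITIES.items()}
LOG_TYPES = ("System", "Audit", "Firewall", "Ids")


def priority(facility: str, severity: str) -> int:
    """PRI value that opens a syslog message: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_priority(pri: int) -> tuple:
    """Split a PRI back into (facility name, severity name), as a receiver would."""
    fac_code, sev_code = divmod(pri, 8)
    return FACILITY_NAMES.get(fac_code, str(fac_code)), SEVERITY_NAMES[sev_code]


def validate_facilities(assignment: dict) -> list:
    """Return facilities used by more than one log type (a valid config returns [])."""
    users = {}
    for log_type, facility in assignment.items():
        users.setdefault(facility, []).append(log_type)
    return sorted(fac for fac, types in users.items() if len(types) > 1)


def simulate(events, facilities: dict, appliance_min: str, receiver_min: str) -> tuple:
    """Model the appliance forwarding filter and the receiver's own threshold.

    events: iterable of (log_type, severity, text).
    Returns (forwarded, accepted, silently_dropped) as lists of PRI-prefixed lines.
    """
    forwarded, accepted, dropped = [], [], []
    for log_type, severity, text in events:
        if SEVERITIES[severity] > SEVERITIES[appliance_min]:
            continue  # below the appliance's minimum: never sent
        line = f"<{priority(facilities[log_type], severity)}>{log_type} {text}"
        forwarded.append(line)
        if SEVERITIES[severity] <= SEVERITIES[receiver_min]:
            accepted.append(line)
        else:
            dropped.append(line)  # sent, but discarded by the receiver's threshold
    return forwarded, accepted, dropped


# Constructed sample configuration and events (not taken from the page).
FACILITY_MAP = {"System": "local0", "Audit": "local1",
                "Firewall": "local2", "Ids": "local3"}
EVENTS = [
    ("System", "Notice", "configuration saved"),
    ("Audit", "Info", "user admin logged in"),
    ("Firewall", "Warning", "Inbound drop on stateful wan interface"),
    ("Ids", "Debug", "signature cache refreshed"),
]

if __name__ == "__main__":
    assert validate_facilities(FACILITY_MAP) == []
    # Appliance forwards Info and above; receiver only accepts Notice and above.
    fwd, ok, lost = simulate(EVENTS, FACILITY_MAP, "Info", "Notice")
    print("forwarded:", fwd)
    print("accepted: ", ok)
    print("lost at receiver:", lost)
```

Run with an appliance minimum of Info and a receiver minimum of Notice and the Audit Info event is forwarded but never stored, which is exactly the mismatch the second bullet warns about: the fix is to align the receiver's threshold with the appliance's, not to raise the appliance's level.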
Logging Dialog Box
Use this dialog box to configure log settings and log facilities. You can also add remote log receivers.
WARNING: Appliance logging levels should only be set to “Notice” unless TAC asks you to set it differently. This applies to both the Minimum severity level field in the Log Settings area of this dialog box and the Minimum Severity field in the Remote Log Receivers area. Be aware that setting this level to “Debug” will generate logs for all modules that are turned on, which causes the packet processing engine to spend excessive time logging instead of forwarding packets.
Log Settings
Setting | Description |
---|---|
Minimum severity level | Minimum severity level that the system will log. (See the WARNING note above.) For details about severity levels, see Severity Levels. |
Start new file when log reaches | Enter the maximum size (in MB) for a log file. Orchestrator generates a new file when this maximum size is reached. Specify a size from 1 to 50. |
Keep at most log files | Maximum number of log files to allow to be stored. Specify a value from 1 to 100. |
Log stateful wan-interface drops | Select to log information for discarded inbound packets, even at high-traffic rates. NOTE: Enabling this option may impact system performance. |
Anonymize IPs | Click the check box to anonymize IP addresses in log messages. |
Bit Masking | If Anonymize IPs is enabled, select how bit masking is applied to IP addresses in log messages (options: Mask All, /8, /16, or /24). |
Jsonify | Click the check box to convert log messages to JSON format when exported. NOTE: When you click the Anonymize IPs check box, the Jsonify check box is automatically selected. |
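The Anonymize IPs, Bit Masking, and Jsonify settings above interact: masking keeps a prefix of each address, and selecting Anonymize IPs forces Jsonify on. The block below is an added example, not appliance or Orchestrator code, that models those three settings on a constructed firewall log line. It assumes that "/8", "/16" and "/24" mean keeping that many leading bits of an IPv4 address and that "Mask All" keeps none; the `timestamp module: message key=value` line format and the field names are constructed for the example.

```python
import ipaddress
import json
import re

# Bit-masking options as listed in the Logging dialog box. The prefix lengths
# are this example's assumption about what "/8", "/16" and "/24" keep.
MASK_OPTIONS = {"Mask All": 0, "/8": 8, "/16": 16, "/24": 24}

# Dotted-quad candidates; anything that is not a valid IPv4 address is left as-is.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def mask_ip(ip: str, option: str) -> str:
    """Keep the first N bits of an IPv4 address and zero the rest."""
    prefix = MASK_OPTIONS[option]
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return ip  # e.g. 999.1.1.1 matched the regex but is not an address
    net = ipaddress.IPv4Network((addr, prefix), strict=False)
    return str(net.network_address)


def anonymize_line(line: str, option: str) -> str:
    """Replace every IPv4 address in a log line with its masked form."""
    return IPV4_RE.sub(lambda m: mask_ip(m.group(0), option), line)


def jsonify_line(line: str) -> str:
    """Convert a constructed 'timestamp module: free text key=value ...' line to JSON."""
    timestamp, module, rest = line.split(" ", 2)
    fields, words = {}, []
    for token in rest.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        else:
            words.append(token)
    record = {"timestamp": timestamp, "module": module.rstrip(":"),
              "message": " ".join(words), **fields}
    return json.dumps(record, sort_keys=True)


def export_line(line: str, anonymize: bool, bit_masking: str = "/24",
                jsonify: bool = False) -> str:
    """Apply the dialog's settings; enabling Anonymize IPs also selects Jsonify."""
    if anonymize:
        line = anonymize_line(line, bit_masking)
        jsonify = True
    return jsonify_line(line) if jsonify else line


# Constructed sample: a firewall-log entry for a dropped stateful WAN packet.
SAMPLE = ("2024-05-01T12:00:00Z firewall: Inbound drop on stateful wan interface "
          "src=203.0.113.5 dst=10.1.2.3 proto=tcp dport=22")

if __name__ == "__main__":
    print(export_line(SAMPLE, anonymize=False))
    print(export_line(SAMPLE, anonymize=True, bit_masking="/16"))
```

With /16 masking the source and destination become 203.0.0.0 and 10.1.0.0, which still lets a receiver group drops by network while no longer identifying the individual host; with Mask All every address becomes 0.0.0.0 and the log keeps only the event itself.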
Log Facilities Configuration
Select the log facilities you want the System, Audit, Firewall, and IDS/IPS Events logs to use. You can choose between Local0 and Local7 for each.
NOTE: The log facilities you select for System, Audit, Firewall, and IDS/IPS Events must be uniquely assigned; they cannot overlap. For example, System can be assigned to local2 and Audit to local3, but both cannot be assigned to local2.
Remote Log Receivers
Follow these instructions to add a remote receiver for an appliance syslog server that uses an end entity certificate.
NOTE: To use an end entity certificate, you must first create an end entity certificate for use. To do this, see End Entity Certificates Tab.
1. Navigate to Administration > General Settings > Setup > Logging.
2. Click the edit icon next to the appliance for which you want to configure a receiver.
   The Logging dialog box opens.
3. Under Remote Log Receivers, click Add and then configure the following information.

   Field | Description |
   ---|---|
   IP Address | Enter the IP address for the remote receiver. |
   Port | Enter the port number of the remote syslog server. The default for TCP SSL is 6514. |
   Protocol | Select TCP SSL. |
   Minimum Severity | Select the minimum severity level of messages you want to log. (See the WARNING note above.) For details about severity levels, see Severity Levels. For Common Criteria mode, Debug should be used to ensure all logs are sent to the syslog receiver. |
   Facility | Select all, local1, local2, local3, local4, local5, local6, or local7. |

4. In the Client Certificate column, click Add.
   The Add Remote Receiver SSL Certificate dialog box opens.
5. Click Use End Entity Certificate and then select the end entity certificate from the End Entity Certificate drop-down menu.
6. Click the cell in the Verify column to display a check box, and then click the check box to verify the server certificate.
7. Click Add.
8. Click Save.
For information about remote log receivers, including how to add and configure a receiver, see Remote Log Receivers.