H3C Firewall Products Comware 7 Web Configuration Guide-6W402 (06-System)

Basic log settings

 

This help contains the following topics:

·     Introduction

¡     Syslog

¡     Flow log

¡     Fast log

¡     Email server

¡     Storage space settings

¡     Log severity levels

·     Restrictions and guidelines

·     Configure basic log settings

¡     Configure syslog

¡     Configure flow log

¡     Configure fast log output

¡     Configure the email server

¡     Configure storage space settings

Introduction

The device generates various types of logs for service modules based on the packets processed by the service modules. These logs help network administrators monitor network performance, troubleshoot network problems, as well as track, record, analyze, and audit network access behaviors of users.

The device supports outputting logs by using the following methods:

·     Syslog.

·     Flow log.

·     Fast log output.

·     Email.

Syslog

Syslog entries are in ASCII format.

The information center on the device receives syslog messages generated by source modules and outputs the logs to the following destinations:

·     Console.

·     Monitor terminal.

·     Log buffer.

·     Log host.

·     Log file.

Flow log

About flow log

Flow log records users' access to external networks based on flows. Each flow is identified by a 5-tuple of the source IP address, destination IP address, source port, destination port, and protocol number.

Flow log creates entries based on NAT sessions.

Flow log versions

Flow log has three versions: version 1.0, version 3.0, and version 5.0. Table 1, Table 2, and Table 3 show the fields available in each version. The fields displayed on your device might differ from those listed in the tables, depending on the log analysis tool you use.

Table 1 Flow log 1.0 fields

Field

Description

SrcIP

Source IP address before NAT.

DestIP

Destination IP address before NAT.

SrcPort

Source TCP/UDP port number before NAT.

DestPort

Destination TCP/UDP port number before NAT.

StartTime

Start time of the flow, in seconds.

EndTime

End time of the flow, in seconds.

This field is 0 if the Operator field is 6 (regular connectivity check record for the active flow).

Protocol

Protocol number.

Operator

Reasons why a flow log entry was generated:

·     0—Reserved.

·     1—Flow was ended normally.

·     2—Flow was aged out because of aging timer expiration.

·     3—Flow was aged out because of configuration change or manual deletion.

·     4—Flow was aged out because of insufficient resources.

·     5—Reserved.

·     6—Regular connectivity check record for the active flow.

·     7—Flow was deleted because a new flow was created when the flow table was full.

·     8—Flow was created.

·     FE (hexadecimal 0xFE)—Other reasons.

·     10 through FE-1 (hexadecimal 0x10 through 0xFD)—Reserved for future use.

Reserved

Reserved for future use.

Table 2 Flow log 3.0 fields

Field

Description

Protocol

Protocol number.

Operator

Reasons why a flow log was generated:

·     0—Reserved.

·     1—Flow was ended normally.

·     2—Flow was aged out because of aging timer expiration.

·     3—Flow was aged out because of configuration change.

·     4—Flow was aged out because of insufficient resources.

·     5—Reserved.

·     6—Regular connectivity check record for the active flow.

·     7—Flow was deleted because a new flow was created when the flow table was full.

·     8—Flow was created.

·     FE (hexadecimal 0xFE)—Other reasons.

·     10 through FE-1 (hexadecimal 0x10 through 0xFD)—Reserved for future use.

IPVersion

IP packet version.

TosIPv4

ToS field of the IPv4 packet.

SourceIP

Source IP address before NAT.

SrcNatIP

Source IP address after NAT.

DestIP

Destination IP address before NAT.

DestNatIP

Destination IP address after NAT.

SrcPort

Source TCP/UDP port number before NAT.

SrcNatPort

Source TCP/UDP port number after NAT.

DestPort

Destination TCP/UDP port number before NAT.

DestNatPort

Destination TCP/UDP port number after NAT.

StartTime

Start time of the flow, in seconds.

EndTime

End time of the flow, in seconds.

This field is 0 when the Operator field is 6 (regular connectivity check record for the active flow).

InTotalPkg

Number of packets received for the session.

InTotalByte

Number of bytes received for the session.

OutTotalPkg

Number of packets sent for the session.

OutTotalByte

Number of bytes sent for the session.

InVPNID

ID of the source VPN instance.

OutVPNID

ID of the destination VPN instance.

Reserved1

Reserved field.

AppID

Application protocol ID.

Reserved3

Reserved field.

Table 3 Flow log 5.0 fields

Field

Description

Protocol

Protocol number.

Operator

Reasons why a flow log was generated:

·     0—Reserved.

·     1—Flow was ended normally.

·     2—Flow was aged out because of aging timer expiration.

·     3—Flow was aged out because of configuration change.

·     4—Flow was aged out because of insufficient resources.

·     5—Reserved.

·     6—Regular connectivity check record for the active flow.

·     7—Flow was deleted because a new flow was created when the flow table was full.

·     8—Flow was created.

·     FE (hexadecimal 0xFE)—Other reasons.

·     10 through FE-1 (hexadecimal 0x10 through 0xFD)—Reserved for future use.

IPVersion

IP packet version.

TosIPv4

ToS field of the IPv4 packet.

SourceIP

Source IP address before NAT.

SrcNatIP

Source IP address after NAT.

DestIP

Destination IP address before NAT.

DestNatIP

Destination IP address after NAT.

SrcPort

Source TCP/UDP port number before NAT.

SrcNatPort

Source TCP/UDP port number after NAT.

DestPort

Destination TCP/UDP port number before NAT.

DestNatPort

Destination TCP/UDP port number after NAT.

StartTime

Start time of the flow, in seconds.

EndTime

End time of the flow, in seconds.

This field is 0 when the Operator field is 6 (regular connectivity check record for the active flow).

InTotalPkg

Number of packets received for the session.

InTotalByte

Number of bytes received for the session.

OutTotalPkg

Number of packets sent for the session.

OutTotalByte

Number of bytes sent for the session.

InVPNID

ID of the source VPN instance.

OutVPNID

ID of the destination VPN instance.

AppID

Application protocol ID.

UserName

Username.

Reserved1

Reserved2

Reserved3

Reserved fields.
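The following is an added example of how a collector can act on the fields in Table 2; it is not code from this guide or from H3C. It assumes, which the guide does not state, that a collector has already decoded the exported flow log 3.0 records into one "Field=value" line per record using the field names above, that StartTime and EndTime are UNIX seconds, and that Operator is written in the hexadecimal notation the table uses. The sample records are constructed. It shows the three things a practitioner usually wants from these records: the pre-NAT 5-tuple as the flow identity, the reverse mapping from a translated address and port back to the internal source, and Operator values 4 and 7 as the signal that the device was shedding session state.

```python
"""Triage of H3C flow log 3.0 records on the collector side.

Added example, not code from the H3C guide or from H3C. Assumptions the guide
does not state: records arrive as one "Field=value ..." line each, using the
Table 2 field names, with times in UNIX seconds and Operator in the table's
hexadecimal notation (0..8, FE). SAMPLE_RECORDS below are constructed.
"""

# Operator values and meanings from Table 2 (hexadecimal notation).
OPERATOR_NAMES = {
    0: "reserved",
    1: "ended normally",
    2: "aged out: timer expired",
    3: "aged out: configuration change",
    4: "aged out: insufficient resources",
    5: "reserved",
    6: "connectivity check for active flow",
    7: "evicted: flow table full",
    8: "created",
    0xFE: "other reasons",
}
# A burst of these means the device was dropping session state, which is what
# a flood or an undersized session table looks like in the flow log.
RESOURCE_PRESSURE = {4, 7}

INT_FIELDS = {
    "Protocol", "IPVersion", "SrcPort", "SrcNatPort", "DestPort", "DestNatPort",
    "StartTime", "EndTime", "InTotalPkg", "InTotalByte", "OutTotalPkg",
    "OutTotalByte", "InVPNID", "OutVPNID", "AppID",
}

# Constructed sample: one TCP flow (created, checked while active, ended) and
# two UDP flows that the device aged out or evicted under resource pressure.
SAMPLE_RECORDS = """\
Protocol=6 Operator=8 IPVersion=4 SourceIP=10.1.1.20 SrcNatIP=203.0.113.5 DestIP=198.51.100.9 DestNatIP=198.51.100.9 SrcPort=51012 SrcNatPort=1024 DestPort=443 DestNatPort=443 StartTime=1700000000 EndTime=0 InTotalPkg=0 InTotalByte=0 OutTotalPkg=0 OutTotalByte=0 InVPNID=0 OutVPNID=0 AppID=443
Protocol=6 Operator=6 IPVersion=4 SourceIP=10.1.1.20 SrcNatIP=203.0.113.5 DestIP=198.51.100.9 DestNatIP=198.51.100.9 SrcPort=51012 SrcNatPort=1024 DestPort=443 DestNatPort=443 StartTime=1700000000 EndTime=0 InTotalPkg=120 InTotalByte=90000 OutTotalPkg=80 OutTotalByte=6000 InVPNID=0 OutVPNID=0 AppID=443
Protocol=6 Operator=1 IPVersion=4 SourceIP=10.1.1.20 SrcNatIP=203.0.113.5 DestIP=198.51.100.9 DestNatIP=198.51.100.9 SrcPort=51012 SrcNatPort=1024 DestPort=443 DestNatPort=443 StartTime=1700000000 EndTime=1700000300 InTotalPkg=300 InTotalByte=250000 OutTotalPkg=210 OutTotalByte=15000 InVPNID=0 OutVPNID=0 AppID=443
Protocol=17 Operator=7 IPVersion=4 SourceIP=10.1.1.77 SrcNatIP=203.0.113.5 DestIP=192.0.2.1 DestNatIP=192.0.2.1 SrcPort=40000 SrcNatPort=2048 DestPort=53 DestNatPort=53 StartTime=1700000100 EndTime=1700000101 InTotalPkg=1 InTotalByte=70 OutTotalPkg=0 OutTotalByte=0 InVPNID=0 OutVPNID=0 AppID=53
Protocol=17 Operator=4 IPVersion=4 SourceIP=10.1.1.77 SrcNatIP=203.0.113.5 DestIP=192.0.2.2 DestNatIP=192.0.2.2 SrcPort=40001 SrcNatPort=2049 DestPort=53 DestNatPort=53 StartTime=1700000102 EndTime=1700000103 InTotalPkg=1 InTotalByte=70 OutTotalPkg=0 OutTotalByte=0 InVPNID=0 OutVPNID=0 AppID=53
"""


def parse_record(line):
    """Parse one 'Field=value ...' line into a dict of typed values."""
    rec = {}
    for token in line.split():
        key, _, value = token.partition("=")
        if key == "Operator":
            rec[key] = int(value, 16)      # table notation is hexadecimal (FE)
        elif key in INT_FIELDS:
            rec[key] = int(value)
        else:
            rec[key] = value
    return rec


def flow_key(rec):
    """Pre-NAT 5-tuple, the identity the guide says each flow is keyed on."""
    return (rec["SourceIP"], rec["DestIP"], rec["SrcPort"], rec["DestPort"], rec["Protocol"])


def triage(text):
    """Summarise a batch of records.

    Returns a dict with:
      durations: seconds per flow, taken from final records only (Operator 6
                 records carry EndTime=0 and are never treated as an end),
      pressure:  (SourceIP, meaning) for every Operator 4 or 7 record,
      nat_map:   (SrcNatIP, SrcNatPort) -> SourceIP, the reverse lookup an
                 abuse report that cites the public address needs.
    """
    durations, pressure, nat_map = {}, [], {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        op = rec["Operator"]
        nat_map[(rec["SrcNatIP"], rec["SrcNatPort"])] = rec["SourceIP"]
        if op in RESOURCE_PRESSURE:
            pressure.append((rec["SourceIP"], OPERATOR_NAMES[op]))
        if op in (6, 8) or rec["EndTime"] == 0:
            continue                        # not a final record for this flow
        durations[flow_key(rec)] = rec["EndTime"] - rec["StartTime"]
    return {"durations": durations, "pressure": pressure, "nat_map": nat_map}


if __name__ == "__main__":
    summary = triage(SAMPLE_RECORDS)
    for key, seconds in summary["durations"].items():
        print("flow", key, "lasted", seconds, "s")
    for src, why in summary["pressure"]:
        print("resource pressure:", src, why)
    print("203.0.113.5:1024 was", summary["nat_map"][("203.0.113.5", 1024)])
```

The NAT map is only as complete as the records you keep: with a Log-only storage action or a down log host (see the load balancing note under Configure flow log), the record that held a given translation may never arrive, so treat a missing reverse mapping as a collection gap rather than as proof that no internal host used that public port.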

 

Fast log

The fast log output feature enables fast output of logs to log hosts.

Typically, logs generated by a service module are first sent to the information center, which then outputs them to the configured destinations (such as log hosts). When fast log output is configured for a module, its logs are sent directly to the log hosts and bypass the information center, so they do not reach the information center's other destinations (console, monitor terminal, log buffer, or log file). Fast log output saves system resources compared to output through the information center, but because fast-output logs are not kept in the local log buffer or log file, make sure the log hosts are reachable and retain what they receive.

Email server

To enable output of logs through emails, you must configure the email server.

Storage space settings

The device collects log data from the following service modules for central analysis and reporting:

·     Traffic service.

·     DPI services, including the audit service, threat service, URL filtering service, and file filtering service.

The collected log data are stored on a hard disk if one is present. If no hard disk is present, the data are stored on a USB disk (U disk). If no USB disk is present either, the data are stored in memory, where they do not survive a reboot. Support for storing log data on a USB disk depends on the device model.

The storage space settings feature allows you to set the storage time limit, storage space limit, and the storage limit-violated action for the traffic service and DPI services.

Support for storage space settings depends on the device model.

Storage time limit

The storage time limit specifies the maximum number of days that the log data can be kept.

Processing of expired log data varies by the specified action:

·     If the action is Delete, the system will delete the expired log data and generate a log message to record the event.

·     If the action is Log-only, the system will generate a log message, but it does not delete the expired data.

Storage space limit

The storage space limit specifies the percentage of the total storage space the log data of a service can occupy.

Processing of the log data for a service whose storage space limit is exceeded varies by the specified action:

·     If the action is Delete, the system will delete the oldest log data to save new data. A log message will be generated to record the event.

·     If the action is Log-only, the system will generate a log message, but it does not delete old log data to save new data.

Action

The action specified for a storage limit of a service determines how the system processes the log data of the service when the storage limit is exceeded.

Supported actions are:

·     Delete—Deletes data collected on the oldest dates and generates a log message. The data of the current day cannot be deleted.

·     Log-only—Generates a log message only. When a storage limit is exceeded, old data are not deleted and new data cannot be saved, so the service stops recording until space is freed. To view the generated log messages, go to Monitor > Device Logs > System Logs.

Log severity levels

Logs are classified into eight severity levels, 0 through 7, with 0 the most severe and 7 the least severe. When you specify a severity level for log output, logs whose severity value is less than or equal to the specified value (that is, logs at least as severe as the specified level) are output. For example, if you specify severity level 6 (informational), logs with severity levels 0 through 6 are output and only debugging (7) logs are suppressed.

Table 4 Log severity levels

Severity value

Level

Description

0

Emergency

The system is unusable. For example, the system authorization has expired.

1

Alert

Action must be taken immediately. For example, traffic on an interface exceeds the upper limit.

2

Critical

Critical condition. For example, the device temperature exceeds the upper limit, the power module fails, or the fan tray fails.

3

Error

Error condition. For example, the link state changes.

4

Warning

Warning condition. For example, an interface is disconnected, or the memory resources are used up.

5

Notification

Normal but significant condition. For example, a terminal logs in to the device, or the device reboots.

6

Informational

Informational message. For example, a command or a ping operation is executed.

7

Debugging

Debug message.
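The following is an added example of the severity threshold in Table 4 applied on the receiving side; it is not code from this guide or from H3C. It assumes the standard syslog PRI encoding (PRI = facility * 8 + severity, as in RFC 3164 and RFC 5424) and a Comware-style body header of the form %%10MODULE/SEVERITY/MNEMONIC:, which is an assumption about the message format rather than something this page states. The sample lines are constructed. It shows why "level 6" keeps levels 0 through 6, and it cross-checks the severity carried in PRI against the one in the message header, which catches a relay that rewrote PRI.

```python
"""Severity-threshold filtering of syslog lines (Table 4 semantics).

Added example, not code from the H3C guide or from H3C. Assumptions: standard
syslog PRI = facility * 8 + severity, and a Comware-style body header
%%10MODULE/SEVERITY/MNEMONIC: (assumed format). SAMPLE_LINES are constructed;
facility 23 (local7) is used for all of them.
"""
import re

SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}
PRI_RE = re.compile(r"^<(\d{1,3})>")
HEADER_RE = re.compile(r"%%10([A-Z0-9_]+)/(\d)/([A-Z0-9_]+):")

# Constructed sample lines; the mnemonics and texts are illustrative only.
SAMPLE_LINES = [
    "<184>Nov 14 22:13:20 2023 FW1 %%10DEV/0/SYSTEM_UNUSABLE: System authorization has expired.",
    "<188>Nov 14 22:13:21 2023 FW1 %%10IFNET/4/LINK_UPDOWN: Line protocol state on the interface GigabitEthernet1/0/1 changed to down.",
    "<189>Nov 14 22:13:22 2023 FW1 %%10SHELL/5/SHELL_LOGIN: admin logged in from 10.1.1.5.",
    "<190>Nov 14 22:13:23 2023 FW1 %%10SHELL/6/SHELL_CMD: -Line=vty0-IPAddr=10.1.1.5-User=admin; Command is display current-configuration",
    "<191>Nov 14 22:13:24 2023 FW1 %%10SESSION/7/SESSION_DEBUG: debug output",
    # PRI says 6 but the header says 5: a relay or forwarder altered PRI.
    "<190>Nov 14 22:13:25 2023 FW1 %%10SHELL/5/SHELL_LOGOUT: admin logged out from 10.1.1.5.",
]


def split_pri(line):
    """Return (facility, severity, remainder) for a '<PRI>...' syslog line."""
    m = PRI_RE.match(line)
    if m is None:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:                      # facility 23 * 8 + severity 7 is the maximum
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8, line[m.end():]


def passes_threshold(severity, threshold):
    """Smaller value means more severe: threshold 6 keeps 0..6 and drops only 7."""
    return severity <= threshold


def header_severity(body):
    """Severity digit from the %%10MODULE/SEVERITY/MNEMONIC: header, or None."""
    m = HEADER_RE.search(body)
    return int(m.group(2)) if m else None


def filter_lines(lines, threshold):
    """Keep lines at or above the threshold and flag PRI/header disagreement."""
    kept = []
    for line in lines:
        facility, severity, body = split_pri(line)
        if not passes_threshold(severity, threshold):
            continue
        hdr = header_severity(body)
        kept.append({
            "facility": facility,
            "severity": severity,
            "level": SEVERITY_NAMES[severity],
            "mismatch": hdr is not None and hdr != severity,
            "body": body.strip(),
        })
    return kept


if __name__ == "__main__":
    for entry in filter_lines(SAMPLE_LINES, 6):
        flag = " (PRI/header mismatch)" if entry["mismatch"] else ""
        print(f"{entry['severity']} {entry['level']:<13}{flag} {entry['body']}")
```

Run with a threshold of 6 and the debugging line is the only one dropped; with a threshold of 3 only the emergency line survives, which is the direction the prose above describes. The mismatch flag is worth keeping in a collector pipeline: filtering on PRI alone trusts whatever the last relay wrote there.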

 

Restrictions and guidelines

The device supports the following methods (in descending order of priority) for outputting logs of a module to designated log hosts:

·     Fast log output.

·     Flow log output.

·     Syslog output.

If you configure multiple log output methods for a module, only the method with the highest priority takes effect.

Configure basic log settings

Configure syslog

1.     Click the System tab.

2.     In the navigation pane, select Log Settings > Basic Settings.

3.     Click the Syslog tab.

4.     Configure the basic syslog settings.

Table 5 Syslog configuration items

Item

Description

Output to log buffer

Select this item to enable system log output to the log buffer.

Logs are saved to log buffers according to their source modules:

·     Logs generated by modules that have separate log buffers are saved to their respective log buffers. For example, session logs and attack defense logs are saved to the session log buffer and the attack defense log buffer, respectively.

·     Logs generated by other modules are saved to the general log buffer.

Log buffer size

Enter the maximum number of logs that can be buffered.

When the log buffer is full, the system will overwrite the oldest logs with new logs.

This item specifies the size of the general log buffer.

 

5.     Click Apply.

6.     Click Create.

The Create Log Host window opens.

7.     Create a log host.

Table 6 Log host configuration items

Item

Description

Log host address

Enter the IP address or host name of the log host.

Port number

Enter the port number of the log host.

VRF

Select the VRF (VPN instance) to which the log host belongs. If the log host belongs to the public network, select Public network.

 

8.     Click OK.

The new log host is displayed on the log host list of the Syslog tab.

Configure flow log

1.     Click the System tab.

2.     In the navigation pane, select Log Settings > Basic Settings.

3.     Click the Flow Log tab.

4.     Configure the basic flow log settings.

Table 7 Flow log configuration items

Item

Description

Log version

Select a flow log version. Options are 1.0, 3.0, and 5.0.

Make sure the specified flow log version is supported on the log hosts specified for flow log export.

Load balancing

Select this item to enable load balancing for flow log entries.

By default, load balancing is disabled. The device sends a copy of each flow log entry to all available log hosts.

In load balancing mode, flow log entries are distributed among log hosts based on the source IP addresses (before NAT) that are recorded in the entries. The flow log entries generated for the same source IP address are sent to the same log host. If a log host goes down, the flow logs sent to it will be lost.

Source IP for log packets

Specify the source IP address for the flow log packets.

By default, the source IP address of flow log packets is the IP address of their outgoing interface.

Configure this item when you need to filter flow logs by source IP address on the log host.

As a best practice, use a Loopback interface's address as the source IP address for flow log packets. A Loopback interface is always up, so its address remains valid even when the physical outgoing interface changes or goes down, and the log host sees one stable source address that it can filter on.

 

5.     Click Apply.

6.     Click Create.

The Create Log Host window opens.

Table 8 Log host configuration items

Item

Description

Log host address

Enter the IP address or host name of the log host.

Port number

Enter the port number of the log host.

VRF

Select the VPN instance to which the log host belongs. If the log host belongs to the public network, select Public network.

 

7.     Click OK.

The new log host is displayed on the log host list of the Flow Log tab.

Configure fast log output

1.     Click the System tab.

2.     In the navigation pane, select Log Settings > Basic Settings.

3.     Click the Fast Log Output tab.

4.     Configure the fast log output settings.

Table 9 Fast log output configuration items

Item

Description

Log timestamp

Select the time zone to use in the log timestamp. Options are:

·     Greenwich Mean Time (GMT)—Standard Greenwich Mean Time (GMT).

·     Local time—Standard GMT plus or minus the time zone offset.

Use the same setting on every device that sends to a given log host, so that timestamps from different devices can be correlated.

Source IP for log packets

Select a source interface for fast log output. The primary IP address of the specified interface is used as the source IP address of fast output logs regardless of the outgoing interface.

By default, the source IP address of fast output logs is the primary IP address of the outgoing interface.

Configure this item when you need to filter logs by source IP address on the log host.

As a best practice, use a Loopback interface's address as the source IP address for fast log output. A Loopback interface is always up, so its address remains valid even when the physical outgoing interface changes or goes down, and the log host sees one stable source address that it can filter on.

 

5.     Click Apply.

6.     Click Create.

The Create Log Host window opens.

Table 10 Log host configuration items

Item

Description

Log host address

Enter the IP address or host name of the log host.

Port number

Enter the port number of the log host.

VRF

Select the VPN instance to which the log host belongs. If the log host belongs to the public network, select Public network.

Session logs

Select this item to enable fast output of session logs to the log host.

NAT logs

Select this item to enable fast output of NAT logs to the log host.

Log format

This item is available only when the NAT logs item is selected.

Select a log output format. Options are China Unicom, China Telecom, and CMCC.

NAT session logs

This item is available only when the NAT logs item is selected.

Select this item to enable fast output of NAT session logs to the log host.

NAT444 user logs

This item is available only when the NAT logs item is selected.

Select this item to enable fast output of NAT444 user logs to the log host.

AFT logs

Select this item to enable fast output of AFT port block logs to the log host.

Application audit logs

Select this item to enable fast output of application audit logs to the log host.

URL filtering logs

Select this item to enable fast output of URL filtering logs to the log host.

Attack defense logs

Select this item to enable fast output of attack defense logs to the log host.

LB logs

Select this item to enable fast output of load balancing logs to the log host.

IP reputation logs

Select this item to enable fast output of IP reputation logs to the log host.

Netshare logs

Select this item to enable fast output of netshare control logs to the log host.

Security policy logs

Select this item to enable fast output of security policy configuration logs to the log host.

Heartbeat logs

Select this item to enable fast output of heartbeat logs to the log host.

IPS logs

Select this item to enable fast output of IPS logs to the log host.

Bandwidth management logs

Select this item to enable fast output of bandwidth management logs to the log host.

Anti-virus logs

Select this item to enable fast output of anti-virus logs to the log host.

WAF logs

Select this item to enable fast output of WAF logs to the log host.

 

7.     Click OK.

The new log host is displayed on the log host list of the Fast Log Output tab.

Configure the email server

1.     Click the System tab.

2.     In the navigation pane, select Log Settings > Basic Settings.

3.     Click the Email Server tab.

4.     Configure the email server settings.

Table 11 Email server configuration items

Item

Description

Mail server address

Enter the IP address or host name of the email server.

Sender address

Enter the email sender address.

Recipient addresses

Enter a colon-separated list of email recipient addresses.

DNS server address

Enter the IP address of the DNS server.

Identity authentication

Select Enable to enable email client authentication.

Enable email client authentication as required by the email server.

Secure user info transmission

Select this item to enable secure transmission of the user authentication credentials. Select it whenever the email server supports secure transmission; if it is not selected, the username and password are sent to the email server without protection.

Username

Enter the username for connecting to the email server.

Password

Enter the password for connecting to the email server.

 

5.     Click Apply.

Configure storage space settings

1.     Click the System tab.

2.     In the navigation pane, select Log Settings > Basic Settings.

3.     Click the Storage Space Settings tab.

4.     Configure the storage space settings for services.

Table 12 Storage space configuration items

Item

Description

Service

Name of the service for which you can configure storage space limit settings.

Supported services are:

·     Traffic service.

·     DPI services, including:

¡     Audit service.

¡     Threat service, which includes both the IPS service and anti-virus service.

¡     URL filtering service.

¡     File filtering service.

Max storage days

Specify the maximum number of days that the log data can be kept.

Max storage space

Specify the percentage of the total storage space the log data of the service can occupy.

Action

Specify the action to take when the storage time limit or storage space limit of a service is exceeded.

 

5.     Click Submit.

The Edited Items window opens.

6.     Verify that the edited settings are correct, and then click Apply.

 
