Login
- Table of Contents
-
- 07-System
- 01-High availability group
- 02-VRRP
- 03-Track
- 04-BFD
- 05-NQA
- 06-Basic log settings
- 07-Email server
- 08-Session log settings
- 09-NAT log settings
- 10-AFT log settings
- 11-Sandbox log settings
- 12-Threat log settings
- 13-Application audit log settings
- 14-NetShare log settings
- 15-URL filtering log settings
- 16-Attack defense log settings
- 17-Reputation log settings
- 18-Bandwidth alarm logs
- 19-Configuration log settings
- 20-Security policy log
- 21-Terminal identification logging
- 22-Heartbeat log settings
- 23-WAF log settings
- 24-IP access logs
- 25-MAC access log
- 26-Load balancing logging
- 27-Bandwidth management logs
- 28-Context rate limit logging
- 29-Zero trust logs
- 30-Report settings
- 31-Session settings
- 32-Signature upgrade
- 33-Software upgrade
- 34-License management
- 35-IRF
- 36-IRF advanced settings
- 37-Contexts
- 38-Administrators
- 39-Date and time
- 40-MAC address learning through a Layer 3 device
- 41-SNMP
- 42-Configuration management
- 43-Reboot
- 44-About
- 45-Ping
- 46-Tracert
- 47-Packet capture
- 48-Webpage Diagnosis
- 49-Diagnostic Info
- 50-Packet trace
- 51-Load balancing test
- 52-IPsec diagnosis
- 53-Fast Internet Access
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 16-Attack defense log settings | 21.48 KB |
Attack defense log settings
Introduction
Log aggregation for single-packet attack events
When you enable logging for single-packet attacks, the device generates logs when it detects single-packet attacks. The log generation and output require more system resources if single-packet attacks frequently occur. You can enable Log aggregation for single-packet attacks to save system resources. This feature aggregates multiple logs generated during a period of time and sends one log. Logs that are aggregated must have the following attributes in common:
· Attacks are detected on the same interface or security zone or are destined for the device.
· Attack type.
· Attack defense action.
· Source and destination IP addresses.
· VRF to which the victim IP address belongs.
Blacklist logging
With logging enabled for the blacklist feature, the system outputs logs in the following situations:
· A blacklist entry is manually added.
· A blacklist entry is dynamically added by the scanning attack detection feature.
· A blacklist entry is manually deleted.
· A blacklist entry ages out.
A blacklist log records the following information:
· Source IP address of the blacklist entry.
· Remote IP address of the DS-Lite tunnel.
· VRF name.
· Reason for adding or deleting the blacklist entry.
· Aging time for the blacklist entry.
Log buffer and log file
The device provides separate log buffers and log files for the blacklist module and the attack defense module. To enable outputting logs of service modules to their log buffers and log files, select the Output to log buffer option on the basic settings page for the syslog.
Logs are saved in the log file buffer before they are saved to the log file. After the system saves logs to the log file, the log file buffer is cleared.
When the maximum capacity of the log file is reached, the system replaces the oldest logs with new logs.
