Basic log settings
This help contains the following topics:
· Introduction
  · Syslog
  · Flow log
  · Fast log
· Configure basic log settings
  · Configure storage space settings
Introduction
The device generates various types of logs for service modules based on the packets processed by the service modules. These logs help network administrators monitor network performance, troubleshoot network problems, as well as track, record, analyze, and audit network access behaviors of users.
The device supports outputting logs by using the following methods:
· Syslog.
· Flow log.
· Fast log output.
Syslog
Syslog entries are in ASCII format.
The information center on the device receives syslog messages generated by source modules and outputs the logs to the following destinations:
· Console.
· Monitor terminal.
· Log buffer.
· Log host.
· Log file.
Flow log
About flow log
Flow log records users' access to external networks based on flows. Each flow is identified by a 5-tuple of the source IP address, destination IP address, source port, destination port, and protocol number.
Flow log creates entries based on NAT sessions.
Flow log versions
Flow log has three versions: version 1.0, version 3.0, and version 5.0. Table 1, Table 2, and Table 3 show the fields available in each version. The fields displayed on your device might differ from those listed in the tables, depending on the log analysis tool you use.
Table 1 Flow log 1.0 fields
Field | Description |
---|---|
SrcIP | Source IP address before NAT. |
DestIP | Destination IP address before NAT. |
SrcPort | Source TCP/UDP port number before NAT. |
DestPort | Destination TCP/UDP port number before NAT. |
StartTime | Start time of the flow, in seconds. |
EndTime | End time of the flow, in seconds. This field is 0 if the Operator field is 6 (regular connectivity check record for the active flow). |
Protocol | Protocol number. |
Operator | Reason the flow log entry was generated: 0—Reserved; 1—Flow was ended normally; 2—Flow was aged out because of aging timer expiration; 3—Flow was aged out because of configuration change or manual deletion; 4—Flow was aged out because of insufficient resources; 5—Reserved; 6—Regular connectivity check record for the active flow; 7—Flow was deleted because a new flow was created when the flow table was full; 8—Flow was created; FE—Other reasons; 10-FE-1—Reserved for future use. |
Reserved | Reserved for future use. |
Table 2 Flow log 3.0 fields
Field | Description |
---|---|
Protocol | Protocol number. |
Operator | Reason the flow log entry was generated: 0—Reserved; 1—Flow was ended normally; 2—Flow was aged out because of aging timer expiration; 3—Flow was aged out because of configuration change; 4—Flow was aged out because of insufficient resources; 5—Reserved; 6—Regular connectivity check record for the active flow; 7—Flow was deleted because a new flow was created when the flow table was full; 8—Flow was created; FE—Other reasons; 10-FE-1—Reserved for future use. |
IPVersion | IP packet version. |
TosIPv4 | ToS field of the IPv4 packet. |
SourceIP | Source IP address before NAT. |
SrcNatIP | Source IP address after NAT. |
DestIP | Destination IP address before NAT. |
DestNatIP | Destination IP address after NAT. |
SrcPort | Source TCP/UDP port number before NAT. |
SrcNatPort | Source TCP/UDP port number after NAT. |
DestPort | Destination TCP/UDP port number before NAT. |
DestNatPort | Destination TCP/UDP port number after NAT. |
StartTime | Start time of the flow, in seconds. |
EndTime | End time of the flow, in seconds. This field is 0 when the Operator field is 6 (regular connectivity check record for the active flow). |
InTotalPkg | Number of packets received for the session. |
InTotalByte | Number of bytes received for the session. |
OutTotalPkg | Number of packets sent for the session. |
OutTotalByte | Number of bytes sent for the session. |
InVPNID | ID of the source VPN instance. |
OutVPNID | ID of the destination VPN instance. |
Reserved1 | Reserved field. |
AppID | Application protocol ID. |
Reserved3 | Reserved field. |
Table 3 Flow log 5.0 fields
Field | Description |
---|---|
Protocol | Protocol number. |
Operator | Reason the flow log entry was generated: 0—Reserved; 1—Flow was ended normally; 2—Flow was aged out because of aging timer expiration; 3—Flow was aged out because of configuration change; 4—Flow was aged out because of insufficient resources; 5—Reserved; 6—Regular connectivity check record for the active flow; 7—Flow was deleted because a new flow was created when the flow table was full; 8—Flow was created; FE—Other reasons; 10-FE-1—Reserved for future use. |
IPVersion | IP packet version. |
TosIPv4 | ToS field of the IPv4 packet. |
SourceIP | Source IP address before NAT. |
SrcNatIP | Source IP address after NAT. |
DestIP | Destination IP address before NAT. |
DestNatIP | Destination IP address after NAT. |
SrcPort | Source TCP/UDP port number before NAT. |
SrcNatPort | Source TCP/UDP port number after NAT. |
DestPort | Destination TCP/UDP port number before NAT. |
DestNatPort | Destination TCP/UDP port number after NAT. |
StartTime | Start time of the flow, in seconds. |
EndTime | End time of the flow, in seconds. This field is 0 when the Operator field is 6 (regular connectivity check record for the active flow). |
InTotalPkg | Number of packets received for the session. |
InTotalByte | Number of bytes received for the session. |
OutTotalPkg | Number of packets sent for the session. |
OutTotalByte | Number of bytes sent for the session. |
InVPNID | ID of the source VPN instance. |
OutVPNID | ID of the destination VPN instance. |
AppID | Application protocol ID. |
UserName | Username. |
Reserved1, Reserved2, Reserved3 | Reserved fields. |
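An added example (not part of the product documentation) of how a log host can use the Table 2 and Table 3 fields during an investigation: resolving a public SrcNatIP:SrcNatPort observed at a given time back to the pre-NAT host, while accounting for the EndTime of 0 that Operator 6 records carry. The record dictionaries, sample values, and function names are constructed; the page does not show the export wire format, so the example assumes entries have already been parsed into dicts keyed by the documented field names.

```python
# Added example (not from the product documentation): reverse-NAT lookup over
# flow log 3.0/5.0 records on the log host. It assumes the exported entries
# have already been parsed into dicts keyed by the documented field names;
# the page does not show the export wire format.

OP_ACTIVE_CHECK = 6                  # periodic record for an active flow; EndTime is 0
CLOSING_OPERATORS = {1, 2, 3, 4, 7}  # flow ended normally, aged out, or deleted

# Constructed sample records (not real traffic). Flow A is first reported by a
# connectivity check and later closed normally; flow B reuses NAT port 40001
# and is still active, so it has no closing record.
FLOW_LOGS = [
    {"Protocol": 6, "Operator": OP_ACTIVE_CHECK, "SourceIP": "10.1.1.20", "SrcPort": 51000,
     "SrcNatIP": "203.0.113.5", "SrcNatPort": 40001, "DestIP": "198.51.100.9",
     "DestPort": 443, "StartTime": 1000, "EndTime": 0},
    {"Protocol": 6, "Operator": 1, "SourceIP": "10.1.1.20", "SrcPort": 51000,
     "SrcNatIP": "203.0.113.5", "SrcNatPort": 40001, "DestIP": "198.51.100.9",
     "DestPort": 443, "StartTime": 1000, "EndTime": 1300},
    {"Protocol": 6, "Operator": OP_ACTIVE_CHECK, "SourceIP": "10.1.1.31", "SrcPort": 52000,
     "SrcNatIP": "203.0.113.5", "SrcNatPort": 40001, "DestIP": "198.51.100.9",
     "DestPort": 443, "StartTime": 2000, "EndTime": 0},
]


def flow_key(rec):
    """Identify one flow across all of its records: pre-NAT 5-tuple plus start time."""
    return (rec["SourceIP"], rec["SrcPort"], rec["DestIP"], rec["DestPort"],
            rec["Protocol"], rec["StartTime"])


def find_internal_hosts(records, nat_ip, nat_port, protocol, at_time):
    """Return [(SourceIP, SrcPort, end_known)] for flows that used nat_ip:nat_port
    for the given protocol number at epoch second at_time.

    A record whose Operator is 6 carries EndTime 0 and only proves the flow was
    alive from StartTime onward. If a closing record exists for the same flow,
    its EndTime bounds the match; otherwise the match is reported as open-ended
    (end_known=False) so the analyst knows the attribution is not time-bounded.
    """
    end_by_flow = {flow_key(r): r["EndTime"]
                   for r in records if r["Operator"] in CLOSING_OPERATORS}
    seen, hits = set(), []
    for r in records:
        if (r["SrcNatIP"], r["SrcNatPort"], r["Protocol"]) != (nat_ip, nat_port, protocol):
            continue
        key = flow_key(r)
        if key in seen:
            continue
        seen.add(key)
        end = end_by_flow.get(key)  # None: no closing record, flow may still be active
        if r["StartTime"] <= at_time and (end is None or at_time <= end):
            hits.append((r["SourceIP"], r["SrcPort"], end is not None))
    return hits
```

Because NAT ports are reused, the lookup must be bounded by time; an open-ended hit should be re-checked once the closing record for that flow arrives.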
Fast log
The fast log output feature enables fast output of logs to log hosts.
Typically, logs generated by a service module are first sent to the information center, which then outputs the logs to the specified destination (such as to log hosts). When fast log output is configured, logs of service modules are sent directly to log hosts instead of to the information center. Compared to outputting logs to the information center, fast log output saves system resources.
Storage space settings
The device collects log data from service modules for central analysis and reporting.
The collected log data are preferably stored in a hard disk. If a hard disk is not present, the data are stored in a U disk. If a U disk is not present either, the data are stored in the memory. Support for storing the log data in a U disk depends on the device model.
The storage space settings feature allows you to set the storage time limit, storage space limit, and the storage limit-violated action for the traffic service and DPI services.
Before you remove a storage device, complete the following to avoid damaging the storage device or the stored data:
· From the Web interface, click Unload to release the file systems of the storage device from the service log processes.
· From the CLI, execute the umount command in user view to unmount all the file systems on the storage device.
Support for storage space settings depends on the device model.
Storage time limit
The storage time limit specifies the maximum number of days that the log data can be kept.
Processing of expired log data varies by the specified action:
· If the action is Delete, the system will delete the expired log data and generate a log message to record the event.
· If the action is Log-only, the system will generate a log message, but it does not delete the expired data.
Storage space limit
The storage space limit specifies the percentage of the total storage space the log data of a service can occupy.
Processing of the log data for a service whose storage space limit is exceeded varies by the specified action:
· If the action is Delete, the system will delete the oldest log data to save new data. A log message will be generated to record the event.
· If the action is Log-only, the system will generate a log message, but it does not delete old log data to save new data.
Action
The action specified for a storage limit of a service determines how the system processes the log data of the service when the storage limit is exceeded.
Supported actions are:
· Delete—Deletes data collected on the oldest dates and generates a log message. The data of the current day cannot be deleted.
· Log-only—Generates a log message only. When a storage limit is exceeded, old data are not deleted and new data cannot be saved. To view the log data, go to Monitor > Device Logs > System Logs.
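An added example (not the device's code) that models how the storage time limit, the storage space limit, and the Action interact for one service's log data, including the two documented edge cases: the current day is never deleted, and with Log-only new data cannot be saved once a limit is exceeded. The per-day size model, the function names, and the rule that today counts as the first of the max_days days are assumptions.

```python
# Added example (not the device's code): a model of how the storage time limit,
# storage space limit and Action interact for one service's log data. The
# per-day size model, the function names and the rule that today counts as the
# first of the max_days days are assumptions.
from datetime import date, timedelta


def enforce_storage_limits(daily_sizes, today, max_days, max_space_pct, total_space, action):
    """Run one enforcement pass.

    daily_sizes: {date: bytes of log data collected on that date}.
    Returns (kept, events): the surviving per-day data and the log messages
    the system would generate. action is "Delete" or "Log-only".
    """
    assert action in ("Delete", "Log-only")
    kept = dict(daily_sizes)
    events = []

    # Storage time limit: data older than max_days (today counted as day 1) has expired.
    oldest_allowed = today - timedelta(days=max_days - 1)
    expired = sorted(d for d in kept if d < oldest_allowed)
    if expired:
        if action == "Delete":
            for d in expired:
                kept.pop(d)
        events.append("storage time limit exceeded: %d day(s) expired, %s"
                      % (len(expired), "deleted" if action == "Delete" else "kept (Log-only)"))

    # Storage space limit: delete the oldest dates first; the current day is never deleted.
    limit = total_space * max_space_pct / 100
    if sum(kept.values()) > limit:
        removed = 0
        if action == "Delete":
            for d in sorted(kept):
                if d == today or sum(kept.values()) <= limit:
                    break
                kept.pop(d)
                removed += 1
        events.append("storage space limit exceeded: %d oldest day(s) deleted" % removed)
    return kept, events


def can_save_new_data(kept, max_space_pct, total_space, action):
    """With Log-only, new log data cannot be saved while the space limit is exceeded."""
    over = sum(kept.values()) > total_space * max_space_pct / 100
    return action == "Delete" or not over


# Constructed sample: five days of data in MB, newest first, on a 100 MB volume.
TODAY = date(2024, 3, 10)
SAMPLE = {TODAY - timedelta(days=n): size for n, size in enumerate([30, 20, 20, 20, 20])}
```

Run with Log-only on the sample, the service keeps its history but stops recording new events, which is the audit gap to watch for in the system logs.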
Log severity levels
Logs are classified into eight severity levels, 0 through 7, in descending order of severity (0 is the most severe). If you specify a severity level for log output, logs whose severity is higher than or equal to the specified level (that is, whose severity value is less than or equal to the specified value) are output. For example, if you specify severity level 6 (informational), logs with a severity value from 0 to 6 are output.
Table 4 Log severity levels
Severity value | Level | Description |
---|---|---|
0 | Emergency | The system is unusable. For example, the system authorization has expired. |
1 | Alert | Action must be taken immediately. For example, traffic on an interface exceeds the upper limit. |
2 | Critical | Critical condition. For example, the device temperature exceeds the upper limit, the power module fails, or the fan tray fails. |
3 | Error | Error condition. For example, the link state changes. |
4 | Warning | Warning condition. For example, an interface is disconnected, or the memory resources are used up. |
5 | Notification | Normal but significant condition. For example, a terminal logs in to the device, or the device reboots. |
6 | Informational | Informational message. For example, a command or a ping operation is executed. |
7 | Debugging | Debugging message. |
Restrictions and guidelines
The device supports the following methods (in descending order of priority) for outputting logs of a module to designated log hosts:
· Fast log output.
· Flow log output.
· Syslog output.
If you configure multiple log output methods for a module, only the method with the highest priority takes effect.
Configure basic log settings
Configure syslog
1. Click the System tab.
2. In the navigation pane, select Log Settings > Basic Settings.
3. Click the Syslog tab.
4. Configure the basic syslog settings.
Table 5 Syslog configuration items
Item | Description |
---|---|
Output to log buffer | Select this item to enable system log output to the log buffer. Logs are buffered by source module: logs generated by modules that have separate log buffers are saved to their respective log buffers, and logs generated by other modules are saved to the general log buffer. |
Log buffer size | Enter the maximum number of logs that can be buffered in the general log buffer. When the log buffer is full, the system overwrites the oldest logs with new logs. |
5. Click Apply.
6. Click Create.
The Create Log Host window opens.
7. Create a log host.
Table 6 Log host configuration items
Item | Description |
---|---|
Log host address | Enter the IP address or host name of the log host. |
Port number | Enter the port number of the log host. |
VRF | Select the VRF (VPN instance) to which the log host belongs. If the log host belongs to the public network, select Public network. |
8. Click OK.
The new log host is displayed on the log host list of the Syslog tab.
Configure flow log
1. Click the System tab.
2. In the navigation pane, select Log Settings > Basic Settings.
3. Click the Flow Log tab.
4. Configure the basic flow log settings.
Table 7 Flow log configuration items
Item | Description |
---|---|
Log version | Select a flow log version. Options are 1.0, 3.0, and 5.0. Make sure the specified flow log version is supported on the log hosts specified for flow log export. |
Load balancing | Select this item to enable load balancing for flow log entries. By default, load balancing is disabled and the device sends a copy of each flow log entry to all available log hosts. In load balancing mode, flow log entries are distributed among log hosts based on the source IP addresses (before NAT) recorded in the entries, so the flow log entries generated for the same source IP address are sent to the same log host. If a log host goes down, the flow logs sent to it will be lost. |
Source IP for log packets | Specify the source IP address for the flow log packets. By default, the source IP address of flow log packets is the IP address of their outgoing interface. Configure this item when you need to filter flow logs by source IP address on the log host. As a best practice, use a Loopback interface's address as the source IP address for flow log packets. A Loopback interface is always up, so this setting avoids export failure on interfaces that might go down. |
5. Click Apply.
6. Click Create.
The Create Log Host window opens.
Table 8 Log host configuration items
Item | Description |
---|---|
Log host address | Enter the IP address or host name of the log host. |
Port number | Enter the port number of the log host. |
VRF | Select the VPN instance to which the log host belongs. If the log host belongs to the public network, select Public network. |
7. Click OK.
The new log host is displayed on the log host list of the Flow Log tab.
Configure fast log output
1. Click the System tab.
2. In the navigation pane, select Log Settings > Basic Settings.
3. Click the Fast Log Output tab.
4. Configure the fast log output settings.
Table 9 Fast log output configuration items
Item | Description |
---|---|
Log timestamp | Select the time zone to use in the log timestamp. Options are: Greenwich Mean Time (GMT)—standard GMT; Local time—standard GMT plus or minus the time zone offset. |
Source IP for log packets | Select a source interface for fast log output. The primary IP address of the specified interface is used as the source IP address of fast output logs regardless of the outgoing interface. By default, the source IP address of fast output logs is the primary IP address of the outgoing interface. Configure this item when you need to filter logs by source IP address on the log host. As a best practice, use a Loopback interface's address as the source IP address for fast log output. A Loopback interface is always up, so this setting avoids export failure on interfaces that might go down. |
5. Click Apply.
6. Click Create.
The Create Log Host window opens.
Table 10 Log host configuration items
Item | Description |
---|---|
Log host address | Enter the IP address or host name of the log host. |
Port number | Enter the port number of the log host. |
VRF | Select the VPN instance to which the log host belongs. If the log host belongs to the public network, select Public network. |
Session logs | Select this item to enable fast output of session logs to the log host. |
Application audit logs | Select this item to enable fast output of application audit logs to the log host. |
URL filtering logs | Select this item to enable fast output of URL filtering logs to the log host. |
Attack defense logs | Select this item to enable output of attack defense logs to the log host. |
Reputation logs | Select this item to enable fast output of IP, URL, and domain reputation logs to the log host. |
Netshare logs | Select this item to enable fast output of netshare control logs to the log host. |
Security policy logs | Select this item to enable fast output of security policy configuration logs to the log host. |
Heartbeat logs | Select this item to enable fast output of heartbeat logs to the log host. |
IPS logs | Select this item to enable fast output of IPS logs to the log host. |
Bandwidth management logs | Select this item to enable fast output of bandwidth management logs to the log host. |
Sandbox logs | Select this item to enable fast output of sandbox logs to the log host. |
WAF logs | Select this item to enable fast output of WAF logs to the log host. |
Terminal identification logging | Select this item to enable fast output of terminal identification logs to the log host. |
Anti-virus logs | Select this item to enable fast output of anti-virus logs to the log host. |
External authentication logs | Select this item to enable fast output of external authentication logs to the log host. |
Notification logs | Select this item to enable fast output of policy notification logs to the log host. |
7. Click OK.
The new log host is displayed on the log host list of the Fast Log Output tab.
Configure storage space settings
1. Click the System tab.
2. In the navigation pane, select Log Settings > Basic Settings.
3. Click the Storage Space Settings tab.
4. Click the Edit icon for a service, and then configure the storage space settings for the service.
Table 11 Storage space configuration items
Item | Description |
---|---|
Service | Name of the service for which you can configure storage space limit settings. |
Max storage days | Specify the maximum number of days that the log data can be kept. This item is available only when a hard disk or U disk is present. |
Max storage space | Specify the percentage of the total storage space the log data of the service can occupy. This item is available only when a hard disk or U disk is present. |
Action | Specify the action to take when the storage time limit or storage space limit of the service is exceeded. This item is available only when a hard disk or U disk is present. |
Enable | Enable logging for the service. |
5. Click OK.