Threat logs


Introduction

The Threat Log List page displays the logs generated by the IPS module and the anti-virus module. These logs help administrators tune IPS profiles and anti-virus profiles to improve network security.

When configuring an IPS profile or anti-virus profile, you can enable the logging function. The IPS module and anti-virus module then generate a log for each packet that matches a signature.

vSystem support information

Support of non-default vSystems for this feature depends on the device model. This feature is available on the Web interface only if it is supported.

Licensing requirements

IPS

To use IPS, you must purchase and install the required license. After the license expires, the IPS feature remains available with the existing IPS signature library, but you cannot update the IPS signature library to versions released on the official website after the expiration date. For more information about licensing, see the license management help.

Anti-virus

To use anti-virus, you must purchase and install the required license. After the license expires, the anti-virus feature remains available with the existing anti-virus signature library, but you cannot update the virus signature library or use the cloud query function. For more information about licensing, see the license management help.

Restrictions and guidelines

Configuration guidelines

View threat log details

To view details of a log, click the Details icon in the Details column. In the Threat Log Details window, the threat name in the Threat information area and the fields in the Packet Details area might be truncated. To view the complete content, you can use the following methods:

Download capture files

After the intrusion prevention system executes the packet capture action for a matching packet, the device generates a log. If a hard disk or USB disk is installed, click Download for that log to obtain the capture file for threat analysis.

Add to whitelist

If false alarms exist in the threat logs, you can click the Add to whitelist icon of a log to add the detected IPS signature ID and URL to the whitelist. The whitelist feature permits packets matching the whitelist to pass through, reducing false alarms. Because a whitelist entry suppresses detection for every packet that matches it, confirm that the alarm is really false before adding the entry.

Import logs

  1. Click the Monitor tab.

  2. In the navigation pane, select Security Logs > Threat Logs.

  3. Click Import.

  4. In the dialog box that opens, click OK.

  5. Select a log file, and enter the password for the log file. The password was set when the file was exported.

Export logs

  1. Click the Monitor tab.

  2. In the navigation pane, select Security Logs > Threat Logs.

  3. Click on a column header, specify the search criteria to display the logs to be exported, and then click Apply.

  4. Click Export.

  5. On the page that opens, configure the log export settings.

    Table-1 Log export configuration items

    Item

    Description

    Set password

    Enter a password for encrypting the log files. This password is required when you view or import the exported log files, so keep a record of it: an exported file cannot be opened or imported without it.

    Logs per file

    Specify the maximum number of logs allowed in a single log file.

    • If the number of logs to be exported is smaller than or equal to the specified number, the device exports the logs to one file.

    • If the number of logs to be exported is greater than the specified number, the device exports the logs to multiple files.

  6. Click Export to export the log files to your PC.

Aggregate logs

Perform this task to enable log aggregation. Log aggregation reduces the number of log entries displayed on the Web interface and makes the logs easier to review. With log aggregation enabled, the device aggregates, at the configured interval, service logs that meet the same aggregation criteria. The log aggregation criteria are source IP address, destination IP address, application, source port, destination port, threat ID, threat name, and service type; logs that agree on all of these fields within one interval are merged into a single entry.

Procedure

  1. Click the Monitor tab.

  2. In the navigation pane, select Security Logs > Threat Logs.

  3. Click the More icon, and select Log aggregation settings.

  4. On the page that opens, enable the log aggregation feature and configure the aggregation interval.

  5. Click Apply.
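The following script is an added example, not code from the device or its vendor. It reproduces the aggregation rule described above offline, over exported threat logs, so that you can see which records the device would merge for a given interval before you change the setting on the Web interface. The record layout (field names such as `src_ip`, `threat_id`, `service`) and the sample records are constructed for this example; the device's real export schema is encrypted and not documented on this page, so map your own columns onto these names when you adapt it.

```python
"""
Offline re-implementation of threat-log aggregation (added example).

Records that agree on every field in AGG_KEY and fall in the same
fixed-grid interval window collapse into one entry with a hit count and
first/last seen times. Field names and sample data are assumptions made
for this example, not the device's export format.
"""
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
TIME_FMT = "%Y-%m-%d %H:%M:%S"

# The aggregation criteria named on the help page.
AGG_KEY = ("src_ip", "dst_ip", "app", "src_port", "dst_port",
           "threat_id", "threat_name", "service")

# Constructed sample records (hypothetical field layout).
SAMPLE_LOGS = [
    {"time": "2024-05-01 10:00:03", "src_ip": "10.1.1.20", "dst_ip": "192.0.2.10",
     "app": "HTTP", "src_port": 51000, "dst_port": 80, "threat_id": 10001,
     "threat_name": "Example-Web-Probe", "service": "IPS"},
    # Same 5-tuple and threat, 17 s later: merges with the record above.
    {"time": "2024-05-01 10:00:20", "src_ip": "10.1.1.20", "dst_ip": "192.0.2.10",
     "app": "HTTP", "src_port": 51000, "dst_port": 80, "threat_id": 10001,
     "threat_name": "Example-Web-Probe", "service": "IPS"},
    # Different threat and service type: its own entry.
    {"time": "2024-05-01 10:00:30", "src_ip": "10.1.1.20", "dst_ip": "192.0.2.10",
     "app": "HTTP", "src_port": 51000, "dst_port": 80, "threat_id": 20002,
     "threat_name": "Example-Test-File", "service": "AV"},
    # Same threat but a new ephemeral source port: does NOT merge.
    {"time": "2024-05-01 10:00:45", "src_ip": "10.1.1.20", "dst_ip": "192.0.2.10",
     "app": "HTTP", "src_port": 51001, "dst_port": 80, "threat_id": 10001,
     "threat_name": "Example-Web-Probe", "service": "IPS"},
    # Same as the first record but in the next one-minute window.
    {"time": "2024-05-01 10:01:10", "src_ip": "10.1.1.20", "dst_ip": "192.0.2.10",
     "app": "HTTP", "src_port": 51000, "dst_port": 80, "threat_id": 10001,
     "threat_name": "Example-Web-Probe", "service": "IPS"},
]


def parse_time(value):
    """Parse the record timestamp (naive, device-local time)."""
    return datetime.strptime(value, TIME_FMT)


def window_start(ts, interval_seconds):
    """Align ts down to the start of its fixed-grid interval window."""
    seconds = int((ts - EPOCH).total_seconds())
    return EPOCH + timedelta(seconds=seconds - seconds % interval_seconds)


def aggregate(logs, interval_seconds):
    """Merge records sharing all AGG_KEY fields within one interval window.

    Returns a list of entries in first-seen order, each carrying the key
    fields plus window, count, first_seen and last_seen.
    """
    if interval_seconds <= 0:
        raise ValueError("interval_seconds must be positive")
    groups = {}  # insertion-ordered: first occurrence defines entry order
    for rec in logs:
        ts = parse_time(rec["time"])
        key = (window_start(ts, interval_seconds),) + tuple(rec[f] for f in AGG_KEY)
        entry = groups.get(key)
        if entry is None:
            entry = dict(zip(AGG_KEY, key[1:]))
            entry.update(window=key[0], count=0, first_seen=ts, last_seen=ts)
            groups[key] = entry
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
    return list(groups.values())


if __name__ == "__main__":
    for interval in (60, 3600):
        print(f"--- interval {interval}s ---")
        for e in aggregate(SAMPLE_LOGS, interval):
            print(f"{e['window']:%H:%M:%S} x{e['count']} {e['service']} "
                  f"{e['threat_id']} {e['src_ip']}:{e['src_port']} -> "
                  f"{e['dst_ip']}:{e['dst_port']} "
                  f"[{e['first_seen']:%H:%M:%S}..{e['last_seen']:%H:%M:%S}]")
```

Two things the sample shows that the paragraph alone does not: the source port is part of the key, so repeated hits from one host that use fresh ephemeral ports (a scan, or one request per connection) are not merged, only exact repeats of the same 5-tuple and threat are; and a longer interval merges more, so when you raise it, check that the first_seen/last_seen span of a merged entry is still useful for incident timelines.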