Device Configuration : Configure : System Services : Log Settings
Log Settings
Device provides extensive logging capabilities for traffic, system and network protection functions. Detailed log information and reports provide historical as well as current analysis of network activity to help identify security issues and reduce network abuse. To view the logs of a module, that module must be subscribed.
Device can log many different network activities and traffic including:
Security Policies log
Anti Virus infection and blocking
Web filtering, URL and HTTP content blocking
Signature and anomaly attack and prevention
Spam filtering
Administrator logs
User Authentication logs
SSL VPN logs
WAF logs
Advanced Threat Protection logs
Device can either store logs locally or send logs to external syslog servers for storage and archival purposes. Traffic Discovery logs can be stored locally only.
Syslog is an industry-standard protocol for collecting and forwarding logs from devices to a server running a syslog daemon, usually over UDP port 514. Logging to a central syslog server helps in aggregating logs and alerts.
If configured, device sends a detailed log to an external syslog server in addition to the standard event log. Device syslog support requires an external server running a syslog daemon on any UDP port. When configuring logging to a syslog server, one needs to configure the facility, severity and log file format. One can also specify the logging location if multiple syslog servers are defined.
Device logs all activity and includes every connection source and destination IP Address (IPv4 / IPv6), IP service, and number of bytes transferred.
A syslog service simply accepts messages and stores them in files or prints them. This form of logging is the best, as it provides a central logging facility and protected long-term storage for logs. This is useful both in routine troubleshooting and in incident handling.
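The following is an added example, not code from the device documentation or from Sophos: it shows what a central collector does with the messages described above, namely decoding the syslog PRI header into the facility and severity that the device is configured to send, and then pulling the per-connection fields (source and destination IP, service, bytes transferred) out of the message body. The key=value body layout, the field names (log_type, src_ip, sent_bytes, recv_bytes, status) and the sample messages are constructed assumptions for illustration; the real export format should be checked on the device before relying on any field name.

```python
"""Decode syslog messages the way a central collector would.

Added example, not part of the device documentation. The message layout
(RFC 3164-style "<PRI>TIMESTAMP HOST body" with a key=value body) and the
field names are assumptions made for this illustration.
"""
import re
import socket
from collections import defaultdict

# PRI = facility * 8 + severity, as defined in RFC 3164 / RFC 5424.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample messages (not real device output): three firewall
# events and one admin event, with facility local0 / authpriv.
SAMPLE = [
    '<134>Jun 12 10:15:01 fw1 log_type="Firewall" src_ip=10.0.0.5 dst_ip=203.0.113.9 '
    'proto=TCP dst_port=443 sent_bytes=1200 recv_bytes=8800 status="Allowed"',
    '<134>Jun 12 10:15:02 fw1 log_type="Firewall" src_ip=10.0.0.5 dst_ip=198.51.100.4 '
    'proto=UDP dst_port=53 sent_bytes=60 recv_bytes=140 status="Allowed"',
    '<132>Jun 12 10:15:03 fw1 log_type="Firewall" src_ip=10.0.0.7 dst_ip=203.0.113.9 '
    'proto=TCP dst_port=22 sent_bytes=0 recv_bytes=0 status="Denied"',
    '<85>Jun 12 10:15:04 fw1 log_type="Event" log_component="Admin" message="login succeeded"',
]


def decode_pri(message: str):
    """Return (facility_name, severity_name, remainder) for a '<PRI>...' line.

    A missing or out-of-range PRI raises ValueError, so malformed input is
    rejected instead of being silently stored as a valid event.
    """
    m = _PRI_RE.match(message)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 severities is the maximum
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], message[m.end():]


def parse_fields(body: str) -> dict:
    """Extract key=value pairs (quoted or bare) from the message body."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(body)}


def parse_message(message: str) -> dict:
    """Decode one syslog line into a flat dict including facility and severity."""
    facility, severity, rest = decode_pri(message)
    event = parse_fields(rest)
    event["facility"] = facility
    event["severity"] = severity
    return event


def bytes_by_source(messages) -> dict:
    """Sum bytes transferred per source IP over the firewall events only."""
    totals = defaultdict(int)
    for msg in messages:
        event = parse_message(msg)
        if event.get("log_type") == "Firewall":
            totals[event["src_ip"]] += int(event.get("sent_bytes", 0)) + int(event.get("recv_bytes", 0))
    return dict(totals)


def serve(port: int = 514, max_messages: int = 10):
    """Minimal UDP receiver: read a few datagrams on the given port and decode them.

    Binding port 514 normally needs elevated privileges; use a high port for a
    local trial. Not called during import.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        for _ in range(max_messages):
            data, peer = sock.recvfrom(65535)
            print(peer[0], parse_message(data.decode("utf-8", errors="replace")))


if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_message(line))
    print("bytes per source:", bytes_by_source(SAMPLE))
```

Rejecting a malformed PRI rather than defaulting it is deliberate: on a collector that feeds alerting, a line with no decodable severity should be counted as a parsing failure and investigated, not quietly filed as informational.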
Use this page to configure the following settings:
Syslog Servers - Configure Syslog server for logs storage and archival purposes.
Log Settings - Configure logs to be sent to the Syslog server.
Syslog Servers
The Syslog Servers section displays the list of configured syslog servers. You can sort the list based on server name. The page also provides options to add, update, or delete a server.
Log Settings
After configuring a syslog server, configure the logs to be sent to it. If multiple syslog servers are configured, you can send different logs to different servers.
To record logs you must enable the respective log and specify logging location. Administrator can choose between On-Device (local) logging or Syslog logging. Administrator can also disable logging temporarily. Below are the screen elements with their description:
Log Type (System)
Security Policy
Security Policy Log records invalid traffic, local ACL traffic, DoS attack, ICMP redirected packets, source routed and fragmented traffic.
Policy Rules
Log records the entire traffic for Firewall.
Invalid Traffic
Log records the dropped traffic that does not follow the protocol standards, invalid fragmented traffic, and traffic whose packets the device is not able to relate to any connection.
Local ACLs
Log records the entire (allowed and dropped) incoming traffic.
DoS Attack
The DoS Attack Log records attacks detected and prevented by the device, i.e., dropped TCP, UDP and ICMP packets.
To generate logs, go to System > System Services > DoS and click Apply Flag against SYN Flood, UDP Flood, TCP Flood, and ICMP/ICMPv6 Flood individually.
Dropped ICMP Redirected Packet
Log records all the dropped ICMP redirect packets.
To generate log, go to System > System Services > DoS and click Apply Flag against Disable ICMP/ICMPv6 Redirect Packet.
Dropped Source Routed Packet
Log records all the dropped source routed packets.
To generate log, go to System > System Services > DoS and click Apply Flag against Drop Source Routed Packets.
Dropped Fragmented Traffic
Log records the dropped fragmented traffic.
MAC Filtering
Log records the dropped packets when filtering is enabled from Spoof prevention.
IP-MAC Pair Filtering
Log records the dropped packets when filtering is enabled from Spoof prevention.
IP Spoof Prevention
Log records the dropped packets when filtering is enabled from Spoof prevention.
SSL VPN Tunnel
Log records of SSL VPN traffic.
Virtual Host
Log records of Virtual Host traffic.
IPS
Records detected and dropped attacks based on unknown or suspicious patterns (anomaly) and signatures.
Anti Virus
Virus detected in HTTP, SMTP, FTP, POP3, IMAP4, HTTPS, SMTPS, IMAPS and POPS traffic.
Anti Spam
SMTP, POP3, IMAP4, SMTPS, POPS, IMAPS spam and probable spam mails.
Content Filtering
Web filtering and Application Filtering logs.
Log records the names of the applications/URLs accessed and their categories.
* To view the logs:
Web Filter and Application Filter Policies should be applied in Security Policy.
Log Firewall Traffic under Policies should be enabled.
Events
Admin Events: Log records of configurations done through Admin Console.
Authentication Events: Log records of all authentication related events.
System Events: Log records of all system related events like Gateway Up/Down, Anti Virus updates etc.
WAF
WAF Events.
* WAF logs are not available in CR10iNG, CR15i, CR15wi, CR15iNG, CR15wiNG, CR25ia, CR25wi, CR35ia and CR35wi Sophos Devices.
Advanced Threat Protection
ATP Events: Log records of drop or alert events.
Heartbeat
Endpoint Status: Log records of the health status of the endpoint.
System Health
Usage: Log records of CPU usage, memory usage, number of live users, interface and disk partition information.
Sandbox
Sandbox Event: Log records of all Sandstorm events.