Log viewer

Display event information for different modules and filter logs. Take action on linked rules and policies.

The log viewer opens in a new full-screen browser window and by default shows firewall logs.
You can take the following actions:
  • Customize the view by selecting different modules or switching between tabular and detailed view. You can also decrypt anonymized information.
  • Filter by module, field, value, time, or free text.
  • Modify web policies, firewall rules, or SSL/TLS rules.

For more information on logs and their values, see the Logfile guide.

The log viewer automatically refreshes the view with new information as it comes in.

How to change the view

Use the following controls to change what the log viewer shows:

  • Module selector: Select a different module to view other or additional logs.
  • Detailed view: See a detailed view of each log. You can also hover on a module icon to see details.
  • Standard view: View logs in table format.
  • Add/Remove columns: Add or remove columns to the list.
  • Pause: Pause the automatic refresh of the logs.
  • Refresh: Force the logs to refresh.
  • Export: Export logs in CSV format.
  • Open PCAP: View packet information when packet capture is turned on.
  • Deanonymize: View identities when data anonymization is turned on. You must be authorized and must provide your authentication credentials.
  • Copy to clipboard: Copy the information to the clipboard.

How to filter logs

Use filters to break down information.

  • Filter by module: Select a module from the module drop-down menu.
  • Filter by field and value: Click Add filter and select a field, a condition, and a value. Find available values in the Logfile guide.

    You can also click on a field to add it as a filter.

  • Filter by time: Select a time frame from the Timer filter.
  • Free text search: Use the search field or click on a field and select Free text search. For example, you can use ports, IP addresses, usernames, or rules. This works with anonymized information as well.

To clear all filters at once, click Reset.

How to modify policies and rules

The log viewer provides actions and links based on the module and log. This helps you manage web policies, NAT and firewall rules, and IPS policies. You can do the following:
  • Exclude a website or web category from decryption: Select SSL/TLS inspection from the module drop-down menu. Then move right to Manage and select Exclude. Select an option from the following list in the pop-up window and then select Exclude.

    • Subdomain or Domain: Domains and subdomains are added to the URL group Local TLS exclusion list.
    • Web category: Web categories are added to the rule Exclusions by website or category.
    • Other properties: For example, username or IP address. Select the SSL/TLS engine rule to specify the object.

    The exclude option is not shown for traffic with error IDs 19004 (allowed traffic) and 19005 (blocked by a web policy).

    To view the exclusion lists, go to Rules and policies > SSL/TLS inspection rules.

  • Remove a signature for an IPS policy: Click on a signature ID and select Disable signature for this IPS policy.
  • Edit a rule: When you click a web policy, a NAT rule, or a firewall rule, you can follow a link back to the web admin console to edit that specific rule.

Note

Firewall rules: Sessions are logged when a connection is terminated upon receiving a connection "Destroy" event. Connections that are terminated without a "Destroy" event being seen by XG Firewall, such as during the loss of internet connection, aren't logged.

SSL/TLS connections: Logs are recorded after the handshake is completed or when the connection is closed.

Differences between the standard view and detailed view

If you use a translated source address other than the MASQ (default masqueraded) address, the standard view of firewall rules shows the MASQ address as the outgoing address. To see the actual translated source address, see the src_trans_ip in the detailed view.