Log Settings

Device Configuration > Configure > System Services > Log Settings

The device provides extensive logging capabilities for traffic, system and network protection functions. Detailed log information and reports provide historical as well as current analysis of network activity to help identify security issues and reduce network abuse. To view the logs of a module, the relevant module must be subscribed.

The device can log many different network activities and traffic, including:
  • Security Policies log
  • Anti Virus infection and blocking
  • Web filtering, URL and HTTP content blocking
  • Signature and anomaly attack and prevention
  • Spam filtering
  • Administrator logs
  • User Authentication logs
  • SSL VPN logs
  • WAF logs
  • Advanced Threat Protection logs

The device can either store logs locally or send them to external syslog servers for storage and archival purposes. Traffic Discovery logs can be stored locally only.

Syslog is an industry-standard protocol for collecting and forwarding logs from devices to a server running a syslog daemon, usually via UDP port 514. Logging to a central syslog server helps to aggregate logs and alerts.

If configured, the device sends a detailed log to an external syslog server in addition to the standard event log. Syslog support requires an external server running a syslog daemon on any UDP port. When configuring logging to a syslog server, you need to configure the facility, severity and log file format. You can also specify the logging location if multiple syslog servers are defined.

The device logs all activity, including every connection's source and destination IP address (IPv4 / IPv6), IP service, and number of bytes transferred.

A syslog service simply accepts messages and stores them in files or prints them. This form of logging is the best option, as it provides a central logging facility and protected long-term storage for logs. This is useful both in routine troubleshooting and in incident handling.
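As an added illustration (not part of the original page or the device's own software), the following Python script shows the syslog encoding that the settings above refer to: the PRI field combines the facility and severity codes (facility × 8 + severity), the message header carries a timestamp, host and tag, and a collector accepts messages and files them by facility, which is what a syslog daemon does with its log files. The hostnames, tags and log lines are constructed for the example, and the UDP receiver is a plain socket listener on the configured port rather than any real syslog daemon.

```python
"""Minimal BSD-syslog (RFC 3164 style) encoder, decoder and collector.

Demonstrates the facility/severity encoding a syslog server configuration
asks for. All sample messages are constructed for this example.
"""
import re
import socket
from collections import defaultdict
from datetime import datetime

# Standard RFC 3164 facility and severity codes (not device-specific).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notice", 6: "informational", 7: "debug",
}

# A message starts with "<PRI>" where PRI = facility * 8 + severity.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def encode_pri(facility: int, severity: int) -> int:
    """Combine facility and severity codes into the numeric PRI value."""
    if facility not in FACILITIES or severity not in SEVERITIES:
        raise ValueError("unknown facility or severity code")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple:
    """Split a PRI value back into (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8


def format_message(facility, severity, hostname, tag, text, timestamp=None):
    """Build a line of the form '<PRI>Mmm dd hh:mm:ss host tag: text'."""
    ts = (timestamp or datetime.now()).strftime("%b %d %H:%M:%S")
    return f"<{encode_pri(facility, severity)}>{ts} {hostname} {tag}: {text}"


def parse_message(line: str) -> dict:
    """Decode one line. Lines without a valid PRI are flagged, not dropped,
    so a misconfigured sender remains visible in the collected data."""
    m = _PRI_RE.match(line)
    if not m:
        return {"valid": False, "raw": line}
    facility, severity = decode_pri(int(m.group(1)))
    return {
        "valid": True,
        "facility": FACILITIES.get(facility, f"unknown({facility})"),
        "severity": SEVERITIES.get(severity, f"unknown({severity})"),
        "body": m.group(2),
    }


class SyslogCollector:
    """Accepts messages and stores them per facility (in memory here; a real
    daemon would append to one file per facility)."""

    def __init__(self):
        self.store = defaultdict(list)

    def accept(self, line: str) -> dict:
        rec = parse_message(line)
        key = rec["facility"] if rec["valid"] else "invalid"
        self.store[key].append(rec)
        return rec

    def count(self, facility: str) -> int:
        return len(self.store.get(facility, []))


def serve_udp(collector, host="0.0.0.0", port=514, max_messages=None):
    """Receive datagrams on the configured UDP port and feed the collector.
    Binding port 514 needs privileges; pick a high port when experimenting."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    received = 0
    while max_messages is None or received < max_messages:
        data, _addr = sock.recvfrom(65535)
        collector.accept(data.decode("utf-8", errors="replace"))
        received += 1
    sock.close()


# Constructed sample lines (hostname, tag and text are made up for the example).
SAMPLE_LINES = [
    format_message(16, 6, "fw01", "firewall", "allowed TCP 10.0.0.5 -> 10.0.0.9:443",
                   datetime(2024, 1, 5, 12, 0, 0)),
    "<34>Jan 05 12:00:01 fw01 auth: administrator login from 10.0.0.20",
    "garbled line with no PRI",
]


def demo() -> SyslogCollector:
    """Run the constructed samples through the collector and return it."""
    collector = SyslogCollector()
    for line in SAMPLE_LINES:
        collector.accept(line)
    return collector


if __name__ == "__main__":
    for facility, records in demo().store.items():
        print(facility, len(records))
```

The `<134>` prefix on the first sample is facility 16 (local0) with severity 6 (informational), and `<34>` is facility 4 (auth) with severity 2 (critical); when configuring a device's facility and severity, these are the two numbers that end up in that prefix, and a collector that splits on facility keeps firewall traffic separate from administrator events.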

Use this page to configure the following settings:
  • Syslog Servers - Configure Syslog server for logs storage and archival purposes.
  • Log Settings - Configure logs to be sent to the Syslog server.

Syslog Servers

The Syslog Servers section displays the list of configured syslog servers. You can sort the list by server name. The page also provides options to add, update, or delete a server.

Log Settings

After configuring a syslog server, configure the logs to be sent to it. If multiple syslog servers are configured, you can send different logs to different servers.

To record logs, you must enable the respective log and specify the logging location. The administrator can choose between On-Device (local) logging and Syslog logging, and can also disable logging temporarily. The screen elements and their descriptions are given below:

Log Type (System)

Security Policy
The Security Policy log records invalid traffic, local ACL traffic, DoS attacks, ICMP redirected packets, and source routed and fragmented traffic.
  • Policy Rules

    Records the entire traffic handled by the firewall.

  • Invalid Traffic

    Records dropped traffic that does not follow protocol standards, invalid fragmented traffic, and traffic whose packets the device is not able to relate to any connection.

  • Local ACLs

    Log records the entire (allowed and dropped) incoming traffic.

  • DoS Attack

    The DoS Attack log records attacks detected and prevented by the device, i.e. dropped TCP, UDP and ICMP packets.

    To generate logs, go to System > System Services > DoS and click Apply Flag against SYN Flood, UDP Flood, TCP Flood, and ICMP/ICMPv6 Flood individually.

  • Dropped ICMP Redirected Packet

    Log records all the dropped ICMP redirect packets.

    To generate log, go to System > System Services > DoS and click Apply Flag against Disable ICMP/ICMPv6 Redirect Packet.

  • Dropped Source Routed Packet

    Log records all the dropped source routed packets.

    To generate log, go to System > System Services > DoS and click Apply Flag against Drop Source Routed Packets.

  • Dropped Fragmented Traffic

    Log records the dropped fragmented traffic.

  • MAC Filtering

    Records the packets dropped by MAC filtering when it is enabled under Spoof Prevention.

  • IP-MAC Pair Filtering

    Records the packets dropped by IP-MAC pair filtering when it is enabled under Spoof Prevention.

  • IP Spoof Prevention

    Records the packets dropped when IP spoof prevention filtering is enabled under Spoof Prevention.

  • SSL VPN Tunnel

    Log records of SSL VPN traffic.

  • Virtual Host

    Log records of Virtual Host traffic.

IPS

Records detected and dropped attacks based on signatures and on unknown or suspicious patterns (anomalies).

Anti Virus

Records viruses detected in HTTP, SMTP, FTP, POP3, IMAP4, HTTPS, SMTPS, IMAPS and POPS traffic.

Anti Spam

Records spam and probable spam mails in SMTP, POP3, IMAP4, SMTPS, POPS and IMAPS traffic.

Content Filtering

Web Filtering and Application Filtering logs.

Records the names of the applications/URLs accessed and their categories.

Note: To view the logs:
  • Web Filter and Application Filter policies should be applied in the Security Policy.
  • Log Firewall Traffic under Policies should be enabled.

Events

Admin Events: Log records of configurations done through Admin Console.

Authentication Events: Log records of all authentication related events.

System Events: Log records of all system related events like Gateway Up/Down, Anti Virus updates etc.

WAF

WAF Events.

Note: WAF logs are not available on CR10iNG, CR15i, CR15wi, CR15iNG, CR15wiNG, CR25ia, CR25wi, CR35ia and CR35wi Sophos devices.

Advanced Threat Protection

ATP Events: Log records of drop or alert event.

Heartbeat

Endpoint Status: Log records of the health status of the endpoint.

System Health

Usage: Log records of CPU usage, memory usage, number of live users, interface and disk partition information.

Sandbox

Sandbox Event: Log records of all Sandstorm events.