In SunScreen EFS 3.0, the size of the area used to log packet traffic, session and other events is configurable. The log file consists of a number of files in a particular directory. Each Screen has a log file of its own, and the size of the log file on each Screen can be configured specifically.
Log file sizes are established in much the same way as other configuration items, and these sizes are propagated to various Screens being managed during the normal activation process. However, the actual resizing of the log file on a particular Screen only occurs on the next restart of that Screen after the activation that changes the size. This is true for primary and secondary Screens in a Centralized Management group and in an HA cluster.
It is advisable that changes to the log file size(s) be made during initial Screen installation because resizing of the log file on a particular Screen only occurs on the next restart of that Screen, after the activation that changes the size.
Setting the size of the log file does not cause immediate allocation of the filesystem space to store the log. Hence, other competing users of the filesystem on which the log file resides should not be allowed to consume this space. Even when the log has filled and begins to reuse filesystem space, the maximum amount of filesystem space is still not in use at all times.
The global default log size is controlled by the variable LogSize. It contains the following items:
    prg=log
    name=LogSize
    value=size (in Mbyte units)
    description="descriptive text" (optional)
    enabled | disabled (default is enabled)
The global default log size can only be configured using the command line interface (see Appendix B).
Group-Screen installations are configured on the primary Screen.
The following is an example of what you type to display the global default log file size, while logged in to the primary Screen:
    admin% ssadm -r primary edit Initial
    edit> vars print prg=log name=LogSize
    PRG="log" NAME="LogSize" ENABLED VALUE="100" DESCRIPTION="global log capacity (MB)"
    ...
The following is an example of what you type to set the global default log file size, while logged in to the primary Screen:
    admin% ssadm -r primary edit Initial
    edit> vars add prg=log name=LogSize value=new size description=new description
    edit> quit
It is not necessary to type save before quit above if only authuser, proxyuser, logmacro, or vars entities are altered.
The following is an example of what you type to set the global default log file size to 250 Mbytes, while logged in to the primary Screen:
    edit> vars add prg=log name=LogSize value=250 description="log size (MB)"
Although the output produced by print surrounds the value of each item in double quotes, these are only necessary on input to protect embedded spaces within the values of items. Also, although print outputs all tag names in capital letters (for example, PRG=), these tags are recognized in a case-insensitive manner on input (for example, prg=, Prg=, PRG= are equivalent).
If you attempt to save without changing entities other than these types, you are reminded by a message such as the following:
    edit> save
    lock not held
    failed (status 244)
This is a non-fatal message and you can simply quit the configuration editor.
Once a log file size has been changed, the system configuration must be activated to propagate the change. Then the affected Screen(s) must be restarted for the log file size change to take effect. (In the case of a change to the global default log file size, the affected Screens are all Screens except those for which a log file size has been specifically configured.)
Configuring the global log size for a centralized management group of Screens, or Screens in an HA cluster, is performed on the primary Screen through the administration GUI.
Global log size is also configured through the command line (see Appendix B). It is controlled by the variable LogSize.
The following is an example of what you type to display the log file size for a specific Screen, while logged in to the primary Screen:
    admin% ssadm -r primary edit Initial
    edit> list Screen
    scrn1 ADMIN_CERTIFICATE "scrn1.admin" CDP ROUTING DNS
    scrn2 ADMIN_CERTIFICATE "scrn2.admin" CDP ROUTING DNS LOGSIZE 444
scrn1 does not have the log file size configured and so uses the global default value. scrn2 has a size of 444 (Mbytes) that is used instead of the global default value on that Screen.
The following is an example of what you type to set the log file size for a specific Screen, while logged in to the primary Screen:
    admin% ssadm -r primary edit Initial
    edit> add Screen scrn1 ADMIN_CERTIFICATE scrn1.admin CDP ROUTING DNS LOGSIZE 20
    edit> save
    edit> quit
When altering the value of LogSize, be sure to reenter all the other attributes as they were displayed by the list verb.
The following is an example of how you would alter the log file size for a specific Screen through the administration GUI:
From the Policies page, select and edit the policy to be altered.
Select the desired Type: "Screen common object."
Edit the Screen's common object.
Alter the Log Size entry through the Miscellaneous tab.
Save the change in Save Changes.
Activate the policy.
Restart the Screen for the log file size change to take effect.
Logs contain three basic types of events:
For a given program component, the level of logging can be specified. This is done by means of a variable setting for that component; the name of the variable is LogSeverity. A variable that is specific to a particular Screen overrides the general setting for that component. Beyond the variable setting for a specific component, a general (non-component-specific) variable controls otherwise unlimited logging; again, a variable that is specific to a given Screen overrides this general default. This search order can be summarized as:
    Key Sought
    ---------------------------------------------------
    sys=Screenname prg=programname name=LogSeverity
    prg=programname name=LogSeverity
    sys=Screenname name=LogSeverity
    name=LogSeverity
As initially configured, SunScreen EFS 3.0 contains a variable defined for each program component's logging level, along with the non-component non-Screen (global global) default; all are initially set to the value "info".
The events to be logged can only be configured using the command line interface.
The log limiters are controlled by LogSeverity variables as previously introduced. Each such variable contains the following items:
    sys=Screenname (optional)
    prg=programname (optional)
    name=LogSeverity
    value=severityname (emerg,alert,...,debug)
    description="descriptive text" (optional)
    enabled | disabled (default is enabled)
The LogSeverity variables can only be configured using the command line interface (see Appendix B). For group-Screen installations, they are configured on the primary Screen.
The following is an example of what you type to display the global global log limiter, while logged in to the primary Screen:
    admin% ssadm -r primary edit Initial
    edit> vars print name=LogSeverity
    NAME="LogSeverity" ENABLED VALUE="INFO" DESCRIPTION="global log severity limit"
    ...
The following is an example of what you type to display the global log limiter for authentication events, while logged in to the primary Screen:
    admin% ssadm -r primary edit Initial
    edit> vars print prg=auth name=LogSeverity
    PRG="auth" NAME="LogSeverity" ENABLED VALUE="INFO" DESCRIPTION="global log severity limit, authentication"
    ...
The following is an example of what you type to cause more (debugging) information to be logged on a particular Screen for authentication events, while logged in to the primary Screen:
    admin% ssadm -r primary edit Initial
    edit> vars add sys=Screenname prg=auth name=LogSeverity value=debug description="debug authentication operations"
    edit> quit
Although the output produced by print surrounds the value of each item in double quotes, these are only necessary on input to protect embedded spaces within the values of items. Also, although print outputs all tag names in capital letters (for example, PRG=), these tags are recognized in a case-insensitive manner on input (for example, prg=, Prg=, PRG= are equivalent). Finally, the VALUE string for the LogSeverity variable is likewise processed in a case-insensitive manner.
The following is an example of the message you see if you attempt to save without changing entities other than these types:
    edit> save
    lock not held
    failed (status 244)
This is a non-fatal message and you can simply quit the configuration editor.
Once log limiters have been altered, the configuration must be activated to propagate the changes.
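The LogSeverity search order and the case-insensitive tag handling described above can be checked offline against saved vars print output. The following Python sketch is an added example, not SunScreen code: the sample lines are constructed, the SYS= output form is assumed by analogy with PRG=, and skipping disabled variables during the search is an assumption the text does not confirm.

```python
import shlex

# Constructed sample in the style of `vars print` output (not captured from a
# real Screen). SYS= in output form is an assumption; the last variable line
# uses the unquoted, lower-case input style to exercise case-insensitive tags.
SAMPLE = """\
NAME="LogSeverity" ENABLED VALUE="INFO" DESCRIPTION="global log severity limit"
PRG="auth" NAME="LogSeverity" ENABLED VALUE="INFO" DESCRIPTION="global log severity limit, authentication"
SYS="scrn1" PRG="auth" NAME="LogSeverity" ENABLED VALUE="debug" DESCRIPTION="debug authentication operations"
SYS="scrn2" PRG="auth" NAME="LogSeverity" DISABLED VALUE="emerg"
sys=scrn2 name=LogSeverity value=ALERT
...
"""

def parse_vars(text):
    """Parse variable lines into dicts keyed by lower-cased tag name."""
    entries = []
    for line in text.splitlines():
        var = {"enabled": True}            # default is enabled
        for tok in shlex.split(line):      # quotes only protect embedded spaces
            tag, sep, value = tok.partition("=")
            if sep:
                var[tag.lower()] = value   # tags are case-insensitive
            elif tok.lower() in ("enabled", "disabled"):
                var["enabled"] = tok.lower() == "enabled"
        if var.get("name") == "LogSeverity" and "value" in var:
            entries.append(var)
    return entries

def effective_severity(entries, screen, program):
    """Return (severity, matched key) using the documented search order."""
    search_order = [
        (screen, program, "sys+prg"),   # sys=Screenname prg=programname
        (None, program, "prg"),         # prg=programname
        (screen, None, "sys"),          # sys=Screenname
        (None, None, "global"),         # name=LogSeverity only
    ]
    for sys_key, prg_key, label in search_order:
        for var in entries:
            # Assumption: a disabled variable is skipped and the search continues.
            if not var["enabled"]:
                continue
            if var.get("sys") == sys_key and var.get("prg") == prg_key:
                return var["value"].lower(), label   # VALUE is case-insensitive
    return None

if __name__ == "__main__":
    table = parse_vars(SAMPLE)
    for scr, prg in [("scrn1", "auth"), ("scrn2", "auth"), ("scrn2", "log"), ("scrn3", "log")]:
        print(scr, prg, effective_severity(table, scr, prg))
```

Note the scrn2/auth case: the component-wide prg=auth setting is found before the Screen-wide sys=scrn2 setting, so a Screen-wide limiter does not change logging for a component that has its own variable.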