Log macros are a derivative of the general SunScreen variable mechanism, so the same variable naming and value structure applies to log macros, namely:

    sys=Screen (optional)
    name=macroname
    value="macrobody"
    description="descriptive text" (optional)
    enabled | disabled (default is enabled)
Log macros are configured in the registry using the logmacro edit sub-command of ssadm. For group-Screen installations, they are configured on the primary Screen.
The following is an example of what you type to display the definition of a non-Screen specific macro, while logged in to the primary Screen:
    admin% ssadm -r primary edit Initial
    edit> logmacro print name=mail-only
    NAME="mail-only" ENABLED VALUE="svc smtp" DESCRIPTION="SMTP mail"
    ...
The following is an example of what you type to define a non-Screen specific macro, while logged in to the primary Screen:
    admin% ssadm -r primary edit Initial
    edit> logmacro add name=pkts-only value="loglvl pkt" Description="only network packets"
    edit> quit
The following is an example of what you type to define a macro for a specific Screen, while logged in to the primary Screen:
    admin% ssadm -r primary edit Initial
    edit> logmacro add sys=Screenname name=SFO-routing value="port rip src SFO-routers" description="routing activity in SFO district"
    edit> quit
Although the output produced by print surrounds the value of each item in double quotes, the quotes are only necessary on input, to protect embedded spaces within the values of items. Also, although print outputs all tag names in capital letters (for example, NAME=), these tags are recognized in a case-insensitive manner on input (for example, name=, Name=, and NAME= are equivalent).
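The quoting and case rules described above can be checked with a small parser. This is an added example, not SunScreen code: the function names are hypothetical, and the SYS= position and the DISABLED keyword in the formatted output are assumptions, since the page only shows print output for an enabled, non-Screen-specific macro.

```python
import shlex

TAGS = ("sys", "name", "value", "description")  # item tags listed on this page

def parse_logmacro(line):
    """Parse one log macro definition, as typed on input or as shown by print."""
    macro = {"enabled": True}            # the page gives enabled as the default
    for token in shlex.split(line):      # double quotes protect embedded spaces
        tag, sep, val = token.partition("=")
        key = tag.lower()                # tags are case-insensitive on input
        if sep and key in TAGS:
            if key in macro:
                raise ValueError(f"duplicate tag: {tag}")
            macro[key] = val
        elif not sep and key in ("enabled", "disabled"):
            macro["enabled"] = key == "enabled"
        else:
            # Typical cause: an unquoted value whose second word became a token.
            raise ValueError(f"unexpected token {token!r}; quote values with spaces")
    for required in ("name", "value"):
        if required not in macro:
            raise ValueError(f"missing {required}=")
    return macro

def format_logmacro(macro):
    """Render in the style of the print output shown on this page."""
    parts = []
    if "sys" in macro:                   # assumed position; page shows no SYS= output
        parts.append(f'SYS="{macro["sys"]}"')
    parts.append(f'NAME="{macro["name"]}"')
    parts.append("ENABLED" if macro["enabled"] else "DISABLED")  # DISABLED assumed
    parts.append(f'VALUE="{macro["value"]}"')
    if "description" in macro:
        parts.append(f'DESCRIPTION="{macro["description"]}"')
    return " ".join(parts)

if __name__ == "__main__":
    # Input taken from the logmacro add example on this page.
    typed = 'name=pkts-only value="loglvl pkt" Description="only network packets"'
    print(format_logmacro(parse_logmacro(typed)))
```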
The following is an example of the message you see if you attempt to save without changing entities other than these types:
    edit> save
    lock not held
    failed (status 244)
This is a non-fatal message and you can simply quit the configuration editor.
Log macros are available for immediate use on the Screen on which they have been defined. It is not necessary to activate each time a log macro is changed in order to use it. However, to propagate log macro definitions from a primary Screen to secondaries, activation is necessary.
As previously indicated, it is also possible to create expediency log macros on any Screen. This is done using logmacro as a sub-command of ssadm (rather than as an ssadm edit sub-command). The syntax of the rest of the usage is the same as given above.
The following is an example of what you type to display the definition of a non-Screen-specific macro, while logged in to the primary Screen:
    admin% ssadm -r secondary logmacro print name=mail-only
    NAME="mail-only" ENABLED VALUE="svc smtp" DESCRIPTION="SMTP mail"
    ...
The following is an example of what you type to define a macro for a specific Screen, while logged in to the primary Screen:
    admin% ssadm -r secondary logmacro add sys=slave name=SFO-routing value="port rip src SFO-routers" description="routing activity in SFO district"
It is bad practice to define Screen-non-specific log macros on secondary Screens. In future SunScreen firewall releases, the ability to do so will be removed.