SunScreen 3.1 Reference Manual

Configuring Traffic Log Size

You can configure the size of the area used to log packet traffic, session and other events. The log actually consists of a number of files in a particular directory. Each Screen has a log file of its own, and you can specifically configure the size of the log file on each Screen.

You establish the size of the log files in much the same way as other configuration items, and these sizes are propagated to various Screens being managed during the normal activation process. The actual resizing of the log file on a particular Screen only occurs on the next restart of that Screen after the activation that changes the size. This is true for primary and secondary Screens in a centralized management group and in an HA cluster.

You should change the size of the log file when you are configuring your policies just after installing the Screen. You must have activated the policy with the new log sizes, but activating the policy with the new log sizes does not by itself resize the log files. The log file on a particular Screen is only resized when that Screen is restarted. When the Screen is restarted, it uses the policy that was the last currently active one.

Setting the size of the log file does not cause the file system to allocate space for storing the log immediately. Competing users of the file system on which the log file resides should, therefore, not be allowed to consume this space. Even when the log has filled and begins to reuse file-system space, the maximum amount of file-system space is still not in use at all times.

Configuring the Global Default Log Size

The global default log size is controlled by the variable LogSize. It contains the following items:


prg=log
name=LogSize
value=size (in Mbyte units)
description="descriptive text" (optional)
enabled | disabled (default is enabled)

The global default log size can only be configured using the command line interface (see Appendix B, Command-Line Reference).

Group-Screen installations are configured on the primary Screen.

The following is an example of what you would type to display the global default log file size, while logged in to the primary Screen:


admin% ssadm -r primary edit Initial
edit> vars print prg=log name=LogSize
PRG="log" NAME="LogSize" ENABLED VALUE="100"
DESCRIPTION="global log capacity (MB)" ...

The following is an example of what you would type to set the global default log file size, while logged in to the primary Screen:


admin% ssadm -r primary edit Initial
edit> vars add prg=log name=LogSize value=size description="descriptive text"
edit> quit

The following is an example of what you would type to set the global default log file size to 250 Mbytes, while logged in to the primary Screen:


edit> vars add prg=log name=LogSize value=250 description="log size (MB)"

Note -

Although the output produced by print surrounds the value of each item in double quotes, these are only necessary on input to protect embedded spaces within the values of items. Also, although print outputs all tag names in capital letters (for example, PRG=), these tags are recognized in a case-insensitive manner on input (for example, prg=, Prg=, and PRG= are equivalent).


Configuring the Log Size for a Specific Screen

You configure the global log size for a centralized management group of Screens, or Screens in an HA cluster, on the primary Screen through the administration GUI.

You configure the global log size through the command line (see Appendix B, Command-Line Reference). It is controlled by the variable LogSize.

The following is an example of what you would type to display the log file size for a specific Screen, while logged in to the primary Screen:


admin% ssadm -r primary edit Initial
edit> list Screen
scrn1 ADMIN_CERTIFICATE "scrn1.admin" CDP ROUTING DNS
scrn2 ADMIN_CERTIFICATE "scrn2.admin" CDP ROUTING DNS LOGSIZE 444

scrn1 does not have the log file size configured and so uses the global default value. scrn2 has a size of 444 (Mbytes) that is used instead of the global default value on that Screen.

The following is an example of what you would type to set the log file size for a specific Screen, while logged in to the primary Screen:


admin% ssadm -r primary edit Initial
edit> add Screen scrn1 ADMIN_CERTIFICATE scrn1.admin CDP ROUTING DNS LOGSIZE 20
edit> save
edit> quit

Note -

When altering the value of LogSize, be sure to reenter all the other attributes as they were displayed by the list verb.
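Because add Screen replaces the whole Screen entry, a small helper (added here; not part of SunScreen) that rebuilds the add Screen command from a list Screen output line guards against dropping an attribute when LOGSIZE is changed. It assumes the attribute syntax shown in the examples above: the Screen name first, ADMIN_CERTIFICATE taking one value, the remaining attributes (CDP, ROUTING, DNS) being flags, and LOGSIZE taking a value if present.

```python
import shlex


def set_screen_logsize(list_line, new_size_mb):
    """Return the 'add Screen' command that keeps every attribute shown on
    one 'list Screen' output line and sets LOGSIZE to new_size_mb.

    Assumed format (from the manual's example): first token is the Screen
    name; ADMIN_CERTIFICATE takes one value; CDP, ROUTING and DNS are flags;
    LOGSIZE, when present, takes a value. A wrapped list line must be joined
    by the caller before it is passed in."""
    if new_size_mb <= 0:
        raise ValueError("LOGSIZE must be a positive number of Mbytes")
    tokens = shlex.split(list_line)      # strips the quotes print added
    if not tokens:
        raise ValueError("empty list Screen line")
    name, attrs = tokens[0], tokens[1:]
    out = []
    i = 0
    while i < len(attrs):
        tok = attrs[i]
        if tok == "LOGSIZE":
            i += 2                        # drop the old LOGSIZE and its value
            continue
        if tok == "ADMIN_CERTIFICATE":
            if i + 1 >= len(attrs):
                raise ValueError("ADMIN_CERTIFICATE needs a value")
            # re-quote the value so embedded spaces survive re-entry
            out.append(tok)
            out.append('"%s"' % attrs[i + 1])
            i += 2
            continue
        out.append(tok)                   # flag attribute, carried over as-is
        i += 1
    out += ["LOGSIZE", str(new_size_mb)]
    return "add Screen %s %s" % (name, " ".join(out))
```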


Configuring Events to be Logged

Logs contain three basic types of events:

Network Traffic (Packet)

You can set the action for each rule to be ALLOW, DENY, ENCRYPT, SECURE. For each action, you can set the kind of packet logging that you want:

Network Session Summaries

You can set the LOG_SESSION option in a rule so that it records information about the session in the log. The information saved consists of the source and destination addresses and ports (if applicable), the amount of data sent in each direction, and the length of the session. It is not used for stateless services such as ip all.

The SESSION setting does not log packet content. Each basic protocol (for example, IP, UDP, TCP) logs statistics about each session as it completes.

This option is not available for the DENY action.

Extended events

In addition to logging of packets and sessions, other events are logged; these are stored in an extended format. Such other events arise from the following logging entities:

Each entity has a variable to limit the severity of logged items. These variables are named:

In addition, there exist default limiters as catchall for unnamed entities:

The LogSeverity variables take text strings as their value. The value functions as a not-more-detail-than limiter, similar to the severity levels of the Solaris syslog facility. The text values are:

These limiter variables operate globally (within the entities and Screens to which their scope applies). This deals with logging situations where a particular rule is not yet known or where no rule applies.

In addition, the effect of the per-rule DETAIL, SUMMARY, and SESSION attributes is overridden by some of these logging entities. This override allows for finer-grain control over events which can be attributed to a particular rule. Specifically, any rule-specific event of a severity of INFO or greater will be logged if that rule has (packet or session) logging enabled.

Size of Logged Items

All items in the logs have a common, 24-byte header. After this header, the following sizes apply to logged items (by type), shown in TABLE 11-1.

Table 11-1 Sizes of Logged Items

Type                     Total Item Size (in bytes)
-----------------------  ---------------------------------
(packet) DETAIL          24 + 44 + size of packet
(packet) SUMMARY         24 + 44 + 40
SESSION  ip              24 + 40
SESSION  tcp             24 + 44
SESSION  udp             24 + 40
EXTENDED                 24 + 64 + UTF-8 text: 0 to 4008
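A sizing aid (added here; not SunScreen code) that encodes Table 11-1 and uses it to estimate how many items of each type fit in a given LogSize, and roughly how long a constructed traffic mix takes to fill the log before it starts reusing space. It assumes 1 Mbyte = 1024 * 1024 bytes, which the manual does not state.

```python
HEADER = 24  # common header on every logged item (Table 11-1)

# Fixed bytes after the header for each item type, from Table 11-1.
ITEM_FIXED = {
    "DETAIL": 44,          # plus the size of the logged packet
    "SUMMARY": 44 + 40,
    "SESSION_ip": 40,
    "SESSION_tcp": 44,
    "SESSION_udp": 40,
    "EXTENDED": 64,        # plus UTF-8 text, 0 to 4008 bytes
}

MBYTE = 1024 * 1024        # assumption: the manual does not define Mbyte


def item_size(kind, payload=0):
    """Total bytes of one logged item. payload is the packet size for
    DETAIL or the UTF-8 text length for EXTENDED; ignored otherwise."""
    if kind not in ITEM_FIXED:
        raise ValueError("unknown item type %r" % kind)
    if kind == "EXTENDED" and not 0 <= payload <= 4008:
        raise ValueError("EXTENDED text must be 0..4008 bytes")
    if kind == "DETAIL" and payload < 0:
        raise ValueError("packet size must be non-negative")
    extra = payload if kind in ("DETAIL", "EXTENDED") else 0
    return HEADER + ITEM_FIXED[kind] + extra


def items_per_log(logsize_mb, kind, payload=0):
    """How many items of one type fit in a LogSize of logsize_mb Mbytes."""
    return (logsize_mb * MBYTE) // item_size(kind, payload)


def hours_until_wrap(logsize_mb, mix_per_sec):
    """Hours before a log of logsize_mb Mbytes begins reusing space, given
    mix_per_sec = {(kind, payload): items per second}. The rates are the
    caller's own estimate (constructed input), not anything measured."""
    bytes_per_sec = sum(item_size(kind, payload) * rate
                        for (kind, payload), rate in mix_per_sec.items())
    if bytes_per_sec <= 0:
        raise ValueError("no traffic in the mix")
    return logsize_mb * MBYTE / bytes_per_sec / 3600.0
```

With the default LogSize of 100 shown earlier, items_per_log(100, "SESSION_tcp") gives about 1.5 million TCP session records before the log wraps.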

Level of Logging

For a given program component, you can specify the level of logging by means of a variable for that component named LogSeverity. A LogSeverity variable that is specific to a particular Screen overrides the general setting for that component. If no variable exists for the component, a general (that is, not component-specific) LogSeverity variable controls otherwise unlimited logging; a variable that is specific to a given Screen again overrides this general default. This search order can be summarized as:


Key Sought
---------------------------------------------------
sys=Screenname prg=programname name=LogSeverity
prg=programname name=LogSeverity
sys=Screenname name=LogSeverity
name=LogSeverity

As initially configured, SunScreen contains variables defined for each program component's logging variable, along with the noncomponent, non-Screen (global global) default; all are initially set to the value info.
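The search order above, worked through in code (added here; not SunScreen's implementation): given the LogSeverity variables a vars print would show, resolve the limiter that applies to a Screen and program component, then test whether an event passes it. Only info and debug are named in the manual; the remaining severity names and their ordering are assumed from the manual's statement that the scale mirrors Solaris syslog levels.

```python
# Severity scale, least to most detailed. Only "info" and "debug" appear in
# the manual; the rest and the ordering are assumed from Solaris syslog.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning",
              "notice", "info", "debug"]


def resolve_log_severity(variables, screen, prg):
    """Effective LogSeverity value for (screen, prg).

    variables: list of dicts with the items a 'vars print' shows: optional
    'sys' and 'prg', 'name', 'value', optional 'enabled' (default True).
    Search order follows the manual: sys+prg, prg, sys, then the global
    default. Disabled variables are skipped as if absent."""
    def lookup(sys_key, prg_key):
        for v in variables:
            if v.get("name") != "LogSeverity" or not v.get("enabled", True):
                continue
            if v.get("sys") == sys_key and v.get("prg") == prg_key:
                return v["value"].lower()     # VALUE is case-insensitive
        return None

    for sys_key, prg_key in ((screen, prg), (None, prg),
                             (screen, None), (None, None)):
        found = lookup(sys_key, prg_key)
        if found is not None:
            return found
    raise LookupError("no LogSeverity variable defined at all")


def is_logged(event_severity, limit):
    """True if an event passes a not-more-detail-than limiter: an event is
    kept when it is no more detailed than the limit (debug is dropped
    under info; err is kept)."""
    return (SEVERITIES.index(event_severity.lower())
            <= SEVERITIES.index(limit.lower()))


# Constructed variable set mirroring the manual's examples: the global
# default, the global auth default, and the per-Screen debug override
# for authentication on a Screen called "scrn1".
VARS = [
    {"name": "LogSeverity", "value": "INFO"},
    {"prg": "auth", "name": "LogSeverity", "value": "INFO"},
    {"sys": "scrn1", "prg": "auth", "name": "LogSeverity", "value": "debug"},
]
```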

You can only configure events to be logged using the command line.

Configuring Log Event Limiters

The log limiters are controlled by LogSeverity variables as previously introduced. Each such variable contains the following items:

You can only configure the LogSeverity variables using the command line interface (see Appendix B, Command-Line Reference). You configure group-Screen installations on the primary Screen.

The following is an example of what you would type to display the global global log limiter, while logged in to the primary Screen:


admin% ssadm -r primary edit Initial
edit> vars print name=LogSeverity
NAME="LogSeverity" ENABLED VALUE="INFO" DESCRIPTION="global log severity limit" ...

The following is an example of what you would type to display the global log limiter for authentication events, while logged in to the primary Screen:


admin% ssadm -r primary edit Initial
edit> vars print prg=auth name=LogSeverity
PRG="auth" NAME="LogSeverity" ENABLED VALUE="INFO"
DESCRIPTION="global log severity limit, authentication" ...

The following is an example of what you would type to log more (debugging) information on a particular Screen for authentication events, while logged in to the primary Screen:


admin% ssadm -r primary edit Initial
edit> vars add sys=Screenname prg=auth name=LogSeverity value=debug description="debug authentication operations"
edit> quit

Note -

Although the output produced by print surrounds the value of each item in double quotes, these are only necessary on input to protect embedded spaces within the values of items. Also, although print outputs all tag names in capital letters (for example, PRG=), these tags are recognized in a case-insensitive manner on input (for example, prg=, Prg=, and PRG= are equivalent). Finally, the VALUE string for the LogSeverity variable is likewise processed in a case-insensitive manner.


Once log limiters have been altered, the configuration must be activated to propagate the changes.