In addition to logging of packets and sessions, other events are logged; these are stored in an extended format. Such other events arise from the following logging entities:
auth - Authentication logic (in various other agents)
edit - Configuration editor
ftpp - The FTP proxy
httpp - The HTTP proxy
log - The logger itself
smtpp - The SMTP proxy
telnetpp - The Telnet proxy
Each entity has a variable to limit the severity of logged items. These variables are named:
prg=entity--the default for all Screens.
sys=Screenentity name=LogSeverity--for a specific Screen
In addition, there exist default limiters as catchall for unnamed entities:
name=LogSeverity
sys=Screeny (for all Screens or Screen-specific, respectively).
The LogSeverity variables take text strings as their value. The value functions as a not-more-detail-than limiter, similar in function to the Solaris syslog command. The text values are:
NONE
ALERT
CRIT
ERR
WARN
NOTE
INFO
DEBUG
These limiter variables operate globally (within the entities and Screens to which their scope applies). This deals with logging situations where a particular rule is not yet known or where no rule applies.
In addition, the effect of the per-rule DETAIL, SUMMARY, and SESSION attributes is overridden by some of these logging entities. This override allows for finer-grain control over events which can be attributed to a particular rule. Specifically, any rule-specific event of a severity of INFO or greater will be logged if that rule has (packet or session) logging enabled.
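The limiter and the per-rule override described above can be modelled as follows. This is an added example, not SunScreen code: the `(screen, entity)` tuple keys stand in for the scoped LogSeverity variables. The most-specific-first lookup order, the `NONE` fallback, and reading "INFO or greater" as "INFO or more severe" are assumptions.

```python
# Added illustration: a model of the LogSeverity limiter, not SunScreen code.
# Values in order of increasing detail, as listed in the text.
LEVELS = ["NONE", "ALERT", "CRIT", "ERR", "WARN", "NOTE", "INFO", "DEBUG"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def effective_limit(limits, screen, entity, fallback="NONE"):
    """Return the limiter value that applies to (screen, entity).

    limits maps (screen, entity) to a LogSeverity value; None in either
    position means "all Screens" or "unnamed entity" (the catchall).
    Assumptions: most specific scope wins; fallback applies if none is set.
    """
    for key in ((screen, entity), (None, entity), (screen, None), (None, None)):
        if key in limits:
            return limits[key]
    return fallback


def is_logged(limits, screen, entity, severity, rule_logging=None):
    """Decide whether an event of the given severity is recorded.

    rule_logging is None when the event cannot be attributed to a rule,
    otherwise True/False for "the rule has packet or session logging enabled".
    """
    if severity not in RANK or severity == "NONE":
        raise ValueError(f"not an event severity: {severity!r}")
    # Per-rule override: INFO or more severe is logged when the rule logs.
    if rule_logging and RANK[severity] <= RANK["INFO"]:
        return True
    # Otherwise the limiter acts as a not-more-detail-than threshold.
    return RANK[severity] <= RANK[effective_limit(limits, screen, entity)]


# Constructed sample configuration (Screen names are made up).
SAMPLE_LIMITS = {
    (None, None): "WARN",          # catchall, all Screens
    ("screen-a", None): "ERR",     # catchall, one Screen
    (None, "httpp"): "NOTE",       # HTTP proxy, all Screens
    ("screen-a", "httpp"): "DEBUG",  # HTTP proxy, one Screen
}

if __name__ == "__main__":
    for args in [("screen-b", "ftpp", "ERR"), ("screen-b", "httpp", "INFO"),
                 ("screen-a", "smtpp", "WARN")]:
        print(args, is_logged(SAMPLE_LIMITS, *args))
```

In this model a limiter set to `NONE` suppresses every event that is not covered by the per-rule override, which is the case to check when expected audit records are missing.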