Configuring Events to be Logged

Logs contain three basic types of events:

• Network traffic (packet)

• Network session summaries

• Extended events

Network Traffic (Packet)

You can set the action for each rule to be ALLOW, DENY, ENCRYPT, SECURE. For each action, you can set the kind of packet logging that you want:

• LOG_NONE - Do not log packets.

• LOG_SUMMAR - Records the first 40 bytes of the packet in the log.

• LOG_DETAIL - Records the complete packet in the log.

Network Session Summaries

You can set the action to the LOG_SESSION in a rule so that it records information about the session in the log. The information saved consists of the source and destination addresses and ports (if applicable), the amount of data being sent in each direction, and the length of the session. It is not used for stateless services such as ip all. You do this using the option LOG_SESSION.

The SESSION setting does not log packet content. Each basic protocol (for example, IP, UDP, TCP) logs statistics related to session as they complete

This option is not available for the DENY action

Extended events

In addition to logging of packets and sessions, other events are logged; these are stored in an extended format. Such other events arise from the following logging entities:

• auth - Au the tic at ion logic (in various other agents)

• edit - Configuration editor

• ftpp - The FTP proxy

• httpp - The HTTP proxy

• log - The logger itself

• smtpp - The SMTP proxy

• telnetpp - The Telnet proxy

Each entity has a var variable to limit the severity of logged items. These variables are named:

• prg=entity--the default for all Screens.

• sys=Screenentity name=LogSeverity--for a specific Screen

In addition, there exist default limiters as catchall for unnamed entities:

• name=LogSeverity

• sys=Screeny (for all Screens or Screen-specific, respectively).

The LogSeverity variables take text strings as their value. The value functions as a not-more-detail-than limiter and is similar to the functionality of the Solaris' syslog command. The text values are:

• NONE

• ALERT

• CRIT

• ERR

• WARN

• NOTE

• INFO

• DEBUG

These limiter variables operate globally (within the entities and Screens to which their scope applies). This deals with logging situations where a particular rule is not yet known or where no rule applies.

In addition, the effect of the per-rule DETAIL, SUMMARY, and SESSION attributes is overridden by some of these logging entities. This override allows for finer-grain control over events which can be attributed to a particular rule. Specifically, any rule-specific event of a severity of INFO or greater will be logged if that rule has (packet or session) logging enabled.