SunScreen provides flexible logging of packets: each Screen keeps a log of the traffic it handles, as configured. In an HA cluster, the log record for a packet is kept on the Screen that passed or rejected that packet.
You can configure a Screen to log a packet when it matches a rule or when it matches no rule at all. Typically, packets that match DENY rules and packets that are dropped because they match no rule are logged. The action defined in a rule controls whether a matching packet is logged and what information about it is recorded.
Each Screen in a high availability (HA) cluster logs the packets it passed or rejected, as well as its own local events. Because only the active Screen handles traffic, only the active Screen in an HA cluster logs packets; a passive Screen still logs some local events, such as becoming the active Screen.
The following limitations apply to logging:
When traffic through the Screen is excessive, not all packets are logged. This loss is occasional rather than continuous, and how much is lost depends on how fast your system runs; during such a burst the absence of a log entry does not prove that a packet was never seen.
Decrypted packets are logged, but the SKIP certificate IDs are not.
Only the active system logs packets.
If the active Screen in an HA cluster fails, the logs held on it become inaccessible, and the newly active Screen begins logging packets from that point on; the record of traffic up to the failover is therefore not available from the cluster.
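The logging behaviour described above (a first-match rule whose action decides whether and how much is recorded, an implicit deny that is logged in full, records lost under overload, a passive Screen that logs only local events until it takes over, and logs that become unreachable when the active Screen fails) can be seen end to end in a small model. The following is an added example written for this page, not SunScreen code: the rule fields, the log levels NONE/SUMMARY/DETAIL, the bounded log buffer with a drop counter, and the addresses and packets are all constructed assumptions.

```python
# Added illustration, not SunScreen code. The rule fields, the log levels
# NONE/SUMMARY/DETAIL, the bounded log buffer and the drop counter are assumptions.
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional

Packet = namedtuple("Packet", "src dst proto dport")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "ALLOW" or "DENY"
    log: str                     # "NONE", "SUMMARY" (addresses only) or "DETAIL"
    src: str = "*"
    dst: str = "*"
    proto: str = "*"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.src in ("*", p.src) and self.dst in ("*", p.dst)
                and self.proto in ("*", p.proto) and self.dport in (None, p.dport))


DEFAULT_RULE = Rule("default-deny", "DENY", "DETAIL")   # unmatched: drop, log in full
RULES = [  # constructed sample policy; first match wins
    Rule("web", "ALLOW", "SUMMARY", dst="10.0.0.5", proto="tcp", dport=443),
    Rule("dns", "ALLOW", "NONE", dst="10.0.0.2", proto="udp", dport=53),
]


class Screen:
    def __init__(self, name: str, rules: List[Rule], log_capacity: int):
        self.name, self.rules, self.log_capacity = name, rules, log_capacity
        self.records: List[dict] = []
        self.dropped_records = 0         # records lost because the buffer was full
        self.active = self.failed = False

    def _append(self, rec: dict) -> None:
        if len(self.records) >= self.log_capacity:
            self.dropped_records += 1    # overload: the record is lost but the loss is counted
        else:
            self.records.append(rec)

    def local_event(self, text: str) -> None:
        # Local events are logged whether the Screen is active or passive.
        self._append({"kind": "event", "screen": self.name, "text": text})

    def become_active(self) -> None:
        self.active = True
        self.local_event("became active")

    def filter(self, p: Packet) -> Optional[str]:
        if not self.active or self.failed:
            return None                  # a passive Screen sees no traffic, so logs no packets
        rule = next((r for r in self.rules if r.matches(p)), DEFAULT_RULE)
        if rule.log != "NONE":           # the rule's action decides whether and what to log
            rec = {"kind": "packet", "rule": rule.name, "action": rule.action,
                   "src": p.src, "dst": p.dst}
            if rule.log == "DETAIL":
                rec.update(proto=p.proto, dport=p.dport)
            self._append(rec)
        return rule.action


class Cluster:
    def __init__(self, screens: List[Screen]):
        self.screens = screens
        screens[0].become_active()

    def active(self) -> Screen:
        return next(s for s in self.screens if s.active and not s.failed)

    def handle(self, p: Packet) -> Optional[str]:
        return self.active().filter(p)

    def fail_active(self) -> Screen:
        old = self.active()
        old.failed, old.active = True, False
        new = next(s for s in self.screens if not s.failed)
        new.become_active()
        return new

    def readable_records(self) -> List[dict]:
        # Logs held on a failed Screen are unreachable from the cluster.
        return [r for s in self.screens if not s.failed for r in s.records]


def run_scenario() -> dict:
    # Drive the model through the cases the text describes and report what was logged.
    a, b = Screen("screen-a", RULES, 4), Screen("screen-b", RULES, 4)
    cluster = Cluster([a, b])
    web = Packet("192.0.2.10", "10.0.0.5", "tcp", 443)    # constructed packets
    dns = Packet("192.0.2.10", "10.0.0.2", "udp", 53)
    ssh = Packet("192.0.2.66", "10.0.0.5", "tcp", 22)     # matches no rule
    verdicts = [cluster.handle(p) for p in (web, dns, ssh)]
    for _ in range(5):                                    # burst overruns the log buffer
        cluster.handle(ssh)
    readable_before = len(cluster.readable_records())
    cluster.fail_active()
    cluster.handle(web)
    return {"verdicts": verdicts, "a_records": list(a.records), "a_dropped": a.dropped_records,
            "readable_before": readable_before, "readable_after": cluster.readable_records(),
            "b_records": list(b.records)}
```

Running `run_scenario()` shows the points worth checking in a real deployment: the DNS packet is allowed but leaves no record because its rule says so, the unmatched SSH packet is denied and logged with full header detail, the burst leaves `dropped_records` non-zero on the active Screen (so the log itself tells an analyst it is incomplete), and after the failover only the new active Screen's records, starting with its own "became active" event, can be read from the cluster.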