SunScreen 3.2 Administrator's Overview

Configuring Traffic Log Size

You can configure the size of the area used to log packet traffic, session and other events. The log consists of a number of files in a particular directory. Each Screen has a log file of its own.

You can specifically configure the size of the log file on each Screen. You establish the size of the log files in much the same way as other configuration items. These sizes are propagated to various Screens being managed during the normal activation process. The log file is resized on a particular Screen only when that Screen is restarted after the activation. This is true for primary and secondary Screens in a centralized management group and in an HA cluster.

You should change the size of the log file when you are configuring your policies just after installing the Screen. Activating the policy with the new log sizes does not resize the log files. The log file on a particular Screen is only resized when that Screen is restarted. When the Screen is restarted, it uses the policy that was the last currently active one. Instructions for setting logsize (global and for a particular Screen) are included below.

Setting the size of the log file does not cause the file system to allocate space for storing the log immediately. Competing users of the file system on which the log file resides should, therefore, not be allowed to consume this space. Even when the log has filled and begins to reuse filesystem space, the maximum amount of filesystem space is still not in use at all times.

Configuring the Global Default Log Size

The global default log size, which can only be configured using the configuration editor, is controlled by the variable LogSize. It contains the following items:

prg=log
name=LogSize
value=size (in megabytes)
description="descriptive text" (optional)
enabled | disabled (default is enabled)

Examples: Setting or Displaying the Global Default Log File Size

Group Screen installations are configured on the primary Screen. To set the global default log file size to 250 Mbytes, while logged into the primary Screen:

admin% ssadm -r primary edit Initial
edit> vars add prg=log name=LogSize value=250 description="log size (MB)"

To display the global default log file size:

admin% ssadm -r primary edit Initial
edit> vars print prg=log name=LogSize
PRG="log" NAME="LogSize" ENABLED VALUE="250" DESCRIPTION="log size (MB)"

Note -

Although the output produced by print surrounds the value of each item in double quotes, these are only necessary on input if there are embedded spaces within the values of items. Also, although print outputs all tag names in capital letters (for example, PRG), these tags are recognized in a case-insensitive manner on input (for example, prg, Prg, and PRG are equivalent).

Configuring the Log Size for a Specific Screen

This section shows you how to set a log size for a particular Screen that is different from the global log size.

Examples: Displaying and Setting the Log File Size

To display the log file size for all Screens in an HA cluster:

admin% ssadm -r primary edit Initial
edit> list Screen 
scrn1 CDP ROUTING DNS
scrn2 CDP ROUTING DNS LOGSIZE 444

scrn1 does not have the log file size configured and uses the global default value. scrn2 has a size of 444 (Mbytes) that it uses instead of the global default value on that Screen.

To set the log file size for a specific Screen (scrn1) to 200 MB:

admin% ssadm -r primary edit Initial
edit> add Screen scrn1 CDP ROUTING DNS LOGSIZE 200
edit> save
edit> quit

Note -

When altering the value of LogSize, be sure to reenter all the other attributes as they were displayed by the list verb.

Configuring Events to be Logged

Logs contain three basic types of events:

Network traffic (packet)
Network session summaries
Extended events

Network Traffic (Packet)

You can set the action for each rule to be ALLOW, DENY, ENCRYPT, or VPN. For each action, you can set the kind of packet logging that you want:

LOG_NONE - Do not log packets
LOG_SUMMARY - Records the first 40 bytes of the packet in the log
LOG_DETAIL - Records the complete packet in the log

Network Session Summaries

You can set the action to LOG_SESSION in a rule so that it records information about the session in the log. The information saved consists of the source and destination addresses and ports (if applicable), the amount of data being sent in each direction, and the length of the session. This action is not used for stateless services such as ip all.

The SESSION setting does not log packet content. Each basic protocol (for example, IP, UDP, TCP) logs statistics related to sessions as they are finalized.

This option is not available for the DENY action (because no session was allowed).

Extended Events

Other events are logged besides packets and sessions. They are stored in an extended format. These other events arise from the following logging entities:

auth - Authentication logic (in various other agents)
edit - Configuration editor
ftpp - The FTP proxy
ha - The high-availability subsystem
httpp - The HTTP proxy
iked - The IKE daemon
log - The logger itself
smtpp - The SMTP proxy
telnetp - The Telnet proxy

Each entity has a LogSeverity variable which limits the extent of its logging of noteworthy events based on the severity level of those events.

In addition, there exist default limiters as catchallsl for unnamed entities:

name=LogSeverity - For all Screens
sys=Screen name=LogSeverity - Screen-specific

The LogSeverity variables take text strings as their value. The value functions as a not-more-detail-than limiter and is similar to the functionality of the Solaris syslog command. The text values are:

NONE
ALERT
CRIT
ERR
WARN
NOTE
INFO
DEBUG

These limiter variables operate with several levels of globality, within entities and/or Screens, and/or universally. The limiters serve to control logging situations where a particular rule is not yet known to the entity, or where no particular rule applies.

In addition, the effect of the per-rule DETAIL, SUMMARY, and SESSION attributes is overridden by some of these logging entities. This override allows for finer control over events that can be attributed to a particular rule. Specifically, any rule-specific event of a severity of INFO or greater is logged if that rule has packet or session logging enabled.

Size of Logged Items

All items in the logs have a common, 24-byte header. After this header, the sizes shown in the table below apply to logged items (by type).

Table 11-1 Sizes of Logged Items


Type		Total Item Size (in bytes)
(packet)	`DETAIL`	24 + 44 + `size of packet`
	`SUMMARY`	24 + 44 + 40
`SESSION`	`ip`	24 + 40
	`tcp`	24 + 44
	`udp`	24 + 40
EXTENDED		24 + 64 + `UTF-8 text: 0 to 4008`

Level of Logging

Because the level of logging from a given program entity can be limited by the setting of the LogSeverity variable for that entity, a variable can be specific to a particular Screen (within a CMG group of centrally-managed Screens) or applicable to all Screens (those without a Screen-specific variable). If no variable is defined for a given entity, more general variables control such logging (again, on a per-Screen or non-Screen-specific basis). The search order for log limiter variables can be summarized as:

sys=Screenname prg=entityname name=LogSeverity

prg=entityname name=LogSeverity

sys=Screenname name=LogSeverity

name=LogSeverity

As initially configured, SunScreen contains log limiter variables for each program entity, as well as the non-Screen, non-entity-specific (global global) default. All are initially configured to the value info.

Log limiter variables are configured using the configuration editor.

Configuring Log Event Limiters

The log limiters are controlled by LogSeverity variables, which contain the following items:

sys=Screenname (optional)
prg=programname (optional)
name=LogSeverity
value=severityname (emerg,alert,...,debug)
description=descriptive text (optional)
enabled | disabled (The default is enabled.)

Once log limiters have been altered, the configuration must be activated to propagate the changes.

Examples: Manipulating Log Limiters

Do the following while logged into the primary Screen.

To Display the global global log limiter:

admin% ssadm -r primary edit Initial
edit> vars print name=LogSeverity
NAME="LogSeverity" ENABLED VALUE="INFO" DESCRIPTION="global log severity limit"

To display the global log limiter for authentication events:

admin% ssadm -r primary edit Initial
edit> vars print prg=auth name=LogSeverity
PRG="auth" NAME="LogSeverity" ENABLED VALUE="INFO" DESCRIPTION="global log severity limit, 
authentication"...

To log more debugging information on a particular Screen for authentication events:

admin% ssadm -r primary edit Initial
edit> vars add sys=Screenname prg=auth name=LogSeverity value=debug 
description="debug authentication operations"

edit> quit

Note -

Although, the output produced by print surrounds the value of each item in double quotes, these are only necessary on input if there are embedded spaces within the values of items. Also, although print outputs all tag names in capital letters (for example, PRG=), these tags are recognized in a case-insensitive manner on input (for example, prg=, Prg=, PRG= are equivalent). Finally, the VALUE string for the LogSeverity variable is likewise processed in a case-insensitive manner.