You can configure the size of the area used to log packet traffic, session and other events. The log consists of a number of files in a particular directory. Each Screen has a log file of its own.
You can specifically configure the size of the log file on each Screen. You establish the size of the log files in much the same way as other configuration items. These sizes are propagated to various Screens being managed during the normal activation process. The log file is resized on a particular Screen only when that Screen is restarted after the activation. This is true for primary and secondary Screens in a centralized management group and in an HA cluster.
You should change the size of the log file when you are configuring your policies just after installing the Screen. Activating the policy with the new log sizes does not resize the log files. The log file on a particular Screen is only resized when that Screen is restarted. When the Screen is restarted, it uses the policy that was the last currently active one. Instructions for setting logsize (global and for a particular Screen) are included below.
Setting the size of the log file does not cause the file system to allocate space for storing the log immediately. Competing users of the file system on which the log file resides should, therefore, not be allowed to consume this space. Even when the log has filled and begins to reuse filesystem space, the maximum amount of filesystem space is still not in use at all times.
The global default log size, which can only be configured using the configuration editor, is controlled by the variable LogSize. It contains the following items:
prg=log
name=LogSize
value=size (in megabytes)
description="descriptive text" (optional)
enabled | disabled (default is enabled)
Group Screen installations are configured on the primary Screen. To set the global default log file size to 250 Mbytes, while logged into the primary Screen:
admin% ssadm -r primary edit Initial
edit> vars add prg=log name=LogSize value=250 description="log size (MB)"
To display the global default log file size:
admin% ssadm -r primary edit Initial
edit> vars print prg=log name=LogSize
PRG="log" NAME="LogSize" ENABLED VALUE="250" DESCRIPTION="log size (MB)"
Although the output produced by print surrounds the value of each item in double quotes, these are only necessary on input if there are embedded spaces within the values of items. Also, although print outputs all tag names in capital letters (for example, PRG), these tags are recognized in a case-insensitive manner on input (for example, prg, Prg, and PRG are equivalent).
This section shows you how to set a log size for a particular Screen that is different from the global log size.
To display the log file size for all Screens in an HA cluster:
admin% ssadm -r primary edit Initial
edit> list Screen
scrn1 CDP ROUTING DNS
scrn2 CDP ROUTING DNS LOGSIZE 444
scrn1 does not have the log file size configured and uses the global default value. scrn2 has a size of 444 (Mbytes) that it uses instead of the global default value on that Screen.
To set the log file size for a specific Screen (scrn1) to 200 MB:
admin% ssadm -r primary edit Initial
edit> add Screen scrn1 CDP ROUTING DNS LOGSIZE 200
edit> save
edit> quit
When altering the value of LogSize, be sure to reenter all the other attributes as they were displayed by the list verb.
Logs contain three basic types of events:
You can set the action for each rule to be ALLOW, DENY, ENCRYPT, or VPN. For each action, you can set the kind of packet logging that you want:
You can set the action to LOG_SESSION in a rule so that it records information about the session in the log. The information saved consists of the source and destination addresses and ports (if applicable), the amount of data being sent in each direction, and the length of the session. This action is not used for stateless services such as ip all.
The SESSION setting does not log packet content. Each basic protocol (for example, IP, UDP, TCP) logs statistics related to sessions as they are finalized.
This option is not available for the DENY action (because no session was allowed).
Other events are logged besides packets and sessions. They are stored in an extended format. These other events arise from the following logging entities:
auth - Authentication logic (in various other agents)
edit - Configuration editor
ftpp - The FTP proxy
ha - The high-availability subsystem
httpp - The HTTP proxy
iked - The IKE daemon
log - The logger itself
smtpp - The SMTP proxy
telnetp - The Telnet proxy
Each entity has a LogSeverity variable which limits the extent of its logging of noteworthy events based on the severity level of those events.
In addition, there exist default limiters as catchalls for unnamed entities:
name=LogSeverity - For all Screens
sys=Screen name=LogSeverity - Screen-specific
The LogSeverity variables take text strings as their value. The value functions as a not-more-detail-than limiter and is similar to the functionality of the Solaris syslog command. The text values are:
NONE
ALERT
CRIT
ERR
WARN
NOTE
INFO
DEBUG
These limiter variables operate with several levels of globality, within entities and/or Screens, and/or universally. The limiters serve to control logging situations where a particular rule is not yet known to the entity, or where no particular rule applies.
In addition, the effect of the per-rule DETAIL, SUMMARY, and SESSION attributes is overridden by some of these logging entities. This override allows for finer control over events that can be attributed to a particular rule. Specifically, any rule-specific event of a severity of INFO or greater is logged if that rule has packet or session logging enabled.
All items in the logs have a common, 24-byte header. After this header, the sizes shown in the table below apply to logged items (by type).

Table 11-1 Sizes of Logged Items

| Type | Subtype | Total Item Size (in bytes) |
|---|---|---|
| packet | DETAIL | 24 + 44 + size of packet |
| packet | SUMMARY | 24 + 44 + 40 |
| SESSION | ip | 24 + 40 |
| SESSION | tcp | 24 + 44 |
| SESSION | udp | 24 + 40 |
| EXTENDED | | 24 + 64 + UTF-8 text: 0 to 4008 |
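The item sizes in Table 11-1 are what you need to turn a LogSize value into an expected time until the log wraps. The following is an added example, not part of the SunScreen documentation; the workload figures are constructed, and it assumes LogSize megabytes are 1024 x 1024 bytes.

```python
# Added example: capacity planning from the Table 11-1 item sizes.
HEADER = 24  # common header carried by every logged item

def item_size(kind, subtype=None, packet_len=0, text_len=0):
    """Return the size in bytes of one logged item, per Table 11-1."""
    if kind == "DETAIL":
        return HEADER + 44 + packet_len          # full packet content is kept
    if kind == "SUMMARY":
        return HEADER + 44 + 40                  # fixed 40-byte packet summary
    if kind == "SESSION":
        # ip and udp session records are 40 bytes, tcp records are 44 bytes
        return HEADER + {"ip": 40, "tcp": 44, "udp": 40}[subtype]
    if kind == "EXTENDED":
        if not 0 <= text_len <= 4008:
            raise ValueError("extended-event text must be 0..4008 bytes")
        return HEADER + 64 + text_len
    raise ValueError(f"unknown item kind {kind!r}")

def hours_until_wrap(logsize_mb, workload):
    """workload: list of (items_per_hour, item_size keyword args).

    Assumes LogSize is in units of 1024*1024 bytes (an assumption, the
    manual only says 'Mbytes').
    """
    bytes_per_hour = sum(n * item_size(**kw) for n, kw in workload)
    return logsize_mb * 1024 * 1024 / bytes_per_hour

# Constructed hourly workload for one Screen (not measured data):
WORKLOAD = [
    (100_000, {"kind": "SUMMARY"}),                          # packet summaries
    (20_000, {"kind": "SESSION", "subtype": "tcp"}),         # finalized TCP sessions
    (500, {"kind": "EXTENDED", "text_len": 200}),            # auth/proxy events
]

if __name__ == "__main__":
    print(f"250 MB log wraps after ~{hours_until_wrap(250, WORKLOAD):.1f} hours")
```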
Because the level of logging from a given program entity can be limited by the setting of the LogSeverity variable for that entity, a variable can be specific to a particular Screen (within a CMG group of centrally-managed Screens) or applicable to all Screens (those without a Screen-specific variable). If no variable is defined for a given entity, more general variables control such logging (again, on a per-Screen or non-Screen-specific basis). The search order for log limiter variables can be summarized as:
sys=Screenname prg=entityname name=LogSeverity
prg=entityname name=LogSeverity
sys=Screenname name=LogSeverity
name=LogSeverity
As initially configured, SunScreen contains log limiter variables for each program entity, as well as the non-Screen, non-entity-specific (global global) default. All are initially configured to the value info.
Log limiter variables are configured using the configuration editor.
The log limiters are controlled by LogSeverity variables, which contain the following items:
sys=Screenname (optional)
prg=programname (optional)
name=LogSeverity
value=severityname (emerg,alert,...,debug)
description=descriptive text (optional)
enabled | disabled (The default is enabled.)
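The four-step search order above, combined with the item layout of a LogSeverity variable, determines which limiter applies to a given entity on a given Screen and whether an event of some severity is written. The following is an added example, not SunScreen code; the variable set is constructed to mirror the commands on this page (Screen names scrn1/scrn2 are placeholders), and treating a disabled variable as absent and an unconfigured limiter as NONE are assumptions.

```python
# Added example: resolve the effective LogSeverity limiter for an entity.
# Order from least to most detail; a limiter means "no more detail than this".
SEVERITIES = ["NONE", "ALERT", "CRIT", "ERR", "WARN", "NOTE", "INFO", "DEBUG"]

def lookup(variables, sys=None, prg=None):
    """Return the value of the LogSeverity variable with exactly these sys/prg tags."""
    for v in variables:
        if (v.get("name", "").lower() == "logseverity"
                and v.get("sys") == sys and v.get("prg") == prg
                and v.get("enabled", True)):          # assumption: disabled == absent
            return v["value"].upper()                 # VALUE is case-insensitive
    return None

def effective_severity(variables, screen, entity):
    """Apply the documented search order: most specific variable wins."""
    for sys, prg in ((screen, entity),   # sys=Screenname prg=entityname
                     (None, entity),     # prg=entityname
                     (screen, None),     # sys=Screenname
                     (None, None)):      # global global default
        found = lookup(variables, sys, prg)
        if found is not None:
            return found
    return "NONE"  # assumption: nothing configured at any level logs nothing

def is_logged(variables, screen, entity, event_severity):
    """True if an event of event_severity passes the effective limiter."""
    limit = effective_severity(variables, screen, entity)
    return SEVERITIES.index(event_severity.upper()) <= SEVERITIES.index(limit)

# Constructed configuration, as the 'vars print' output on this page would show it:
VARS = [
    {"name": "LogSeverity", "value": "INFO"},                        # global global
    {"prg": "auth", "name": "LogSeverity", "value": "INFO"},         # all Screens, auth
    {"sys": "scrn2", "prg": "auth", "name": "LogSeverity", "value": "debug"},
    {"sys": "scrn1", "name": "LogSeverity", "value": "WARN"},        # scrn1 catchall
]

if __name__ == "__main__":
    for screen, entity in (("scrn2", "auth"), ("scrn1", "auth"), ("scrn1", "httpp")):
        print(screen, entity, "->", effective_severity(VARS, screen, entity))
```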
Once log limiters have been altered, the configuration must be activated to propagate the changes.
Do the following while logged into the primary Screen.
To display the global global log limiter:
admin% ssadm -r primary edit Initial
edit> vars print name=LogSeverity
NAME="LogSeverity" ENABLED VALUE="INFO" DESCRIPTION="global log severity limit"
To display the global log limiter for authentication events:
admin% ssadm -r primary edit Initial
edit> vars print prg=auth name=LogSeverity
PRG="auth" NAME="LogSeverity" ENABLED VALUE="INFO" DESCRIPTION="global log severity limit, authentication"...
To log more debugging information on a particular Screen for authentication events:
admin% ssadm -r primary edit Initial
edit> vars add sys=Screenname prg=auth name=LogSeverity value=debug description="debug authentication operations"
edit> quit
Although the output produced by print surrounds the value of each item in double quotes, these are only necessary on input if there are embedded spaces within the values of items. Also, although print outputs all tag names in capital letters (for example, PRG=), these tags are recognized in a case-insensitive manner on input (for example, prg=, Prg=, and PRG= are equivalent). Finally, the VALUE string for the LogSeverity variable is likewise processed in a case-insensitive manner.