Extended Events

Other events are logged besides packets and sessions. They are stored in an extended format. These other events arise from the following logging entities:

• auth - Authentication logic (in various other agents)

• edit - Configuration editor

• ftpp - The FTP proxy

• ha - The high-availability subsystem

• httpp - The HTTP proxy

• iked - The IKE daemon

• log - The logger itself

• smtpp - The SMTP proxy

• telnetp - The Telnet proxy

Each entity has a LogSeverity variable which limits the extent of its logging of noteworthy events based on the severity level of those events.

In addition, there exist default limiters as catchallsl for unnamed entities:

• name=LogSeverity - For all Screens

• sys=Screen name=LogSeverity - Screen-specific

The LogSeverity variables take text strings as their value. The value functions as a not-more-detail-than limiter and is similar to the functionality of the Solaris syslog command. The text values are:

• NONE

• ALERT

• CRIT

• ERR

• WARN

• NOTE

• INFO

• DEBUG

These limiter variables operate with several levels of globality, within entities and/or Screens, and/or universally. The limiters serve to control logging situations where a particular rule is not yet known to the entity, or where no particular rule applies.

In addition, the effect of the per-rule DETAIL, SUMMARY, and SESSION attributes is overridden by some of these logging entities. This override allows for finer control over events that can be attributed to a particular rule. Specifically, any rule-specific event of a severity of INFO or greater is logged if that rule has packet or session logging enabled.