Configuring Events to be Logged

Logs contain three basic types of events:

• Network traffic (packet)

• Network session summaries

• Extended events

Network Traffic (Packet)

You can set the action for each rule to be ALLOW, DENY, ENCRYPT, or VPN. For each action, you can set the kind of packet logging that you want:

• LOG_NONE - Do not log packets

• LOG_SUMMARY - Records the first 40 bytes of the packet in the log

• LOG_DETAIL - Records the complete packet in the log

Network Session Summaries

You can set the action to LOG_SESSION in a rule so that it records information about the session in the log. The information saved consists of the source and destination addresses and ports (if applicable), the amount of data being sent in each direction, and the length of the session. This action is not used for stateless services such as ip all.

The SESSION setting does not log packet content. Each basic protocol (for example, IP, UDP, TCP) logs statistics related to sessions as they are finalized.

This option is not available for the DENY action (because no session was allowed).

Extended Events

Other events are logged besides packets and sessions. They are stored in an extended format. These other events arise from the following logging entities:

• auth - Authentication logic (in various other agents)

• edit - Configuration editor

• ftpp - The FTP proxy

• ha - The high-availability subsystem

• httpp - The HTTP proxy

• iked - The IKE daemon

• log - The logger itself

• smtpp - The SMTP proxy

• telnetp - The Telnet proxy

Each entity has a LogSeverity variable which limits the extent of its logging of noteworthy events based on the severity level of those events.

In addition, there exist default limiters as catchallsl for unnamed entities:

• name=LogSeverity - For all Screens

• sys=Screen name=LogSeverity - Screen-specific

The LogSeverity variables take text strings as their value. The value functions as a not-more-detail-than limiter and is similar to the functionality of the Solaris syslog command. The text values are:

• NONE

• ALERT

• CRIT

• ERR

• WARN

• NOTE

• INFO

• DEBUG

These limiter variables operate with several levels of globality, within entities and/or Screens, and/or universally. The limiters serve to control logging situations where a particular rule is not yet known to the entity, or where no particular rule applies.

In addition, the effect of the per-rule DETAIL, SUMMARY, and SESSION attributes is overridden by some of these logging entities. This override allows for finer control over events that can be attributed to a particular rule. Specifically, any rule-specific event of a severity of INFO or greater is logged if that rule has packet or session logging enabled.