log


NAME

log - Manage Logs

SYNOPSIS

[1] log [type [(web | rweb | firewall | guard | antivirus | avserver | waf) [(on | off) [(on | off)]]]]

[2] log [rotate [report] | force]

[3] log [save (web | rweb | firewall | guard | antivirus | avserver | waf | system) <serial> (ftp | sftp | tftp) <file-server> <file-name>]

[4] log syslog [raz | (add | del) (udp | tcp) <syslog-server> [<port>] | test]

DESCRIPTION

Log reports give you visibility into all traffic and key events happening in the system. To benefit from logging, the logging mode must be activated (see the command mode). Eight types of logs are generated by the appliance:

web log: reports traffic managed by the forwarding and transparent proxy.

rweb log: reports traffic managed by the reverse proxy.

guard log: reports attempts to access non-authorized Web sites.

antivirus log: reports attempts to access virus infected objects coming from the Web.

avserver log: reports attempts to access virus infected objects coming from the external systems such as an MTA (Mail Transfer Agent).

waf log: reports unauthorized requests blocked by the Web Application Firewall.

firewall log: reports denied packets by the IP firewall.

system log: reports low level system events (only for maintenance purpose).

Please note that an attempt to inject a virus on a Web server protected by the appliance (in reverse mode) is logged in the WAF log file and not in the antivirus log file (which is reserved for forwarding and transparent Web accesses).

All log types (except the system log) can be activated or deactivated. The first usage form allows you to activate or deactivate log types. To activate a log type use the keyword type followed by the required log type specifier (web, rweb, guard, antivirus, avserver, waf or firewall) and the keyword on. To deactivate a log type use the keyword off instead. When a log type is activated, you can optionally activate or deactivate remote logging for it (see the fourth usage form below). The final argument in this usage form allows you to activate (on) or deactivate (off) remote logging (to syslog servers).

Without any arguments, this command displays a history of generated logs. Logs can be saved only after their rotation, never while they are in use. To inspect live logs you can use the Web Auditing module (see the command admin).

The system keeps logs of n days of activity, archived in separate files for each day. The number n is called the retention period and is set up during the appliance installation. Log rotation is normally an automatic daily operation. However it is always possible to force a log rotation by using the command log rotate. Use this if you want to download today's logs immediately without waiting for the daily log rotation. Without the optional argument force, the user is prompted to confirm the log rotation operation. The optional report keyword allows you to display a report of the last manual log rotation.

Important notice: depending on the number of users set up during the installation, an upper limit is fixed for log sizes and the required storage space is reserved for them. If a log report grows abnormally fast, a log rotation is forced without waiting for the daily log rotation. This prevents the system from being saturated. In the case of such an early rotation an SNMP trap is sent to the configured SNMP receivers.

A log rotation is an asynchronous operation (you are not blocked during its execution). Note that log rotation may fail if an apply operation or another asynchronous operation is running.

Accesses to non-authorized objects are logged in separate files while authorized forwarding and reverse Web accesses are saved each in a distinct file. A web or rweb log has the following format:

client-ip authuser [date] "request" status bytes cache-status cache-peer-status where:

client-ip: the remote client IP address.

authuser: the user name by which the user has authenticated himself (if the authentication mode is activated).

[date]: date and time of the request in RFC3339 format (with the caveat that minutes and hours in the time offset are not separated by a colon).

"request": the request line exactly as it came from the client.

status: the HTTP status code returned to the client.

bytes: the content-length of the object transferred (including headers).

cache-status: the cache status (HIT, MISS...).

cache-peer-status: peer cache status (HIT, MISS...).

user-agent: the Web browser type used by the user.

Please note that the last two fields are not present in a rweb log.
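A parser for the web/rweb line format described above, added here as an example and not part of the appliance's own software. It assumes the documented field order, a "-" placeholder for authuser when no authentication took place (an assumption), and rweb lines that simply omit the two cache fields; the sample lines are constructed, and the example also counts 4xx/5xx responses per client, which is a quick way to spot a noisy client when reviewing a saved log.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the documented web/rweb format; not taken from a real appliance.
SAMPLE_LINES = [
    '203.0.113.5 alice [2023-06-01T10:15:30+0200] "GET http://example.com/index.html HTTP/1.1" 200 5123 HIT NONE',
    '198.51.100.7 - [2023-06-01T10:16:02+0200] "GET http://example.org/x.png HTTP/1.1" 404 312 MISS MISS',
    '203.0.113.9 - [2023-06-01T11:00:00Z] "POST /login HTTP/1.1" 403 210',  # rweb: no cache fields
    '203.0.113.9 - [2023-06-01T11:00:01Z] "POST /login HTTP/1.1" 403 210',
]

# client-ip authuser [date] "request" status bytes [cache-status cache-peer-status]
LINE_RE = re.compile(
    r'^(?P<client_ip>\S+) (?P<authuser>\S+) \[(?P<date>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\d+)'
    r'(?: (?P<cache_status>\S+) (?P<cache_peer_status>\S+))?$'
)

def parse_timestamp(raw):
    """Parse the RFC 3339 date whose numeric offset lacks the colon (e.g. +0200)."""
    if raw.endswith('Z'):
        raw = raw[:-1] + '+00:00'
    else:
        m = re.match(r'^(.*)([+-])(\d{2})(\d{2})$', raw)
        if m:  # re-insert the colon so datetime.fromisoformat accepts it on any Python 3.7+
            raw = f'{m.group(1)}{m.group(2)}{m.group(3)}:{m.group(4)}'
    return datetime.fromisoformat(raw)

def parse_line(line):
    """Return a dict of typed fields, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['date'] = parse_timestamp(rec['date'])
    rec['status'] = int(rec['status'])
    rec['bytes'] = int(rec['bytes'])
    rec['authuser'] = None if rec['authuser'] == '-' else rec['authuser']  # "-" is assumed
    rec['kind'] = 'web' if rec['cache_status'] is not None else 'rweb'
    return rec

def error_counts_by_client(lines):
    """Count 4xx/5xx responses per client IP across a log, skipping unparsable lines."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec['status'] >= 400:
            counts[rec['client_ip']] += 1
    return dict(counts)
```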

The third usage form of this command allows you to save logs on a file server. The argument <serial> specifies the serial number of the saved log. The most recent log has the number 1, the next older one has the number 2, and so on. If you want to save logs on a remote file server for archiving purposes, your backup cycle must be equal to or shorter than the log retention period described above.

Logs can only be saved on a trusted remote file server. Trusted file servers are defined with the command access. All logs are saved as gzip compressed files, so the full file name including the extension .gz must be specified. A system log is saved in gzip tar (archive) format.

In addition to being saved locally, some logs can be sent in real time to remote syslog servers. The following log types can be sent to remote syslog servers: guard, antivirus, avserver, waf and firewall. The fourth usage form allows you to manage remote syslog servers. To add a remote syslog server use the keywords syslog add followed by the transport (udp or tcp), its server IP address or DNS name and optionally its listening port. To delete a remote syslog server use the del keyword instead of the add keyword. To erase the whole list of syslog servers use the keywords syslog raz.

To check connectivity to syslog servers you can send test syslog messages to all configured servers by using the keyword test. Please note that, as with any other command, the new configuration must be applied using the command apply before test syslog messages can be sent.

SEE ALSO

access (1) apply (1) mode (1)

AUTHOR

CacheGuard Technologies Ltd <www.cacheguard.com>

Send bug reports or comments to the above author.

COPYRIGHT

Copyright (C) 2009-2023 CacheGuard - All rights reserved