Define logging options for Ethernet rules
Ethernet rules can create a log or alert entry each time they match.
By default, logging options set in a previous rule with Continue as its action are used. If no such rule exists, the default logging options defined in the template policy are used.
- Layer 2 physical interfaces on Engines log connections by default.
- Layer 2 Engines and Virtual Layer 2 Engines log connections by default.
- IPS engines and Virtual IPS engines do not log connections by default.
Each individual rule can be set to override the default values.
When the Log Server is unavailable, log entries are temporarily stored on the engine. When the engine runs out of space to store log entries, it begins discarding log data in order of importance, least important first. Monitoring data is discarded first, followed by log entries marked as Transient and Stored, and finally log entries marked as Essential. Alert entries are the last log entries to be discarded.
The settings for storing the logs temporarily on the engine are defined in the engine's log spooling policy.
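A toy model of the discard order described above, added here as an illustration and not product code. The entry-count capacity, oldest-first eviction within a tier, and treating Transient and Stored as one tier are assumptions, and the sample events are constructed.

```python
from collections import deque

# Discard tiers, lowest discarded first, in the order the page gives.
# Assumption: Transient and Stored share a tier because the page names them together.
TIER = {"Monitoring": 0, "Transient": 1, "Stored": 1, "Essential": 2, "Alert": 3}


class Spool:
    """Toy engine-side spool; capacity counted in entries (assumption)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = deque()  # (seq, level, message), oldest first
        self.dropped = []       # discarded entries, in discard order
        self._seq = 0

    def add(self, level, message):
        if level not in TIER:
            raise ValueError(f"unknown log level: {level}")
        self._seq += 1
        self.entries.append((self._seq, level, message))
        while len(self.entries) > self.capacity:
            # Victim: lowest tier, oldest within that tier (assumption).
            victim = min(self.entries, key=lambda e: (TIER[e[1]], e[0]))
            self.entries.remove(victim)
            self.dropped.append(victim)

    def levels(self):
        return [level for _, level, _ in self.entries]


def simulate_outage(capacity, events):
    """Feed events into a spool while the Log Server is unreachable."""
    spool = Spool(capacity)
    for level, message in events:
        spool.add(level, message)
    return spool


# Constructed sample events, not real engine output.
SAMPLE = [
    ("Monitoring", "interface statistics"), ("Stored", "allowed ARP"),
    ("Essential", "discarded frame"), ("Transient", "allowed IPv4"),
    ("Alert", "alert rule matched"), ("Stored", "allowed IPv6"),
    ("Essential", "discarded frame"), ("Monitoring", "interface statistics"),
]

if __name__ == "__main__":
    spool = simulate_outage(4, SAMPLE)
    print("kept:", spool.levels())
    print("dropped:", [level for _, level, _ in spool.dropped])
```

With a spool of four entries, the Alert and both Essential entries survive the outage, which is why rules whose matches must reach the Log Server are better logged at Essential or Alert than at Stored.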
Steps
- Double-click the Logging cell in the rule.
- Define the options.
Logging - Select Rule Options dialog box (Ethernet rules)
Use this dialog box to define Ethernet rule logging options.
Option | Definition |
---|---|
Log Level | |
Alert | When the Log Level is set to Alert, specifies the Alert that is sent when the rule matches. Selecting different Alerts for different types of rules allows more fine-grained alert escalation policies. |
Severity | When the Log Level is set to Alert, allows you to override the severity defined in the Alert element. |