Define logging options for Ethernet rules

Ethernet rules can create a log or alert entry each time they match.

By default, logging options set in a previous rule with Continue as its action are used. If no such rule exists, the default logging options defined in the template policy are used.

  • Layer 2 physical interfaces on Engines log connections by default.
  • Layer 2 Engines and Virtual Layer 2 Engines log connections by default.
  • IPS engines and Virtual IPS engines do not log connections by default.

Each individual rule can be set to override the default values.

When the Log Server is unavailable, log entries are temporarily stored on the engine. When the engine is running out of space to store the log entries, it begins discarding log data in the order of importance. Monitoring data is discarded first, followed by log entries marked as Transient and Stored, and finally log entries marked as Essential. The Alert entries are the last log entries to be discarded.

The settings for storing the logs temporarily on the engine are defined in the engine's log spooling policy.
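As an added illustration that is not the engine's own log spooling code, the following Python model applies the discard order described above to a constructed burst of per-packet Ethernet rule matches while the Log Server is unavailable; the spool capacity, the entry descriptions and the numeric ranks are assumptions made for the example.

```python
# Discard order from the page: monitoring data first, then Transient,
# Stored, Essential, and Alert entries last. The ranks are hypothetical
# numbers chosen for this model, not values used by the product.
DISCARD_ORDER = ["monitoring", "transient", "stored", "essential", "alert"]
RANK = {level: i for i, level in enumerate(DISCARD_ORDER)}


class LogSpool:
    """Illustrative model of the engine-side spool (not the real implementation).

    Holds at most `capacity` entries. When an addition overflows the spool,
    the entry with the lowest rank (oldest among equals) is discarded; if the
    new entry itself has the lowest rank, it is the one dropped.
    """

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = []      # tuples of (rank, sequence number, description)
        self.discarded = []    # descriptions, in the order they were dropped
        self._seq = 0

    def add(self, level, description):
        self.entries.append((RANK[level], self._seq, description))
        self._seq += 1
        if len(self.entries) > self.capacity:
            victim = min(self.entries)   # lowest rank, then oldest
            self.entries.remove(victim)
            self.discarded.append(victim[2])

    def kept(self):
        """Surviving entries in arrival order."""
        return [e[2] for e in sorted(self.entries, key=lambda e: e[1])]


def simulate_ethernet_rule_burst(capacity=4):
    """Constructed scenario: a Stored-level Ethernet rule logs every packet,
    filling the spool; an Essential entry and an Alert then arrive."""
    spool = LogSpool(capacity)
    spool.add("monitoring", "interface statistics sample")
    for n in range(1, 5):
        spool.add("stored", f"eth-rule match, packet {n}")
    spool.add("essential", "admin login")
    spool.add("alert", "Ethernet rule alert")
    return spool.kept(), spool.discarded
```

Running `simulate_ethernet_rule_burst()` shows that the monitoring sample and the oldest per-packet Stored entries are the ones lost, while the Essential entry and the Alert survive.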

Note: A log entry is generated for each packet that matches an Ethernet rule. Choose the logging options carefully to avoid producing an excessive amount of log data.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Double-click the Logging cell in the rule.
  2. Define the options.

Logging - Select Rule Options dialog box (Ethernet rules)

Use this dialog box to define Ethernet rule logging options.

Log Level
  • None — Does not create any log entry.
  • Transient — Creates a log entry that is displayed in the Current Events mode in the Logs view (if someone is viewing it at the moment), but is not stored.
  • Stored — Creates a log entry that is stored on the Log Server.
  • Essential — Creates a log entry that is shown in the Logs view and saved for further use.
  • Alert — Triggers the alert you add to the Alert field.
Alert
  When the Log Level is set to Alert, specifies the Alert that is sent when the rule matches. Selecting different Alerts for different types of rules allows more fine-grained alert escalation policies.
Severity
  When the Log Level is set to Alert, allows you to override the severity defined in the Alert element.