Configure log handling settings for the NGFW Engine

In the log handling settings, you can configure log compression and define what happens when the log spool on the NGFW Engine becomes full.

Log compression allows you to define the maximum number of separately logged entries. When the defined limit is reached, a single antispoofing log entry or discard log entry is logged. The single log entry contains information about the total number of antispoofing log entries or discard log entries. The individual log entries are deleted. After the single log entry is created, logging returns to normal and all entries are logged and shown separately.

The general log compression settings are applied as default settings on all interfaces. You can also define log compression and override the global settings in the properties of each interface.

Note: Do not enable log compression if you want all antispoofing and discard entries to be logged as separate log entries, such as for reporting or statistics.

Steps

  1. Browse to NGFW > Properties > General.
  2. Configure the settings, then click Save.
  3. Publish the changes.

Example

Fields marked with an asterisk in the user interface are mandatory.

Table 1. NGFW Engine Properties - Log Handling
Option Definition
Log Spooling Policy

Defines what happens when the log spool becomes full.

  • Stop Traffic — The NGFW Engine stops processing traffic and goes offline.
  • Discard Logs — Log entries are discarded in four stages, according to available space. Monitoring data is discarded first, followed by log entries marked as Transient and Stored, and finally log entries marked as Essential. The NGFW Engine continues to process traffic.

To use log compression, you must select the Discard Logs option. When you use log compression, log entries are discarded proactively according to the Log Rate and Log Burst Size settings.

Log Compression

When enabled, enables log compression for the selected types of log entries.

  • Discard Logs — When enabled, log compression is enabled for discard log entries.
  • Antispoofing Logs — When enabled, log compression is enabled for antispoofing log entries. This option is enabled by default when you enable Log Compression.
Log Rate

The maximum sustained number of log entries per second.

The default value is 100 log entries per second.

Log Burst Size

The maximum number of log entries in a single burst.

The default value is 1000 log entries.