Configure log handling settings

Log Handling settings allow you to adjust logging when the log spool on the Firewall, IPS, Layer 2 Firewall, or Master Engine fills up.

Logs are spooled locally when the Log Server is not available. The Master Engine spools its own logs and the logs sent by the Virtual Engines that the Master Engine hosts.

You can also configure Log Compression to save resources on the engine. By default, each generated Antispoofing and Discard log entry is logged separately and displayed as a separate entry in the Logs view. Log Compression allows you to define the maximum number of separately logged entries. When the defined limit is reached, a single Antispoofing log entry or Discard log entry is logged. The single entry contains information on the total number of the generated Antispoofing log entries or Discard log entries. After this, logging returns to normal and all generated entries are once more logged and displayed separately.

The general Log Compression settings you define in the Engine Editor are applied as default settings on all interfaces. You can also define Log Compression and override the global settings in each interface’s properties.

You can optionally save copies of the most recent log entries locally on the Engine. You can browse the saved log entries on the command line of the Engine even if the log entries have already been sent to the Log Server.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click a Firewall, IPS, Layer 2 Firewall, or Master Engine element and select Edit <element type>.
  2. In the navigation pane on the left, browse to Advanced Settings > Log Handling.
  3. Configure the options according to your environment.
    Do not enable Log Compression if you want all Antispoofing and Discard entries to be logged as separate log entries (for example, for reporting or statistics).
  4. Click Save and Refresh to transfer the configuration changes.

Engine Editor > Advanced Settings > Log Handling

Use this branch to change log handling settings for the Engine. You can use log handling settings to adjust logging when the log spool fills up.

Note: These settings are not supported for Virtual Engines.
Option Definition
Log Spooling Policy

(Not Virtual Engines)

Defines what happens when the log spool becomes full.
  • Stop Traffic — The Engine stops processing traffic and goes offline.
  • Discard Log — Log entries are discarded in four stages, according to available space. Monitoring data is discarded first, followed by log entries marked as Transient and Stored, and finally log entries marked as Essential. The Engine continues to process traffic.
Log Compression

(Antispoofing Log Event Type for Firewalls only)

The maximum number of separately logged entries. When the defined limit is reached, a single Antispoofing log entry or Discard log entry is logged. The single entry contains information about the total number of the generated Antispoofing log entries or Discard log entries. The individual log entries are deleted. After the single log entry is created, logging returns to normal and all entries are logged and shown separately. Double-click a cell to edit the value.
Note: Do not enable Log Compression if you want all Antispoofing and Discard entries to be logged as separate log entries (for example, for reporting or statistics).
Set to Default

Returns Log Compression settings to the default settings.

Store a Copy of Recent Log Files on the Engine

When selected, the Engine stores copies of logs according to the specified settings.

Maximum Time

The maximum length of time for which to store copies of logs. Values can be 1–720 hours (the maximum is 30 days), or not specified. If a value is not specified, the Engine stores copies of logs until the limits specified in the Guaranteed Free Spool Partition or Guaranteed Free Spool Partition Size options are reached.

Guaranteed Free Spool Partition

The minimum percentage of the spool partition that must be kept free. When the amount of free space reaches the limit, the Engine starts deleting the oldest stored copies of log and alert entries when a new log or alert entry is saved. Values can be 5–80 %, or not specified.
Note: You must enter a value for at least one of the guarantee options. If you enter a value for both options, both limits are enforced.

Guaranteed Free Spool Partition Size

The minimum amount of file space, in MB, on the spool partition that must be kept free. When the amount of free space reaches the limit, the Engine starts deleting the oldest stored copies of log and alert entries when a new log or alert entry is saved. Values can be 50–1000 MB, or not specified.
Note: You must enter a value for at least one of the guarantee options. If you enter a value for both options, both limits are enforced.
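
To estimate how much local log history an Engine keeps under the recent-log-copy options above, the following added example (not code from the product or its documentation) validates the three values against the documented ranges and models the "delete oldest first" rule. The field names, the `other_used_mb` parameter, and the treatment of free space exactly equal to the guarantee as acceptable are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class RetentionSettings:
    """Field names are this example's own; the ranges come from the table above."""
    max_hours: Optional[int] = None      # Maximum Time: 1-720 hours, or not specified
    free_percent: Optional[int] = None   # Guaranteed Free Spool Partition: 5-80 %
    free_mb: Optional[int] = None        # Guaranteed Free Spool Partition Size: 50-1000 MB

    def validate(self) -> List[str]:
        errors = []
        limits = (("max_hours", self.max_hours, 1, 720),
                  ("free_percent", self.free_percent, 5, 80),
                  ("free_mb", self.free_mb, 50, 1000))
        for name, value, low, high in limits:
            if value is not None and not low <= value <= high:
                errors.append(f"{name}={value} is outside {low}-{high}")
        if self.free_percent is None and self.free_mb is None:
            errors.append("at least one guarantee option must have a value")
        return errors

def retained_copies(settings: RetentionSettings, partition_mb: float,
                    other_used_mb: float,
                    copies: List[Tuple[float, float]]) -> List[Tuple[float, float]]:
    """Return the (age_hours, size_mb) copies that survive, newest first.

    Assumption: free space equal to the guarantee is acceptable, below it is not.
    """
    errors = settings.validate()
    if errors:
        raise ValueError("; ".join(errors))
    # Both guarantees are enforced, so the stricter one decides.
    required_free = max(partition_mb * (settings.free_percent or 0) / 100,
                        settings.free_mb or 0)
    budget = partition_mb - other_used_mb - required_free
    kept, used = [], 0.0
    for age, size in sorted(copies):                 # newest (smallest age) first
        expired = settings.max_hours is not None and age > settings.max_hours
        if expired or used + size > budget:
            break                                    # this and all older copies go
        kept.append((age, size))
        used += size
    return kept

# Constructed sample: 1000 MB spool partition, 300 MB held by other spool data.
SAMPLE_COPIES = [(1, 150), (5, 150), (30, 150), (100, 150)]
if __name__ == "__main__":
    both = RetentionSettings(max_hours=48, free_percent=20, free_mb=300)
    print(retained_copies(both, 1000, 300, SAMPLE_COPIES))
```

With both guarantees set, the 300 MB size limit is stricter than 20 % of the partition, so only the two newest copies remain available for on-engine review in this sample.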