Configure log handling settings
Log Handling settings allow you to adjust logging when the log spool on the Firewall, IPS, Layer 2 Firewall, or Master Engine fills up.
Logs are spooled locally when the Log Server is not available. The Master Engine spools its own logs and the logs sent by the Virtual Engines that the Master Engine hosts.
You can also configure Log Compression to save resources on the engine. By default, each generated Antispoofing and Discard log entry is logged separately and displayed as a separate entry in the Logs view. Log Compression allows you to define the maximum number of separately logged entries. When the defined limit is reached, a single Antispoofing log entry or Discard log entry is logged. The single entry contains information on the total number of the generated Antispoofing log entries or Discard log entries. After this, logging returns to normal and all generated entries are once more logged and displayed separately.
The general Log Compression settings you define in the Engine Editor are applied as default settings on all interfaces. You can also define Log Compression and override the global settings in each interface’s properties.
You can optionally save copies of the most recent log entries locally on the Engine. You can browse the saved log entries on the command line of the Engine even if the log entries have already been sent to the Log Server.
For more details about the product and how to configure features, click Help or
press F1.
Steps
-
Click
Save and Refresh to transfer the configuration changes.
Engine Editor > Advanced Settings > Log Handling
Use this branch to change log handling settings for the Engine. You can use log handling settings to adjust logging when the log spool fills up.
| Option | Definition |
|---|---|
|
Log Spooling Policy
(Not Virtual Engines) |
Defines what happens when the log spool becomes full.
|
|
Log Compression
(Antispoofing Log Event Type for Firewalls only) |
The maximum number of separately logged entries. When the defined limit is reached, a single Antispoofing log entry or Discard log entry is logged.
The single entry contains information about the total number of the generated Antispoofing log entries or Discard log entries. The individual log entries are deleted.
After the single log entry is created, logging returns to normal and all entries are logged and shown separately. Double-click a cell to edit the value. Note: Do not
enable Log Compression if you want all Antispoofing and Discard entries to be logged as separate log entries (for example, for reporting or statistics).
|
| Set to Default | Returns Log Compression settings to the default settings. |
| Store a Copy of Recent Log Files on the Engine | When selected, the Engine stores copies of logs according to the specified settings. |
| Maximum Time | The maximum length of time for which to store copies of logs. Values can be 1–720 hours (the maximum is 30 days), or not specified. If a value is not specified, the Engine stores copies of logs until the limits specified in the Guaranteed Free Spool Partition or Guaranteed Free Spool Partition Size options are reached. |
| Guaranteed Free Spool Partition | The minimum percentage of the spool partition that must be kept free. When the amount of free space reaches the limit, the Engine starts deleting the oldest stored copies
of log and alert entries when a new log or alert entry is saved. Values can be 5–80 %, or not specified. Note: You must enter a value for at least
one of the guarantee options. If you enter a value for both options, both limits are enforced.
|
| Guaranteed Free Spool Partition Size | The minimum amount of file space, in MB, on the spool partition that must be kept free. When the amount of free space reaches the limit, the Engine starts deleting the
oldest stored copies of log and alert entries when a new log or alert entry is saved. Values can be 50–1000 MB, or not specified. Note: You must enter a value for at least
one of the guarantee options. If you enter a value for both options, both limits are enforced.
|