Creating Security Logs
To configure security logging:
- Select Security Director > Devices > Device Management.
The Device Management page appears.
- Right-click a device and select Device Configuration > Modify Configuration.
The View/Edit Configuration page appears.
- Under the Security section, click Security Logging.
The Create Security Logging page appears.
- Under the General Settings section, configure the following parameters:
From the Mode list, select the logging mode: stream or event.
In the Source Address field, enter the source IP address that the device uses when exporting security logs.
From the Format list, select the logging format as syslog, sd-syslog, or binary.
To limit the rate per second at which data plane logs are generated, enter the rate value in the Rate-Cap field.
To disable security logging for a device, select the Disable Logging check box.
To use Coordinated Universal Time (UTC) for security log timestamps, select the UTC-Timestamp check box.
To limit the rate per second at which logs are streamed, enter the event rate in the Event-rate field.
- Under the Stream section, configure the following parameters:
To create a new stream configuration:
Click the plus sign (+).
The Stream Configuration page appears.
In the Stream Name field, enter the name of the new stream configuration.
In the Host field, enter the IPv4 or IPv6 address.
In the Port field, enter the port number.
In the Severity list, select the required severity level: Emergency, Alert, Critical, Error, Warning, Notice, Info, or Debug.
In the Category list, select the type of category as all or content-security.
In the Format list, select the type of format as syslog, sd-syslog, welf, or binary.
To create a new stream, click Ok.
You can modify or delete existing streams. To edit a stream, select the stream and click the pencil icon. To delete a stream, select the stream and click the minus sign (-).
- Expand the File section and configure the following parameters:
In the File Name field, enter a filename for the log data file.
In the File Path field, enter the path where the log file is saved.
In the File Size field, enter the maximum size of the log file in megabytes.
In the Max No. Of files field, enter the maximum number of log files to create for each session.
- Expand the Cache section, and configure the following parameters:
In the Limit field, enter the maximum number of log entries to store in the cache memory. The default value is 10,000 entries.
- To keep certain events out of the security log, you can create one or more exclude configurations.
To create a new exclude configuration:
Under the Exclude section, click the plus sign (+).
The Exclude Configuration page appears.
In the Name field, enter the name of a new exclude configuration.
Under the Destination section, in the IP Address field, enter the destination IP address in IPv4 or IPv6 address format. The audit log does not include security alarms from the specified destination IP address.
In the Port field, enter the destination port.
Under the Source section, in the IP Address field, enter the source IP address in IPv4 or IPv6 address format. The audit log does not include security alarms from the specified source IP address.
In the Port field, enter the source port.
Under the Other Filters section, configure the following parameters:
In the Event Id field, enter the event ID of the security event. The audit log does not include security alarms for this event ID.
To exclude failed events from the log, select the Failure check box.
In the Interface field, enter the name of the interface. The audit log does not include security alarms from the specified interface.
In the Policy Name field, enter the policy name.
In the Process field, specify the name of the process that is generating the events.
In the Protocol field, enter the protocol name.
To exclude successful events from the log, select the Success check box.
In the User Name field, enter the name of the authenticated user. Security events generated by this user are not written to the audit log.
To create a new exclude configuration, click Ok.
- To create a new security log, click Ok.
Security logging is not supported for logical system devices.
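For reference, the device-side configuration that the fields above produce, written here as an added example rather than taken from this page or from Security Director itself. It assumes the standard Junos `security log` hierarchy, RFC 5737 documentation addresses (192.0.2.1 for the device, 192.0.2.10 for the collector, 198.51.100.5 for an excluded management host) and the stream and exclude names; every value is an assumption for illustration.

```junos
/* Added example: Junos 'security log' hierarchy matching the fields in this procedure. */
/* Addresses, names and the field-to-statement mapping are assumptions, not from the page. */
security {
    log {
        /* General Settings: Mode, Source Address, Format, Rate-Cap, Event-rate, UTC-Timestamp */
        mode stream;
        /* Source Address: the address the device stamps on exported logs (assumed) */
        source-address 192.0.2.1;
        format sd-syslog;
        /* Rate-Cap: data-plane logs per second */
        rate-cap 5000;
        /* Event-rate: streamed logs per second */
        event-rate 1000;
        utc-timestamp;
        /* Stream section: one collector, all categories, severity info */
        stream siem-collector {
            severity info;
            category all;
            format sd-syslog;
            host {
                192.0.2.10;
                port 514;
            }
        }
        /* File section: File Name, File Path, File Size (MB), Max No. Of files */
        file {
            name security.log;
            path /var/log/;
            size 10;
            files 3;
        }
        /* Cache section: Limit (page default 10,000) plus an Exclude configuration */
        cache {
            limit 10000;
            /* Exclude: successful events from the assumed management host are not logged */
            exclude mgmt-noise {
                source-address 198.51.100.5;
                success;
            }
        }
    }
}
```

Before committing an exclude configuration, confirm the excluded source is really expected noise; anything matched here never reaches the audit log or the collector.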