Creating Security Logs
Procedure
To configure security logging:
- Select Security Director > Devices > Device Management.
The Device Management page appears.
- Right-click a device and select Device Configuration > Modify Configuration.
The View/Edit Configuration page appears.
- Under the Security section, click Security Logging.
The Create Security Logging page appears.
- Under the General Settings section, configure the following parameters:
  - From the Mode list, select the mode of logging as stream or event.
  - To specify the source IP address used when exporting security logs, enter the IP address in the Source Address field.
  - From the Format list, select the logging format as syslog, sd-syslog, or binary.
  - To limit the rate per second at which data plane logs are generated, enter the rate value in the Rate-Cap field.
  - To disable security logging for a device, select the Disable Logging check box.
  - To use Coordinated Universal Time (UTC) for security log timestamps, select the UTC-Timestamp check box.
  - To limit the rate per second at which logs are streamed, enter the event rate in the Event-rate field.
- Under the Stream section, configure the following parameters:
To create a new stream configuration:
You can also modify or delete existing streams. To modify a stream, select the stream and click the pencil icon. To delete a stream, select the stream and click the minus sign (-).
- Expand the File section and configure the following parameters:
  - In the File Name field, enter a filename for the log data file.
  - In the File Path field, enter the path where the log file is saved.
  - In the File Size field, enter the maximum size of the log file in megabytes.
  - In the Max No. Of files field, enter the maximum number of log files to create for each session.
- Expand the Cache section and configure the following parameters:
  - In the Limit field, enter the maximum number of log entries to store in the cache memory. The default value is 10,000 entries.
  - To prevent the device from logging certain events, you can create one or more exclude configurations.
  To create a new exclude configuration:
    - Under the Exclude section, click the plus sign (+).
    The Exclude Configuration page appears.
    - In the Name field, enter the name of the new exclude configuration.
    - Under the Destination section, in the IP Address field, enter the destination IP address in IPv4 or IPv6 format. The audit log does not include security alarms for the specified destination IP address.
    In the Port field, enter the destination port number.
    - Under the Source section, in the IP Address field, enter the source IP address in IPv4 or IPv6 format. The audit log does not include security alarms from the specified source IP address.
    In the Port field, enter the source port number.
    - Under the Other Filters section, configure the following parameters:
      - In the Event Id field, enter the event ID of the security event. The audit log does not include security alarms for this event ID.
      - To exclude failed events from the log, select the Failure check box.
      - In the Interface field, enter the name of the interface. The audit log does not include security alarms from the specified interface.
      - In the Policy Name field, enter the policy name.
      - In the Process field, enter the name of the process that generates the events.
      - In the Protocol field, enter the protocol name.
      - To exclude successful events from the log, select the Success check box.
      - In the User Name field, enter the name of the authenticated user. Security events triggered by this user are not written to the audit log.
    - To create the exclude configuration, click Ok.
- To create the security log configuration, click Ok.
Note: Security logging is not supported on logical system devices.
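As an added example (not from this page and not output generated by Security Director), the settings configured above correspond to the `security log` hierarchy that is pushed to the managed device; the keywords are given as I understand the Junos syntax and should be verified against the device's release, and all addresses, names, and values are constructed placeholders.

```junos
/* Added example: assumed Junos equivalent of the Security Logging page above.
   Addresses, stream/file/exclude names and values are constructed placeholders. */
security {
    log {
        /* General Settings section */
        mode stream;                     /* Mode list: stream or event */
        source-address 192.0.2.1;        /* Source Address field */
        format sd-syslog;                /* Format list: syslog, sd-syslog, binary */
        rate-cap 5000;                   /* Rate-Cap field (data plane logs/second) */
        event-rate 1000;                 /* Event-rate field (streamed logs/second) */
        utc-timestamp;                   /* UTC-Timestamp check box */
        /* The Disable Logging check box corresponds to a "disable;" statement here. */

        /* Stream section: one stream to a log collector (assumed syntax) */
        stream collector1 {
            format sd-syslog;
            host {
                192.0.2.10;
                port 514;
            }
        }

        /* File section */
        file {
            name security.log;           /* File Name field */
            path /var/log/security;      /* File Path field */
            size 10;                     /* File Size field, in megabytes */
            files 3;                     /* Max No. Of files field */
        }

        /* Cache section */
        cache {
            limit 10000;                 /* Limit field; 10,000 is the default */

            /* Exclude configuration: every event matching these filters is
               dropped from the audit log, so review such filters carefully. */
            exclude skip-health-checks {
                destination-address 192.0.2.20;
                destination-port 443;
                source-address 198.51.100.5;
                source-port 50000;
                event-id RT_FLOW_SESSION_CLOSE;
                interface-name ge-0/0/0.0;
                policy-name allow-monitoring;
                process flowd;
                protocol tcp;
                success;                 /* Success check box */
                username monitor-svc;    /* User Name field */
            }
        }
    }
}
```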