
Allied Telesis AR Series User Manual

C613-22104-00 REV B UTM Log Messages | Page 66
Logging Advanced Network Protection
UTM Log Messages
Log messages from the various UTM security features come from several sources, and it is
not always obvious which program names you need to specify in order to get the logs
for a given feature.
Log messages related to the firewall UTM features are generated by different programs, but from
AlliedWare 5.4.7-1.x they are all assigned the facility ‘local5’. This means you can select
all UTM log messages with a single filter, for instance, to send all UTM log messages
from multiple devices to a single destination.
The UTM log messages are generated by these programs:
The IPS program generates messages for the Suricata stream-based security features Intrusion
Prevention System, IP Reputation, Malware Protection, and URL Filtering.
The UTM program generates messages for the proxy-based features Web Control and Anti-virus.
Configuration example: logging UTM messages
To configure an AR-Series firewall to generate log messages for any UTM features in use and send
them to a syslog server at IP address 192.168.1.1, use the commands:
awplus# configure terminal
awplus(config)# log host 192.168.1.1 facility local5
To configure an AR-Series firewall to generate log messages for any UTM features in use and send
them to the buffered log, use the commands:
awplus# configure terminal
awplus(config)# log buffered facility local5
awplus(config)# exit
To view only the messages in the buffered log that contain the facility local5, use the
command:
awplus# show log |grep local5
Output 6: Example firewall log messages
2016 Nov 28 23:26:34 kern.info awplus kernel: Firewall rule 10: PERMIT IN=
OUT=eth0 SRC=192.168.5.2 DST=192.168.5.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64
ID=7935 DF PROTO=ICMP TYPE=8 CODE=0 ID=2406 SEQ=1
2016 Nov 25 14:10:38 kern.info awplus kernel: Firewall: DENY probe FIN IN=vlan1
OUT=eth1 MAC=00:00:cd:38:00:bc:52:54:6b:6b:0f:1e:08:00 SRC=192.168.1.1
DST=172.16.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=54219 PROTO=TCP SPT=6000
DPT=21 WINDOW=512 RES=0x00 UG PSH FIN URGP=0
2016 Nov 25 18:38:36 kern.info awplus kernel: Firewall rule 20: PERMIT IN=eth1
OUT=vlan1 MAC=00:00:cd:38:00:96:52:54:78:36:8f:a6:08:00 SRC=172.16.1.2
DST=192.168.1.1 LEN=239 TOS=0x00 PREC=0x00 TTL=63 ID=20563 DF PROTO=TCP SPT=80
DPT=46254 WINDOW=905 RES=000 ACK PSH URGP=0 MARK=0x1053
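The following is an added example, not part of the manual: a Python parser that a syslog collector could run over firewall messages shaped like those in Output 6, listing denied flows by source, destination, protocol and port. The header layout is inferred from the three sample lines only, and the function names are hypothetical. The parser also returns the facility, which in these samples is kern rather than local5.

```python
import re
from collections import Counter

# The three messages from Output 6, with each wrapped message rejoined onto one line.
SAMPLE_LOG = """\
2016 Nov 28 23:26:34 kern.info awplus kernel: Firewall rule 10: PERMIT IN= OUT=eth0 SRC=192.168.5.2 DST=192.168.5.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7935 DF PROTO=ICMP TYPE=8 CODE=0 ID=2406 SEQ=1
2016 Nov 25 14:10:38 kern.info awplus kernel: Firewall: DENY probe FIN IN=vlan1 OUT=eth1 MAC=00:00:cd:38:00:bc:52:54:6b:6b:0f:1e:08:00 SRC=192.168.1.1 DST=172.16.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=54219 PROTO=TCP SPT=6000 DPT=21 WINDOW=512 RES=0x00 UG PSH FIN URGP=0
2016 Nov 25 18:38:36 kern.info awplus kernel: Firewall rule 20: PERMIT IN=eth1 OUT=vlan1 MAC=00:00:cd:38:00:96:52:54:78:36:8f:a6:08:00 SRC=172.16.1.2 DST=192.168.1.1 LEN=239 TOS=0x00 PREC=0x00 TTL=63 ID=20563 DF PROTO=TCP SPT=80 DPT=46254 WINDOW=905 RES=000 ACK PSH URGP=0 MARK=0x1053
"""

# Header layout inferred from the sample lines only (an assumption, not a documented grammar).
HEADER = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d+ [\d:]{8}) (?P<facility>\w+)\.(?P<severity>\w+) "
    r"(?P<host>\S+) (?P<program>[^:\s]+): "
    r"Firewall(?: rule (?P<rule>\d+))?: (?P<action>PERMIT|DENY)\b(?P<rest>.*)$"
)

def parse_firewall_line(line):
    """Return a dict for one firewall message, or None for any other log line."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    fields, flags, reason = {}, [], []
    for token in event.pop("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields.setdefault(key, value)  # ID= appears twice in the ICMP sample; keep the first
        elif fields:
            flags.append(token)            # bare tokens after the first KEY=: DF, ACK, PSH, ...
        else:
            reason.append(token)           # words between the action and the first KEY=
    event.update(fields=fields, flags=flags, reason=" ".join(reason))
    return event

def denied_flows(log_text):
    """Count DENY events per (source, destination, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_firewall_line(line)
        if event and event["action"] == "DENY":
            f = event["fields"]
            counts[(f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("DPT"))] += 1
    return counts

if __name__ == "__main__":
    for flow, n in denied_flows(SAMPLE_LOG).items():
        print(n, *flow)
```

Lines that do not match the firewall layout, such as messages from the IPS or UTM programs, return None and are skipped.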
