Configuring log management
The agent generates logs whenever user actions are blocked or when the agent conducts an audit. Depending on their severity, these logs can be sent to three different destinations. The various settings of this process can be defined in the configuration of agent groups. For further information, refer to the section Sending logs generated by agents.
In addition, for every security rule that you create, you can specify:
- The severity of the logged events,
- The destinations of these logs.
NOTE
In any case, even if no destination has been configured for the logs in question, they can be found in the context details when an attack occurs. For further information on context analysis, refer to Understanding what makes up a context.
The severity of events logged by a rule can be adjusted in the following cases:
- If you have highly sensitive applications, raise the severity of their logs. Emergency and Alert logs take priority over other logs sent to agent handlers, and are sent more frequently (every 30 seconds by default, compared with every hour for other log levels).
- If a security rule generates too many irrelevant logs, lower their severity.
- Select your security policy in the Security > Policies menu of the administration console, then select your set of rules. The main page of the rule set appears.
- Click on the tab of the rule that you want to modify.
- If you are in read-only mode, click on Edit in the upper banner.
- In the banner at the top of the rule, click on . The Log settings window appears.
- In the Log severity field, assign the level to logs generated by this rule.
- In the Show on agent field, choose whether logs from this rule can be seen on the agent:
  - Inherit: the overall behavior defined for the agent group applies. In the example above, logs can be seen on the agent because this is the case for logs of all levels from Notice upwards.
  - Never: logs can never be seen on the agent regardless of the overall behavior.
  - Always: logs can always be seen on the agent regardless of the overall behavior.
  Note that only Alert and Emergency level logs that have led to a block are visible in the agent interface for a non-administrator user of the machine.
- In the Show on console field, choose whether logs from this rule can be seen on the administration console.
- In the Send to Syslog field, choose whether to send logs from this rule to the Syslog server if one has been configured. For further information, refer to the section Creating groups of agent handlers.
- Click on OK.
- Save the changes made to the rule.
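The page describes how rule logs are prioritized (Emergency and Alert first), which levels are shown on the agent (Notice upwards in the example) and that logs can be forwarded to a Syslog server. The following is an added example, not code from the product or its documentation, of how a receiving side could apply the same severity ordering to forwarded logs. It assumes the logs arrive as syslog lines with an RFC 5424-style `<PRI>` header (an assumption; the page does not state the wire format) and uses constructed sample lines, not real agent output.

```python
import re
from typing import Dict, List, Tuple

# Syslog severity names in RFC 5424 numbering: the page's Emergency and Alert
# levels are 0 and 1, Notice is 5.
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_severity(line: str) -> Tuple[int, str]:
    """Return (severity number, severity name) from the <PRI> header of a syslog line.

    PRI = facility * 8 + severity, so the low three bits carry the severity.
    """
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the maximum valid value
        raise ValueError("PRI out of range: %d" % pri)
    sev = pri & 7
    return sev, SEVERITY_NAMES[sev]


def triage(lines: List[str], show_from: str = "Notice") -> Dict[str, List[Tuple[str, str]]]:
    """Split received lines into three buckets mirroring the page's behaviour:

    - "priority": Emergency and Alert, which the agent forwards ahead of other levels;
    - "regular":  levels up to the group's visibility threshold (Notice by default here);
    - "hidden":   levels below that threshold.
    """
    threshold = SEVERITY_NAMES.index(show_from)
    out: Dict[str, List[Tuple[str, str]]] = {"priority": [], "regular": [], "hidden": []}
    for line in lines:
        sev, name = parse_severity(line)
        if sev <= 1:
            out["priority"].append((name, line))
        elif sev <= threshold:
            out["regular"].append((name, line))
        else:
            out["hidden"].append((name, line))
    return out


# Constructed sample lines (hypothetical rule names and hosts, not real agent output).
SAMPLE_LINES = [
    "<9>1 2024-01-01T10:00:00Z host1 agent - - - rule=EXAMPLE-1 action=block",   # severity 1, Alert
    "<13>1 2024-01-01T10:00:05Z host1 agent - - - rule=EXAMPLE-2 action=audit",  # severity 5, Notice
    "<15>1 2024-01-01T10:00:07Z host1 agent - - - rule=EXAMPLE-3 action=audit",  # severity 7, Debug
    "<8>1 2024-01-01T10:00:09Z host2 agent - - - rule=EXAMPLE-4 action=block",   # severity 0, Emergency
]

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_LINES).items():
        print(bucket, [name for name, _ in entries])
```

Lowering a rule's severity in the console, as the page recommends for noisy rules, would move its lines from the "priority" or "regular" bucket into "hidden" on this receiving side; raising it does the opposite, so the threshold chosen here should match the Show on agent setting of the agent group.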