Configuring log management
The agent generates logs whenever user actions are blocked or when the agent conducts an audit. Depending on their severity, these logs can be sent to three different destinations. The various settings of this process can be defined in the configuration of agent groups. For further information, refer to the section Sending logs generated by agents.
In addition, for every security rule that you create, you can specify:
- The severity of the logged events,
- The destinations of these logs.
In any case, even if no destination has been configured for the logs in question, they can be found in the detailed context of incidents when an attack occurs. For further information on incident analysis, refer to Understanding the types of contexts.
The severity of events logged by a rule can be adjusted in the following cases:
- If you have highly sensitive applications, raise the severity of their logs. Emergency and Alert logs take priority over other logs sent to agent handlers, and are sent more frequently (every 30 seconds by default, every hour for other log levels),
- If a security rule generates too many irrelevant logs, lower their severity.
- Select your security policy in the Policies tab of the administration console, then select your set of rules. The main page of the rule set appears.
- Click on the tab of the rule that you want to modify.
- If you are in read-only mode, click on Edit in the upper banner.
- In the banner at the top of the rule, click on . The Log settings window appears.
- In the Log severity field, assign the level to logs generated by this rule.
- In the Show on agent field, choose whether logs from this rule can be seen on the agent:
  - Inherit: the overall behavior defined for the agent group applies. In the example above, logs can be seen on the agent because this is the case for logs of all levels from Notice upwards.
  - Never: logs can never be seen on the agent regardless of the overall behavior.
  - Always: logs can always be seen on the agent regardless of the overall behavior.
- In the Show on console field, choose whether logs from this rule can be seen on the administration console.
- In the Send to Syslog field, choose whether to send logs from this rule to the Syslog server if one has been configured. For more information, see section
- Click on OK.
- Save the changes made to the rule.
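The visibility and forwarding behavior described above can be modelled to check how a rule's Log severity and its Inherit/Never/Always overrides combine with the agent group's threshold. The following Python is an added illustration, not code from the product or its documentation; it assumes the standard syslog severity ordering (Emergency highest, Debug lowest), assumes the console visibility uses the same threshold mechanism as the agent, and uses the 30 second / hourly intervals stated on this page as constructed defaults.

```python
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    # Assumed syslog ordering: a lower number is a more severe event.
    EMERGENCY = 0
    ALERT = 1
    CRITICAL = 2
    ERROR = 3
    WARNING = 4
    NOTICE = 5
    INFORMATIONAL = 6
    DEBUG = 7


# Per-rule override values named on the page.
INHERIT, NEVER, ALWAYS = "inherit", "never", "always"


@dataclass(frozen=True)
class GroupPolicy:
    # Least severe level still shown; NOTICE means "Notice upwards".
    agent_threshold: Severity
    console_threshold: Severity  # assumption: same mechanism as the agent


@dataclass(frozen=True)
class RuleLogSettings:
    severity: Severity
    show_on_agent: str = INHERIT
    show_on_console: str = INHERIT


def shown(override: str, severity: Severity, threshold: Severity) -> bool:
    """Resolve one destination: Never and Always win, Inherit uses the group threshold."""
    if override == NEVER:
        return False
    if override == ALWAYS:
        return True
    # Inherit: visible when the event is at least as severe as the threshold.
    return severity <= threshold


def resolve(rule: RuleLogSettings, group: GroupPolicy) -> dict:
    """Return where a log produced by this rule would be visible."""
    return {
        "agent": shown(rule.show_on_agent, rule.severity, group.agent_threshold),
        "console": shown(rule.show_on_console, rule.severity, group.console_threshold),
    }


def forwarding_interval_seconds(severity: Severity) -> int:
    """Emergency/Alert are sent every 30 s by default, other levels hourly (page values)."""
    return 30 if severity <= Severity.ALERT else 3600


def partition_for_dispatch(events: list[Severity]) -> tuple[list[Severity], list[Severity]]:
    """Split events into the priority batch (30 s cycle) and the regular batch (hourly)."""
    priority = [e for e in events if forwarding_interval_seconds(e) == 30]
    regular = [e for e in events if forwarding_interval_seconds(e) != 30]
    return priority, regular


if __name__ == "__main__":
    # Constructed group policy: Notice and above visible on agent and console.
    group = GroupPolicy(Severity.NOTICE, Severity.NOTICE)
    noisy_rule = RuleLogSettings(Severity.INFORMATIONAL)            # lowered severity, hidden
    sensitive_rule = RuleLogSettings(Severity.ALERT, show_on_agent=NEVER)
    print(resolve(noisy_rule, group), resolve(sensitive_rule, group))
    print(partition_for_dispatch([Severity.ALERT, Severity.WARNING, Severity.EMERGENCY]))
```

Lowering a rule's severity below the group threshold is what silences an irrelevant rule under Inherit, while a Never/Always override hides or shows the rule's logs independently of that threshold; the dispatch split shows why raising a sensitive application's rule to Alert or Emergency gets its events to the agent handler sooner.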