Overview

List of logs

Audit logs are stored in the /log directory on Stormshield Network firewalls.

The following list provides a brief description of each one of these logs:

  • l_alarm: events relating to raised alarms.
  • l_auth: events relating to the authentication policy.
  • l_connection: events relating to connections to and from the firewall.
  • l_count: statistics regarding the use of each rule.
  • l_date: events relating to time changes on the firewall.
  • l_filter: events relating to packet filtering.
  • l_filterstat: statistics concerning the use of the firewall and its resources.
  • l_ftp: events relating to the operation of the FTP plugin.
  • l_monitor: statistics for the creation of performance graphs and security reports (web administration interface and Stormshield Network Realtime Monitor).
  • l_plugin: events relating to processes carried out by ASQ plugins.
  • l_pop3: events relating to the operation of the POP3 plugin.
  • l_pvm: events relating to vulnerability management.
  • l_sandboxing: events relating to file sandboxing.
  • l_server: events relating to the administration of the firewall.
  • l_smtp: events relating to the operation of the SMTP plugin.
  • l_ssl: events relating to the operation of the HTTPS plugin.
  • l_system: events directly relating to the system (shutdown/reboot of the firewall, system error, service operation, etc.).
  • l_vpn: events relating to the use of connections via IPSEC VPN.
  • l_web: events relating to the operation of the HTTP plugin.
  • l_xvpn: events relating to the use of connections via SSL VPN.

Log management

File indexing

Logs are split into several files whenever they exceed 5 MB. When a file reaches this limit, it is closed and a new one is opened; the indexing information for the closed file is appended to its name.

The name of a closed log file is made up of the following elements:

  • The type of traffic logged (example: l_filter, l_alarm, etc.),
  • An index number: an 8-digit file number (starts from 0),
  • Creation date: GMT date of the first log contained in the file,
  • Closing date: GMT date of the last log contained in the file,
  • The number of logs stored in the file.
Example:

REMARKS

The name of the current log file only indicates the type of traffic logged (example: l_alarm, l_proxy).

REMARKS

File indexation (managed incrementally and starting from 0) means that the creation and closing dates do not need to be relied on to order files, as these dates may be distorted when the time is changed on the firewall.
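The following Python example, added here and not taken from Stormshield's documentation or tooling, shows how a log collector should order closed files by their index rather than by their dates, and how a date that runs backwards against the index order can be flagged for correlation with l_date. Because the page's file-name example is missing, the separator, the field order and the date format in the pattern are assumptions and must be adjusted to the real layout.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# ASSUMED (hypothetical) layout of a closed file name, since the page's example is absent:
#   <type>_<8-digit index>_<creation GMT>_<closing GMT>_<log count>
# with dates written as YYYYMMDDhhmmss. Adjust NAME_RE to the layout seen on the appliance.
NAME_RE = re.compile(
    r"^(?P<type>l_[a-z0-9]+)_(?P<index>\d{8})_(?P<created>\d{14})_(?P<closed>\d{14})_(?P<count>\d+)$"
)


@dataclass
class ClosedLog:
    type: str
    index: int
    created: datetime
    closed: datetime
    count: int


def _gmt(s: str) -> datetime:
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_name(name: str):
    """Return a ClosedLog, or None for the current (still open) file or a foreign name."""
    m = NAME_RE.match(name)
    if not m:
        return None
    return ClosedLog(m["type"], int(m["index"]), _gmt(m["created"]), _gmt(m["closed"]), int(m["count"]))


def ordered_by_index(names, log_type: str):
    """Closed files of one type in the order they were written: by index, never by date."""
    files = [f for f in map(parse_name, names) if f and f.type == log_type]
    return sorted(files, key=lambda f: f.index)


def date_anomalies(files):
    """Indices whose dates contradict index order: a sign the clock was changed (check l_date)."""
    out = []
    for prev, cur in zip(files, files[1:]):
        if cur.closed < cur.created or cur.created < prev.closed:
            out.append(cur.index)
    return out


# Constructed sample listing: file 00000002 was written after the clock was set back.
SAMPLE = [
    "l_filter",
    "l_filter_00000000_20240301080000_20240301090000_41230",
    "l_filter_00000001_20240301090000_20240301100500_40988",
    "l_filter_00000002_20240301061500_20240301072000_40111",
    "l_alarm_00000000_20240301080000_20240301120000_3012",
]
```

Sorting SAMPLE by creation date would place index 2 first and silently reorder the audit trail; sorting by index keeps the true write order and surfaces the clock change instead.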