“Local storage” tab

The configuration of logs allows allocating disk space for each type of log on the firewall. This menu also allows modifying the firewall’s behavior when saving these logs.

This screen is divided into 2 sections:

  • Top: a menu setting out the various options
  • Bottom: a table

NOTE 

This tab will be grayed out if the firewall is a model that does not have a hard disk. In this case, when the module is opened, the Syslog tab will appear.

This button makes it possible to enable or disable log storage on the hard disk or on an SD card (S series firewalls).

 

Storage device

You have the option of using as a storage medium:

  • Your firewall’s internal hard disk – 6 GB internal support option
  • An SD card, for firewalls in the "S" Series, provided that the "external storage" option has been subscribed.

NOTE 

For more information, refer to the Guides PRESENTATION AND INSTALLATION OF NETASQ PRODUCTS U SERIES – S Models or PRESENTATION AND INSTALLATION OF STORMSHIELD NETWORK PRODUCTS SN Range, available on Stormshield's Technical Documentation website.

 

When the storage device is saturated, the most recent logs will erase the oldest logs.

Refresh

 

Refreshes the list of storage media

Format 

Formats the storage medium in a specific format

Whenever the medium is full (no more space available), logs will automatically be rotated, so the most recent logs will erase the oldest ones.

NOTE 

When the firewall is in high availability, actions relating to the SD card are only valid for the card inserted into the active firewall. To perform operations on the passive firewall’s SD card, you will need to switch the remote firewall to active mode using the Maintenance module, then go back to the menu Logs–Syslog to be able to make changes to the SD card.

Configuration of the space reserved for logs

The firewall manages a certain number of log files intended for collecting events detected by the log functions. The files involved in security events are:

  • Alarms: events relating to the application of intrusion prevention features (l_alarm),
  • Authentication: events relating to user authentication (l_auth),
  • Network connections: events relating to connections through and to the firewall (l_connection),
  • Filter policy: events relating to the application of filter functions (l_filter),
  • FTP proxy: events relating to FTP traffic (l_ftp),
  • Statistics: events relating to real-time monitoring (l_monitor),
  • Application connections (plugin): events relating to the treatment of ASQ plugins (l_plugin),
  • POP3 proxy: events relating to message sending (l_pop3),
  • Vulnerability manager: events relating to the application for consulting vulnerabilities on the Stormshield Network Vulnerability Manager network (l_pvm),
  • Sandboxing: events relating to the sandboxing of files if this option has been subscribed and enabled (l_sandboxing),
  • Administration (Serverd): events relating to the firewall administration server: "serverd" (l_server),
  • SMTP proxy: events relating to SMTP traffic (l_smtp),
  • System events: this is the log in which events directly relating to the system are logged: shutdown/startup of the firewall, system error, etc. Shutting down and starting log functions correspond to shutting down and starting the daemons that generate logs (l_system),
  • IPSec VPN: events relating to the establishment of SAs (l_vpn),
  • HTTP proxy: events relating to HTTP traffic (l_web),
  • SSL VPN: events relating to the establishment of the SSL VPN (l_xvpn),
  • SSL proxy: events relating to SSL traffic (l_ssl).

The files share a common storage area with other log files.

For each log menu (Alarms, Authentication, Network connections, Filter policy, FTP proxy, Statistics, Application connections (plugin), POP3 proxy, Applications and vulnerabilities (SEISMO), Server, SMTP proxy, System events, IPSec VPN, HTTP proxy, SSL VPN), you can restrict the size of the log file by selecting the size of the file as a percentage of the total space reserved for log files.

The table sets out the following columns:

On

Allows enabling/disabling the log file. If this line is unselected, the percentage will be 0. In this case, the type of log will not be stored on the disk. If the line is selected, the default percentage indicated will be 1%.

Family

Name of the log file

Percentage

Current percentage of space occupied. By clicking in a box, the percentage can be modified.

Disk space quota

Proportion of the disk space that each file occupies on the disk, which varies according to the percentage specified.

 

The total percentage is shown at the bottom right side of the table. If the total exceeds 100%, a warning line will be indicated in red at the bottom of the table (Example: “Warning, incorrect distribution: 113% of the available space has been reserved”). Modifications are however allowed.

By clicking on Apply, the following message will appear: “The total disk space reserved for logs exceeds this model’s capacity. Apply this configuration?”. You can force the save or cancel.
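The following Python script is an added example, not Stormshield code. It audits a planned allocation before it is applied: it reports an over-100% distribution, lists disabled log families, and estimates how many days each family can hold before the oldest entries are overwritten. The family names come from the list above. The percentages, the daily volumes, the 30-day target, the use of the full 6 GB for logs, and the idea that each family rotates inside its own quota are all assumptions.

```python
# Added example: audit a planned log-space allocation before applying it.
# Family names are from the page; every number below is constructed.

TOTAL_LOG_SPACE_MB = 6 * 1024  # assumption: the full 6 GB option is reserved for logs

# Constructed allocation (percent of reserved space); 0 means the log is disabled.
SAMPLE_PERCENT = {"l_alarm": 20, "l_auth": 5, "l_connection": 40, "l_filter": 30,
                  "l_system": 10, "l_vpn": 8, "l_web": 0}
# Constructed daily volume per family, in MB.
SAMPLE_DAILY_MB = {"l_alarm": 12, "l_auth": 2, "l_connection": 400, "l_filter": 250,
                   "l_system": 1, "l_vpn": 3, "l_web": 80}


def audit_allocation(percentages, daily_mb, total_mb=TOTAL_LOG_SPACE_MB, min_days=30):
    """Return (total_percent, findings, retention_days_per_family).

    Assumption: each family rotates inside its own quota, so retention is
    roughly quota / daily volume. When the total exceeds 100%, the quotas
    cannot all be honoured and the estimates are optimistic.
    """
    findings = []
    retention = {}
    total = sum(percentages.values())
    if total > 100:
        findings.append(
            f"incorrect distribution: {total}% of the available space has been reserved")
    for family, pct in sorted(percentages.items()):
        if pct == 0:
            findings.append(f"{family}: disabled, nothing is stored on disk")
            continue
        rate = daily_mb.get(family, 0)
        if rate <= 0:
            continue  # no volume data, retention cannot be estimated
        days = (total_mb * pct / 100) / rate
        retention[family] = round(days, 1)
        if days < min_days:
            findings.append(
                f"{family}: about {days:.1f} days before the oldest entries are overwritten")
    return total, findings, retention


if __name__ == "__main__":
    total, findings, retention = audit_allocation(SAMPLE_PERCENT, SAMPLE_DAILY_MB)
    print(f"total reserved: {total}%")
    for line in findings:
        print("finding:", line)
    for family, days in retention.items():
        print(f"{family}: ~{days} days of retention")
```

Run with real figures, the short-retention findings show which families need a larger percentage or an external copy (Syslog or the EVENT ANALYZER solution) to keep enough history for an investigation.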

NOTE

These files can be copied to the Stormshield Network EVENT ANALYZER solution in order to create reports or archive them.