Local storage tab
The configuration of logs allows allocating disk space for each type of log on the firewall. This menu also allows modifying the firewall’s behavior when saving these logs.
This screen is divided into 2 sections:
- Top: a menu setting out the various options
- Bottom: a table
This tab will be grayed out if the firewall is a model that does not have a hard disk. In this case, when the module is opened, the Syslog tab will appear.
|This button makes it possible to enable or disable log storage on the hard disk or on an SD card (S series firewalls).|
|Storage device||You have the option of using the hard disk or an SD card (S series firewalls) as the storage medium. When the storage device is saturated, the most recent logs will erase the oldest logs.|
Refreshes the list of storage media
Formats the storage medium in a specific format
Whenever the medium is full (no more space available), logs will automatically be rotated, so the most recent logs will erase the oldest ones.
When the firewall is in high availability, actions relating to the SD card are only valid for the card inserted into the active firewall. To perform operations on the passive firewall’s SD card, you will need to switch the remote firewall to active mode using the Maintenance module, then go back to the menu Logs–Syslog to be able to make changes to the SD card.
Configuration of the space reserved for logs
The firewall manages a certain number of log files intended for collecting events detected by the log functions. The files involved in security events are:
- Alarms: events relating to the application of intrusion prevention features (l_alarm),
- Authentication: events relating to user authentication (l_auth),
- Network connections: events relating to connections through and to the firewall (l_connection),
- Filter policy: events relating to the application of filter functions (l_filter),
- FTP proxy: events relating to FTP traffic (l_ftp),
- Statistics: events relating to real-time monitoring (l_monitor),
- Application connections (plugin): events relating to the treatment of ASQ plugins (l_plugin),
- POP3 proxy: events relating to message sending (l_pop3),
- Vulnerability manager: events relating to vulnerability lookups by the Stormshield Network Vulnerability Manager application (l_pvm),
- Sandboxing: events relating to the sandboxing of files if this option has been subscribed and enabled (l_sandboxing),
- Administration (Serverd): events relating to the firewall administration server: "serverd" (l_server),
- SMTP proxy: events relating to SMTP traffic (l_smtp),
- System events: this is the log in which events directly relating to the system are logged: shutdown/startup of the firewall, system error, etc. Shutting down and starting log functions correspond to shutting down and starting the daemons that generate logs (l_system),
- IPSec VPN: events relating to the establishment of SAs (l_vpn),
- HTTP proxy: events relating to HTTP traffic (l_web),
- SSL VPN: events relating to the establishment of the SSL VPN (l_xvpn),
- SSL proxy: events relating to SSL traffic (l_ssl).
The files share a common storage area with other log files.
For each log menu (Alarms, Authentication, Network connections, Filter policy, FTP proxy, Statistics, Application connections (plugin), POP3 proxy, Applications and vulnerabilities (SEISMO), Server, SMTP proxy, System events, IPSec VPN, HTTP proxy, SSL VPN), you can restrict the size of the log file by selecting the size of the file as a percentage of the total space reserved for log files.
The table sets out the following columns:
|On||Allows enabling/disabling the log file. If this line is unselected, the percentage will be 0. In this case, the type of log will not be stored on the disk. If the line is selected, the default percentage indicated will be 1%.|
|Family||Name of the log file|
|Percentage||Current percentage of space occupied. By clicking in a box, the percentage can be modified.|
|Disk space quota||Proportion of the disk space that each file occupies on the disk, which varies according to the percentage specified.|
The total percentage is shown at the bottom right side of the table. If the total exceeds 100%, a warning line will be shown in red at the bottom of the table (example: “Warning, incorrect distribution: 113% of the available space has been reserved”). Modifications are however still allowed.
By clicking on Apply, the following message will appear: “The total disk space reserved for logs exceeds this model’s capacity. Apply this configuration?” You can force the save or cancel.
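The following is an added example, not Stormshield's code, that models the quota table described above: each log family is either on or off, an unselected line counts as 0%, a newly selected line starts at the default 1%, and the sum of the percentages is checked against 100% exactly as the warning line under the table does (the configuration can still be applied). The family names are the ones listed on this page; the reserved size and the percentages are constructed sample values.

```python
"""Quota check for a local log storage table (added example, not product code)."""

from dataclasses import dataclass

DEFAULT_PERCENT = 1  # page: a newly selected line is shown at 1% by default


@dataclass
class LogFamily:
    name: str      # log file name as listed on the page, e.g. "l_alarm"
    enabled: bool  # the "On" box of the table
    percent: int   # share of the space reserved for logs

    def effective_percent(self) -> int:
        """An unselected line is not stored on disk, so it counts as 0%."""
        return self.percent if self.enabled else 0


def enable(family: LogFamily) -> LogFamily:
    """Select the 'On' box: a line that was at 0% comes back at the default 1%."""
    return LogFamily(family.name, True, family.percent or DEFAULT_PERCENT)


def quotas(families, reserved_bytes: int) -> dict:
    """Disk space quota per family, i.e. the last column of the table."""
    return {f.name: reserved_bytes * f.effective_percent() // 100 for f in families}


def check_distribution(families):
    """Return (total_percent, warning) where warning is None when the total fits.

    The warning text mirrors the one the page quotes; the GUI still lets the
    configuration be applied after a confirmation prompt.
    """
    total = sum(f.effective_percent() for f in families)
    if total > 100:
        return total, (f"Warning, incorrect distribution: {total}% of the "
                       "available space has been reserved")
    return total, None


# Constructed sample: four families from the page with made-up percentages.
SAMPLE = [
    LogFamily("l_alarm", True, 40),
    LogFamily("l_connection", True, 50),
    LogFamily("l_filter", True, 23),
    LogFamily("l_pop3", False, 10),  # unselected: counts as 0% whatever is stored
]

if __name__ == "__main__":
    total, warning = check_distribution(SAMPLE)
    print(total, warning)                 # 113 and the red warning line
    print(quotas(SAMPLE, 10 * 1024 ** 3))  # quotas for a constructed 10 GiB reserve
```

Running the sample reproduces the over-allocation case from the text: the three enabled families add up to 113%, the disabled one contributes nothing, and `check_distribution` returns the warning that the table would display.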
These files can be copied to the Stormshield Network EVENT ANALYZER solution in order to create reports or archive them.