Configure log handling settings for engines

Log Handling settings allow you to adjust logging when the log spool on the Firewall, IPS, Layer 2 Firewall, or Master NGFW Engine fills up.

Logs are spooled locally when the Log Server is not available. The Master NGFW Engine spools its own logs and the logs sent by the Virtual NGFW Engines that the Master NGFW Engine hosts.

You can also configure Log Compression to save resources on the engine. By default, each generated Antispoofing and Discard log entry is logged separately and displayed as a separate entry in the Logs view. Log Compression allows you to define the maximum number of separately logged entries. When the defined limit is reached, a single Antispoofing log entry or Discard log entry is logged. The single entry contains information on the total number of the generated Antispoofing log entries or Discard log entries. After this, logging returns to normal and all generated entries are once more logged and displayed separately.

The general Log Compression settings you define in the Engine Editor are applied as default settings on all interfaces. You can also define Log Compression and override the global settings in each interface’s properties.


Steps

  1. Right-click a Firewall, IPS, Layer 2 Firewall, or Master NGFW Engine element and select Edit <element type>.
    The Engine Editor opens.
  2. In the navigation pane on the left, browse to Advanced Settings > Log Handling.
    The Log Handling pane opens on the right.
  3. Select the Log Spooling Policy to define what happens when the engine’s log spool becomes full.
  4. (Optional) In the Log Compression table, enter values for Antispoofing entries (Firewall only) and for Discard entries.
    Do not enable Log Compression if you want all Antispoofing and Discard entries to be logged as separate log entries (for example, for reporting or statistics).
  5. Click Save and Refresh to transfer the configuration changes.

Engine Editor – Advanced Settings – Log Handling

Use this branch to change log handling settings for the engine. You can use log handling settings to adjust logging when the log spool on the engine fills up.

Options and their definitions:

Log Spooling Policy (Not Virtual NGFW Engines)

Defines what happens when the engine’s log spool becomes full.
  • Stop Traffic — The engine stops processing traffic and goes offline.
  • Discard Log — Log entries are discarded in four stages, according to available space. Monitoring data is discarded first, followed by log entries marked as Transient and Stored, and finally log entries marked as Essential. The engine keeps processing traffic.

Log Compression (Antispoofing Log Event Type for Firewalls only)

The maximum number of separately logged entries. When the defined limit is reached, a single Antispoofing log entry or Discard log entry is logged. The single entry contains information about the total number of the generated Antispoofing log entries or Discard log entries. After this, logging returns to normal and all generated entries are logged and displayed separately.
Note: Do not enable Log Compression if you want all Antispoofing and Discard entries to be logged as separate log entries (for example, for reporting or statistics).

Set to Default

Returns Log Compression changes to the default settings.