Overwrite old log or audit entries when log storage is full
By default, Log Servers stop receiving log entries when the log storage is full, and Management Servers shut down when the audit storage is full. You can optionally overwrite old log entries when the log storage is full.
When you configure Log Servers or Management Servers to overwrite old log entries or audit entries when the log or audit storage is full, the Log Server or Management Server writes new log entries or audit entries over the existing entries, starting with the oldest entries, until more disk space is available.
For more details about the product and how to configure features, click Help or press F1.
Steps
- Select Configuration, then browse to Network Elements.
- Browse to Servers, right-click a Log Server or Management Server element, then select Properties.
-
Configure the option to overwrite old log or audit entries depending on the type of server.
- Log Server — From the Log Storage Full drop-down list, select Overwrite Oldest.
- Management Server — From the Audit Storage Full drop-down list, select Overwrite Oldest Audit Entries.
- Click OK.
Management Server Properties dialog box
Use this dialog box to define Management Server properties.
Option | Definition |
---|---|
General tab | |
Name | The name of the element. |
IPv4 Address | Specifies the IPv4 address of the server. The server can have both an IPv4 and an IPv6 address. |
IPv6 Address | Specifies the IPv6 address of the server. The server can have both an IPv4 and an IPv6 address. |
Resolve | Automatically resolves the IP address of the server. |
Location | Specifies the location for the server if there is a NAT device between the server and other SMC components. |
Contact Addresses |
|
Log Server | Specifies the Log Server to which the Management Server sends its logs. |
RADIUS Method
(Optional) |
Specifies a RADIUS authentication method for authenticating administrators.
|
TACACS Method
(Optional) |
Specifies a TACACS+ authentication method for authenticating administrators.
|
TLS Credentials (Optional) |
Specifies the TLS Credentials element that is used for certificate-based authentication of administrators. |
TLS Profile (Optional) |
Specifies the TLS Profile element that is used for certificate-based authentication of administrators. |
Include in Database Replication
(Multiple Management Servers only) |
When selected, the Management Server is included in database replication between Management Servers for high availability. CAUTION: Leave
this option selected unless you have a specific reason to deselect it. Deselecting this option makes the Management Server's database incompatible with the databases of
the other Management Servers.
|
Audit Storage Full |
Specifies the action when the Management Server detects that the audit storage is full.
|
Category (Optional) |
Includes the element in predefined categories. Click Select to select a category. |
Tools Profile | Adds commands to the element right-click menu.Click Select to select an element. |
Comment (Optional) |
A comment for your own reference. |
Option | Definition |
---|---|
Notifications tab | |
> E-mail section — Specifies email notification details. | |
SMTP Server | Select the SMTP Server that is used to send the alert notifications as email. |
Select | Opens the Select Element dialog box. |
Sender Name | Enter the name to be used in the From field of the email. If this setting is left blank, the Default Sender Name defined in the SMTP Server Properties is used. |
Sender Address | Enter the email address to be used in the From field of the email. If this setting is left blank, the Default Sender Address defined in the SMTP Server Properties is used. |
> SMS section | |
Name | Shows the name of the channel. |
Channel Type | Shows the type of the channel.
You can add multiple SMS Channels Types. If the first SMS Channel fails, the subsequent SMS channels are used in the order in which they are listed. Use the Up and Down buttons to change the order of the channels if necessary. |
Host/URL/Script | Shows the server, URL, or script used for SMS notification. |
Up | Moves the channel up the list. |
Down | Moves the channel down the list. |
Add |
Selects the Channel Type and opens the Channel Properties dialog box. |
Edit | Opens the Channel Properties dialog box for the selected entry. |
Remove | Removes the selected entry. |
SNMP section | |
Gateways | Enter the host name or IP address of the SNMP Gateways to which the alert notifications are sent as SNMP traps. You can specify a list of gateways separated by semicolons. If your SNMP gateway port is not the default port 162, specify the port number by typing a colon and the port after the host name (for example, snmp-gw:4390). |
Custom Alert Scripts section | |
Root Path | Enter the root path on the Management Server where custom alert scripts are executed. The default location is Do not define the script name here. Add the script name in the Alert Chain at each place you want to call a particular script. You can use multiple scripts. |
Option | Definition |
---|---|
Web Start tab | |
Enable | Enables Web Start options. |
Host Name
(Optional) |
Enter the Host Name that the Web Start service uses. |
Port Number
(Optional) |
Enter the TCP Port Number that the service listens to. By default, standard HTTP ports are used. Port 80 is used on Windows. Port 8080 is used on Linux
(which does not allow the use of reserved ports for this type of service).
Note: Make sure that the listening port is not in use on the server.
|
Listen Only on Address
(Optional) |
If the Management Server has several addresses and you want to restrict access to one address, specify the IP address to use. |
Generate Server Logs
(Optional) |
Select if you want to log all file load events for further analysis with external web statistics software. |
Option | Definition |
---|---|
SMC API tab | |
Enable | Enables SMC API options. |
Host Name | Enter the name that the SMC API service uses. Note: API requests are served only if the API request is made
to this host name. To allow API requests to any host name, leave this field blank.
|
Port Number
(Optional) |
Enter the TCP Port Number that the SMC API service listens to. By default, port 8082 is used. In Linux, the value of this parameter must always be higher than 1024. |
Listen Only on Address
(Optional) |
If the Management Server has several addresses and you want to restrict access to one address, specify the IP address to use. |
Server Credentials
(Optional) |
The TLS Credentials element that is used in HTTPS connections to the SMC API. Click Select to select an element. |
Generate Server Logs
(Optional) |
Select if you want to log all file load events for further analysis with external web statistics software. |
Use SSL for session ID
(Optional) |
Track sessions to the Management Server in your web application. Do not select this option if your network requires you to use cookies or URIs for session tracking. |
Option | Definition |
---|---|
ECA Evaluation tab | |
Enable | To easily deploy Forcepoint Endpoint Context Agent (ECA) to a limited set of users for evaluation purposes, enable the ECA Evaluation feature. For more information, see Knowledge Base article 16193. |
Option | Definition |
---|---|
Announcement tab | |
Display announcement to Web Portal Users | Enables you to display announcements to the administrators who log on to the Web Portal. Enter the announcement in the field. The length is limited to 160 characters. You can add formatting to the announcement with standard HTML tags (which are also included in the character count). |
Option | Definition |
---|---|
Connection tab | |
Proxy Settings | |
Use proxy server for HTTPS connection | Select if the connection from the Management Server to the Forcepoint servers requires a proxy server. |
Proxy address | Defines the address of the HTTP proxy. |
Proxy port | Defines the port of the HTTP proxy. |
Authenticate to the proxy server | Select if the proxy server requires user authentication. |
Proxy user name | Enter the user name for the proxy user. |
Proxy user password | Enter the password for the proxy user. |
Hide | When selected, prevents the password from being shown as plain text. Deselect this option to show the password. Selected by default. |
Option | Definition |
---|---|
Audit Forwarding tab | |
Target Host | The Host element that represents the target host to which the audit data is forwarded. Double-clicking this cell opens the Select Host dialog box. |
Service | The network protocol for forwarding the audit data. Click the cell, then select the Service from the drop-down list.
Note: You might have to define an Access rule that allows traffic to the target host. In this case, make sure that the Service you select is also used as the Service in the
Access rule.
|
Port | The Port that is used for audit forwarding. Double-click to edit the cell. The default port is 2055.
Note: You might have to define an Access rule that
allows traffic to the target host. In this case, make sure that the Port you select is also used as the Port in the Access rule.
|
Format | Click the cell, then select the audit data forwarding format from the drop-down list.
|
Filter
(Optional) |
An optional local filter that defines which audit data is forwarded. The local filter is only applied to the audit data that matches the Audit Forwarding rule. Double-clicking this cell opens the Local Filter Properties dialog box. |
TLS Profile | Allows you to select a TLS Profile element that contains settings for cryptography, trusted certificate authorities, and the TLS version used in TLS-protected traffic. Double-clicking this cell opens the Select Element dialog box. The TLS Profile is only available if you have selected TCP with TLS as the Service. |
TLS Server Identity
(Optional, only if a TLS Profile is selected) |
Select the identity of a TLS server to secure the TLS-protected traffic from the Management Server to an external syslog server. Double-clicking this cell opens the TLS Server Identity dialog box. |
Add | Adds a row to the table. |
Remove | Removes the selected row. |
Management Server TLS Certificate Used for Forwarding Logs | Select the certificate for TLS-protected audit data forwarding.
|
Option | Definition |
---|---|
NAT tab | |
Firewall | Shows the selected firewall. |
NAT Type | Shows the NAT translation type: Static or Dynamic. |
Private IP Address | Shows the Private IP Address. |
Public IP Address | Shows the defined Public IP Address. |
Port Filter | Shows the selected Port Filters. |
Comment | An optional comment for your own reference. |
Add NAT Definition | Opens the NAT Definition Properties dialog box. |
Edit NAT Definition | Opens the NAT Definition Properties dialog box for the selected definition. |
Remove NAT Definition | Removes the selected NAT definition from the list. |
Log Server Properties dialog box
Use this dialog box to define Log Server properties.
Option | Definition |
---|---|
General tab | |
Name | The name of the element. |
IPv4 Address | Enter the IPv4 address of the server. The server can have both an IPv4 and an IPv6 address. |
IPv6 Address | Enter the IPv6 address of the server. The server can have both an IPv4 and an IPv6 address. |
Resolve | Automatically resolves the IP address of the server. |
Location | Specifies the location for the server if there is a NAT device between the server and other SMC components. |
Location | Specifies the location for the server if there is a NAT device between the server and other SMC components. |
Contact Addresses section | |
Default | Used by default when a component that belongs to another Location connects to this server. |
Exceptions | Allows you to define exceptions to the default contact address. Opens the Exceptions dialog box. |
Port
(Optional) |
Enter the Log Server's TCP Port Number.
We recommend that you always use the default port 3020 if possible. |
Log Storage Full |
Specifies the action when the log storage on the Log Server is full.
|
Category (Optional) |
Includes the element in predefined categories. Click Select to select a category. |
Tools Profile | Adds commands to the element right-click menu.Click Select to select an element. |
Comment (Optional) |
A comment for your own reference. |
Exclude from Log Browsing, Statistics and Reporting
(Optional) |
Select this option if you do not want the Log Server to gather statistical information for monitoring and you do not want its logging data to be included in Reports. In most situations, it is better to leave this option deselected. |
Option | Definition |
---|---|
High Availability tab | |
Secondary Log Servers | Shows the secondary Log Servers. Click Add to add an element to the list, or Remove to remove the selected element. |
Option | Definition |
---|---|
Monitoring tab | |
Log Server | The Log Server that monitors the status of the element. |
Status Monitoring | When selected, activates status monitoring for the device. You must also select the Probing Profile that contains the definitions for the monitoring. When you select Status Monitoring, the element is added to the tree in the Home view. |
Probing Profile | Shows the name of the selected Probing Profile. Click Select to select a Probing Profile element. |
Log Reception | Activates syslog reception from this device. You must select the Logging Profile that contains the definitions for converting the syslog entries to SMC log entries. You must also select the Time Zone in which the device is located. By default, the local time zone of the computer you are using is selected. |
Logging Profile | Shows the name of the selected Logging Profile. Click Select to select a Logging Profile element. |
Time Zone | Selects the time zone for the logs. |
Encoding | Selects the character set for log files. |
SNMP Trap Reception | Enables the reception of SNMP traps from the third-party device. |
NetFlow Reception | Enables the reception of NetFlow data from the third-party device. The supported versions are NetFlow v5, NetFlow v9, and IPFIX (NetFlow v10). |
Option | Definition |
---|---|
Log Forwarding tab | |
Target Host | The Host element that represents the target host to which the log data is forwarded.
Double-clicking this cell opens the Select Host dialog box. |
Service | The network protocol for forwarding the log data. Click the cell, then select the
Service from the drop-down list.
Note: You might have to define an Access rule that allows traffic to the target host. In this case, make sure that the Service you select is also used as the Service in the Access rule.
|
Port | The port that is used for log forwarding. The default port used by IPFIX/NetFlow data collectors is 2055. Double-click to edit the cell.
Note: You might have to define an Access rule that allows traffic to the target host. In this case, make sure that the port you select is also used as the port in the Access rule.
|
Format | Click the cell, then select the log forwarding format from the drop-down list.
|
Filter
(Optional) |
An optional local filter that defines which log data is forwarded. The local filter is only applied to the log data that matches the Log Forwarding rule. Double-clicking this cell opens the Select Local Filter Properties dialog box. |
TLS Profile | Allows you to select a TLS Profile element that contains, for example, the settings for cryptography, trusted certificate authorities, and the TLS version used in TLS-protected traffic. Double-clicking this cell opens the Select a TLS Profile dialog box. The TLS Profile is only available if you have selected TCP with TLS as the Service. |
TLS Server Identity
(Optional, only if a TLS Profile is selected) |
Select the identity of a TLS server to secure the TLS-protected traffic from the Log Server to an external syslog server. Double-clicking this cell opens the TLS Server Identity dialog box. |
Data Type | The type of log data that is forwarded. Click the cell, then select the log data type from the drop-down list. Click Add to add a row to the table, or Remove to remove the selected row. |
Log Server TLS Certificate Used for Forwarding Logs | Select the certificate for TLS-protected log forwarding.
|
Option | Definition |
---|---|
NAT tab | |
Firewall | Shows the selected firewall. |
NAT Type | Shows the NAT translation type: Static or Dynamic. |
Private IP Address | Shows the Private IP Address. |
Public IP Address | Shows the defined Public IP Address. |
Port Filter | Shows the selected Port Filters. |
Comment | An optional comment for your own reference. |
Add NAT Definition | Opens the NAT Definition Properties dialog box. |
Edit NAT Definition | Opens the NAT Definition Properties dialog box for the selected definition. |
Remove NAT Definition | Removes the selected NAT definition from the list. |