Reducing unnecessary log generation

The primary way to manage logging is to set up the system so that it creates all necessary logs and alerts and as few unnecessary log entries as possible.

The main generators of logs that you can configure are the rules in traffic handling policies. Another major point of configuration is the automatic tester, which you can set up to create alerts on various events. Some other features also generate logs and alerts, but it is not always possible to reduce the generation of logs from these features.

Normal and Alert logs are generated both by internal conditions in the operation of a component and by traffic that the engines handle.

Internal conditions that trigger logs or alerts:
  • There is a system error or warning.
  • An engine test fails. You can configure the engine tester in detail and select whether test failures trigger an alert.
  • The status of an engine changes (not active by default).
  • The values of a monitored item exceed a threshold limit in an Overview (not active by default).
  • Diagnostics are active on a Firewall engine (not active by default).

Traffic conditions that trigger logs and alerts:
  • An IPS engine’s or a Layer 2 Firewall’s limit for the number of times tunneled traffic is rematched has been reached (not active by default).
  • Traffic matches a rule in your policy.
  • Diagnostics are active on an engine (not active by default).

You can also set up Log Servers to receive logs from any devices that can be set up to send syslog.

In addition to activating and deactivating logging and the listed features, you can optimize the number of generated logs on the engines in the following ways:
  • You can configure log compression for Discard logs for Firewalls, IPS engines, and Layer 2 Firewalls.
  • On Firewalls, you can configure log compression also for antispoofing logs.
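The log compression mentioned above collapses repeated Discard events into a single counted record instead of writing one log entry per packet. The following Python is an added illustration of that idea, not the engine's own implementation: the grouping key (source, destination, rule), the fixed time window, the record fields and the input entries are all constructed assumptions.

```python
"""Compress repeated Discard log entries into counted summary records.

Added illustration only; the grouping key, the window length and the
record layout are assumptions, not the product's implementation.
"""
from dataclasses import dataclass


@dataclass
class LogEntry:
    ts: float      # seconds since an arbitrary epoch (constructed sample data)
    action: str    # "Allow" or "Discard" in this sample
    src: str
    dst: str
    rule: str


class DiscardLogCompressor:
    """Groups Discard entries by (src, dst, rule) within a fixed time window.

    Entries with any other action pass through unchanged. A group becomes one
    record carrying a hit count when its window expires or on flush().
    """

    def __init__(self, window_seconds: float = 60.0):
        self.window = window_seconds
        self._open: dict[tuple, dict] = {}  # insertion-ordered open buckets

    @staticmethod
    def _record(entry: LogEntry, count: int) -> dict:
        return {"action": entry.action, "src": entry.src, "dst": entry.dst,
                "rule": entry.rule, "first_seen": entry.ts,
                "last_seen": entry.ts, "count": count}

    def _expire(self, now: float) -> list[dict]:
        # Close every bucket whose window ended at or before `now`.
        done = [k for k, b in self._open.items()
                if b["first_seen"] + self.window <= now]
        return [self._open.pop(k) for k in done]

    def process(self, entry: LogEntry) -> list[dict]:
        """Feed one entry; return the records that became final because of it."""
        emitted = self._expire(entry.ts)
        if entry.action != "Discard":
            emitted.append(self._record(entry, count=1))  # not compressed
            return emitted
        key = (entry.src, entry.dst, entry.rule)
        bucket = self._open.get(key)
        if bucket is None:
            self._open[key] = self._record(entry, count=1)  # first hit opens a bucket
        else:
            bucket["count"] += 1
            bucket["last_seen"] = entry.ts
        return emitted

    def flush(self) -> list[dict]:
        """Emit every open bucket, for example at end of input or on shutdown."""
        out = list(self._open.values())
        self._open.clear()
        return out


def compress(entries: list[LogEntry], window_seconds: float = 60.0) -> list[dict]:
    comp = DiscardLogCompressor(window_seconds)
    out: list[dict] = []
    for e in entries:
        out.extend(comp.process(e))
    out.extend(comp.flush())
    return out


# Constructed sample: a burst of identical discards, one allow, one other
# discard, then a late discard that arrives after the first window closed.
SAMPLE = [
    LogEntry(0.0, "Discard", "10.0.0.5", "192.0.2.10", "Rule 7"),
    LogEntry(1.0, "Discard", "10.0.0.5", "192.0.2.10", "Rule 7"),
    LogEntry(2.0, "Allow", "10.0.0.8", "192.0.2.20", "Rule 3"),
    LogEntry(3.0, "Discard", "10.0.0.5", "192.0.2.10", "Rule 7"),
    LogEntry(4.0, "Discard", "10.0.0.9", "192.0.2.10", "Rule 7"),
    LogEntry(5.0, "Discard", "10.0.0.5", "192.0.2.10", "Rule 7"),
    LogEntry(70.0, "Discard", "10.0.0.5", "192.0.2.10", "Rule 7"),
]


def compress_sample() -> list[dict]:
    return compress(SAMPLE, window_seconds=60.0)


if __name__ == "__main__":
    records = compress_sample()
    print(f"{len(SAMPLE)} entries in, {len(records)} records out")
    for r in records:
        print(r)
```

The seven input entries become four records: the Allow entry untouched, the first burst as one record with a count of 4, the single discard from the other source, and the late discard in its own bucket. Keeping `first_seen` and `last_seen` on each record means the burst remains visible to detection rules and reports even though the volume written to the Log Server is a fraction of the raw event count.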

Log Tasks can export, archive, and delete logs. It is possible to schedule these tasks to run automatically. The greater the volume of log data, the more frequently cleanup operations must run. For example, if the number of stored log entries is constantly high, you might need to export and delete logs daily. The schedules are defined in the Management Client’s local time, which might differ from the Log Server’s time zone.

If administrative Domains are used, Log Tasks are always Domain-specific. You must define and run the Log Tasks in a specific Domain to apply them to the log data in that Domain.