Configure log handling settings

Log Handling settings allow you to adjust logging when the log spool on the Firewall, IPS, Layer 2 Firewall, or Master NGFW Engine fills up.

Logs are spooled locally when the Log Server is not available. The Master NGFW Engine spools its own logs and the logs sent by the Virtual NGFW Engines that the Master NGFW Engine hosts.

You can also configure Log Compression to save resources on the engine. By default, each generated Antispoofing and Discard log entry is logged separately and displayed as a separate entry in the Logs view. Log Compression allows you to define the maximum number of separately logged entries. When the defined limit is reached, a single Antispoofing log entry or Discard log entry is logged. The single entry contains information on the total number of the generated Antispoofing log entries or Discard log entries. After this, logging returns to normal and all generated entries are once more logged and displayed separately.

The general Log Compression settings you define in the Engine Editor are applied as default settings on all interfaces. You can also define Log Compression and override the global settings in each interface’s properties.

You can optionally save copies of the most recent log entries locally on the NGFW Engine. You can browse the saved log entries on the command line of the NGFW Engine even if the log entries have already been sent to the Log Server.

Steps

  1. Right-click a Firewall, IPS, Layer 2 Firewall, or Master NGFW Engine element and select Edit <element type>.
  2. In the navigation pane on the left, browse to Advanced Settings > Log Handling.
  3. Configure the options according to your environment.
    Do not enable Log Compression if you want all Antispoofing and Discard entries to be logged as separate log entries (for example, for reporting or statistics).
  4. Click Save and Refresh to transfer the configuration changes.

Engine Editor > Advanced Settings > Log Handling

Use this branch to change log handling settings for the NGFW Engine. You can use log handling settings to adjust logging when the log spool fills up.

Option: Definition

Log Spooling Policy (Not Virtual NGFW Engines): Defines what happens when the log spool becomes full.
  • Stop Traffic — The NGFW Engine stops processing traffic and goes offline.
  • Discard Log — Log entries are discarded in four stages, according to available space. Monitoring data is discarded first, followed by log entries marked as Transient and Stored, and finally log entries marked as Essential. The NGFW Engine continues to process traffic.

Log Compression (Antispoofing Log Event Type for Firewalls only): The maximum number of separately logged entries. When the defined limit is reached, a single Antispoofing log entry or Discard log entry is logged. The single entry contains information about the total number of the generated Antispoofing log entries or Discard log entries. After this, logging returns to normal and all generated entries are logged and displayed separately. Double-click a cell to edit the value.
Note: Do not enable Log Compression if you want all Antispoofing and Discard entries to be logged as separate log entries (for example, for reporting or statistics).

Set to Default: Returns Log Compression settings to the default settings.

Store a Copy of Recent Log Files on the NGFW Engine: When selected, the NGFW Engine stores copies of logs according to the specified settings.

Maximum Time: The maximum length of time for which to store copies of logs. Values can be 1–720 hours (the maximum is 30 days), or not specified. If a value is not specified, the NGFW Engine stores copies of logs until the limits specified in the Guaranteed Free Spool Partition or Guaranteed Free Spool Partition Size options are reached.

Guaranteed Free Spool Partition: The minimum percentage of the spool partition that must be kept free. When the amount of free space reaches the limit, the NGFW Engine starts deleting the oldest stored copies of log and alert entries when a new log or alert entry is saved. Values can be 5–80 %, or not specified.
Note: You must enter a value for at least one of the guarantee options. If you enter a value for both options, both limits are enforced.

Guaranteed Free Spool Partition Size: The minimum amount of file space, in MB, on the spool partition that must be kept free. When the amount of free space reaches the limit, the NGFW Engine starts deleting the oldest stored copies of log and alert entries when a new log or alert entry is saved. Values can be 50–1000 MB, or not specified.
Note: You must enter a value for at least one of the guarantee options. If you enter a value for both options, both limits are enforced.
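
The following Python sketch is an added example, not part of the product or its documentation. It models the local-copy retention rules described above (value ranges, the requirement for at least one guarantee option, and both limits being enforced together) so you can estimate how much recent log history stays on the engine. The class and function names, the sample sizes, and the exact deletion trigger (free space below the larger guarantee) are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class LocalCopySettings:
    max_hours: Optional[int] = None  # Maximum Time (1-720 hours)
    free_pct: Optional[int] = None   # Guaranteed Free Spool Partition (5-80 %)
    free_mb: Optional[int] = None    # Guaranteed Free Spool Partition Size (50-1000 MB)

    def validate(self) -> List[str]:
        """Return the rule violations for the ranges documented above."""
        errors = []
        for name, value, low, high in (("max_hours", self.max_hours, 1, 720),
                                       ("free_pct", self.free_pct, 5, 80),
                                       ("free_mb", self.free_mb, 50, 1000)):
            if value is not None and not low <= value <= high:
                errors.append(f"{name}={value} is outside {low}-{high}")
        if self.free_pct is None and self.free_mb is None:
            errors.append("set at least one guarantee option")
        return errors

def effective_floor_mb(s: LocalCopySettings, partition_mb: float) -> float:
    """Both guarantees are enforced, so the larger one is the binding limit."""
    return max(partition_mb * (s.free_pct or 0) / 100, s.free_mb or 0)

def retained_copies(copies: List[Tuple[float, float]], s: LocalCopySettings,
                    partition_mb: float, other_used_mb: float, now_h: float):
    """copies: (saved_at_hour, size_mb), oldest first. Returns the copies kept."""
    kept = [c for c in copies if s.max_hours is None or now_h - c[0] <= s.max_hours]
    used = other_used_mb + sum(size for _, size in kept)
    floor = effective_floor_mb(s, partition_mb)
    while kept and partition_mb - used < floor:  # assumed trigger: free space under the floor
        used -= kept.pop(0)[1]                   # oldest copy is deleted first
    return kept

# Constructed sample: 2000 MB spool partition, 1300 MB used by spooled logs.
SETTINGS = LocalCopySettings(max_hours=150, free_pct=10, free_mb=300)
COPIES = [(0, 200), (100, 200), (190, 200), (199, 100)]

if __name__ == "__main__":
    print(SETTINGS.validate())
    print(effective_floor_mb(SETTINGS, 2000))
    print(retained_copies(COPIES, SETTINGS, 2000, 1300, now_h=200))
```

On the constructed 2000 MB partition the 300 MB size guarantee is the binding limit; on a 5000 MB partition the 10 % guarantee (500 MB) would be.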