Browse log and alert entries on the command line of NGFW Engines

If you have saved copies of the most recent log and alert entries locally on the NGFW Engine, you can browse them on the command line of the NGFW Engine.

Before you begin

Enable the storage of log entries on the NGFW Engine on the Advanced Settings > Log Handling branch of the Engine Editor.

Browsing log and alert entries locally on the NGFW Engine allows you to quickly troubleshoot problems that are specific to the location where the NGFW Engine is installed. You can browse the entries even if they have already been sent to the Log Server, or if the connection to the SMC is not available.

Note: The root user and any other users who are allowed to access the NGFW Engine command line can view the saved log and alert entries.

The log and alert files are stored in the /spool/log/archive directory on the NGFW Engine.

You can filter by the following criteria when you browse log and alert entries on the command line of the NGFW Engine:

  • Time range
  • Facility
  • IP address
  • User name

Browsing log and alert entries on the command line of NGFW Engines has the following limitations:

  • A limited number of log and alert entries are stored on the NGFW Engine for a limited time.
  • In an environment with Master NGFW Engines and Virtual NGFW Engines, you can browse log and alert entries, including those for Virtual NGFW Engines, only locally on the command line of Master NGFW Engines. You cannot browse log and alert entries locally on the command line of individual Virtual NGFW Engines.

Steps

  1. Connect to the command line of the NGFW Engine.
  2. To view log and alert entries, enter commands in the following format:
    sg-log-view [options]

    For details about the options, see the information about Forcepoint NGFW Engine commands. To show usage information on the command line of the NGFW Engine, enter the following command:

    sg-log-view -h