Remote Logging

All GTA Firewalls provide remote logging of events. The Remote Logging facility configures how and where log information is sent. GNAT Box System Software's GTAsyslog uses the syslog protocol (part of the TCP/IP suite) to record logs remotely. Recent events are also kept locally in a buffer on the firewall system and can be viewed with the System Activity/View Log Messages function. Logged messages can also be viewed with the LogView utility, opened as a log file in a text editor such as Notepad or TextEdit, or analysed with the GTA Reporting Suite application (available separately). Note that the syslog protocol itself neither encrypts nor authenticates log data, so place the syslog server on a trusted network segment and restrict which hosts it accepts log data from.

Enable Remote Logging, then select the source IP address object from the BINDING INTERFACE dropdown box, and enter the server IP address and port number in the SYSLOG SERVER field.

Enable

Enable remote logging. Disabled by default.

Binding interface

Address from which logging is sourced; Auto by default. With Auto, log packets carry the firewall's usual source IP address for the route to the syslog server. To force the logging packets to have a specific source IP address, choose that Interface object from the dropdown list. Choose the address deliberately: a syslog server that accepts data only from known sender addresses will silently drop logs sourced from an unexpected interface.

Syslog server

IP address or host name of a system that will accept the remote logging data. The data can be received by the supplied GTAsyslog facility or by any program that accepts the syslog protocol. The port is 514 by default. To use a different port, append it to the address, e.g., 192.168.71.2:514 or example.gta.com:514.

GTAsyslog

GTAsyslog is GTA's syslog server. The configuration screen within the DBmanager utility allows the user to select logging options: how the GTAsyslog and LogView utilities operate, and how the optional standalone program GTA Reporting Suite accesses recorded data. GTAsyslog does not have a user interface separate from DBmanager.

GTAsyslog automatically writes log data to a circular file that holds up to 1,024 log entries; once the file is full, the oldest entries are overwritten, so it is a window onto recent events rather than an archive. With additional licensing, GTAsyslog also sends the log information to a server for GTA Reporting Suite.

Unix Facilities

A syslog service (daemon) that can accept and record log data is a standard feature of Unix/Linux based systems. GNAT Box System Software logging supports the Unix syslog facilities: auth, authpriv, console, cron, daemon, ftp, kern, lpr, mail, news, ntp, security, user, uucp and local0 - local7.

Because the syslog protocol is used, a facility and priority must be defined for each log stream generated by the GNAT Box System. The facility is used in the syslog configuration file on the log host to direct a log stream to a log file or other destination. The priority (set on each filter definition) is used by the remote log host to decide whether, and where, the information in the log stream is displayed or stored.

Filter Facility

Filter log messages are generated by a filter rule, either explicit or automatic. Filter messages are logged by default to the "local1" facility.

NAT Facility

Network Address Translation log messages are generated by a NAT action, for both outbound traffic and inbound tunnel traffic. All NAT messages are logged by default to the "local0" facility. By default, NAT session closes are logged at priority Notice, and NAT session opens are not logged.

WWW Facility

WWW log messages are generated when an outbound HTTP access occurs. The complete URL is logged. All HTTP URLs are logged by default to the "local2" facility. Log messages are sent at priority "Notice."

WELF (WebTrends Enhanced Log Format)

GNAT Box System Software version 3.3 and later supports WELF in log entries. The fields available in the format are listed below. For more information about WELF, see www.netiq.com/partners/technology/welf.asp. See the Log Messages section of the Appendix for examples of WELF in GNAT Box System Software.

id

Type of record.

time

Shows the local date and time of the event.

fw

Firewall logging the event.

pri

Event priority: 0=emergency, 1=alert, 2=critical, 3=error, 4=warning, 5=notice, 6=information, 7=debug.

rule

Index (rule) number of the item that triggered the entry.

proto

Protocol or service used by the event.

duration

Time required to perform the event operation, in seconds.

sent

Number of bytes transferred from source to destination.

rcvd

Number of bytes transferred from destination to source.

src

IP address that generated the event.

srcport

Number of the port where the event was generated.

nat

IP address where NAT was performed for the event.

nat_port

Port number where NAT was performed for the event.

dst

IP address that received the event.

dstport

Number of the port that received the event.

interface

The network interface where the event occurred.

user

User name.

op

For HTTP and FTP, an operation such as GET or POST.

arg

For HTTP and FTP, this is the URL.

vpn

Identifies a specific VPN (VPN object). Used to discover the most used VPN connections.

cat_type

Category to which this event belongs, e.g., a Local Accept or Deny List IP address/name, or a Surf Sentinel category such as Drug Culture or Pornography.

cat_action

Action performed by the filter: Block or Pass.

fil_type

Description of the filter: Default, Outbound (OF), IP Pass Through (PTF) or Remote Access (RAF).

fil_action

Action performed by the filter: Block or Accept. See the WELF "attribute" field for the GNAT Box filter action.

msg

Details of specific events such as a VPN starting, the configuration changing, or a port scan being detected. The "msg" field also captures the index (rule) number of the filter (or the facility) that generated the event.

attribute

An action as defined in GNAT Box System Software. Indicates what action was taken by the system when the event triggered the filter, e.g., Alarm, Email, Stop.
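The following Python script is an added example written for this page; it is not code from GNAT Box System Software, GTAsyslog or LogView. It ties together the Unix Facilities section (the facility and priority are encoded in the numeric <PRI> prefix a syslog host receives, as facility * 8 + severity) and the WELF field list above (space-separated key=value pairs, with double quotes around values that contain spaces), so that a practitioner can decode what the log host actually receives and pull blocked events out of it. The three sample lines are constructed, not captured, and follow the defaults described on this page (NAT close on local0 at Notice, filter messages on local1, WWW on local2 at Notice); the hostname gb-1000, the addresses, rule numbers and message texts are invented, and the facility-to-number mapping is the BSD syslog.h assignment (local0 through local7 are 16 through 23), which the page does not state.

```python
"""Decode GNAT Box remote-log lines as a syslog host receives them.

Added example for this page, not code from GTA or GTAsyslog.  The facility
numbers follow the BSD syslog.h assignment (an assumption the page does not
state); the sample log lines below are constructed, not captured output.
"""
import re
from typing import Dict, List, Tuple

# Facility codes as in BSD syslog.h; local0-local7 are 16-23 (assumed mapping).
FACILITIES: Dict[str, int] = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "lpr": 6,
    "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11, "ntp": 12,
    "security": 13, "console": 14,
}
FACILITIES.update({f"local{n}": 16 + n for n in range(8)})
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}

# Severity codes; same 0-7 numbering as the WELF "pri" field listed above.
SEVERITIES: List[str] = ["emergency", "alert", "critical", "error",
                         "warning", "notice", "information", "debug"]

SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<body>.*)$", re.S)
# WELF: key=value pairs; a value containing spaces is wrapped in double quotes.
WELF_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def pri_value(facility: str, severity: str) -> int:
    """Encode the <PRI> number the log host sees: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a <PRI> number back into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    code = pri // 8
    return FACILITY_NAMES.get(code, f"facility{code}"), SEVERITIES[pri % 8]


def parse_line(line: str) -> Dict[str, str]:
    """Return facility, severity and every WELF field from one syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("line lacks a <PRI> prefix")
    facility, severity = decode_pri(int(m.group("pri")))
    fields = {"facility": facility, "severity": severity}
    # The timestamp and hostname before the WELF body carry no '=', so findall
    # skips them and picks up only key=value pairs.
    for key, quoted, bare in WELF_RE.findall(m.group("body")):
        fields[key] = quoted or bare
    pri = fields.get("pri", "")
    if pri.isdigit() and int(pri) < len(SEVERITIES):
        fields["pri_name"] = SEVERITIES[int(pri)]   # WELF pri as a name
    return fields


def blocked_by_source(lines: List[str]) -> Dict[str, int]:
    """Count events per source address that a filter or category blocked."""
    counts: Dict[str, int] = {}
    for line in lines:
        f = parse_line(line)
        if f.get("fil_action") == "Block" or f.get("cat_action") == "Block":
            src = f.get("src", "unknown")
            counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed sample lines (hostname, addresses, rules and texts are invented).
SAMPLE_LINES = [
    # NAT session close: local0 (16) at notice (5) -> <133>
    '<133>May  7 10:12:01 gb-1000 id=firewall time="2003-05-07 10:12:01" '
    'fw=gb-1000 pri=5 rule=4 proto=tcp duration=37 sent=812 rcvd=4096 '
    'src=192.168.71.20 srcport=3344 nat=203.0.113.5 nat_port=61002 '
    'dst=198.51.100.7 dstport=80 interface=EXTERNAL msg="NAT session closed"',
    # Filter block: local1 (17); priority warning (4) chosen on the filter -> <140>
    '<140>May  7 10:12:05 gb-1000 id=firewall time="2003-05-07 10:12:05" '
    'fw=gb-1000 pri=4 rule=12 proto=tcp src=198.51.100.9 srcport=41000 '
    'dst=203.0.113.5 dstport=23 interface=EXTERNAL fil_type=RAF '
    'fil_action=Block attribute=Alarm msg="Remote Access Filter 12 blocked telnet"',
    # WWW access: local2 (18) at notice (5) -> <149>
    '<149>May  7 10:12:09 gb-1000 id=firewall time="2003-05-07 10:12:09" '
    'fw=gb-1000 pri=5 proto=http src=192.168.71.20 srcport=3350 '
    'dst=198.51.100.7 dstport=80 user=jdoe op=GET '
    'arg="http://www.example.com/index.html" cat_type="Local Deny List" '
    'cat_action=Block',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = parse_line(line)
        print(f["facility"], f["severity"], f.get("src"), f.get("msg") or f.get("arg"))
    print("blocked by source:", blocked_by_source(SAMPLE_LINES))
```

Run it directly to print the decoded sample lines. On the log host the same facility numbers are what a syslog.conf selector such as `local1.*` matches, so a blocked-filter line arriving with PRI 140 lands wherever local1 is directed, and the WELF `pri` value (4 here) should agree with the severity part of that PRI; a mismatch usually means the filter's priority was changed without the log host's selectors being updated.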

Note

The Remote Logging service is not used by GB-Commander.
