Manual Chapter : Managing Logging Profiles in Shared Security

Applies To:


BIG-IQ Security

  • 4.5.0

About logging profiles

The Logging Profiles panel in Shared Security lists logging profiles, scaled so that a subset of profiles is visible in the panel at any given time.

A logging profile records requests to the virtual server. A logging profile determines where events are logged, and which items (such as which parts of requests, or which type of errors) are logged. Events can be logged either locally by the system and viewed in the Event Logs screens, or remotely by the client’s server. The system forwards the log messages to the client’s server using the Syslog service.

The logging profile can be associated with multiple virtual servers from multiple devices. Multiple logging profiles can be associated with a virtual server, but those logging profiles cannot have overlapping logging types configured. For example, two logging profiles with application security configured and enabled cannot be associated with the same virtual server. Application security and protocol security cannot be configured on the same logging profile or associated with the same virtual server. BIG-IQ Security supports importing logging profiles with spaces in the name. An imported logging profile with spaces in the name can be modified on the BIG-IQ Security system and deployed back to a BIG-IP device. However, the BIG-IQ system does not support creating logging profiles with spaces in the name.

The logging publisher cannot be created or modified by the BIG-IQ Security system. The logging publisher specified by the BIG-IQ logging profile should be the same as that configured on the BIG-IP device.

To close the New Logging Profile properties panel without saving, click Cancel.

To get help on any panel, click the (?) icon in the upper right corner.

Adding logging profiles

Hover over the Logging Profiles header, click the + icon when it appears, and click New Logging Profile. The panel expands to display the New Logging Profile properties.

Editing logging profiles

Hover over the header of the logging profile you want to edit and when the gear icon appears, click it and select Properties to expand the panel.

Adding logging profiles

Use the New Logging Profile screen to configure a new logging profile.

Note: Depending on the settings you configure, you may see only some of the screen elements described here.

  1. Hover over the Logging Profiles header, click the + icon when it appears, and click New Logging Profile. The panel expands to display the New Logging Profile properties.
  2. In the New Logging Profiles screen, review and add or modify the properties as appropriate.
    Property Description
    Name Specify a unique user-provided name for the logging profile. Required.
    Description Specify the optional description for the logging profile.
    Partition Specify the partition to which the logging profile belongs. Only users with access to a partition can view the objects (such as the logging profile) that it contains. If the logging profile resides in the Common partition, all users can access it. Although this field is pre-populated with Common (default), you can set the partition when creating logging profiles by typing a unique name for the partition.
    Note: The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
  3. Select Enabled to the right of one or more logging types to enable those types. A configuration tab is added dynamically when a logging type is selected. Click the tab to configure the logging type.
    Property Description
    Application Security When enabled, specifies that the system logs traffic to the web application. When Application Security is enabled, Protocol Security cannot be selected at the same time. Click Application Security to configure the application security log.
    Protocol Security When enabled, specifies that the system logs any dropped, malformed, and/or rejected requests sent through the given protocol. When Protocol Security is enabled, Application Security cannot be selected at the same time. Protocol Security includes processing one or more of the following:
    • HTTP, FTP, and SMTP security
    • DNS security
    • SIP security
    Network Firewall When enabled, specifies that the system logs ACL rule matches, TCP events, and/or TCP/IP errors sent to the network firewall. Includes processing one or more of the following:
    • Network Firewall
    • IP Intelligence
    • Traffic Statistics
    DoS Protection When enabled, specifies that the system logs detected DoS attacks, and where DoS events are logged. Includes processing one or more of the following:
    • DoS Application Protection
    • DNS DoS Protection
    • SIP DoS Protection
    • Network DoS Protection
  4. Configure the logging types by clicking the matching logging type tab and supplying any necessary property values. (Properties are grouped by logging type and screen area in the following tables.)

    In the Application Security Configuration section, you configure settings determining where to log traffic and which traffic to log.

    Application Security - Configuration Description
    Local Storage Specifies, when checked (enabled), that the system stores all traffic in the system.
    Guarantee Local Logging Specifies, when checked (enabled), that the system logs all requests, even though this may slow your web application. When cleared (disabled), specifies that the system logs requests as long as it does not slow your web application. The default is disabled. In either case, the system does not drop requests.
    Response Logging Specifies whether the system logs HTTP responses.
    • Off: Specifies that the system does not log responses. This is the default setting.
    • For Illegal Requests Only: Specifies that the system logs responses to illegal requests.
    • For All Requests: Specifies that the system logs all responses if the Request Type setting in the Storage Filter area of this screen is set to All Requests.
    Remote Storage Specifies, when checked (enabled), that the system stores all traffic on a remote logging server.

    In the Application Security Storage Filter section, you configure settings for the type of requests the system, or server, logs.

    Application Security - Storage Filter Description
    Logic Operation Specifies whether requests must meet one or all criteria in the Storage Filter area for the system, or server, to log the requests.
    • OR: Specifies that requests must meet at least one of the criteria in the Storage Filter settings in order for the system, or server, to log the requests. This is the default.
    • AND: Specifies that requests must meet all of the criteria in the Storage Filter settings in order for the system, or server, to log the requests.
    Request Type Specifies which kind of requests the system, or server, logs.
    • Illegal requests only: Specifies that the system, or server, logs only illegal requests. This is the default.
    • Illegal requests, and requests that include staged attack signatures: Specifies that the system, or server, logs illegal requests, and logs requests that include attack signatures in staging (even though the system considers those requests legal).
    • All requests: Specifies that the system, or server, logs all requests.
    Protocols Specifies whether request logging is dependent on the protocol.
    • All: Specifies that the system, or server, logs requests using the HTTP and HTTPS protocols. This is the default.
    • Only: Specifies that the system, or server, logs requests using only one specific protocol. Select HTTP or HTTPS.
    Response Status Codes Specifies whether request logging is dependent on the response status code. This filter setting applies only to requests that are not blocked by the system.
    • All: Specifies that the system, or server, logs all requests that generate all response status codes. This is the default.
    • Only: Specifies that the system, or server, logs only requests that generate specific response status codes. When selected, displays additional options where you specify the type of response status code to log. Unused status codes are in the Available list, selected status codes are in the Selected list. Use the Move arrow buttons to transfer the selected items between the Available list and the Selected list.
    HTTP Methods Specifies whether request logging is dependent on the HTTP method.
    • All: Specifies that the system, or server, logs requests using all HTTP methods. This is the default.
    • Only: Specifies that the system, or server, only logs requests using a specific HTTP method. When selected, displays options where you specify the type of HTTP method to log. Unused HTTP methods are in the Available list, selected HTTP methods are in the Selected list.
    Request Containing String Specifies whether the request logging is dependent on a specific string.
    • All: Specifies that the system logs all requests, regardless of string. This is the default.
    • Search in: Specifies that the system logs only requests containing a specific string in a particular part of the request.
      • Select the part of the request to search from the list (Request, URI, Query String, Post Data, or Headers).
      • Type the string to search for in the request in the field to the right. The search is case-sensitive.

    In the Protocol Security HTTP, FTP, and SMTP Security area, you configure where the system logs requests using the HTTP, FTP, and SMTP protocols.

    Protocol Security - HTTP, FTP, and SMTP Security Description
    Publisher Specifies where the system sends log messages. Select a publisher from the list, or accept the default of None.

    In the Protocol Security DNS Security area, you configure where the system logs any dropped, malformed, rejected, and malicious DNS requests.

    Protocol Security - DNS Security Description
    Publisher Specifies the name of the log publisher used for logging DNS security events. Select a log publisher from the list, or accept the default of None.
    Log Dropped Requests Specifies, when enabled, that the system logs dropped DNS requests.
    Log Filtered Dropped Requests Specifies, when enabled, that the system logs dropped DNS requests.
    Log Malformed Requests Specifies, when enabled, that the system logs malformed DNS requests.
    Log Rejected Requests Specifies, when enabled, that the system logs rejected DNS requests.
    Log Malicious Requests Specifies, when enabled, that the system logs malicious DNS requests.
    Storage Format Specifies the format type for log messages. You can configure the following options:
    • None Specifies that the system uses the default format type to log the messages to a Remote Syslog server. This is the default setting.
    • Field-List Specifies that the system uses a set of fields, set in a specific order, to log messages. When Field-List is selected, specify the field list as follows.
      • Specify the delimiter string in the Delimiter field. The default delimiter is the comma character (,).
        Note: You may not use the $ character because it is reserved for internal usage.
      • Select the fields to use. Unused fields are in the Available list, selected fields are in the Selected list. Use the Move arrow buttons to transfer the selected items between the lists.
    • User-Defined Specifies that the format the system uses to log messages is in the form of a user-defined string. Select the items for the server to log. Unused items are in the Available list, selected items are in the Selected list. Use the Move arrow buttons to transfer the selected items between the lists.

    In the Protocol Security SIP Security section, you configure where the system logs any dropped and malformed malicious SIP requests, global and request failures, redirected responses, and server errors.

    Protocol Security - SIP Security Description
    Publisher Specifies the name of the log publisher used for logging SIP protocol security events. Select a log publisher configured in your system.
    Log Dropped Requests Specifies, when enabled, that the system logs dropped requests.
    Log Global Failures Requests Specifies, when enabled, that the system logs global failures.
    Log Malformed Requests Specifies, when enabled, that the system logs malformed requests.
    Log Redirection Responses Requests Specifies, when enabled, that the system logs redirection responses.
    Log Request Failures Specifies, when enabled, that the system logs request failures.
    Log Server Errors Specifies, when enabled, that the system logs server errors.
    Storage Format Specifies the format type for log messages. You can configure the following options:
    • None Specifies that the system uses the default format type to log the messages to a Remote Syslog server. This is the default setting.
    • Field-List Specifies that the system uses a set of fields, set in a specific order, to log messages. When Field-List is selected, specify the field list as follows.
      • Specify the delimiter string in the Delimiter field. The default delimiter is the comma character (,).
        Note: You may not use the $ character because it is reserved for internal usage.
      • Select the fields to use. Unused fields are in the Available list, selected fields are in the Selected list. Use the Move arrow buttons to transfer the selected items between the lists.
    • User-Defined Specifies that the format the system uses to log messages is in the form of a user-defined string. Select the items for the server to log. Unused items are in the Available list, selected items are in the Selected list. Use the Move arrow buttons to transfer the selected items between the lists.

    In the Network Firewall section, you configure which network firewall events the system logs, and where they are logged.

    Network Firewall Security - Network Firewall Description
    Publisher Specifies the name of the log publisher used for logging Network events. Select a log publisher configured in your system.
    Aggregate Rate Limit Defines a rate limit for all combined network firewall log messages per second. Beyond this rate limit, log messages are not logged. You can select a Rate Limit value of Indefinite, which sets the rate limit to the maximum of 4294967295, or you can select Specify to specify a lower rate limit as an integer between 0 and 4294967295.
    Log Rule Matches Specifies, when enabled, that the system logs packets that match the ACL rules. When specifying the Rate Limit with one of the match types, a value of Indefinite sets the rate limit to the maximum of 4294967295, and a value of Specify allows you to specify a lower rate limit as an integer between 0 and 4294967295.
    • Accept Specifies, when enabled, that the system logs packets that match ACL rules configured with action = Accept. When enabled, you can specify a rate limit for all network firewall log messages with this action. If this rate limit is exceeded, log messages of this action type are not logged until the threshold drops below the specified rate. You can specify a Rate Limit value of Indefinite or Specify.
    • Drop Specifies, when enabled, that the system logs packets that match ACL rules configured with action = Drop. When enabled, you can specify a rate limit for all network firewall log messages with this action. If this rate limit is exceeded, log messages of this action type are not logged until the threshold drops below the specified rate. You can specify a Rate Limit value of Indefinite or Specify.
    • Reject Specifies, when enabled, that the system logs packets that match ACL rules configured with action = Reject. When enabled, you can specify a rate limit for all network firewall log messages with this action. If this rate limit is exceeded, log messages of this action type are not logged until the threshold drops below the specified rate. You can specify a Rate Limit value of Indefinite or Specify.
    Log IP Errors Specifies, when enabled, that the system logs IP error packets. When enabled, you can specify a rate limit for all network firewall log messages of this type. If this rate limit is exceeded, log messages of this type are not logged until the threshold drops below the specified rate. You can select a Rate Limit value of Indefinite, which means the rate limit is set to the maximum of 4294967295, or you can select Specify and specify an integer between 0 and 4294967295 that represents the number of messages per second.
    Log TCP Errors Specifies, when enabled, that the system logs TCP error packets. When enabled, you can specify a rate limit for all network firewall log messages of this type. If this rate limit is exceeded, log messages of this type are not logged until the threshold drops below the specified rate. You can select a Rate Limit value of Indefinite, which means the rate limit is set to the maximum of 4294967295, or you can select Specify and specify an integer between 0 and 4294967295 that represents the number of messages per second.
    Log TCP Events Specifies, when enabled, that the system logs TCP events (open and close of TCP sessions). When enabled, you can specify a rate limit for all network firewall log messages of this type. If this rate limit is exceeded, log messages of this type are not logged until the threshold drops below the specified rate. You can select a Rate Limit value of Indefinite, which means the rate limit is set to the maximum of 4294967295, or you can select Specify and specify an integer between 0 and 4294967295 that represents the number of messages per second.
    Log Translation Fields Specifies, when enabled, that translation values are logged if and when a network firewall event is logged.
    Always Log Region Specifies, when enabled, that the geographic location should be logged when a geolocation event causes a network firewall event.
    Storage Format Specifies the format type for log messages. You can configure the following options:
    • None Specifies that the system uses the default format type to log the messages to a Remote Syslog server. This is the default setting.
    • Field-List Specifies that the system uses a set of fields, set in a specific order, to log messages. When Field-List is selected, specify the field list as follows.
      • Specify the delimiter string in the Delimiter field. The default delimiter is the comma character (,).
        Note: You may not use the $ character because it is reserved for internal usage.
      • Select the fields to use. Unused fields are in the Available list, selected fields are in the Selected list. Use the Move arrow buttons to transfer the selected items between the lists.
    • User-Defined Specifies that the format the system uses to log messages is in the form of a user-defined string. Select the items for the server to log. Unused items are in the Available list, selected items are in the Selected list. Use the Move arrow buttons to transfer the selected items between the lists.

    In the Network Firewall Security IP Intelligence section, you configure where IP intelligence events are logged. If the IP intelligence feature is enabled and licensed, you can configure the system to log source IP addresses that match an IP intelligence blacklist or whitelist category, as determined by the database of preconfigured categories, or as determined from an IP intelligence feed list.

    Network Firewall Security - IP Intelligence Description
    Publisher Specifies the name of the log publisher used for logging IP address intelligence events. Select a log publisher configured in your system.
    Aggregate Rate Limit Defines a rate limit for all combined IP intelligence log messages per second. Beyond this rate limit, log messages are not logged until the threshold drops below the specified rate. You can select a Rate Limit value of Indefinite which means the rate limit is set to the maximum of 4294967295, or you can select Specify and specify an integer between 0 and 4294967295 that represents the number of messages per second.
    Log Translation Fields Specifies, when enabled, that translation values are logged if and when a network firewall event is logged.

    In the Network Firewall Security Traffic Statistics section, you configure logging of traffic statistics.

    Network Firewall Security - Traffic Statistics Description
    Publisher Specifies the name of the log publisher used for logging traffic statistics. Select a log publisher configured in your system.
    Log Timer Events
    • Active Flows - When enabled, logs the number of active flows each second.
    • Reaped Flows - When enabled, logs the number of reaped flows, or connections that are not established because of system resource usage levels.
    • Missed Flows - When enabled, logs the number of packets that were dropped because of a flow table miss. A flow table miss occurs when a TCP non-SYN packet does not match an existing flow.
    • SYN Cookie (Per Session Challenge) - When enabled, logs the number of SYN cookie challenges generated each second.
    • SYN Cookie (White-listed Clients) - When enabled, logs the number of whitelisted SYN cookie clients each second.

    In the DoS Protection sections, you configure where DoS events are logged.

    DoS Protection - DoS Application Protection Description
    Local Publisher Specifies, when enabled, that the system logs DoS events to the local database.
    Remote Publisher Specifies the name of the log publisher used for logging DoS events. Select a log publisher configured in your system.
    DoS Protection - DNS DoS Protection Description
    Publisher Specifies the name of the log publisher used for logging DNS DoS events. Select a log publisher configured in your system.
    DoS Protection - SIP DoS Protection Description
    Publisher Specifies the name of the log publisher used for logging SIP DoS events. Select a log publisher configured in your system.
    DoS Protection - Network DoS Protection Description
    Publisher Specifies the name of the log publisher used for logging Network DoS events. Select a log publisher configured in your system.
  5. When finished, click Add.
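The Application Security Storage Filter semantics described in step 4 (and repeated in the editing procedure below) are easier to reason about in code. This is an added example, not F5 code: the `Request` and `StorageFilter` classes, the `should_log` function and the constructed sample requests are assumptions; criteria left at All are treated as not configured, so only configured criteria take part in the OR/AND decision.

```python
"""Added example (not F5's code): models the Application Security Storage
Filter and decides whether a request is logged. Class and function names and
the sample requests are assumptions constructed for this example."""
from dataclasses import dataclass
from typing import Optional

# Request Type choices from the Storage Filter table
ILLEGAL_ONLY = "illegal"                 # default
ILLEGAL_AND_STAGED = "illegal_and_staged"
ALL_REQUESTS = "all"


@dataclass
class Request:
    protocol: str              # "HTTP" or "HTTPS"
    method: str                # e.g. "GET", "POST"
    status: Optional[int]      # response status code; None when no response was sent
    blocked: bool              # blocked by the system (status-code filter then does not apply)
    illegal: bool              # violated the security policy
    staged_signature: bool     # matched an attack signature that is still in staging
    parts: dict                # request parts: "URI", "Query String", "Post Data", "Headers"


@dataclass
class StorageFilter:
    logic: str = "OR"                        # "OR" (default) or "AND"
    request_type: str = ILLEGAL_ONLY
    protocol_only: Optional[str] = None      # None = All; else "HTTP" or "HTTPS"
    status_codes_only: Optional[set] = None  # None = All; else set of status codes
    methods_only: Optional[set] = None       # None = All; else set of HTTP methods
    search_in: Optional[str] = None          # None = All; else part name or "Request"
    search_string: str = ""


def criteria(f: StorageFilter, r: Request) -> list:
    """Return the per-criterion results for the criteria that are configured.
    A criterion left at All is omitted rather than treated as matching, so
    that OR/AND only combine filters the administrator actually set."""
    results = []
    # Request Type is always a criterion.
    if f.request_type == ILLEGAL_ONLY:
        results.append(r.illegal)
    elif f.request_type == ILLEGAL_AND_STAGED:
        # staged-signature hits are logged even though the request is legal
        results.append(r.illegal or r.staged_signature)
    else:
        results.append(True)
    if f.protocol_only is not None:
        results.append(r.protocol == f.protocol_only)
    if f.status_codes_only is not None and not r.blocked:
        # the table says the status-code filter applies only to requests not blocked
        results.append(r.status in f.status_codes_only)
    if f.methods_only is not None:
        results.append(r.method in f.methods_only)
    if f.search_in is not None:
        if f.search_in == "Request":
            # assumption: "Request" means the whole request, modelled as all parts joined
            haystack = "".join(r.parts.values())
        else:
            haystack = r.parts.get(f.search_in, "")
        results.append(f.search_string in haystack)  # case-sensitive, as documented
    return results


def should_log(f: StorageFilter, r: Request) -> bool:
    """OR: at least one configured criterion must match; AND: all must match."""
    res = criteria(f, r)
    return any(res) if f.logic == "OR" else all(res)


if __name__ == "__main__":
    # constructed sample: default filter logs only illegal requests
    legal = Request("HTTP", "GET", 200, False, False, False, {"URI": "/index"})
    illegal = Request("HTTP", "POST", 403, True, True, False, {"URI": "/login"})
    print(should_log(StorageFilter(), legal), should_log(StorageFilter(), illegal))
```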
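The per-action and aggregate rate limits in the Network Firewall logging table above interact: a message is dropped when either its action's limit or the combined limit for that second is already reached. This added example (not F5 code) models that; the `FirewallLogLimiter` class, the fixed one-second window and the constructed event stream are assumptions, while the Indefinite value 4294967295 comes from the table.

```python
"""Added example (not F5's code): models the Network Firewall log rate limits
(per match type Accept/Drop/Reject plus the Aggregate Rate Limit). Limits are
messages per second; Indefinite is the documented maximum 4294967295.
The class name, the one-second window and the sample events are assumptions."""

INDEFINITE = 4294967295  # the Indefinite Rate Limit value from the table


class FirewallLogLimiter:
    def __init__(self, aggregate=INDEFINITE, per_action=None):
        self.aggregate = aggregate
        # enabled match types and their limits, e.g. {"Drop": 100, "Accept": INDEFINITE}
        self.per_action = per_action or {}
        self._sec = None
        self._agg_count = 0
        self._action_count = {}

    def _roll(self, ts):
        """Assumption: counters reset at each whole-second boundary."""
        sec = int(ts)
        if sec != self._sec:
            self._sec = sec
            self._agg_count = 0
            self._action_count = {}

    def admit(self, ts, action):
        """Return True if a firewall event at time ts (seconds) for the given
        ACL action is logged. Match types not enabled are never logged; once a
        per-action or the aggregate limit is reached, further messages in that
        second are not logged (they are dropped, not queued)."""
        self._roll(ts)
        if action not in self.per_action:
            return False
        used = self._action_count.get(action, 0)
        if used >= self.per_action[action] or self._agg_count >= self.aggregate:
            return False
        self._action_count[action] = used + 1
        self._agg_count += 1
        return True


def run(events, limiter):
    """Feed (ts, action) events; return ({action: logged_count}, dropped_count)."""
    logged = {}
    dropped = 0
    for ts, action in events:
        if limiter.admit(ts, action):
            logged[action] = logged.get(action, 0) + 1
        else:
            dropped += 1
    return logged, dropped


def demo():
    # constructed stream: 5 Drop and 3 Accept events in second 0, 2 Drop in second 1
    events = [(0.1, "Drop")] * 5 + [(0.2, "Accept")] * 3 + [(1.1, "Drop")] * 2
    limiter = FirewallLogLimiter(aggregate=6, per_action={"Drop": 3, "Accept": INDEFINITE})
    return run(events, limiter)


if __name__ == "__main__":
    print(demo())
```

In `demo()` the Drop limit of 3 discards two Drop messages in the first second while the Accept messages still fit under the aggregate limit of 6; the second second starts with fresh counters.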

Editing logging profiles

Use the expanded Logging Profile panel to edit logging profiles.

Editing logging profile properties

Click Properties to edit the logging profile description and change which security levels are enabled.

  1. Click Properties to ensure that it is selected.
  2. Click Edit to establish the lock and make it possible to edit the properties.
  3. In the Logging Profiles screen, review and add or modify the properties as appropriate.
    Property Description
    Name Specify a unique user-provided name for the logging profile. Required.
    Description Specify the optional description for the logging profile.
    Partition Specify the partition to which the logging profile belongs. Only users with access to a partition can view the objects (such as the logging profile) that it contains. If the logging profile resides in the Common partition, all users can access it. Although this field is pre-populated with Common (default), you can set the partition when creating logging profiles by typing a unique name for the partition.
    Note: The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
  4. Select Enabled to the right of one or more logging types to enable those types. A configuration tab is added dynamically when a logging type is selected. Click the tab to configure the logging type.
    Property Description
    Application Security When enabled, specifies that the system logs traffic to the web application. When Application Security is enabled, Protocol Security cannot be selected at the same time. Click Application Security to configure the application security log.
    Protocol Security When enabled, specifies that the system logs any dropped, malformed, and/or rejected requests sent through the given protocol. When Protocol Security is enabled, Application Security cannot be selected at the same time. Protocol Security includes processing one or more of the following:
    • HTTP, FTP, and SMTP security
    • DNS security
    • SIP security
    Network Firewall When enabled, specifies that the system logs ACL rule matches, TCP events, and/or TCP/IP errors sent to the network firewall. Includes processing one or more of the following:
    • Network Firewall
    • IP Intelligence
    • Traffic Statistics
    DoS Protection When enabled, specifies that the system logs detected DoS attacks, and where DoS events are logged. Includes processing one or more of the following:
    • DoS Application Protection
    • DNS DoS Protection
    • SIP DoS Protection
    • Network DoS Protection
  5. Configure the logging types by clicking the matching logging type tab and supplying any necessary property values. (Properties are grouped by logging type and screen area in the following tables.)

    In the Application Security Configuration section, you configure settings determining where to log traffic and which traffic to log.

    Application Security - Configuration Description
    Local Storage Specifies, when checked (enabled), that the system stores all traffic in the system.
    Guarantee Local Logging Specifies, when checked (enabled), that the system logs all requests, even though this may slow your web application. When cleared (disabled), specifies that the system logs requests as long as it does not slow your web application. The default is disabled. In either case, the system does not drop requests.
    Response Logging Specifies whether the system logs HTTP responses.
    • Off: Specifies that the system does not log responses. This is the default setting.
    • For Illegal Requests Only: Specifies that the system logs responses to illegal requests.
    • For All Requests: Specifies that the system logs all responses if the Request Type setting in the Storage Filter area of this screen is set to All Requests.
    Remote Storage Specifies, when checked (enabled), that the system stores all traffic on a remote logging server.

    In the Application Security Storage Filter section, you configure settings for the type of requests the system, or server, logs.

    Application Security - Storage Filter Description
    Logic Operation Specifies whether requests must meet one or all criteria in the Storage Filter area for the system, or server, to log the requests.
    • OR: Specifies that requests must meet at least one of the criteria in the Storage Filter settings in order for the system, or server, to log the requests. This is the default.
    • AND: Specifies that requests must meet all of the criteria in the Storage Filter settings in order for the system, or server, to log the requests.
    Request Type Specifies which kind of requests the system, or server, logs.
    • Illegal requests only: Specifies that the system, or server, logs only illegal requests. This is the default.
    • Illegal requests, and requests that include staged attack signatures: Specifies that the system, or server, logs illegal requests, and logs requests that include attack signatures in staging (even though the system considers those requests legal).
    • All requests: Specifies that the system, or server, logs all requests.
    Protocols Specifies whether request logging is dependent on the protocol.
    • All: Specifies that the system, or server, logs requests using the HTTP and HTTPS protocols. This is the default.
    • Only: Specifies that the system, or server, logs requests using only one specific protocol. Select HTTP or HTTPS.
    Response Status Codes Specifies whether request logging is dependent on the response status code. This filter setting applies only to requests that are not blocked by the system.
    • All: Specifies that the system, or server, logs all requests that generate all response status codes. This is the default.
    • Only: Specifies that the system, or server, logs only requests that generate specific response status codes. When selected, displays additional options where you specify the type of response status code to log. Unused status codes are in the Available list, selected status codes are in the Selected list. Use the Move arrow buttons to transfer the selected items between the Available list and the Selected list.
    HTTP Methods Specifies whether request logging is dependent on the HTTP method.
    • All: Specifies that the system, or server, logs requests using all HTTP methods. This is the default.
    • Only: Specifies that the system, or server, only logs requests using a specific HTTP method. When selected, displays options where you specify the type of HTTP method to log. Unused HTTP methods are in the Available list, selected HTTP methods are in the Selected list.
    Request Containing String Specifies whether the request logging is dependent on a specific string.
    • All: Specifies that the system logs all requests, regardless of string. This is the default.
    • Search in: Specifies that the system logs only requests containing a specific string in a particular part of the request.
      • Select the part of the request to search from the list (Request, URI, Query String, Post Data, or Headers).
      • Type the string to search for in the request in the field to the right. The search is case-sensitive.

    In the Protocol Security HTTP, FTP, and SMTP Security area, you configure where the system logs requests using the HTTP, FTP, and SMTP protocols.

    Protocol Security - HTTP, FTP, and SMTP Security Description
    Publisher Specifies where the system sends log messages. Select a publisher from the list, or accept the default of None.

    In the Protocol Security DNS Security area, you configure where the system logs any dropped, malformed, rejected, and malicious DNS requests.

    Protocol Security - DNS Security Description
    Publisher Specifies the name of the log publisher used for logging DNS security events. Select a log publisher from the list, or accept the default of None.
    Log Dropped Requests Specifies, when enabled, that the system logs dropped DNS requests.
    Log Filtered Dropped Requests Specifies, when enabled, that the system logs dropped DNS requests.
    Log Malformed Requests Specifies, when enabled, that the system logs malformed DNS requests.
    Log Rejected Requests Specifies, when enabled, that the system logs rejected DNS requests.
    Log Malicious Requests Specifies, when enabled, that the system logs malicious DNS requests.
    Storage Format Specifies the format type for log messages. You can configure the following options:
    • None Specifies that the system uses the default format type to log the messages to a Remote Syslog server. This is the default setting.
    • Field-List Specifies that the system uses a set of fields, set in a specific order, to log messages. When Field-List is selected, specify the field list as follows.
      • Specify the delimiter string in the Delimiter field. The default delimiter is the comma character (,).
        Note: You may not use the $ character because it is reserved for internal usage.
      • Select the fields to use. Unused fields are in the Available list, selected fields are in the Selected list. Use the Move arrow buttons to transfer the selected items between the lists.
    • User-Defined Specifies that the format the system uses to log messages is in the form of a user-defined string. Select the items for the server to log. Unused items are in the Available list, selected items are in the Selected list. Use the Move arrow buttons to transfer the selected items between the lists.

    In the Protocol Security SIP Security section, you configure where the system logs any dropped and malformed malicious SIP requests, global and request failures, redirected responses, and server errors.

    Protocol Security - SIP Security: Description
    Publisher: Specifies the name of the log publisher used for logging SIP protocol security events. Select a log publisher configured in your system.
    Log Dropped Requests: Specifies, when enabled, that the system logs dropped requests.
    Log Global Failures Requests: Specifies, when enabled, that the system logs global failures.
    Log Malformed Requests: Specifies, when enabled, that the system logs malformed requests.
    Log Redirection Responses Requests: Specifies, when enabled, that the system logs redirection responses.
    Log Request Failures: Specifies, when enabled, that the system logs request failures.
    Log Server Errors: Specifies, when enabled, that the system logs server errors.
    Storage Format: Specifies the format type for log messages. You can configure the following options:
    • None: Specifies that the system uses the default format type to log the messages to a Remote Syslog server. This is the default setting.
    • Field-List: Specifies that the system uses a set of fields, set in a specific order, to log messages. When Field-List is selected, specify the field list as follows.
      • Specify the delimiter string in the Delimiter field. The default delimiter is the comma character (,).
        Note: You may not use the $ character because it is reserved for internal usage.
      • Select the fields to use. Unused fields are in the Available list, selected fields are in the Selected list. Use the Move arrow buttons to transfer the selected items between the lists.
    • User-Defined: Specifies that the format the system uses to log messages is a user-defined string. Select the items for the server to log. Unused items are in the Available list, selected items are in the Selected list. Use the Move arrow buttons to transfer the selected items between the lists.

    In the Network Firewall section, you configure which network firewall events the system logs, and where they are logged.

    Network Firewall Security - Network Firewall: Description
    Publisher: Specifies the name of the log publisher used for logging Network events. Select a log publisher configured in your system.
    Aggregate Rate Limit: Defines a rate limit for all combined network firewall log messages per second. Beyond this rate limit, log messages are not logged. You can select a Rate Limit value of Indefinite, which sets the rate limit to the maximum of 4294967295, or you can select Specify to specify a lower rate limit as an integer between 0 and 4294967295.
    Log Rule Matches: Specifies, when enabled, that the system logs packets that match the ACL rules. When specifying the Rate Limit with one of the match types, a value of Indefinite sets the rate limit to the maximum of 4294967295, and a value of Specify allows you to specify a lower rate limit as an integer between 0 and 4294967295.
    • Accept: Specifies, when enabled, that the system logs packets that match ACL rules configured with action = Accept. When enabled, you can specify a rate limit for all network firewall log messages with this action. If this rate limit is exceeded, log messages of this action type are not logged until the threshold drops below the specified rate. You can specify a Rate Limit value of Indefinite or Specify.
    • Drop: Specifies, when enabled, that the system logs packets that match ACL rules configured with action = Drop. When enabled, you can specify a rate limit for all network firewall log messages with this action. If this rate limit is exceeded, log messages of this action type are not logged until the threshold drops below the specified rate. You can specify a Rate Limit value of Indefinite or Specify.
    • Reject: Specifies, when enabled, that the system logs packets that match ACL rules configured with action = Reject. When enabled, you can specify a rate limit for all network firewall log messages with this action. If this rate limit is exceeded, log messages of this action type are not logged until the threshold drops below the specified rate. You can specify a Rate Limit value of Indefinite or Specify.
    Log IP Errors: Specifies, when enabled, that the system logs IP error packets. When enabled, you can specify a rate limit for all network firewall log messages of this type. If this rate limit is exceeded, log messages of this type are not logged until the threshold drops below the specified rate. You can select a Rate Limit value of Indefinite, which means the rate limit is set to the maximum of 4294967295, or you can select Specify and specify an integer between 0 and 4294967295 that represents the number of messages per second.
    Log TCP Errors: Specifies, when enabled, that the system logs TCP error packets. When enabled, you can specify a rate limit for all network firewall log messages of this type. If this rate limit is exceeded, log messages of this type are not logged until the threshold drops below the specified rate. You can select a Rate Limit value of Indefinite, which means the rate limit is set to the maximum of 4294967295, or you can select Specify and specify an integer between 0 and 4294967295 that represents the number of messages per second.
    Log TCP Events: Specifies, when enabled, that the system logs TCP events (open and close of TCP sessions). When enabled, you can specify a rate limit for all network firewall log messages of this type. If this rate limit is exceeded, log messages of this type are not logged until the threshold drops below the specified rate. You can select a Rate Limit value of Indefinite, which means the rate limit is set to the maximum of 4294967295, or you can select Specify and specify an integer between 0 and 4294967295 that represents the number of messages per second.
    Log Translation Fields: Specifies, when enabled, that translation values are logged if and when a network firewall event is logged.
    Always Log Region: Specifies, when enabled, that the geographic location should be logged when a geolocation event causes a network firewall event.
    Storage Format: Specifies the format type for log messages. You can configure the following options:
    • None: Specifies that the system uses the default format type to log the messages to a Remote Syslog server. This is the default setting.
    • Field-List: Specifies that the system uses a set of fields, set in a specific order, to log messages. When Field-List is selected, specify the field list as follows.
      • Specify the delimiter string in the Delimiter field. The default delimiter is the comma character (,).
        Note: You may not use the $ character because it is reserved for internal usage.
      • Select the fields to use. Unused fields are in the Available list, selected fields are in the Selected list. Use the Move arrow buttons to transfer the selected items between the lists.
    • User-Defined: Specifies that the format the system uses to log messages is a user-defined string. Select the items for the server to log. Unused items are in the Available list, selected items are in the Selected list. Use the Move arrow buttons to transfer the selected items between the lists.
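    The following added example illustrates two behaviours the Storage Format and rate limit settings above describe: a Field-List format that joins selected fields in order with a delimiter (and refuses the reserved $ character), and per-second rate limiting with one aggregate limit plus a limit per rule-match action, where messages beyond a limit are dropped and logging resumes in the next second. This is an illustration written for this page, not BIG-IP or BIG-IQ code; the field names, sample events and the simulated one-second windows are constructed assumptions, and the value 4294967295 is the Indefinite maximum from the table.

```python
"""Added example: how a firewall logging profile's Field-List storage format
and per-second rate limits decide which events reach the log publisher.
Illustration only (not BIG-IP/BIG-IQ code); events and field names are constructed."""
from collections import defaultdict

INDEFINITE = 4294967295   # the "Indefinite" rate limit value from the manual
RESERVED_DELIMITER = "$"  # may not be used as a Field-List delimiter


def validate_rate_limit(value):
    """A rate limit is an integer between 0 and 4294967295 (messages per second)."""
    if not isinstance(value, int) or not 0 <= value <= INDEFINITE:
        raise ValueError("rate limit must be an integer between 0 and %d" % INDEFINITE)
    return value


class FieldListFormatter:
    """Field-List storage format: the selected fields, in order, joined by a delimiter."""

    def __init__(self, fields, delimiter=","):
        if RESERVED_DELIMITER in delimiter:
            raise ValueError("the $ character is reserved for internal usage")
        self.fields = list(fields)
        self.delimiter = delimiter

    def format(self, event):
        # Missing fields are emitted as empty strings so the column order stays fixed
        return self.delimiter.join(str(event.get(name, "")) for name in self.fields)


class FirewallLogRateLimiter:
    """Per-second limits: one aggregate limit across all messages, plus an
    optional limit per rule-match action (Accept, Drop, Reject)."""

    def __init__(self, aggregate_limit=INDEFINITE, per_action_limits=None):
        self.aggregate_limit = validate_rate_limit(aggregate_limit)
        self.per_action_limits = {action: validate_rate_limit(limit)
                                  for action, limit in (per_action_limits or {}).items()}
        self.counts = defaultdict(int)  # (second, action or "*") -> messages logged

    def allow(self, action, second):
        """True if a message for `action` in wall-clock `second` may be logged.
        A message beyond either limit is dropped; the counters are keyed by the
        second, so logging resumes as soon as the next second starts (the
        "until the threshold drops below the specified rate" behaviour)."""
        action_limit = self.per_action_limits.get(action, INDEFINITE)
        if self.counts[(second, action)] >= action_limit:
            return False
        if self.counts[(second, "*")] >= self.aggregate_limit:
            return False
        self.counts[(second, action)] += 1
        self.counts[(second, "*")] += 1
        return True


def process_events(events, formatter, limiter):
    """Return (formatted lines that would go to the publisher, number dropped)."""
    logged, dropped = [], 0
    for event in events:
        if limiter.allow(event["action"], event["second"]):
            logged.append(formatter.format(event))
        else:
            dropped += 1
    return logged, dropped


def build_sample_events():
    """Constructed ACL-match events for two consecutive seconds (not real traffic)."""
    spec = [
        (0, "Accept", "10.0.0.1", 443), (0, "Accept", "10.0.0.2", 443),
        (0, "Accept", "10.0.0.3", 443), (0, "Drop", "198.51.100.7", 22),
        (0, "Drop", "198.51.100.8", 22), (1, "Accept", "10.0.0.1", 80),
        (1, "Accept", "10.0.0.4", 80), (1, "Accept", "10.0.0.5", 80),
        (1, "Accept", "10.0.0.6", 80), (1, "Reject", "203.0.113.9", 3389),
    ]
    return [{"second": s, "action": a, "src_ip": ip, "dst_ip": "192.0.2.10", "dst_port": p}
            for s, a, ip, p in spec]


def run_demo():
    """Accept limited to 2/s, Reject set to 0 (never logged), aggregate 4/s."""
    formatter = FieldListFormatter(["action", "src_ip", "dst_ip", "dst_port"])
    limiter = FirewallLogRateLimiter(aggregate_limit=4,
                                     per_action_limits={"Accept": 2, "Reject": 0})
    return process_events(build_sample_events(), formatter, limiter)


if __name__ == "__main__":
    lines, dropped = run_demo()
    print("\n".join(lines))
    print("dropped:", dropped)
```

    With these constructed settings, six of the ten events are formatted and four are dropped: the third Accept in each second exceeds the per-action limit, and the Reject is suppressed by its limit of 0. The same per-second window logic applies to the Aggregate Rate Limit, Log IP Errors, Log TCP Errors and Log TCP Events settings; only the counter key differs.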

    In the Network Firewall Security IP Intelligence section, you configure where IP intelligence events are logged. If the IP intelligence feature is enabled and licensed, you can configure the system to log source IP addresses that match an IP intelligence blacklist or whitelist category, as determined by the database of preconfigured categories, or as determined from an IP intelligence feed list.

    Network Firewall Security - IP Intelligence: Description
    Publisher: Specifies the name of the log publisher used for logging IP address intelligence events. Select a log publisher configured in your system.
    Aggregate Rate Limit: Defines a rate limit for all combined IP intelligence log messages per second. Beyond this rate limit, log messages are not logged until the threshold drops below the specified rate. You can select a Rate Limit value of Indefinite, which means the rate limit is set to the maximum of 4294967295, or you can select Specify and specify an integer between 0 and 4294967295 that represents the number of messages per second.
    Log Translation Fields: Specifies, when enabled, that translation values are logged if and when a network firewall event is logged.

    In the Network Firewall Security Traffic Statistics section, you configure logging of traffic statistics.

    Network Firewall Security - Traffic Statistics: Description
    Publisher: Specifies the name of the log publisher used for logging traffic statistics. Select a log publisher configured in your system.
    Log Timer Events: Specifies which per-second traffic statistics the system logs:
    • Active Flows - When enabled, logs the number of active flows each second.
    • Reaped Flows - When enabled, logs the number of reaped flows, or connections that are not established because of system resource usage levels.
    • Missed Flows - When enabled, logs the number of packets that were dropped because of a flow table miss. A flow table miss occurs when a TCP non-SYN packet does not match an existing flow.
    • SYN Cookie (Per Session Challenge) - When enabled, logs the number of SYN cookie challenges generated each second.
    • SYN Cookie (White-listed Clients) - When enabled, logs the number of whitelisted SYN cookie clients each second.

    In the DoS Protection sections, you configure where DoS events are logged.

    DoS Protection - DoS Application Protection: Description
    Local Publisher: Specifies, when enabled, that the system logs DoS events to the local database.
    Remote Publisher: Specifies the name of the log publisher used for logging DoS events. Select a log publisher configured in your system.

    DoS Protection - DNS DoS Protection: Description
    Publisher: Specifies the name of the log publisher used for logging DNS DoS events. Select a log publisher configured in your system.

    DoS Protection - SIP DoS Protection: Description
    Publisher: Specifies the name of the log publisher used for logging SIP DoS events. Select a log publisher configured in your system.

    DoS Protection - Network DoS Protection: Description
    Publisher: Specifies the name of the log publisher used for logging Network DoS events. Select a log publisher configured in your system.
  6. Click Save to save your changes.
  7. When you are finished, click Save and Close to save your changes, clear the lock, and exit the panel.