Storing, Sending, and Viewing Logs

This section describes the paths for storing logs, destinations for the FW to send logs, and how to view logs.

When packets pass through the FW, and corresponding log generation and recording conditions are met, the log module of the FW performs assembly according to the configured log format. Then, the FW sends logs to the log server or other storage paths. End users can view the logs in the paths where the logs are stored.

The FW provides multiple log storage paths. The paths for storing logs of various types are different.

Hard disk or SD card: The device memory database can store service logs (including traffic logs, policy matching logs, and threat logs), running logs generated during system running, and operation logs about administrator login and logout and device configuration. The data stored in the memory database is eventually stored in the hard disk or SD card after being processed.
The FW does not support outputting logs in the hard disk or SD card. When the space of the service log disk is full, the FW overwrites earlier logs by default. You can manually adjust the processing mode of new logs. In addition, the FW allocates the default disk space to the logs of each module. When the storage space of a type of logs is insufficient or the storage space of a certain type of logs needs to be reduced, you can customize the disk space. For details, see Customizing the Space of a Log Disk.

For devices without hard disks, some logs are stored in the device memory database. After the device is restarted, these logs are lost.
Log buffer (Logbuffer): The Logbuffer is a fixed space reserved in the flash memory. It can be used to store a small number of service logs and system logs.
If the number of logs in the Logbuffer reaches the upper limit, new logs will replace the existing logs in a time order until all the new logs are stored. That is, the log put into the Logbuffer earliest is replaced first.
Log file: The log information is saved in the log.log format on the FW. A small number of service logs and system logs in syslog format can be stored. Log files are usually used for troubleshooting.
Log server: Log servers are classified into Huawei eLog log servers and third-party log servers. All types of logs can be stored on the log server. After receiving the log information from the FW, the log server processes the data and displays the data in various logs and reports, so that the administrator can easily view logs.
The log server has large storage space and can store log data for a long period of time. Therefore, the log server is recommended. For details about how to send logs of different formats to various types of log servers, see the log server related content in Limitations and Precautions for Logs > Restrictions on Log Configuration.

The principles for sending different types of logs on the FW are different. Figure 1 shows the details.

Figure 1 Log output principles

As shown in Figure 1, some logs cannot be stored on the FW and need to be sent to the log server. Some logs are sent to the log server through the information center. The methods of storing, sending, and viewing logs of each type are described as follows:

**Table 1** Storing, sending, and viewing logs
Log Type	Storage and Sending	Viewing Method
Session log	Session logs are not stored to the device. Instead, the FW directly sends session logs to the log server through an independent channel.	Session logs support Syslog, binary and netflow formats. You can view session logs in binary and netflow formats on the eLog log server.
Packet discard log	Session logs are not stored to the device. Instead, the FW directly sends session logs to the log server through an independent channel.	Packet discard logs support Syslog and netflow formats. You can view packet discard logs in binary format on the eLog log server.
Port pre-allocation log	Session logs are not stored to the device. Instead, the FW directly sends session logs to the log server through an independent channel.	Port pre-allocation logs support Syslog format. You can view port pre-allocation logs on the log server eLog.
System log	System logs are stored in the log buffers or log files through the information center and can be sent to the log server, console (console user interfaces), or terminals (VTY user interfaces).	System logs support Syslog format. View logs on the log server. For system logs stored in log files, you can run the display logfile hda1:/log/log.log command in the diagnose view to view log contents. For system logs stored in the log buffer, choose Dashboard > Logs and Alarms and click the System Log List tab on the web UI or run the display logbuffer command to view them. Log in to the FW in console, Telnet, or STelnet mode. Run the terminal monitor and terminal logging commands on the CLI to enable the function of displaying logs on the terminal.
Service logs	Service logs can be stored in the hard disk or SD card of the device. Service logs can be stored in the log buffer. Service logs in the dataflow format are not stored and can be sent to the log server through an independent channel. Service logs in syslog format can be stored in log files through the information center and can be sent to the log server, console (console user interfaces), or terminals (VTY user interfaces).	Data stored in hard disks or SD cards is processed by the log query module and then displayed on the web UI as logs and reports. For details, see View logs in the Web. For devices without hard disks or SD cards, some logs are stored in the memory database and can be view on the web UI. After the device is restarted, these logs are lost. For service logs stored in the log buffer, choose Dashboard > Logs and Alarms and click the Service Log List tab on the web UI or run the display logbuffer command to view them. NOTE: Traffic logs are a type of service logs. Traffic logs are usually large in number. Because the space of the log buffer is limited, traffic logs cannot be stored. For service logs in syslog format stored in log files, you can run the display logfile hda1:/log/log.log command in the diagnose view to view log contents. To view service logs in syslog format: Log in to the FW in console, Telnet, or STelnet mode. Run the terminal monitor and terminal logging commands on the CLI to enable the function of displaying logs on the terminal. Service logs support Syslog and dataflow formats. Service logs in dataflow format can be viewed on the eLog log server.