
Configuring Session Logs

After you enable the FW to send session logs to a log host, you can display and analyze the session logs generated on the FW on the log host.

Setting the Log Output Format

The FW supports outputting session logs to a log server.

  1. Access the system view.

    system-view

  2. Set the output format of session logs.

    firewall log session log-type { binary | syslog | netflow }

    The default output format of session logs is binary.

Configuring a Log Host

  1. Access the system view.

    system-view

  2. Run the firewall log host host-id ip-address port [ vpn-instance vpn-instance-name ] [ secondary ] [ track ip-link link-name ] command to configure a log host for receiving session logs.

    vpn-instance is the name of the VPN instance to which the log host belongs. The VPN instance here indicates one configured with the ip vpn-instance vpn-instance-name command for route isolation. In a virtual system scenario, this command does not allow binding a VPN instance with the same name as the virtual system.

    The eLog receives logs of different formats on different ports, so the UDP port to which the FW sends session logs depends on the log format. Table 1 lists the UDP ports used for sending logs in each format.

    Table 1 UDP ports for the eLog to receive logs in different formats

    Log Format    Default Port of the eLog for Receiving Logs
    Binary        9002
    Netflow       9996
    Syslog        514

  3. Set the source IP address and port for the FW to send session logs.

    firewall log source ip-address port

  4. Optional: Enable the log encryption function.

    firewall log password password [ encryption ]

    After you run this command, the FW will use the specified encryption password to encrypt the logs before sending. After receiving the binary logs, the log host will use the decryption password to decrypt the logs. This ensures the log transmission security. The encryption password specified on the FW and the decryption password specified on the log host must be the same.

    This function is supported only when the FW connects to the eLog server.

Enabling the Session Log Function in a Security Policy

When the session log function is enabled in a security policy rule, the FW outputs session logs for traffic matching that rule after the sessions age out.

  1. Access the system view.

    system-view

  2. Access the security policy view.

    security-policy

  3. Access the security policy rule view.

    rule name rule-name

  4. Define the match conditions of the security policy.

    The detailed configuration process is omitted.

  5. Set the action of the security policy.

    action { permit | deny }

    The session log function takes effect when the policy action is set to permit or deny.

  6. Enable the session log function.

    session logging

    By default, the session log function is disabled.

Configuring Log Sending

In addition to configuring the log host on the FW, you must enable the functions that generate and send each type of log so that the FW outputs logs to the log server properly. The sending configuration varies with the log type; the details are listed below. All of the following commands are executed in the system view.

IPv4 session logs

  • Session aging logs

    Run the firewall log session aging enable command to enable the function of sending session aging logs. By default, the function of sending session aging logs is enabled.

  • Session creation logs

    Run the firewall log session new-session enable command to enable the function of sending session creation logs. By default, the function of sending session creation logs is disabled.

  • Periodic session logs

    1. Run the firewall log session periodic enable command to enable the function of periodically sending session logs.

    2. Run the firewall log session periodic time-interval timevalue command to set the interval for periodically sending session logs.

    By default, the function of periodically sending session logs is disabled, and the interval is 180 minutes.

IPv6 common session logs

  • Session aging logs

    Run the firewall log session aging enable command to enable the function of sending session aging logs. By default, the function of sending session aging logs is enabled.

  • Session creation logs

    Run the firewall log session new-session enable command to enable the function of sending session creation logs. By default, the function of sending session creation logs is disabled.

IPv4 NAT No-PAT session logs (server-map logs)

    Run the firewall log nat-nopat enable command to enable the function of sending NAT No-PAT session logs. By default, the function of sending NAT No-PAT session logs is disabled.

IPv6 DS-Lite session logs

  • Session aging logs

    Run the firewall log session aging enable command to enable the function of sending session aging logs. By default, the function of sending session aging logs is enabled.

  • Session creation logs

    Run the firewall log session new-session enable command to enable the function of sending session creation logs. By default, the function of sending session creation logs is disabled.

IPv6 NAT64 session logs

  • Session aging logs

    Run the firewall log session aging enable command to enable the function of sending session aging logs. By default, the function of sending session aging logs is enabled.

  • Session creation logs

    Run the firewall log session new-session enable command to enable the function of sending session creation logs. By default, the function of sending session creation logs is disabled.

URL session logs

    Run the firewall log session url-log enable command to enable the function of sending URL session logs. By default, the function of sending URL session logs is disabled.

IM session logs

    Run the firewall log im enable command to enable the function of sending IM session logs.

    Before using this function, you need to generate IM logs. The following conditions must be met to generate IM logs:

    • A security policy has been configured, and the session logging command has been executed in the security policy view to record session logs matching the security policy. In addition, there is traffic matching the policy.

    • IM logs are recorded only when the application type of the traffic is QQ or WeChat. Therefore, the traffic must be sent to the IAE for application identification, which happens if either of the following conditions is met:

      • In the security policy, configure the application match condition, or have the security policy reference a content security profile.

      • Run the sa force-detection enable command to set Application Identification Mode to Full Identification.

    These commands are valid only for IM software (QQ) of specific versions. In practice, you are advised to use an audit policy instead of this IM logging function to audit and log IM login and logout activities.

    You are advised to enable IM session logs only for the purpose and within the scope permitted by the applicable laws, and you need to take the necessary measures to secure users' account information.

    By default, the function of sending IM session logs is disabled.

Semi-connection session logs

    Run the firewall log session half-connection enable command to enable the function of sending semi-connection session logs. By default, the function of sending semi-connection session logs is disabled.
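The following CLI transcript is an added example, not text from the original page; it pulls the procedures above together on one FW: the syslog output format, a log host on the eLog's default syslog port 514 from Table 1, the FW's source address and port, a permit rule with session logging enabled, and the session aging and session creation logs switched on. The IP addresses, the source port 6000, the rule name log_outbound and the source-zone/destination-zone match conditions are assumed values (the page omits the match conditions), and the prompts are written in the usual VRP form.

```text
<FW> system-view
[FW] firewall log session log-type syslog
[FW] firewall log host 1 192.0.2.10 514
[FW] firewall log source 192.0.2.1 6000
[FW] security-policy
[FW-policy-security] rule name log_outbound
[FW-policy-security-rule-log_outbound] source-zone trust
[FW-policy-security-rule-log_outbound] destination-zone untrust
[FW-policy-security-rule-log_outbound] action permit
[FW-policy-security-rule-log_outbound] session logging
[FW-policy-security-rule-log_outbound] quit
[FW-policy-security] quit
[FW] firewall log session aging enable
[FW] firewall log session new-session enable
```

Session aging logs are enabled by default, so that line only confirms the setting; the new-session line is the one that changes behaviour. Had the format been binary or netflow, the log host port would be 9002 or 9996 respectively, per Table 1.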

Copyright © Huawei Technologies Co., Ltd.