Service Logs

This section describes how to configure the FW to output security service logs and view these logs on the log server through the web UI.

The FW identifies and controls traffic based on applications and services, and records logs.

Based on the service logs, you can monitor traffic in real time, learn about vulnerabilities across the network, abnormal user behavior, and network attacks, and take appropriate countermeasures.

The following table describes service log types classified by function. Each entry gives the log type, its function, and its triggering condition.
Table 1 Log classification and function (columns: Log Type, Function, Triggering Condition)

Traffic log

Logs generated for traffic that arrives at or passes through the FW. By checking traffic logs, you can learn the characteristics of traffic on the network, bandwidth usage, which security policies the traffic hits, and whether the traffic policy configuration is valid.

Traffic logs can be enabled either globally or in an individual security policy:
  • Global traffic log function: run the log type traffic enable command. When traffic destined for or passing through the FW matches the permit action of any security policy, a session is created, and a traffic log is recorded when that session ages out.
  • Logging in the security policy: run the traffic logging enable command in a specific security policy. When traffic destined for or passing through the FW matches the permit action of that policy, a session is created, and a traffic log is recorded when that session ages out.

In both cases the log is written at session age-out, not at session creation, so a long-lived session appears in the traffic log only after it ends. Because only a permitted session generates a traffic log, denied traffic is visible in policy matching logs rather than traffic logs.

Threat log

Logs generated by antivirus (AV), intrusion prevention, zombie, Trojan horse, and worm detection, and attack defense. By checking threat logs, you can view the detection and defense records of AV, intrusion prevention, zombie/Trojan horse/worm detection, and DDoS attack defense, learn about historical and ongoing threat events, and adjust security policies or take active defense measures in a timely manner.

  • The log type threat enable command is executed to enable the FW to record threat logs.
  • A threat log is recorded each time traffic destined for or passing through the FW matches the AV, intrusion prevention, or attack defense profile, and the log is sent to the log server. Unlike a traffic log, which is written once per session, a threat log is written for every match, so a single session can generate many threat logs.

URL filtering log

Logs generated by URL filtering. By checking URL filtering logs, you can see how each URL access was handled (permitted, warned, or blocked) and the reason for that decision.

  • The log type url enable command is executed to enable the FW to record URL filtering logs.
  • A URL filtering log is recorded each time traffic destined for or passing through the FW matches the URL filtering profile, and the log is sent to the log server.

Content log

Logs generated by file blocking, data filtering, and application behavior control. By checking content logs, you can view the alarms and blocking events generated when a user transfers a file or data, sends or receives mail, or accesses a website, and learn the user's risky behaviors and the reasons for the alarms and blocking.

  • The log type content enable command is executed to enable the FW to record content logs.
  • A content log is recorded each time traffic destined for or passing through the FW matches the file blocking, data filtering, or application behavior control profile, and the log is sent to the log server.

User activity log

Logs generated for user activities, including logging in, going offline, changing passwords, and freezing or unfreezing the user. By checking user activity logs, you can learn a user's online records (login time, online duration or freezing duration, and the IP address used for login), learn user activities on the current network, identify abnormal login or network access behavior, and take the corresponding countermeasures.

  • The log type um enable command is executed to enable the FW to record user activity logs.
  • When a user logs in, goes offline, changes a password, or is frozen (locked) or unfrozen (unlocked), the FW records a user activity log and sends it to the log server.

Policy matching logs

Logs generated when traffic matches a security policy. By checking policy matching logs, you can see which policy the traffic hit and determine whether security policies are correctly configured and achieve the expected effect, which helps in fault locating.

  • The policy logging command is executed in a specific security policy to enable the FW to record policy matching logs for that policy.
  • The log type policy enable command is executed to enable the global policy matching log function.
  • A policy matching log is recorded each time traffic destined for or passing through the FW matches the permit or deny action of a security policy, and the log is sent to the log server. This is the only service log type that records denied traffic, so it is the place to look for connections blocked by policy.

Mail filtering log

Logs generated by mail filtering. By checking mail filtering logs, you can learn the protocols used for sending or receiving mail, the number and size of attachments in a mail, and the reasons a mail was blocked, and take appropriate countermeasures.

  • The log type mail-filter enable command is executed to enable the FW to record mail filtering logs.
  • A mail filtering log is recorded each time traffic destined for or passing through the FW matches the mail filtering profile, and the log is sent to the log server.

Audit log

Logs generated by the audit function. By checking audit logs, you can learn about FTP, HTTP, mail sending or receiving, IM, and keyword search behaviors, and verify that audit policies are taking effect.

  • The log type audit enable command is executed to enable the FW to record audit logs.
  • An audit log is recorded each time traffic destined for or passing through the FW matches the audit profile and policy, and the log is sent to the log server.

Sandbox detection log

Logs generated by the sandbox function. By checking sandbox detection logs, you can view sandbox detection information, such as the name, type, source security zone, and destination security zone of each file submitted for detection, and handle suspicious files in a timely manner.

  • A sandbox detection log is recorded each time traffic destined for or passing through the FW matches the anti-APT profile, and the log is sent to the log server.
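The timing rules in Table 1 have a practical consequence for investigations: a traffic log is written only when a session ages out, whereas a policy matching log is written when the rule is hit, for permit and deny alike. The following Python model is an added illustration of those rules and is not FW code; the rule set, flows, addresses, field names and the fixed per-flow age-out time are all constructed, and the rule lookup (first match wins, implicit deny) is an assumption made to keep the model short.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    """One security policy rule (hypothetical). dst=None matches any destination."""
    name: str
    action: str                      # "permit" or "deny"
    dst: Optional[str] = None
    traffic_logging: bool = False    # `traffic logging enable` in this rule
    policy_logging: bool = False     # `policy logging` in this rule

    def matches(self, flow: "Flow") -> bool:
        return self.dst is None or self.dst == flow.dst


@dataclass
class Flow:
    src: str
    dst: str
    start: int    # time of the first packet (seconds, constructed)
    end: int      # time the session ages out (constructed)


@dataclass
class LogRecord:
    time: int     # when the record reaches the log server
    kind: str     # "traffic" or "policy"
    rule: str
    action: str
    src: str
    dst: str


@dataclass
class Firewall:
    rules: List[Rule]
    global_traffic_log: bool = False   # `log type traffic enable`
    global_policy_log: bool = False    # `log type policy enable`
    logs: List[LogRecord] = field(default_factory=list)

    def lookup(self, flow: Flow) -> Rule:
        for rule in self.rules:          # assumption: first match wins
            if rule.matches(flow):
                return rule
        return Rule("default", "deny")   # assumption: nothing matched means deny

    def process(self, flow: Flow) -> None:
        rule = self.lookup(flow)
        # Policy matching log: written when the rule is hit, for permit and deny alike.
        if self.global_policy_log or rule.policy_logging:
            self.logs.append(LogRecord(flow.start, "policy", rule.name,
                                       rule.action, flow.src, flow.dst))
        if rule.action != "permit":
            return                       # no session, so never a traffic log
        # Traffic log: a session exists, and its log is written only at age-out.
        if self.global_traffic_log or rule.traffic_logging:
            self.logs.append(LogRecord(flow.end, "traffic", rule.name,
                                       rule.action, flow.src, flow.dst))

    def visible(self, kind: str, at: int) -> List[LogRecord]:
        """Records of one kind that the log server holds at time `at`."""
        hits = [r for r in self.logs if r.kind == kind and r.time <= at]
        return sorted(hits, key=lambda r: r.time)


def demo(global_traffic: bool = True) -> Firewall:
    """Run three constructed flows through a constructed rule set."""
    fw = Firewall(
        rules=[
            Rule("permit_web", "permit", dst="203.0.113.10",
                 traffic_logging=True, policy_logging=True),
            Rule("deny_c2", "deny", dst="198.51.100.7", policy_logging=True),
            Rule("permit_any", "permit"),            # relies on the global switch
        ],
        global_traffic_log=global_traffic,
    )
    for flow in (
        Flow("10.0.0.5", "203.0.113.10", start=0, end=3600),   # long-lived, permitted
        Flow("10.0.0.6", "198.51.100.7", start=100, end=100),   # denied at first packet
        Flow("10.0.0.7", "192.0.2.44", start=200, end=260),     # short, permitted
    ):
        fw.process(flow)
    return fw


if __name__ == "__main__":
    fw = demo()
    for at in (600, 3600):
        print(f"t={at}: traffic logs -> {[r.dst for r in fw.visible('traffic', at)]}")
        print(f"t={at}: policy logs  -> {[r.dst for r in fw.visible('policy', at)]}")
```

Querying the model at t=600 shows the point: the session to 203.0.113.10 is already in the policy matching logs but not yet in the traffic logs, the denied connection to 198.51.100.7 never produces a traffic log at all, and the flow that only hit permit_any is logged solely because the global switch is on. Run demo(global_traffic=False) to see that last record disappear.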

Service logs can be output in dataflow or syslog format. Service logs in dataflow format are viewed on the eLog log server. Service logs in syslog format can be sent to a third-party log server through the information center and viewed there.

This section describes how to view service logs in dataflow format on the eLog log server. For details about sending service logs in syslog format to a third-party log server through the information center, see Service Logs in Syslog Format. Service logs stored in the FW's memory database can also be displayed as logs and reports on the FW web UI; for details, see View logs in the Web.

Copyright © Huawei Technologies Co., Ltd.