
Configuring Service Logs

This section describes how to configure the FW to output service logs in dataflow format to the log server and how to view and analyze service log information on the log server.

Configuring a Log Host

  1. Access the system view.

    system-view

  2. Set the log host receiving service logs.

    firewall log host host-id ip-address port [ vpn-instance vpn-instance-name ] [ secondary ] [ track ip-link link-name ]

    vpn-instance is the name of the VPN instance to which the log host belongs. The VPN instance here indicates one configured with the ip vpn-instance vpn-instance-name command for route isolation. In a virtual system scenario, this command does not allow binding a VPN instance with the same name as the virtual system.

    If you set the secondary parameter, the log host belongs to the secondary log host group.

    The log hosts for service logs in Dataflow format and for session logs are both configured with the firewall log host host-id ip-address port command. When service logs are output in Dataflow format, the FW sends them to port 9903 by default, regardless of the port configured for the log host. To send both service logs in Dataflow format and session logs to the same host, you are advised to set the log host port to the port used by the session logs in the chosen format. For example, to send session logs in binary format and service logs in Dataflow format, you are advised to set the port to 9002.

  3. Set the source IP address and port for the FW to send service logs.

    firewall log source ip-address port

  4. (Optional) Enable the log encryption function.

    firewall log password password [ encryption ]

    After you run this command, the FW will use the specified encryption password to encrypt the logs before sending. After receiving the binary logs, the log host will use the decryption password to decrypt the logs. This ensures the log transmission security. The encryption password specified on the FW and the decryption password specified on the log host must be the same.

Enabling the Service Log Function

  1. Access the system view.

    system-view

  2. Enable the function of sending dataflow service logs.

    dataflow enable

    By default, the function of sending dataflow service logs is disabled.

  3. (Optional) Enable the function of adding ESN extension headers to service logs in dataflow format.

    dataflow esn enable

    By default, the function of adding ESN extension headers to service logs in dataflow format is disabled.

    • This function is supported in V600R007C20SPC602 and later versions.
    • All service logs in dataflow format except traffic logs, audit logs, and sandbox logs support this function.

  4. Enable the sending of dataflow service logs of the specified types.

    dataflow type { traffic [ ipv4 | ipv6 ] | url | content | policy | audit | mail-filtering | av | ips | bwt | aapt | ddos } enable

  5. Enable the traffic log function.

    You can enable the traffic log function in either of two ways. One way is to run the log type traffic enable command in the system view. By default, the traffic log function is disabled.

    The other way is to enable or disable traffic logging for the traffic that matches a specific rule in a security policy or the default security policy.

    To enable or disable traffic logging for a specific rule in a security policy, you need to perform the following operations:
    To enable or disable traffic logging for the default security policy, you need to perform the following operations:
    The priorities of the global traffic logging command (log type traffic enable) and the security policy-specific traffic logging command are explained in the following table:
    Table 1 Traffic logging command priorities explained

    Global Traffic Logging   Security Policy-Specific Traffic Logging   Whether Traffic Matching a Security Policy Is Logged
    Enabled                  Enabled                                    Logged
    Enabled                  Disabled                                   Not logged
    Enabled                  Not configured                             Logged
    Disabled                 Enabled                                    Logged
    Disabled                 Disabled                                   Not logged
    Disabled                 Not configured                             Not logged

    For example: Three rules are configured in a security policy: abc1, abc2, and abc3. A user runs the log type traffic enable command in the system view, the traffic logging disable command under rule abc1, and then the traffic logging enable command under rule abc2. The user does not configure traffic logging for rule abc3. Traffic that matches rule abc1 is not logged, traffic that matches rule abc2 is logged, and traffic that matches rule abc3 is also logged because, with global traffic logging enabled, logging applies by default to rules that have no rule-specific setting.

  6. Run the following command to enable the function of recording threat logs, content logs, audit logs, mail filtering logs, URL filtering logs, and user activity logs:

    log type { url | content | audit | mail-filter | um | threat } enable

    By default, the function of recording the preceding types of logs is enabled.

  7. Enable the service log function.

    engine log { app-control | audit | av | data-filter | file-block | ips | url-filter } enable

    By default, the service log function is enabled.

  8. Run the following commands to enable the policy matching log function.
    1. Run the log type policy enable command to enable the function of generating policy matching logs.

      By default, this function is enabled.

    2. Run the security-policy command to access the security policy view.

    3. Run the rule name rule-name command to access the security policy rule view.

    4. Run the policy logging command to enable the policy matching log function.

      By default, the policy matching log function is disabled.
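    As an added example that is not from the original page, the two procedures above combined into one configuration: a primary and a secondary log host on port 9002 (so the host can also take binary session logs), the log source, log encryption, dataflow output for traffic, policy and IPS logs, and the rule-level traffic logging overrides from the abc1/abc2/abc3 example. The addresses, host IDs, source port, password and rule names are assumed values, and the lines beginning with # are annotations rather than CLI input.

    ```text
    # Primary (host-id 1) and secondary (host-id 2) log hosts, both on 9002.
    # Note: dataflow service logs still go to port 9903 by default regardless
    # of the port configured here; open both ports on the collector.
    system-view
    firewall log host 1 10.1.1.100 9002
    firewall log host 2 10.1.1.101 9002 secondary
    # Source address and port the FW sends logs from (assumed values).
    firewall log source 10.1.1.1 6000
    # Encrypt logs in transit; the log host must hold the same password.
    firewall log password Log-Pass-Example
    # Dataflow output, ESN extension headers, and the log types to export.
    dataflow enable
    dataflow esn enable
    dataflow type traffic ipv4 enable
    dataflow type policy enable
    dataflow type ips enable
    # Global traffic logging and policy matching logs.
    log type traffic enable
    log type policy enable
    # Rule-level settings: abc1 traffic is not logged (rule setting wins over
    # the global setting), abc2 is logged explicitly, abc3 is logged by default.
    security-policy
    rule name abc1
    traffic logging disable
    policy logging
    quit
    rule name abc2
    traffic logging enable
    quit
    quit
    ```

    Check the collector after applying this: service logs from 10.1.1.1 should arrive on port 9903 while session logs arrive on 9002, and no traffic log should appear for matches of rule abc1.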

Copyright © Huawei Technologies Co., Ltd.