
Web UI Configuration Reference for Outputting Logs

This section describes how to configure the output of various logs on the web UI.

Prerequisites

Ensure that the system time is set correctly during the initial configuration. Changing the system time while the device is running results in incorrect timestamps in existing logs.

To output policy matching logs and session logs to log hosts, choose Policy > Security Policy and enable Record Policy Matching Log and Record Session Log.

Configuring System Log Output

System logs are in syslog format. You need to configure a syslog host for system logs and for service logs in syslog format. After the syslog host is configured, the FW sends the syslogs it generates to the host for analysis and management.

  1. Choose System > Log Configuration > Log Configuration.
  2. Configure the syslog sending function.

    Parameter: Log Host IP Address
    Description: IP address of the log host that receives syslogs from the FW.

      This IP address must be the actual IP address of the log host.

    Parameter: Destination Port
    Description: Port number of the log host that receives syslogs from the FW.

      This port number must be the actual port number configured on the log host. The default port number on the log host is 514.

    Parameter: Language
    Description: Language in which syslogs are sent to a log host.

      To ensure that the log collector of the log host correctly analyzes logs, select the language that the log collector supports.

    Parameter: Send Interface
    Description: Source interface that sends information to a syslog host.

      If you do not specify this parameter, the source interface is the interface that sends logs.

      This interface must exist on the FW and have an IP address.

  3. Click and repeat the preceding steps to add more log hosts.

    If multiple log hosts are configured, the FW sends the same syslogs to each of the log hosts for syslog backup.

  4. Click Apply.

    If the Operation succeeded dialog box is displayed, the syslog sending function has been configured.

Configuring Session Log Output

After you configure the session log host, the FW sends the session logs to the session log host for log analysis and management.

  1. Choose System > Log Configuration > Log Configuration.
  2. Configure the session log.

    Parameter: Log Format
    Description: Log format:

      • Binary
      • Syslog
      • Netflow

    Parameter: Syslog Type
    Description: Syslog content format:

      • Default

        A log in the default format contains a prefix and value, such as:

        SourceIP=10.1.1.1,DestinationIP=1.1.1.1,SourcePort=4408,DestinationPort=80......
      • MTN

        A log in the MTN format contains a complete sentence, such as:

        10.1.1.1:4439[1.1.1.1:4439] (trust) to 1.1.1.1:80[10.1.1.1:80] (trust)......
      • User-defined

        The content of logs output in template format is user-defined. You can set the log fields to be contained, their sequence, and whether they contain prefixes. For example:

        10.1.1.1:4408 -> 1.1.1.1:80......

        To configure a user-defined syslog format, select this item and reference the syslog template.

      NOTE:

      Session logs include session logs and URL session logs in the syslog format.

      • If the session log content is in the default or MTN format, the content format of the URL session log can be the same as that of the session log. You can also reference a syslog template to configure a user-defined format.
      • If the session log content is in the user-defined format, the content of the URL session log can be in the user-defined or default format.

    Parameter: Log Session Content Format
    Description: Select a netflow session log content format:

      • Default

        The content of logs output in the default format is fixed and cannot be modified.

      • User-defined

        For logs output in the template format, their content is user-defined. Users can determine which log fields are used and in which sequence log fields are arranged.

        If you need to define the netflow log content format, select this option and reference the netflow log template.

    Parameter: Send Binary Logs to All Log Servers
    Description: If Send Logs Concurrently is selected, session logs are sent to all log hosts.

      If not, the device sends logs to all log hosts in turn based on the specified log host IDs.

    Parameter: Log Source IP Address
    Description: Source IP address for sending session logs.

    Parameter: Source Port
    Description: Source port of session logs. The default port is 1617.

    Parameter: Log Host IP Address
    Description: IP address of the log host that receives session logs.

    Parameter: Port
    Description: Port of the log host that receives session logs. The default port number depends on the log format.

      The mappings between them are as follows:

      • Binary: 9002
      • Syslog: 514
      • Netflow: 9996

    Parameter: Encrypted Transmission
    Description: If Enable is selected, logs will be encrypted. You are advised to enable encrypted log transmission for security reasons.

    Parameter: Enhanced Encryption
    Description: After this function is enabled, logs are encrypted in enhanced mode for secure transmission. Enhanced encryption provides higher security and is recommended. Before enabling enhanced encryption, ensure that the connected log server supports this function. Otherwise, the log server will fail to parse logs.

      Encryption enhancement is supported in eLog V2R5C00SPC200 or a later version.

    Parameter: Password
    Description: Password for the encryption. You must set the same password on the log server.

    Parameter: Confirm Password
    Description: Password for the encryption.

    Parameter: Heartbeat Detection
    Description: After this option is selected, the FW periodically sends heartbeat detection packets to the log host to monitor the connection status of the log host in real time and ensure the reliability of log sending. In Connection Status of Log Source IP Address, you can directly view the connection status of the log host.

      By default, the heartbeat detection function is disabled.

      NOTE:

      The FW can be enabled to send heartbeat detection packets to the eLog log host but not to a third-party log host.

    Parameter: Sending Interval
    Description: Interval for sending heartbeat detection packets to a log host, which is 1 second by default.

    Parameter: Timeout Times
    Description: Number of times the log host fails to respond to heartbeat detection packets.

  3. Click and repeat the preceding steps to add more log hosts.
  4. Click Apply.

    If the Operation succeeded dialog box is displayed, the session log sending function has been configured.
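A log-host-side parser for the Default syslog content format described under Syslog Type, as an added example that is not part of the original documentation or of any Huawei tool. It assumes the content is comma-separated Key=value pairs as in the page's sample; only the four fields visible there are validated, and the function names and sample lines are constructed for illustration.

```python
import ipaddress

# The four fields visible in the page's Default-format sample. The sample is
# elided after them, so any further keys are kept as strings, uninterpreted.
REQUIRED = ("SourceIP", "DestinationIP", "SourcePort", "DestinationPort")


def parse_default_session_log(content):
    """Parse 'Key=value,...' content; raise ValueError on any bad record."""
    fields = {}
    for pair in content.strip().split(","):
        key, sep, value = pair.partition("=")
        key = key.strip()
        if not sep or not key:
            raise ValueError(f"malformed field: {pair!r}")
        if key in fields:  # a repeated key makes the record ambiguous
            raise ValueError(f"duplicate field: {key}")
        fields[key] = value.strip()
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    for k in ("SourceIP", "DestinationIP"):
        fields[k] = ipaddress.ip_address(fields[k])  # ValueError if invalid
    for k in ("SourcePort", "DestinationPort"):
        if not (fields[k].isdigit() and 0 <= int(fields[k]) <= 65535):
            raise ValueError(f"invalid port in {k}: {fields[k]!r}")
        fields[k] = int(fields[k])
    return fields


def triage(lines):
    """Split lines into (parsed records, rejected (line, reason) pairs)."""
    good, bad = [], []
    for line in lines:
        try:
            good.append(parse_default_session_log(line))
        except ValueError as exc:
            bad.append((line, str(exc)))
    return good, bad


# Constructed sample content; the first line reuses the page's example values.
SAMPLES = [
    "SourceIP=10.1.1.1,DestinationIP=1.1.1.1,SourcePort=4408,DestinationPort=80",
    "SourceIP=10.1.1.1,DestinationIP=1.1.1.1,SourcePort=4408",  # truncated
    "SourceIP=10.1.1.999,DestinationIP=1.1.1.1,SourcePort=1,DestinationPort=80",
    "SourceIP=10.1.1.1,DestinationIP=1.1.1.1,SourcePort=70000,DestinationPort=80",
]
```

Calling `triage(SAMPLES)` returns one parsed record and three rejected lines with reasons. A collector can count the rejects to spot a Syslog Type mismatch between the FW and the log host.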

Copyright © Huawei Technologies Co., Ltd.