
Content Logs

Content logs provide statistics on uploaded and downloaded files and data, sent and received emails, and alert and block records on websites. Content logs help you learn risky user behaviors and why access to some URLs is blocked or allowed with an alert record.

Context

Content logs are generated as a result of file blocking, data filtering, and application behavior control.

The FW deployed between an intranet and the Internet generates content logs when any of the following conditions is met:

  • The transmitted file matches a rule defined in the file blocking profile.
  • The transmitted file matches a rule defined in the data filtering profile.
  • Users' HTTP behaviors (including posting, web page browsing, and Internet access using HTTP proxy) are prohibited by a rule in the application behavior control profile, or the size of the file uploaded or downloaded by a user using HTTP exceeds the alert or block threshold defined in the application behavior control profile.
  • The size of the file uploaded or downloaded by a user using FTP exceeds the alert or block threshold defined in the application behavior control profile, or deleting a specific file using FTP is prohibited by a rule defined in the application behavior control profile.

Before viewing content logs, ensure that you have configured the data filtering, file blocking or application behavior control function on the FW.

Before querying content logs, ensure that the content security license has been installed on the FW and the content security component package has been dynamically loaded. Otherwise, you cannot view content logs.

Before querying logs on the USG6510E/6510E-POE/6530E, run the log type content enable command on the FW to enable the content log function.

Procedure

  1. Choose Monitor > Logs > Content Logs to view content logs.
  2. Choose Customize and select/deselect conditions for log display.
  3. Optional: Click to export content logs in CSV format to the management PC.
  4. Click Add Filter and select search conditions to filter logs.

    If the device has no disk, click Advanced Search to filter logs.

  5. Optional: You can click to save the current log query conditions as a log query template for future use.

    The next time you want to use these query conditions, you only need to click to select the template name and click OK. Then the system queries logs based on the template conditions. The device administrator can click Template Distribution to view the number of templates created by each user. In addition, you can click to delete a log query template.

    Only the user that creates a log query template can view or use this template.

    Each log page supports a maximum of 10 log query templates, and a device supports a maximum of 1000 log query templates.

Log Sample

The following figure shows the content logs generated within a specific time range:

The following table lists the fields in a content log.

Field

Description

View

Click the icon in the View column. In View Content Log Details, the details of each field in a content log are displayed.

In View Content Log Details, click the Source Address/Destination Address/Source User/Application/Security policy/Profile field value. You can view and operate existing field settings.

Time

Time when a content log is generated

Type

Content log types:

  • File Blocking
  • Data Filtering
  • Application Behavior Control

File Name/File Type

Name and type of a file

Source Zone

Source security zone of traffic

Destination Zone

Destination security zone of traffic

Source Region

Source region of the traffic

Destination Region

Destination region of the traffic

Source Address

Source IP address of traffic

Source User

User who generates traffic

Destination Address

Destination IP address of traffic

Source Port/Destination Port

Source/Destination port of traffic

Application

Application type of traffic

Action

Action defined in the file blocking rule, data filtering rule, or application behavior control rule that traffic matches

Security policy

Security policy that traffic matches

Profile

Security profile that traffic matches

Virtual System

Virtual system that generates the traffic
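The fields above are what you get back when content logs are exported in CSV format (step 3 of the procedure). The following is an added example, not Huawei code or a real device export: it assumes the CSV header uses the field names from the table, constructs a few sample rows, and summarizes Block actions per Source User, flags files that keep getting blocked (a cue to check the matching profile rule for a false positive), and ranks blocked destination addresses so an administrator can review them before adding a blacklist entry. Column names, timestamps and action strings in a real export may differ and should be adjusted to match the device.

```python
"""Triage a CSV export of content logs (added example; constructed sample data).

Assumptions: the export header uses the field names from the content log table
(Time, Type, File Name, ..., Action, Security policy, Profile, Virtual System) and
the Action column holds "Block" or "Alert". Neither the rows nor the exact column
layout come from a real FW; they are constructed here for illustration.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export: five illustrative rows, not real device output.
SAMPLE_CSV = """\
Time,Type,File Name,File Type,Source Zone,Destination Zone,Source Address,Source User,Destination Address,Source Port,Destination Port,Application,Action,Security policy,Profile,Virtual System
2024-05-01 09:00:01,File Blocking,payroll.xlsx,xlsx,trust,untrust,10.1.1.20,alice,203.0.113.10,51000,443,HTTPS,Block,policy_out,fb_default,public
2024-05-01 09:00:07,Data Filtering,notes.txt,txt,trust,untrust,10.1.1.20,alice,203.0.113.10,51002,443,HTTPS,Alert,policy_out,df_default,public
2024-05-01 09:01:30,Application Behavior Control,backup.zip,zip,trust,untrust,10.1.1.21,bob,198.51.100.5,51010,21,FTP,Block,policy_out,abc_default,public
2024-05-01 09:02:00,File Blocking,tool.exe,exe,trust,untrust,10.1.1.20,alice,203.0.113.10,51004,443,HTTPS,Block,policy_out,fb_default,public
2024-05-01 09:02:15,File Blocking,tool.exe,exe,trust,untrust,10.1.1.20,alice,203.0.113.10,51006,443,HTTPS,Block,policy_out,fb_default,public
"""


def parse_content_logs(text):
    """Parse a CSV export into a list of dicts keyed by the header column names."""
    return list(csv.DictReader(io.StringIO(text)))


def is_block(record):
    """True when the Action field records a block (case-insensitive)."""
    return record["Action"].strip().lower() == "block"


def blocks_by_user(records):
    """Count Block actions per Source User, split by content log Type.

    Returns {user: {type: count}}; users with only Alert records are omitted.
    """
    counts = defaultdict(Counter)
    for r in records:
        if is_block(r):
            counts[r["Source User"]][r["Type"]] += 1
    return {user: dict(c) for user, c in counts.items()}


def repeated_blocks(records, threshold=2):
    """(Source User, File Name, Profile) tuples blocked at least `threshold` times.

    The same file hitting the same profile repeatedly is the case where the
    page suggests reviewing the profile: either the rule is too broad
    (change its action to alert) or the user keeps retrying a prohibited transfer.
    """
    hits = Counter(
        (r["Source User"], r["File Name"], r["Profile"]) for r in records if is_block(r)
    )
    return sorted(key for key, n in hits.items() if n >= threshold)


def blocked_destinations(records):
    """Destination addresses with Block actions, most frequent first.

    Use this as a review list before adding a blacklist entry from the
    Destination Address field, not as an automatic blacklist.
    """
    hits = Counter(r["Destination Address"] for r in records if is_block(r))
    return hits.most_common()


if __name__ == "__main__":
    logs = parse_content_logs(SAMPLE_CSV)
    print("blocks per user:", blocks_by_user(logs))
    print("repeatedly blocked:", repeated_blocks(logs))
    print("blocked destinations:", blocked_destinations(logs))
```

Run it against a real export by reading the CSV file into a string instead of `SAMPLE_CSV`; if the device emits localized or differently cased field names, map them onto the names used here before calling the summary functions.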

During content log analysis, you can click Advanced Search to view the log information. Based on the logs, you can take the following measures if necessary:

Table 1 Content log field settings

Field

Setting

Source Address/Destination Address

Click the Source Address/Destination Address field value of a specific content log. Add Blacklist Entry is displayed. The parameters in Add Blacklist Entry are as follows:

  • Type: The source/destination address is automatically blacklisted.
  • Source IP/Destination IP: The source/destination IP address is automatically blacklisted.
  • Protocol: The protocol type is automatically blacklisted.
  • Source Port/Destination Port: The source/destination port is automatically blacklisted.
  • Timeout: You can use either of the following methods to set a timeout period for a blacklist entry:

    • Select Unlimited to permanently blacklist the source/destination address.
    • Enter a timeout period.

Source Region/Destination Region

Click the Source Region/Destination Region field value of the content log to be controlled, access Edit Region, and change the region configuration as required. For details.

Source User

Click the Source User field value of a specific content log. Modify User is displayed.

Application

Click the Application field value of a specific content log. Application Details is displayed. You can view application details and configure port mappings. For details on how to configure port mappings.

Security Policy

Click the Security Policy field value of a specific content log. Modify Security Policy is displayed. You can change the settings of the source address, destination address, user, application, time range, action, and security profile.

Profile

Click the Profile field value of a specific content log. Modify Data Filtering Profile/Modify File Blocking Profile/Modify Application Behavior Control Profile is displayed. Reconfigure security profiles as desired. For example:

  • If a file is mistakenly blocked, change the action of the file blocking rule that the file matches (in the file blocking profile) to alert.
  • If data is mistakenly blocked because the data matches the keyword pattern group in a data filtering rule, delete or change the keyword pattern group.
  • If an oversized file is mistakenly blocked, change the block threshold for uploaded files in the application behavior control profile.
Copyright © Huawei Technologies Co., Ltd.