Limitations and Precautions for Logs

Hardware Requirements

Supported by all models.

License Requirements

  • The audit log function requires the content security component license and dynamic loading of the content security component package.
  • The remote log query function in the URL filtering log function requires the URL remote query license and dynamic loading of the URL remote query component package.
  • The intrusion prevention log function requires the intrusion prevention license.
  • The antivirus log function requires the antivirus license.
  • Other log functions are not license-controlled.
  • The URL session log function depends on the content security component package. However, the package does not need to be loaded manually: it is included in the software package and loaded automatically during device startup.

For details about the component package, see Dynamic Loading.

Restrictions on Log Configuration

  • The encoding style of syslogs output by the FW shall be consistent with that supported by the log host. The default encoding style of output syslogs is GBK. If the encoding style of the log host is UTF-8, run the firewall log charset utf-8 command to switch the encoding style of syslogs output by the FW to UTF-8.
  • In a scenario where the application identification mode is intelligent identification, the FW performs application identification on traffic that matches a policy only when the policy has application identification or content security detection configured. If the application identification mode is full identification, the FW performs application identification on all traffic. If the service traffic has no application information, configure the application in the policy or set Application Identification Mode to Full Identification. Otherwise, reports from the application dimension are not generated. You can use the sa force-detection enable command to configure the application identification mode.
  • The format of packet discarding logs is determined by the format of session logs. If session logs are in syslog format, packet discarding logs are in syslog format. If session logs are in binary format, packet discarding logs are in binary format. If session logs are in Netflow format, packet discarding logs cannot be output.
  • Table 1 lists the mapping between log formats and log servers. Select a log server as required.

    Table 1 Mapping between log formats and log servers

    | Log Format | Log Server |
    |---|---|
    | Binary | eLog |
    | Netflow | eLog and a third-party log server. |
    | Syslog | Session logs and packet discard logs are output to eLog server or a third-party log server. Service logs and system logs are output to eLog server or a third-party log server. The Dataflow format is recommended to output service logs to the eLog. |
    | Dataflow | eLog |

    Different types of logs may or may not be controlled by security policies.

    • Session logs and packet loss logs are not controlled by security policies.
    • System logs are controlled by security policies.
    • Service logs in dataflow format are not controlled by security policies. Service logs in syslog format (except policy matching logs) are controlled by security policies. Policy matching logs in syslog format are not controlled by security policies.
  • When you run the info-center loghost command in the information center to configure the FW to send service logs to log hosts, note the following points:
    • The FW cannot send service logs to log hosts with DNS domain names.
    • The FW cannot send service logs to log hosts with IPv6 addresses.
  • When the information center is used to output service logs, the time format of service logs cannot be set using the info-center timestamp command.
  • The information center allows the firewall to send system logs and service logs to the log host connected to a VPN instance. You can run the info-center loghost ip-address vpn-instance vpn-instance-name command to configure this function, which is, however, not supported on the web UI.
  • Session logs cannot be sent in IPSec-based DSVPN scenarios.
  • The firewall sends WeChat online logs based on the uni field in the extracted packets, and only when it detects that a packet contains the uni field. The sending time is not fixed, so the requirement of real-time log sending cannot be met. In addition, the behavior of WeChat packets changes and the uni field is carried irregularly. As a result, Moments updates sometimes do not carry the uni field, and the online logs cannot be sent.
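The syslog encoding restriction at the top of this list (GBK by default, UTF-8 only after firewall log charset utf-8 is run) shows up on a UTF-8 log host as undecodable bytes in non-ASCII fields. The following Python check for the collector side is an added example, not vendor code; the function names and the sample syslog lines are constructed for illustration.

```python
# Added example, not vendor code. Sample messages are constructed, not real FW output.
from collections import Counter

def decode_fw_syslog(payload: bytes):
    """Decode one syslog datagram on a log host that expects UTF-8.

    Returns (text, charset, mismatch). mismatch=True means the bytes were not
    valid UTF-8, i.e. the sender is probably still using the GBK default.
    """
    try:
        # Strict mode: never silently replace bytes, or the mismatch is hidden.
        return payload.decode("utf-8", errors="strict"), "utf-8", False
    except UnicodeDecodeError:
        pass
    try:
        return payload.decode("gbk", errors="strict"), "gbk", True
    except UnicodeDecodeError:
        # Neither charset fits; keep the raw bytes visible as \xNN escapes.
        return payload.decode("ascii", errors="backslashreplace"), "unknown", True

def audit_datagrams(datagrams):
    """Summarise a batch: count per detected charset plus the mismatching texts."""
    counts, mismatched = Counter(), []
    for payload in datagrams:
        text, charset, mismatch = decode_fw_syslog(payload)
        counts[charset] += 1
        if mismatch:
            mismatched.append(text)
    return dict(counts), mismatched

# Constructed sample line with a non-ASCII policy name.
SAMPLE = "<134>Jan  1 00:00:00 FW-1 policy=办公区 action=permit"
BATCH = [
    SAMPLE.encode("gbk"),     # sender left at the GBK default
    SAMPLE.encode("utf-8"),   # sender switched to UTF-8
    b"<134>Jan  1 00:00:00 FW-1 policy=office action=permit",  # pure ASCII
]

if __name__ == "__main__":
    counts, mismatched = audit_datagrams(BATCH)
    print(counts)
    for line in mismatched:
        print("charset mismatch:", line)
```

ASCII-only messages are valid in both charsets, so a mismatch only becomes visible on logs that carry non-ASCII values. The strict UTF-8 test is a heuristic, because a short GBK byte sequence can occasionally also be valid UTF-8.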

Restrictions on Viewing and Exporting Logs on the Web UI

On the USG6510E/6510E-POE, you can view service logs and alarm information under Monitor > Logs > Service Log List and Monitor > Logs > Alarm Information respectively only when no SD card is installed. When an SD card is installed, you can view threat logs, content logs, and policy matching logs under Monitor > Logs. You can also view alarm information under Dashboard > Alarm Information.

When a hard disk or SD card is available, you can view and export logs on the web UI. For devices of certain models, you can view only certain logs on a log node on the web UI even if no hard disk or SD card is available. These logs come from the log data stored in the device memory. After the device is restarted, the log data is lost. Log display and export depend on the hard disk or SD card. For details about the hard disk or SD card, see Hardware Guide. The following table lists the logs that can be viewed and exported on the web UI when the hard disk or SD card is available or unavailable.

| Function | Hard Disk/SD Card in Position | Hard Disk/SD Card Not in Position |
|---|---|---|
| Querying and exporting traffic logs | Supported by all models. | Supported by all models except USG6510E/6510E-POE/6530E. |
| Querying and exporting threat logs | Supported by all models. | Supported by all models except USG6510E/6510E-POE/6530E. |
| Querying and exporting URL logs | Supported by all models. | Supported by all models except USG6510E/6510E-POE/6530E. |
| Querying and exporting content logs | Supported by all models. | Supported by all models except USG6510E/6510E-POE/6530E. |
| Querying and exporting bandwidth ip connections logs | Supported by all models except USG6510E/6510E-POE/6530E, USG6635E/6655E, USG6680E, and USG6712E/6716E. | Supported by all models except USG6510E/6510E-POE/6530E, USG6635E/6655E, USG6680E, and USG6712E/6716E. |
| Querying and exporting operation logs | Supported by all models. | Supported by all models except USG6510E/6510E-POE/6530E. |
| Querying and exporting system logs | Supported by all models. | Supported by all models. |
| Querying and exporting user activity logs | Supported by all models. | Supported by all models except USG6510E/6510E-POE/6530E. |
| Querying and exporting policy matching logs | Supported by all models. | Supported by all models except USG6510E/6510E-POE/6530E. |
| Querying and exporting sandbox detection logs | Supported by all models except USG6510E/6510E-POE/6530E. | Supported by all models except USG6510E/6510E-POE/6530E. |
| Querying and exporting mail filtering logs | Supported by all models. | Supported by all models except USG6510E/6510E-POE/6530E. |
| Querying and exporting audit logs | Supported by all models. | Not supported by any model. |

When the hard disk or SD card is properly installed, the maximum number of logs that can be viewed/exported on the web UI is as follows:
  • All types of logs that can be viewed: 10,000.
  • All types of logs that can be exported at a time: 100,000.

Other Limitations

  • When the outbound interface of logs is an Eth-Trunk interface, all log traffic will be aggregated on the same member interface, which may cause packet loss due to insufficient bandwidth. In this case, you are advised to configure per-packet load balancing (using the load-balance packet-all command) on the Eth-Trunk interface.
  • In the case of virtual systems and hot standby, for details on the support for log output, see log output in Function Availability for Virtual Systems and List of Configurations Supporting Backup and Not Supporting Backup.
  • The FW can record IPv6 service logs, IPv6 packet discard logs, and IPv6 session logs. The FW can send session logs, dataflow service logs, and system logs to IPv6 address log hosts.
  • The device can record URL session logs for HTTP packets only.
  • When the FW and log server are deployed in different regions, the FW can send session logs to the log server through IPSec tunnels and GRE tunnels, and can send policy matching logs and threat logs to the log server through IPSec tunnels.
  • The log server does not support reassembly of fragmented log packets. Ensure that the MTUs of the network devices on the log transmission path are greater than 1500.
  • If the FW and log server communicate through an intermediate device (such as a switch), the size of the session log in syslog format cannot exceed 1024 bytes. Otherwise, the intermediate device will discard the corresponding packet, and the log cannot be queried on the log server.
  • The USG6510E/6510E-POE/6530E do not support user source tracing.

Precautions

  • By default, the FW outputs only session aging logs. If the FW is configured to output session creation logs, the eLog will receive a large number of logs, consuming storage space. Exercise caution when configuring the FW to output session creation logs.
  • When a large number of logs are generated, hard disks are recommended to prevent old logs from being overwritten by new logs.
  • For logs stored in hard disks, if logs on new connections are of a large volume, log data may be lost.
  • For the USG6515E/6550E/6560E/6580E and USG6525E/6555E/6565E/6575E-B/6585E/6605E-B without a disk, log data is stored in the device memory. If the log volume is large, logs are frequently updated. Therefore, you cannot view log details.
  • For the USG6510E/6510E-POE/6530E, if the SD card goes offline when you are querying logs on the web UI, no logs are displayed on the web UI. For devices except the USG6510E/6510E-POE/6530E, when the hard disk goes offline, the log database restarts. If you are viewing logs on the web UI, exit the log query page. You can log in again after 1 minute and continue to view logs.
  • When you search for and export a type of logs on the web UI, the system may display a message indicating that the export times out due to excessive log information. In this case, you are advised to configure the device to connect to the log server, and then view and export logs on the log server.
  • Traffic logs support only the dataflow format, not the syslog format. Other service logs support both the dataflow and syslog formats.
Copyright © Huawei Technologies Co., Ltd.