CacheGuard-OS
User's Guide - Version UF-2.3.5

Traffic Logging

Logging provides visibility into allowed and denied traffic exchanged with or via a CacheGuard appliance. As an administrator, you can select which types of traffic should be logged. You may refer to the log command description in the Commands Manual to learn more about the available log types. Logs are stored locally on a CacheGuard appliance and can be saved on trusted remote file servers for inspection. You also have the option to send them in real time to remote log servers using the "syslog" protocol (based on UDP or TCP).

Managing Logs

A daily automatic log rotation during off-peak hours (between 04:00 and 06:59) backs up logs for a period of n days, where n is a value between 1 and 365 configured during the CacheGuard-OS installation. Each rotated log is identified by an integer between 1 and n, known as the log serial number. The most recent log (yesterday’s log) has the number 1, and the oldest has the number n. Note that if the appliance becomes overloaded, log rotation occurs hourly in order to prevent the provisioned log space on the disks from being filled.

To save the current (today’s) log, an explicit log rotation should be performed. The explicit log rotation allows you to avoid waiting for the daily automatic log rotation. To rotate logs and obtain a report on the rotation status, use the following commands:

• log rotate
• log rotate report

Once the log rotation operation is complete, you can save the required log types on a trusted file server. Note that saved logs are in gzip-compressed format. To save the most recent Web access log in a file named "web-access-log.gz" on the TFTP server with the IP address 172.18.2.1, use the following command:

• log save web 1 tftp 172.18.2.1 web-access-log.gz

Logs can be saved only on trusted file servers. To declare a file server as trusted, use the access file command. Logging can also be completely disabled. To disable logging entirely, use the following commands:

• mode log off
• apply

Logging Web Access

All Web accesses in forwarding and reverse modes can be logged. Web access logging enables you to monitor all Web requests in detail and determine which machine accessed which URL at what time. To activate Web access logging in forwarding and reverse modes, use the following commands:

• mode log on
• log type web on
• log type rweb on
• apply

Logging Denied Traffic

Allowed access logging concerns Web traffic only (in web or rweb modes). However, all rejected traffic (Web or non-Web) by services running on a CacheGuard appliance can also be logged. For instance, you can configure the appliance to log all attempts to access forbidden URLs (denied by the URL guarding) and all rejected network traffic at the IP level (denied by the firewall). To achieve this, use the following commands:

• mode log on
• log type guard on
• log type antivirus on
• log type waf on
• log type firewall on
• apply

Syslog Servers

You can optionally send all locally saved logs to remote log servers that support the syslog protocol (UDP or TCP). Before activating the logging of any traffic type on a remote syslog server, that server must be explicitly allowed on the CacheGuard appliance. To configure the appliance to send its URL guarding logs in real time to a syslog server with the IP address 172.20.2.1 using UDP, use the following commands:

• mode log on
• log syslog add udp 172.20.2.1
• log type guard on on
• apply

Multiple syslog servers can be specified on a CacheGuard appliance. In this case, logs are sent to all defined syslog servers in parallel.