CacheGuard-OS
User's Guide - Version UF-2.2.2
Traffic Logging
Logging gives you visibility into allowed or denied traffic exchanged with or via a CacheGuard appliance. As an administrator, you can select which types of traffic are logged; refer to the log command description in the Commands Manual to learn more about the available log types. Logs are stored locally on a CacheGuard appliance and can be saved on trusted remote file servers for inspection. You can also send them in real time to remote log servers using the "syslog" protocol (over UDP or TCP).
Managing Logs
A daily automatic log rotation during off-peak hours (between 04:00 AM and 06:59 AM) keeps rotated logs for a period of n days, where n is a value between 1 and 365 configured during the CacheGuard-OS installation. Each rotated log is identified by an integer between 1 and n called the log serial number. The most recent log (yesterday's log) has the number 1 and the oldest one has the number n. Note that when the appliance is overloaded, log rotation occurs hourly to avoid filling the provisioned log space on disk.
To save the current (today's) log, an explicit log rotation must be forced. Forcing a rotation means you do not have to wait for the daily automatic rotation. To rotate logs and obtain a report on the status of the rotation, use the following commands:
- log rotate
- log rotate report
Once the log rotation has finished, you can save the desired log types on a trusted file server. Note that saved logs are gzip compressed. To save the most recent Web access log in a file named "web-access-log.gz" on the TFTP server with the IP address 172.18.2.1, use the following command:
- log save web 1 tftp 172.18.2.1 web-access-log.gz
Note that logs can be saved on trusted file servers only. To declare a file server as trusted, use the access file command. Logging can also be completely disabled. To completely disable logging, use the following commands:
Logging Web Accesses
All Web accesses in forwarding and reverse modes can be logged. Web access logging lets you observe every Web access in detail and know which machine accessed which URL at what time. To activate Web access logging in forwarding and reverse modes, use the following commands:
- mode log on
- log type web on
- log type rweb on
- apply
Logging Denied Traffic
Allowed access logging concerns Web traffic only (in web or rweb modes). However, all traffic (Web or non-Web) rejected by services running on a CacheGuard appliance can be logged. For instance, you can configure the appliance to log all attempts to access forbidden URLs (denied by the URL guarding) and all network traffic rejected at the IP level (denied by the firewall). To this end, use the following commands:
- mode log on
- log type guard on
- log type antivirus on
- log type waf on
- log type firewall on
- apply
Syslog Servers
You can optionally send all locally saved logs to remote log servers that support the syslog protocol (UDP or TCP). Before activating the logging of a traffic type on a remote syslog server, that syslog server must be allowed on the CacheGuard appliance. To configure the appliance to send its URL guarding logs in real time to the syslog server with the IP address 172.20.2.1, using UDP, use the following commands:
- mode log on
- log syslog add udp 172.20.2.1
- log type guard on on
- apply
More than one syslog server can be specified on a CacheGuard appliance. In this case, logs are sent to all specified syslog servers in parallel.
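To show what the receiving side of the exchange above has to do, here is an added example (not CacheGuard code and not part of this guide) of a minimal UDP syslog collector in Python that decodes the facility and severity of each datagram and drops malformed ones. This guide does not document the exact layout of the appliance's syslog messages, so the sample lines are constructed, and the classic BSD-style <PRI>TIMESTAMP HOST TAG: MESSAGE shape, the default port 514, and the tag names guard and firewall are assumptions.

```python
"""Minimal syslog-over-UDP collector (added example, not CacheGuard code).

Assumptions: messages use the classic BSD syslog shape
    <PRI>TIMESTAMP HOST TAG[PID]: MESSAGE
where PRI = facility * 8 + severity. The sample lines below are constructed.
"""
import re
import socket
import threading

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample datagrams; the tag names are assumptions, not documented values.
SAMPLE_LINES = [
    "<14>Mar  7 04:12:01 cacheguard guard[1201]: denied url=http://example.invalid/blocked client=10.0.0.7",
    "<12>Mar  7 04:12:05 cacheguard firewall: denied proto=tcp src=10.0.0.9 dst=172.16.0.1 dport=23",
    "not a syslog message",  # malformed datagram: must be dropped, not crash the collector
]

_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                             # <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "    # BSD timestamp, e.g. "Mar  7 04:12:01"
    r"(?P<host>\S+) "                                   # sending host
    r"(?P<tag>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: ?"       # TAG or TAG[PID], then ':'
    r"(?P<msg>.*)$"
)


def parse_syslog(line):
    """Decode one syslog line; return None when the header or PRI is invalid."""
    m = _SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:          # 23 * 8 + 7 is the largest legal PRI value
        return None
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
    }


def open_listener(bind_addr="0.0.0.0", port=514):
    """Bind the UDP socket the appliance will send to (514 is the syslog default)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    return sock


def collect(sock, max_messages, timeout=5.0):
    """Receive up to max_messages datagrams, parse them, and record the sender address."""
    records = []
    sock.settimeout(timeout)
    while len(records) < max_messages:
        try:
            data, (src, _) = sock.recvfrom(65535)
        except socket.timeout:
            break
        rec = parse_syslog(data.decode("utf-8", errors="replace"))
        if rec is None:
            continue       # skip malformed datagrams
        rec["source"] = src
        records.append(rec)
    return records


def loopback_demo():
    """Send the sample lines to a collector on 127.0.0.1 and return what it decoded."""
    sock = open_listener("127.0.0.1", 0)             # port 0: pick a free ephemeral port
    port = sock.getsockname()[1]
    result = []
    worker = threading.Thread(target=lambda: result.extend(collect(sock, 2, timeout=2.0)))
    worker.start()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as out:
        for line in SAMPLE_LINES:
            out.sendto(line.encode(), ("127.0.0.1", port))
    worker.join()
    sock.close()
    return result


if __name__ == "__main__":
    for rec in loopback_demo():
        print(f"{rec['facility']}.{rec['severity']} {rec['host']} {rec['tag']}: {rec['message']}")
```

Running the module sends the constructed lines to itself over loopback and prints the two decoded records; the malformed third datagram is silently dropped. In a real deployment the listener would be bound on the address the appliance has been configured to send to, and, because UDP syslog carries no authentication, the collector host should accept datagrams only from the appliance's address.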