| Log File | Comments |
|---|---|
| Alert | The Alert log documents network traffic that triggers IPS filters configured with the following action sets: Permit + Notify, Permit + Notify + Trace, Trust + Notify, Rate Limit + Notify. |
| Audit | The Audit log tracks user activity that may have security implications, including user attempts (successful and unsuccessful) to do the following: change user information; change IPS, routing or network configuration; gain access to controlled areas (including the audit log); update system software and attack protection filter packages; change filter settings. |
| Block | The IPS Block log documents packets that trigger IPS filters configured with any action set that includes a Block + Notify or Block + Notify + Trace action, including the Quarantine and TCP Reset action sets. |
| Packet-trace | The packet-trace log contains a list of all captured packets. |
| Quarantine | The Quarantine log records the IP addresses that have been added to and removed from quarantine. |
| System | The System log contains information about the software processes that control the IPS device, including startup routines, run levels, and maintenance routines. |
Note: The packet-trace log contains a list of all captured packets, not the packets themselves. Packet trace files are stored in the "/usr" partition.

The logs provide information on system events and on traffic-related events triggered by the filters configured on the device. The IPS device maintains a historical log file and a current log file for each log. When the current log file reaches the default size (4MB), the log is de-activated and saved as the historical file, and a new log file is started as the current log. If a historical file already exists, that file is deleted, so at most two files (roughly 8MB) of each log are retained on the device. When the log is rolled over, the system generates a message in the Audit log. If you want to keep all log data and create a backup, you can configure the system to offload log messages to a remote system log.
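The rollover behaviour described above determines how much history a defender can recover from the device itself. The following added example (not TippingPoint code; the on-device log format and the remote-syslog hook are assumptions) models that behaviour: one current file, at most one historical file, the older historical file deleted on rollover, an Audit entry per rollover, and an optional remote offload. It also estimates, from an event rate and average record size, how long a log survives locally before it is overwritten.

```python
"""Model of the current/historical log rollover described on this page.

Added example; not the IPS vendor's code. The record contents, record sizes,
and the `remote` callback are constructed assumptions used to show the
retention limit, not the device's real log format or syslog interface.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

DEFAULT_MAX_BYTES = 4 * 1024 * 1024  # 4 MB default current-file size (from the page)


@dataclass
class RotatingLog:
    name: str
    max_bytes: int = DEFAULT_MAX_BYTES
    audit: List[str] = field(default_factory=list)        # shared Audit log (rollover messages)
    remote: Optional[Callable[[str, str], None]] = None    # remote syslog hook (assumed interface)
    current: List[str] = field(default_factory=list)
    historical: Optional[List[str]] = None
    current_size: int = 0
    rollovers: int = 0
    discarded_records: int = 0   # records lost when an older historical file was deleted

    def write(self, record: str) -> None:
        if self.remote is not None:
            self.remote(self.name, record)   # offload first, so retention of the copy does not depend on rollover
        self.current.append(record)
        self.current_size += len(record.encode()) + 1   # +1 for the newline
        if self.current_size >= self.max_bytes:
            self._rollover()

    def _rollover(self) -> None:
        if self.historical is not None:
            # The page states an existing historical file is deleted on rollover.
            self.discarded_records += len(self.historical)
        self.historical = self.current
        self.current = []
        self.current_size = 0
        self.rollovers += 1
        self.audit.append(f"log {self.name} rolled over (rollover #{self.rollovers})")

    def retained(self) -> List[str]:
        """Everything still readable on the device: historical file, then current file."""
        return (self.historical or []) + self.current


def simulate(n_records: int, record_bytes: int,
             max_bytes: int = DEFAULT_MAX_BYTES, offload: bool = False) -> Dict[str, int]:
    """Write n fixed-size constructed records into a Block log and report what survived."""
    audit: List[str] = []
    remote_store: List[str] = []
    hook = (lambda name, rec: remote_store.append(rec)) if offload else None
    log = RotatingLog("Block", max_bytes=max_bytes, audit=audit, remote=hook)
    for i in range(n_records):
        # constructed record: sequence number padded to record_bytes-1 chars (newline makes record_bytes)
        log.write(str(i).ljust(record_bytes - 1, "x"))
    return {
        "rollovers": log.rollovers,
        "retained": len(log.retained()),
        "discarded": log.discarded_records,
        "audit_entries": len(audit),
        "remote_copies": len(remote_store),
    }


def retention_window_seconds(events_per_second: float, avg_record_bytes: int,
                             max_bytes: int = DEFAULT_MAX_BYTES) -> float:
    """Approximate seconds of history kept on the device (two files: historical + current).

    Right after a rollover only the historical file is full, so the worst case is
    about half this value.
    """
    records_kept = (2 * max_bytes) // avg_record_bytes
    return records_kept / events_per_second


if __name__ == "__main__":
    print(simulate(25, 10, max_bytes=100))            # tiny threshold to make the rollover visible
    print(simulate(25, 10, max_bytes=100, offload=True))
    print(round(retention_window_seconds(100, 200)))  # 100 events/s at 200 bytes each
```

With the tiny 100-byte threshold, 25 ten-byte records produce two rollovers: the first ten records are deleted from the device and only the last fifteen remain, while the remote copy holds all 25. At the real 4MB size and a sustained 100 events/s of 200-byte records, the device keeps about seven minutes of history, which is the practical argument for the remote syslog offload the page recommends.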