Chapter 18 Logging
18.1 Overview
The Logging mechanism used by the FortiBalancer appliance is Syslog compliant. System error and HTTP access information during proxy application are logged by using the logging subsystem. Syslog is a standard program for Unix and there are also Syslog implementations for Windows. On the Unix platform, syslog is started by the syslogd daemon. The syslogd daemon takes charge of receiving and storing log messages from local machine or remote machine, which listens at UDP 514 port. FortiBalancer appliance supports three remote log servers.
18.2 Understanding Logging
18.2.1 Syslog
Syslog is a protocol that is used for the transmission of event notification message across networks.
Syslog logging has eight valid levels of log message severity: emerg, alert, crit, err, warning, notice, info and debug. And the supported facilities are LOCAL0 to LOCAL7. Users can view the internal log buffer, select the transport protocol, and configure syslog source and destination ports and the alerts on log message string match.
18.2.2 RFC 5424 Syslog
RFC5424 defines the standard format of syslogs. The FortiBalancer appliance supports the RFC 5424 syslog function. When the RFC 5424 syslog function is enabled, the system will generate system logs in the standard format defined by RFC 5424. The format is “<PRI>VER
TIMESTAMP HOSTNAME APPNAME PROCID MSGID STRUCTURED-DATA MSG-CONTENT”. (The PROCID and STRUCTURED-DATA fields are not supported
temporarily and are displayed as “-”.) By default, the RFC 5424 syslog function is disabled. The configuration of “log rfc5424 on” takes effect only when the system logging function has been enabled by using the “log on” command.
18.2.3 HTTP Access Logging
HTTP Access Logging is the logging of information about every HTTP request and its response in a specific predefined format.
HTTP Access Logging supports four standard formats: Combined, WELF (WebTrends Enhanced Log), Common and Squid. And users can define their own logging format by using the “log http custom” command.
Note: The FortiBalancer appliance will record an HTTP access log only after the HTTP communication between the client and the Web server is completed successfully.
18.2.4 Log Filtering
Log filtering is designed to filter logs to different log servers by matching filter strings which are configured in the command “log filter”.
Log filtering in the OS allows administrators to collect only the logs that they are interested in instead of having to capture all the logs. For example, the administrator of “www.site1.com” may want to only collect the HTTP access logs for “www.site1.com”. Knowing if the logs contain a keyword “site1.com”, the administrator can create a filter for a log definition that captures only the logs which match the keyword. The administrator will now have a log file which contains only the desired logs.
If multiple log filters are set on a syslog host, the logs matching one of the filter strings will go to the syslog host.
18.3 Logging Configuration
18.3.1 Configuration Guidelines
Table 18-1 General Settings of Logging
Operation |
Command |
Enable the logging |
log {on|off} |
Enable RFC 5424 Syslog |
log rfc5424 {on|off} |
Configure the remote host |
log host <host_ip> [port] [udp|tcp] [host_id] |
Set log filters |
log filter <host_id> <filter_id> <filter_string> |
Set log level |
log level <level> |
Change log facility |
log facility <facility> |
Set HTTP access logging format |
log http {squid|common|combined|welf} [vip|novip] [host|nohost] log http custom <format> |
18.3.2 Configuration Example via CLI
- Step 1 Enable Logging function The logging system is off by default.
FortiBalancer(config)#log on
- Step 2 Enable the RFC 5424 Syslog function
FortiBalancer(config)#log rfc5424 on
- Step 3 Set the remote host to which log messages will be sent
The remote host IP address must be specified in dotted IP format. The remote port is optional and the default value is 514. The transport protocol for the syslog messages can be either UDP or TCP and the default is UDP. In our example, the host of 10.2.37.1 is listening for log message at UDP 514 port.
FortiBalancer(config)#log host 10.2.37.1 514 udp 1
- Step 4 Set log filters for the configured host
No more than 3 log filters can be set on one syslog host. Log filter canot be set on the syslog host whose ID is 0 (it is configured by the command “log host”). After this command is executed, only the logs matching this filter string go to the syslog host.
FortiBalancer(config)#log filter 1 1 “index”
- Step 5 Change the minimum log level at which messages will be logged
Once a log level is set, messages with level below the configured level will be ignored. The default level is info.
FortiBalancer(config)#log level err
- Step 6 Change the syslog facility The default facility is LOCAL0.
FortiBalancer(config)#log facility LOCAL0
- Step 7 Configure the HTTP access logging format
HTTP access information can be logged in one of the standard formats Squid, WELF, Common and Combined, or it can be logged in a custom format specified by the user.
FortiBalancer(config)#log http squid
- Step 8 Generate a test log
You can run the command “log test” to generate an emerg-level log.
FortiBalancer(config)#log test
- Step 9 View and clear logs
You can run the following command “show log buff {forward|backward} [match_str]” to view logs in the log buffer. The parameters “backward” and “forward” are used to display the logs that are latest and first generated respectively.
FortiBalancer(config)#show log buffer backward start of buffer
<128>1 2012-07-17T06:35:26Z FortiBalancer – – 100021002 – Fortinet test message |
You can run the command “clear log buff” to clear logs from the log buffer.
FortiBalancer(config)#clear log buffer