Guidelines for Logging

This section includes guidelines and limitations that you should review before configuring logging.

IPv6 Guidelines

  • IPv6 is supported. Syslogs can be sent using TCP or UDP.

  • Ensure that the interface configured for sending syslogs is enabled, IPv6 capable, and the syslog server is reachable through the designated interface.

  • Secure logging over IPv6 is not supported.

Additional Guidelines

  • Do not configure management center as a primary syslog server. The management center can log some syslogs. However, it does not have adequate storage provision to accommodate voluminous information from connection events for every sensor, especially when multiple sensors are used and all send syslogs.

  • The syslog server must run a server program called syslogd. Windows provides a syslog server as part of its operating system.

  • The syslog server operates based on the syslog-ng process of the firewall system. Do not use external configuration files, like the scwx.conf file from SecureWorks. Such files are not compatible with the device. Using them will lead to a parsing error, and eventually the syslog-ng process will fail.

  • To view logs generated by the threat defense device, you must specify a logging output destination. If you enable logging without specifying a logging output destination, the threat defense device generates messages but does not save them to a location from which you can view them. You must specify each different logging output destination separately.

  • If you use TCP as the transport protocol, the system opens 4 connections to the syslog server to ensure that messages are not lost. If you are using the syslog server to collect messages from a very large number of devices, and the combined connection overhead is too much for the server, use UDP instead.

  • You cannot assign two different lists or classes to different syslog servers or to the same locations.

  • You can configure up to 16 syslog servers.

  • The syslog server should be reachable through the threat defense device. You should configure the device to deny ICMP unreachable messages on the interface through which the syslog server is reachable and to send syslogs to the same server. Make sure that you have enabled logging for all severity levels. To prevent the syslog server from crashing, suppress the generation of syslogs 313001, 313004, and 313005.

  • The number of UDP connections for syslog is directly related to the number of CPUs on the hardware platform and the number of syslog servers you configure. At any point in time, there can be as many UDP syslog connections as there are CPUs times the number of configured syslog servers. This is the expected behavior. Note that the global UDP connection idle timeout applies to these sessions, and the default is 2 minutes. You can adjust that setting if you want to close these sessions more quickly, but the timeout applies to all UDP connections, not just syslog.

  • When the threat defense device sends syslogs via TCP, the connection takes about one minute to initiate after the syslogd service restarts.
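A planning check for the limits listed above, as an added example that is not part of the original documentation or any product tooling: it lints a planned syslog layout against the 16-server limit, the IPv6 secure-logging restriction and the three syslog IDs to suppress, and totals the TCP connections each server must accept from the fleet. The device names, addresses and data layout are constructed for illustration, and counting only UDP-configured servers toward UDP sessions is an assumption.

```python
import ipaddress
from collections import Counter

MAX_SERVERS = 16                       # "up to 16 syslog servers"
TCP_CONNS_PER_SERVER = 4               # connections a device opens to each TCP server
SUPPRESS = {313001, 313004, 313005}    # syslog IDs the guidelines say to suppress

def lint_device(name, cpus, servers, suppressed):
    """servers: list of (address, transport, secure). Returns (findings, udp_sessions)."""
    findings = []
    if len(servers) > MAX_SERVERS:
        findings.append(f"{name}: {len(servers)} syslog servers exceeds the limit of {MAX_SERVERS}")
    for addr, _transport, secure in servers:
        if secure and ipaddress.ip_address(addr).version == 6:
            findings.append(f"{name}: secure logging to {addr} is not supported over IPv6")
    missing = sorted(SUPPRESS - set(suppressed))
    if missing:
        findings.append(f"{name}: syslog IDs not suppressed: {missing}")
    # Assumption: only servers configured for UDP count toward UDP sessions.
    udp_sessions = cpus * sum(1 for _, t, _ in servers if t == "udp")
    return findings, udp_sessions

def tcp_load(fleet):
    """Return Counter: server address -> TCP connections it must accept from the fleet."""
    load = Counter()
    for dev in fleet:
        for addr, transport, _secure in dev["servers"]:
            if transport == "tcp":
                load[addr] += TCP_CONNS_PER_SERVER
    return load

# Constructed sample fleet (documentation address ranges, hypothetical device names).
FLEET = [
    {"name": "ftd-1", "cpus": 8, "suppressed": [313001, 313004, 313005],
     "servers": [("192.0.2.10", "tcp", False), ("2001:db8::10", "udp", False)]},
    {"name": "ftd-2", "cpus": 4, "suppressed": [313001],
     "servers": [("192.0.2.10", "tcp", False), ("2001:db8::20", "tcp", True)]},
]

if __name__ == "__main__":
    for dev in FLEET:
        findings, udp = lint_device(dev["name"], dev["cpus"], dev["servers"], dev["suppressed"])
        print(dev["name"], "max UDP syslog sessions:", udp, findings)
    print("TCP connections per server:", dict(tcp_load(FLEET)))
```

Comparing the per-server TCP totals against what the collector can sustain is the input to the TCP-versus-UDP decision described in the guidelines.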