Log Message Distribution - D-Link NetDefend DFL-210 User Manual

Network security firewall ver 2.26.01
2.2.3. Log Message Distribution

By default, NetDefendOS sends all messages of level Info and above to configured log servers. The
Debug category is intended for troubleshooting only and should only be turned on if required when
trying to solve a problem. All log messages of all severity levels are found listed in the
NetDefendOS Log Reference Guide.
To distribute and log the event messages generated, it is necessary to define one or more event
receivers that specify what events to capture, and where to send them.
NetDefendOS can distribute event messages in the following ways:
Memlog
NetDefendOS has a built in logging mechanism known as the Memory Log. This retains
all event log messages in memory and allows direct viewing of log messages through the
Web Interface.
Syslog
The de-facto standard for logging events from network devices. If other network devices
are already logging to Syslog servers, using syslog with NetDefendOS messages can
simplify overall administration.
2.2.3.1. Logging to Memlog
Memlog is an optional NetDefendOS feature that allows logging direct to memory in the NetDefend
Firewall instead of sending messages to an external server. Memlog messages can be examined
through the standard user interfaces.
The Memlog memory is limited to a fixed, predetermined size since hardware resources are limited.
When the allocated memory is filled up with log messages, the oldest messages are discarded to
make room for newer incoming messages. This means that Memlog holds only a limited number of
messages since the last system initialization, and once the buffer fills it contains only the most
recent ones. Consequently, when NetDefendOS is generating large numbers of messages, for example
in systems with many VPN tunnels, the Memlog information becomes less meaningful since it
reflects only a short recent time period.
2.2.3.2. Logging to Syslog Hosts
Overview
Syslog is a standardized protocol for sending log data although there is no standardized format for
the log messages themselves. The format used by NetDefendOS is well suited to automated
processing, filtering and searching.
Although the exact format of each log entry depends on how a Syslog receiver works, most are very
much alike. The way in which logs are read is also dependent on how the syslog receiver works.
Syslog daemons on UNIX servers usually log to text files, line by line.
Message Format
Most Syslog recipients preface each log entry with a timestamp and the IP address of the machine
that sent the log data:
Feb 5 2000 09:45:23 firewall.ourcompany.com
This is followed by the text the sender has chosen to send.
Feb 5 2000 09:45:23 firewall.ourcompany.com EFW: DROP:
Subsequent text is dependent on the event that has occurred.
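The following is an added example, not code from the manual or from D-Link, showing how a collector could parse receiver-formatted lines of the shape shown above (timestamp, sending host, then the "EFW: <EVENT>:" text) and apply the "Info and above" threshold described in this section. The key=value layout after the event name, the severity ordering, and the sample lines other than the manual's own "EFW: DROP:" line are assumptions constructed for the demonstration; consult the NetDefendOS Log Reference Guide for the real field layout.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Receiver prefix as in the manual's example line:
#   Feb 5 2000 09:45:23 firewall.ourcompany.com EFW: DROP: ...
# Month, day (1 or 2 digits), year, time, then the sending host and the text.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<year>\d{4})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<text>.*)$"
)

# The sender text begins with "EFW: <EVENT>:" in the manual; what follows is
# event-dependent. The key=value layout parsed below is an assumption for this
# example, not a format the manual specifies.
EFW_RE = re.compile(r"^EFW:\s*(?P<event>[A-Za-z_]+):\s*(?P<rest>.*)$")

# Severity order, lowest first (assumption; the manual only names Info and Debug).
SEVERITIES = ["debug", "info", "notice", "warning", "error", "critical", "alert", "emergency"]


@dataclass
class SyslogEntry:
    timestamp: datetime
    host: str
    event: Optional[str]                      # e.g. "DROP"; None if not EFW-prefixed
    fields: Dict[str, str] = field(default_factory=dict)
    raw: str = ""


def parse_line(line: str) -> Optional[SyslogEntry]:
    """Parse one receiver-formatted line; return None if the prefix does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(
        f"{m['mon']} {m['day']} {m['year']} {m['time']}", "%b %d %Y %H:%M:%S"
    )
    event, fields = None, {}
    e = EFW_RE.match(m["text"])
    if e:
        event = e["event"].upper()
        for tok in e["rest"].split():           # assumed key=value tokens
            if "=" in tok:
                k, v = tok.split("=", 1)
                fields[k] = v
    return SyslogEntry(ts, m["host"], event, fields, line)


def severity_at_least(entry: SyslogEntry, minimum: str = "info") -> bool:
    """True if the entry's prio field meets the threshold; entries without prio are kept."""
    prio = entry.fields.get("prio")
    if prio is None or prio.lower() not in SEVERITIES:
        return True
    return SEVERITIES.index(prio.lower()) >= SEVERITIES.index(minimum)


def parse_all(lines: List[str]) -> Tuple[List[SyslogEntry], List[str]]:
    """Split a feed into parsed entries and lines that did not match the prefix."""
    parsed, rejected = [], []
    for ln in lines:
        if not ln.strip():
            continue
        entry = parse_line(ln)
        if entry:
            parsed.append(entry)
        else:
            rejected.append(ln)
    return parsed, rejected


def count_events(entries: List[SyslogEntry]) -> Counter:
    return Counter(e.event or "UNKNOWN" for e in entries)


# Constructed sample feed: the first line is the manual's example extended with
# made-up fields; the remaining lines are invented for the demonstration.
SAMPLE_LINES = [
    "Feb 5 2000 09:45:23 firewall.ourcompany.com EFW: DROP: prio=warning rule=Default_Rule srcip=10.0.0.5",
    "Feb 5 2000 09:45:24 firewall.ourcompany.com EFW: ALLOW: prio=info rule=allow_http srcip=10.0.0.7",
    "Feb 5 2000 09:45:25 firewall.ourcompany.com EFW: DEBUG: prio=debug msg=state_dump",
    "Feb 5 2000 09:45:26 firewall.ourcompany.com EFW: DROP: prio=warning rule=Default_Rule srcip=10.0.0.5",
    "not a syslog line at all",
]


def demo() -> dict:
    parsed, rejected = parse_all(SAMPLE_LINES)
    kept = [e for e in parsed if severity_at_least(e, "info")]   # drops the Debug entry
    return {
        "parsed": len(parsed),
        "rejected": len(rejected),
        "kept_info_and_above": len(kept),
        "drops": count_events(kept)["DROP"],
        "first_host": parsed[0].host,
        "first_time": parsed[0].timestamp.isoformat(),
    }


if __name__ == "__main__":
    print(demo())
```

Lines that do not match the receiver prefix are returned separately rather than silently dropped, so a collector can see when a Syslog receiver uses a different prefix layout than the one the manual shows.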
Chapter 2. Management and Maintenance
54
