Navigation

The Logs Menu

In this page you find:

In the logs section of the Endian UTM Appliance the logs can be extensively viewed and their management can be done.

The sub-menu on the left-hand side of the screen contains the following items:

  • Live - get quick, live view of the latest log entries as they are being generated utm4i
  • Summary - get daily summaries of all logs utm4i
  • System - system logs (/var/log/messages) filtered by source and date utm4i
  • Service - logs from the intrusion detection system (IDS), OpenVPN, and antivirus utm4i
  • Firewall - logs from iptables rules utm4i
  • Proxy - logs from the HTTP, SMTP, and content filter proxies utm
  • Settings - customise all the log options utm4i
  • Trusted Timestamping - securely time stamp the log files to verify they have not been altered. utm4i

New in version 2.4: Trusted Timestamping has been added to the 2.4 update release of 28 Sept. 2011.

In a nutshell, there are two modalities to access the log from the GUI: Live and “by-service”: In the live mode the log files are visualised as soon as they are created, while in the “by-service” mode only the logs produced by one daemon or service are displayed.

Live utm4i

When entering in the Logs section, or clicking on the Live entry on the sub-menu, the Live log viewer is shown, a box showing the list of all the log files available for real time viewing. Any number of logs to see can be chosen by ticking the corresponding checkboxes, that are displayed in a new window upon clicking on the Show selected logs button. To watch all the log files at once, simply tick the Select all checkbox right above the Show selected logs button and then click on the latter button. Otherwise, to view only one log file, simply click on the Show this log only link.

The window that opens contains two boxes, Settings at the top and Live logs at the bottom.

Warning

The list of log entries can become nearly unreadable if many logs are showed, due to the possible high number of log entries produced (especially by the firewall or proxy log, which can generate several log entries per second in case of heavy traffic). In this cases, the logs to be displayed can be configured in the Settings box.

Settings

This box allows to modify the settings of the log viewer, including which of the log files to show, their colour and options to highlight or find specific keywords.

On the right-hand side of the box appears the list of the logs that are currently displayed, and the colour with which they are highlighted, while on the left-hand side some additional control elements are shown, that help limit the output:

Filter
Only the log entries that contain the expression in this field are shown.
Additional filter
Like the filter above, but applied to the output of the first filter. In other words, only log entries containing both expressions are shown in the log.
Pause output
Clicking on this button will prevent new log entries from appearing on the live log. However, after clicking the button once more, all new entries will appear at once, quickly scrolling the old ones.
Highlight
All the log entries that contain this expression will be highlighted in the chosen colour. The difference with the filtering option is that all the content is still displayed and the log entries containing the expression will be highlighted with a coloured background.
Highlight color
Clicking on the coloured square gives the choice to select the colour that will be used for highlighting.
Autoscroll
This option is only available if the Sort in reverse chronological order option in the Menubar ‣ Logs ‣ Settings section is turned off. This causes all the new entries to be shown at the bottom of the page: If this option is enabled, the list is scrolled upwards to show the latest entries at the bottom of the page, otherwise only the older entries are show and the scrollbar on the right should be used to see the new ones.

To add or remove some log from the display, click on the Show more link right below the list of the log files on the top right. The controls will be replaced by a table from which the desired log files can be selected by ticking or unticking their respective checkboxes. To change the colour of a log file, click on the colour palette of that log type and then choose a new colour. To show the controls again, click on one of the Close links below the table or below the list of the displayed log files.

Live logs

The logs chosen for viewing are shown in this box, which consists of a table divided in three columns.

Left column
This column contains the log name, that is, the daemon or service producing the log entry.
Middle column
The time stamp (date and time) of the event that has been recorded.
Right Column

The actual message generated by the service or daemon and recorded in the log files.

Note

Some log messages -especially Firewall entries- span more than one line, denoted by the expand button at the right of the message. To show the whole message, click on it or on the button.

Finally, there is also the chance to increase or decrease the window size by clicking on the Increase height or Decrease height buttons, respectively, which are situated on the heading of the box.

Common actions utm4i

The sub-menu entries System, Service, Firewall, and Proxy show log files for different services and daemons, grouped by similar characteristics. Several controls are available to search within the log, or view only some entries of the log, many of which are the same in all the services and daemons, with only the System menu item and the HTTP report tab under Proxy that have some additional control. These sub-menu entries have also a common structure of their pages, organised in two boxes: Settings at the top and Log at the bottom.

Filter
Only the lines that contain the entered expression are shown.
Jump to Date
Directly show log entries from this date.
Jump to Page
Directly show log entries from this page in the result set. The number of entries shown per page can be modified on the Menubar ‣ Logs ‣ Settings page.
Update
After changing any of the settings above, a click on this button refreshes the page content. The page is not refreshed automatically.
Export
When clicking on this button the log entries are exported to a text file.
Sign log
When clicking on this link, the current log is signed. This button is only available if Trusted Timestamping is enabled.
Older, Newer
These two buttons are present in the Log box and show up whenever the number of entries grows too much and are divided into two or more parts. They allow to browse older or newer entries of the search results by clicking on them.

Note

A message at the top of the page informs if on a given date there are no logs available: This can happen either if the daemon or service were not running, or if they did not produce any message.

In the remainder of this section, all the services and their peculiar settings are presented.

Summary utm4i

This page presents summaries for the logs produced by the Endian UTM Appliance, separated by days and generated by the logwatch log monitoring software. Unlike the other parts of the log section, it has its own settings to control the level of details shown. The following control elements are available in the first box at the top of the page.

Month
Select from this drop-down menu the month in which the log messages were generated.
Day
The second drop-down menu allows to pick the day in which the log messages were generated.
<<, >>
Browse the history, moving from one day (or part of it when too many messages have been generated) to another. The content of the page will be automatically refreshed.
Update
Immediately refresh the content of the page when the month/day combination has been changed.
Export
When clicking on this button, a text version of the summary is shown and can be saved on a local filesystem.

Below the Settings box, a variable number of boxes appears, depending on the running services that have log entries. The Disk Space box should at least be visible, showing the available disk space on the chosen date, while other boxes that can show up include Postfix (mail queue) and Firewall (accepted and dropped packets)

Note that the summaries are not available for the current day, as they are generated every night from the log files generated the day before.

System utm4i

In this section appears the log viewer for the various system log files. The upper box, Settings, defines the criteria to display the entries in the lower box. Besides the common actions, one additional control is available:

Section
The type of logs that should be displayed, either All or only those related to a given service or daemon. Among others, they include kernel messages, SSH access, NTP, and so on.

Following the choice of the section, click on the Update button to refresh the logs displayed in the Log box at the bottom of the page, in which the Older and Newer buttons allow to browse the pages.

Service utm4i

In this section appear the log entries for three of the most important services provided by the Endian UTM Appliance: IDS, OpenVPN, and the anti-virus, each in its own tab. Only the common actions are available.

Note

Endian 4i Edge do not have the anti-virus tabs.

Firewall utm4i

The firewall log viewer contains the messages that record the firewall’s activities. Only the common actions are available.

Information shown in the table are:

Time
The timestamp at which the message was generated.
Chain
The chain through which the packet has passed.
Iface
The interface through which the packet has passed.
Proto
The prototype of the packet.
Source, Src port
The IP address and port from which the packet has arrived.
MAC address
The MAC address of the source interface.
Destination, Dst port
The IP address and port to which the packet had to arrive.

Proxy utm

The proxy log viewer shows the logs for the four daemons that use the proxy. Each of them has its own tab: squid (HTTP), dansguardian (Content filter), sarg (HTTP report), and smtpd (SMTP, email proxy).

HTTP and Content filter utm

In addition to the common actions, the log viewer for squid and dansguardian allow these values to be specified:

Source IP
Show only the log entries containing the selected source IP Address, chosen from a drop-down menu.
Ignore filter
A regular expression that filters out all the log entries that contain it.
Enable ignore filter
Tick this checkbox to temporarily disable the ignore filter.
Restore defaults
Clicking on this button will restore the default search parameters.

HTTP Report utm

The HTTP report tab has only one option: To enable or not the proxy analysis report generator, by ticking the Enable checkbox and clicking on the Save button afterwards. Once the report generator is activated, a click on the Daily report, Weekly report, and Monthly report links shows detailed HTTP reports.

SMTP utm

Only the common actions are available in the tab of the postfix daemon.

Settings utm4i

This page contains all the global configuration items for the Endian UTM Appliance‘s logging facilities, organised into four boxes: Log viewing options, Log summaries, Remote logging, and Firewall logging

Log viewing options

Number of lines to display
The pagination value, i.e., how many lines are displayed per log-page.
Sort in reverse chronological order
If this checkbox is ticked, then the newest log entries will be displayed first.

Log summaries

Keep summaries for __ days
How long should the log summaries be stored on disk before deletion.
Detail level
The detail level for the log summary: the higher the level, the more log entries are saved and showed. The drop-down menu allows three levels of detail: Low, Medium, and High.

Remote logging

Enabled (Remote Logging)
Ticking this box allows to enable remote logging. The next option allows to enter the hostname of the syslog server.
Syslog server
The hostname of the remote server, to which the logs will be sent. The server must support the latest IETF syslog protocol standards.

Firewall logging

Log packets with BAD constellation of TCP flags
If this option is enabled the firewall will log packets with a bad constellation TCP flag (e.g., all flags are set).
Log NEW connections without SYN flag
With this option enabled, all new TCP connections without SYN flag will be logged.
Log accepted outgoing connections
To log all the accepted outgoing connections this checkbox must be ticked.
Log refused packets
All the refused packets will be logged by the firewall, if this option is enabled.

Growing Logging and disk space management

The standard policy for storing log files on Endian UTM Appliance has been the following. Every night, log files are rotated and saved as daemonname.nnn.gz, while newer messages are written in a new log file. nnn is a progressive number, starting from 1. On some appliances, especially on the New Mini ARM, disk space may be quickly filled up, especially if many daemons are actively logging.

This policy has been changed after the 2.5 release. Until the 2.4 version, indeed, the log’s storage policy of the Endian UTM Appliance was to keep up to 365 log files for each service, i.e., one year of saved logs, and only after one year older files were deleted. The new policy, after the release of the 2.5 version is to delete older log files, to make room for newer ones, when the partition storing the logs is about to run out of space. To be more precise, the packages in which first the policy changed are: efw-syslog-2.6.5-1.endian9.noarch.rpm (2.4-ARM), efw-syslog-2.9.8-1.endian9.noarch.rpm (2.5).

The new policy can be modified or even reverted, to suite different needs.

See also

More information about the policies about logging can be found in this article.

Trusted Timestamping utm4i

Trusted timestamping is a process that log files (but in general any document) undergo in order to track and certify their origin and compliance to the original. In other words, trusted timestamping allows to certify and verify that a log file has not been modified in any way by anyone, not even the original author. In the case of log files, trusted timestamping proves useful for example, to verify the accesses to the system or the connections from the VPN users, even in cases of independent audits.

Trusted timestamping is not enabled by default, but its activation only requires a click on the grey switch. When it turns green, some configuration options will show up.

Timestamp server URL

The URL of the timestamp server (also called TSA) is mandatory, since it will be this server that signs the log files.

Note

A valid URL of a valid TSA is needed to be able to use trusted timestamping. Several Companies can supply this kind of service.

HTTP authentication
If the timestamp server requires to authenticate, tick the box below the HTTP authentication label.
Username
The username used to authenticate on the timestamp server.
Password.
The password used to authenticate on the timestamp server.
Public key of the timestamping server
To ease and to make the communication with the server more secure, the server’s public key can be imported. the certificate file can be searched on the local computer by clicking on the Browse... button, and then uploaded to the Endian UTM Appliance by clicking on the Upload button. After the certificate has been stored, next to the Public key of the timestamping server label, a Download link will appear, that can be clicked to retrieve the certificate, for example if it should be installed on another Endian UTM Appliance.

After clicking on the Save button, the settings are stored and, on the next day, a new button will appear in the Logs section, on the right-hand side of the Settings box:

Verify log signature
When clicked it will show a message in a yellow callout to inform about the status of the log.

See also

The official OpenSSL timestamping documentation and RFC 3161, the original definition of the Time Stamp Protocol.

Table Of Contents

Previous topic

Client Access to the Hotspot

Next topic

Glossary

Documentation archive

Version 2.4
Version 2.3
Version 2.2
Version 2.1

Navigation

© Copyright 2011-2012, Endian S.r.l.. Documentation revision #6, last updated on Apr 11, 2014.