The Logs and Reports Menu

In the logs and reports section of the 4i Edge X there are different possibilities to look at and to analyse the log files.

The sub-menu on the left-hand side of the screen contains the following items:

  • Live Logs–get quick, live view of the latest log entries as they are being generated.

  • Summary–get daily summaries of all logs.

  • Services–logs from the intrusion detection system (IDS), OpenVPN, and antivirus.

  • System–system logs (/var/log/messages) filtered by source and date.

  • Firewall–logs from iptables rules.

  • VPN–logs of VPN services (OpenVPN server and client, IPsec).

  • Log settings–customise all the log options.

In a nutshell, there are two modalities to access the log from the GUI:live and by-service. The first is represented by the live mode, in which the log files are visualised as soon as they are created, while in the by-service mode only the logs produced by one service at a time are displayed.

Live Logs

In this module it is possible to show the log file of the 4i Edge X in real time as they are produced.

Live Log viewer

When entering in the Live Logs section, the list of the log files available for real time viewing is shown. Any number of logs to watch can be chosen by ticking the corresponding checkbox; they will be displayed in a new window upon clicking on the Show selected logs button on the bottom of the table.

To watch all the log file at once, tick the Select all checkbox on the left-hand side of the Service label and click on the Show selected logs button.

A single log files can be viewed by simply clicking on the icon in the Actions column on the right-hand side of the corresponding log file.

The window that opens contains two boxes, Settings at the top and Live logs at the bottom.

Warning

The list of log entries can become nearly unreadable if many logs are showed at once, due to the possible high number of log entries produced, for example by the firewall or VPN log, which can generate multiple log entries per second, especially in case of heavy traffic.

Settings

This box allows to modify the settings of the log viewer, including which of the log files to show, their colour and options to highlight or find specific keywords.

On the right-hand side of the box appears the list of the logs that are currently displayed, and the colour with which they are highlighted, while on the left-hand side some additional control elements are shown, that help limit the output:

Filter

Only the log entries that contain the expression in this field are shown.

Additional filter

Like the filter above, but applied to the output of the first filter. In other words, only log entries containing both expressions are shown in the log.

Pause output

Clicking on this button will prevent new log entries from appearing on the live log. However, after clicking the button once more, all new entries will appear at once, quickly scrolling the old ones.

Highlight

All the log entries that contain this expression will be highlighted in the chosen colour. The difference with the filtering option is that all the content is still displayed and the log entries containing the expression will be highlighted with a coloured background.

Highlight color

A click on the coloured square gives the choice to select the colour that will be used for highlighting.

Autoscroll

This option is only available if the Sort in reverse chronological order option in the Menubar ‣ Logs ‣ Settings section is turned off. This causes all the new entries to be shown at the bottom of the page: If this option is enabled, the list is scrolled upwards to show the latest entries at the bottom of the page, otherwise only the older entries are show and the scrollbar on the right should be used to see the new ones.

To change the log to be watched, click on the Show more link right below the list of the log files on the top right corner. The box will be replaced by the list of log files; here, tick the checkbox of the log to be shown and untick the checkbox of those that should not appear.

To change the colour of a log file, click on the colour palette -between the checkbox and the service name- of that log type and then choose a new colour. To close the list of logs and show the settings again, click on Close either below the services or below the list of the displayed log files.

Live logs

The logs chosen for viewing are shown in this box, which consists of a table divided in three columns.

Left column

This column contains the log name, that is, the daemon or service producing the log entry.

Middle column

The time stamp (date and time) of the event that has been recorded.

Right Column

The actual message generated by the service or daemon and recorded in the log files.

Note

Some log messages -especially Firewall entries- span more than one line. To show the whole message, click on it or on the expand button at the right of the message.

Finally, there is also the chance to increase or decrease the window size by clicking on the Increase height or Decrease height buttons, respectively, which are situated on the top right heading of the box.

Type to Filter…

Type a pattern that will be used to retrieve only the log messages containing it.

Date Selector

Show log entries only on the selected date. Click on the current date to open a dialog window that allows to choose other dates. Only dates in which log files have been produced are selectable; the other are greyed out. To search for previous months or years, click on the month or year.

Note

Log files are rotated daily during the night. If at that time the 4i Edge X is powered off, no rotation takes place and all the entries in the log file will be considered as today’s entries, even if they were generated on the previous day(s).

Older, Newer

These two buttons allow to browse older or newer entries of the search results by clicking on them.

Export

A click on this button will download the log file.

Note

The name of the downloaded file includes the 4i Edge X’s hostname, the path to the log file, and the day on which it was exported; its suffix will be .log. Example: efw-endian_var_log_messages_20190627.

At the bottom of the page, two additional controls are available, one on the left-hand side, the other on the right-hand side.

Total, Items/page

The total number of lines in the log file is shown, together with the current pagination value, that can be changed to display less or more messages per pages.

Jump to Page

If log file becomes quite long, or the pagination value is low, or both, the log file will be displayed in multiple pages. Click on the number of the page or on one on the arrows to go to the previous or next page.

Hint

The arrows appear only when needed, i.e., if the currently selected page has a previous or next page.

Summary

This page presents summaries for the logs produced by the 4i Edge X, separated by days. The summary refers to log files that have been generated until the previous day; a red message will be displayed to inform that the previous day no log file has been produced or that there where no log files at all, for example because the 4i Edge X was just started for the first time, or it was reinstalled.

Unlike the other parts of the log section, it has its own settings to control the level of details shown. The following control elements are available at the top of the page.

Date

Select from this drop-down menu the day and month in which the log messages were generated.

Hint

in the calendar widget, days in bold contain logs, while greyed out do not contain any log entry and are not selectable.

Older, Newer

Browse the history, moving to the previous or next day. The content of the page will be automatically refreshed.

Export

When clicking on this button, a text version of the summary is shown and can be saved on a local filesystem.

Update

Immediately refresh the content of the page when the month/day combination has been changed.

Below the settings box, a variable number of boxes appears, depending on the running services that have log entries. The Disk Space box should at least be visible, showing the available disk space on the chosen date, while other boxes that can show up include Firewall and Systemd.

Note that the summaries are not available for the current day, as they are generated nightly from the log files generated the day before.

Services

Changed in version 6.0: The OpenVPN service has been moved to its own page.

Changed in version 6.0: New widgets to search within log files.

In this section appear the log entries for the IDS service. The following options are available, to search within the log files.

Type to Filter…

Type a pattern that will be used to retrieve only the log messages containing it.

Date Selector

Show log entries only on the selected date. Click on the current date to open a dialog window that allows to choose other dates. Only dates in which log files have been produced are selectable; the other are greyed out. To search for previous months or years, click on the month or year.

Note

Log files are rotated daily during the night. If at that time the 4i Edge X is powered off, no rotation takes place and all the entries in the log file will be considered as today’s entries, even if they were generated on the previous day(s).

Older, Newer

These two buttons allow to browse older or newer entries of the search results by clicking on them.

Export

A click on this button will download the log file.

Note

The name of the downloaded file includes the 4i Edge X’s hostname, the path to the log file, and the day on which it was exported; its suffix will be .log. Example: efw-endian_var_log_messages_20190627.

At the bottom of the page, two additional controls are available, one on the left-hand side, the other on the right-hand side.

Total, Items/page

The total number of lines in the log file is shown, together with the current pagination value, that can be changed to display less or more messages per pages.

Jump to Page

If log file becomes quite long, or the pagination value is low, or both, the log file will be displayed in multiple pages. Click on the number of the page or on one on the arrows to go to the previous or next page.

Hint

The arrows appear only when needed, i.e., if the currently selected page has a previous or next page.

System

In this section appears the log viewer for the system log file, /var/log/messages and will contain all the entries since the last time it was rotated. The following options are available.

Section

Choose from the drop-down menu which logs should be displayed, either All or only those related to a given service or daemon. Among others, they include kernel and system messages, SSH, NTP, and DHCP.

Type to Filter…

Type a pattern that will be used to retrieve only the log messages containing it.

Date Selector

Show log entries only on the selected date. Click on the current date to open a dialog window that allows to choose other dates. Only dates in which log files have been produced are selectable; the other are greyed out. To search for previous months or years, click on the month or year.

Note

Log files are rotated daily during the night. If at that time the 4i Edge X is powered off, no rotation takes place and all the entries in the log file will be considered as today’s entries, even if they were generated on the previous day(s).

Older, Newer

These two buttons allow to browse older or newer entries of the search results by clicking on them.

Export

A click on this button will download the log file.

Note

The name of the downloaded file includes the 4i Edge X’s hostname, the path to the log file, and the day on which it was exported; its suffix will be .log. Example: efw-endian_var_log_messages_20190627.

At the bottom of the page, two additional controls are available, one on the left-hand side, the other on the right-hand side.

Total, Items/page

The total number of lines in the log file is shown, together with the current pagination value, that can be changed to display less or more messages per pages.

Jump to Page

If log file becomes quite long, or the pagination value is low, or both, the log file will be displayed in multiple pages. Click on the number of the page or on one on the arrows to go to the previous or next page.

Hint

The arrows appear only when needed, i.e., if the currently selected page has a previous or next page.

Firewall

The firewall log viewer contains the messages that record the firewall’s activities.

Each line in the table is a connection recorded by the firewall, together with a number of information:

Time

The timestamp at which the message was generated.

Chain

The chain through which the packet has passed, including the policy applied to the packet.

Iface

The interface through which the packet has passed.

Proto

The protocol of the packet.

Source, Src port

The IP address and port from which the packet has arrived.

MAC address

The MAC address of the source interface.

Destination, Dst port

The IP address and port to which the packet has arrived.

The following options are available, to search within the log files.

Type to Filter…

Type a pattern that will be used to retrieve only the log messages containing it.

Date Selector

Show log entries only on the selected date. Click on the current date to open a dialog window that allows to choose other dates. Only dates in which log files have been produced are selectable; the other are greyed out. To search for previous months or years, click on the month or year.

Note

Log files are rotated daily during the night. If at that time the 4i Edge X is powered off, no rotation takes place and all the entries in the log file will be considered as today’s entries, even if they were generated on the previous day(s).

Older, Newer

These two buttons allow to browse older or newer entries of the search results by clicking on them.

Export

A click on this button will download the log file.

Note

The name of the downloaded file includes the 4i Edge X’s hostname, the path to the log file, and the day on which it was exported; its suffix will be .log. Example: efw-endian_var_log_messages_20190627.

At the bottom of the page, two additional controls are available, one on the left-hand side, the other on the right-hand side.

Total, Items/page

The total number of lines in the log file is shown, together with the current pagination value, that can be changed to display less or more messages per pages.

Jump to Page

If log file becomes quite long, or the pagination value is low, or both, the log file will be displayed in multiple pages. Click on the number of the page or on one on the arrows to go to the previous or next page.

Hint

The arrows appear only when needed, i.e., if the currently selected page has a previous or next page.

VPN

New in version 6.0: This section has been moved from under the Logs and Reports ‣Services menu and logs for OpenVPN server, client, and IPsec are separated.

This section contains the log files for the OpenVPN server, OpenVPN client, and IPsec services, each in its own subsection. In all the sections, the following options are available.

Type to Filter…

Type a pattern that will be used to retrieve only the log messages containing it.

Date Selector

Show log entries only on the selected date. Click on the current date to open a dialog window that allows to choose other dates. Only dates in which log files have been produced are selectable; the other are greyed out. To search for previous months or years, click on the month or year.

Note

Log files are rotated daily during the night. If at that time the 4i Edge X is powered off, no rotation takes place and all the entries in the log file will be considered as today’s entries, even if they were generated on the previous day(s).

Older, Newer

These two buttons allow to browse older or newer entries of the search results by clicking on them.

Export

A click on this button will download the log file.

Note

The name of the downloaded file includes the 4i Edge X’s hostname, the path to the log file, and the day on which it was exported; its suffix will be .log. Example: efw-endian_var_log_messages_20190627.

At the bottom of the page, two additional controls are available, one on the left-hand side, the other on the right-hand side.

Total, Items/page

The total number of lines in the log file is shown, together with the current pagination value, that can be changed to display less or more messages per pages.

Jump to Page

If log file becomes quite long, or the pagination value is low, or both, the log file will be displayed in multiple pages. Click on the number of the page or on one on the arrows to go to the previous or next page.

Hint

The arrows appear only when needed, i.e., if the currently selected page has a previous or next page.

Log settings

This page contains global configuration options for the 4i Edge X’s logging facility.

Settings

The available options are grouped into three categories: Log summaries, Remote logging, and Firewall logging.

Changed in version 6.0: The Log viewing options have been removed from here and are now included in each page of the Log and Reports module.

Log summaries

Keep summaries for

How many days the log summaries are stored on disk before their deletion.

Detail level

The detail level for the log summary: the higher the level, the more log entries are saved and showed. The drop-down menu allows three levels of detail: Low, Medium, and High.

Remote logging

Click on the Disabled switch to enable remote logging. A few options allow to define where to send the log messages.

Note

The remote server must support the latest IETF syslog protocol standards.

Remote server address

The IP address of the remote syslog server, to which the logs will be sent.

Remote server port

The port on the remote server that accepts incoming syslog connection.

Hint

By default, syslog listens on port 514 UDP.

Protocol

Select from the drop-down menu if the communication to the remote syslog server should use UDP or TCP.

Firewall logging

Log packets with BAD constellation of TCP flags

If this option is enabled the firewall will log packets with a bad constellation TCP flag (e.g., all flags are set).

Log NEW connections without SYN flag

With this option enabled, all new TCP connections without SYN flag will be logged.

Log refused packets

All the refused packets will be logged by the firewall, if this option is enabled.

Growing Logging Files and Disk Space Management

The log files on the 4i Edge X are stored on a dedicated partition, under the /var/log/ (today’s log files) and /var/log/archives directories. Every night files are rotated -compressed and moved to the /var/log/archives directory. During the rotation, if the the partition is about to run out of space, the older log files are deleted, to make room for the new ones.

However, when the partition runs out of space during the day, for example because log is active for many services and there is a high volume of traffic, no log file will be recorded anymore. This might render the system unstable and may lead to the impossibilities to start new services or even refuse connections.

In case the log archives are important and the partition is always full, it is suggested to regularly copy the log archives from the 4i Edge X to a safe place where to store them and remove them from the 4i Edge X. As an alternative, the setup of a remote syslog server is a viable alternative.

See also

More information about the logging policies can be found in https://help.endian.com/hc/en-us/articles/218146648.

Some guidelines to free space on a 4i Edge X can be found in https://help.endian.com/hc/en-us/articles/218146718.