Log settings

This page contains global configuration options for the UTM's logging facility.

Settings

The available options are grouped into three categories: Log summaries, Remote logging, and Firewall logging.

Changed in version 6.0: The Log viewing options have been removed from here and are now included in each page of the Log and Reports module.

Log summaries

Keep summaries for

The number of days the log summaries are kept on disk before they are deleted.

Detail level

The detail level for the log summary: the higher the level, the more log entries are saved and shown. The drop-down menu allows three levels of detail: Low, Medium, and High.

Remote logging

Click on the Disabled switch to enable remote logging. A few options define where the log messages are sent.

Note

The remote server must support the latest IETF syslog protocol standards.

Remote server address

The IP address of the remote syslog server, to which the logs will be sent.

Remote server port

The port on the remote server that accepts incoming syslog connections.

Hint

By default, syslog listens on port 514 UDP.

Protocol

Select from the drop-down menu whether communication with the remote syslog server should use UDP or TCP.
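As an added example (not from the Endian documentation), the following Python shows the RFC 5424 message format an IETF-compliant syslog collector must accept, the octet-counting framing used when the Protocol option is TCP, and a loopback check a practitioner can adapt to confirm a collector accepts such messages before pointing the UTM at it. It assumes that "latest IETF syslog protocol standards" means RFC 5424 (with RFC 6587 framing over TCP); the hostname, application name and message text are constructed sample values, not the UTM's actual output.

```python
import socket
from datetime import datetime, timezone

# RFC 5424 PRI = facility * 8 + severity (standard facility/severity codes)
LOCAL0 = 16
INFO = 6


def build_rfc5424(msg, hostname="utm.example.test", appname="firewall",
                  facility=LOCAL0, severity=INFO, ts=None):
    """Format one syslog message per RFC 5424 (the IETF standard syslog format)."""
    # Fixed timestamp by default so the output is reproducible (constructed value)
    ts = ts or datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    timestamp = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    pri = facility * 8 + severity
    # VERSION is always 1; PROCID, MSGID and STRUCTURED-DATA use the NILVALUE "-"
    return f"<{pri}>1 {timestamp} {hostname} {appname} - - - {msg}"


def frame_for_tcp(message):
    """RFC 6587 octet-counting framing for syslog over TCP: '<length> <message>'."""
    data = message.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def parse_rfc5424(line):
    """Minimal parser: returns (facility, severity, hostname, appname, msg).
    Assumes STRUCTURED-DATA is the NILVALUE, as produced by build_rfc5424."""
    end = line.index(">")
    pri = int(line[1:end])
    fields = line[end + 1:].split(" ", 7)
    version, _timestamp, hostname, appname, _procid, _msgid, _sd, msg = fields
    if version != "1":
        raise ValueError(f"unexpected syslog VERSION {version!r}")
    return pri // 8, pri % 8, hostname, appname, msg


def loopback_udp_check(message):
    """Stand in for the remote collector on an ephemeral loopback UDP port,
    send the message as the UTM would over UDP, and return what was received."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    server.settimeout(2)
    port = server.getsockname()[1]
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.sendto(message.encode("utf-8"), ("127.0.0.1", port))
    data, _ = server.recvfrom(65535)
    client.close()
    server.close()
    return data.decode("utf-8")
```

Against a real collector, replace the loopback listener with the collector's address and port 514 (or the port you configured), and check the message appears in the collector's own logs.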

Firewall logging

Log packets with BAD constellation of TCP flags

If this option is enabled, the firewall logs packets with an invalid combination of TCP flags (e.g., all flags set).

Log NEW connections without SYN flag

With this option enabled, all new TCP connections that arrive without the SYN flag are logged.

Log refused packets

If this option is enabled, the firewall logs all refused packets.

Growing Logging Files and Disk Space Management

The log files on the UTM are stored on a dedicated partition, under the /var/log/ (today's log files) and /var/log/archives directories. Every night the files are rotated: compressed and moved to the /var/log/archives directory. During the rotation, if the partition is about to run out of space, the oldest log files are deleted to make room for the new ones.

However, when the partition runs out of space during the day, for example because logging is active for many services and there is a high volume of traffic, no further log entries are recorded. This might render the system unstable and may make it impossible to start new services or even cause connections to be refused.

If the log archives are important and the partition is frequently full, it is suggested to regularly copy the log archives from the UTM to a safe storage location and then remove them from the UTM. Setting up a remote syslog server is a viable alternative.

See also

More information about the logging policies can be found in https://help.endian.com/hc/en-us/articles/218146648.

Some guidelines to free space on a UTM can be found in https://help.endian.com/hc/en-us/articles/218146718.