System Logs
The system logs page is used to display simple logging information for the internal system services.
Viewing a system log
Choose a log type from the Section drop-down menu:
- Authentication - Log messages from the SmoothAuth sub-system, including service status messages and user authentication audit trail.
- Web filter - Log messages from the Guardian sub-system, including service status messages.
- Update transcript - Log messages from applied updates.
- Routing service - Log messages from the SmoothRouting sub-system, including service status messages.
- SmoothD - Log messages from the SmoothD super server.
- SmoothMonitor - Log messages from the SmoothMonitor sub-system, including service status and alert / report distribution audit trail.
- SmoothWall - Simple system log messages, including startup, shutdown, reboot and service status messages.
- SNMP - Log messages from the SNMP sub-system.
- SSH - Log messages from the SSH sub-system, including service status and successful / failed login attempts.
- UPS - Log messages from the UPS sub-system, including service status messages.
- Kernel - Log messages from the core SmoothWall operating system.
- L2TP - Log messages from the SmoothTunnel sub-system, for L2TP service status messages.
- L2TP PPP - Log messages from the SmoothTunnel sub-system, for L2TP PPP transport negotiation messages.
- IPSec - Log messages from the SmoothTunnel sub-system, including service status and transport negotiation for all types of VPN tunnel.
- NTP - Log messages from the network time sub-system, including service status and internal and external synchronisation requests.
- PPP - Log messages from the SmoothFirewall sub-system, for external modem or dial-up connections.
- ISDN - Log messages from external connections using a local ISDN device.
Choose the date of the log entries to be viewed using the Month and Day drop-down menus. Click the Update button to display the log.
Note - The availability of some of these logging sections depends on the modules that are currently installed.
Exporting a log
Choose a log type and view it using the Update button. To export the log, click the Export button.
Exporting logs for all dates
Choose a log type and view it using the Update button. To export the log entries for all recorded dates, click the Export all dates button.
Firewall
The firewall log page is used to display all data packets that have been dropped or rejected by the firewall.
Viewing the firewall log
Choose the relevant part of the firewall log using the Section drop-down menu.
- Main - All rejected data packets.
- Incoming audit - All direct incoming traffic from the external network - if Direct incoming traffic is enabled on the Networking | advanced configuration page.
- Forward audit - All traffic forwarded between all internal and external network interfaces - if Forwarded traffic is enabled on the Networking | advanced configuration page.
- Outgoing audit - All direct outgoing traffic to the external network - if Direct outgoing traffic is enabled on the Networking | advanced configuration page.
- Port forwards - All data packets from the external network that were port forwarded.
- SmoothRule - rejects - All data packets from the internal network zones that were rejected by a SmoothRule outbound access rule.
- SmoothRule - stealth - All data packets from the internal network zones that were logged (but not rejected) by a SmoothRule outbound access rule.
Choose the date of the firewall log to be viewed using the Month and Day drop-down menus. Click the Update button to display the firewall log.
Understanding the firewall log
Each firewall log entry displayed in the Log region contains the following information:
- Time - The time that the firewall event occurred.
- In - The interface at which the data packet arrived.
- Out - The interface at which the data packet left.
- Proto - The network protocol used by the data packet.
- Source - The IP address of the data packet's sender.
- Src Port - The outbound port number used by the data packet.
- Destination - The IP address of the data packet's intended destination.
- Dst port - The inbound port number used by the data packet.
Filtering the firewall log
The firewall log can display a more useful subset of log entries by using the filter controls in the Settings
region:
- Source - This drop-down menu is populated with a list of all source IP addresses contained in the
firewall log. Choose a particular IP address and click the Update button to display log entries originating
from just one address.
- Src port - This drop-down menu is populated with a list of all source ports contained in the
firewall log. Choose a particular port and click the Update button to display log entries originating
from just one port.
- Destination - This drop-down menu is populated with a list of all destination IP addresses contained in the
firewall log. Choose a particular IP address and click the Update button to display log entries destined
for just one address.
- Dst port - This drop-down menu is populated with a list of all destination ports contained in the
firewall log. Choose a particular port and click the Update button to display log entries destined
for just one port.
Compressing repeated entries
The firewall log can be compressed by 'ghosting' repetitious log entries, thereby improving log readability. To do this, select
the Compression tick-box and click the Update button to refresh the display of the firewall log.
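The filtering and compression behaviour described above, as an added example that is not part of this help page or of SmoothWall's own code. It assumes a simple whitespace-separated line layout that mirrors the columns of the Log region (Time, In, Out, Proto, Source, Src port, Destination, Dst port); the sample lines are constructed and the real on-disk format is not shown on this page. "Repetitious" is taken to mean consecutive entries that differ only in their time and source port, which is an assumption about what ghosting collapses.

```python
from collections import Counter, namedtuple
from typing import List, Optional, Tuple

# Constructed sample lines in an ASSUMED whitespace-separated layout mirroring the
# Log region columns. "-" marks an empty interface column. Not SmoothWall's real format.
SAMPLE_LOG = """\
10:00:01 eth1 - TCP 203.0.113.7 51234 192.0.2.10 22
10:00:02 eth1 - TCP 203.0.113.7 51235 192.0.2.10 22
10:00:02 eth1 - TCP 203.0.113.7 51236 192.0.2.10 22
10:00:05 eth1 - UDP 198.51.100.9 40000 192.0.2.10 161
10:00:09 eth1 - TCP 203.0.113.7 51240 192.0.2.10 22
10:00:11 eth0 eth1 TCP 192.0.2.55 44321 198.51.100.20 25
10:00:12 eth0 eth1 TCP 192.0.2.55 44322 198.51.100.20 25
"""

Entry = namedtuple("Entry", "time in_if out_if proto source sport destination dport")


def parse_log(text: str) -> List[Entry]:
    """Parse the assumed layout; malformed lines are skipped rather than aborting the view."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(Entry._fields):
            continue
        entries.append(Entry(*fields))
    return entries


def dropdown_values(entries: List[Entry], field: str) -> List[str]:
    """What a Settings drop-down offers: every distinct value of that column in the current log."""
    return sorted({getattr(e, field) for e in entries})


def filter_entries(entries: List[Entry], source: Optional[str] = None, sport: Optional[str] = None,
                   destination: Optional[str] = None, dport: Optional[str] = None) -> List[Entry]:
    """Apply the four filter drop-downs; a filter left at None means 'all values'."""
    wanted = {"source": source, "sport": sport, "destination": destination, "dport": dport}
    return [e for e in entries
            if all(v is None or getattr(e, k) == v for k, v in wanted.items())]


def _repeat_key(e: Entry) -> tuple:
    # Everything except time and source port (assumed meaning of "repetitious").
    return (e.in_if, e.out_if, e.proto, e.source, e.destination, e.dport)


def ghost_repeats(entries: List[Entry]) -> List[Tuple[Entry, int]]:
    """Compression: collapse each run of consecutive repetitious entries into
    (first entry of the run, number of entries in the run)."""
    runs: List[Tuple[Entry, int]] = []
    for e in entries:
        if runs and _repeat_key(runs[-1][0]) == _repeat_key(e):
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)
        else:
            runs.append((e, 1))
    return runs


def top_sources(entries: List[Entry], n: int = 5) -> List[Tuple[str, int]]:
    """Most frequent source addresses: the summary to check before using Lookup or Add to IP block list."""
    return Counter(e.source for e in entries).most_common(n)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    # Filtering to one destination port first lets a run that was split by an
    # unrelated entry (the UDP line) collapse into a single ghosted row.
    for entry, count in ghost_repeats(filter_entries(log, dport="22")):
        suffix = f"  (x{count})" if count > 1 else ""
        print(f"{entry.time} {entry.proto} {entry.source}:{entry.sport} -> "
              f"{entry.destination}:{entry.dport}{suffix}")
```

Applying a filter before compression changes what counts as a run: in the sample, the four SSH attempts from one address are separated by a UDP entry in the full log and ghost into two rows, but ghost into a single row of four once the view is filtered to destination port 22.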
Looking up an IP address
To perform a 'whois' lookup on a source IP address of a firewall log entry, select the entry's Mark tick-box control
and click the Lookup button. This will transfer the chosen source IP to the Tools | whois configuration page and
run a 'whois' lookup query. For more information, see the help page for the Tools | whois configuration page.
Adding one or more IPs to the IP block list
To add the source IP address of a firewall log entry to the IP block list, select one or more log entries using their tick-box
controls and click the Add to IP block list button. This will transfer the selected source IPs to the Networking | ip block
configuration page and automatically create appropriate IP block rules. For more information, see the help page for the
Networking | ip block configuration page.
Exporting the firewall log
To export the currently displayed firewall log, click the Export button.
Exporting the firewall logs for all dates
To export the currently displayed firewall log for all recorded dates, click the Export all dates button.
IDS Logs
The IDS logs page is used to display suspicious network activity detected by the IDS service.
Viewing the IDS log
Choose the month, day and year of the IDS log entries to be viewed using the Month, Day and Year drop-down menus.
Choose the number of entries to display on a page using the Entries per page drop-down menu. Click the Update button to display the log.
Understanding the IDS logs
Each IDS log entry displayed in the Log region contains the following information:
- Date - The time and date of the IDS incident.
- Name - The recognised name of the IDS incident.
- Priority - The severity of the IDS incident (1 is high).
- Type - The general type of the IDS incident.
- IP info - The source and destination IP addresses of the IDS incident.
- References - An external link to an independent website describing the nature of this event.
Note - SmoothWall Ltd is not responsible for the content of the references. All links are provided for general guidance only.
Discovering more about suspicious network activity
To understand more about the nature of an IDS log entry, click its Reference link to launch a browser window containing a description.
Exporting the IDS log
To export the currently displayed IDS log, click the Export button.
Exporting the IDS logs for all dates
To export the currently displayed IDS log for all recorded dates, click the Export all dates button.
IPSec Log Viewer
The IPSec logs page is used to view diagnostic information for VPN tunnels.
Viewing a log
Choose the tunnel you are interested in by using the Tunnel name
control. To view the logs for all of the tunnels at once, choose ALL as the
tunnel name. After making a change, press the Update button. You
can also Export the logs for saving to your desktop.
Exporting a log
To export and download all log entries generated by the current settings, click the Export button.
Exporting all dates
To export and download all log entries generated by the current settings, for all dates available, click the Export all dates button.
Viewing and sorting log entries
The following columns are displayed in the Web log region:
- Time - The time the tunnel activity occurred.
- Name - The name of the tunnel concerned.
- Description - Log entries generated by the VPN sub-system.
Log entries are displayed over a manageable number of pages. To view a particular page, click its Page number hyperlink displayed
above or below the log entries. The adjacent << (First), < (Previous), > (Next) and >>
(Last) hyperlinks provide an alternative means of moving between pages.
To sort the log entries in ascending or descending order on a particular column, click its Column title hyperlink. Clicking the
currently selected column reverses the sort direction.
Web Filter
The web filter page is used to provide detailed analysis of Guardian web proxy and filtering activity. This page allows web filter or
proxy logs to be viewed, with customised content by IP address, request type, authenticated username and domain.
Introduction to the web filter logs
Here you can view the usage logs of your web proxy server and the web content filtering engine. You can select what you want to view with the options
at the top of the page. You may select the day, month, year and the source IP (the machine within your network) to view the logs for. You can use regular
expressions to filter certain lines from the log and also filter to show only
a single user, domain or category. The default has been set to strip all images, etc.
Using the log settings
The Settings region contains the following controls that are used to specify the types of log entries that are displayed in the
Web log region:
- View mode - Used to choose the subset of web or filter logs that are displayed:
- Web Filter Logs - Used to display all web filter log entries including blocked and exception log entries.
- Web Filter Logs (only denied pages) - Used to display all log entries where the request was blocked by the filter.
- Web Filter Logs (only denied and exception) - Used to display all log entries where the request was blocked or let through due to an exception rule.
- Web Proxy Logs - Used to display all web proxy log entries.
- Month - Used to choose the month that filter logs are displayed for.
- Day - Used to choose the day that filter logs are displayed for.
- Year - Used to choose the year that filter logs are displayed for.
- Ignore filter - Used to enter a regular expression that excludes matching log entries. The default value excludes common
log entries for image, javascript, CSS style and other file requests. To enable the ignore filter, the Enable ignore filter
tick-box must be selected.
- Enable ignore filter - Used to activate the ignore filter.
- User filter - Used to display log entries recorded against a particular username. For example, john will display
log entries for the user john. However, this will not match johnathan. It is possible to include regular expressions within
the filter - for example, john.* will match john, johnny, johnathan etc. To activate the user filter, the
Enable user filter tick-box must be selected.
- Enable user filter - Used to activate the user filter.
- Domain filter - Used to display log entries recorded against a particular domain. Matching will occur on the start of the
domain part of the URL. For example, www.abc will match www.abc.com, www.abc.net but not match abc.net
etc. It is possible to include regular expressions within the filter - for example (www.)?abc.com will match both abc.com
and www.abc.com. To activate the domain filter, the Enable domain filter tick-box must be selected.
- Enable domain filter - Used to activate the domain filter.
- Category type - Used to choose the filter rule category that is displayed. The pull down list will automatically contain
only those categories that appear within the specified date range selected. For this reason, a date must be picked before selecting a
category.
- Restore defaults - Used to restore the default settings.
- Update - Used to display an updated log in the Web log region, according to the chosen settings.
- Export - Used to export all log entries generated by the current settings.
- Export all dates - Used to export all log entries generated by the current settings, for all available dates.
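The matching rules for the User filter, Domain filter and Ignore filter above, as an added example in Python that is not part of this help page or of Guardian's own code. The log entries are constructed, the `DEFAULT_IGNORE` pattern is an assumed stand-in for the product's default (the real default is not shown on this page), and the user filter is assumed to match the whole username while the domain filter is assumed to match from the start of the domain part, which is the behaviour the text describes.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed web filter log entries (not real Guardian output).
SAMPLE_ENTRIES: List[Dict[str, str]] = [
    {"time": "09:00:01", "ip": "192.0.2.21", "user": "john", "url": "http://www.abc.com/index.html"},
    {"time": "09:00:01", "ip": "192.0.2.21", "user": "john", "url": "http://www.abc.com/logo.png"},
    {"time": "09:00:03", "ip": "192.0.2.22", "user": "johnathan", "url": "http://abc.net/"},
    {"time": "09:00:04", "ip": "192.0.2.23", "user": "alice", "url": "www.abc.net/page?id=1"},
]

# ASSUMED stand-in for the product's default ignore filter: image, script and stylesheet requests.
DEFAULT_IGNORE = r"\.(gif|jpe?g|png|ico|css|js)(\?.*)?$"


def user_matches(pattern: str, username: str) -> bool:
    """User filter: the pattern must cover the whole username, so 'john' does not match
    'johnathan', while 'john.*' matches john, johnny and johnathan."""
    return re.fullmatch(pattern, username) is not None


def domain_of(url: str) -> str:
    """Domain part of a logged URL; entries logged without a scheme are tolerated."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def domain_matches(pattern: str, url: str) -> bool:
    """Domain filter: anchored at the start of the domain part only, so 'www.abc' matches
    www.abc.com and www.abc.net but not abc.net."""
    return re.match(pattern, domain_of(url)) is not None


def is_ignored(pattern: str, url: str) -> bool:
    """Ignore filter: a match anywhere in the URL excludes the entry from the view."""
    return re.search(pattern, url) is not None


def apply_filters(entries: List[Dict[str, str]], user_filter: Optional[str] = None,
                  domain_filter: Optional[str] = None,
                  ignore_filter: Optional[str] = None) -> List[Dict[str, str]]:
    """Combine the filters as the Settings region does: an entry is shown only if it passes
    every filter that is enabled (None stands for a cleared Enable tick-box)."""
    shown = []
    for e in entries:
        if ignore_filter is not None and is_ignored(ignore_filter, e["url"]):
            continue
        if user_filter is not None and not user_matches(user_filter, e["user"]):
            continue
        if domain_filter is not None and not domain_matches(domain_filter, e["url"]):
            continue
        shown.append(e)
    return shown


if __name__ == "__main__":
    for e in apply_filters(SAMPLE_ENTRIES, user_filter="john.*", ignore_filter=DEFAULT_IGNORE):
        print(e["time"], e["ip"], e["user"], e["url"])
```

One caveat worth remembering when typing these filters: an unescaped dot in a regular expression matches any single character, so `www.abc` also matches a domain such as `wwwxabc.com`. Writing `www\.abc` restricts the match to a literal dot; the page's own examples use the unescaped form because it is convenient and usually harmless.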
Viewing a log
To view web proxy and log entries, choose or enter appropriate settings using the controls in the Settings region. For further details
about these controls, see the Using the log settings section of this help page. Click the Update button to display the log
entries in the Web log region.
Note - the web proxy logs will all show IP 127.0.0.1 as the source IP but the web filter logs will show the true source IP.
The reason for this is that Guardian intercepts the communication between a client web browser and the caching web proxy.
The client browser does not connect directly to the proxy, but to the filter. The filter then connects via loopback (IP 127.0.0.1)
to the proxy to fetch the page requested.
Exporting a log
To export and download all log entries generated by the current settings, click the Export button.
Exporting all dates
To export and download all log entries generated by the current settings, for all dates available, click the Export all dates button.
Creating filter rules
The Web log region contains the following additional controls that can be used to modify the Guardian filter engine:
- Select group - Used to select the authentication group that will have new filter rules assigned to it.
- Add to allowed domains - Used to add the domains from the marked log entries in the current Web log to the
Always allow these domains list on the Guardian | url filter page.
- Add to allowed URLs - Used to add the URLs from the marked log entries in the current Web log to the
Always allow these URLs list on the Guardian | url filter page.
- Add to grey domains - Used to add the domains from the marked log entries in the current Web log to the
Allow but filter these (grey) domains list on the Guardian | url filter page.
- Add to grey URLs - Used to add the URLs from the marked log entries in the current Web log to the
Allow but filter these (grey) URLs list on the Guardian | url filter page.
- Add to blocked domains - Used to add the domains from the marked log entries in the current Web log to the
Block these domains list on the Guardian | url filter page.
- Add to blocked URLs - Used to add the URLs from the marked log entries in the current Web log to the
Block these URLs list on the Guardian | url filter page.
To create a filter rule using the domain or URL of a particular log entry, select its adjacent Mark tick-box control
and click the appropriate Add button. Once added, you will need to restart the proxy and filter engine by going to one of the
Guardian configuration pages and clicking the Restart Proxy or Soft Restart Proxy button.
Viewing and sorting log entries
The following columns are displayed in the Web log region:
- Time - The time the web request was made.
- Source IP - The source IP address the web request originated from.
- User - The username of the user the web request originated from.
- Website - The URL of the requested web resources.
- Points - The accumulated content filter score (if applicable).
- Mark - Used to select log entries for creating filter rules (see the Creating filter rules section of this
help page).
Log entries are displayed over a manageable number of pages. To view a particular page, click its Page number hyperlink displayed
above or below the log entries. The adjacent << (First), < (Previous), > (Next) and >>
(Last) hyperlinks provide an alternative means of moving between pages.
To sort the log entries in ascending or descending order on a particular column, click its Column title hyperlink. Clicking the
currently selected column reverses the sort direction.
Restoring default view settings
To restore the default view settings, click the Restore defaults button in the Settings region.
Filter Reports
The filter reports page is used to generate reports from the nightly processed log files, or have a realtime report
created for you.
Introduction to filter reports
Guardian provides the following real-time generated filter reports that can be customised using the Custom reports and Usage
reports regions:
- Custom reports - Allows a report to be created for a specified time period, displaying the top domains, categories,
IPs, messages, URLs or users. The report can be ordered by bandwidth usage or number of occurrences, and can be restricted to
log entries containing a particular domain, category, IP, message, URL or user.
- Usage reports - Allows daily or hourly graphed reports to be created for a specified time period, displaying the
average number of hits per hour, or the total number of occurrences per day.
The following pre-calculated filter reports are available:
- Top visited domains - This shows the most visited domains by all the users.
- Top domains by bandwidth - This shows the domains that used the most bandwidth.
- Top messages - This shows the most common messages which include exception and blocking message.
- Top page visits by users - This shows the users who visited the most web pages.
- Top users by bandwidth - This shows the users who used the most bandwidth.
- Top page visits by IP - This shows the IPs which visited the most web pages.
- Top IPs by bandwidth - This shows the IPs which used the most bandwidth.
- Top offending users - This shows the users who received the most blocked pages and images.
- Top offending IPs - This shows the IPs which received the most blocked pages and images.
The Available from and To date information fields display the earliest and latest dates that each report
can be generated within.
Viewing a report
To view a particular report, select its Mark radio-button. Next, select the start and end dates for the report using the Month,
Day and Year controls in the Options region. Choose the number of summary lines to produce using the Top
drop-down menu.
If you are generating a custom report, the following controls can be used to determine the report's content:
- Top type - Used to select whether the report contains the most popular categories, domains, IPs, messages, URLs or users.
- Ordered by - Used to select how the custom report is ordered:
- Bandwidth - Ordered according to the highest amount of bandwidth consumption by the selected Top type option.
- Occurrence - Ordered according to the highest number of requests by the selected Top type option.
- Filter by - Used to select whether the report contains entries from only certain categories, domains, IPs, messages, URLs or users.
- Filter value - Used to enter the matching value for the filter selected in the Filter by drop-down menu.
If you are generating a usage report, choose whether you wish to display daily or hourly graphs using the Usage type drop-down menu.
Finally, click the Compile button to generate and display the report.
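The custom and usage report options described above (Top type, Ordered by, Filter by / Filter value, Top, and Usage type), as an added example in Python that is not part of this help page or of Guardian's own reporting code. The records are constructed; how the product stores its nightly summary files is not shown here. "Average number of hits per hour" is read as the average count for each hour of the day across the days in the selected range, which is an assumption.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple, Union


def _rec(time, user, ip, domain, url, category, message, nbytes) -> Dict[str, Union[str, int]]:
    return {"time": time, "user": user, "ip": ip, "domain": domain, "url": url,
            "category": category, "message": message, "bytes": nbytes}


# Constructed filter log records (not real Guardian data); "time" is "YYYY-MM-DD HH:MM".
SAMPLE_RECORDS = [
    _rec("2024-03-01 09:05", "john", "192.0.2.21", "www.abc.com", "http://www.abc.com/", "news", "Allowed", 12000),
    _rec("2024-03-01 09:20", "john", "192.0.2.21", "www.abc.com", "http://www.abc.com/a", "news", "Allowed", 3000),
    _rec("2024-03-01 10:15", "alice", "192.0.2.22", "video.example", "http://video.example/v1", "streaming", "Allowed", 500000),
    _rec("2024-03-01 10:40", "bob", "192.0.2.23", "ads.example", "http://ads.example/b", "ads", "Blocked: advertising", 0),
    _rec("2024-03-02 09:10", "alice", "192.0.2.22", "video.example", "http://video.example/v2", "streaming", "Allowed", 250000),
    _rec("2024-03-02 09:30", "john", "192.0.2.21", "www.abc.com", "http://www.abc.com/b", "news", "Allowed", 4000),
    _rec("2024-03-02 11:00", "john", "192.0.2.21", "abc.net", "http://abc.net/", "news", "Allowed", 8000),
    _rec("2024-03-02 11:30", "bob", "192.0.2.23", "ads.example", "http://ads.example/c", "ads", "Blocked: advertising", 0),
]

TOP_TYPES = ("category", "domain", "ip", "message", "url", "user")


def custom_report(records: List[dict], top_type: str, ordered_by: str = "occurrence",
                  top: int = 10, filter_by: Optional[str] = None,
                  filter_value: Optional[str] = None) -> List[Tuple[str, int, int]]:
    """Custom report: the top N values of `top_type`, ordered by request count
    ('occurrence') or by bytes ('bandwidth'), optionally restricted to records whose
    `filter_by` field equals `filter_value`. Rows are (value, occurrences, bytes);
    ties are broken by name so the output is deterministic."""
    if top_type not in TOP_TYPES or ordered_by not in ("occurrence", "bandwidth"):
        raise ValueError("unknown report option")
    if filter_by is not None:
        if filter_by not in TOP_TYPES:
            raise ValueError("unknown filter field")
        records = [r for r in records if r[filter_by] == filter_value]
    totals: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for r in records:
        totals[r[top_type]][0] += 1
        totals[r[top_type]][1] += r["bytes"]
    metric = 1 if ordered_by == "bandwidth" else 0
    rows = [(k, v[0], v[1]) for k, v in totals.items()]
    rows.sort(key=lambda row: (-row[1 + metric], row[0]))
    return rows[:top]


def usage_report(records: List[dict], usage_type: str = "daily") -> Dict[str, float]:
    """Usage report: 'daily' gives total occurrences per day; 'hourly' gives the average
    hits for each hour of the day across the days present in the records."""
    if usage_type == "daily":
        per_day: Dict[str, int] = defaultdict(int)
        for r in records:
            per_day[r["time"][:10]] += 1
        return dict(sorted(per_day.items()))
    if usage_type == "hourly":
        days = {r["time"][:10] for r in records}
        per_hour: Dict[str, int] = defaultdict(int)
        for r in records:
            per_hour[r["time"][11:13]] += 1
        return {h: n / len(days) for h, n in sorted(per_hour.items())}
    raise ValueError("usage_type must be 'daily' or 'hourly'")


if __name__ == "__main__":
    # Top domains by bandwidth for one user, the drill-down a report hyperlink would produce.
    for value, hits, nbytes in custom_report(SAMPLE_RECORDS, "domain", "bandwidth",
                                             filter_by="user", filter_value="john"):
        print(f"{value:16} {hits:4} hits {nbytes:>9} bytes")
```

The on-demand aggregation here is the reason the page notes that custom reports are slower than pre-calculated ones: every request scans the raw records, whereas a pre-calculated report reads totals that were already summed overnight.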
Notes about the reports
Custom reports are slower to display than pre-calculated reports because they are generated on demand, rather than from summary files
that have already been generated.
When displaying a report, each entry is a hyperlink that returns to the Filter Reports page with the Filter by and
Filter value pre-entered. This is useful for continuous navigation around the many reports and discovering information as
required.
When the Top type is set to Domains or URLs, the number listed next to each item will be a hyperlink to the web page
itself.
Logging Options
The logging options page allows an external syslog server, automated log purging and log rotation options to be
configured.
Sending logs to a remote syslog server
To send logs to a remote syslog server, select the Remote syslog tick-box and enter the IP address or hostname
of the syslog server into the Syslog server text field. Click the Save button to activate the changes.
Note - Not all logs can be transmitted to a syslog server due to the large volume of data that would have to be
transferred.
Automatic log deletion
To automatically delete log files, select the Delete old logs when free space is low tick-box control. Choose a
free space threshold between 50% and 95% at which log deletion should be triggered using the Free space threshold
drop-down menu. Click the Save button to activate the configuration changes.
Setting the maximum log retention time
To set the maximum time a log file will be retained, choose a time value
using the controls provided. The length of time a particular set of logs can be retained for
can be specified between 1 day and 1 year. Click the
Save button to activate the configuration changes.