Firewall security policy logs are sent externally, but the loghost does not identify them

2025-04-18 10:09:09 Published

Problem Description

Fast log output is enabled, but the loghost does not display security policy logs (mainly deny policy logs).

 

Process Analysis

1. Select the security policy log.

Command line:

# Enable the fast log output function

[H3C] customlog format packet-filter

# Quickly output packet filtering module logs to the loghost

[H3C] customlog host 172.31.0.90 export packet-filter

(packet-filter: quickly outputs packet filtering module logs to the loghost; it can be understood as the security policy module.)

The command aspf log sending-realtime enable is used to enable the real-time log sending function. Reference: SecCenter CSAP-NTA-AK375 Unable to send security logs to situational awareness - Zhiliao Community

2. Check whether the security policy hit count has increased and whether logging is enabled.

3. Check whether security policy logs are generated (local logs are not visible when fast logging is used on a device without a drive).

Solution

Delete the configuration under fast logging, including command line configurations such as:

 customlog format packet-filter sgcc 
 customlog format security-policy sgcc
 customlog format keepalive sgcc

Without fast logging, when logs are sent directly through the information center (IC), the loghost identifies them normally.
