Cisco Content Security Management Appliance M1070 User Guide

AsyncOS 9.5.x for Cisco Content Security Management Appliances User Guide
 
Chapter 15: Logging
Logging Overview
Log Retrieval
Log files can be retrieved with the file transfer protocols described in Table 15-1. You set the protocol when you create or edit a log subscription in the GUI, or by using the logconfig command in the CLI.
Filename and Directory Structure 
AsyncOS creates a directory for each log subscription based on the log name specified in the log 
subscription. The filenames of logs in the directory consist of the filename specified in the log 
subscription, the timestamp when the log file was started, and a single-character status code. The 
following example shows the convention for the directory and filename: 
/<Log_Name>/<Log_Filename>.@<timestamp>.<statuscode>
Status codes may be .c (signifying “current”) or .s (signifying “saved”). You should only transfer log files with the saved status.
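The naming convention above can be enforced on the collecting side. The following is an added example, not code from the Cisco guide: it parses paths of the form /<Log_Name>/<Log_Filename>.@<timestamp>.<statuscode> and returns only files with the saved status. The function names, the sample listing and the timestamp values are assumptions made for illustration; the timestamp is treated as an opaque string because the page does not give its format.

```python
from collections import defaultdict
from typing import NamedTuple, Optional


class LogFile(NamedTuple):
    subscription: str   # <Log_Name> directory
    filename: str       # <Log_Filename> from the subscription
    timestamp: str      # kept opaque; the page does not give its format
    status: str         # "c" (current) or "s" (saved)
    path: str


def parse_log_path(path: str) -> Optional[LogFile]:
    """Parse /<Log_Name>/<Log_Filename>.@<timestamp>.<statuscode>; None if no match."""
    parts = path.strip("/").split("/")
    if len(parts) != 2:
        return None
    subscription, name = parts
    # Split from the right: the configured filename may itself contain dots.
    stem, dot, status = name.rpartition(".")
    filename, marker, timestamp = stem.rpartition(".@")
    if not (dot and marker and filename and timestamp) or status not in ("c", "s"):
        return None
    return LogFile(subscription, filename, timestamp, status, path)


def saved_logs(listing):
    """Group the paths that are safe to transfer (status "s") by subscription."""
    ready = defaultdict(list)
    skipped = []
    for path in listing:
        entry = parse_log_path(path)
        if entry is not None and entry.status == "s":
            ready[entry.subscription].append(entry.path)
        else:
            skipped.append(path)  # current file, or a name outside the convention
    return dict(ready), skipped


# Constructed sample listing; names and timestamps are illustrative only.
SAMPLE = [
    "/mail_logs/mail.@20150601T000000.s",
    "/mail_logs/mail.@20150602T000000.c",
    "/gui_logs/gui.text.@20150601T120000.s",
    "/gui_logs/notes.txt",
]

if __name__ == "__main__":
    ready, skipped = saved_logs(SAMPLE)
    print("transfer:", ready)
    print("skipped:", skipped)
```

Skipping the current (.c) file avoids collecting a log that the appliance is still writing, which would leave a truncated copy in the archive.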
Log Rollover and Transfer Schedule
When you create a log subscription, you specify the trigger(s) for when the logs roll over, the old file is transferred, and a new log file is created.
Choose between the following triggers:
- File size
- Time
  - At a specified interval (in seconds, minutes, hours, or days). Follow the example on the screen when entering values. To enter a composite interval, such as two-and-a-half hours, follow the example 2h30m
Table 15-1  Log Transfer Protocols

FTP Poll
With this type of file transfer, a remote FTP client accesses the appliance to retrieve log files by using the user name and password of an administrator-level or operator-level user. When configuring a log subscription to use the FTP poll method, you must supply the maximum number of log files to retain. When the maximum number is reached, the system deletes the oldest file.

FTP Push
With this type of file transfer, the Cisco Content Security appliance periodically pushes log files to an FTP server on a remote computer. The subscription requires a user name, password, and destination directory on the remote computer. Log files are transferred based on the configured rollover schedule.

SCP Push
With this type of file transfer, the Cisco Content Security appliance periodically pushes log files to an SCP server on a remote computer. This method requires an SSH SCP server on a remote computer using the SSH2 protocol. The subscription requires a user name, SSH key, and destination directory on the remote computer. Log files are transferred based on the configured rollover schedule.

Syslog Push
With this type of file transfer, the Cisco Content Security appliance sends log messages to a remote syslog server. This method conforms to RFC 3164. You must submit a hostname for the syslog server and use either UDP or TCP for log transmission. The port used is 514. A facility can be selected for the log; however, a default for the log type is preselected in the drop-down menu. Only text-based logs can be transferred using syslog push.