Cisco Web Security Appliance S170 User Guide

24-39
Cisco IronPort AsyncOS 7.7 for Web User Guide
 
Chapter 24 Logging
Traffic Monitor Log
The L4 Traffic Monitor log file provides a detailed record of monitoring activity. You can view L4 Traffic 
Monitor log file entries and track updates to firewall block lists and firewall allow lists. Consider the 
following example log entries:
Example 1
172.xx.xx.xx discovered for blocksite.net (blocksite.net) added to firewall block list.
In this example, a match becomes a block list firewall entry. The L4 Traffic Monitor matched an 
IP address to a domain name in the block list based on a DNS request which passed through the 
appliance. The IP address is then entered into the block list for the firewall.
Example 2
172.xx.xx.xx discovered for www.allowsite.com (www.allowsite.com) added to firewall allow list.
In this example, a match becomes an allow list firewall entry. The L4 Traffic Monitor matched a domain 
name entry and added it to the appliance allow list. The IP address is then entered into the allow list for 
the firewall.
Example 3
Firewall noted data from 172.xx.xx.xx to 209.xx.xx.xx (allowsite.net):80.
In this example, the L4 Traffic Monitor logs a record of data that passed between an internal IP address 
and an external IP address which is on the block list. Also, the L4 Traffic Monitor is set to monitor, not 
block.
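The three entry shapes above can be parsed and tallied so that list updates are kept apart from flows the monitor merely noted. This is an added example, not code from the guide or from the appliance; the sample lines and their RFC 5737 addresses are constructed, and the regexes assume the exact wording shown in Examples 1 to 3.

```python
import re
from typing import Dict, List, Optional

# Regexes for the three L4 Traffic Monitor entry shapes shown in this section.
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
DISCOVERED_RE = re.compile(
    rf"^(?P<ip>{IP}) discovered for (?P<domain>\S+) \((?P<matched>[^)]+)\) "
    r"added to firewall (?P<list>block|allow) list\.$"
)
NOTED_RE = re.compile(
    rf"^Firewall noted data from (?P<src>{IP}) to (?P<dst>{IP}) "
    r"\((?P<domain>[^)]+)\):(?P<port>\d+)\.$"
)


def parse_l4tm_line(line: str) -> Optional[dict]:
    """Return a structured event for one log line, or None if unrecognised."""
    line = line.strip()
    m = DISCOVERED_RE.match(line)
    if m:  # Examples 1 and 2: a DNS answer was matched and the IP put on a firewall list
        return {"kind": "list_update", "list": m["list"], "ip": m["ip"],
                "domain": m["domain"]}
    m = NOTED_RE.match(line)
    if m:  # Example 3: monitor mode recorded a flow to a listed external address
        return {"kind": "monitored_flow", "src": m["src"], "dst": m["dst"],
                "domain": m["domain"], "port": int(m["port"])}
    return None


def summarize(lines: List[str]) -> Dict[str, int]:
    """Tally list updates and monitored flows; unrecognised lines are counted, not dropped."""
    counts = {"block_list_adds": 0, "allow_list_adds": 0,
              "monitored_flows": 0, "unparsed": 0}
    for ev in map(parse_l4tm_line, lines):
        if ev is None:
            counts["unparsed"] += 1
        elif ev["kind"] == "monitored_flow":
            counts["monitored_flows"] += 1
        else:
            counts[ev["list"] + "_list_adds"] += 1
    return counts


# Constructed sample entries (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LINES = [
    "192.0.2.10 discovered for blocksite.net (blocksite.net) added to firewall block list.",
    "192.0.2.20 discovered for www.allowsite.com (www.allowsite.com) added to firewall allow list.",
    "Firewall noted data from 192.0.2.5 to 198.51.100.7 (allowsite.net):80.",
    "garbage line that the monitor never writes",
]
```

Because the monitor in Example 3 is set to monitor rather than block, a rising `monitored_flows` count against block-listed destinations is the signal to review, since nothing was actually stopped.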
Troubleshooting
AsyncOS for Web sends a critical email message to the configured alert recipients when the internal 
logging process drops web transaction events due to a full buffer.
By default, when the Web Proxy experiences a very high load, the internal logging process buffers events 
to record them later when the Web Proxy load decreases. When the logging buffer fills completely, the 
Web Proxy continues to process traffic, but the logging process does not record some events in the access 
logs or in the Web Tracking report. This might occur during a spike in web traffic.
However, a full logging buffer might also occur when the appliance is over capacity for a sustained 
period of time. AsyncOS for Web continues to send the critical email messages every few minutes until 
the logging process is no longer dropping data.
The critical message contains the following text:
Reporting Client: The reporting system is unable to maintain the rate of data being generated. Any new data generated will be lost.
 
If AsyncOS for Web sends this critical message continuously or frequently, the appliance might be over 
capacity. Contact Cisco IronPort Customer Support to verify whether or not you need additional Web 
Security appliance capacity.