How To – Enable logging and forward Logs to Syslog

 

Applicable to Version – 9.5.4 build 66 onwards

This article describes the steps to enable various logs and forward them to a syslog server.

Prerequisite
Cyberoam must be configured to use a syslog server. If it is not, refer to How To - Add Syslog server.

Step 1. Enable logging

Firewall Log

It records invalid traffic, local ACL traffic, DoS attack, ICMP redirected packets, source routed and fragmented traffic. Firewall rule logs can be enabled at the time of creation of firewall rule or later from the rule itself.

To log DoS attacks, go to Firewall → Denial of Service → DoS Settings and click ‘Apply Flag’ against SYN Flood, UDP flood, TCP flood, and ICMP flood individually.

To log dropped ICMP redirected packets, go to Firewall → Denial of Service → DoS Settings and click ‘Apply Flag’ against ‘Disable ICMP redirect Packets’.

To log dropped source routed packets, go to Firewall → Denial of Service → DoS Settings and click ‘Apply Flag’ against ‘Drop Source Routed Packets’.

IDP reports
It records detected and dropped attacks based on unknown or suspicious patterns (anomaly) and signatures.

Antivirus Logs
It records viruses detected in HTTP, SMTP, FTP, POP3 and IMAP4 traffic. Enabling logging for SMTP will also enable logging for POP3 and IMAP4 on local server.

Antispam Logs
It records SMTP, POP3, IMAP4 spam and probable spam mails. Enabling logging for SMTP will also enable logging for POP3 and IMAP4 on local server.

Step 2. Configure logging location

Go to System → Logging → Log configuration and enable logging against each log.

You can choose between on-appliance (local) logging, Syslog logging, or disabling logging temporarily. If multiple syslog servers are configured, logs can also be sent to different servers.

| Log Type | | Local (On-appliance) | Syslog |
|---|---|---|---|
| Firewall | Firewall Rules | No | Yes |
| | Invalid Traffic | No | Yes |
| | Local ACLs | No | Yes |
| | DoS Attack | No | Yes |
| | Dropped ICMP Redirected packets | No | Yes |
| | Dropped Source Routed packets | No | Yes |
| | Dropped Fragmented traffic | No | Yes |
| IDP | Anomaly | Yes | Yes |
| | Signature | Yes | Yes |
| Anti Virus | HTTP | No | Yes |
| | FTP | No | Yes |
| | SMTP | Yes | Yes |
| | POP3 (Enabling/Disabling logging for SMTP will also enable/disable logging for POP3) | Yes | Yes |
| | IMAP4 (Enabling/Disabling logging for SMTP will also enable/disable logging for IMAP4) | Yes | Yes |
| Anti Spam | SMTP | Yes | Yes |
| | POP3 (Enabling/Disabling logging for SMTP will also enable/disable logging for POP3) | Yes | Yes |
| | IMAP4 (Enabling/Disabling logging for SMTP will also enable/disable logging for IMAP4) | Yes | Yes |
| Content Filtering | HTTP | Yes | Yes |
| Traffic Discovery | | Yes | No |


 Document version – 1.0-27/06/2008

Article ID: 984