Logging Overview
Log files record regular operations, as well as exceptions, for activity on the system. Use the logs for monitoring the Cisco Content Security appliance, troubleshooting, and evaluating system performance.
Most logs are recorded in plain text (ASCII) format; however, tracking logs are recorded in binary format for resource efficiency. The ASCII text information is readable in any text editor.
Logging Versus Reporting
Use logging data to debug message flow, to reveal basic day-to-day operational information such as FTP connection details and HTTP log files, and for compliance archiving.
You can access this logging data directly on the Email Security appliance or send it to any external FTP server for archival or reading. You can either FTP to the appliance to access the logs or push the plain text logs to an external server for backup purposes.
To view reporting data, use the Report pages on the appliance GUI. You cannot access the underlying data in any way, and this data cannot be sent to anything but a Cisco Content Security Management appliance.
Note: The Security Management appliance pulls information for all reporting and tracking with the exception of spam quarantine data. This data is pushed from the ESA.
Log Retrieval
Log files can be retrieved with the file transfer protocols described in the following table. You set the protocol when you create or edit a log subscription in the GUI, or by using the logconfig command in the CLI.
Method | Description
---|---
FTP Poll | With this type of file transfer, a remote FTP client accesses the appliance to retrieve log files by using the user name and passphrase of an administrator-level or operator-level user. When configuring a log subscription to use the FTP poll method, you must supply the maximum number of log files to retain. When the maximum number is reached, the system deletes the oldest file.
FTP Push | With this type of file transfer, the Cisco Content Security appliance periodically pushes log files to an FTP server on a remote computer. The subscription requires a user name, passphrase, and destination directory on the remote computer. Log files are transferred based on the configured rollover schedule.
SCP Push | With this type of file transfer, the Cisco Content Security appliance periodically pushes log files to an SCP server on a remote computer. This method requires an SSH SCP server on a remote computer using the SSH2 protocol. The subscription requires a user name, SSH key, and destination directory on the remote computer. Log files are transferred based on the configured rollover schedule.
Syslog Push | With this type of file transfer, the Cisco Content Security appliance sends log messages to a remote syslog server. This method conforms to RFC 3164. You must submit a hostname for the syslog server and use either UDP or TCP for log transmission. The port used is 514. A facility can be selected for the log; however, a default for the log type is preselected in the drop-down menu. Only text-based logs can be transferred using syslog push.
Filename and Directory Structure
AsyncOS creates a directory for each log subscription based on the log name specified in the log subscription. The filenames of logs in the directory consist of the filename specified in the log subscription, the timestamp when the log file was started, and a single-character status code. The following example shows the convention for the directory and filename:
/<Log_Name>/<Log_Filename>.@<timestamp>.<statuscode>
Status codes may be .c (signifying “current”) or .s (signifying “saved”). You should only transfer log files with the saved status.
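A retrieval script should act only on files carrying the saved (.s) status and skip the current (.c) file that the appliance is still writing. The following parser for the directory and filename convention above is an added example for this page, not code from Cisco or AsyncOS. It assumes the timestamp portion is laid out as YYYYMMDDTHHMMSS (an assumption; adjust the pattern if your appliance writes it differently), and the directory listing it works on is constructed.

```python
import re
from datetime import datetime

# Constructed sample listing of two log subscription directories; not real appliance output.
SAMPLE_LISTING = [
    "/mail_logs/mail.@20240301T000000.s",
    "/mail_logs/mail.@20240302T000000.s",
    "/mail_logs/mail.@20240303T000000.c",
    "/system_logs/system.@20240303T000000.c",
    "/mail_logs/README.txt",
]

# /<Log_Name>/<Log_Filename>.@<timestamp>.<statuscode>
# Assumed timestamp layout YYYYMMDDTHHMMSS; status is 'c' (current) or 's' (saved).
LOG_PATH_RE = re.compile(
    r"^/(?P<log_name>[^/]+)/(?P<filename>[^/@]+)\.@(?P<timestamp>\d{8}T\d{6})\.(?P<status>[cs])$"
)


def parse_log_path(path):
    """Split a log path into its subscription name, base filename, start time and status."""
    m = LOG_PATH_RE.match(path)
    if not m:
        return None
    return {
        "log_name": m["log_name"],
        "filename": m["filename"],
        "started": datetime.strptime(m["timestamp"], "%Y%m%dT%H%M%S"),
        "status": m["status"],
    }


def saved_files(paths, log_name=None):
    """Return only files with the saved status, oldest first, optionally for one subscription."""
    selected = []
    for p in paths:
        info = parse_log_path(p)
        if info is None or info["status"] != "s":
            continue  # unparseable entry or the file still being written
        if log_name is not None and info["log_name"] != log_name:
            continue
        selected.append((info["started"], p))
    return [p for _, p in sorted(selected)]


if __name__ == "__main__":
    for p in saved_files(SAMPLE_LISTING, log_name="mail_logs"):
        print("transfer:", p)
```

Sorting by the embedded start time rather than by filename string keeps the transfer order correct even if the base filename changes between subscriptions.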
Log Rollover and Transfer Schedule
When you create a log subscription, you specify the trigger(s) for when the logs roll over, the old file is transferred, and a new log file is created.
Choose between the following triggers:
- File size
- Time
  - At a specified interval (in seconds, minutes, hours, or days). Follow the example on the screen when entering values. To enter a composite interval, such as two-and-a-half hours, follow the example 2h30m.
  or
  - Every day, at the time(s) you specify
  or
  - On the days of the week that you select, at the time(s) you specify
  - When you specify times, use the 24-hour format, for example 23:00 for 11 p.m. To schedule multiple rollover times in a day, separate times with a comma. For example, to roll over logs at midnight and noon, enter 00:00, 12:00. Use an asterisk (*) as a wildcard. For example, to roll over logs exactly at every hour and half-hour, enter *:00, *:30.
When the specified limit is reached (or the first limit is reached, if you have configured both size- and time-based limits), the log file is rolled over. Log subscriptions based on the FTP poll transfer mechanism create files and store them in the FTP directory on the appliance until they are retrieved or until the system needs more space for log files.
Note: If a rollover is in progress when the next limit is reached, the new rollover is skipped. An error will be logged and an alert sent.
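To check that a subscription's rollover settings will produce the schedule you expect, it helps to parse the two input forms above (composite intervals such as 2h30m, and daily time lists such as 00:00, 12:00 or *:00, *:30) and compute the next rollover, applying the rule that whichever of the size or time limit is reached first rolls the file. The code below is an added example written for this page; it is not Cisco code and does not reproduce the appliance's own validation. The sample values are constructed.

```python
import re
from datetime import datetime, timedelta

INTERVAL_RE = re.compile(r"(\d+)([smhd])")
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_interval(spec):
    """Turn a composite interval such as '2h30m' into a number of seconds."""
    spec = spec.strip()
    if not re.fullmatch(r"(\d+[smhd])+", spec):
        raise ValueError(f"invalid interval: {spec!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in INTERVAL_RE.findall(spec))


def parse_times(spec):
    """Parse '00:00, 12:00' or '*:00, *:30' into (hour or None for wildcard, minute) tuples."""
    result = []
    for item in spec.split(","):
        item = item.strip()
        m = re.fullmatch(r"(\*|[01]\d|2[0-3]):([0-5]\d)", item)
        if not m:
            raise ValueError(f"invalid time: {item!r}")
        hour = None if m[1] == "*" else int(m[1])
        result.append((hour, int(m[2])))
    return result


def next_rollover(times, now):
    """Earliest scheduled time strictly after `now` for a daily schedule with wildcard hours."""
    candidates = []
    for hour, minute in times:
        hours = range(24) if hour is None else [hour]
        for h in hours:
            for day_offset in (0, 1):  # today, or tomorrow if today's slot has passed
                t = now.replace(hour=h, minute=minute, second=0, microsecond=0)
                t += timedelta(days=day_offset)
                if t > now:
                    candidates.append(t)
    return min(candidates)


def rollover_due(file_size, max_size, started, interval_seconds, now):
    """With both limits configured, the first one reached rolls the file over."""
    age = (now - started).total_seconds()
    return file_size >= max_size or age >= interval_seconds


if __name__ == "__main__":
    # Constructed example values, not a real subscription.
    print("2h30m =", parse_interval("2h30m"), "seconds")
    now = datetime(2024, 3, 1, 13, 5)
    print("next rollover for '*:00, *:30':", next_rollover(parse_times("*:00, *:30"), now))
    print("next rollover for '00:00, 12:00':", next_rollover(parse_times("00:00, 12:00"), now))
```

The wildcard form is expanded to every hour of the day before the earliest candidate is chosen, so *:30 correctly yields 13:30 when it is 13:05, not tomorrow's 00:30.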
Timestamps in Log Files
The following log files include the beginning and ending date of the log itself, the version of AsyncOS, and the GMT offset (provided in seconds at the beginning of the log):
- Mail log
- Safelist/blocklist log
- System log
Logs Enabled by Default
The Security Management appliance is preconfigured with the following log subscriptions enabled.
Log Name | Log Type | Retrieval Method
---|---|---
cli_logs | CLI audit logs | FTP Poll
euq_logs | Spam quarantine logs | FTP Poll
euqgui_logs | Spam quarantine GUI logs | FTP Poll
gui_logs | HTTP logs | FTP Poll
mail_logs | Text mail logs | FTP Poll
reportd_logs | Reporting logs | FTP Poll
reportqueryd_logs | Reporting query logs | FTP Poll
slbld_logs | Safelist/blocklist logs | FTP Poll
smad_logs | SMA logs | FTP Poll
system_logs | System logs | FTP Poll
trackerd_logs | Tracking logs | FTP Poll
All preconfigured log subscriptions have the logging level set to Information. For more information about log levels, see Setting the Log Level.
You can configure additional log subscriptions depending on the license keys that you have applied. For information about creating and editing log subscriptions, see Log Subscriptions.