Cisco Support Community
SA500 Series Security Appliances can be configured to log activity such as the traffic (unicast or broadcast) that passes through the device, as well as discarded packets. Logs also provide information regarding service attacks. Logged events are helpful for identifying network issues. The device can be configured to log denial of service attacks, general attack information, login attempts, dropped packets, and similar events, and to send notifications of them to a specified e-mail address or a Syslog server.
This document describes how to enable or disable local logging on the SA540 Security Appliance.
Note: To view all the logs, please refer to the article View All Logs on SA540 Security Appliance.
Local Logging Configuration
Step 1. Log in to the Security Appliance configuration utility and choose Administration > Logging > Logging Config. The Local Logging Config page opens:
Routing logs determine which packets are logged, accepted or dropped, according to the type of traffic.
Step 1. To enable Routing Logs, match the appropriate firewall rules for the source and destination.
• Accepted Packets — Check the Accepted Packets check box to log packets that were successfully transferred through the network segment. For example, if Accepted Packets from Local Area Network (LAN) to Wide Area Network (WAN) is enabled and there is a firewall rule that allows telnet traffic from the LAN, then whenever a LAN PC tries to make a telnet connection, those packets will be accepted and a message will be logged.
• Dropped Packets — Check the Dropped Packets check box to log packets that were blocked from being transferred through the network segment. For example, if Dropped Packets from LAN to WAN is enabled and there is a firewall rule that blocks telnet traffic from the LAN, then whenever a LAN PC tries to make a telnet connection, those packets will be dropped and a message will be logged.
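The two check boxes only produce a log entry when the matching firewall rule action occurs for that source and destination. The following is an added example, not Cisco code and not the appliance's implementation: a small Python model of that interaction that reports which dropped flows would leave no log entry. The names Rule, routing_log_events and unlogged_drops, the first-match rule order and the default action are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    action: str  # "accept" or "drop"

def routing_log_events(flows, rules, logging_cfg, default_action="accept"):
    """Model which flows produce a routing log entry.

    flows: list of (src_zone, dst_zone, dst_port) tuples
    logging_cfg: {(src_zone, dst_zone): {"accepted": bool, "dropped": bool}}
    Returns a list of (flow, action, logged) tuples.
    """
    results = []
    for src, dst, port in flows:
        action = default_action  # assumption: no matching rule means default
        for rule in rules:       # assumption: first matching rule wins
            if (rule.src_zone, rule.dst_zone, rule.dst_port) == (src, dst, port):
                action = rule.action
                break
        boxes = logging_cfg.get((src, dst), {})
        box = "accepted" if action == "accept" else "dropped"
        results.append(((src, dst, port), action, boxes.get(box, False)))
    return results

def unlogged_drops(results):
    """Flows the firewall blocked without writing a log entry."""
    return [flow for flow, action, logged in results
            if action == "drop" and not logged]

# Constructed sample: the page's telnet scenario (block telnet from the LAN).
RULES = [Rule("LAN", "WAN", 23, "drop")]
FLOWS = [("LAN", "WAN", 23), ("LAN", "WAN", 80)]
ONLY_ACCEPTED = {("LAN", "WAN"): {"accepted": True, "dropped": False}}
BOTH_BOXES = {("LAN", "WAN"): {"accepted": True, "dropped": True}}

if __name__ == "__main__":
    for name, cfg in (("accepted only", ONLY_ACCEPTED), ("both", BOTH_BOXES)):
        events = routing_log_events(FLOWS, RULES, cfg)
        print(name, "-> unlogged drops:", unlogged_drops(events))
```

With only Accepted Packets checked for LAN to WAN, the blocked telnet attempt is dropped silently, so a reviewer reading the log would see the web traffic but not the policy violation.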
Step 1. Check or uncheck the check box of each option you want to enable or disable in the System Logs feature. System Logs identify the type of system event to be logged.
• All Unicast Traffic — Unicast traffic is data sent to only one recipient in a network. This option logs all unicast traffic that passes through the device.
• All Broadcast/Multicast Traffic — Broadcast traffic is data sent to all the hosts in a network or a subnetwork. Multicast traffic is data sent to specific multiple recipients on a network or a subnetwork. This option logs all the broadcast or multicast traffic that passes through the device.
Other Events Logs
Step 1. Check or uncheck the check box of each option you want to enable or disable in the Other Events Logs feature. Other Events Logs are used for the following events:
• Output Blocking Event Log — This option creates a log entry whenever there is an event in ProtectLink web reputation or URL filtering. It displays logs for packets which are blocked due to the Protective Link Service. The protective link service restricts the user from having access to unsecured websites.
Note: Refer to the article ProtectLink Web Protection Configuration on the SA540 Security Appliance for more information on ProtectLink and URL filtering.
• Source MAC Filter — Logs the packets which are discarded due to MAC filtering. MAC filtering is a security access control procedure that determines access to a network based on the MAC addresses of devices and their interfaces.
Note: Refer to the article Configuration of MAC Filtering on SA540 Security Appliance for the Source MAC Filter check box.
• Bandwidth Limit — Logs the packets that were dropped in a given transmission because the total packet size of the transmission exceeded the available bandwidth.
Step 2. Click Apply to save the settings.