
Symantec™ Security Gateways Reference Guide - Sawmill

Monitoring security gateway traffic

View logs

now looks like this:

"Jun 27, 2003 14:45:16.864 felix rtspd[590] 117 INFORMATIONAL: Daemon starting, Program Name=rtspd, Operation=Initialize, Resource=rtspd, Status=Success, State=Starting"

This new format consolidates similar messages and improves on the information presented in a message. For example, it should now be clear whether or not a service or daemon started successfully. This new format is also compatible with the format used by the Symantec Enterprise Security Architecture (SESA) environment.

Additionally, if you are familiar with text format log files, notice that log files are now stored in binary. The logging engine writes log files in binary format, which offers some significant advantages over their text counterparts: identical log messages are now consolidated, and the binary log format lets log files be parsed by a translator service and localized.

Because log files are stored in binary by default, third-party utilities like tail or text editors can no longer be used to view them without changing the default logging method. Enabling text logging instructs the security gateway to write out two separate versions of the log file, one in binary and the other in text. However, there is a performance impact, as the security gateway now has to write two log files instead of just one. Alternatively, the flatten8 utility is used to convert a binary log file into a text log file. The flatten8 utility also lets you tail the log file (view the last n lines, where n is any positive number) and follow the log file (view the last n lines, dynamically updated as new entries arrive).

Collecting statistics on connections

The security gateway produces many different types of messages in response to system and network activity. Each message consists of a message number, the message text, and a list of parameters that generated the message.

For example, if you want to collect specific information on individual connections, you might look for log message 121, which indicates a statistics message. Log messages categorized as 121 provide information on the duration, type of service, source, and destination for every connection through the security gateway. If your company billed for the time active connections use, 121 messages give a complete record of usage. The information captured by 121 messages depends upon the type of connection and the data passed through the security gateway on the connection.

Most connections lasting longer than two minutes are logged after two minutes and every hour thereafter. Telnet connections are not subject to this rule, since Telnet sessions frequently last for hours. The security gateway logs a message for Telnet immediately. If a Telnet connection lasts longer than an hour (3600 seconds), the security gateway logs a message at every hour mark and another message when the connection is closed.

Changelog

The security gateway uses a program called changelog to back up the current log file and start a new one. After running changelog, the old file is stored in a folder for that day, sorted first by year and then by month. Clicking Browse in the View Logs window brings up the list of old log files. A second changelog operation on the same day adds the suffix (1) to the log file name; a third adds (2), and so forth.

Note: If you run the changelog binary from the command line while the SGMI is still open, the log file will change correctly, but the log file shown in the SGMI log file view will not update. Closing the SGMI and reconnecting will update the view to the correct log file.

Managing the log file size

If left unchecked, log files can grow very large. It is critical that you are aware of the amount of space taken up by both the current log file and any backup files. Files that grow until they use up all available space on the disk cause performance problems.
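The following is an added example, not part of the Symantec guide: a small parser for the consolidated message layout quoted above (timestamp, host, daemon[pid], message number, severity, free text and Key=Value parameters) as it appears in flatten8 text output, used to total per-connection time from message-121 statistics records. The sample lines are constructed, and the 121 parameter names Service, Source, Destination and Duration, and the reading of Duration as seconds since the previous statistics record, are assumptions, since the guide does not list the 121 parameters.

```python
import re
from collections import defaultdict

# Layout shown above: "<Mon> <d>, <yyyy> <hh:mm:ss.mmm> <host> <daemon>[<pid>] <msgnum> <SEVERITY>: <text>, <Key=Value>, ..."
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2},\s+\d{4}\s+\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<host>\S+)\s+(?P<daemon>[^\[\s]+)\[(?P<pid>\d+)\]\s+"
    r"(?P<msgnum>\d+)\s+(?P<severity>[A-Z]+):\s*(?P<rest>.*)$"
)

def parse_line(line):
    """Parse one log line into its fields, or return None if it does not match.
    Comma-separated Key=Value pairs become 'params'; leading free text is 'text'."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"], rec["msgnum"] = int(rec["pid"]), int(rec["msgnum"])
    params, text = {}, []
    for part in rec.pop("rest").split(","):
        key, sep, value = part.partition("=")
        if sep:
            params[key.strip()] = value.strip()
        else:
            text.append(part.strip())
    rec["text"], rec["params"] = ", ".join(text), params
    return rec

def connection_usage(lines):
    """Total seconds per (Source, Destination, Service) from message-121 records.
    Assumption: a 121 record's Duration is the seconds since the previous
    statistics record for that connection, so per-connection values are summed."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["msgnum"] != 121:
            continue  # malformed lines and other message numbers are skipped
        p = rec["params"]
        key = (p.get("Source"), p.get("Destination"), p.get("Service"))
        totals[key] += int(p.get("Duration", "0"))
    return dict(totals)

# Constructed sample lines in the text form flatten8 would produce; the 121
# parameter names Service/Source/Destination/Duration are assumptions.
SAMPLE_LOG = """\
Jun 27, 2003 14:45:16.864 felix rtspd[590] 117 INFORMATIONAL: Daemon starting, Program Name=rtspd, Operation=Initialize, Resource=rtspd, Status=Success, State=Starting
Jun 27, 2003 14:47:20.101 felix httpd[612] 121 INFORMATIONAL: Connection statistics, Service=http, Source=10.1.2.3, Destination=192.0.2.10, Duration=120
Jun 27, 2003 15:47:20.330 felix httpd[612] 121 INFORMATIONAL: Connection statistics, Service=http, Source=10.1.2.3, Destination=192.0.2.10, Duration=3600
Jun 27, 2003 14:50:00.000 felix telnetd[633] 121 INFORMATIONAL: Connection statistics, Service=telnet, Source=10.1.2.4, Destination=192.0.2.11, Duration=0
"""
```

Feed it the output of flatten8 (or a text-mode log file) line by line; the http connection above, reported after two minutes and again at the hour mark, totals 3720 seconds.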