
Symantec™ Security Gateways Reference Guide - Sawmill


Monitoring security gateway traffic

When a log file exceeds 200 Mb, or the amount of disk space available for logging drops below 5 MB, action is taken to increase the amount of space available. The security gateway either switches to a new log file by running changelog, or deletes an old log file. The security gateway deletes a log file only if it has not been modified within the last 24 hours. If the security gateway cannot get space for logging by running changelog or deleting an old log file, the system stops.

Flatten utility

The flatten8 utility is shipped on the included CD and lets you perform simple log file management from the command line. The flatten8 utility reads in the log message information from the system's XML files, and then parses the binary log file in real time, substituting the actual error text message for its binary counterpart.

Most often, this utility is used to convert the binary log file to a more usable format for a third-party utility, such as an ASCII text editor. This utility is also used to review the most recent messages, or directed to show just statistics messages.

    usage: flatten8 [-h] [-r|-s|-D] [-f] [-u seconds] [-t n] [-x xmlpath] log file ...

Where:

    -h  Print this message and exit.
    -r  Only has an effect when -s is used. Do reverse lookups on IP addresses.
    -s  Output stats only.
    -D  Do not print out error information.
    -f  Follow output. (Binary files, default interval 2 seconds).
    -u  Follow update interval in seconds. (Implies -f).
    -t  Tail the last 'n' log messages.
    -x  Next argument specifies path to XML dictionary files. This argument should not need to be used, as the XML files are placed in the default location during installation.

SESA event gating

One of the strengths of the Symantec security gateways is that they are capable of reporting events to Symantec's SESA architecture. By doing so, you can correlate events from many security gateways into a single report.
The SESA event gating option appears in the local SGMI because you configure the messages to report to SESA prior to joining the security gateway to the SESA environment. The SESA architecture is beyond the scope of this book. Additional information on the SESA architecture and its advantages can be found in the Symantec Enterprise Security Architecture Administrator's Guide and the Symantec Advanced Manager for Security Gateways, Symantec Event Manager for Security Gateways Administrator's Guide.

All security gateway log messages have been classified into SESA event classes and subclasses. Additionally, each log message has been tagged with one of three possible values: always, sometimes, or never being logged to SESA. Events marked as always being logged to SESA are always logged, regardless of whether or not their associated class or subclass has been selected under the SESA Gating option. Similarly, messages marked as never being logged to SESA are never logged; these are low-level messages that are only of interest to a local administrator. The SESA Gating option applies only to those messages that are marked as sometimes being logged to SESA: if their class or subclass is selected, they are logged to SESA.
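The log-space policy described under "Monitoring security gateway traffic" (the 200 MB file limit, the 5 MB free-space floor, deletion only of logs untouched for 24 hours, and a stop when neither remedy helps) is a small decision procedure worth seeing end to end. The following is an added example, not code from the Symantec guide or the gateway itself: it simulates that policy on constructed log volumes. Sizes in bytes, trying changelog before any deletion, and deleting the oldest eligible log first are assumptions made here, as is the naming of the rotated file.

```python
"""Added example: a model of the security gateway's log-space policy as the
reference guide describes it.  Not the gateway's own code.
Assumptions: sizes are bytes, a rotation (changelog) is tried before any
deletion, the oldest eligible archived log is deleted first."""
from dataclasses import dataclass

MB = 1024 * 1024
LOG_SIZE_LIMIT = 200 * MB      # guide: "log file exceeds 200 Mb"
MIN_FREE_SPACE = 5 * MB        # guide: free space "drops below 5 MB"
DELETE_MIN_AGE = 24 * 3600     # guide: "not been modified within the last 24 hours"


@dataclass
class LogFile:
    name: str
    size: int      # bytes
    mtime: float   # last modification time, seconds since the epoch


@dataclass
class LogVolume:
    free: int           # bytes free on the logging partition
    active: LogFile     # file the gateway is currently writing to
    archived: list      # rotated log files, oldest first


def needs_space(vol: LogVolume) -> bool:
    """The two triggers the guide names."""
    return vol.active.size > LOG_SIZE_LIMIT or vol.free < MIN_FREE_SPACE


def run_changelog(vol: LogVolume, now: float) -> None:
    """Model of 'changelog': archive the active file and start an empty one.
    The rotated file's name is an assumption; the guide does not specify it."""
    vol.archived.append(vol.active)
    base = vol.active.name.split(".")[0]
    vol.active = LogFile(f"{base}.{len(vol.archived)}", 0, now)


def delete_stale_log(vol: LogVolume, now: float) -> bool:
    """Delete the oldest archived log that has been untouched for 24 hours.
    Returns False if every archived log was modified too recently."""
    for i, lf in enumerate(vol.archived):
        if now - lf.mtime >= DELETE_MIN_AGE:
            vol.free += lf.size
            del vol.archived[i]
            return True
    return False


def reclaim_space(vol: LogVolume, now: float) -> list:
    """Apply the policy once and return the actions taken, in order.
    The last action is "stop" when no remedy produced enough space."""
    actions = []
    if not needs_space(vol):
        return actions
    if vol.active.size > LOG_SIZE_LIMIT:
        run_changelog(vol, now)
        actions.append("changelog")
    while vol.free < MIN_FREE_SPACE:
        if delete_stale_log(vol, now):
            actions.append("delete")
        else:
            actions.append("stop")   # guide: "the system stops"
            break
    return actions


if __name__ == "__main__":
    now = 1_700_000_000.0
    # Constructed scenario: active file over the limit, plenty of free space.
    vol = LogVolume(free=100 * MB, active=LogFile("log", 250 * MB, now), archived=[])
    print(reclaim_space(vol, now))   # ['changelog']
    # Constructed scenario: free space low, only a recently modified archive.
    vol = LogVolume(free=2 * MB, active=LogFile("log", 10 * MB, now),
                    archived=[LogFile("log.1", 50 * MB, now - 3600)])
    print(reclaim_space(vol, now))   # ['stop']
```

The second scenario is the one an operator should watch for: a log that was rotated less than 24 hours ago is never a deletion candidate, so a burst of logging on a nearly full partition ends in a stop rather than in data loss.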
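The three-way tagging just described (always, sometimes, never) combined with the class/subclass selection under SESA Gating is easy to get wrong when reasoning about what actually leaves the gateway, so here is an added example that models it. This is not the gateway's code and the guide names no event classes: the class names, message fields and sample events are constructed, and treating a class selected without subclasses as selecting all of its subclasses is an assumption.

```python
"""Added example: a model of SESA event gating as the guide describes it.
Not the gateway's own code.  Each message carries an event class, a subclass
and a tag (always / sometimes / never); the gating selection decides only the
'sometimes' messages.  Class names and sample events are constructed."""
from dataclasses import dataclass
from enum import Enum


class SesaTag(Enum):
    ALWAYS = "always"        # forwarded regardless of the gating selection
    SOMETIMES = "sometimes"  # forwarded only if its class/subclass is selected
    NEVER = "never"          # low-level, of interest to the local administrator only


@dataclass(frozen=True)
class LogMessage:
    msg_id: int
    event_class: str
    subclass: str
    tag: SesaTag
    text: str


class GatingConfig:
    """Classes and subclasses selected under the SESA Gating option.
    A class selected with no subclasses is taken to select all of its
    subclasses (an assumption; the guide does not say how the SGMI treats it)."""

    def __init__(self, selected: dict):
        self.selected = {c: set(s) for c, s in selected.items()}

    def selects(self, event_class: str, subclass: str) -> bool:
        subs = self.selected.get(event_class)
        if subs is None:
            return False
        return not subs or subclass in subs


def forward_to_sesa(msg: LogMessage, cfg: GatingConfig) -> bool:
    """Decide whether one message leaves the gateway for SESA."""
    if msg.tag is SesaTag.ALWAYS:
        return True
    if msg.tag is SesaTag.NEVER:
        return False
    return cfg.selects(msg.event_class, msg.subclass)


def gate(messages, cfg: GatingConfig):
    """Split a batch into (forwarded, kept locally), preserving order."""
    forwarded, local = [], []
    for m in messages:
        (forwarded if forward_to_sesa(m, cfg) else local).append(m)
    return forwarded, local


# Constructed sample messages; class and subclass names are illustrative only.
SAMPLE_MESSAGES = [
    LogMessage(1, "System", "Restart", SesaTag.ALWAYS, "Security gateway restarted"),
    LogMessage(2, "Authentication", "Failure", SesaTag.NEVER, "Debug trace for auth module"),
    LogMessage(3, "Authentication", "Failure", SesaTag.SOMETIMES, "Login failed for user alice"),
    LogMessage(4, "Authentication", "Success", SesaTag.SOMETIMES, "Login succeeded for user bob"),
    LogMessage(5, "Proxy", "Connection", SesaTag.SOMETIMES, "HTTP proxy connection closed"),
]


def forwarded_ids(selected: dict) -> list:
    """Ids of the sample messages forwarded to SESA for a gating selection."""
    forwarded, _ = gate(SAMPLE_MESSAGES, GatingConfig(selected))
    return [m.msg_id for m in forwarded]


if __name__ == "__main__":
    print(forwarded_ids({"Authentication": {"Failure"}}))   # [1, 3]
    print(forwarded_ids({}))                                # [1]
    print(forwarded_ids({"Proxy": set()}))                  # [1, 5]
```

Note that message 2 stays local even though its class and subclass are selected: a never-tagged message is not affected by the gating selection, just as an always-tagged message (message 1) is forwarded with nothing selected at all.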
