The appliance uses log evidence and rolling packet captures
to gather evidence about security events. Learn where to configure
these features and about their behavior.
Log evidence
Evidence logging copies a packet
that triggers an event to a log file so you can determine exactly
what an intruder did or attempted to do. Evidence logging captures
packets that summarize web protection events, security events, user-defined
events, connection events, and response filters.
Where to configure
You can configure options for log evidence in the following areas:
- Event or filter page: Define the scope of packet capture
for the event or filter. For example, choose to capture specific traffic
or choose to capture all traffic passing through an interface at the
same time the event occurs.
- Log Evidence tab in the Responses area:
Define how many log evidence files the appliance stores, the size
of the capture files, and the file format.
- Tuning Parameters page: Add or edit
the parameter engine.logevidence.file.timeout.
This parameter defines how long evidence logging captures packets
when the suspicious traffic is idle. The default value is 15 minutes,
the minimum value is 5 minutes, and the maximum value is 30 minutes.
Note: Consider possible performance issues when choosing log
evidence options. Log evidence options that are too general or too
large might affect performance.
Relationship between log evidence options on the event/filter page, the Log Evidence tab and the Tuning Parameters page
All log evidence options work together to define the log evidence feature.
For example, if you set the appliance to capture a Connection on
the event or filter page, then the appliance captures all suspicious
traffic that matches the connection criteria. The appliance also applies
the maximum values from the Log Evidence tab to the packet capture
and sets a time limit for the capture. If the packet capture meets
any of the maximum values before the time limit is reached, then the
appliance stops the packet capture operation. Also, if the suspicious
connection session remains open, sends no suspicious packets for 15
minutes, and meets none of the maximum values, the packet capture
operation stops. In other words, whichever limit is reached first, a
maximum value or the idle time limit, ends the capture.
Table 1. Log evidence examples

Packet capture controlled by the Log Evidence tab:
- Log evidence tab maximum values set
- Event or filter page log evidence option set to Connection
- Log evidence tuning parameter set to 15 minutes
- A suspicious event occurs
- Appliance applies maximum values to the packet capture
- Appliance captures all traffic that matches the connection
- Appliance applies a time limit to the packet capture
- Suspect connection traffic continues to occur for 12 minutes;
however, it exceeds the number of packets per event maximum value
- Appliance stops the packet capture, even though the connection
traffic is still occurring and the packet capture file has not recorded
for 15 minutes
- Log evidence file is available to download from the Logs
and Packet Capture page

Packet capture controlled by the log evidence tuning parameter:
- Log evidence tuning parameter set to 15 minutes
- Log evidence tab maximum values set
- Event or filter page log evidence option set to Connection
- A suspicious event from an SSH session occurs
- Appliance applies time limit to the packet capture
- Appliance applies maximum values to the packet capture
- Appliance captures all traffic that matches the connection
- Suspicious SSH session remains open but has not sent any packets
for 15 minutes
- Appliance stops the packet capture, even though the suspicious
session remains open and the packet capture has not met any of the
maximum values
- Log evidence file is available to download from the Logs
and Packet Capture page
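The stop rules described in the relationship paragraph and in both columns of Table 1, modelled as an added example (not the appliance's own code). It assumes the Log Evidence tab maximum values are a packets-per-event count and a capture file size in KB, both named here for illustration, and enforces the documented 5 to 30 minute range of engine.logevidence.file.timeout.

```python
from dataclasses import dataclass

# Constructed model of the log evidence stop rules; times are minutes since
# the triggering event. Range and default come from the tuning parameter text.
IDLE_TIMEOUT_MIN, IDLE_TIMEOUT_DEFAULT, IDLE_TIMEOUT_MAX = 5, 15, 30


def idle_timeout_is_valid(minutes: int) -> bool:
    """True when engine.logevidence.file.timeout is within 5..30 minutes."""
    return IDLE_TIMEOUT_MIN <= minutes <= IDLE_TIMEOUT_MAX


@dataclass
class EvidenceLimits:
    max_packets: int      # Log Evidence tab: packets per event (assumed name)
    max_file_kb: int      # Log Evidence tab: capture file size (assumed name)
    idle_timeout: int = IDLE_TIMEOUT_DEFAULT  # engine.logevidence.file.timeout

    def __post_init__(self):
        if not idle_timeout_is_valid(self.idle_timeout):
            raise ValueError("idle_timeout must be 5..30 minutes")


def simulate_capture(limits: EvidenceLimits, packets):
    """packets: constructed list of (minutes_since_event, size_kb) for
    suspicious traffic matching the connection, in time order.
    Returns (stop_reason, packets_recorded, minutes_elapsed)."""
    last_seen, recorded, size_kb = 0.0, 0, 0
    for t, kb in packets:
        # Idle timer ran out before this packet: capture already stopped.
        if t - last_seen >= limits.idle_timeout:
            return ("idle_timeout", recorded, last_seen + limits.idle_timeout)
        recorded += 1
        size_kb += kb
        last_seen = t
        # A maximum value from the Log Evidence tab ends the capture early,
        # even if the connection keeps sending traffic (Table 1, first case).
        if recorded >= limits.max_packets:
            return ("max_packets", recorded, t)
        if size_kb >= limits.max_file_kb:
            return ("max_file_size", recorded, t)
    # Session still open but silent: the idle timer ends the capture
    # with no maximum value reached (Table 1, second case).
    return ("idle_timeout", recorded, last_seen + limits.idle_timeout)
```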
Rolling packet capture
The rolling packet capture feature captures packets on a specified interface.
Configure this feature on the Rolling Packet Capture page.
You can define how many rolling packet capture files the appliance
stores and the size of the files. Also configure the interface from
where the appliance captures packets and the packet capture file format.