This chapter includes information that is directly related to Multi-Domain Management, with some general background information and basic procedures. See the R80.20 Logging & Monitoring Administration Guide for the full set of conceptual information and procedures.
With R80, logging, event management, reporting, and monitoring are more tightly integrated than ever before. Security data and trends are easy to understand at a glance, with Widgets and chart templates that optimize visual display. Logs are now tightly integrated with the Policy rules so that you can access all logs associated with a specific rule by simply clicking on that rule. Free-text search also lets you enter specific search terms to retrieve results from millions of logs in seconds.
One-click exploration makes it easy to move from high-level overview to specific event details such as type of attack, timeline, application type and source. After you investigate an event, it is easy to act on it. Depending on the severity of the event, you can choose to ignore it, act on it later, or block it immediately. You can also easily toggle over to the rules associated with the event to refine your Policy. Send reports to your manager or auditors that show only the content that is relevant to each stakeholder.
In R80.x, SmartReporter and SmartEvent functionality is integrated into SmartConsole.
Using rich and customizable views and reports, R80 introduces a new experience for log and event monitoring.
The new views are available from two locations:
Where Server IP is the IP address of the Multi-Domain Server or Multi-Domain Log Server.
Note - Include the final forward slash: /
A Domain Log Server is a dedicated host for Domain log files. A Multi-Domain Log Server is a dedicated container for Domain Log Servers. Domain Log Servers also handle these log management activities:
It is a best practice to use Multi-Domain Log Servers and Domain Log Servers to handle logs for a Multi-Domain Management environment because of the large volume of logs.
To see the logs for a Domain and its Security Gateways, click Logs & Monitor in SmartConsole for that Domain. To see logs for all Domains in one view, click Logs & Monitor in the Multi-Domain Server SmartConsole. You can filter the logs for specified Security Gateways, Domain Management Servers, or Domain Log Servers.
This section shows you how to create a new Multi-Domain Log Server and its related Domain Log Servers.
Important: Before you start this procedure, make sure that you define the physical servers as the correct server type (Secondary Multi-Domain Server or Multi-Domain Log Server) during installation. An incorrect definition can cause deployment failure.
To create a new Multi-Domain Log Server:
Follow the procedures in the R80.20 Installation and Upgrade Guide.
Make sure to define this server as a Multi-Domain Log Server in the First Time Configuration Wizard.
Enter the same Activation Key you entered during the First Time Configuration Wizard of the Multi-Domain Log Server.
To create Domain Log Servers:
Wait for the cell to show the new Domain Log Server.
The Domain Log Servers synchronize automatically.
The new Multi-Domain Log Server automatically synchronizes with all existing Multi-Domain Servers. The synchronization operation can take many minutes to complete, during which a notification indicator shows in the task information area.
Logs are not automatically forwarded to a Log Server. You must manually configure each relevant Security Gateway to send its logs to the new Domain Log Server.
To configure Domain Security Gateways to send logs to a Log Server:
You can delete or ignore other Log Servers in the list as necessary.
To delete a Domain Log Server in SmartConsole:
Disk cleanup deletes the oldest log files when the available disk space is less than a specified value. Disk cleanup settings are controlled at the Multi-Domain Server level and apply to all Domains and Domain Management Servers. Disk cleanup settings configured at the Domain Management Server level are ignored.
These other log management activities, when configured on a Multi-Domain Server, apply only to that Multi-Domain Server:
Configure these activities individually for each Domain Management Server and Log Server.
To configure log settings for a Multi-Domain Server:
This parameter applies to the Multi-Domain Server and its Domain Management Servers.
Enter the minimum disk space and unit of measure (Default = 3 GB).
Enter the minimum disk space and unit of measure (Default = 100 MB).
Enter the maximum log file size. (Default = 1 GB).
Security Gateways generate logs. The Security Policy on each Security Gateway controls which rules generate log entries. In a Multi-Domain Management environment, the Security Gateways send logs to a Domain Management Server or to Domain Log Servers.
Domain Management Servers and Multi-Domain Servers also generate audit logs. The system typically saves audit logs on a Multi-Domain Server, which automatically synchronizes to other Multi-Domain Servers in a High Availability deployment.
You can use one of these strategies to deploy Domain Log Servers in a Multi-Domain Management environment:
Best Practice - Use this strategy in large, geographically distributed environments.
This is an example of the Log view.
Item | Description |
---|---|
1 | Queries - Predefined and favorite search queries. |
2 | Time Period - Search with predefined custom time periods. |
3 | Query search bar - Define custom queries in this field. You can use the GUI tools or manually enter query criteria. Shows the query definition for the most recent query. |
4 | Log statistics pane (Tab hidden) - Top results of the most recent log query. |
5 | Log Servers - All Multi-Domain Log Servers, Domain Log Servers, and other Log Server objects in the Multi-Domain Management deployment. Select one or more Log Servers from this list to include in a query. |
6 | Results pane - All log entries for the most recent query. |
R80.x includes many powerful, integrated features that let you monitor your Multi-Domain Management environment directly in SmartConsole. Additionally, you can use the SmartView Monitor client application to work with advanced monitor features, such as:
To see status and general information for Multi-Domain Servers or Multi-Domain Log Servers, select Multi-Domain in the SmartConsole Multi-Domain Management window. This information shows in the System Information area:
You can use SmartView Monitor to see other, detailed status information, such as:
Use the SmartConsole Logs & Monitor view to see Domain and Domain Management Server status. You can also show the combined statistics, in real time, for all Security Gateways in the Domain:
You can apply filters and show different types of graphical displays. You can also save the results to your local computer in these formats:
To see Security Gateway status and monitoring information:
The Monitor Information window opens.
You can use the SmartConsole Logs & Monitor view to see Security Gateway status and show operational statistics in real time:
You can apply filters and show different types of graphical presentation. You can also save the results to your local computer in these formats:
To see Security Gateway status and monitoring information:
The Monitor Information window opens.