System Logs and Events
CyberEdge supports a number of log and event types, providing system administrators with visibility of the CyberEdge system, network and security events. Log and event data stored on the CyberEdge appliance is available in both the Management and Reporting user interfaces.
Log and Event Types
Events
Log Type | Description |
---|---|
Access Policy Events | Events generated by Access Policy rule matches including allow and block actions |
System Config Change Events | System configuration changes made by the administrator |
Content Scanning Events | Events generated by content scanning policy matches |
Network Connection Events | Events generated by the network including interface status changes and network outages |
NAT Events | Port forward, 1:1 NAT connection activity into and out of the network |
Access Events | Authentication events including session login, session logout, authentication methods |
Threat Management Events | Events logged by the Intrusion Prevention System (IPS) |
System logs
Log Type | Description |
---|---|
Administration UI Access Logs | Access logs tracking activity and usage of the user interface for any User |
Authentication Logs | Authentication events for the administration user interface |
BGP Logs | BGP connection logs |
Connection Manager Logs | Logs provide status updates for CyberEdge network connections |
DHCP and Router Advertisement | DHCP logs when CyberEdge is configured as a DHCP Server or DHCP relay |
DNS Server Logs | CyberEdge DNS server logs |
Client-to-Site VPN Logs | Client to site VPN connection logs |
Site-to-Site VPN (IPsec) Logs | Site to site IPsec connection logs |
Proxy Access Logs | Proxy access logs |
System Alert Logs | Major system alert notifications |
Reverse Proxy Logs | Reverse proxy logs monitoring incoming and outgoing connections to internal hosts |
Log Retention
The log retention periods will vary depending on the importance of the log and the amount of data stored. When storage becomes low, the oldest records will be purged first with priority given to Short Term Events. Outlined below are the CyberEdge event and log retention policies.
Long Term retention
Log Type | Retention Period |
---|---|
Config Changes | 1 year |
Authentication Events | 1 year |
Short Term retention
Event Type | Retention Period |
---|---|
Firewall Events | 8 weeks |
NAT Events (All) | 8 weeks |
VPN Events (All) | 8 weeks |
IPS Events (All) | 8 weeks |
IP Ban Events | 8 weeks |
Content Scanning | 8 weeks |
Speak Up Events | 8 weeks |
YouTube Analytics | 8 weeks |
Network Monitoring Data | 8 weeks |
Note
- The CyberEdge prioritizes the ability to record new events, and will automatically remove old events to free up disk space for new events when necessary. If available database storage becomes low, the appliance will automatically drop Network Monitoring data one week at a time, down to a minimum of 4 weeks.
- Old events can be manually cleared to free up disk space by going to Reporting > Storage.
Configure Remote Syslog Servers
Start by configuring one or more remote syslog servers that will be referenced by each event type to be forwarded. Since Syslog over TLS is not currently supported, log forwarding should only take place over a secure network, as the data is NOT encrypted during transit. To configure a remote syslog server navigate to:
- System > Log Forwarding
- In Remote Syslog Server go to "Add"
- Enter the details for the remote syslog server including protocol, name, hostname/IP and port.
- Click "Save"
- Click "Save" and "Apply Changes"
Tip
- Whilst it is not strictly required, it is recommended to save and apply changes before configuring log forwarding events.
- The standard syslog default port is UDP 514.
Configure Event Forwarding
Log forwarding allows for system and network events to be shipped to external syslog servers. Log forwarding should be used where users wish to analyze logs in more detail using third party reporting tools or are required to store/archive logs for extended periods of time. The following setup guide assumes a working remote syslog server. To configure log forwarding navigate to:
- System > Log Forwarding
- In Event Forwarding or System Log Forwarding, choose the log type to forward
- In the log type, select its syslog target.
- Click "Save"
- Click "Save" and "Apply Changes"
The specified log will now be forwarded to the configured target.
Note
- Log forwarding can impose a significant load and impact performance, so this should be taken into account when developing your log forwarding strategy and determining the number of remote syslog servers to configure.
- Log and event data is not encrypted in transit. Logs should be forwarded over a secure network connection.
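A minimal receiver for checking that forwarded events arrive at the remote syslog server on UDP 514. This is an added example, not CyberEdge code. Assumptions: the appliance address 192.0.2.10 is a placeholder, and only the standard syslog `<PRI>` prefix is decoded because the page does not document the message layout.

```python
import re
import socket

# Assumption: address of the CyberEdge appliance (documentation-range placeholder).
ALLOWED_SOURCES = {"192.0.2.10"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"<(\d{1,3})>")
# Constructed sample datagram, not real appliance output.
SAMPLE = b"<134>constructed test message\n"


def parse_pri(datagram: bytes):
    """Split a datagram into (facility, severity, message), or None if malformed."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:      # highest valid PRI: 23 * 8 + 7
        return None
    pri = int(m.group(1))
    message = datagram[m.end():].decode("utf-8", errors="replace").rstrip("\r\n")
    return pri // 8, SEVERITIES[pri % 8], message


def handle(datagram: bytes, source_ip: str, allowed=ALLOWED_SOURCES):
    """Return a parsed record, or None for datagrams that should be dropped."""
    # Filters stray senders only. UDP source addresses can be forged and the
    # payload is cleartext, so the forwarding path itself must be a secure network.
    if source_ip not in allowed:
        return None
    parsed = parse_pri(datagram)
    if parsed is None:
        return None
    facility, severity, message = parsed
    return {"source": source_ip, "facility": facility,
            "severity": severity, "message": message}


def serve(bind_addr: str = "0.0.0.0", port: int = 514):
    """Listen on the standard syslog port; binding UDP 514 usually needs privileges."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (ip, _src_port) = sock.recvfrom(8192)
            record = handle(data, ip)
            print(record if record else f"dropped datagram from {ip}")


if __name__ == "__main__":
    serve()
```

Bind `serve()` to the interface facing the secure forwarding network rather than `0.0.0.0` where the host has more than one interface.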