Logs Severity


#1

I have noticed that if I have any firewall rules logged to the syslog, they are logged with a severity of “1” which is an alert. This fills our syslog with hundreds of urgent alert messages for any packets that match a firewall rule and pages our support techs (since the syslog server thinks there is a problem).

It seems that these syslog messages should be logged with a severity of “6” for informational only.

In addition, syslog messages from the AP when a client connects and disconnects are logged with a severity of “5” which is typically a “notice: normal but significant activity” message. Again, I think a simple connect and disconnect from an AP would be more of a “6” informational only message.


#2

Hi Reynaldo,

What is the syslog server that you are using?

Besides that, can you share some sample logs collected from the syslog server?

Thank You


#3

I am using PRTG as the syslog server. Unfortunately, it is not possible to export syslog messages from the server. I can take some screen shots but without pointing at a different server, that is it…


#4

Hi Reynaldo,

Can you share the screenshot here? Please remember to remove any sensitive info from the logs.

Thank You


#5

Firewall log example:


AP Example:



#6

Hi Reynaldo,

I will move this thread under feature request and let the engineering team consider the request.

Originally, firewall logs were only recommended to be turned on for troubleshooting purposes or to log some special traffic, thus the logs are categorised under alert.

Besides that, can you advise us of the use case for the firewall logs that you are currently working on? Do you turn on the firewall logs for all the defined firewall rules? If yes, is there any special requirement why you need to turn on the firewall logs?

For AP logs, severity 5 usually refers to “notification”. This is very subjective; some users may think that these are notification logs. Can you also provide the detailed use case for the AP logs severity info?

Thank You


#7

We have some firewall rules that allow our admins to have access to other VLANs and it is nice to log that activity for audit purposes.

I totally understand the subjectivity of classification of syslog messages. What is a 3 to me is a 6 to someone else. Vendors are not consistent with the use. Peplink may use a “5” for notification where another vendor would classify that same message as a “6” or even a “4”. This makes using syslog for network administration alerting difficult since you either catch too many messages or not enough.


#8

Hi Reynaldo,

We will let the engineering team consider the request.

Usually for log monitoring/alerting, you should filter the logs based on the message fields instead of the log severity field only.

Thank You
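Post #8's advice to filter on message fields rather than on severity alone, together with the severity numbers discussed in post #1 (1 = alert, 5 = notice, 6 = informational), worked through as an added example that is not part of this thread or of any Peplink or PRTG software. It decodes the syslog PRI header (facility * 8 + severity) and then decides whether a line should page someone by first matching the message body against content rules, falling back to the device's severity only when no rule applies. The sample lines, rule names and regexes are constructed assumptions about what such messages might look like, not Peplink's actual log format.

```python
import re
from dataclasses import dataclass

# Syslog severity codes (RFC 5424 section 6.2.1). The thread refers to 1, 5 and 6.
SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notice", 6: "informational", 7: "debug",
}

# RFC 3164-style line: "<PRI>TIMESTAMP HOST MESSAGE", where PRI = facility*8 + severity.
_LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    message: str


def parse_line(line: str) -> SyslogEvent:
    """Split the PRI header into facility and severity; keep the rest as the message."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"no <PRI> header: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogEvent(facility=pri // 8, severity=pri % 8, message=m.group("rest"))


# Hypothetical content rules (assumptions, not Peplink's format): a match on the
# message body overrides whatever severity the device stamped on the line.
CONTENT_RULES = [
    # a firewall rule hit is audit data, not an incident, even if sent as severity 1
    (re.compile(r"\bfirewall\b.*\b(allow|deny|drop)\b", re.I), "audit"),
    # AP client join/leave is routine, even if sent as severity 5
    (re.compile(r"\bclient\b.*\b(connected|disconnected)\b", re.I), "info"),
]

# Only when no content rule applies do we trust the severity; error (3) and worse page.
PAGE_AT_OR_BELOW = 3


def should_page(event: SyslogEvent) -> tuple[bool, str]:
    """Return (page_someone, label). Content rules win over the severity field."""
    for pattern, label in CONTENT_RULES:
        if pattern.search(event.message):
            return False, label
    name = SEVERITY_NAMES[event.severity]
    return event.severity <= PAGE_AT_OR_BELOW, name


def triage(lines: list[str]) -> list[tuple[bool, str]]:
    """Parse and classify a batch of raw syslog lines."""
    return [should_page(parse_line(line)) for line in lines]


# Constructed sample lines using facility local0 (16): PRI 129 = alert,
# 133 = notice, 130 = critical.
SAMPLE_LINES = [
    "<129>Jan 10 12:00:01 balance firewall: rule 'admin-to-vlan20' allow 10.0.1.5 -> 10.0.20.7 tcp/22",
    "<133>Jan 10 12:00:05 ap-lobby wlan: client aa:bb:cc:dd:ee:ff connected to SSID Guest",
    "<130>Jan 10 12:00:09 balance wan: WAN1 link down",
]

if __name__ == "__main__":
    for line, (page, label) in zip(SAMPLE_LINES, triage(SAMPLE_LINES)):
        ev = parse_line(line)
        print(f"sev={ev.severity} ({SEVERITY_NAMES[ev.severity]:<13}) page={page!s:<5} as={label}")
```

With these rules the firewall hit (sent as alert) and the AP association (sent as notice) are kept for audit and information without paging anyone, while the unmatched WAN failure still pages on its severity. The same idea can be expressed in PRTG's syslog sensor filters or in rsyslog/syslog-ng property filters; the point is that the message body, not the vendor's severity choice, decides the routing.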