When customers look at the log details for URL filtering, there appear to be many log entries. But when they look at the snapshot, the URL access ranking, or the source IP rankings, all of them are empty and show no data.
Checking the log details, I find that all the URL logs are of the CAT type (URL/4/CAT). The log format is as follows:
<188>2006-09-02 14:17:56 USG5520S URL/4/CAT:type="Pre-define category" proto=http action=deny src=22.214.171.124 dst=10.27.234.245 srcport=2589 dstport=80 eventnum=1 page="/" dstname=www.sina.com host="Portal Sites"
After confirmation, the graphs under the URL filtering label need audit-type (URL/6/AUDIT) logs as their available data. The log format is as follows:
<190>2006-09-02 14:17:56 USG5520S %%01URL/6/AUDIT(l):type="Not defined" proto=HTTP cat_action=deny src=172.18.1.1 dst=192.168.10.217 srcport=4026 dstport=1155 eventnum=1 arg="/" dstname=www.sina.com hititem="[exact]:www.sina.com/"
Then I logged in to the USG5520S firewall as an audit user to check whether the firewall creates audit logs. After checking, there are no audit logs in the firewall logbuffer.
So the root cause of the issue may be that the USG5520S firewall doesn’t create any audit-type logs. Checking the USG5520S configuration further, some configuration for the audit-type logs was missing. The following commands need to be added:
[USG5520S]info-center source default channel 4 log level informational // This command changes the log level to informational; only after that can the audit-type logs be created.
[USG5520S]http-access log-type syslog // This command changes the log type to syslog; after that the logs can be seen and shown in the eSight log center.
After adding the above commands on the USG5520S, I can see the audit logs in the eSight LogCenter, and the graph shows the data.
According to the issue information, it seems like the eSight LogCenter server doesn’t process the logs correctly.
Because the USG firewall works with the LogCenter (eLog), different graphs need different logs. If a graph looks abnormal, check whether the correct logs have been sent to the LogCenter (eLog) server.
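One way to run that check offline, as an added example that is not part of the original case or any Huawei tool: the script parses the two log formats shown above, decodes the syslog priority (188 and 190 decode to severity 4 and 6, the latter being informational), and flags a capture that contains CAT logs but no AUDIT logs. The function names are hypothetical, and it assumes one syslog message per line in exactly the formats quoted above.

```python
import re
from collections import Counter

# The two sample lines shown above, copied from the page.
SAMPLE = [
    '<188>2006-09-02 14:17:56 USG5520S URL/4/CAT:type="Pre-define category" proto=http action=deny src=22.214.171.124 dst=10.27.234.245 srcport=2589 dstport=80 eventnum=1 page="/" dstname=www.sina.com host="Portal Sites"',
    '<190>2006-09-02 14:17:56 USG5520S %%01URL/6/AUDIT(l):type="Not defined" proto=HTTP cat_action=deny src=172.18.1.1 dst=192.168.10.217 srcport=4026 dstport=1155 eventnum=1 arg="/" dstname=www.sina.com hititem="[exact]:www.sina.com/"',
]

# <PRI>date time host [%%NN]MODULE/SEVERITY/MNEMONIC[(l)]:key=value ...
HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>\S+ \S+) (?P<host>\S+) '
    r'(?:%%\d+)?(?P<module>\w+)/(?P<sev>\d)/(?P<mnemonic>\w+)(?:\(\w\))?:(?P<body>.*)$')
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return a dict for one URL filtering syslog line, or None if it does not match."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # Syslog PRI = facility * 8 + severity (4 = warning, 6 = informational).
    rec["facility"], rec["severity"] = divmod(int(rec.pop("pri")), 8)
    rec["fields"] = {k: q or u for k, q, u in FIELD.findall(rec.pop("body"))}
    return rec


def diagnose(lines):
    """Count URL log types and flag the case where only CAT logs arrive."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["module"] == "URL":
            counts[rec["mnemonic"]] += 1
    audit_missing = counts["CAT"] > 0 and counts["AUDIT"] == 0
    return dict(counts), audit_missing


if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE):
        print(rec["mnemonic"], "severity", rec["severity"], rec["fields"]["dstname"])
    print(diagnose(SAMPLE[:1]))  # CAT only: the graphs would stay empty
    print(diagnose(SAMPLE))      # AUDIT present
```

If `audit_missing` comes back true for a capture taken at the LogCenter server, the firewall is not emitting informational-level URL/6/AUDIT messages and the two commands above are the place to look.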