Chapter 20: Events and Logging

20.1. Overview

The ability to log and analyze system activities is an essential feature of cOS Stream. Logging enables not only the monitoring of system status and health, but also allows auditing of network usage and assists in troubleshooting.

Log Message Generation

A large number of different log event messages can be generated as a result of associated system events. Examples of such events are the establishment and ending of flows, receipt of malformed packets and the dropping of traffic according to filtering policies.

Log events are always generated for certain aspects of cOS Stream such as buffer usage, DHCP clients, high availability and IPsec. The generation of events for other subsystems such as DHCP Relay, DHCP Servers and IP Rules can be enabled as needed.

Event Types

Several hundred events exist for which log messages can be generated. The events range from high-level, customizable, user events down to low-level and mandatory system events.

The flow_open event, for example, is a typical high-level event that generates an event message whenever a new flow is established, given that the matching security policy rule has defined that event messages should be generated for that flow.

An example of a low-level event would be the startup_normal event, which generates a mandatory event message as soon as the system starts up.

Message Format

All event messages have a common format, with attributes that include category, severity and recommended actions. These attributes enable easy filtering of messages, either within cOS Stream prior to sending to an event receiver, or as part of the analysis after logging and storing messages on an external log server.

A list of all event messages can be found in the separate cOS Stream Log Reference Guide. The document also describes the design of event messages, the meaning of severity levels and the various attributes available.

Event Severity

The severity of each event is predefined and it can be, in order of severity, one of:

Emergency
Alert
Critical
Error
Warning
Notice
Info
Debug

By default, cOS Stream sends all messages of level Info and above to configured log servers. The Debug category is not sent by default; it is intended for troubleshooting only and should be turned on only when required to solve a problem. All log messages of all severity levels are listed in the separate cOS Stream Log Reference Guide.

The Dynamic Severity

There is an additional severity type called Dynamic which does not fit into the progressive severity list given above. A severity of Dynamic means that the severity of the log event can change. There are two uses for this severity type:

  • cOS Stream can set the severity of the event to a specific level to indicate that the triggering condition has not been dealt with.

  • The severity of the event can be explicitly set by the administrator.
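As an added illustration of the severity ordering, the default Info-and-above forwarding rule and the Dynamic severity described above (example code written for this page, not part of cOS Stream or its documentation), the following Python filter works over constructed sample events. The Event fields, the admin_overrides mapping and the sample event names other than flow_open and startup_normal are assumptions.

```python
from dataclasses import dataclass

# The eight severity levels in the order the chapter lists them, most
# severe first: a lower index means a more severe event.
SEVERITY_ORDER = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Info", "Debug"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

@dataclass
class Event:
    # Constructed stand-in for an event message; the fields are assumptions.
    name: str        # event name, e.g. flow_open or startup_normal
    category: str    # message category attribute
    severity: str    # one of SEVERITY_ORDER, or "Dynamic"
    logtrace: int    # integer marking where in the system it originated

def resolve_severity(event, admin_overrides):
    """Turn a Dynamic severity into a concrete level.

    admin_overrides (assumed shape {event name: level}) stands in for the
    administrator explicitly setting the severity of a Dynamic event.
    Returns None when the event is Dynamic and no level has been assigned.
    """
    if event.severity != "Dynamic":
        return event.severity
    return admin_overrides.get(event.name)

def forwarded(events, admin_overrides=None, threshold="Info"):
    """Return the events a log receiver would get: threshold level and above.

    The default mirrors the chapter: Info and above are sent, Debug is not.
    Assumption: an unresolved Dynamic event is forwarded rather than dropped,
    so a condition that has not been dealt with is never silently lost.
    """
    admin_overrides = admin_overrides or {}
    limit = RANK[threshold]
    return [ev for ev in events
            if (lvl := resolve_severity(ev, admin_overrides)) is None
            or RANK[lvl] <= limit]

# Constructed sample events: names other than startup_normal and flow_open
# are placeholders, and the logtrace values are made up.
SAMPLE_EVENTS = [
    Event("startup_normal", "SYSTEM", "Notice", 1001),
    Event("flow_open", "FLOW", "Info", 2002),
    Event("example_debug_event", "FLOW", "Debug", 2003),
    Event("example_dynamic_event", "HA", "Dynamic", 3004),
]
```

Calling `forwarded(SAMPLE_EVENTS)` applies the default policy: the Notice and Info events pass, the Debug event is dropped, and the Dynamic event is kept until an administrator assigns it a level.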

The logtrace Parameter

All log event messages contain a parameter called logtrace which is assigned an integer value. This value is used by Clavister support specialists during troubleshooting to determine where in the system the log message originated since the same log message can potentially be generated from more than one place within cOS Stream.

Log Receivers

To distribute and log the event messages generated by cOS Stream, it is necessary to define one or more event receivers that specify what events to capture, and where to send them.

cOS Stream can be configured to distribute log event messages in different ways:

  • Real-Time Log Event Display with the log Command

    The CLI console can act as a log receiver, displaying new log messages as they are generated in real-time. The feature can be turned on using the CLI log command.

    This receiver type is discussed further below in Section 20.2, Using the log Command.

  • Syslog Receivers

    An external server that will collect Syslog log messages sent by cOS Stream can be defined with a LogReceiverSyslog object. Syslog is the de-facto standard for logging events from network devices. If other network devices are already logging to Syslog servers, using Syslog with cOS Stream log messages can simplify overall administration.

    This receiver type is discussed further below in Section 20.3, Logging to Syslog Servers.

  • SNMP Traps

    An LogReceiverSNMP2c object can be defined for an external server that will collect SNMP Trap log messages sent by cOS Stream. Such receivers are typically used to collect and respond to critical alerts from network devices.

    This receiver type is discussed further below in Section 20.5, SNMP Traps.