Log event messages can be displayed in real-time on a CLI console by entering the command:
System:/> log -on
All messages are then displayed as they are generated as well as being sent to any configured log servers.
To switch off logging, use the command:
System:/> log -off
The key combination Ctrl-C can also be used to terminate message display at the console.
A typical sequence of turning on, then turning off logging is shown below with one intervening log message:
System:/> log -on
Logging on
LOG: Jun 17 00:22:20 RULE: prio=Warning id=00000 event=no_route_to_source iface=wan srcip=172.22.0.5 pkt_flowdir=n/a pkt_srchw=00:1b:11:5a:0e:c9 pkt_ipver=4 pkt_proto=IGMP pkt_recvif=wan pkt_srcip=172.22.0.5 pkt_destip=239.255.255.100 pkt_srcport=0 pkt_destport=65178 action=drop logtrace=02404889
System:/> log -off
Logging off
System:/>
Each new log message is preceded by the text "LOG:".
Limiting Message Display
With large numbers of log messages being generated, it can be useful to limit the number of messages displayed. The -rate option of the log command restricts the number of messages per second that are displayed with the excess being discarded. For example, to limit the displayed rate to one message per second, enter the command:
System:/> log -on -rate=1
Another way to limit the total number of log messages displayed is by using the -num option. For example, if only one log message is to be displayed before logging is disabled, the following CLI command would be used:
System:/> log -on -num=1
Logging on
LOG: Jun 17 00:22:20 RULE: prio=Warning id=00000 event=no_route_to_source iface=wan srcip=172.22.0.5 pkt_flowdir=n/a pkt_srchw=00:1b:11:5a:0e:c9 pkt_ipver=4 pkt_proto=IGMP pkt_recvif=wan pkt_srcip=172.22.0.5 pkt_destip=239.255.255.100 pkt_srcport=0 pkt_destport=65178 action=drop logtrace=02404889
Received 1 logs. Closing due to limit.
System:/>
See the separate CLI Reference Guide for a description of log command options.
Using Filters
It is possible to specify a range of different filter parameters with the log command so that only log events that match a specific set of criteria are displayed.
Consider a simple example of only seeing log event messages where the source interface is if2. The CLI command to start logging would be:
System:/> log -on -srciface=if2
Not all log events have a source interface specified. Most rules, such as IP rules, would have this field. Another optional parameter of this kind is -action=. It typically relates to the action of the IPRule object that generated the event message, although some other configuration objects can also have an associated action.
One of the most useful filtering parameters is ID where a particular log event ID is of interest, regardless of what is generating it. Leading zeros are not required. For example:
System:/> log -on -ID=00600001
Note that the entire ID must be specified, including leading zeros. All log event ID numbers are listed in the separate Clavister NetShield Firewall Log Event Reference Guide.
Filtering can be built up into combinations of criteria:
System:/> log -on -ID=00600001 -srciface=if2
With combinations there is a logical AND between the criteria so all have to be true for the event to appear.
If the filtering parameters are to be changed, then a new log command needs to be issued with the -on option. For example, if we are now interested in the same log ID on the if3 port, the command would be:
System:/> log -on -ID=00600001 -srciface=if3
Note that this new command also terminates the execution of any previously issued log -on command.
Instead of specifying a specific field, it is possible to filter events using a general text field. For example, if the only events to be displayed are ones that contain the IP address 203.0.113.12, the CLI command could be:
System:/> log -on -text=203.0.113.12
A refinement of this is to use a regular expression. If we are only interested in events that contain at least one IP address string beginning with 203.0.113. then the CLI command could be:
System:/> log -on -regexp=203\.0\.113\.\d{1,3}
These text-based filters search the entire log event message for a match.
All of the log command's options are listed in the separate Clavister NetShield Firewall CLI Reference Guide.
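The filter semantics described above (field criteria combined with a logical AND, plus whole-message text and regular expression matching) can be reproduced offline on console output that has been saved to a file. The following Python sketch is an added example and is not part of the Clavister documentation or product. The function names are hypothetical, criteria are keyed by the field names as they appear in the message text rather than by CLI option names, and the second and third sample lines are constructed.

```python
import re

# First line: the sample message shown on this page.
# Second and third lines: constructed for this example (IDs, events, addresses are illustrative).
SAMPLE = [
    "LOG: Jun 17 00:22:20 RULE: prio=Warning id=00000 event=no_route_to_source "
    "iface=wan srcip=172.22.0.5 pkt_flowdir=n/a pkt_srchw=00:1b:11:5a:0e:c9 "
    "pkt_ipver=4 pkt_proto=IGMP pkt_recvif=wan pkt_srcip=172.22.0.5 "
    "pkt_destip=239.255.255.100 pkt_srcport=0 pkt_destport=65178 action=drop "
    "logtrace=02404889",
    "LOG: Jun 17 00:22:21 RULE: prio=Notice id=00600001 event=example_event "
    "iface=if2 srcip=203.0.113.12 action=drop",
    "LOG: Jun 17 00:22:22 RULE: prio=Notice id=00600001 event=example_event "
    "iface=if3 srcip=198.51.100.7 action=allow",
]

HEADER = re.compile(r"^LOG: (?P<time>\w{3} +\d+ [\d:]+) (?P<category>\w+): (?P<body>.*)$")

def parse(line):
    """Split one captured 'LOG:' line into a dict of its key=value fields."""
    m = HEADER.match(line.strip())
    if m is None:
        return None  # not a log message (e.g. "Logging on" or a prompt line)
    fields = dict(tok.split("=", 1) for tok in m["body"].split() if "=" in tok)
    fields["_time"], fields["_category"] = m["time"], m["category"]
    return fields

def matches(line, text=None, regexp=None, **field_eq):
    """True only if every given criterion holds (logical AND)."""
    fields = parse(line)
    if fields is None:
        return False
    # Assumption of this example: an event that lacks a requested field does not match.
    if any(fields.get(name) != value for name, value in field_eq.items()):
        return False
    if text is not None and text not in line:
        return False
    if regexp is not None and re.search(regexp, line) is None:
        return False
    return True

def select(lines, limit=None, **criteria):
    """Return matching lines, keeping at most `limit` of them."""
    hits = [ln for ln in lines if matches(ln, **criteria)]
    return hits if limit is None else hits[:limit]

if __name__ == "__main__":
    for hit in select(SAMPLE, id="00600001", iface="if2"):
        print(hit)
```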