3.10 Logging Service
PacketiX VPN Server 2.0 automatically writes its operational status and
the packets flowing over Virtual HUBs to log files. This provides a
simple and reliable way to confirm proper operation, trace problems, and
discover unauthorized access and policy breaches at a later date. This
section explains the logging service integrated into PacketiX VPN
Server 2.0.
3.10.1 Log Save Format & Save Cycle
Types of Logs Saved
The VPN Server automatically writes the Server Log as the log for the
entire VPN Server.
In addition, each Virtual HUB writes a security log recording important
operating conditions relating to the hub's administration and VPN
connection records, and a packet log for the packet types pre-designated
by the Virtual HUB Administrator.
Every log file is a text file in which each entry is written on one
line. When multibyte characters such as hiragana and Chinese characters
are used in a log file, the encoding method is unified as UTF-8.
Log File Save Location & Format
The three subdirectories server_log, security_log and packet_log are
created in the directory containing the vpnserver process (or vpnbridge
process in the case of the VPN Bridge) executable files, and the server
log, security log and packet log are written to them respectively. For
the security log and packet log, a further subdirectory named after each
Virtual HUB is created, and that Virtual HUB's logs are written to it.
Log File Switch Cycle
Virtual HUB Administrators can set the log file switch cycle of
security logs and packet logs. New file names are generated according to
this switch cycle. The switch cycles that can be set and the file names
they produce are as follows. Note that the log for the entire VPN Server
is always switched and saved on a daily cycle.
| Switch Cycle | Naming convention for file name date portion (Example: 1:45:10 (pm), 7 December 2005) |
|---|---|
| No Switching | None (perpetually add records to same file) |
| Every second | 20051207_014510 |
| Every minute | 20051207_0145 |
| Every hour | 20051207_01 |
| Every day | 20051207 |
| Every month | 200512 |
Changing the Virtual HUB Log File Settings
The Virtual HUB Administrator can set the switch cycles of the
Virtual HUB's security log and packet log by clicking on [Log save
settings] in the VPN Server Manager. When not wishing to save a log
file, deselecting the relevant checkbox prevents any log file from being
saved for that type of log. It is also possible to select in detail
which types of packet logs should be saved.
By default, all Virtual HUB logs are set to a one-day switch cycle.
In the vpncmd utility, use the [LogEnable], [LogDisable],
[LogSwitchSet] and [LogPacketSaveType] commands.

Fig. 3-10-1 Log save settings window
Measures for Log Files Exceeding 2Gbytes
Each log file grows according to the log contents and volume. When a log
file exceeds 2 Gbytes (or 2,147,483,648 bytes to be precise), it is
automatically divided and saved approximately every 2 Gbytes. The first
file keeps the original file name while the second and subsequent files
are sequentially named "~01", "~02" and so on.
3.10.2 Server Log
The server log is saved under the [server_log] directory.
The entire VPN Server operating log is saved in the server log, which
saves detailed operating records including event records upon the launch
& termination of the VPN Server and when & what type of connections were
received. Therefore, subsequent analysis of this log enables the tracing
of unauthorized access and the cause of problems.
In addition, copies of each of the Virtual HUBs' security logs are
saved together in the server log so that even if a Virtual HUB
Administrator sets the security log not to be saved, it is always saved
automatically in the server log. Accordingly, even when the Virtual HUB
Administrator does not save the Virtual HUB logs or deletes them, their
contents can still be accessed from the VPN Server's server log.
3.10.3 Virtual HUB Security Log
The Virtual HUB security log is saved under the
[security_log/Virtual HUB name] directory. The security log records
information on sessions which connected to the Virtual HUB, records
within the Virtual HUB (address table and database updates etc.) and
records relating to Virtual HUB administration (user creation etc.).
3.10.4 Virtual HUB Packet Log
The Virtual HUB packet log is saved under the [packet_log/Virtual
HUB name] directory. The packet log can save all of the headers of
packets flowing within the Virtual HUB or their entire payloads.
However, saving all types of packet logs generates a massive amount of
log file data. That is why the Virtual HUB Administrator is able to
select which types of packets to register in the packet log. The types
of packets which can be selected in the [Log save settings] window and
their contents are as follows.
| Packet Type | Packets saved when this type is selected |
|---|---|
| TCP Connection Log | Those TCP/IP protocol packets in which a TCP/IP connection between a client and user is established or disconnected. |
| TCP Packet Log | All TCP/IP protocol packets. |
| DHCP Packet Log | Those UDP/IP protocol packets which are control data for DHCP protocol. |
| UDP Packet Log | All UDP/IP protocol packets. |
| ICMP Packet Log | All ICMP protocol packets. |
| IP Packet Log | All IP protocol packets. |
| ARP Packet Log | All ARP protocol packets. |
| Ethernet Packet Log | All packets. |
When set to save packet logs, the Virtual HUB saves the packet log
types pre-designated by the Virtual HUB Administrator from among all
virtual Ethernet frames flowing within the Virtual HUB. Each Ethernet
frame is analyzed up to the highest possible layer, from layer 2 to
layer 7, by the VPN Server's internal high-level packet analysis engine,
and important header information is saved as a packet log.
In addition, the Virtual HUB Administrator can write not only the
header information but also the entire contents of the packet (bit
sequence) to the packet log in hexadecimal format. In this case, note
that it is necessary to have disk capacity in proportion to the total
size of the packets actually transmitted.
By default, only the packet header information of two packet types,
namely the TCP connection log and DHCP packet log, is saved. While this
setting is sufficient for many environments, change the settings as
required to save more detailed packet information. Please note that
saving all packet logs is not practical in view of today's broadened
communication lines.
3.10.6 Obtaining Log Files on a Remote Administration Terminal
The log files written by the VPN Server and Virtual HUBs are saved on
the physical computer disk on which the VPN Server is running. However,
reading and downloading of the files written to the physical disk is
typically limited to that computer's Administrators and users capable of
local log in.
Because the VPN Server and Virtual HUB Administrators may not be the
System Administrators of the computer running the VPN Server, the
PacketiX VPN Server provides a mechanism which allows log files to be
read remotely without having to log in locally. This is known as the
remote log read function.
The remote log read function is very easy to use. Clicking on the
[Log File List] button when using the VPN Server Manager displays a list
of the log files which can be read with the current authority, along
with their file size and time of last update. Any log file can be
selected from this list and downloaded to an administration terminal.
Because the log file is transferred over the administration connection's
TCP/IP connection, the data is automatically SSL encrypted to ensure
safety.
The [LogGet] command can be used in the vpncmd utility.
The VPN Server Administrator can remotely obtain the VPN Server's
server log, and the security logs and server logs of all Virtual HUBs.
Virtual HUB Administrators can only remotely obtain the security log and
server log of the Virtual HUB for which they have authority, and cannot
remotely acquire any other log files.
When connected to a cluster controller in a clustering environment, it
is possible to collectively enumerate and designate the log files of all
cluster member servers including the cluster controller, and download
these files.

Fig. 3-10-2 Log file list display window
3.10.17 Syslog Transmission function
As explained in "3.3.17 Syslog Transmission Function", enabling the
Syslog Transmission function prevents log data sent by the syslog
protocol from being saved to the local hard disk.