Firewall Analyzer archives the logs received from each device, and zips them in regular intervals. The Archived Files page files that have been archived for each device, along with options to load the file to search, and delete the file.
Encrypting Archived Log files
Firewall Analyzer encrypts the log archive files to ensure the log data is secured for future forensic analysis and internal audits. Encryption makes the log data unreadable for human. It can be only decrypted by the Firewall Analyzer application.
The time stamping technique ensures that the archive data files are tamper proof. If there is a modification of file, this technique will reveal that the file has been tampered.
The Archived Files page lists the files that have been zipped for each device, along with the archived time, file size, and archiving status.
The list contains the following columns:
|Device||The name of the device for which the log file is archived.|
|Start Time||The starting time of the log file archiving process.|
|Archived Time||The completion time of the log file archiving process.|
|File Size||The file size of the archived logs.|
|Status||You can view the log file archiving status in this column. The status values are: All, Loaded, Loading, Not Loaded, Verified and Tampered. The appropriate status value will be displayed, denoting the file archiving status. While loading Archived Files, if the archived file is tampered, it will not be loaded and marked as Tampered. If it is not tampered, it will be marked as Verified.|
You can carry out the following actions on the archived log files. The Actions are: Load to Search and Report. The Actions are discussed below.
To load an archived file for search, click the Load to Search link against the device for which you need to see archived data. Once the file is fully loaded, you can search for data in the archives, and view specific information.
If you click Load to Search link, the Raw Log Search screen pops up. In the screen, on top you will find Device Name : <>, Defined Criteria : -, Searched From : Traffic Logs
You will find Edit Search Criteria link to edit and modify the search criteria.
On clicking the link, you will find Device Name pix501(non-editable), Search Time
From: <> To: <>. Next there will be two tabs:
Search Traffic Logs and Search Security Logs. Choose one of the tabs as required. Define the search criteria in the Define Criteria
section using the options Match all of the following, Match any of the following, select criteria and logical operator from the from the list and enter the value in the text box. Use Add Criteria and Remove Criteria links to add more than one criterion. The search criteria for Security logs are: Protocol, Source, Destination, User, Virus, Attack, Severity, URL, Status, Rule, VPN, Duration, Message. The search criteria for Traffic logs are: Protocol, Source, Destination, User, Sent (in Bytes), Received (in Bytes), Rule, VPN.
Then, you can view the raw logs Search Result Between [ YYYY-MM-DD HH:MM:SS to YYYY-MM-DD HH:MM:SS ]. You can click View All Security Logs link to view all the security logs.
Below that, you will find Formatted Logs, Raw Logs tabs. You can choose the tabs to view either formatted logs or raw logs. Click Configure Columns to select the columns to be displayed for the formatted logs The columns are: All Columns, Device, Host, User, Protocol, Destination, Date/Time, Virus/Attack, VPN, Severity, Rule Number/ID, Status, URL, Duration, Description, StartTime. You can export the search result as report in PDF or CSV format using Export as: PDF, CSV link.
Below that, the number of lines of logs displayed are indicated in the Showing : _ to _ of total _ logs field. The number lines displayed per page is indicated in the View per page : 5  20 25 50 75 100 250 500 field. Default value is 10. The default columns displayed are: Host, Protocol, Destination, Date/Time, Status, Severity, and Description. You can add or remove columns using Configure Columns icon given above.
Click the icon against an archived file to delete it.
|Once deleted, the archived data cannot be retrieved.|
Once the archive is fully loaded, click the Report link to search for specific data in the archive. In the popup window that opens, enter the criteria for the data, such as the firewall, user name, protocol, etc. You can enter a maximum of three criteria.
Choose the time interval for which you want to see the data that meets all the criteria. Click Generate Report to view the records that match the criteria that you have specified.
Click the Archive Settings link to change the archiving intervals or to disable archiving. In the File Archive Settings popup window, uncheck the Enable Raw Logs Archiving check box to disable file archiving.
Log files are archived at specific interval configured in this screen.
The archiving options available are described below:
|File Creation Interval||12 hours||The time interval after which a log file is created for each host from which event logs are collected.|
|Zip Compression Interval||24 hours||The time interval after which log files created for each host are zipped to save disk space.|
|Start Initial Compression at||_ Hrs _ Mins||The time at which log files created for each host are zipped for the first time to save disk space.|
|Retain logs for||Forever||You can retain the archive log data as per the compliance audit requirement or internal audit policy requirement. The options available are: Forever, 1 Year, 6 Months, 3 Months, 1 Month and 1 Week. Select the option that suits your requirement.|
|Archive File Encryption||Disable||Firewall Analyzer comes with a feature to encrypt the archive data. To enable encryption of archive data, select the Enable radio button and to disable, select Disable radio button.|
|Time Stamping||Disable||Firewall Analyzer comes with a feature to timestamp the archive data. To enable time stamping of archive data, select the Enable radio button and to disable, select Disable radio button.|
|Change Raw Logs Archive Location||<Firewall Analyzer Home>\server\default\archive directory||
By default the Archive Location for the event logs and syslogs in Firewall Analyzer is <Firewall Analyzer Home>\server\default\archive directory, you can change this location by clicking the Edit link and providing the location as per your requirement.
|Change Raw Logs Indexing Location||<Firewall Analyzer Home>\server\default\indexes directory||
By default the Index Location for the event logs and syslogs in Firewall Analyzer is <Firewall Analyzer Home>\server\default\indexes directory, you can change this location by clicking the Edit link and providing the location as per your requirement.
You can create instant zip file of the existing log files waiting to be archived. Click Zip Now to create a zipped file with the currently available log files.
Click Save to save the archiving options, if you have changed them. Click Close to close the Archive Settings box.
Note: The currently active log files (i.e., logs not yet archived) will be stored in the <Firewall Analyzer Home>\server\default\archive\localhost\hot directory. The archived log files (i.e., logs archived as according to the archive settings) will be stored in the <Firewall Analyzer Home>\server\default\archive\localhost\cold directory. The archived log files loaded into database for analysis will be stored in the Warm directory. The log files will be stored in the <Firewall Analyzer Home>\server\default\archive\localhost\warm directory for 1 day and after that the log files will be purged.