SonicOS 7.1 Device Log
- SonicOS 7.1
- About SonicOS
- About Device
- Settings
- Syslog
- Automation
- Name Resolution
- Reports
- AWS
- SonicWall Support
Configuring Event Attributes Globally
For information about configuring event attributes selectively, see Configuring Event Attributes Selectively.
Clicking the Edit All Category Attributes icon above the table launches the Edit Attributes of All Categories dialog. This dialog enables you to set the attributes for all events in all categories and groups at once.
These global attributes can be modified:
- Event Priority
- Inclusion of events in Log Monitor, Email, and Syslog
- Frequency Filter Interval
- Email settings
- Font color when displayed in Log Monitor
One practical use of this global setting is to force ALL events to use the same Syslog Server Profile (GMS uses Profile 0 only), send Log Digest to the same E-mail Address, and send Alerts to the same E-mail Address.
To edit the Category attributes globally:
- Navigate to the Device > Logs > Settings page.
- Click the Edit All Category Attributes icon. The Edit Attributes of All Categories pop-up dialog appears.
Enable is solid green when all categories, groups, and/or events are enabled, white when all are disabled, and semi-solid when they are mixed (some enabled, some disabled).
As this configuration is for all categories, you have to explicitly set the option to “all enabled” by clicking the icon until it is solid green, or to set the option to “all disabled” by clicking the icon until it is white. To configure a single event to be different from the rest of its group or category, you must go into the individual event setting configuration. If you do this, the icon is semi-solid.
When the fields display Multiple Values, different values have been specified for one or more category, group, or event. To view the individual settings, refer to Configuring Event Attributes Selectively. To change the setting from Multiple Values into one value for all categories, groups, or events while in the Edit Attributes of All Categories dialog, verify that the option was enabled so the field can be accessed for entering the new value. If the option is disabled, the field is dimmed and inaccessible.
The changes are saved and overwrite individual settings. Normally, production environments would not set all Categories/Groups/Events to have exactly the same settings. Before doing this, be sure to save your current configuration using the Save Template option, so that the previous settings can be restored if a mistake is made by using Import Template > Custom. Also, factory default settings can be restored using Import Template > Default.
- From the Event Priority drop-down menu, select the priority that you want.
Changing the Event Priority globally uses the same value for all Events. Modifying the Event Priority affects the Syslog output for the tag “pri=” as well as how the event is treated when performing filtering by Logging Level or Alert Level. Setting the Event Priority to a level that is lower than the Logging Level causes those events to be filtered out. Also, as GMS ignores received Syslogs that have a level of Debug, heartbeat messages and reporting messages must have a minimum Event Priority of Inform.
The following Frequency Filter Interval fields enable you to specify how many events of the same Event ID to log per time interval. Note that having the same Event ID does not mean that the event is a duplicate because the message itself might contain different information such as source/destination IP addresses, and so on. The filtering is done based on Event ID only. The range for these intervals is 0 to 86400 seconds.
The different options are independent of each other, and you can enable any combination of them and set different frequencies of generation for them. For example, you might want an event message emailed to you, but it is not shown in the Monitor > Logs > System Logs page. When GMS is enabled, however, care must be taken when modifying event attributes so events used to generate reports are not incorrectly filtered out. Explicit modification of individual events are saved even if used for GMS. Before making any changes, save current Log settings using Save Template. This way, should a mistake be made, the previous settings can be restored using Import Template > Custom. As a last resort, the GMS settings can be restored using Import Template > Analyzer/Viewpoint/GMS.
- If you want to display the log events in the Monitor > Logs > System Logs page, select the Enable icon for the Display Events in Log Monitor option.
- In the Frequency Filter Interval field for Display Events in Log Monitor, enter the number of seconds that should elapse before allowing the same event to be logged and displayed again when that event occurs one after the other. The range is 0 to 86400.
For example, if you set this value to 60 seconds, then when the event Connection Closed first happens at 1:15 p.m., the next Connection Closed event to be displayed must occur at least 60 seconds after the first one. Any Connection Closed event occurring within the 60 seconds interval is not displayed.
- In the Frequency Filter Interval field for Display Events in Log Monitor, enter the number of seconds that should elapse before allowing the same event to be logged and displayed again when that event occurs one after the other. The range is 0 to 86400.
- If you want to send events as E-mail Alerts, select the Enable icon for the Send Events as E-mail Alerts option.
- In the Frequency Filter Interval field for Send Events as E-mail Alerts, enter the number of seconds that should elapse before allowing the same email event to be sent when that event occurs one after the other. The range is 0 to 86400.
For example, if you set this value to 60 seconds, then when an E-mail Alerts first happens at 1:15 p.m., the next E-mail Alerts for the same event is not sent until 60 seconds after the first one. Alerts for the same event occurring within the 60 seconds interval are not emailed.
- In the Frequency Filter Interval field for Send Events as E-mail Alerts, enter the number of seconds that should elapse before allowing the same email event to be sent when that event occurs one after the other. The range is 0 to 86400.
- If you want to report events through Syslog, select the Enable icon for the Report Events via Syslog option.
- In the Frequency Filter Interval field for Report Events via Syslog, enter the number of seconds that should elapse before allowing the same Syslog messages to be sent when that event occurs one after the other. The range is 0 to 86400.
For example, if you set this value to 60 seconds, then when a Syslog message is first reported at 1:15 p.m., the next Syslog message for the same event is not sent until 60 seconds after the first one. Syslog messages for the same event occurring within the 60-second interval are not sent.
- In the Frequency Filter Interval field for Report Events via Syslog, enter the number of seconds that should elapse before allowing the same Syslog messages to be sent when that event occurs one after the other. The range is 0 to 86400.
- To send the Syslogs to a particular Syslog server group, enter the group’s ID in the Use this Syslog Server Profile field. The default is 0.
- If you want to report events through IPFIX, select the Enable icon for the Report Events via IPFIX option.
- In the Frequency Filter Interval field for Report Events via IPFIX, enter the number of seconds that should elapse before allowing the same events to be reported through IPFIX when events occur one after the other. The range is 0 to 86400.
For example, if you set this value to 60 seconds, then when an event reported through IPFIX first happens at 1:15 p.m., the next report for the same event is not sent until 60 seconds after the first one. Reports to IPFIX for the same event occurring within the 60 seconds interval are not sent.
- In the Frequency Filter Interval field for Report Events via IPFIX, enter the number of seconds that should elapse before allowing the same events to be reported through IPFIX when events occur one after the other. The range is 0 to 86400.
- If you want to include the events in the Log Digest, select the Enable icon for the Include Events in Log Digest option. The Log Digest is a chronological collation of events.
- If you enabled Include Events in Log Digest, do one of the following for Send Log Digest to E-mail Address:
- If you want to use the same email address that is entered in the Log > Automation page even when you change other values in this dialog, select Leave Unchanged. This option is enabled by default.
If this option is enabled, it is important to verify the email address configured in the Send Log Digest to Email Address field is correct.
- To change the email address, clear the Leave unchanged option and enter a new address in the now-active field.
An email alert is one email sent for each event occurrence as soon as that event has occurred. A Log Digest, on the other hand, is a chronological collation of events sent as a single email in digest format. Because it is a summation of events, the event information time period is a mix of older and newer events.
- If you want to use the same email address that is entered in the Log > Automation page even when you change other values in this dialog, select Leave Unchanged. This option is enabled by default.
- If you want to receive alerts through email based on the global settings in this dialog, do one of the following for Send Alerts to E-mail Address:
- If you want to use the same email address that is entered in the Log > Automation page even when you change other values in this dialog, select Leave color settings unchanged. This option is enabled by default.
- To change the email address, clear the Leave color settings unchanged option and enter a new address in the now-active field.
- Click Save.
Was This Article Helpful?
Help us to improve our support portal