Configuring Logging, Alerts, and Event Notifications. Netgear STM600 - ProSecure Web And Email Threat Management Appliance, STM300 - ProSecure Web And Email Threat Management Appliance, STM150 - ProSecure Web And Email Threat Management Appliance

Chapter 6. Monitoring System Access and Performance

This chapter describes the system monitoring features of the STM. You can be alerted to important events such as attacks and login failures. You can also view the system status and real-time traffic and security information. In addition, the diagnostics utilities are described.

Note: All email notification functions that are part of the Logs, Reports, and Alerts menus, and some of the functions that are part of the Diagnostics configuration menu, require that you configure the email notification server (see Configuring the Email Notification Server on page 176).

This chapter contains the following sections:

Configuring Logging, Alerts, and Event Notifications on this page

Monitoring Real-Time Traffic, Security, Statistics, and Web Usage on page 184

Viewing System Status on page 192

Querying Logs on page 194

Viewing, Scheduling, and Generating Reports on page 200

Viewing and Managing the Quarantine Files on page 208

Using Diagnostics Utilities on page 215

Configuring Logging, Alerts, and Event Notifications

You can configure the STM to email logs and alerts to a specified email address. For example, the STM can email security-related events such as malware incidents, infected clients, and failed authentications. By default, the STM logs content filtering events such as attempts to access blocked sites and URLs, unwanted email content, spam attempts, and many other types of events.

For you to receive the logs in an email message, the STM’s notification server needs to be configured and email notification needs to be enabled. If the notification server is not configured or email notification is disabled, you can still query the logs and generate log reports to view on the Web Management Interface or to save in CSV format.

Chapter 6. Monitoring System Access and Performance | 175

ProSecure Web/Email Security Threat Management (STM) Appliance

For more information about logs, see Querying Logs on page 194.

Configuring the Email Notification Server

If you have used the Setup Wizard, you might have already configured the email notification server; the Email Notification Server screen allows you to modify these settings.

The STM can automatically send information such as notifications and reports to an administrator. You need to configure the necessary information for sending email, such as the administrator’s email address, the email server, user name, and password.

To configure the email notification server:

1. Select Global Settings > Email Notification Server from the menu. The Email Notification Server screen displays. (The following figure contains some examples.)

Figure 101. Email Notification Server screen

2. Complete the fields, select the radio button and check boxes, and make your selections from the drop-down lists as explained in the following table:

Table 50. Email Notification Settings

Show as Mail Sender: A descriptive name of the sender for email identification purposes. For example, enter [email protected].

Send Notifications to: The email address to which the notifications should be sent. Typically, this is the email address of a user with administrative privileges.

SMTP server: The IP address and port number or Internet name and port number of your ISP's outgoing email SMTP server. The default port number is 25.
  Note: If you leave this field blank, the STM cannot send email notifications.

Mail Server Requires Authentication: If the SMTP server requires authentication, select the Mail Server Requires Authentication check box and enter the following settings:
  User Name. The user name for SMTP server authentication.
  Password. The password for SMTP server authentication.

3. Click Apply to save your settings.
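Before relying on the STM to deliver alerts, it is worth confirming that the values entered in Table 50 (server and port, user name, password) actually reach the SMTP server. The following script is an added example, not from the manual and not Netgear's code: run from an administrator's workstation, it parses the same "host" or "host:port" form that the SMTP server field accepts, applies the default port of 25, and sends one test message through the server. The function names are assumptions, as is the STARTTLS step: the STM settings table documents no TLS option, so the script only upgrades the connection when the server advertises it.

```python
import smtplib
import ssl
from email.message import EmailMessage

DEFAULT_SMTP_PORT = 25  # default port number of the STM's SMTP server field


def parse_smtp_server(value):
    """Split the SMTP server field ("host" or "host:port") into (host, port).

    Only IPv4 addresses and host names are handled, matching what the field
    documents; an IPv6 literal would need a different split.
    """
    value = value.strip()
    if not value:
        raise ValueError("SMTP server field is empty; the STM cannot send notifications")
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, DEFAULT_SMTP_PORT
    if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid SMTP server field: {value!r}")
    return host, int(port)


def is_valid_smtp_server(value):
    """Boolean wrapper around parse_smtp_server for quick form validation."""
    try:
        parse_smtp_server(value)
        return True
    except ValueError:
        return False


def build_test_message(sender, recipient):
    """Construct the test notification (constructed content, not an STM message)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "STM notification path test"
    msg.set_content(
        "Constructed test message: if this arrives, the SMTP settings entered "
        "on the STM work from this host."
    )
    return msg


def send_test_notification(server_field, sender, recipient, username=None, password=None, timeout=10):
    """Send one message using the same settings the STM would use; returns (host, port)."""
    host, port = parse_smtp_server(server_field)
    msg = build_test_message(sender, recipient)
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        # Assumption: opportunistic STARTTLS; not a documented STM setting.
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()
        # Mirrors the "Mail Server Requires Authentication" check box.
        if username is not None:
            smtp.login(username, password)
        smtp.send_message(msg)
    return host, port


if __name__ == "__main__":
    import getpass
    import sys
    if len(sys.argv) < 4:
        sys.exit("usage: smtp_check.py SERVER[:PORT] SENDER RECIPIENT [USERNAME]")
    user = sys.argv[4] if len(sys.argv) > 4 else None
    pw = getpass.getpass("SMTP password: ") if user else None
    print("sent via %s:%d" % send_test_notification(sys.argv[1], sys.argv[2], sys.argv[3], user, pw))
```

A message that arrives from the workstation but not from the STM points at the appliance's own path (blank SMTP server field, wrong credentials, or a firewall rule between the STM and the mail server) rather than at the mail server itself.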

Configuring and Activating System, Email, and Syslog Logs

You can configure the STM to log system events such as a change of time by an NTP server, secure login attempts, restarts, and other events. You can also send logs to the administrator or schedule logs to be sent to the administrator or to a syslog server on the network. In addition, the Log Management screen provides the option to selectively clear logs. Because this large screen has three sections, each with its own Apply button, this screen is presented in this manual in three figures (the following figure, Figure 103 on page 180, and Figure 104 on page 182).

Emailing Logs

To enable and configure logs to be sent to an email address:

1. Select Monitoring > Logs from the menu. The Logs submenu tabs display, with the Log Management screen in view (see the following figure, Figure 103 on page 180, and Figure 104 on page 182).

2. Locate the Email Logs to Administrator section on the screen. Select the Enable check box to enable the STM to send logs to an email address.


Figure 102. Log Management, screen 1 of 3

3. Complete the fields, select the radio button and check boxes, and make your selections from the drop-down lists as explained in the following table:

Table 51. Email Logs Settings

Send to: The email address of the recipient of the log file. This is normally a user with administrative privileges. You can enter up to three email addresses, separated by commas. Click Send Now to immediately send the logs that you first need to have specified (see Select Logs to Send later in this table).
  Note: To limit the size of the email, the STM does not send the actual logs to the specified email address but an email that contains links to the actual logs. These links remain active for a period of 10 days, after which the logs are no longer available.

Frequency: Select a radio button to specify how often the log file is sent:
  When the space is full. Logs are sent when the storage space that is assigned to the logs is full.
  Daily. Logs are sent daily at the time that you specify from the drop-down lists (hours and minutes).
  Weekly. Logs are sent weekly at the day and time that you specify from the drop-down lists (weekday, hours, and minutes).

Select Logs to Send: Select the check boxes to specify which logs are sent via email:
  System logs. The system event logs that include all system errors, informational messages, configuration changes, and system software updates.
  Email traffic logs. All scanned incoming and outgoing email traffic.
  Web traffic logs. All scanned incoming and outgoing Web traffic.
  Malware logs. All intercepted viruses and spyware.
  Spam logs. All intercepted spam, including spam that was detected through the blacklist, real-time blacklist, and distributed spam analysis.
  Email filter logs. All emails that are intercepted because of keyword, file type, file name, password, or size limit violations.
  Content filter logs. All websites, URLs, and FTP sites that are intercepted because of Web category, blacklist, file type, or size limit violations.
  Application logs. All intercepted application access violations.
  For the system logs, select the types of system logs that are sent via email:
  error. All system errors.
  info. All informational messages.
  conf. All configuration changes.
  update. All system software updates.

Format: Select a radio button to specify the format in which the log file is sent:
  Plain text. The log file is sent as a plain text file.
  CSV. The log file is sent as a comma-separated values (CSV) file.
  Select the Zip the logs to save space check box to enable the STM to compress the log file.

Size: Select the Split logs size to check box to break up the log file into smaller files, and specify the maximum size of each file in MB. The default setting is 20 MB.

4. Click Apply to save your settings.

Sending Logs to a Syslog Server

To enable and configure logs to be sent to a syslog server:

1. Select Monitoring > Logs from the menu. The Logs submenu tabs display, with the Log Management screen in view (see Figure 102 on page 178).

2. Locate the Send Logs via Syslog section on the screen (see the following figure), and select the Enable check box to enable the STM to send logs to a syslog server.


Figure 103. Log Management, screen 2 of 3

3. Complete the fields, select the check boxes, and make your selections from the drop-down lists as explained in the following table:

Table 52. Syslog Settings

IP Address: The IP address of the syslog server.

Port: The port number that the syslog server uses to receive logs. The default port number is 514.

Logs: Select the check boxes to specify which logs are sent to the syslog server:
  System logs. The system event logs that include all system errors, informational messages, configuration changes, and system software updates.
  Email traffic logs. All scanned incoming and outgoing email traffic.
  Web traffic logs. All scanned incoming and outgoing Web traffic.
  Malware logs. All intercepted viruses and spyware.
  Spam logs. All intercepted spam, including spam that was detected through the blacklist, real-time blacklist, and distributed spam analysis.
  Email filter logs. All emails that are intercepted because of keyword, file type, file name, password, or size limit violations.
  Content filter logs. All websites, URLs, and FTP sites that are intercepted because of Web category, blacklist, file type, or size limit violations.
  Application logs. All intercepted application access violations.

Facility: The facility indicates from which internal part of the STM the log message originates. For each log that you have selected to be sent to the syslog server (see earlier in this table), select one of the following facilities from the drop-down list:
  auth. Security and authorization log messages.
  authpriv. Security and authorization log messages for sensitive information.
  cron. Clock daemon log messages.
  daemon. Other daemon log messages.
  ftp. FTP log messages.
  kern. Kernel log messages.
  local0 through local7. Locally defined log messages (1 through 7).
  lpr. Line printer subsystem log messages.
  mail. Mail subsystem log messages.
  news. Usenet news subsystem log messages.
  syslog. Log messages that are generated internally by the syslog server (syslogd).
  user. Generic user-level log messages.
  uucp. Unix-Unix copy (UUCP) subsystem log messages.

Priority: For each log that you have selected to be sent to the syslog server (see earlier in this table), select one of the following severities from the drop-down list:
  emerg. The STM is unusable.
  alert. An action needs to be taken immediately.
  crit. There are critical conditions.
  err. There are error conditions.
  warning. There are warning conditions.
  notice. There are normal but significant conditions.
  info. Informational messages.
  debug. Debug-level messages.
  Note: All the logs with a severity that is equal to or above the severity that you specify are logged on the specified syslog server. For example, if you select crit as the severity, then the logs with the severities crit, alert, and emerg are logged.

4. Click Apply to save your settings.
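The Facility and Priority values in Table 52 are not labels of the STM's own invention: they are the standard syslog facility and severity codes, and the receiving server sees them combined into the numeric <PRI> prefix of each message (facility times 8 plus severity). The following added example, which is not from the manual or from Netgear, shows that encoding, decodes it back on the collector side, and applies the threshold rule from the Note (crit admits crit, alert and emerg) to a few constructed syslog lines. The sample lines and the mapping of the malware log to facility local0 are constructed for illustration, and the function names are assumptions.

```python
import re

# Facility and severity codes from RFC 3164 / RFC 5424. The names are the
# same ones that appear in the STM's Facility and Priority drop-down lists.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_BY_CODE = {code: name for name, code in FACILITIES.items()}
SEVERITY_BY_CODE = {code: name for name, code in SEVERITIES.items()}


def encode_pri(facility, severity):
    """PRI value the sender writes in the <PRI> prefix: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri):
    """Split a PRI value back into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITY_BY_CODE[pri // 8], SEVERITY_BY_CODE[pri % 8]


def at_or_above(severity, threshold):
    """True when `severity` is at least as severe as `threshold`.

    Lower codes are more severe, so a threshold of crit (2) admits
    crit, alert (1) and emerg (0), exactly as the Note in Table 52 states.
    """
    return SEVERITIES[severity] <= SEVERITIES[threshold]


PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog_line(line):
    """Parse the <PRI> prefix of an RFC 3164-style line into a dict."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"missing <PRI> prefix: {line!r}")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "message": m.group(2).strip()}


# Constructed sample lines, shaped like what a collector would receive if the
# STM's malware log were sent with facility local0. The message text is made up.
SAMPLE_LINES = [
    "<130>Apr  2 09:02:50 stm150 malware: virus intercepted from 192.0.2.10",   # local0.crit
    "<131>Apr  2 09:03:01 stm150 malware: scan engine error on file",          # local0.err
    "<128>Apr  2 09:03:15 stm150 malware: scanner unusable",                   # local0.emerg
    "<38>Apr  2 09:03:20 stm150 login: admin logged in from 192.0.2.5",        # auth.info
]


def select_at_or_above(lines, threshold):
    """Keep only the lines whose severity is at or above `threshold`,
    mirroring what the STM forwards when that Priority is selected."""
    parsed = [parse_syslog_line(line) for line in lines]
    return [p for p in parsed if at_or_above(p["severity"], threshold)]


if __name__ == "__main__":
    print("local0.crit encodes as PRI", encode_pri("local0", "crit"))
    for entry in select_at_or_above(SAMPLE_LINES, "crit"):
        print(entry["facility"], entry["severity"], entry["message"])
```

Choosing a distinct local facility per STM log (for example local0 for malware, local1 for spam) lets the collector route each log to its own file or index without inspecting the message text; the Priority chosen per log then sets the lowest severity the STM forwards.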


Clearing Logs

To clear logs:

1. Select Monitoring > Logs from the menu. The Logs submenu tabs display, with the Log Management screen in view (see Figure 102 on page 178). Locate the Clear the Following Log Information section at the bottom of the screen:

Figure 104. Log Management, screen 3 of 3

2. Select one or more check boxes to specify which logs are cleared:

System. The system event logs are cleared.

Email traffic. The logs with scanned incoming and outgoing email traffic are cleared.

Web traffic. The logs with scanned incoming and outgoing Web traffic are cleared.

Malware. The logs with intercepted viruses and spyware are cleared.

Spam. The logs with intercepted spam are cleared.

Email filter. The logs with intercepted emails are cleared.

Content filter. The logs with intercepted websites, URLs, and FTP sites are cleared.

Application. The logs with intercepted applications are cleared.

3. Click Clear Log Information.

Configuring Alerts

You can configure the STM to send an email alert when a failure, license expiration, or malware attack or outbreak occurs. Four types of alerts are supported:

Update Failure Alert. Sent when an attempt to update any component such as a pattern file or scan engine firmware fails.

License Expiration Alerts. Sent when a license is about to expire and then again when a license has expired.

Malware Alert. Sent when the STM detects malware threats.

Malware Outbreak Alert. Sent when the malware outbreak criteria that you have configured are reached or exceeded. Outbreak criteria are based on the number of malware threats detected within a specified period of time.
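The outbreak criteria described above (a number of malware detections within a period of time) are a sliding-window count, and replaying the STM's malware log through the same rule is a quick way to pick a threshold that catches a real burst without paging on every isolated detection. The following added example is not from the manual or from Netgear: it reads a constructed CSV excerpt of a malware log (the column layout is an assumption, not the STM's export format), applies a threshold over a window in seconds, and fires once per burst, re-arming only after the count in the window drops below the threshold again. The function names are assumptions.

```python
import csv
from collections import deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed malware-log excerpt: timestamp, protocol, client, threat name.
# Six detections in under four minutes, then a single one an hour later.
SAMPLE_MALWARE_LOG = """\
2013-04-02 09:00:10,SMTP,192.0.2.10,EICAR-Test-File
2013-04-02 09:00:45,HTTP,192.0.2.11,EICAR-Test-File
2013-04-02 09:01:20,HTTP,192.0.2.12,EICAR-Test-File
2013-04-02 09:02:05,POP3,192.0.2.13,EICAR-Test-File
2013-04-02 09:02:50,HTTP,192.0.2.14,EICAR-Test-File
2013-04-02 09:03:30,HTTP,192.0.2.10,EICAR-Test-File
2013-04-02 10:00:00,HTTP,192.0.2.15,EICAR-Test-File
"""


def load_detection_times(text):
    """Return the detection timestamps from a CSV malware log, in file order."""
    return [
        datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S")
        for row in csv.reader(StringIO(text))
        if row
    ]


def detect_outbreaks(times, threshold, window_seconds):
    """Sliding-window outbreak check.

    Fires (timestamp, count) the first time at least `threshold` detections
    fall within `window_seconds`, then stays quiet until the count in the
    window drops below the threshold, so one burst yields one alert rather
    than one alert per additional detection.
    """
    window = timedelta(seconds=window_seconds)
    recent = deque()
    alerts = []
    armed = True
    for ts in sorted(times):
        recent.append(ts)
        # Drop detections that have aged out of the window; `recent` is never
        # empty here because `ts` itself was just appended.
        while ts - recent[0] > window:
            recent.popleft()
        count = len(recent)
        if count >= threshold:
            if armed:
                alerts.append((ts, count))
                armed = False
        else:
            armed = True
    return alerts


if __name__ == "__main__":
    times = load_detection_times(SAMPLE_MALWARE_LOG)
    for when, count in detect_outbreaks(times, threshold=5, window_seconds=600):
        print(f"outbreak: {count} detections within 10 minutes, last at {when}")
```

With a threshold of 5 in 10 minutes the sample burst fires exactly once, at the fifth detection; tightening the window to 60 seconds with a threshold of 3 fires nothing, because no three detections in the sample fall within one minute of each other.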


To configure and activate the email alerts:

1. Select Monitoring > Alerts from the menu. The Alerts screen displays:

Figure 105. Alerts screen

2. Select the check boxes and complete the fields as explained in the following table:

Table 53. Alerts Settings

Enable Update Failure Alerts: Select this check box to enable update failure alerts.

Enable License Expiration Alerts: Select this check box to enable license expiration alerts.

Enable Malware Alerts: Select this check box to enable malware alerts, and configure the Subject and Message fields.
  Subject. Enter the subject line for the email alert. The default text is [Malware alert].
  Message. Enter the content for the email alert. The default text is %VIRUSINFO%, which is the metaword that enables the STM to insert the correct malware threat information.
  Note: In addition to the %VIRUSINFO% metaword, you can insert the following metawords in your customized message: %TIME%, %PROTOCOL%, %FROM%, %TO%, %SUBJECT%, %FILENAME%, %ACTION%, %VIRUSNAME%.
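A customized Message field is only as useful as the metawords it contains: a token the STM does not define arrives in the alert unexpanded. The following added example, which is not from the manual or from Netgear, checks a draft message against the metawords listed in Table 53 before it is entered on the Alerts screen, and renders it against a constructed malware event to preview what the alert would read like. The STM's own expansion rules are not documented here, so the behaviour for undefined tokens (left verbatim) and the layout produced for %VIRUSINFO% are assumptions, as are the function names and the sample event.

```python
import re

# The metawords the manual lists for the malware alert message (Table 53).
SUPPORTED_METAWORDS = {
    "VIRUSINFO", "TIME", "PROTOCOL", "FROM", "TO", "SUBJECT",
    "FILENAME", "ACTION", "VIRUSNAME",
}
DEFAULT_SUBJECT = "[Malware alert]"
DEFAULT_MESSAGE = "%VIRUSINFO%"

# Anything written in metaword form: an upper-case word between two percent signs.
METAWORD_RE = re.compile(r"%([A-Z]+)%")

# Constructed sample event; the field names follow the metawords.
SAMPLE_EVENT = {
    "TIME": "2013-04-02 09:02:50",
    "PROTOCOL": "SMTP",
    "FROM": "sender@example.net",
    "TO": "user@example.com",
    "SUBJECT": "Invoice attached",
    "FILENAME": "invoice.zip",
    "ACTION": "Quarantine",
    "VIRUSNAME": "EICAR-Test-File",
}


def unknown_metawords(template):
    """Tokens in metaword form that Table 53 does not list.

    Running this over a draft Message before clicking Apply catches typos
    such as %VIRUS_NAME% that would otherwise reach the administrator as-is.
    """
    found = {m.group(1) for m in METAWORD_RE.finditer(template)}
    return sorted(found - SUPPORTED_METAWORDS)


def virus_info(event):
    """Summary block standing in for %VIRUSINFO% (assumed layout, one field per line)."""
    order = ("TIME", "PROTOCOL", "FROM", "TO", "SUBJECT", "FILENAME", "VIRUSNAME", "ACTION")
    return "\n".join(f"{name}: {event.get(name, '')}" for name in order)


def render_alert(template, event):
    """Expand the supported metawords from `event`; leave other tokens verbatim."""
    def expand(match):
        name = match.group(1)
        if name == "VIRUSINFO":
            return virus_info(event)
        if name in SUPPORTED_METAWORDS:
            return str(event.get(name, ""))
        return match.group(0)  # assumption: undefined tokens are not expanded
    return METAWORD_RE.sub(expand, template)


if __name__ == "__main__":
    draft = "Blocked %VIRUSNAME% via %PROTOCOL% from %FROM% (host %HOSTNAME%)"
    print("unsupported:", unknown_metawords(draft))
    print(render_alert(DEFAULT_SUBJECT + " " + draft, SAMPLE_EVENT))
```

Keeping %VIRUSINFO% in the message even when adding fields such as %ACTION% to the subject line preserves the full threat details in the body, which is what an analyst needs when the alert is later correlated with the malware log or the quarantine.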
