This article applies to:
- Firewall Suite 4.1c
- Security Reporting Center 2.0b
Question:
How does OPSEC LEA work?
Symptoms:
- Only one record appears in the log file after creating a LEA connection.
Information:
With the release of WebTrends Firewall Suite 4.1c and Security Reporting Center 2.0b, the OPSEC LEA module has been modified so it is easier to configure and administrator while much more reliable.
How does it work?
Once the LEA connection has been created it sends a request to the Check Point firewall to establish a connection. Once the connection is established a log file is created (in the location specified in the LEA connection) and only one record is brought over. After the first record has been created in the log file the connection will wait 50 minutes and will then bring over the log data for the last 50 minutes so that the log file is updated with the latest information. This large lag time allows the software to collect data and accurately report on bandwidth information, as generally bandwidth information is not logged into the log file until the session closes. If the log file is retrieved before the connection terminates, then bandwidth information can be lost.
After the initial 50 minutes have past the log file is updated every five minutes with the latest information. This cycle continues, and at the start of each day a new log file is created.
To represent graphically, your connection would look something like this:
| Minutes: |
0 |
50 |
55 |
60 |
|
| |
-- |
|
|
|
First record is created in the log |
| |
|
-------- |
|
|
Log file updated with last 50 minutes of activity |
| |
|
|
-------- |
|
Log file updated with last 5 minutes of activity |
| |
|
|
|
-------- |
Log file updated with last 5 minutes of activity |
- This article was previously published as:
- NETIQKB33302