Some transactions specified by Logging Policy are not logged


  • Description
    With certain configurations, expected events might not appear in the Logs view section of the Vital Security  Management Console.  This article describes likely reasons why this might happen, and it also provides information on how to configure Vital Security  to display the desired log events.

  • Symptoms
    When viewing the Logs section of the Vital Security Management Console, expected events might not appear.  For example, the "Logging everything except Image files" Logging Policy might be applied, but only Blocked and Coached events appear in the Logs.

  • Cause
    The two most likely reasons why some events might be missing from the logs are:
    • A Log Filter is applied.
    • A condition used in the active Logging Policy is not used in active Security Policies.

  • Solution
    Each cause of missing log entries has its own unique solution.  Below are instructions on how to diagnose and resolve the two most common causes of missing log entries.

    Log Filters

    Log Filters allow an adminstrator to quickly find and review specific transactions. 
    For example, an administrator can show all transactions involving a specific destination website or all transactions that were initiated from a specific client IP. 
    When a Log Filter is activated, it will be applied to all administrators using the Vital Security Management Console. 
    Therefore, it is recommended to clear any Log Filters after reviewing the pertinent log transactions.  Otherwise, another administrator that logs into the console might not realize that a filter is active. 
    If there is a need to regularly re-use a specific Log Filter, that filter can be saved as a predefined View.

    Log Filters are controlled from the Logs section of the Management Console. 
    Prior to Software Version 8.4.0, the button for configuring Log Filters would always be labeled "Filter", regardless of whether or not a Log Filter was active. 
    Starting with Software Version 8.4.0, the button will be labeled "Change Filter" when a filter is applied.  This is depicted below:



    The Filter button, as seen in Software Version 8.4.0 when no filter is applied, (and as seen in previous releases, regardless of whether or not a filter is applied.)



    The Change Filter button, as seen in Software Version 8.4.0 when a filter is applied.

    To disable a Log Filter, click the Filter or Change Filter button (depending on your VSOS version).  
    The Filter dialog box will appear.  Click the Clear Filter button (shown below) followed by the OK button.

    Logging Policy Condition Not Used in Security Policy

    Vital Security records summary details about transactions that match the criteria defined in its active Logging Policy.  Just like a Security Policy, a Logging Policy is comprised of rules, and each rule specifies one or more Conditions. 
    If all of the Conditions in a rule match the current transaction, the event will be recorded according to the rule's Logging Action.

    Logging Policy conditions are derived from the results of a transaction's security scan. 
    When Vital Security  is analyzing a transaction, it applies the security policy's rules sequentially. 
    In order to improve performance and minimize system resource consumption, the appliance stops processing rules once it encounters a rule that matches the current transaction. 
    This means that Conditions that were not evaluated prior to processing the matching rule will not be available for use in the Logging Policy.

    One example of this can be seen when using the "Logging everything except Image files" Logging Policy in conjunction with the "Default Basic Security Policy".  Blocked and Coached transactions will be logged, but others will not.  This is because the "Logging everything except Image files" Logging Policy utilizes a File Extensions condition in order to log unblocked/uncoached events.  However, the "Default Basic Security Policy" does not contain any rules that evaluate file extensions.

    In order to ensure that a Logging Policy is fully effective, it is important to verify that the Logging Policy relies only on Conditions that have been evaluated by the Security Policies.  If it is necessary to build a Logging Policy based on a Condition that is not evaluated by the Security Policies, the Security Policies can be modified so that they scan for the appropriate Condition.  One way to accomplish this is to add a rule that simply evaluates the Condition without actually making Allow, Block, or Coach decisions based on the results of the evaluation.

    This is done by creating a rule where the Result section of the User Response Action is empty.  Simply specify the Condition that should be evaluated, but do not specify an Action.  Such rules are non-terminating (rules below them will still be evaluated, regardless of whether or not the current transaction was matched), so they can be placed anywhere in the policy.  These rules can be identified by their Status icon, which is a large green checkmark.

    Below is a screenshot the illustrates the difference between the Status icons for an actionless rule and an Allow rule.  The Allow rule's icon is a green checkmark inside a green circle.  The actionless rule's icon is simply a large green checkmark without a circle.  Both rules in the screenshot are associated with a URL List condition.


  • VSOS
    8.3.x
    8.4.x
    8.5.0

  • This article applies to:
    NG 1000
    NG 5000
    This article was previously published as:
    Finjan KB 1345

    Last Modified 3/23/2009.
    https://support.trustwave.com/kb/KnowledgebaseArticle13242.aspx