Logging Policy not logging certain traffic


  • Description
    A customized logging policy designed to log certain traffic might still not catch that traffic.

  • Symptoms
    When a customized logging policy is created to log certain traffic, in certain situations, there is no logging of the expected traffic.  

  • Cause
    The logging policy is dependant on the Conditions (based on Finjan Content Processors) used in the Security Policy.
    Like in the Security Policy, the conditions in the Log Policy rules are based on the same Content Processors. 
    If a specific Content Processor, e.g., "Direction", was not used during the inspection of the request then a Log Policy rule using that specific Content Processor will not be triggered.

    For example: you create a Logging Policy to log all FTP traffic, but in the Logs, not all FTP traffic is displayed (see screenshot below).

    This is caused by the fact that the Security Policy did not use the "Protocol" Content Processor to inspect the request/response. Therefore, because this Content Processor was not used, the Log Policy using that same Content Processor was not triggered and this traffic was not logged.


  • Solution
    Make sure you that the conditions you use in your logging policy rules are the same as the conditions used in the security policy rules. .
    If you would like to log everything (not advised in production environments), you could use a logging policy that has two rules as follows:

  • Software Version
    8.3.x
    8.4.x
    8.5.0

  • This article applies to:
    NG 1000
    NG 5000
    NG 8000
    This article was previously published as:
    Finjan KB 1480

    Last Modified 3/23/2009.
    https://support.trustwave.com/kb/KnowledgebaseArticle13339.aspx