Session and packet logging
You can configure the vRouter for the following types of logging:
- Session logging. Configure stateful rules to log session state transitions.
- Per packet logging. Log every packet that matches a network packet filter rule, such as a firewall rule or NAT rule.
When logging is enabled, all log messages can be accessed by using the show dataplane log command.
A stateful firewall rule is created by adding the state enabled keywords to a firewall rule. By design, all NAT rules are stateful rules.
When a flow matches either a stateful firewall rule or a NAT rule, a session is created. The session tracks the state transitions of its IP protocol.
For UDP, ICMP, and all non-TCP flows, a session transitions to four states over the lifetime of the flow. For each transition, you can configure the product to log a message. TCP has a larger number of state transitions, each of which can be logged.
Use the security firewall session-log command to configure firewall session logging. When logging is configured, a log message is generated for each state transition.
Per packet logging for debugging
You can set up filtering rules so that each packet matched by the rule is logged.
Ciena recommends limiting per packet logging to debugging. Per packet logging occurs in the forwarding paths and can greatly reduce the throughput of the system and dramatically increase the disk space used for the log files. For all operational purposes, use stateful session logging instead of per packet logging.
To implement per packet logging for debugging purposes, you can include the log keyword when specifying a rule. When the logging option is specified, a log message containing the parameters of the packet is generated and logged.