AA ISA can be configured, per AQP or per session filter, to log events related to how the packets are processed (either allowed or denied). AA supports event logging locally on the node or remotely via syslog. AA ISA FW logs contain the following information:
group partition
timestamp
5-tuple
direction
subscriber info (if available)
log source/type (session-filter or AQP)
action (allow/drop)
session-filter specific:
  session-filter name
  session-filter entry
AQP specific:
  drop reason
  fragment offset (if applicable)
  fragment ID (if applicable)
  TCP validation policy (if applicable)
If an out-of-order fragment triggers the log, then whatever 5-tuple information is available is included.
For AQPs, only drop events are captured in the log. The logs do not capture drops because of flow policers.
The operator can configure up to one event log per partition. For offline logging via syslog, the operator needs to configure the IP address of the syslog server and the VLAN ID to be used to connect to the server.
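A collector-side consistency check for the field model listed above, as an added example (not Nokia code and not the AA ISA log encoding). The dictionary layout, field names and sample values are assumptions; the page states which fields a record carries, not how they are serialized.

```python
from collections import Counter

# Hypothetical field names: the page lists the fields, not their encoding.
COMMON = ("partition", "timestamp", "direction", "source", "action")
TUPLE_KEYS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto")

def check_record(rec):
    """Return inconsistencies between rec and the documented field model."""
    issues = [f"missing {k}" for k in COMMON if k not in rec]
    source, action = rec.get("source"), rec.get("action")
    if action not in ("allow", "drop"):
        issues.append(f"unknown action {action!r}")
    if source == "session-filter":
        issues += [f"missing {k}" for k in ("sf_name", "sf_entry") if k not in rec]
    elif source == "aqp":
        if action != "drop":
            issues.append("AQP logs only capture drop events")
        if "drop_reason" not in rec:
            issues.append("missing drop_reason")
    else:
        issues.append(f"unknown source {source!r}")
    # Assumption: a partial 5-tuple is acceptable only with fragment fields.
    missing = [k for k in TUPLE_KEYS if k not in rec.get("five_tuple", {})]
    if missing and "frag_id" not in rec:
        issues.append("incomplete 5-tuple: " + ",".join(missing))
    return issues

def drop_summary(records):
    """Count drops per (source, drop reason or filter/entry); skip bad records."""
    counts = Counter()
    for rec in records:
        if not check_record(rec) and rec["action"] == "drop":
            key = rec.get("drop_reason") or f'{rec["sf_name"]}/{rec["sf_entry"]}'
            counts[(rec["source"], key)] += 1
    return counts

# Constructed records (documentation addresses), not captured device output.
_T = {"src_ip": "192.0.2.10", "dst_ip": "198.51.100.5", "src_port": 40000,
      "dst_port": 23, "proto": "tcp"}
_B = {"partition": "1:1", "timestamp": "2024-01-01T00:00:00Z", "direction": "from-sub"}
_SF = {**_B, "five_tuple": _T, "source": "session-filter", "sf_name": "fw-in"}
SAMPLE = [
    {**_SF, "action": "drop", "sf_entry": 10},
    {**_SF, "action": "allow", "sf_entry": 20},
    {**_B, "five_tuple": {"src_ip": "192.0.2.10", "dst_ip": "198.51.100.5"},
     "source": "aqp", "action": "drop", "drop_reason": "fragment-drop",
     "frag_id": 4660, "frag_offset": 185},
    {**_B, "five_tuple": _T, "source": "aqp", "action": "allow"},
    {**_SF, "action": "drop", "sf_entry": 10},
]
```

Records that fail the check, such as an AQP entry with an allow action, are worth alerting on separately, since they indicate a parsing error or a tampered log stream rather than firewall activity.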