Cipafilter log files overview
Posted by Nick Oakman, Last modified by Logan Kates on 06 March 2018 10:30 AM

This is a basic introduction to the log files in the /data/log directory. Some have their own article that explains them in more detail where necessary.



This is where you'll see information regarding logins to the filter's terminal and privilege escalations. Any SSH logins or login attempts will show up here, as well as any time a user issues the sudo command. This log is also helpful to look at from the web interface if you are unable to SSH to the filter. It may indicate errors with creating the SSH user accounts, or other problems.



This file will normally not have any data in it.  You must enable auth-helper debugging manually by entering the command: sudo debug auth-helper

Once that has been done, the file will contain output from the auth-helper command. auth-helper is used to determine whether an authentication attempt to the filter is successful, including making sure the username exists, validating the password if a password is required, and determining which filtering group the user is a member of. This log is helpful when troubleshooting authentication or group placement problems; however, the log will grow very quickly, which is why it isn't enabled by default. After you get the needed information, turn the auth-helper debug off using the command: sudo debug --clear



The bandwidthd process outputs to this file when it commits bandwidth usage information to the database. It is useful for making sure that bandwidthd is functioning. On startup, it also outputs information about which interfaces and subnets it is currently monitoring.



There shouldn't be anything here unless there was an error running the blacklist-update process, which is used to update the category blacklists as well as the automatic super whitelist and the Chromebook compatibility list.



This log contains the same information that is displayed on the screen when connecting a monitor to the Cipafilter device.  It is mostly output from the startup rc scripts in /usr/cipafilter/init.d



Links to contentfilter.log



Contains information about connection attempts to which is used for emergency tunnels



Messages from clamd (antivirus software) and freshclam (updates virus definitions)



Normally nothing here unless client tools debugging is turned on by entering sudo debug clienttools.php

If debugging is on, this will have data for every time the Windows, macOS, or Chrome client checks in.  If the check-in was unsuccessful, error messages are shown.



Main log file for contentfilter.  See separate article for interpreting this data



This log contains abort notices if it became necessary for the contentfilter-test process to force contentfilter to restart.  Ideally this file should be empty.



contentfilter-watchdog is the process that starts contentfilter and restarts it if it dies for some reason, so this log will mostly contain any stdout output from the contentfilter process.



Messages from various daemons running on the filter, such as ntpd, snmpd, lldpd



Contains information regarding the last database backup, including creation of the backup, purging of old data, vacuuming, and pushing the backup to a remote share.  If there are any warning messages on the filter about the database backup failing, this log should contain more information about what went wrong.  Otherwise, it normally will end stating that the backup/purge was successful.



Log for the dirsync process which periodically caches data from the customer's LDAP server for authentication



Log for the dnsmasq process which caches DNS responses to improve performance.  This log will indicate the current size of the cache, and whether there have been any lookup failures for the primary or secondary DNS server



Shows activity from the fail2ban process which blocks the IP of devices that appear to be malicious



Shows data regarding RADIUS authentication.



If multi gateway routing is in use, this file will contain data about when each ISP connection is brought up or down



Shows data about the hotspare status if it is enabled.  



Information about filter-to-filter VPN tunnels and L2TP over IPsec.  In older firmware where L2TP isn't an option, this file links to racoon.log.



Contains a log of kernel messages.  This is basically the same as the output you get from running the dmesg command.



Holds data that is used by the lastlog command.  This file is binary and not human-readable.



Shows errors reported by sendmail or mimedefang



Detailed log of e-mail that is sent, received, or relayed by the Cipafilter, including instant notifications, reports, and e-mails received for spam filtering and archiving.



Shows warnings reported by sendmail or mimedefang



Similar to contentfilter-watchdog.log, except for the e-mail filter.  Should contain stdout output from cf-milter if e-mail spam filtering is in use.



Log file for postgresql, which is the database used for storing web reporting, email archiving, and dirsync data.



Information and errors related to PPTP VPN tunnels from a remote user to the Cipafilter



Shows information and errors for the racoon process, which is the key exchange program used for filter-to-filter IPsec VPN tunnels. Starting in 9.2, racoon will no longer be used; charon will be used instead.



Contains output from processes started via the override console



A general system log containing messages and errors from cron jobs as well as various daemons. It will also indicate system messages, such as if the power button was pressed.



Usually blank unless there are any errors during the user_update process. This process is used for synchronising SSH keys between Enterprise and the Cipafilter.



Output from vmstat program.  Updated once per hour.
