Cipafilter log files overview
Posted by Nick Oakman, Last modified by Logan Kates on 06 March 2018 10:30 AM
This is a basic introduction to the log files in the /data/log directory. Where necessary, some logs have their own article that explains them in more detail.
This is where you'll see information regarding logins to the filter's terminal, and privilege escalations. Any SSH logins or login attempts will show up here, as well as any time a user issues the
This file will normally not have any data in it. You must enable auth-helper debugging manually by entering the command:
Once that has been done, the file will contain output from the
There shouldn't be anything here unless there was an error running the
This log contains the same information that is displayed on the screen when connecting a monitor to the Cipafilter device. It is mostly output from the startup rc scripts in /usr/cipafilter/init.d
Links to contentfilter.log
Contains information about connection attempts to cipatunnel.cipafilter.com, which is used for emergency tunnels.
Messages from clamd (antivirus software) and freshclam (which updates virus definitions).
Normally nothing here unless client tools debugging is turned on by entering
If debugging is on, this will have data for every time the Windows, macOS, or Chrome client checks in. If the check-in was unsuccessful, error messages are shown.
Main log file for contentfilter. See the separate article for interpreting this data.
This log contains abort notices if it became necessary for the contentfilter-test process to force contentfilter to restart. Ideally this file should be empty.
contentfilter-watchdog is the process that starts contentfilter and restarts it if it dies for some reason, so this log mostly contains stdout output from the contentfilter process.
Messages from various daemons running on the filter, such as ntpd, snmpd, and lldpd.
Contains information regarding the last database backup, including creation of the backup, purging of old data, vacuuming, and pushing the backup to a remote share. If there are any warning messages on the filter about the database backup failing, this log should contain more information about what went wrong. Otherwise, it will normally end by stating that the backup/purge was successful.
Log for the dirsync process, which periodically caches data from the customer's LDAP server for authentication.
Log for the dnsmasq process, which caches DNS responses to improve performance. This log indicates the current size of the cache and whether there have been any lookup failures for the primary or secondary DNS server.
Shows activity from the fail2ban process, which blocks the IP of devices that appear to be malicious.
Shows data regarding RADIUS authentication.
If multi-gateway routing is in use, this file will contain data about when each ISP connection is brought up or down.
Shows data about the hotspare status if it is enabled.
Information about filter-to-filter VPN tunnels and L2TP over IPsec. In older firmware where L2TP isn't an option, this file links to racoon.log.
Contains a log of kernel messages. This is basically the same as the output you get from running the
Holds data that is used by the
Shows errors reported by
Detailed log of e-mail that is sent, received, or relayed by the Cipafilter, including instant notifications, reports, and e-mails received for spam filtering and archiving.
Shows warnings reported by
Similar to contentfilter-watchdog.log, but for the e-mail filter. Should contain stdout output from cf-milter if e-mail spam filtering is in use.
Log file for PostgreSQL, which is the database used for storing web reporting, e-mail archiving, and dirsync data.
Information and errors related to PPTP VPN tunnels from a remote user to the Cipafilter.
Shows information and errors for the racoon process, which is the key exchange program used for filter-to-filter IPsec VPN tunnels. Starting in 9.2, racoon will no longer be used; charon will be used instead.
Contains output from processes started via the override console.
A general system log containing messages and errors from cron jobs as well as various daemons. It also records system messages, such as when the power button was pressed.
Usually blank unless there are errors during the user_update process. This process is used for synchronising SSH keys between Enterprise and the Cipafilter.
Output from the vmstat program. Updated once per hour.