Submenu – Log Viewer

Airlock Gateway logs and system service logs are stored in an Elasticsearch database. Depending on the configuration, a local or remote Elasticsearch installation is targeted.

Kibana is used to browse logs. A click on the Log Viewer menu item opens Kibana in Discover View. Some saved searches are predefined to simplify searching and filtering for specific log messages. The Lucene query language syntax can be used to create search queries.

Kibana is also used for reporting. Some Airlock Gateway dashboards are predefined:

  • Default – An overview dashboard with aggregated proxy and attack statistics.
  • Application Statistics – Displays metrics aggregated by virtual hosts and mappings to identify top applications.
  • Attacks – Detailed visualizations of attacks and their origins.
  • Performance and Troubleshooting – A dashboard for analyzing performance issues and back-end problems.
  • Session statistics – A dashboard with detailed session and header statistics.

The default dashboard is embedded in the Configuration Center and shown after logging in.

Custom reports

Custom searches, visualizations and dashboards can be defined. Create new charts using the Visualize and Dashboard views. Note, however, that custom objects are not backed up. Before resetting the configuration or applying updates, ensure all custom objects are exported using the Management view.

Reset logging and reporting

If the Airlock Gateway default searches or dashboards have been modified or corrupted, the default configuration can be restored. To restore searches and dashboards, log in via SSH as the user menu, then select 1 (System Management) and 5 (Restore saved searches and dashboards). Make sure to back up custom objects before resetting the configuration.

Disk space management

Airlock Gateway stores its log files in Elasticsearch. The time range covered by logs and reports depends on the available disk space and the traffic volume of the system. A fresh index is created every day, storing all logs of the corresponding day. As soon as the usage of /var exceeds a specific trigger limit, the oldest indices are deleted until disk usage drops to a configured percentage, so that enough capacity remains available in /var; independently of this, indices that exceed a certain age in days are deleted.

Default settings and their description:

  • PERCENT_TO_TRIGGER=75 – If disk usage exceeds the configured percentage, a cleanup is triggered.
  • PERCENT_TO_KEEP=70 – Cleanup deletes the oldest indices until the disk usage is at the configured percentage.
  • MAX_DAYS_TO_KEEP=365 – Regardless of the trigger levels, all indices older than the configured number of days are deleted.

  • If space restrictions on the local Airlock Gateway host are too tight, consider offloading logging and reporting to a remote Elasticsearch installation (see configuration).
  • See article Customize Elasticsearch data archiving to alter the behavior of rotating and archiving logs controlled by the Log Viewer.
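The retention rules above, worked through as an added example (not part of the Airlock Gateway documentation or product code): a simulation that applies the age limit first and then deletes the oldest daily indices until /var usage is back at PERCENT_TO_KEEP. Index sizes, the non-log usage of /var and the reference date are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Default values as listed on the page
PERCENT_TO_TRIGGER = 75
PERCENT_TO_KEEP = 70
MAX_DAYS_TO_KEEP = 365

TODAY = date(2024, 6, 1)  # constructed reference date for the sample


@dataclass
class Index:
    day: date      # one index per day, as described on the page
    size_pct: int  # share of /var occupied by this index (constructed)


def plan_cleanup(indices, other_usage_pct, today,
                 trigger=PERCENT_TO_TRIGGER, keep=PERCENT_TO_KEEP,
                 max_days=MAX_DAYS_TO_KEEP):
    """Return (indices to delete, resulting /var usage in percent)."""
    remaining = sorted(indices, key=lambda i: i.day)  # oldest first
    deleted = []
    # Rule 1: the age limit applies regardless of the trigger levels.
    cutoff = today - timedelta(days=max_days)
    for idx in list(remaining):
        if idx.day < cutoff:
            deleted.append(idx)
            remaining.remove(idx)
    usage = other_usage_pct + sum(i.size_pct for i in remaining)
    # Rule 2: above the trigger, drop the oldest indices until at the keep level.
    # If /var is full of non-log data, the loop stops once no index is left.
    if usage > trigger:
        while remaining and usage > keep:
            idx = remaining.pop(0)
            deleted.append(idx)
            usage -= idx.size_pct
    return deleted, usage


def sample_indices(today):
    """Constructed sample: one stale index plus ten recent daily indices."""
    stale = [Index(today - timedelta(days=400), 2)]
    recent = [Index(today - timedelta(days=n), 5) for n in range(1, 11)]
    return stale + recent


def demo():
    """Non-log usage of 30% plus 50% of logs: age rule removes 1, usage rule 2."""
    deleted, usage = plan_cleanup(sample_indices(TODAY), 30, TODAY)
    return len(deleted), usage
```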

Log rotation and archiving parameters for certain system files are configured as a nightly cron job using logrotate. This rotates log files as configured in the various files in /etc/logrotate.d/. More information about logrotate and its options can be found online in the logrotate man page.

Terms of use for WMS service maps.airlock.com

Airlock Gateway reporting uses an external WMS service to provide geographical maps. Ergon Informatik AG provides this service through https://maps.airlock.com. Using the WMS service is only permitted to visualize Airlock Gateway logs.