Logging Connections with Access Control Rules

Depending on your choices for the rule action and deep inspection options, your logging options differ; see How Rules and Policy Actions Affect Logging.

Procedure

Step 1	In the access control policy editor, click Edit () next to the rule where you want to configure logging. If View () appears instead, the configuration is inherited from an ancestor policy, belongs to an ancestor domain, or you do not have permission to modify the configuration.
Step 2	Click Logging.
Step 3	Specify whether you want to Log at Beginning of Connection or Log at End of Connection. To optimize performance, log either the beginning or the end of any connection, but not both.
Step 4	(Optional) Check the Log Files check box to log file and malware events associated with the connection. It is recommended to leave this option enabled.
Step 5	Specify where to send the connection events: Event Viewers: Send events to the management center. When using cloud management, send events to the cloud-delivered management center and to an on-premises management center if you have configured it to perform event analytics only. You can view the events in the event viewer of either product. Syslog Server: Send connection events to the syslog server configured in the Logging tab in Access Control Policy, unless overridden. Show Overrides: Displays the options to override the settings configured in the access control policy. Override Severity: When you choose this option and select a severity for the rule, connection events for this rule will have the selected severity regardless of the severity configured in the Logging tab in Access Control Policy. Override Default Syslog Destination: Send the syslog generated for the connection event for this rule to destination specified in this alert. SNMP Trap: Connection events are sent to the selected SNMP trap.
Step 6	Click Confirm.
Step 7	Click Apply to save the rule.

What to do next

Deploy configuration changes.