About Filename Logging

The Security Services > Application Control group provides the Filename Logging event. Application Control Filename Logging allows the administrator to be notified of each filename or URIs of interest that Application Control has explicitly identified as it processes packets or flows.

The notification uses the Log mechanism where the output can be shown in several message formats, such as on the Monitor > Logs > System Logs page or by Syslog. For Syslog, the message-id for an Application Control Filename Log is 1574 and it has a message template of Filename: %s, where the value substituted for %s can be a filename or URI identified by Application Control.

Filename Logging events can occur when the following requirements are met:

• Enable App Control - Application Control is enabled per zone from the Object > Match Objects > Zones page and globally on the Policy > Rules and Policies > App Control.
• Enable Filename Logging - Filename Logging is enabled on the Log > Settings page.
• Logging is enabled for the App Control Filename Logging event id=1574 - Enable GUI or Syslog with appropriate filtering on the Log > Settings page.

Filename Logging works with the following protocols:

• HTTP
• FTP
• NetBios/CIFS
• SMTP
• POP3
• IMAP

Gateway Anti-Virus does not need to be enabled.

With HTTP, if the server response does not have a filename in its headers, the last portion of the URL that the client requested is used.

If the entire filename cannot be captured because of any reason, (for example, the filename was too long or it straddles multiple packets or any other reason), the prefix portion that was captured is logged and an asterisk is appended to it in the log entry.