2Management47Statistics and High AvailabilityStatistics are not correctly mirrored in inactive unit of an HA cluster. This topic is discussedfurther in HA issues on page 166.Events and loggingThe ability to log and analyze system activities is an essential feature of the SEG. Loggingenables monitoring of the SEG status and health, allows auditing of network usage, andassists in troubleshooting.Log message generationThe SEG defines a large number of different log event messages, which are generated as aresult of associated system events. Examples of such events are the establishment and endingof flows, receipt of malformed packets, and the dropping of traffic according to filteringpolicies.Log events are always generated for certain aspects of the SEG, such as buffer usage, DHCPclients, high availability, and IPsec. The generation of events for other SEG subsystems such asDHCP relay, DHCP servers, and IP rules can be enabled as needed.Event typesThe SEG defines several hundred events for which log messages can be generated. The eventsrange from high‐level, customizable, user events to low‐level and mandatory system events.For example, the flow_open event is a typical high‐level event that generates an eventmessage whenever a new flow is established, given that a matching security policy rule existsthat specifies that event messages should be generated for that flow.An example of a low‐level event would be the startup_normal event, which generates amandatory event message as soon as the system starts up.Message formatAll event messages have a common format with attributes that include category, severity, andrecommended actions. These attributes enable easy filtering of messages, either within theSEG prior to sending to an event receiver, or as part of the analysis after logging and storingmessages on an external log server.A list of all event messages can be found in the SEG‐100 Log Reference. That guide alsodescribes the design of event messages, the meaning of severity levels, and the variousattributes available.