Filter-match logging
When a packet matches a defensive filter during IP filter processing, a message can be logged indicating that the packet was discarded based on this filter. When a defensive filter is added, filter-match logging can be enabled or disabled for the filter; it is enabled by default. The filter-match logging setting can be updated with the ipsec command for an existing defensive filter.
When a defensive filter is simulating a block, filter-match logging is always performed, regardless of the logging setting, to indicate that a packet would have been discarded based on the defensive filter.
You can limit the number of filter-match messages generated for a defensive filter by specifying a log limit for the defensive filter in one of the following ways:
- Use the loglimit keyword on the ipsec command when you add a defensive filter.
- Use the loglimit keyword on the ipsec command to update a defensive filter.
- Set a default value for one or more TCP/IP stacks using the DefaultLogLimit parameter on the DmStackConfig statement in the DMD configuration file. The DefaultLogLimit value is used when a filter is added without specifying a loglimit value. For more information about the DmStackConfig statement and its parameters, see z/OS Communications Server: IP Configuration Reference.
The log limit caps the average rate of filter-match messages that are generated per 5-minute interval for a defensive filter. For example, a loglimit value of 100 limits the average rate of filter-match messages to 100 messages per 5-minute interval. A burst of up to 100 messages is allowed, while the long-term average is held to 100 messages per 5-minute interval.
A count is kept of suppressed messages. At the end of the 5-minute interval, if there are suppressed filter-match messages, EZD0837I or EZD0838I is generated to report the number of suppressed messages.
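The rate-limiting and suppression-reporting behaviour described above, as an added example that is not part of this documentation and not IBM's implementation: a small Python model of a per-filter log limit. It assumes a token-bucket scheme (bucket size loglimit, refilled at loglimit per 5-minute interval), which reproduces the stated behaviour of allowing a burst of up to loglimit messages while holding the long-term average, and it keeps a count of suppressed messages that is reported at each interval boundary, as the EZD0837I or EZD0838I message does on z/OS. The class, function and message text are constructed for the example; the actual z/OS algorithm may differ.

```python
"""Model of a defensive-filter log limit: a burst of up to `loglimit`
messages is allowed, the long-term average is held to `loglimit` messages
per 5-minute interval, and suppressed messages are counted and reported
at the end of each interval. Example code, not z/OS's implementation."""

INTERVAL_SECONDS = 300.0  # the 5-minute interval described in the text


class LogLimiter:
    """Token-bucket approximation of a per-filter log limit (assumption:
    the token bucket is one way to obtain the documented behaviour, not
    the documented algorithm)."""

    def __init__(self, loglimit, interval=INTERVAL_SECONDS):
        self.loglimit = loglimit
        self.interval = interval
        self.tokens = float(loglimit)  # bucket starts full: full burst available
        self.last_refill = 0.0
        self.interval_end = interval
        self.suppressed = 0            # suppressed messages in the current interval
        self.logged = []               # constructed filter-match messages
        self.summaries = []            # (interval_end, suppressed_count) reports

    def _advance(self, now):
        # Refill at loglimit / interval tokens per second, capped at loglimit,
        # so the average over any long window cannot exceed the limit.
        elapsed = now - self.last_refill
        self.tokens = min(self.loglimit,
                          self.tokens + elapsed * self.loglimit / self.interval)
        self.last_refill = now
        # At each interval boundary, report the suppressed count (the page
        # names EZD0837I or EZD0838I for this report) and reset it.
        while now >= self.interval_end:
            if self.suppressed:
                self.summaries.append((self.interval_end, self.suppressed))
                self.suppressed = 0
            self.interval_end += self.interval

    def on_match(self, now, packet_desc):
        """Called for each packet that matches the defensive filter.
        Returns True if a filter-match message was logged, False if it
        was suppressed because the log limit was reached."""
        self._advance(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            self.logged.append(
                f"{now:7.1f}s packet discarded by defensive filter: {packet_desc}")
            return True
        self.suppressed += 1
        return False


def simulate(match_times, loglimit, interval=INTERVAL_SECONDS):
    """Feed constructed match timestamps (seconds, ascending) through a
    limiter; return (messages logged, suppression reports)."""
    limiter = LogLimiter(loglimit, interval)
    for t in match_times:
        limiter.on_match(t, "constructed sample packet")
    return len(limiter.logged), list(limiter.summaries)


if __name__ == "__main__":
    # 150 matches at once: 100 logged (the burst), 50 suppressed and reported
    # at the end of the first 5-minute interval.
    print(simulate([0.0] * 150 + [300.0], loglimit=100))
    # Steady 100 matches per 5 minutes: nothing is ever suppressed.
    print(simulate([3.0 * i for i in range(1, 101)], loglimit=100))
    # Two bursts 150 s apart: the second only gets the 50 tokens refilled
    # since the first, keeping the long-term average at 100 per interval.
    print(simulate([0.0] * 100 + [150.0] * 100 + [450.0], loglimit=100))
```

The first scenario shows the burst allowance and the end-of-interval report; the third shows why a second burst inside the same interval is partly suppressed even though the bucket was full at the start, which is the long-term averaging the text describes.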