SonicOS Log Event Reference Guide
Using the SonicOS Log Event Reference Guide
This reference guide lists and describes SonicOS log event messages. Reference a log event
message by using the alphabetical index of log event messages.
This document contains the following sections:
• “Log > View” section on page 2
• “Log > Categories” section on page 5
• “Log > Syslog” section on page 9
• “Log > Automation” section on page 10
• “Log > Name Resolution” section on page 14
• “Log > Reports” section on page 16
• “Log > ViewPoint” section on page 17
• “Index of Log Event Messages” section on page 19
• “Index of Syslog Tag Field Description” section on page 57
Log > View
The SonicWALL security appliance maintains an Event log for tracking potential security threats. This log can be viewed in the Log > View page, or it can be automatically sent to an e-mail address for convenience and archiving. The log is displayed in a table and can be sorted by column.
The SonicWALL security appliance can alert you of important events, such as an attack to the SonicWALL security appliance. Alerts are immediately e-mailed, either to an e-mail address or to an e-mail pager. Each log entry contains the date and time of the event and a brief message describing the event.
Log View Table
The log is displayed in a table and is sortable by column. The log table columns include:
• Time - the date and time of the event.
• Priority - the level of priority associated with your log event. Syslog uses eight categories to characterize messages – in descending order of severity, the categories include:
– Emergency
– Alert
– Critical
– Error
– Warning
– Notice
– Informational
– Debug
Specify a priority level on a SonicWALL security appliance on the Log > Categories page to log messages for that priority level, plus all messages tagged with a higher severity. For example, select ‘error’ as the priority level to log all messages tagged as ‘error,’ as well as any messages tagged with ‘critical,’ ‘alert,’ and ‘emergency.’ Select ‘debug’ to log all messages.
Note Refer to the Log Event Messages section for more information on your specific log event.
• Category - the type of traffic, such as Network Access or Authenticated Access.
• Message - provides a description of the event.
• Source - displays the source network and IP address.
• Destination - displays the destination network and IP address.
• Notes - provides additional information about the event.
• Rule - notes the Network Access Rule affected by the event.
Navigating and Sorting Log View Table Entries
The Log View table provides easy pagination for viewing large numbers of log events. You can navigate these log events by using the navigation control bar located at the top right of the Log View table. The navigation control bar includes four buttons. The far left button displays the first page of the table. The far right button displays the last page. The inside left and right arrow buttons move to the previous or next page, respectively.
You can sort the entries in the table by clicking on the column header. The entries are sorted in ascending or descending order. The arrow to the right of the column entry indicates the sorting status. A down arrow means ascending order. An up arrow indicates descending order.
Refresh
To update log messages, click the Refresh button near the top right corner of the page.
Clear Log
To delete the contents of the log, click the Clear Log button near the top right corner of the page.
Export Log
To export the contents of the log to a defined destination, click the Export Log button below the filter table. You can export log content to two formats:
• Plain text format--Used in log and alert e-mail.
• Comma-separated value (CSV) format--Used for importing into Excel or other presentation development applications.
E-mail Log
If you have configured the SonicWALL security appliance to e-mail log files, clicking E-mail Log near the top right corner of the page sends the current log files to the e-mail address specified in the Log > Automation > E-mail section.
Note The SonicWALL security appliance can alert you of important events, such as an attack to the SonicWALL security appliance. Alerts are immediately sent via e-mail, either to an e-mail address or to an e-mail pager. For sending alerts, you must enter your e-mail address and server information in the Log > Automation page.
Filtering Log Records Viewed
You can filter the results to display only event logs matching certain criteria. You can filter by Priority, Category, Source (IP or Interface), and Destination (IP or Interface).
Step 1 Enter your filter criteria in the Log View Settings table.
Step 2 The fields you enter values into are combined into a search string with a logical AND. For example, if you select an interface for Source and for Destination, the search string will look for connections matching:
Source interface AND Destination interface
Step 3 Check the Group Filters box next to any two or more criteria to combine them with a logical OR.
For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group Filters next to Source IP and Destination IP, the search string will look for connections matching:
(Source IP OR Destination IP) AND Protocol
Step 4 Click Apply Filter to apply the filter immediately to the Log View Settings table. Click Reset to clear the filter and display the unfiltered results again.
The following example filters for log events resulting from traffic from the WAN to the LAN:
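The WAN-to-LAN filter just mentioned, and the grouped (Source IP OR Destination IP) AND Protocol case from Step 3, worked through as an added Python example (this is not SonicOS code; the records and the field names are constructed for illustration):

```python
"""Filter composition in the style of the Log > View filter settings:
filled-in fields are ANDed, and fields whose 'Group Filters' box is checked
are ORed into one term first.  Added example; this is not SonicOS code."""

# Field labels as the guide's search strings spell them.
LABELS = {"priority": "Priority", "category": "Category",
          "src_ip": "Source IP", "src_if": "Source interface",
          "dst_ip": "Destination IP", "dst_if": "Destination interface",
          "protocol": "Protocol"}

# Constructed log records with the fields the Log View filter can match on.
RECORDS = [
    {"priority": "Warning", "category": "Network Access", "protocol": "TCP",
     "src_ip": "10.0.0.5", "src_if": "LAN", "dst_ip": "203.0.113.9", "dst_if": "WAN"},
    {"priority": "Alert", "category": "Intrusion Prevention", "protocol": "TCP",
     "src_ip": "198.51.100.7", "src_if": "WAN", "dst_ip": "10.0.0.8", "dst_if": "LAN"},
    {"priority": "Notice", "category": "Network Access", "protocol": "UDP",
     "src_ip": "10.0.0.5", "src_if": "LAN", "dst_ip": "10.0.0.8", "dst_if": "LAN"},
    {"priority": "Error", "category": "Network Access", "protocol": "UDP",
     "src_ip": "198.51.100.12", "src_if": "WAN", "dst_ip": "10.0.0.9", "dst_if": "LAN"},
]


def _split_terms(criteria, grouped):
    """Separate criteria into OR-grouped fields and plain AND fields.

    Group Filters only takes effect on two or more checked fields; a single
    checked field is treated as an ordinary AND term.
    """
    group = [f for f in grouped if f in criteria]
    if len(group) < 2:
        group = []
    plain = [f for f in criteria if f not in group]
    return group, plain


def describe(criteria, grouped=()):
    """Render the search string the way the guide writes it,
    e.g. '(Source IP OR Destination IP) AND Protocol'."""
    group, plain = _split_terms(criteria, grouped)
    terms = []
    if group:
        terms.append("(" + " OR ".join(LABELS[f] for f in group) + ")")
    terms.extend(LABELS[f] for f in plain)
    return " AND ".join(terms)


def build_filter(criteria, grouped=()):
    """Return a predicate over one record implementing that search string."""
    group, plain = _split_terms(criteria, grouped)

    def predicate(rec):
        if any(rec.get(f) != criteria[f] for f in plain):
            return False
        if group and not any(rec.get(f) == criteria[f] for f in group):
            return False
        return True

    return predicate


def apply_filter(records, criteria, grouped=()):
    """Records that the filter admits, in their original order."""
    keep = build_filter(criteria, grouped)
    return [r for r in records if keep(r)]


if __name__ == "__main__":
    wan_to_lan = {"src_if": "WAN", "dst_if": "LAN"}
    print(describe(wan_to_lan), "->", len(apply_filter(RECORDS, wan_to_lan)))
    host = {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.8", "protocol": "TCP"}
    print(describe(host), "->", len(apply_filter(RECORDS, host)))
    print(describe(host, ("src_ip", "dst_ip")), "->",
          len(apply_filter(RECORDS, host, ("src_ip", "dst_ip"))))
```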
Log Event Messages
For a complete reference guide of log event messages, refer to the “Log Event Message Index” section on page 20.
Log > Categories
This guide provides configuration tasks to enable you to categorize and customize the logging functions on your SonicWALL security appliance for troubleshooting and diagnostics.
Note You can extend your SonicWALL security appliance log reporting capabilities by using SonicWALL ViewPoint. ViewPoint is a Web-based graphical reporting tool for detailed and comprehensive reports. For more information on the SonicWALL ViewPoint reporting tool, refer to www.sonicwall.com.
Log Severity/Priority
This section describes how to configure the priority level at which log messages are captured and at which corresponding alert messages are sent by e-mail for notification.
Logging Level
The Logging Level control filters events by priority. Events of equal or greater priority are passed, and events of lower priority are dropped. The Logging Level menu includes the following priority scale items from highest to lowest priority:
• Emergency (highest priority)
• Alert
• Critical
• Error
• Warning
• Notice
• Informational
• Debug (lowest priority)
Alert Level
The Alert Level control determines how E-mail Alerts are sent. An event of equal or greater priority causes an E-mail alert to be issued. Lower priority events do not cause an alert to be sent. Events are pre-filtered by the Logging Level control, so if the Logging Level control is set to a higher priority than that of the Alert Level control, only alerts at the Logging Level or higher are sent. Alert levels include:
• None (disables e-mail alerts)
• Emergency (highest priority)
• Alert
• Critical
• Error
• Warning (lowest priority)
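How the Logging Level pre-filters the Alert Level, together with the rule from the Log > View section that selecting ‘error’ admits ‘critical’, ‘alert’ and ‘emergency’ as well, worked through as an added Python example (not SonicOS code). It reads the RFC 3164 <PRI> header of a syslog line, whose severity code is what the priority scale names, and classifies each line; the sample lines are constructed.

```python
"""Severity filtering in the style of the SonicOS Logging Level and
Alert Level controls, applied to RFC 3164 syslog lines.
Added example; this is not SonicOS code."""
import re

# RFC 3164 severity codes: 0 is the most severe, 7 the least.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
SEVERITY_CODE = {name.lower(): code for code, name in enumerate(SEVERITIES)}

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Return (facility, severity) from a line's <PRI> header, or None.

    PRI = facility * 8 + severity, so the severity is the low three bits.
    """
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:          # 23 * 8 + 7 is the largest value RFC 3164 allows
        return None
    return pri >> 3, pri & 0x7


def meets_level(severity, level_name):
    """True when the event is at or above level_name on the priority scale.

    'error' admits Error, Critical, Alert and Emergency; 'debug' admits all.
    """
    return severity <= SEVERITY_CODE[level_name.lower()]


def classify(line, logging_level, alert_level):
    """Return 'dropped', 'logged' or 'alert' for one syslog line.

    The Logging Level pre-filters every event; only an event that survives
    it and also meets the Alert Level produces an alert.  An alert_level of
    'none' disables alerts entirely.
    """
    parsed = parse_pri(line)
    if parsed is None:
        return "dropped"
    _facility, severity = parsed
    if not meets_level(severity, logging_level):
        return "dropped"
    if alert_level.lower() == "none" or not meets_level(severity, alert_level):
        return "logged"
    return "alert"


def summarize(lines, logging_level, alert_level):
    """Count how many lines end up dropped, logged or alerted."""
    counts = {"dropped": 0, "logged": 0, "alert": 0}
    for line in lines:
        counts[classify(line, logging_level, alert_level)] += 1
    return counts


# Constructed sample lines; PRI 128 + severity puts them in facility local0.
SAMPLE = [
    '<129>Jan 10 12:00:01 fw01 msg="severity 1, Alert"',
    '<131>Jan 10 12:00:02 fw01 msg="severity 3, Error"',
    '<132>Jan 10 12:00:03 fw01 msg="severity 4, Warning"',
    '<134>Jan 10 12:00:04 fw01 msg="severity 6, Informational"',
    'Jan 10 12:00:05 fw01 msg="no PRI header at all"',
]

if __name__ == "__main__":
    # Logging Level stricter than Alert Level: the Warning line is dropped
    # before the Alert Level ever sees it.
    for line in SAMPLE:
        print(classify(line, "error", "warning"), "<-", line)
    print(summarize(SAMPLE, "informational", "error"))
```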
Log Redundancy Filter
The Log Redundancy Filter allows you to define the time in seconds that the same attack is logged on the Log > View page as a single entry in the SonicWALL log. Various attacks are often rapidly repeated, which can quickly fill up a log if each attack is logged. The Log Redundancy Filter has a default setting of 60 seconds.
Alert Redundancy Filter
The Alert Redundancy Filter allows you to define the time in seconds that the same attack is logged on the Log > View page as a single entry in the SonicWALL log before an alert is issued. The Alert Redundancy Filter has a default setting of 900 seconds.
Log Categories
SonicWALL security appliances provide automatic attack protection against well known exploits. The majority of these legacy attacks were identified by telltale IP or TCP/UDP characteristics, and recognition was limited to a set of fixed layer 3 and layer 4 values. As the breadth and sophistication of attacks evolved, it has become essential to dig deeper into the traffic, and to develop the sort of adaptability that could keep pace with the new threats.
All SonicWALL security appliances, even those running SonicWALL IPS, continue to recognize these legacy port and protocol types of attacks. The current behavior on all SonicWALL security appliances is to automatically and holistically prevent these legacy attacks, meaning that it is not possible to disable prevention of these attacks either individually or globally.
SonicWALL security appliances now include an expanded list of attack categories that can be logged.
The View Style menu provides the following three log category views:
• All Categories - Displays both Legacy Categories and Expanded Categories.
• Legacy Categories - Displays log categories carried over from earlier SonicWALL log event categories.
• Expanded Categories - Displays the expanded listing of categories that includes the older Legacy Categories log events rearranged into the new structure.
The following table describes both the Legacy and Extended log categories.
Category | Log Type | Description
High Availability | Extended | Logs High Availability activity
IPcomp | Extended | Logs IP compression activity
Intrusion Prevention | Extended | Logs intrusion prevention related activity
L2TP Client | Extended | Logs L2TP client activity
L2TP Server | Extended | Logs L2TP server activity
Multicast | Extended | Logs multicast IGMP activity
Network | Extended | Logs network ARP, fragmentation, and MTU activity
Network Access | Extended | Logs network and firewall protocol access activity
Network Debug | Legacy | Logs NetBIOS broadcasts, ARP resolution problems, and NAT resolution problems. Also, detailed messages for VPN connections are displayed to assist the network administrator with troubleshooting problems with active VPN tunnels. Network Debug information is intended for experienced network administrators.
System Errors | Legacy | Logs problems with DNS or e-mail.
System Maintenance | Legacy | Logs general system activity, such as system activations.
User Activity | Legacy | Logs successful and unsuccessful login attempts.
VOIP | Extended | Logs VoIP H.323/RAS, H.323/H.225, and H.323/H.245 activity
VPN | Extended | Logs VPN activity
VPN Client | Extended | Logs VPN client activity
VPN IKE | Extended | Logs VPN IKE activity
VPN IPsec | Extended | Logs VPN IPSec activity
VPN PKI | Extended | Logs VPN PKI activity
VPN Tunnel Status | Legacy | Logs status information on VPN tunnels.
WAN Failover | Extended | Logs WAN failover activity
Wireless | Extended | Logs wireless activity
Wlan IDS | Extended | Logs WLAN IDS activity
Managing Log Categories
The Log Categories table displays log category information organized into the following columns:
• Category - Displays the log category name.
• Description - Provides a description of the log category activity type.
• Log - Provides a checkbox for enabling/disabling the display of the log events on the Log > View page.
• Alerts - Provides a checkbox for enabling/disabling the sending of alerts for the category.
• Syslog - Provides a checkbox for enabling/disabling the capture of the log events into the SonicWALL security appliance Syslog.
• Event Count - Displays the number of events for that category. Clicking the Refresh button updates these numbers.
You can sort the log categories in the Log Categories table by clicking on the column header. For example, clicking on the Category header sorts the log categories in descending order from the default ascending order. An up or down arrow to the left of the column name indicates whether the column is sorted in ascending or descending order.
You can enable or disable Log, Alerts, and Syslog on a category by category basis by clicking on the check box for the category in the table. You can enable or disable Log, Alerts, and Syslog for all categories by clicking the checkbox on the column header.
Log > Syslog
In addition to the standard event log, the SonicWALL security appliance can send a detailed log to an external Syslog server. The SonicWALL Syslog captures all log activity and includes every connection source and destination IP address, IP service, and number of bytes transferred. SonicWALL Syslog support requires an external server running a Syslog daemon on UDP Port 514. Syslog Analyzers such as SonicWALL ViewPoint or WebTrends Firewall Suite can be used to sort, analyze, and graph the Syslog data. Messages from the SonicWALL security appliance are then sent to the server(s). Up to three Syslog server IP addresses can be added.
Syslog Settings
• Syslog Facility - Allows you to select the facilities and severities of the messages based on the syslog protocol.
Note See RFC 3164 - The BSD Syslog Protocol for more information.
• Override Syslog Settings with ViewPoint Settings - Check this box to override Syslog settings, if you’re using SonicWALL ViewPoint for your reporting solution.
Note For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com.
– Syslog Event Redundancy Filter (seconds) - This setting prevents repetitive messages from being written to Syslog. If duplicate events occur during the period specified in the Syslog Event Redundancy Rate field, they are not written to Syslog as unique events. Instead, the additional events are counted, and then at the end of the period, a message is written to the Syslog that includes the number of times the event occurred. The Syslog Event Redundancy Filter default value is 60 seconds and the maximum value is 86,400 seconds (24 hours). Setting this value to 0 seconds sends all Syslog messages without filtering.
– Syslog Format - You can choose the format of the Syslog to be Default or WebTrends. If you select WebTrends, however, you must have WebTrends software installed on your system.
Note If the SonicWALL security appliance is managed by SonicWALL GMS, the Syslog Server fields cannot be configured by the administrator of the SonicWALL security appliance.
• Enable Event Rate Limiting - This control allows you to enable rate limiting of events to prevent the internal or external logging mechanism from being overwhelmed by log events.
• Enable Data Rate Limiting - This control allows you to enable rate limiting of data to prevent the internal or external logging mechanism from being overwhelmed by log events.
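The redundancy window described above for the Log, Alert and Syslog Event Redundancy Filters (first occurrence written at once, repeats counted, a summary with the count at the end of the period, 0 seconds meaning no filtering), as an added Python example that is not SonicOS code; the event stream is constructed and reuses message texts from the index at the end of this guide:

```python
"""Redundancy filtering in the style of the SonicOS Log/Alert Redundancy
Filters and the Syslog Event Redundancy Filter: the first occurrence of an
event is written at once, duplicates inside the window are only counted, and
a summary carrying the count is written when the window ends.
Added example; this is not SonicOS code."""
from collections import OrderedDict


class RedundancyFilter:
    """Collapse repeats of the same event within a window of N seconds."""

    def __init__(self, window_seconds=60):
        if not 0 <= window_seconds <= 86400:
            raise ValueError("window must be between 0 and 86400 seconds")
        self.window = window_seconds
        # event text -> [window_start, number_of_suppressed_repeats]
        self._open = OrderedDict()

    def _close_expired(self, now):
        """Close every window that has run out by 'now'; return summaries."""
        out = []
        for text, (start, repeats) in list(self._open.items()):
            if now - start >= self.window:
                del self._open[text]
                if repeats:
                    out.append((start + self.window,
                                f"{text} (occurred {repeats + 1} times in "
                                f"{self.window}s)"))
        return out

    def process(self, ts, text):
        """Feed one event; return the (ts, message) pairs to write out."""
        out = self._close_expired(ts)
        if self.window == 0:            # 0 seconds: no filtering at all
            out.append((ts, text))
        elif text in self._open:        # duplicate inside an open window
            self._open[text][1] += 1
        else:                           # first occurrence opens a window
            self._open[text] = [ts, 0]
            out.append((ts, text))
        return out

    def flush(self):
        """Close all remaining windows, e.g. at shutdown."""
        return self._close_expired(float("inf"))


def run(events, window_seconds=60):
    """Run a timestamped event stream through the filter."""
    f = RedundancyFilter(window_seconds)
    written = []
    for ts, text in events:
        written.extend(f.process(ts, text))
    written.extend(f.flush())
    return written


# Constructed stream: (seconds since start, message text from the guide's index).
EVENTS = [
    (0, "Terminal Services agent is down"),
    (5, "Terminal Services agent is down"),
    (7, "Terminal Services agent is down"),
    (10, "WAN Ethernet Port Down"),
    (61, "Terminal Services agent is down"),   # 60 s window has ended: new one
    (70, "WAN Ethernet Port Down"),
]

if __name__ == "__main__":
    for ts, msg in run(EVENTS, 60):
        print(f"t={ts:>3}  {msg}")
```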
Adding a Syslog Server
To add syslog servers to the SonicWALL security appliance:
Step 1 Click Add. The Add Syslog Server window is displayed.
Step 2 Type the Syslog server name or IP address in the Name or IP Address field. Messages from the SonicWALL security appliance are then sent to the servers.
Step 3 If your syslog is not using the default port of 514, type the port number in the Port Number field.
Step 4 Click OK.
Step 5 Click Accept to save all Syslog Server settings.
Log > Automation
The Log > Automation page includes settings for configuring the SonicWALL to send log files using e-mail and configuring mail server settings.
E-mail Log Automation
• Send Log to E-mail address - Enter your e-mail address ([email protected]) in this field to receive the event log via e-mail. Once sent, the log is cleared from the SonicWALL memory. If this field is left blank, the log is not e-mailed.
• Send Alerts to E-mail address - Enter your e-mail address ([email protected]) in the Send alerts to field to be immediately e-mailed when attacks or system errors occur. Type a standard e-mail address or an e-mail paging service. If this field is left blank, e-mail alert messages are not sent.
• Send Log - Determines the frequency of sending log files. The options are When Full, Weekly, or Daily. If the Weekly or Daily option is selected, then select the day of the week the log is sent in the every menu and the time of day in 24-hour format in the At field.
• Email Format - Specifies whether log emails will be sent in Plain Text or HTML format.
Mail Server Settings
The mail server settings allow you to specify the name or IP address of your mail server, the from e-mail address, and authentication method.
• Mail Server (name or IP address) - Enter the IP address or FQDN of the e-mail server used to send your log e-mails in this field.
• From E-mail Address - Enter the E-mail address you want to display in the From field of the message.
• Authentication Method - You can use the default None item or select POP Before SMTP.
Note If the Mail Server (name or IP address) is left blank, log and alert messages are not e-mailed.
Deep Packet Forensics
SonicWALL UTM appliances have configurable deep-packet classification capabilities that intersect with forensic and content-management products. While the SonicWALL can reliably detect and prevent any ‘interesting-content’ events, it can only provide a record of the occurrence, but not the actual data of the event.
Of equal importance are diagnostic applications where the interesting-content is traffic that is being unpredictably handled or inexplicably dropped.
Although the SonicWALL can capture interesting-content using our Enhanced packet capture diagnostic tool, data-recorders are application-specific appliances designed to record all the packets on a network. They are highly optimized for this task, and can record network traffic without dropping a single packet.
While data-recorders are good at recording data, they lack the sort of deep-packet inspection intelligence afforded by IPS/GAV/ASPY/AF. Consider the minimal requirements of effective data analysis:
• Reliable storage of data
• Effective indexing of data
• Classification of interesting-content
Together, a UTM device (a SonicWALL appliance) and data-recorder (a Solera Networks appliance) satisfy the requirements to offer outstanding forensic and data-leakage capabilities.
Distributed Event Detection and Replay
The Solera appliance can search its data-repository, while also allowing the administrator to define “interesting-content” events on the SonicWALL. The level of logging detail and frequency of the logging can be configured by the administrator. Nearly all events include Source IP, Source Port, Destination IP, Destination Port, and Time. SonicOS Enhanced has an extensive set of log events, including:
• Debug/Informational Events—Connection setup/tear down
• User-events—Administrative access, single sign-on activity, user logins, content filtering details
• Firewall Rule/Policy Events—Access to and from particular IP:Port combinations, also identifiable by time
• Interesting-content at the Network or Application Layer—Port-scans, SYN floods, DPI or AF signature/policy hits
The following is an example of the process of distributed event detection and replay:
1. The administrator defines the event trigger. For example, an Application Firewall policy is defined to detect and log the transmission of an official document:
2. A user (at IP address 192.168.19.1) on the network retrieves the file.
3. The event is logged by the SonicWALL.
4. The administrator selects the Recorder icon from the left column of the log entry. The icon/link only appears in the logs when an NPCS is defined on the SonicWALL (e.g. IP: [192.168.169.100], Port: [443]). The defined NPCS appliance will be the link’s target. The link will include the query string parameters defining the desired connection.
5. The NPCS will (optionally) authenticate the user session.
6. The requested data will be presented to the client as a .cap file, and can be saved or viewed on the local machine.
Methods of Access
The client and NPCS must be able to reach one another. Usually, this means the client and the NPCS will be in the same physical location, both connected to the SonicWALL appliance. In any case, the client will be able to directly reach the NPCS, or will be able to reach the NPCS through the SonicWALL. Administrators in a remote location will require some method of VPN connectivity to the internal network. Access from a centralized GMS console will have similar requirements.
Log Persistence
SonicOS currently allocates 32K to a rolling log buffer. When the log becomes full, it can be emailed to a defined recipient and flushed, or it can simply be flushed. Emailing provides a simple version of logging persistence, while GMS provides a more reliable and scalable method.
By offering the administrator the option to deliver logs as either plain-text or HTML, the administrator has an easy method to review and replay events logged.
GMS
To provide the ability to identify and view events across an entire enterprise, a GMS update will be required. Device-specific interesting-content events at the GMS console appear in the Reports > Log Viewer Search page, but are also found throughout the various reports, such as Top Intrusions Over Time.
Solera Capture Stack
Solera Networks makes a series of appliances of varying capacities and speeds designed to capture, archive, and regenerate network traffic. The Solera Networks Network Packet Capture System (NPCS) provides utilities that allow the captured data to be accessed in time sequenced playback, that is, analysis of captured data can be performed on a live network via NPCS while the device is actively capturing and archiving data.
To configure your SonicWALL appliance with Solera, select the Enable Solera Capture Stack Integration option.
Configure the following options:
• Server - Select the host for the Solera server. You can dynamically create the host by selecting Create New Host...
• Protocol - Select either HTTP or HTTPS.
• Port - Specify the port number for connecting to the Solera server.
• Interface(s) - Specify the interfaces for which you want to transmit data to the Solera server.
• User (optional) - Enter the username, if required.
• Password (optional) - Enter the password, if required.
• Confirm Password - Confirm the password.
– Mask Password - Leave this enabled to send the password as encrypted text.
Log > Name Resolution
The Log > Name Resolution page includes settings for configuring the name servers used to resolve IP addresses and server names in the log reports.
The security appliance uses a DNS server or NetBIOS to resolve all IP addresses in log reports into server names. It stores the name/address pairs in a cache, to assist with future lookups. You can clear the cache by clicking Reset Name Cache at the top of the Log > Name Resolution page.
Selecting Name Resolution Settings
The security appliance can use DNS, NetBIOS, or both to resolve IP addresses and server names.
In the Name Resolution Method list, select:
• None: The security appliance will not attempt to resolve IP addresses and Names in the log reports.
• DNS: The security appliance will use the DNS server you specify to resolve addresses and names.
• NetBIOS: The security appliance will use NetBIOS to resolve addresses and names. If you select NetBIOS, no further configuration is necessary.
• DNS then NetBIOS: The security appliance will first use the DNS server you specify to resolve addresses and names. If it cannot resolve the name, it will try again with NetBIOS.
Specifying the DNS Server
To choose specific DNS servers or use the same servers as the WAN zone, perform the following steps:
Step 1 Select Specify DNS Servers Manually or Inherit DNS Settings Dynamically from WAN Zone. The second choice is selected by default.
Step 2 If you selected to specify a DNS server, enter the IP address for at least one DNS server on your network. You can enter up to three servers.
Step 3 Click Accept in the top right corner of the Log > Name Resolution page to make your changes take effect.
Log > Reports
The SonicWALL security appliance can perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth. You can generate these reports from the Log > Reports page.
Note SonicWALL ViewPoint provides a comprehensive Web-based reporting solution for SonicWALL security appliances. For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com
Data Collection
The Reports window includes the following functions and commands:
• Start Data Collection
Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label changes to Stop Data Collection.
• Reset Data
Click Reset Data to clear the report statistics and begin a new sample period. The sample period is also reset when data collection is stopped or started, and when the SonicWALL security appliance is restarted.
View Data
Select the desired report from the Report to view menu. The options are Web Site Hits, Bandwidth Usage by IP Address, and Bandwidth Usage by Service. These reports are explained below. Click Refresh Data to update the report. The length of time analyzed by the report is displayed in the Current Sample Period.
Web Site Hits
Selecting Web Site Hits from the Report to view menu displays a table showing the URLs for the 25 most frequently accessed Web sites and the number of hits to a site during the current sample period.
The Web Site Hits report ensures that the majority of Web access is to appropriate Web sites. If leisure, sports, or other inappropriate sites appear in the Web Site Hits Report, you can choose to block the sites. For information on blocking inappropriate Web sites, see .
Click on the name of a Web site to open that site in a new window.
Bandwidth Usage by IP Address
Selecting Bandwidth Usage by IP Address from the Report to view menu displays a table showing the IP address of the 25 top users of Internet bandwidth and the number of megabytes transmitted during the current sample period.
Bandwidth Usage by Service
Selecting Bandwidth Usage by Service from the Report to view menu displays a table showing the name of the 25 top Internet services, such as HTTP, FTP, RealAudio, etc., and the number of megabytes received from the service during the current sample period.
The Bandwidth Usage by Service report shows whether the services being used are appropriate for your organization. If services such as video or push broadcasts are consuming a large portion of the available bandwidth, you can choose to block these services.
Log > ViewPoint
SonicWALL ViewPoint is a Web-based graphical reporting tool that provides unprecedented security awareness and control over your network environment through detailed and comprehensive reports of your security and network activities. ViewPoint’s broad reporting capabilities allow administrators to easily monitor network access and Internet usage, enhance security, assess risks, understand more about employee Internet use and productivity, and anticipate future bandwidth needs.
ViewPoint creates dynamic, real-time and historical network summaries, providing a flexible, comprehensive view of network events and activities. Reports are based on syslog data streams received from each SonicWALL appliance through LAN, Wireless LAN, WAN or VPN connections. With ViewPoint, your organization can generate individual or aggregate reports about virtually any aspect of appliance activity, including individual user or group usage patterns, events on specific appliances or groups of appliances, types and times of attacks, resource consumption and constraints, and more.
For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com.
For complete SonicWALL ViewPoint documentation, go to the SonicWALL documentation Web site at http://www.sonicwall.com/us/support/3340.html.
Activating ViewPoint
The Log > ViewPoint page allows you to activate the ViewPoint license directly from the SonicWALL Management Interface using two methods.
If you received a license activation key, enter the activation key in the Enter upgrade key field, and click Accept.
Warning You must have a mysonicwall.com account and your SonicWALL security appliance must be registered to activate SonicWALL ViewPoint for your SonicWALL security appliance.
Step 1 Click the Upgrade link in Click here to Upgrade on the Log > ViewPoint page. The mysonicwall.com Login page is displayed.
Step 2 Enter your mysonicwall.com account username and password in the User Name and Password fields, then click Submit. The System > Licenses page is displayed. If your SonicWALL security appliance is already connected to your mysonicwall.com account, the System > Licenses page appears after you click the SonicWALL Content Filtering Subscription link.
Step 3 Click Activate or Renew in the Manage Service column in the Manage Services Online table. Type in the Activation Key in the New License Key field and click Submit.
Step 4 If you activated SonicWALL ViewPoint at mysonicwall.com, the SonicWALL ViewPoint activation is automatically enabled on your SonicWALL within 24 hours, or you can click the Synchronize button on the Security Services > Summary page to update your SonicWALL.
Enabling ViewPoint Settings
Once you have installed the SonicWALL ViewPoint software, you can point the SonicWALL security appliance to the server running ViewPoint. To do so, perform the following steps:
Step 1 Check the Enable ViewPoint Settings checkbox in the Syslog Servers section of the Log > ViewPoint page.
Step 2 Click the Add button. The Add Syslog Server window is displayed.
Step 3 Enter the IP address or FQDN of the SonicWALL ViewPoint server in the Name or IP Address field.
Step 4 Enter the port number for the SonicWALL ViewPoint server traffic in the Port field or use the default port number.
Step 5 Click Accept.
Note The Override Syslog Settings with ViewPoint Settings control on the Log > Syslog page is automatically checked when you enable ViewPoint from the Log > ViewPoint page. The IP address or FQDN you entered in the Add Syslog Server window is also displayed on the Log > Syslog page as well as in the Syslog Servers table on the Log > ViewPoint page.
Clicking the Edit icon displays the Add Syslog Server window for editing the ViewPoint server information. Clicking the Delete icon deletes the ViewPoint syslog server entry.
Index of Log Event Messages
This section contains a list of log event messages for all SonicWALL Firmware and SonicOS Software Releases, ordered alphabetically. Use your web browser’s Find function to search for a log event message.
Log Event Message Symbols Key
TCP IP Layered-Data Packet Processing and SonicOS Log Event Handling
In specific cases of multi-layer packet processing, a TCP connection initially logged as "open" is later rejected by a deeper layer of packet processing. In these cases the connection request has not been forwarded by the SonicWALL security appliance, and the initial Connection Open SonicOS log event message should be ignored in favor of the TCP Connection Dropped log event message.
Each log event message described in the following table provides the following log event details:
• SonicOS Category—Displays the SonicOS Software category event type.
• Legacy Category—Displays the SonicWALL Firmware Software category event type.
• Priority Level—Displays the level of urgency of the log event message.
• Log Message ID Number—Displays the ID number of the log event message.
• SNMP Trap Type—Displays the SNMP Trap ID number of the log event message.
The following symbols appear in log event messages:
• %s: Represents a character string. Example log event message: "%s Ethernet Port Down"; in context: "[WAN | LAN | DMZ] Ethernet Port Down".
• %u: Represents a numerical string. Example log event message: "The cache is full; %u open connections; some will be dropped"; in context: "The cache is full; [40,000] open connections; some will be dropped".
Log Event Message Index
Log Event Message | New Category | Legacy Category | Priority | ID | SNMP Trap Type
Your Active/Active Clustering subscription has expired. | High Availability | --- | Warning | 1149 | ---
Terminal Services agent is down | SSO | User Activity | Alert | 1150 | ---
Terminal Services agent is up | SSO | User Activity | Alert | 1151 | ---
Active/Active Clustering license is not activated on the following cluster units: %s | High Availability | --- | Error | 1152 | ---
SSLVPN Traffic | SSL VPN | Connection Traffic | Information | 1153 | ---
Application Control Detection Alert: %s | App-Control Detection | --- | Alert | 1154 | 15001
Application Control Prevention Alert: %s | App-Control Detection | --- | Alert | 1155 | 15002
GMS or syslog server name lookup failed - try again in 60 secs. | Firewall Event | --- | Error | 1156 | ---
User account '%s' expired and disabled | Authenticate Access | User Activity | Information | 1157 | ---
User account '%s' expired and pruned | Authenticate Access | User Activity | Information | 1158 | ---
Received Alert: Your Firewall Visualization Control subscription has expired. | Security Services | --- | Warning | 1159 | ---
Attempt to contact Remote backup server for upload approval failed | Firewall Event | Maintenance | Debug | 1160 | ---
Backup remote server did not approve upload request | Firewall Event | Maintenance | Debug | 1161 | ---
Modules attached to HA units do not match: %s | High Availability | System Error | Alert | 1162 | 664
Malformed DNS packet detected | Network Access | Debug | Alert | 1177 | ---
A high percentage of the system packet buffers are held waiting for SSO | SSO | User Activity | Alert | 1178 | ---
A user has a very high number of connections waiting for SSO | SSO | User Activity | Alert | 1179 | ---
DOS protection on WAN begins %s | Intrusion Detection | Debug | Alert | 1180 | ---
DOS protection on WAN %s | Intrusion Detection | Debug | Warning | 1181 | ---
DOS protection on WAN %s | Intrusion Detection | Debug | Alert | 1182 | ---
Deleting IPsec SA (Phase 2) | VPN IKE | User Activity | Debug | 1183 | ---
Delete invalid scope because port ip in the range of this DHCP scope. | DHCP Server | --- | Warning | 1184 | ---
IKE Responder: Peer's network does not match VPN policy's Network | VPN IKE | User Activity | Warning | 1189 | ---
Added new LDAP mirror user group: %s | RADIUS | User Activity | Information | 1190 | ---
Deleted LDAP mirror user group: %s | RADIUS | User Activity | Information | 1191 | ---
Added a new member to an LDAP mirror user group | RADIUS | User Activity | Information | 1192 | ---
Removed a member from an LDAP mirror user group | RADIUS | User Activity | Information | 1193 | ---
Monitoring probe out interface mismatch %s | High Availability | --- | Error | 1194 | ---
Index of Syslog Tag Field Description
This section provides an alphabetical listing of Syslog tags and the associated field description.
Tag | Field | Description
<ddd> | Syslog message prefix | The beginning of each syslog message has a string of the form <ddd>, where ddd is a decimal number indicating the facility and priority of the message. (See [1] Section 4.1.1)
arg | URL | Used to render a URL: arg represents the URL path name part.
bcastRx | Interface statistics report | Displays the broadcast packets received
bcastTx | Interface statistics report | Displays the broadcast packets transmitted
bytesRx | Interface statistics report | Displays the bytes received
bytesTx | Interface statistics report | Displays the bytes transmitted
c | Message category (legacy only) | Indicates the legacy category number (Note: We are not currently sending new category information.)
change | Configuration change webpage | Displays the basename of the firewall web page that performed the last configuration change
code | Blocking code | Indicates the CFS block code category
code | ICMP type and code | Indicates the ICMP code
conns | Firewall status report | Indicates the number of connections in use
cpuUtil | Firewall status report | Displays the CPU utilization (not in use)
dst | Destination | Destination IP address, and optionally, port, network interface, and resolved name.
dstname | Destination URL | Displays the URL of the web site hit and other legacy destination strings
dstname | URL | Used to render a URL: dstname represents the URL host part
dyn | Firewall status report | Displays the HA and dialup connection state (rendered as “h.d”, where “h” is “n” (not enabled), “b” (backup), or “p” (primary), and “d” is “1” (enabled) or “0” (disabled))
fw | Firewall WAN IP | Indicates the WAN IP address
fwlan | Firewall status report | Indicates the LAN zone IP address
goodRxBytes | SonicPoint statistics report | Indicates the well-formed bytes received
goodTxBytes | SonicPoint statistics report | Indicates the well-formed bytes transmitted
i | Firewall status report | Displays the GMS message interval in seconds
id=firewall | Webtrends prefix | Syntactic sugar for WebTrends (and GMS by habit)
if | Interface statistics report | Displays the interface on which statistics are reported
ipscat | IPS message | Displays the IPS category
ipspri | IPS message | Displays the IPS priority
lic | Firewall status report | Indicates the number of licenses for firewalls with limited modes
m | Message ID | Provides the message ID number
mac | MAC address | Provides the MAC address
msg | Static message | Displays the event message (from spreadsheet)
msg | Dynamically-defined message | Displays a dynamically defined message string
msg | Static message with dynamic string | Displays a message using the predefined message string containing a “%s” and a dynamic string argument.
msg | Static message with dynamic number | Displays a message using the predefined string containing a “%s” and a dynamic numeric argument.
msg | IPS message | Displays a message using the predefined message string containing a “%s” and a dynamic string argument.
msg | Anti-Spyware message | Displays the event message (from spreadsheet)
n | Message count | Indicates the number of times the event occurs
op | HTTP OP code | Displays the HTTP operation (GET, POST, etc.) of the web site hit
pri | Message priority | Displays the event priority level (0=emergency..7=debug)
proto | IP protocol | Indicates the IP protocol and detail information
proto | Protocol and service | Displays the protocol information (rendered as “proto/service”)
pt | Firewall status report | Displays the HTTP/HTTPS management port (rendered as “hhh.sss”)
radio | SonicPoint statistics report | Displays the SonicPoint radio on which the event occurred
ramUtil | Firewall status report | Displays the RAM utilization (not in use)
rcvd | Bytes received | Indicates the number of bytes received within the connection
result | HTTP Result code | Displays the HTTP result code (200, 403, etc.) of the web site hit
rule | Rule ID | Displays the Access Rule number causing the packet drop
sent | Bytes sent | Displays the number of bytes sent within the connection
sid | IPS message | Provides the IPS signature ID
sid | Anti-Spyware message | Provides the Anti-Spyware signature ID
sn | Firewall serial number | Indicates the device serial number
spycat | Anti-Spyware message | Displays the Anti-Spyware category
spypri | Anti-Spyware message | Displays the Anti-Spyware priority
src | Source | Indicates the source IP address, and optionally, port, network interface, and resolved name.
station | SonicPoint statistics report | Displays the client (station) on which the event occurred
time | Time | Reports the time of the event
type | ICMP type and code | Indicates the ICMP type
ucastRx | Interface statistics report | Displays the unicast packets received
ucastTx | Interface statistics report | Displays the unicast packets transmitted
unsynched | Firewall status report | Reports the time since the last local change in seconds
usesstandbysa | Firewall status report | Displays whether the standby SA is in use (“1” or “0”) for GMS management
usr (or user) | User | Displays the user name (“user” is the tag used by WebTrends)
vpnpolicy | VPN policy name | Displays the VPN policy name of the event
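As an added example (not code from this guide or from SonicWALL), a Python parser for the tag format described above: it decodes the <ddd> prefix (assumed to follow RFC 3164 section 4.1.1, facility = ddd / 8 and severity = ddd mod 8), reads quoted and bare key=value tags so that a msg or usr value containing spaces is not split into bogus tags, and splits src/dst into address, port and interface. The sample line, its serial number, the <134> prefix and the colon-separated src/dst rendering are constructed assumptions.

```python
import re

# Constructed sample line, not captured from an appliance. Message ID 1157 and its
# text are from the index above; the serial number, the <134> prefix and the
# colon-separated "ip:port:interface" rendering of src/dst are assumptions.
SAMPLE = ('<134>id=firewall sn=0017C5000000 time="2012-01-01 12:00:00" fw=203.0.113.1 '
          'pri=6 m=1157 msg="User account \'alice smith\' expired and disabled" '
          'usr="alice smith" src=192.0.2.10:50432:X0 dst=203.0.113.1:443:X1 proto=tcp/https n=1')

# pri tag scale from the table: 0=emergency .. 7=debug (same scale as the RFC 3164 severity)
SEVERITY = ("emergency", "alert", "critical", "error", "warning",
            "notice", "information", "debug")

PRI_RE = re.compile(r'^<(\d{1,3})>')
# One key=value tag; the value is either "quoted" (may contain spaces and '=') or a
# bare token. Honouring the quotes matters because msg and usr carry dynamic %s strings.
TAG_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def split_endpoint(value):
    """Split a src/dst value into ip, port, interface and resolved name (None if absent)."""
    ip, port, iface, name = (value.split(":", 3) + [None] * 4)[:4]
    return {"ip": ip, "port": int(port) if port and port.isdigit() else None,
            "iface": iface or None, "name": name or None}


def parse_sonicos_syslog(line):
    """Decode the <ddd> prefix and the key=value tags of one SonicOS syslog message."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <ddd> prefix")
    ddd = int(m.group(1))
    if ddd > 191:  # facility 0..23 and severity 0..7 give at most 23*8+7
        raise ValueError("PRI value out of range: %d" % ddd)
    tags = {}
    for key, quoted, bare in TAG_RE.findall(line[m.end():]):
        tags[key] = quoted if quoted else bare  # a repeated key keeps its last value
    pri = tags.get("pri", "")
    result = {
        "facility": ddd // 8,
        "severity": ddd % 8,
        "severity_name": SEVERITY[ddd % 8],
        "message_id": int(tags["m"]) if tags.get("m", "").isdigit() else None,
        "pri_name": SEVERITY[int(pri)] if pri.isdigit() and int(pri) < 8 else None,
        "tags": tags,
    }
    for endpoint in ("src", "dst"):  # only present on connection-related events
        if endpoint in tags:
            result[endpoint] = split_endpoint(tags[endpoint])
    return result
```

The message_id value is what a collector would join against the ID column of the Log Event Message Index to recover the category and priority of the event.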