SonicOS Log Event Reference Guide - SonicWall


COMPREHENSIVE INTERNET SECURITY
SonicWALL Internet Security Appliances
SonicOS Log Event Reference Guide

Using the SonicOS Log Event Reference Guide

This reference guide lists and describes SonicOS log event messages. Reference a log event message by using the alphabetical index of log event messages.

This document contains the following sections:
- “SonicOS Log Event Messages Overview” on page 1
- “Configuring SonicOS ‘Log’ ‘View’” on page 4
- “Referencing the SonicOS ‘Log’ ‘View’ Field Display” on page 7
- “Index of Log Event Messages” on page 9
- “Index of Syslog Tag Field Description” on page 63

SonicOS Log Event Messages Overview

During the operation of a SonicWALL security appliance, SonicOS software sends log event messages to the ‘Log’ ‘View’ page in the SonicWALL management interface. In Figure 1, the ‘Log’ ‘View’ page is displayed.

Figure 1. SonicOS Enhanced ‘Log’ ‘View’ page

Event logging automatically begins when the SonicWALL security appliance is powered on and configured. SonicOS supports a traffic log containing entries with multiple fields. Log event messages provide operational and debugging information to help you diagnose problems with communication lines, internal hardware, or your firmware configuration.

Note: For the SonicOS CLI console display, use the show log command to display log events. Refer to the SonicOS CLI Reference Guide located on the SonicWALL Web site.

Note: Not all log event messages indicate operational issues with your SonicWALL security appliance.

SonicOS Log Entries

Each log entry contains the date and time of the event and a brief message describing the event. The SonicWALL manages log events in the following manner:

- TCP, UDP, or ICMP packets dropped: When IP packets are dropped by the SonicWALL security appliance, dropped TCP, UDP and ICMP messages are displayed. The messages include the source and destination IP addresses of the packet. The TCP or UDP port number or the ICMP code follows the IP address. Log event messages usually include the name of the service in quotation marks.
- Web, FTP, Gopher, or Newsgroup blocked: When a computer attempts to connect to the blocked site or newsgroup, a log event is displayed. Blocked is defined as a Web site, connection, or event that is denied access from the SonicWALL security appliance. The computer’s IP address, Ethernet address, the name of the blocked Web site, and the Content Filter List Code are displayed. Code definitions for the 12 Content Filter List categories are shown below.
  1. Violence
  2. Intimate Apparel/Swimsuit
  3. Nudism
  4. Adult/Mature Content/Pornography
  5. Weapons
  6. Hate/Racism
  7. Cult
  8. Drugs/Illegal Drugs
  9. Criminal Skills/Illegal Skills
  10. Sex Education
  11. Gambling
  12. Alcohol & Tobacco
- ActiveX, Java, Cookie or Code Archive blocked: When ActiveX, Java or Web cookies are blocked, messages with the source and destination IP addresses of the connection attempt are displayed.
- Ping of Death, IP Spoof, and SYN Flood Attacks: The IP address of the machine under attack and the source of the attack are displayed. In most attacks, the source address shown is fake and does not reflect the real source of the attack.

SonicOS ‘Log View Settings’

The ‘Log View Settings’ section of the ‘Log’ ‘View’ page provides you the filtering controls to filter log event messages based on your configured log filter logic. It also contains the following log management buttons:
- Refresh—Renews the ‘Log View’ table with current log event messages.
- Clear Log—Empties the entries in the ‘Log View’ table.
- E-mail Log—E-mails log event messages to your configured SMTP server or list of e-mail addresses.
- Export Log—Exports the log into a plain .txt or .csv file format.

SonicOS ‘Log View’ Display Format

The ‘Log’ ‘View’ page displays log event messages in the following format for alert notification:
- Time—Displays the hour and minute the event occurred.
- Priority—Displays the urgency level for the event.
- Category—Displays the event type.
- Message—Displays a description of the event.
- Source—Displays the source IP address of the incoming IP packet.
- Destination—Displays the destination IP address of the incoming IP packet.
- Note—Displays additional information specific to a particular event occurrence.
- Rule—Displays the source and destination zones for the access rule. This field provides a link to the access rule defined in the ‘Firewall’ ‘Access Rules’ page.

The display fields for a log event message provide you with data to verify your configurations, troubleshoot your security appliance, and track IP traffic.

Configuring SonicOS ‘Log’ ‘View’

The ‘Log’ ‘View’ page in the Web-based SonicWALL management interface allows you to export log reports, e-mail log reports, and monitor real-time Syslog data. As soon as you power on your SonicWALL security appliance, SonicOS software sends Syslog data to your log. In the SonicWALL management interface, you can navigate through the subcategories of the ‘Log’ setting for reporting and customizing log reports. In Figure 2, the ‘Log’ ‘View’ page is displayed.

Figure 2. SonicOS Enhanced ‘Log’ ‘View’ page

Setting the Log Filter Logic

By default, the SonicOS filter logic is set to “Priority && Category && Source && Destination.” The double ampersand symbols (&&) indicate the boolean expression “and.” The default SonicOS filter logic displays all log events. In Figure 3, the ‘Log’ ‘View’ ‘Log View Settings’ page is displayed.

Figure 3. SonicOS ‘Log View Settings’ (callouts: Log Event Message Filters, Default filter logic value, Apply filters, Group filters, Default filter logic, Export logs, Reset filters)

Applying Custom Log Event Message Filters

This section provides examples on using the ‘Log View Settings’ to filter log event messages displayed in the ‘Log View’ page.

Configuration Example: Filtering Log Event Messages by Priority Value

To set the log filter logic to display only log event messages with a priority level of Emergency:
1. Select Emergency from the filter-Priority Value pull-down menu.
2. Click on the Apply Filters button.

Configuration Example: Filtering Log Event Messages by Category Value

To set the log filter logic to display only log event messages with a category event type of Attacks:
1. Select Attacks from the filter-Category Value pull-down menu.
2. Click on the Apply Filters button.

Configuration Example: Filtering Log Event Messages by Source Value

To set the log filter logic to display only log event messages associated with a source IP address:
1. Enter the source IP address or select an interface from the filter-Source Value pull-down menu.
2. Click on the Apply Filters button.

Configuration Example: Filtering Log Event Messages by Destination Value

To set the log filter logic to display only log event messages associated with a destination IP address:
1. Enter the destination IP address or select an interface from the filter-Source Value pull-down menu.
2. Click on the Apply Filters button.

Using Group Filters

Use Group filters to change the default SonicOS filter logic (Priority && Category && Source && Destination) from double ampersand symbols (&&) to double pipe symbols (||) to indicate the boolean expression “or.” When using group filters, select two or more Group Filters checkboxes.

Note: If you select only one Group Filter checkbox, the filter logic will remain the same. Selecting only the Priority-Group Filter checkbox provides you with the following filter logic:
(Priority) && Category && Source && Destination

Configuration Example: Using the ‘Priority’ Group Filter and ‘Category’ Group Filter

To set the log filter logic to display log event messages with a priority level of Emergency or a category event type of Attack:
1. Select the ‘Priority’ group filter checkbox.
2. Select the ‘Category’ group filter checkbox.
3. Select Emergency from the filter-Priority Value pull-down menu.
4. Select Attacks from the filter-Category Value pull-down menu.

Figure 4 illustrates the SonicOS filter logic updated as follows:
(Priority || Category) && Source && Destination

Figure 4. SonicOS Log Group Filters

A filter logic using the boolean expression “||” is less restrictive than the default filter logic using the boolean expression “&&”. With the boolean expression “||”, log event messages are displayed if they match either filter value. With the boolean expression “&&”, log event messages are displayed if they match both filter values.
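Worked example (added here, not code from the SonicWALL guide): a small Python model of the Log View filter logic described above, run over constructed rows laid out in the Log View field order. The sample rows, the field names and the rule that an unset filter inside a group simply drops out of the OR term are assumptions.

```python
import csv
import io

# Constructed rows in the Log View / CSV-export field order this guide describes:
# Time, Priority, Category, Message, Source, Destination, Note, Rule (sample data).
SAMPLE_CSV = """\
12:01,Emergency,Attacks,SYN Flood attack dropped,203.0.113.7,192.0.2.10,,WAN->LAN
12:02,Notice,Network Access,Web site access denied,192.0.2.25,198.51.100.4,,LAN->WAN
12:03,Information,Attacks,Ping of Death attack dropped,203.0.113.9,192.0.2.10,,WAN->LAN
12:04,Information,Maintenance,Log e-mailed,,,,
"""
FIELDS = ("time", "priority", "category", "message", "source", "destination", "note", "rule")
FILTER_FIELDS = ("priority", "category", "source", "destination")


def parse_csv_export(text):
    """Parse an exported log into dicts keyed by the Log View field names."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(io.StringIO(text)) if row]


def filter_logic(group=()):
    """Render the expression Log View Settings shows, e.g.
    '(Priority || Category) && Source && Destination'. Fewer than two
    grouped fields leaves the default '&&' logic, as the guide notes."""
    names = [f.capitalize() for f in FILTER_FIELDS]
    if len(group) < 2:
        return " && ".join(names)
    grouped = [n for n in names if n.lower() in group]
    rest = [n for n in names if n.lower() not in group]
    return " && ".join(["(" + " || ".join(grouped) + ")"] + rest)


def apply_filters(entries, values, group=()):
    """values maps a filter field to the wanted value; a field that is absent or
    None matches anything, which is why the default logic shows all events.
    Fields whose Group Filter checkbox is ticked are OR'd together and that term
    is AND'd with every other set filter. Assumption: an unset field inside the
    group simply takes no part in the OR term."""
    group = set(group) if len(group) >= 2 else set()
    grouped = [f for f in FILTER_FIELDS if f in group and values.get(f) is not None]
    rest = [f for f in FILTER_FIELDS if f not in group and values.get(f) is not None]

    def keep(entry):
        or_term = any(entry[f] == values[f] for f in grouped) if grouped else True
        return or_term and all(entry[f] == values[f] for f in rest)

    return [e for e in entries if keep(e)]


if __name__ == "__main__":
    log = parse_csv_export(SAMPLE_CSV)
    wanted = {"priority": "Emergency", "category": "Attacks"}
    for grp in ((), ("priority",), ("priority", "category")):
        print(filter_logic(grp), "->", [e["message"] for e in apply_filters(log, wanted, grp)])
```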

Exporting the Logs to a File

This section provides instructions to export your log to a file.

To export the log to a file:
1. Click on the Export Log button. You will be prompted to select an export file format type as illustrated in Figure 5.

Figure 5. SonicOS Export Log

2. Select a file format:
   - Plain text format used in log and alert e-mail—Saves the log file as plain text, which can be used for alert e-mails.
   - Comma-Separated Value (CSV) format—Saves the log file for importing into Microsoft Excel or other presentation development application.
3. Click on the Export button.
4. Save the exported log file to a location on your personal computer’s hard drive.

Note: You can export a log to a file with applied filter settings.

Referencing the SonicOS ‘Log’ ‘View’ Field Display

SonicOS 2.5 Enhanced and Standard releases and greater provide the SonicOS ‘Log’ ‘View’ field display as illustrated in Figure 6.

Figure 6. SonicOS ‘Log’ ‘View’ Field Display (callouts: Time and Date Stamp, Priority, Source IP Address, Category, Message Description, Log Event Notes, Destination IP, Network Rule)

Referencing the SonicWALL Firmware ‘Log’ ‘View Log’ Field Display

SonicWALL Firmware 6.6.0.0 release and greater provide the SonicWALL Firmware ‘Log’ ‘View Log’ field display as illustrated in Figure 7.

Figure 7. SonicWALL Firmware ‘Log’ ‘View Log’ Field Display (callouts: Source IP Address, Time and Date Stamp, Event Message, Additional Information, Destination IP Address, Rule Number (If Applicable))

Index of Log Event Messages

This section contains a list of log event messages for all SonicWALL Firmware and SonicOS Software Releases, ordered alphabetically. Use your web browser’s Find function to search for a command.

Log Event Message Symbols Key

Log Event Message | Symbol Description | Context
%s Ethernet Port Down | Represents a character string. | [WAN LAN DMZ] Ethernet Port Down
The cache is full; %u open connections; some will be dropped | Represents a numerical string. | The cache is full; [40,000] open connections; some will be dropped

TCP IP Layered-Data Packet Processing and SonicOS Log Event Handling

In specific cases of multi-layer packet processing, a TCP connection initially logged as "open" will be rejected by a deeper layer of packet processing. In these cases, the connection request has not been forwarded by the SonicWALL security appliance, and the initial Connection Opened SonicOS log event message should be ignored in favor of the TCP Connection Dropped log event message.

Each log event message described in the following table provides the following log event details:
- SonicOS Category—Displays the SonicOS Software category event type.
- Legacy Category—Displays the SonicWALL Firmware Software category event type.
- Priority Level—Displays the level of urgency of the log event message.
- Log Message ID Number—Displays the ID number of the log event message.
- SNMP Trap Type—Displays the SNMP Trap ID number of the log event message.

Log Event Message | SonicOS Category | Legacy Category | Priority Level | Log Message ID Number | SNMP Trap Type | Log Event Type
#Web site [...] | | | | | | Standard; HTTP Traffic Report
%s [...] | VPN IKE | User [...] | | | --- | Standard; Message String
%s Ethernet Port Down | Firewall Event | System Error | Error | 333 | 641 | Standard; String Service
%s Ethernet Port Up | Firewall Event | System [...] | | | |
[...] processing error | | | | | |
VPN [...] | | | | | |
[...] Registration Update Needed: Restore your existing security service subscriptions by clicking [...] | | | | 518 | --- | Simple; Destination
A prior version of preferences was loaded because the most recent preferences file was inaccessible | Firewall Event | System Error | Warning | 572 | 648 | Simple
A SonicOS Standard to Enhanced Upgrade was performed | Firewall Event | Maintenance | Information | 611 | --- | Simple
Access attempt from host out of compliance with GSC | [...] | | | | | Standard
Access attempt from host without Anti-Virus on | [...] | | | 123 | --- | Standard
Access attempt from host without GSC | [...] | | | 524 | | Standard
Access rule added | Firewall Rule | User Activity | Information | 440 | --- | Simple; Rule
Access rule deleted | Firewall Rule | User Activity | Information | 442 | --- | Simple; Rule String
Access rule modified | Firewall Rule | User Activity | Information | 441 | --- | Simple; Rule
Access to proxy server denied | Network Access | Blocked Sites | Notice | 60 | 705 | Standard; Note Blocked
ActiveX access denied | Network Access | Blocked Code | Notice | 18 | --- | Standard; Note Blocked
ActiveX or Java archive access denied | Network Access | Blocked Code | Notice | 20 | --- | Standard; Note Blocked
AD agent %s is not responding | MS AD | --- | Error | 769 | --- | Standard; Message String
Add an attack message | Firewall Event | Attack | Error | 143 | 525 | Simple; String
Adding Dynamic Entry for Bound MAC Address | Network | --- | Information | 813 | --- | Standard; Note ENET
Adding L2TP IP pool Address object Failed | L2TP Server | System Error | Error | 603 | 661 | Simple
Adding to multicast policyList, interface: [...] | | | | | |
Adding to Multicast policyList, VPN SPI: [...] | | | | | |
Administrator logged out | Authentication | User [...] | | | |
Administrator logged out - inactivity timer expired | Authentication | User Activity | Information | 262 | --- | Standard
Administrator login allowed | Authentication | User Activity | Information | 29 | --- | Standard
Administrator login denied due to [...] | | | | | |
Administrator login denied from %s; logins disabled from this [...] | | | | | | [...] Message String
Administrator [...] | | | | | --- | Standard
All DDNS associations have been deleted | DDNS | Maintenance | Information | 783 | --- | Simple
All preference values have been set to factory default values | Firewall Event | System Error | Warning | 574 | 650 | Simple
Allowed LDAP server certificate with wrong host name | RADIUS | User Activity | Warning | 752 | --- | Standard; Note String
Anti-Spyware Detection Alert: Spy[...] | | | | | | [...] Message String
Anti-Spyware Prevention [...] Anti-Spy[...] | | | | | | [...] Message String
Anti-Spyware Service [...] | | | | | | Simple
Anti-Virus agent out-of-date on [...] | | | | | | Standard
Anti-Virus Licenses [...] | | | | | --- | Standard
Arp request [...] | | | | | | [...] Note ENET
Arp request packet sent | Network | --- | Information | 715 | --- | Standard; Note ENET
Arp response packet received | Network | --- | Information | 716 | --- | Standard; Note ENET
Arp response packet sent | Network | --- | Information | 718 | --- | Standard; Note ENET
ARP timeout | Network | Debug | Debug | 45 | --- | Standard
Association Flood from wlan station | WLAN IDS | WLAN IDS | Alert | 548 | 903 | Simple; Destination
Authentication timeout during Remotely Triggered Dial-out session | Authentication | User Activity | Information | 821 | |
Back Orifice attack dropped | Intrusion Detection | Attack | Alert | 73 | |
Backup active | High Availability | System Error | Information | | |
Backup firewall being preempted by Primary | High Availability | System Error | | | |
Backup firewall has transitioned to Active | High Availability | | | | |
Backup firewall has transitioned [...] | High Availability | Maintenance | Information | 147 | --- | Simple
Backup going Active in preempt mode after reboot | High Availability | System Error | Error | 170 | 622 | Simple
Backup missed heartbeats from Primary | High Availability | System Error | Error | 149 | 616 | Simple
Backup received error signal from Primary | High Availability | System Error | Error | 151 | 618 | Simple
Backup received reboot signal from Primary | High Availability | System Error | Error | 672 | 666 | Simple
Backup shut down because license is expired | High Availability | System Error | Error | 824 | --- | Simple
Backup will be shut down in %s minutes | High Availability | System Error | Error | 823 | --- | Standard; String Service
Bad CRL format | VPN PKI | User Activity | Alert | 277 | --- | Simple; Destination
Blocked Quick Mode for Client using Default KeyId | VPN Client | System Error | Error | 505 | 660 | Standard
BOOTP Client IP address on LAN conflicts with remote device IP, deleting IP address from remote [...] | | | | | | [...] Destination
BOOTP reply relayed to [...] | | | | | | Standard; Destination
BOOTP Request received from remote [...] | | | | | |
BOOTP server response relayed to remote [...] | | | | | |
[...] | | | | | | [...] Note Protocol
Cannot connect to the CRL server | VPN PKI | User Activity | Alert | 274 | --- | Simple; Destination
Cannot Validate Issuer Path | VPN PKI | User Activity | Alert | 878 | --- | Simple; Destination
Certificate on Revoked list (CRL) | VPN PKI | User [...] | | | |
[...] disabled, time problem [...] | | | | | --- | Simple
CLI administrator logged out | Authentication | User Activity | Information | 520 | --- | Simple
CLI administrator login allowed | Authentication | User Activity | Information | 199 | --- | Simple
CLI administrator login denied due to bad credentials | Authentication | User Activity | Warning | 200 | --- | Simple
Computed hash does not match hash received from peer | VPN IKE | User Activity | Warning | 410 | --- | Standard; Destination
Connection [...] | | | Information | 98 | --- | Standard; Note Protocol
Connection Opened | | | | | | See the note under “TCP IP Layered-Data Packet Processing and SonicOS Log Event Handling” above: ignore this message in favor of the TCP Connection Dropped message when both are logged for the same connection.
Connection timed out | VPN PKI | User Activity | Alert | 273 | --- | Simple; Destination
Cookie removed | Network Access | Blocked Code | Notice | 21 | --- | Standard; String Service
CRL has expired | VPN PKI | User Activity | Alert | 874 | --- | Simple; Destination
CRL loaded from [...] | VPN PKI | User [...] | | | |
[...] - Issuer requires CRL checking | VPN PKI | User Activity | Alert | 876 | --- | Simple; Destination
CRL validation failure for Root Certificate | VPN PKI | User Activity | Alert | 877 | --- | Simple; Destination
Crypto DES test failed | Crypto Test | Maintenance | Error | 360 | --- | Simple
Crypto DH test failed | Crypto Test | Maintenance | Error | 361 | --- | Simple
Crypto Hardware 3Des test failed | Crypto Test | Maintenance | Error | 367 | --- | Simple
Crypto Hardware 3DES with SHA test failed | Crypto Test | Maintenance | Error | 369 | --- | Simple
Crypto Hardware AES test failed | Crypto Test | Maintenance | Error | 610 | --- | Standard
Crypto hardware DES test failed | Crypto Test | Maintenance | Error | 366 | --- | Simple
Crypto Hardware DES with SHA test failed | Crypto Test | Maintenance | Error | 368 | --- | Simple
Crypto Hmac-MD5 test failed | Crypto Te
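Worked example (added here, not code from the SonicWALL guide): applying the layered-processing rule above to exported Log View rows, so that a Connection Opened entry is discarded when a TCP Connection Dropped entry for the same source and destination follows it. The sample rows, the exact message strings and the pairing time window are assumptions.

```python
import csv
import io

# Constructed Log View rows (Time, Priority, Category, Message, Source, Destination).
# Message texts follow the guide's "Connection Opened" / "TCP Connection Dropped"
# event names; the rows are sample data, not captured appliance output.
SAMPLE = """\
10:00:01,Information,Network Access,Connection Opened,192.0.2.5:51000,198.51.100.9:443
10:00:01,Notice,Network Access,TCP Connection Dropped,192.0.2.5:51000,198.51.100.9:443
10:00:02,Information,Network Access,Connection Opened,192.0.2.6:51001,198.51.100.9:80
10:00:05,Information,Network Access,Connection Opened,192.0.2.7:51002,198.51.100.9:22
10:00:09,Notice,Network Access,TCP Connection Dropped,192.0.2.7:51002,198.51.100.9:22
"""
KEYS = ("time", "priority", "category", "message", "source", "destination")


def parse_log(text):
    """Parse exported rows into dicts keyed by the Log View field names."""
    return [dict(zip(KEYS, row)) for row in csv.reader(io.StringIO(text)) if row]


def seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def resolve_opened(entries, window=3):
    """Drop a 'Connection Opened' entry when a 'TCP Connection Dropped' entry for the
    same source/destination pair follows within `window` seconds: the deeper layer
    rejected the request, so the open message is to be ignored (the guide's rule).
    The time window is an assumption added here so that an open is not paired with
    an unrelated, much later drop of a long-lived connection."""
    kept = []
    for i, e in enumerate(entries):
        if e["message"] == "Connection Opened":
            t0 = seconds(e["time"])
            superseded = any(
                x["message"] == "TCP Connection Dropped"
                and (x["source"], x["destination"]) == (e["source"], e["destination"])
                and 0 <= seconds(x["time"]) - t0 <= window
                for x in entries[i + 1:]
            )
            if superseded:
                continue
        kept.append(e)
    return kept


if __name__ == "__main__":
    for e in resolve_opened(parse_log(SAMPLE)):
        print(e["time"], e["message"], e["source"], "->", e["destination"])
```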
