User manual SONICWALL SONICOS LOG EVENTS REFERENCE
Manual abstract: user guide SONICWALL SONICOS LOG EVENTS REFERENCE
[. . . ]
SonicWALL SonicOS
SonicOS 5.6 Log Events Reference Guide
Using the SonicOS Log Event Reference Guide
This reference guide lists and describes SonicOS log event messages. Reference a log event message by using the alphabetical index of log event messages. This document contains the following sections:
· "Log > View"
· "Log > Categories"
· "Log > Syslog"
· "Log > Automation"
· "Log > Name Resolution"
· "Log > Reports"
· "Log > ViewPoint"
· "Index of Log Event Messages"
· "Index of Syslog Tag Field Description"
SonicOS Log Event Reference Guide
Log > View
The SonicWALL security appliance maintains an Event log for tracking potential security threats. This log can be viewed in the Log > View page, or it can be automatically sent to an e-mail address for convenience and archiving. [. . . ] Access from a centralized GMS console will have similar requirements.
Log Persistence
SonicOS currently allocates 32K to a rolling log buffer. When the log becomes full, it can be emailed to a defined recipient and flushed, or it can simply be flushed. Emailing provides a simple version of logging persistence, while GMS provides a more reliable and scalable method. Because logs can be delivered as either plain text or HTML, the administrator has an easy method to review and replay logged events.
GMS
To provide the ability to identify and view events across an entire enterprise, a GMS update will be required. Device-specific interesting-content events at the GMS console appear in the Reports > Log Viewer Search page, and are also found throughout the various reports, such as Top Intrusions Over Time.
Log > Automation
Solera Capture Stack
Solera Networks makes a series of appliances of varying capacities and speeds designed to capture, archive, and regenerate network traffic. The Solera Networks Network Packet Capture System (NPCS) provides utilities that allow the captured data to be accessed in time-sequenced playback; that is, analysis of captured data can be performed on a live network via NPCS while the device is actively capturing and archiving data. To configure your SonicWALL appliance with Solera, select the Enable Solera Capture Stack Integration option.
Configure the following options:
· Server - Select the host for the Solera server.
· Interface(s) - Specify which interfaces you want to transmit data for to the Solera server.
· Confirm Password - Confirm the password.
· Mask Password - Leave this enabled to send the password as encrypted text.
Log > Name Resolution
The Log > Name Resolution page includes settings for configuring the name servers used to resolve IP addresses and server names in the log reports. The security appliance uses a DNS server or NetBIOS to resolve all IP addresses in log reports into server names. It stores the name/address pairs in a cache to assist with future lookups. You can clear the cache by clicking Reset Name Cache at the top of the Log > Name Resolution page.
Selecting Name Resolution Settings
The security appliance can use DNS, NetBIOS, or both to resolve IP addresses and server names. In the Name Resolution Method list, select:
· None: The security appliance will not attempt to resolve IP addresses and Names in the log reports.
· DNS: The security appliance will use the DNS server you specify to resolve addresses and names.
· NetBIOS: The security appliance will use NetBIOS to resolve addresses and names.
· DNS then NetBIOS: The security appliance will first use the DNS server you specify to resolve addresses and names. If it cannot resolve the name, it will try again with NetBIOS.
Specifying the DNS Server
You can choose to specify DNS servers, or to use the same servers as the WAN zone.
Step 1 Select Specify DNS Servers Manually or Inherit DNS Settings Dynamically from WAN Zone.
Step 2 If you selected to specify a DNS server, enter the IP address for at least one DNS server on your network.
Step 3 Click Accept in the top right corner of the Log > Name Resolution page to make your changes take effect.
Log > Reports
The SonicWALL security appliance can perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth. You can generate these reports from the Log > Reports page.
Note: SonicWALL ViewPoint provides a comprehensive Web-based reporting solution for SonicWALL security appliances. For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com
Data Collection
The Reports window includes the following functions and commands:
· Start Data Collection - Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label changes to Stop Data Collection.
· Reset Data - Click Reset Data to clear the report statistics and begin a new sample period.
[. . . ]
Check Primary Profile or Profile details
Network Access Intrusion Detection Intrusion Detection Intrusion Detection
TCP | UDP | ICMP
WARNING
347
STD_NOTE_STRING
Attack Attack
ALERT ALERT WARNING
1098 82 25
6465 521 503
STD_NOTE_STRING STD_NOTE_STRING STD
Firewall Hardware
ERROR
1043
5425
SIMPLE
PPP DialUp
User Activity
INFO
306
SIMPLE
PPP DialUp
INFO
666
STD
PPP DialUp PPP DialUp PPP DialUp
User Activity User Activity User Activity
INFO INFO INFO
285 284 298
SIMPLE SIMPLE UNUSED
PPP DialUp
User Activity
INFO
297
SIMPLE
PPP DialUp PPP DialUp
Maintenance User Activity
INFO INFO
811 288
SIMPLE SIMPLE
PPP DialUp
User Activity
INFO
321
SIMPLE
Index of Log Event Messages
· PPP DialUp: Maximum connection time exceeded disconnecting
· PPP DialUp: No dialtone detected check phoneline connection
· PPP DialUp: No link carrier detected check phone number
· PPP DialUp: No peer IP address from DialUp ISP, local and remote IPs will be the same
· PPP DialUp: PPP link down
· PPP DialUp: PPP link established
· PPP DialUp: PPP negotiation failed disconnecting
· PPP DialUp: Received new IP address
· PPP DialUp: Shutting down link
· PPP DialUp: Starting PPP
· PPP DialUp: Startup without Ethernet cable, will try to dial on outbound Application Firewall
· PPP DialUp: The profile in use disabled VPN networking
· PPP DialUp: Trying to failover but Alternate Profile is manual
PPP DialUp
User Activity
INFO
327
SIMPLE
PPP DialUp
User Activity
INFO
282
SIMPLE
PPP DialUp
User Activity
INFO
283
SIMPLE
PPP DialUp PPP DialUp PPP DialUp
Maintenance User Activity User Activity
INFO INFO INFO
481 301 300
SIMPLE SIMPLE SIMPLE
PPP DialUp
User Activity
INFO
296
UNUSED
PPP DialUp PPP DialUp PPP DialUp
User Activity User Activity
INFO INFO INFO
299 302 1037
STD SIMPLE SIMPLE_MESSAGE_STRING
PPP DialUp
User Activity
INFO
323
UNUSED
PPP DialUp
Maintenance
INFO
330
SIMPLE
WAN Failover
User Activity
INFO
434
SIMPLE
· PPP DialUp: Trying to failover but Primary Profile is manual
· PPP DialUp: Unknown dialing failure
· PPP DialUp: User requested connect
· PPP DialUp: User requested disconnect
· PPP DialUp: VPN networking restored
· PPP: Authentication successful
· PPP: CHAP authentication failed check username / password
· PPP: MSCHAP authentication failed check username / password
· PPP: PAP Authentication failed check username / password
· PPP: Starting CHAP authentication
· PPP: Starting MS CHAP authentication
· PPP: Starting PAP authentication
· PPPoE terminated
· PPPoE CHAP Authentication Failed
· PPPoE discovery process complete
· PPPoE enabled but not ready
PPP DialUp
User Activity
INFO
322
SIMPLE
PPP DialUp PPP DialUp
User Activity User Activity
INFO INFO
287 305
SIMPLE SIMPLE
PPP DialUp
User Activity
INFO
304
SIMPLE
PPP DialUp
Maintenance
INFO
331
SIMPLE
PPP
User Activity
INFO
289
SIMPLE
PPP
User Activity
INFO
291
SIMPLE
PPP
User Activity
INFO
292
SIMPLE
PPP PPP
User Activity User Activity
INFO INFO
290 294
SIMPLE SIMPLE
PPP PPP PPPoE
User Activity User Activity Maintenance
INFO INFO INFO
293 295 130
SIMPLE SIMPLE SIMPLE
PPPoE PPPoE PPPoE
Maintenance Maintenance Maintenance
INFO INFO INFO
136 133 499
UNUSED SIMPLE SIMPLE
· PPPoE LCP Link Down
· PPPoE LCP Link Up
· PPPoE Network Connected
· PPPoE Network Disconnected
· PPPoE PAP Authentication Failed
· PPPoE PAP Authentication Failed. Please verify PPPoE username and password
· PPPoE PAP Authentication success
· PPPoE password changed by Administrator
· PPPoE starting CHAP Authentication
· PPPoE starting PAP Authentication
· PPPoE user name changed by Administrator
· PPTP enabled but not ready
· PPTP CHAP Authentication Failed. Please verify PPTP username and password
· PPTP Connect Initiated by the User
· PPTP Control Connection Established
· PPTP Control Connection Negotiation Started
· PPTP decode failure
PPPoE PPPoE PPPoE PPPoE
Maintenance Maintenance Maintenance Maintenance
INFO INFO INFO INFO
129 128 131 132
SIMPLE SIMPLE SIMPLE SIMPLE
PPPoE
Maintenance
INFO
137
UNUSED
PPPoE
Maintenance
INFO
167
UNUSED
PPPoE Authentication Access
Maintenance
INFO
166
UNUSED
User Activity
INFO
515
UNUSED
PPPoE PPPoE Authentication Access PPTP
Maintenance Maintenance
INFO INFO
134 135
SIMPLE UNUSED
User Activity Maintenance
INFO INFO
514 501
UNUSED SIMPLE
PPTP
Maintenance
INFO
394
UNUSED
PPTP
Maintenance
INFO
390
STD_NOTE_STRING
PPTP
Maintenance
INFO
378
SIMPLE
PPTP PPTP
Maintenance Debug
INFO DEBUG
375 596
SIMPLE STD
· PPTP Disconnect Initiated by the User
· PPTP LCP Down
· PPTP LCP Up
· PPTP Max Retransmission Exceeded
· PPTP packet dropped
· PPTP PAP Authentication Failed
· PPTP PAP Authentication Failed. Please verify PPTP username and password
· PPTP PAP Authentication success
· PPTP PPP Authentication Failed
· PPTP PPP Down
· PPTP PPP link down
· PPTP PPP Link down
· PPTP PPP Link Finished
· PPTP PPP Link Up
· PPTP PPP Negotiation Started
· PPTP PPP Session Up
· PPTP Server is not responding, check if the server is UP and running
· PPTP server rejected control connection
· PPTP server rejected the call request
· PPTP Session Disconnect from Remote
PPTP PPTP PPTP
Maintenance Maintenance Maintenance
INFO INFO INFO
388 383 387
STD_NOTE_STRING UNUSED UNUSED
PPTP Network Access
Maintenance TCP | UDP | ICMP
INFO NOTICE
377 39
UNUSED UNUSED
PPTP
Maintenance
INFO
395
UNUSED
PPTP
Maintenance
INFO
397
UNUSED
PPTP
Maintenance
INFO
396
SIMPLE
PPTP PPTP PPTP PPTP PPTP PPTP PPTP PPTP
Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance
INFO INFO INFO INFO INFO INFO INFO INFO
386 385 391 399 400 398 382 384
UNUSED SIMPLE UNUSED SIMPLE SIMPLE SIMPLE SIMPLE SIMPLE
PPTP
Maintenance
INFO
444
SIMPLE
PPTP
Maintenance
INFO
432
SIMPLE
PPTP
Maintenance
INFO
433
SIMPLE
PPTP
Maintenance
INFO
381
SIMPLE
· PPTP Session Established
· PPTP Session Negotiation Started
· PPTP starting CHAP Authentication
· PPTP starting PAP Authentication
· PPTP Tunnel Disconnect from Remote
· Primary firewall has transitioned to Active
· Primary firewall has transitioned to Idle
· Primary firewall preempting Backup
· Primary firewall rebooting itself as it transitioned from Active to Idle while Preempt
· Primary missed heartbeats from Backup
· Primary received error signal from Backup
· Primary received heartbeat from wrong source
· Primary received reboot signal from Backup
· Primary WAN link down, Backup going Active
· Primary WAN link down, Primary going Idle
· Primary WAN link up, preempting Backup
· Priority attack dropped
· Probable port scan detected
PPTP PPTP PPTP PPTP
Maintenance Maintenance Maintenance Maintenance
INFO INFO INFO INFO
380 376 392 393
SIMPLE SIMPLE SIMPLE SIMPLE
PPTP
Maintenance
INFO
379
SIMPLE
High Availability High Availability High Availability
Maintenance System Error System Error
ALERT ALERT ERROR
144 146 153
614 620
SIMPLE SIMPLE SIMPLE
High Availability
INFO
1058
SIMPLE
High Availability
System Error
ERROR
148
615
SIMPLE
High Availability
System Error
ERROR
150
617
SIMPLE
High Availability
Maintenance
INFO
160
UNUSED
High Availability
System Error
ERROR
671
665
SIMPLE
High Availability
System Error
ERROR
220
634
UNUSED
High Availability
Maintenance
INFO
218
UNUSED
High Availability Intrusion Detection Intrusion Detection
Maintenance Attack Attack
INFO ALERT ALERT
221 79 83
518 522
UNUSED STD STD_NOTE_STRING
· Probable TCP FIN scan detected
· Probable TCP NULL scan detected
· Probable TCP XMAS scan detected
· Problem loading the URL List; Appliance not registered
· Problem loading the URL List; check Filter settings
· Problem loading the URL List; check your DNS server
· Problem loading the URL List; Flash write failure
· Problem loading the URL List; Retrying later
· Problem loading the URL List; Subscription expired
· Problem loading the URL List; Try loading it again
· Problem occurred during user group membership retrieval
· Problem sending log email; check log settings
· Processed Email received from Email Security Service
· RADIUS user cannot use One Time Password no mail address set for equivalent local user
· Readonly mode GUI administration session started
Intrusion Detection Intrusion Detection Intrusion Detection
Attack Attack Attack
ALERT ALERT ALERT
177 179 178
528 530 529
STD_NOTE_STRING STD_NOTE_STRING STD_NOTE_STRING
Security Services
System Error
ERROR
183
623
SIMPLE
Security Services
System Error
ERROR
10
602
STD_NOTE_CODE
Security Services
System Error
ERROR
11
603
SIMPLE
Security Services
System Error
ERROR
187
627
SIMPLE
Security Services
System Error
ERROR
186
626
STD
Security Services
System Error
ERROR
184
624
STD
Security Services
System Error
ERROR
185
625
SIMPLE
Authentication Access
User Activity
WARNING
1033
STD_NOTE_STRING
Firewall Logging
System Error
WARNING
12
604
SIMPLE
AntiSpam
INFO
1096
STD
Authentication Access Authentication Access
User Activity
INFO
1119
STD_STRING_SERVICE
User Activity
INFO
996
STD_NOTE_STRING
· Real time clock battery failure Time values may be incorrect
· Received a path MTU icmp message from router/ gateway
· Received a path MTU icmp message from router/ gateway
· Received Application Firewall Alert: Your SonicWALL Application Firewall (Application Firewall) subscription has expired
· Received CFS Alert: Your SonicWALL Content Filtering subscription has expired
· Received CFS Alert: Your SonicWALL Content Filtering subscription will expire in 7 days
· Received DHCP offer packet has errors
· Received EMail Filter Alert: Your SonicWALL EMail Filtering subscription has expired
· Received EMail Filter Alert: Your SonicWALL EMail Filtering subscription will expire in 7 days
Firewall Hardware
System Error
WARNING
539
644
SIMPLE
Network
User Activity
INFO
182
STD_NOTE_SPI
Network
User Activity
INFO
188
STD_NOTE_MTU
Security Services
Maintenance
WARNING
1034
8635
SIMPLE
Security Services
Maintenance
WARNING
490
563
SIMPLE
Security Services
Maintenance
WARNING
489
562
SIMPLE
DHCP Client
Maintenance
INFO
588
STD_NOTE_STRING
Security Services
Maintenance
WARNING
492
565
SIMPLE
Security Services
Maintenance
WARNING
491
564
SIMPLE
· Received fragmented packet or fragmentation needed
· Received IKE SA delete request
· Received IPS Alert: Your SonicWALL Intrusion Prevention (IDP) subscription has expired
· Received IPsec SA delete request
· Received LCP Echo Reply
· Received LCP Echo Request
· Received notify. [. . . ]