User manual SONICWALL SONICOS LOG EVENTS REFERENCE


Manual abstract: user guide SONICWALL SONICOS LOG EVENTS REFERENCE


[. . . ] SonicWALL SonicOS 5.6 Log Events Reference Guide

Using the SonicOS Log Event Reference Guide

This reference guide lists and describes SonicOS log event messages. Reference a log event message by using the alphabetical index of log event messages. This document contains the following sections:

· "Log > View"
· "Log > Categories"
· "Log > Syslog"
· "Log > Automation"
· "Log > Name Resolution"
· "Log > Reports"
· "Log > ViewPoint"
· "Index of Log Event Messages"
· "Index of Syslog Tag Field Description"

Log > View

The SonicWALL security appliance maintains an Event log for tracking potential security threats. This log can be viewed in the Log > View page, or it can be automatically sent to an e-mail address for convenience and archiving. [. . . ] Access from a centralized GMS console will have similar requirements.

Log Persistence

SonicOS currently allocates 32K to a rolling log buffer. When the log becomes full, it can be emailed to a defined recipient and flushed, or it can simply be flushed. Emailing provides a simple version of logging persistence, while GMS provides a more reliable and scalable method. By offering the administrator the option to deliver logs as either plain-text or HTML, the administrator has an easy method to review and replay events logged.

GMS

To provide the ability to identify and view events across an entire enterprise, a GMS update will be required. Device-specific interesting-content events at the GMS console appear in Reports > Log Viewer Search page, but are also found throughout the various reports, such as Top Intrusions Over Time.
Log > Automation

Solera Capture Stack

Solera Networks makes a series of appliances of varying capacities and speeds designed to capture, archive, and regenerate network traffic. The Solera Networks Network Packet Capture System (NPCS) provides utilities that allow the captured data to be accessed in time-sequenced playback; that is, analysis of captured data can be performed on a live network via NPCS while the device is actively capturing and archiving data.

To configure your SonicWALL appliance with Solera, select the Enable Solera Capture Stack Integration option. Configure the following options:

· Server - Select the host for the Solera server.
· Interface(s) - Specify the interfaces whose data you want to transmit to the Solera server.
· Confirm Password - Confirm the password.
· Mask Password - Leave this enabled to send the password as encrypted text.

Log > Name Resolution

The Log > Name Resolution page includes settings for configuring the name servers used to resolve IP addresses and server names in the log reports. The security appliance uses a DNS server or NetBIOS to resolve all IP addresses in log reports into server names. It stores the name/address pairs in a cache to assist with future lookups. You can clear the cache by clicking Reset Name Cache at the top of the Log > Name Resolution page.

Selecting Name Resolution Settings

The security appliance can use DNS, NetBIOS, or both to resolve IP addresses and server names. In the Name Resolution Method list, select:

· None: The security appliance will not attempt to resolve IP addresses and names in the log reports.
· DNS: The security appliance will use the DNS server you specify to resolve addresses and names.
· NetBIOS: The security appliance will use NetBIOS to resolve addresses and names.
· DNS then NetBIOS: The security appliance will first use the DNS server you specify to resolve addresses and names. If it cannot resolve the name, it will try again with NetBIOS.

Specifying the DNS Server

You can choose to specify DNS servers, or to use the same servers as the WAN zone.

Step 1 Select Specify DNS Servers Manually or Inherit DNS Settings Dynamically from WAN Zone.
Step 2 If you selected to specify a DNS server, enter the IP address for at least one DNS server on your network.
Step 3 Click Accept in the top right corner of the Log > Name Resolution page to make your changes take effect.

Log > Reports

The SonicWALL security appliance can perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth. You can generate these reports from the Log > Reports page.

Note: SonicWALL ViewPoint provides a comprehensive Web-based reporting solution for SonicWALL security appliances. For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com

Data Collection

The Reports window includes the following functions and commands:

· Start Data Collection: Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label changes to Stop Data Collection.
· Reset Data: Click Reset Data to clear the report statistics and begin a new sample period. [. . . 
] Check Primary Profile or Profile details Network Access Intrusion Detection Intrusion Detection Intrusion Detection TCP | UDP | ICMP WARNING 347 STD_NOTE_STRING Attack Attack ALERT ALERT WARNING 1098 82 25 6465 521 503 STD_NOTE_STRING STD_NOTE_STRING STD Firewall Hardware ERROR 1043 5425 SIMPLE PPP DialUp User Activity INFO 306 SIMPLE PPP DialUp INFO 666 STD PPP DialUp PPP DialUp PPP DialUp User Activity User Activity User Activity INFO INFO INFO 285 284 298 SIMPLE SIMPLE UNUSED PPP DialUp User Activity INFO 297 SIMPLE PPP DialUp PPP DialUp Maintenance User Activity INFO INFO 811 288 SIMPLE SIMPLE PPP DialUp User Activity INFO 321 SIMPLE 54 SonicOS Log Event Reference Guide Index of Log Event Messages PPP DialUp: Maximum connection time exceeded disconnecting PPP DialUp: No dialtone detected check phoneline connection PPP DialUp: No link carrier detected check phone number PPP DialUp: No peer IP address from DialUp ISP, local and remote IPs will be the same PPP DialUp: PPP link down PPP DialUp: PPP link established PPP DialUp: PPP negotiation failed disconnecting PPP DialUp: Received new IP address PPP DialUp: Shutting down link PPP DialUp: Starting PPP PPP DialUp: Startup without Ethernet cable, will try to dial on outbound Application Firewall PPP DialUp: The profile in use disabled VPN networking PPP DialUp: Trying to failover but Alternate Profile is manual PPP DialUp User Activity INFO 327 SIMPLE PPP DialUp User Activity INFO 282 SIMPLE PPP DialUp User Activity INFO 283 SIMPLE PPP DialUp PPP DialUp PPP DialUp Maintenance User Activity User Activity INFO INFO INFO 481 301 300 SIMPLE SIMPLE SIMPLE PPP DialUp User Activity INFO 296 UNUSED PPP DialUp PPP DialUp PPP DialUp User Activity User Activity INFO INFO INFO 299 302 1037 STD SIMPLE SIMPLE_MESSAGE_STRING PPP DialUp User Activity INFO 323 UNUSED PPP DialUp Maintenance INFO 330 SIMPLE WAN Failover User Activity INFO 434 SIMPLE SonicOS Log Event Reference Guide 55 Index of Log Event Messages PPP DialUp: Trying 
to failover but Primary Profile is manual PPP DialUp: Unknown dialing failure PPP DialUp: User requested connect PPP DialUp: User requested disconnect PPP DialUp: VPN networking restored PPP: Authentication successful PPP: CHAP authentication failed check username / password PPP: MSCHAP authentication failed check username / password PPP: PAP Authentication failed check username / password PPP: Starting CHAP authentication PPP: Starting MS CHAP authentication PPP: Starting PAP authentication PPPoE terminated PPPoE CHAP Authentication Failed PPPoE discovery process complete PPPoE enabled but not ready PPP DialUp User Activity INFO 322 SIMPLE PPP DialUp PPP DialUp User Activity User Activity INFO INFO 287 305 SIMPLE SIMPLE PPP DialUp User Activity INFO 304 SIMPLE PPP DialUp Maintenance INFO 331 SIMPLE PPP User Activity INFO 289 SIMPLE PPP User Activity INFO 291 SIMPLE PPP User Activity INFO 292 SIMPLE PPP PPP User Activity User Activity INFO INFO 290 294 SIMPLE SIMPLE PPP PPP PPPoE User Activity User Activity Maintenance INFO INFO INFO 293 295 130 SIMPLE SIMPLE SIMPLE PPPoE PPPoE PPPoE Maintenance Maintenance Maintenance INFO INFO INFO 136 133 499 UNUSED SIMPLE SIMPLE 56 SonicOS Log Event Reference Guide Index of Log Event Messages PPPoE LCP Link Down PPPoE LCP Link Up PPPoE Network Connected PPPoE Network Disconnected PPPoE PAP Authentication Failed PPPoE PAP Authentication Failed. Please verify PPPoE username and password PPPoE PAP Authentication success PPPoE password changed by Administrator PPPoE starting CHAP Authentication PPPoE starting PAP Authentication PPPoE user name changed by Administrator PPTP enabled but not ready PPTP CHAP Authentication Failed. 
Please verify PPTP username and password PPTP Connect Initiated by the User PPTP Control Connection Established PPTP Control Connection Negotiation Started PPTP decode failure PPPoE PPPoE PPPoE PPPoE Maintenance Maintenance Maintenance Maintenance INFO INFO INFO INFO 129 128 131 132 SIMPLE SIMPLE SIMPLE SIMPLE PPPoE Maintenance INFO 137 UNUSED PPPoE Maintenance INFO 167 UNUSED PPPoE Authentication Access Maintenance INFO 166 UNUSED User Activity INFO 515 UNUSED PPPoE PPPoE Authentication Access PPTP Maintenance Maintenance INFO INFO 134 135 SIMPLE UNUSED User Activity Maintenance INFO INFO 514 501 UNUSED SIMPLE PPTP Maintenance INFO 394 UNUSED PPTP Maintenance INFO 390 STD_NOTE_STRING PPTP Maintenance INFO 378 SIMPLE PPTP PPTP Maintenance Debug INFO DEBUG 375 596 SIMPLE STD SonicOS Log Event Reference Guide 57 Index of Log Event Messages PPTP Disconnect Initiated by the User PPTP LCP Down PPTP LCP Up PPTP Max Retransmission Exceeded PPTP packet dropped PPTP PAP Authentication Failed PPTP PAP Authentication Failed. 
Please verify PPTP username and password PPTP PAP Authentication success PPTP PPP Authentication Failed PPTP PPP Down PPTP PPP link down PPTP PPP Link down PPTP PPP Link Finished PPTP PPP Link Up PPTP PPP Negotiation Started PPTP PPP Session Up PPTP Server is not responding, check if the server is UP and running PPTP server rejected control connection PPTP server rejected the call request PPTP Session Disconnect from Remote PPTP PPTP PPTP Maintenance Maintenance Maintenance INFO INFO INFO 388 383 387 STD_NOTE_STRING UNUSED UNUSED PPTP Network Access Maintenance TCP | UDP | ICMP INFO NOTICE 377 39 UNUSED UNUSED PPTP Maintenance INFO 395 UNUSED PPTP Maintenance INFO 397 UNUSED PPTP Maintenance INFO 396 SIMPLE PPTP PPTP PPTP PPTP PPTP PPTP PPTP PPTP Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance Maintenance INFO INFO INFO INFO INFO INFO INFO INFO 386 385 391 399 400 398 382 384 UNUSED SIMPLE UNUSED SIMPLE SIMPLE SIMPLE SIMPLE SIMPLE PPTP Maintenance INFO 444 SIMPLE PPTP Maintenance INFO 432 SIMPLE PPTP Maintenance INFO 433 SIMPLE PPTP Maintenance INFO 381 SIMPLE 58 SonicOS Log Event Reference Guide Index of Log Event Messages PPTP Session Established PPTP Session Negotiation Started PPTP starting CHAP Authentication PPTP starting PAP Authentication PPTP Tunnel Disconnect from Remote Primary firewall has transitioned to Active Primary firewall has transitioned to Idle Primary firewall preempting Backup Primary firewall rebooting itself as it transitioned from Active to Idle while Preempt Primary missed heartbeats from Backup Primary received error signal from Backup Primary received heartbeat from wrong source Primary received reboot signal from Backup Primary WAN link down, Backup going Active Primary WAN link down, Primary going Idle Primary WAN link up, preempting Backup Priority attack dropped Probable port scan detected PPTP PPTP PPTP PPTP Maintenance Maintenance Maintenance Maintenance INFO INFO INFO INFO 380 376 392 393 
SIMPLE SIMPLE SIMPLE SIMPLE PPTP Maintenance INFO 379 SIMPLE High Availability High Availability High Availability Maintenance System Error System Error ALERT ALERT ERROR 144 146 153 614 620 SIMPLE SIMPLE SIMPLE High Availability INFO 1058 SIMPLE High Availability System Error ERROR 148 615 SIMPLE High Availability System Error ERROR 150 617 SIMPLE High Availability Maintenance INFO 160 UNUSED High Availability System Error ERROR 671 665 SIMPLE High Availability System Error ERROR 220 634 UNUSED High Availability Maintenance INFO 218 UNUSED High Availability Intrusion Detection Intrusion Detection Maintenance Attack Attack INFO ALERT ALERT 221 79 83 518 522 UNUSED STD STD_NOTE_STRING SonicOS Log Event Reference Guide 59 Index of Log Event Messages Probable TCP FIN scan detected Probable TCP NULL scan detected Probable TCP XMAS scan detected Problem loading the URL List; Appliance not registered Problem loading the URL List; check Filter settings Problem loading the URL List; check your DNS server Problem loading the URL List; Flash write failure Problem loading the URL List; Retrying later Problem loading the URL List; Subscription expired Problem loading the URL List; Try loading it again Problem occurred during user group membership retrieval Problem sending log email; check log settings Processed Email received from Email Security Service RADIUS user cannot use One Time Password no mail address set for equivalent local user Readonly mode GUI administration session started 60 Intrusion Detection Intrusion Detection Intrusion Detection Attack Attack Attack ALERT ALERT ALERT 177 179 178 528 530 529 STD_NOTE_STRING STD_NOTE_STRING STD_NOTE_STRING Security Services System Error ERROR 183 623 SIMPLE Security Services System Error ERROR 10 602 STD_NOTE_CODE Security Services System Error ERROR 11 603 SIMPLE Security Services System Error ERROR 187 627 SIMPLE Security Services System Error ERROR 186 626 STD Security Services System Error ERROR 184 624 STD Security 
Services System Error ERROR 185 625 SIMPLE Authentication Access User Activity WARNING 1033 STD_NOTE_STRING Firewall Logging System Error WARNING 12 604 SIMPLE AntiSpam INFO 1096 STD Authentication Access Authentication Access User Activity INFO 1119 STD_STRING_SERVICE User Activity INFO 996 STD_NOTE_STRING SonicOS Log Event Reference Guide Index of Log Event Messages Real time clock battery failure Time values may be incorrect Received a path MTU icmp message from router/gateway Received a path MTU icmp message from router/gateway Received Application Firewall Alert: Your SonicWALL Application Firewall (Application Firewall) subscription has expired Received CFS Alert: Your SonicWALL Content Filtering subscription has expired Received CFS Alert: Your SonicWALL Content Filtering subscription will expire in 7 days Received DHCP offer packet has errors Received EMail Filter Alert: Your SonicWALL EMail Filtering subscription has expired Received EMail Filter Alert: Your SonicWALL EMail Filtering subscription will expire in 7 days Firewall Hardware System Error WARNING 539 644 SIMPLE Network User Activity INFO 182 STD_NOTE_SPI Network User Activity INFO 188 STD_NOTE_MTU Security Services Maintenance WARNING 1034 8635 SIMPLE Security Services Maintenance WARNING 490 563 SIMPLE Security Services Maintenance WARNING 489 562 SIMPLE DHCP Client Maintenance INFO 588 STD_NOTE_STRING Security Services Maintenance WARNING 492 565 SIMPLE Security Services Maintenance WARNING 491 564 SIMPLE SonicOS Log Event Reference Guide 61 Index of Log Event Messages Received fragmented packet or fragmentation needed Received IKE SA delete request Received IPS Alert: Your SonicWALL Intrusion Prevention (IDP) subscription has expired Received IPsec SA delete request Received LCP Echo Reply Received LCP Echo Request Received notify. [. . . ]
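
As an added example (not part of the SonicWALL guide): the scan-detection entries in the index above (event IDs 83, 177, 178 and 179, all Intrusion Detection / ALERT) can be pulled out of forwarded syslog and grouped by source address for triage. The key=value line layout, with `m=` carrying the event ID and `src=` written as ip:port:interface, is an assumption here because this excerpt does not reproduce the syslog tag descriptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Event IDs and messages as listed in the index rows on this page
# (category Intrusion Detection, priority ALERT).
SCAN_EVENTS = {
    83: "Probable port scan detected",
    177: "Probable TCP FIN scan detected",
    178: "Probable TCP XMAS scan detected",
    179: "Probable TCP NULL scan detected",
}

# A value is either a "quoted string" or a bare token, so text inside a
# quoted value is never mistaken for a separate tag.
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Return one syslog line's tag/value pairs as a dict, quotes stripped."""
    return {key: value.strip('"') for key, value in PAIR.findall(line)}

def scan_sources(lines):
    """Map each source address to the sorted scan event IDs logged for it."""
    seen = defaultdict(set)
    for line in lines:
        tags = parse_line(line)
        if not tags.get("m", "").isdigit() or "src" not in tags:
            continue  # truncated or non-event line
        event_id = int(tags["m"])
        if event_id in SCAN_EVENTS:
            # Assumed src layout: ip:port:interface (IPv4); keep the address.
            seen[tags["src"].split(":")[0]].add(event_id)
    return {ip: sorted(ids) for ip, ids in seen.items()}

# Constructed sample lines using documentation addresses, not captured logs.
HDR = 'id=firewall sn=0000AAAA0000 time="2010-03-01 10:15:02" fw=203.0.113.1 '
SAMPLE = [
    HDR + 'pri=1 m=83 msg="Probable port scan detected" src=198.51.100.7:4455:X1 dst=203.0.113.1:22:X1',
    HDR + 'pri=1 m=177 msg="Probable TCP FIN scan detected" src=198.51.100.7:4460:X1 dst=203.0.113.1:80:X1',
    HDR + 'pri=1 m=179 msg="Probable TCP NULL scan detected" src=192.0.2.44:1025:X1 dst=203.0.113.1:443:X1',
    HDR + 'pri=6 m=289 msg="PPP: Authentication successful" note="follows m=83" src=192.0.2.9:0:X2',
    HDR + 'pri=1 msg="Probable port scan detected" src=192.0.2.50:1:X1',  # m= tag missing
]

if __name__ == "__main__":
    for ip, ids in scan_sources(SAMPLE).items():
        print(ip, [SCAN_EVENTS[i] for i in ids])
```

A source that appears under more than one scan ID, as 198.51.100.7 does in the sample, is the one to look at first.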
