User manual SONICWALL SONICOS LOG EVENTS REFERENCE
SonicWALL SonicOS
SonicOS 5.6 Log Events Reference Guide
Using the SonicOS Log Event Reference Guide
This reference guide lists and describes SonicOS log event messages. Reference a log event message by using the alphabetical index of log event messages. This document contains the following sections:
· "Log > View"
· "Log > Categories"
· "Log > Syslog"
· "Log > Automation"
· "Log > Name Resolution"
· "Log > Reports"
· "Log > ViewPoint"
· "Index of Log Event Messages"
· "Index of Syslog Tag Field Description"
Log > View
The SonicWALL security appliance maintains an Event log for tracking potential security threats. This log can be viewed in the Log > View page, or it can be automatically sent to an e-mail address for convenience and archiving. [. . . ] Usually, this means the client and the NPCS will be in the same physical location, both connected to the SonicWALL appliance. In any case, the client will be able to directly reach the NPCS, or will be able to reach the NPCS through the SonicWALL. Administrators in a remote location will require some method of VPN connectivity to the internal network. Access from a centralized GMS console will have similar requirements.
Log Persistence
SonicOS currently allocates 32K to a rolling log buffer. When the log becomes full, it can be emailed to a defined recipient and flushed, or it can simply be flushed. Emailing provides a simple version of logging persistence, while GMS provides a more reliable and scalable method. By offering the administrator the option to deliver logs as either plain-text or HTML, the administrator has an easy method to review and replay events logged.
GMS
To provide the ability to identify and view events across an entire enterprise, a GMS update will be required. Device-specific interesting-content events at the GMS console appear in Reports > Log Viewer Search page, but are also found throughout the various reports, such as Top Intrusions Over Time.
Log > Automation
Solera Capture Stack
Solera Networks makes a series of appliances of varying capacities and speeds designed to capture, archive, and regenerate network traffic. The Solera Networks Network Packet Capture System (NPCS) provides utilities that allow the captured data to be accessed in time sequenced playback, that is, analysis of captured data can be performed on a live network via NPCS while the device is actively capturing and archiving data. To configure your SonicWALL appliance with Solera select the Enable Solera Capture Stack Integration option.
Configure the following options:
· Server - Select the host for the Solera server. You can dynamically create the host by selecting Create New Host...
· Port - Specify the port number for connecting to the Solera server.
· Interface(s) - Specify the interfaces whose data you want to transmit to the Solera server.
· User (optional) - Enter the username, if required.
· Password (optional) - Enter the password, if required.
· Confirm Password - Confirm the password.
· Mask Password - Leave this enabled to send the password as encrypted text.
Log > Name Resolution
The Log > Name Resolution page includes settings for configuring the name servers used to resolve IP addresses and server names in the log reports. The security appliance uses a DNS server or NetBIOS to resolve all IP addresses in log reports into server names. It stores the names/address pairs in a cache, to assist with future lookups. You can clear the cache by clicking Reset Name Cache in the top of the Log > Name Resolution page.
Selecting Name Resolution Settings
The security appliance can use DNS, NetBIOS, or both to resolve IP addresses and server names. In the Name Resolution Method list, select:
· None: The security appliance will not attempt to resolve IP addresses and Names in the log reports.
· DNS: The security appliance will use the DNS server you specify to resolve addresses and names.
· NetBIOS: The security appliance will use NetBIOS to resolve addresses and names.
[. . . ]
[. . . ] | PPPoE | Maintenance | INFO | 129 | - | SIMPLE
[. . . ] | PPPoE | Maintenance | INFO | 128 | - | SIMPLE
[. . . ] | PPPoE | Maintenance | INFO | 131 | - | SIMPLE
[. . . ] | PPPoE | Maintenance | INFO | 132 | - | SIMPLE
[. . . ] | PPPoE | Maintenance | INFO | 137 | - | UNUSED
[. . . ] | PPPoE | Maintenance | INFO | 167 | - | UNUSED
[. . . ] | PPPoE | Maintenance | INFO | 166 | - | UNUSED
[. . . ] | Authentication Access | User Activity | INFO | 515 | - | UNUSED
[. . . ] | PPPoE | Maintenance | INFO | 134 | - | SIMPLE
[. . . ] | PPPoE | Maintenance | INFO | 135 | - | UNUSED
[. . . ] | Authentication Access | User Activity | INFO | 514 | - | UNUSED
[. . . ] | PPTP | Maintenance | INFO | 501 | - | SIMPLE
[. . . ] Please verify PPTP username and password | PPTP | Maintenance | INFO | 394 | - | UNUSED
PPTP Connect Initiated by the User | PPTP | Maintenance | INFO | 390 | - | STD_NOTE_STRING
PPTP Control Connection Established | PPTP | Maintenance | INFO | 378 | - | SIMPLE
PPTP Control Connection Negotiation Started | PPTP | Maintenance | INFO | 375 | - | SIMPLE
PPTP decode failure | PPTP | Debug | DEBUG | 596 | - | STD
Index of Log Event Messages
PPTP Disconnect Initiated by the User | PPTP | Maintenance | INFO | 388 | - | STD_NOTE_STRING
PPTP LCP Down | PPTP | Maintenance | INFO | 383 | - | UNUSED
PPTP LCP Up | PPTP | Maintenance | INFO | 387 | - | UNUSED
PPTP Max Retransmission Exceeded | PPTP | Maintenance | INFO | 377 | - | UNUSED
PPTP packet dropped | Network Access | "TCP | UDP | ICMP" | NOTICE | 39 | - | UNUSED
PPTP PAP Authentication Failed | PPTP | Maintenance | INFO | 395 | - | UNUSED
PPTP PAP Authentication Failed. Please verify PPTP username and password | PPTP | Maintenance | INFO | 397 | - | UNUSED
PPTP PAP Authentication success | PPTP | Maintenance | INFO | 396 | - | SIMPLE
PPTP PPP Authentication Failed | PPTP | Maintenance | INFO | 386 | - | UNUSED
PPTP PPP Down | PPTP | Maintenance | INFO | 385 | - | SIMPLE
PPTP PPP link down | PPTP | Maintenance | INFO | 391 | - | UNUSED
PPTP PPP Link down | PPTP | Maintenance | INFO | 399 | - | SIMPLE
PPTP PPP Link Finished | PPTP | Maintenance | INFO | 400 | - | SIMPLE
PPTP PPP Link Up | PPTP | Maintenance | INFO | 398 | - | SIMPLE
PPTP PPP Negotiation Started | PPTP | Maintenance | INFO | 382 | - | SIMPLE
PPTP PPP Session Up | PPTP | Maintenance | INFO | 384 | - | SIMPLE
PPTP Server is not responding, check if the server is UP and running | PPTP | Maintenance | INFO | 444 | - | SIMPLE
PPTP server rejected control connection | PPTP | Maintenance | INFO | 432 | - | SIMPLE
PPTP server rejected the call request | PPTP | Maintenance | INFO | 433 | - | SIMPLE
PPTP Session Disconnect from Remote | PPTP | Maintenance | INFO | 381 | - | SIMPLE
PPTP Session Established | PPTP | Maintenance | INFO | 380 | - | SIMPLE
PPTP Session Negotiation Started | PPTP | Maintenance | INFO | 376 | - | SIMPLE
PPTP starting CHAP Authentication | PPTP | Maintenance | INFO | 392 | - | SIMPLE
PPTP starting PAP Authentication | PPTP | Maintenance | INFO | 393 | - | SIMPLE
PPTP Tunnel Disconnect from Remote | PPTP | Maintenance | INFO | 379 | - | SIMPLE
Primary firewall has transitioned to Active | High Availability | Maintenance | ALERT | 144 | - | SIMPLE
Primary firewall has transitioned to Idle | High Availability | System Error | ALERT | 146 | 614 | SIMPLE
Primary firewall preempting Backup | High Availability | System Error | ERROR | 153 | 620 | SIMPLE
Primary firewall rebooting itself as it transitioned from Active to Idle while Preempt | High Availability | - | INFO | 1058 | - | SIMPLE
Primary missed heartbeats from Backup | High Availability | System Error | ERROR | 148 | 615 | SIMPLE
Primary received error signal from Backup | High Availability | System Error | ERROR | 150 | 617 | SIMPLE
Primary received heartbeat from wrong source | High Availability | Maintenance | INFO | 160 | - | UNUSED
Primary received reboot signal from Backup | High Availability | System Error | ERROR | 671 | 665 | SIMPLE
Primary WAN link down, Backup going Active | High Availability | System Error | ERROR | 220 | 634 | UNUSED
Primary WAN link down, Primary going Idle | High Availability | Maintenance | INFO | 218 | - | UNUSED
Primary WAN link up, preempting Backup | High Availability | Maintenance | INFO | 221 | - | UNUSED
Priority attack dropped | Intrusion Detection | Attack | ALERT | 79 | 518 | STD
Probable port scan detected | Intrusion Detection | Attack | ALERT | 83 | 522 | STD_NOTE_STRING
Probable TCP FIN scan detected | Intrusion Detection | Attack | ALERT | 177 | 528 | STD_NOTE_STRING
Probable TCP NULL scan detected | Intrusion Detection | Attack | ALERT | 179 | 530 | STD_NOTE_STRING
Probable TCP XMAS scan detected | Intrusion Detection | Attack | ALERT | 178 | 529 | STD_NOTE_STRING
Problem loading the URL List; Appliance not registered | Security Services | System Error | ERROR | 183 | 623 | SIMPLE
Problem loading the URL List; check Filter settings | Security Services | System Error | ERROR | 10 | 602 | STD_NOTE_CODE
Problem loading the URL List; check your DNS server | Security Services | System Error | ERROR | 11 | 603 | SIMPLE
Problem loading the URL List; Flash write failure | Security Services | System Error | ERROR | 187 | 627 | SIMPLE
Problem loading the URL List; Retrying later | Security Services | System Error | ERROR | 186 | 626 | STD
Problem loading the URL List; Subscription expired | Security Services | System Error | ERROR | 184 | 624 | STD
Problem loading the URL List; Try loading it again | Security Services | System Error | ERROR | 185 | 625 | SIMPLE
Problem occurred during user group membership retrieval | Authentication Access | User Activity | WARNING | 1033 | - | STD_NOTE_STRING
Problem sending log email; check log settings | Firewall Logging | System Error | WARNING | 12 | 604 | SIMPLE
Processed Email received from Email Security Service | AntiSpam | - | INFO | 1096 | - | STD
RADIUS user cannot use One Time Password no mail address set for equivalent local user | Authentication Access | User Activity | INFO | 1119 | - | STD_STRING_SERVICE
Readonly mode GUI administration session started | Authentication Access | User Activity | INFO | 996 | - | STD_NOTE_STRING
Real time clock battery failure Time values may be incorrect | Firewall Hardware | System Error | WARNING | 539 | 644 | SIMPLE
Received a path MTU icmp message from router/gateway | Network | User Activity | INFO | 182 | - | STD_NOTE_SPI
Received a path MTU icmp message from router/gateway | Network | User Activity | INFO | 188 | - | STD_NOTE_MTU
Received Application Firewall Alert: Your SonicWALL Application Firewall (Application Firewall) subscription has expired | Security Services | Maintenance | WARNING | 1034 | 8635 | SIMPLE
Received CFS Alert: Your SonicWALL Content Filtering subscription has expired | Security Services | Maintenance | WARNING | 490 | 563 | SIMPLE
Received CFS Alert: Your SonicWALL Content Filtering subscription will expire in 7 days | Security Services | Maintenance | WARNING | 489 | 562 | SIMPLE
Received DHCP offer packet has errors | DHCP Client | Maintenance | INFO | 588 | - | STD_NOTE_STRING
Received EMail Filter Alert: Your SonicWALL EMail Filtering subscription has expired | Security Services | Maintenance | WARNING | 492 | 565 | SIMPLE
Received EMail Filter Alert: Your SonicWALL EMail Filtering subscription will expire in 7 days | Security Services | Maintenance | WARNING | 491 | 564 | SIMPLE
Received fragmented packet or fragmentation needed | Network | Debug | DEBUG | 63 | - | STD
Received IKE SA delete request | VPN IKE | User Activity | INFO | 413 | - | STD_NOTE_STRING
Received IPS Alert: Your SonicWALL Intrusion Prevention (IDP) subscription has expired | Security Services | Maintenance | WARNING | 614 | 571 | SIMPLE
Received IPsec SA delete request | VPN IKE | User Activity | INFO | 412 | - | STD_NOTE_STRING
Received LCP Echo Reply | PPPoE | Maintenance | INFO | 723 | - | SIMPLE
Received LCP Echo Request | PPPoE | Maintenance | INFO | 721 | - | SIMPLE
Received notify. NO_PROPOSAL_CHOSEN | VPN IKE | User Activity | WARNING | 401 | - | STD_NOTE_STRING
Received notify: INVALID_COOKIES | VPN IKE | User Activity | INFO | 414 | - | STD_NOTE_STRING
Received notify: INVALID_ID_INFO | VPN IPsec | User Activity | WARNING | 483 | - | STD_NOTE_STRING
Received notify: INVALID_PAYLOAD | VPN IKE | User Activity | ERROR | 661 | - | STD_NOTE_STRING
Received notify: INVALID_SPI | VPN IKE | User Activity | INFO | 416 | - | STD_NOTE_STRING
Received notify: ISAKMP_AUTH_FAILED | VPN IKE | User Activity | WARNING | 409 | - | STD_NOTE_STRING
Received notify: PAYLOAD_MALFORMED | VPN IKE | User Activity | WARNING | 411 | - | STD_NOTE_STRING
Received notify: RESPONDER_LIFETIME | VPN IKE | User Activity | INFO | 415 | - | STD_NOTE_STRING
Received packet retransmission. Drop duplicate packet | VPN IKE | User Activity | WARNING | 406 | - | STD_NOTE_STRING
Received PPPoE Active Discovery Offer | PPPoE | Maintenance | INFO | 593 | - | SIMPLE
Received PPPoE Active Discovery Session_confirmation | PPPoE | Maintenance | INFO | 594 | - | SIMPLE
Received response packet for DHCP request has errors Received unencrypted packet in crypto active state Remotely Triggered Dialout session ended. [. . . ]