
SonicWALL, Inc.



Log > Categories

This chapter provides configuration tasks to enable you to categorize and customize the logging functions on your SonicWALL security appliance for troubleshooting and diagnostics.

Note: You can extend your SonicWALL security appliance log reporting capabilities by using SonicWALL ViewPoint. ViewPoint is a web-based graphical reporting tool for detailed and comprehensive reports. For more information on the SonicWALL ViewPoint reporting tool, refer to www.sonicwall.com.

Log Priority

This section describes how to configure the priority level at which log messages are captured, and the priority level at which corresponding alert messages are sent by e-mail for notification.

Logging Level

The Logging Level control filters events by priority. Events of equal or greater priority are passed, and events of lower priority are dropped. The Logging Level menu lists the following priority scale items, from highest to lowest priority:

Alert Level

The Alert Level control determines which events generate E-mail Alerts. An event of equal or greater priority causes an E-mail alert to be issued; lower priority events do not. Events are pre-filtered by the Logging Level control, so if the Logging Level is set to a higher priority than the Alert Level, only events at the Logging Level or higher ever reach the alert filter, and the Alert Level setting has no additional effect. Alert levels include:

Log Redundancy Filter

The Log Redundancy Filter defines the time window, in seconds, during which repeated occurrences of the same attack are collapsed into a single entry on the Log > View page. Many attacks are repeated rapidly, which would quickly fill the log if every occurrence were logged separately. The Log Redundancy Filter has a default setting of 60 seconds.

Alert Redundancy Filter

The Alert Redundancy Filter defines the time window, in seconds, during which repeated occurrences of the same attack produce only a single alert; further occurrences within the window are logged (subject to the Log Redundancy Filter) but do not trigger another alert. The Alert Redundancy Filter has a default setting of 900 seconds.

Log Categories

SonicWALL security appliances provide automatic attack protection against well-known exploits. The majority of these legacy attacks were identified by telltale IP or TCP/UDP characteristics, and recognition was limited to a set of fixed layer 3 and layer 4 values. As the breadth and sophistication of attacks evolved, it has become essential to dig deeper into the traffic and to develop the kind of adaptability that can keep pace with new threats.

All SonicWALL security appliances, including those running SonicWALL IPS, continue to recognize these legacy port and protocol attacks. The current behavior on all SonicWALL security appliances is to prevent these legacy attacks automatically and as a whole, meaning that prevention of these attacks cannot be disabled, either individually or globally.

SonicWALL security appliances now include an expanded list of attack categories that can be logged.

The View Style menu provides the following three log category views:

Table 61.1 describes both the Legacy and Extended log categories.

Table 61.1 Log Categories

Log Type | Category | Description
802.11b Management | Legacy | Logs WLAN IEEE 802.11b connections.
Advanced Routing | Extended | Logs messages related to RIPv2 and OSPF routing events.
Attacks | Legacy | Logs messages showing Denial of Service attacks, such as SYN Flood, Ping of Death, and IP spoofing.
Authenticated Access | Extended | Logs administrator, user, and guest account activity.
Blocked Java, etc. | Legacy | Logs Java, ActiveX, and Cookies blocked by the SonicWALL security appliance.
Blocked Web Sites | Legacy | Logs Web sites or newsgroups blocked by the Content Filter List or by customized filtering.
BOOTP | Extended | Logs BOOTP activity.
Crypto Test | Extended | Logs crypto algorithm and hardware testing.
DDNS | Extended | Logs Dynamic DNS activity.
Denied LAN IP | Legacy | Logs all LAN IP addresses denied by the SonicWALL security appliance.
DHCP Client | Extended | Logs DHCP client protocol activity.
DHCP Relay | Extended | Logs DHCP central and remote gateway activity.
Dropped ICMP | Legacy | Logs blocked incoming ICMP packets.
Dropped TCP | Legacy | Logs blocked incoming TCP connections.
Dropped UDP | Legacy | Logs blocked incoming UDP packets.
Firewall Event | Extended | Logs internal firewall activity.
Firewall Hardware | Extended | Logs firewall hardware error events.
Firewall Logging | Extended | Logs general events and errors.
Firewall Rule | Extended | Logs firewall rule modifications.
GMS | Extended | Logs GMS status events.
High Availability | Extended | Logs High Availability activity.
IPcomp | Extended | Logs IP compression activity.
Intrusion Prevention | Extended | Logs intrusion prevention related activity.
L2TP Client | Extended | Logs L2TP client activity.
L2TP Server | Extended | Logs L2TP server activity.
Multicast | Extended | Logs multicast IGMP activity.
Network | Extended | Logs network ARP, fragmentation, and MTU activity.
Network Access | Extended | Logs network and firewall protocol access activity.
Network Debug | Legacy | Logs NetBIOS broadcasts, ARP resolution problems, and NAT resolution problems. Also displays detailed messages for VPN connections to assist the network administrator in troubleshooting problems with active VPN tunnels. Network Debug information is intended for experienced network administrators.
Network Traffic | Extended | Logs network traffic reporting events.
PPP | Extended | Logs generic PPP activity.
PPP Dial-Up | Extended | Logs PPP dial-up activity.
PPPoE | Extended | Logs PPPoE activity.
PPTP | Extended | Logs PPTP activity.
RBL | Extended | Logs real-time black list activity.
RIP | Extended | Logs RIP activity.
Remote Authentication | Extended | Logs RADIUS and LDAP server activity.
Security Services | Extended | Logs security services activity.
SonicPoint | Extended | Logs SonicPoint activity.
System Errors | Legacy | Logs problems with DNS or e-mail.
System Maintenance | Legacy | Logs general system activity, such as system activations.
User Activity | Legacy | Logs successful and unsuccessful login attempts.
VOIP | Extended | Logs VoIP H.323/RAS, H.323/H.225, and H.323/H.245 activity.
VPN | Extended | Logs VPN activity.
VPN Client | Extended | Logs VPN client activity.
VPN IKE | Extended | Logs VPN IKE activity.
VPN IPsec | Extended | Logs VPN IPsec activity.
VPN PKI | Extended | Logs VPN PKI activity.
VPN Tunnel Status | Legacy | Logs status information on VPN tunnels.
WAN Failover | Extended | Logs WAN failover activity.
Wireless | Extended | Logs wireless activity.
WLAN IDS | Extended | Logs WLAN IDS activity.

Managing Log Categories

The Log Categories table displays log category information organized into the following columns:

You can sort the log categories in the Log Categories table by clicking on a column header. For example, clicking on the Category header changes the sort order from the default ascending order to descending order. An up or down arrow to the left of the column name indicates whether the column is sorted in ascending or descending order.

You can enable or disable Log, Alerts, and Syslog on a category by category basis by clicking on the check box for the category in the table. You can enable or disable Log, Alerts, and Syslog for all categories by clicking the checkbox on the column header.
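The filtering behaviour described above under Log Priority, Log Redundancy Filter and Alert Redundancy Filter, together with the per-category Log, Alerts and Syslog check boxes from this section, modelled as a stand-alone Python script. This is an added example written for this page; it is not SonicOS code and is not taken from SonicWALL. The page does not list the priority scale, so the script assumes the syslog severity order (emergency down to debug); it also assumes that the redundancy filters key on the (category, message) pair and that Syslog forwarding is not redundancy-filtered. The events, timestamps and messages are constructed.

```python
"""
Model of the Log > Categories controls: Logging Level and Alert Level
priority filters, Log and Alert Redundancy Filters, and per-category
Log/Alerts/Syslog flags.  Added example, not SonicOS code.

Assumptions not stated on the page:
  - the priority scale is the syslog severity order, highest first
  - the "same attack" key for the redundancy filters is (category, message)
  - Syslog forwarding is not subject to the redundancy filters
  - timestamps are seconds since an arbitrary start
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed priority order, highest first; lower index == higher priority.
PRIORITY_SCALE = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "info", "debug"]
RANK = {name: i for i, name in enumerate(PRIORITY_SCALE)}


@dataclass(frozen=True)
class Event:
    t: float          # seconds since start (constructed)
    priority: str
    category: str     # a category name from the table on this page
    message: str


@dataclass
class CategoryFlags:
    """The three check boxes on the Log Categories table, per category."""
    log: bool = True
    alerts: bool = True
    syslog: bool = True


@dataclass
class LogFilter:
    logging_level: str = "info"
    alert_level: str = "alert"
    log_redundancy: float = 60.0      # page default, seconds
    alert_redundancy: float = 900.0   # page default, seconds
    categories: Dict[str, CategoryFlags] = field(default_factory=dict)
    _last_logged: Dict[Tuple[str, str], float] = field(default_factory=dict)
    _last_alerted: Dict[Tuple[str, str], float] = field(default_factory=dict)

    @staticmethod
    def passes_level(priority: str, level: str) -> bool:
        """Equal or greater priority passes; lower priority is dropped."""
        return RANK[priority] <= RANK[level]

    def effective_alert_level(self) -> str:
        """Alerts are pre-filtered by Logging Level, so the threshold that
        actually applies is the more severe of the two settings."""
        return min(self.logging_level, self.alert_level, key=lambda p: RANK[p])

    def process(self, ev: Event) -> Tuple[bool, bool, bool]:
        """Return (logged, alerted, syslogged) for a single event."""
        flags = self.categories.get(ev.category, CategoryFlags())
        if not self.passes_level(ev.priority, self.logging_level):
            return False, False, False            # dropped by Logging Level
        key = (ev.category, ev.message)
        logged = alerted = False
        if flags.log:                             # Log Redundancy Filter window
            last = self._last_logged.get(key)
            if last is None or ev.t - last >= self.log_redundancy:
                self._last_logged[key] = ev.t
                logged = True
        if flags.alerts and self.passes_level(ev.priority, self.alert_level):
            last = self._last_alerted.get(key)    # Alert Redundancy Filter window
            if last is None or ev.t - last >= self.alert_redundancy:
                self._last_alerted[key] = ev.t
                alerted = True
        return logged, alerted, flags.syslog

    def run(self, events: List[Event]) -> Tuple[List[Event], List[Event], List[Event]]:
        """Route every event and return the (logged, alerted, syslogged) lists."""
        logged, alerted, syslogged = [], [], []
        for ev in events:
            l, a, s = self.process(ev)
            if l:
                logged.append(ev)
            if a:
                alerted.append(ev)
            if s:
                syslogged.append(ev)
        return logged, alerted, syslogged


# Constructed sample stream: a SYN Flood repeating inside and outside the
# 60 s / 900 s windows, plus lower-priority events from other categories.
SAMPLE_EVENTS = [
    Event(0,   "alert",   "Attacks", "SYN Flood"),
    Event(5,   "alert",   "Attacks", "SYN Flood"),
    Event(30,  "alert",   "Attacks", "SYN Flood"),
    Event(61,  "alert",   "Attacks", "SYN Flood"),
    Event(62,  "info",    "Network Access", "TCP connection dropped"),
    Event(65,  "debug",   "Network Debug", "ARP resolution problem"),
    Event(900, "alert",   "Attacks", "SYN Flood"),
    Event(901, "warning", "Firewall Hardware", "fan speed below threshold"),
]


def demo() -> Dict[str, int]:
    """Counts for the sample stream under the page's default settings."""
    logged, alerted, syslogged = LogFilter().run(SAMPLE_EVENTS)
    return {"logged": len(logged), "alerted": len(alerted), "syslog": len(syslogged)}


if __name__ == "__main__":
    print(demo())
    print("effective alert level (error/warning):",
          LogFilter("error", "warning").effective_alert_level())
```

With the defaults, five of the eight constructed events reach the log (the four SYN Flood repeats within 60 s collapse to one entry), only two generate an alert (the first occurrence and the one 900 s later), and the debug event is dropped before any category flag is consulted. Setting Logging Level to error while leaving Alert Level at warning is a common misconfiguration: `effective_alert_level()` makes visible that warning-level alerts can never be sent in that state.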


www.SonicWALL.com
SonicWALL, Inc.
http://www.sonicwall.com
1160 Bordeaux Drive
Sunnyvale, CA 94089-1209