Chapter 18 Logging and Reporting


In this Chapter

• “Viewing Content Security Manager Log Events”
• “Specifying Log Categories and Priorities”
• “Configuring Syslog Settings”
• “Configuring E-mail Log Automation for Alerts and Logs”
• “Generating Simple Hits and Usage Reports”
• “Installing the SonicWALL ViewPoint Reporting Application”

Log > View

The SonicWALL Content Security Manager maintains an event log which displays potential security threats. This log can be viewed with a browser using the SonicWALL management interface, or it can be automatically sent to an email address for convenience and archiving. The log is displayed in a table and can be sorted by column.

The SonicWALL Content Security Manager can alert you of important events. Alerts are immediately emailed, either to an email address or to an email pager. Each log entry contains the date and time of the event and a brief message describing the event.

Click Log on the left side of the browser window. The default view is Log > View.

Note: For a complete listing of SonicWALL Content Security Manager log messages, refer to the SonicWALL Log Events Reference Guide, available on the SonicWALL Content Security Manager Resource CD or at <http://www.sonicwall.com/us/3396.html>.

Navigating and Sorting Log View Table Entries

The Log View table provides easy pagination for viewing large numbers of log events. You can navigate these log events by using the navigation control bar located at the top right of the Log View table. The navigation control bar includes four buttons. The far left button displays the first page of the table. The far right button displays the last page. The inside left and right arrow buttons move to the previous or next page respectively.

You can enter the policy number (the number listed before the policy name in the # Name column) in the Items field to move to a specific VPN policy. The default table configuration displays 50 entries per page. You can change this default number of entries for tables on the System > Administration page.

You can sort the entries in the table by clicking on the column header. The entries are sorted in ascending or descending order. The arrow to the right of the column entry indicates the sorting status. A down arrow means ascending order. An up arrow indicates descending order.

Refreshing the Log

To update log messages, click the Refresh button.

Clearing the Log

Clicking Clear Log deletes the contents of the log.

Exporting the Log

You can export the log to a file by clicking on the Export Log button. The Export Log window is displayed. You can select from plain-text format or Comma-Separated Value (CSV) format. After selecting the file format, click Export. Click Save in the File Download window (Windows 2000) to save the log file.

E-mailing the Log

If you have configured the SonicWALL Content Security Manager to email log files, clicking E-mail Log sends the current log files to the email address specified in the Log > Automation > E-mail section.

Log > Categories

You can extend your SonicWALL Content Security Manager log reporting capabilities by using SonicWALL ViewPoint, which is included in the SonicWALL Content Security Manager product. ViewPoint is a Web-based graphical reporting tool for detailed and comprehensive reports. Refer to "SonicWALL ViewPoint" for more information.

Log Severity/Priority

This section provides information on configuring the level of priority log messages that are captured and the corresponding alert messages that are sent through email for notification.

Logging Level

The Logging Level control filters events by priority. Events of equal or greater priority are passed, and events of lower priority are dropped. The Logging Level menu includes the following priority scale items from highest to lowest priority:

• Emergency (highest priority)
• Alert
• Critical
• Error
• Warning
• Notice
• Informational
• Debug (lowest priority)

Alert Level

The Alert Level control determines how E-mail Alerts are sent. An event of equal or greater priority causes an E-mail Alert to be issued. Lower priority events do not cause an alert to be sent. Events are pre-filtered by the Logging Level control, so if the Logging Level control is set to a higher priority than that of the Alert Level control, only alerts at the Logging Level or higher are sent. Alert levels include:

• Emergency (highest priority)
• Alert
• Critical
• Error (lowest priority)
• None (disables email alerts)
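The interaction between the two controls is easy to get wrong in practice: an Alert Level looser than the Logging Level never fires on events the log has already dropped. The following is an added example, not SonicWALL code, that models the two-stage filter using the priority names from the menus above; the Event class, the helper names and the sample events are assumptions constructed for illustration.

```python
# Added example, not SonicWALL code: a model of the Logging Level / Alert Level
# two-stage filter. Event, the helper names and SAMPLE are assumptions; the
# priority names are the ones shown in the Logging Level and Alert Level menus.
from dataclasses import dataclass
from typing import List, Tuple

# Logging Level scale, highest priority first. The index doubles as the syslog
# severity code (Emergency = 0 ... Debug = 7), so a smaller code is more urgent.
LOGGING_LEVELS = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]
# Alert Level menu: only the four most urgent priorities, plus None to disable.
ALERT_LEVELS = ["Emergency", "Alert", "Critical", "Error", "None"]
SEVERITY = {name: code for code, name in enumerate(LOGGING_LEVELS)}


@dataclass(frozen=True)
class Event:
    priority: str   # one of LOGGING_LEVELS
    message: str


def at_least(priority: str, level: str) -> bool:
    """True when `priority` is of equal or greater priority than `level`."""
    return SEVERITY[priority] <= SEVERITY[level]


def effective_alert_level(logging_level: str, alert_level: str) -> str:
    """The Alert Level that is really in force.

    Events are pre-filtered by the Logging Level, so when the Logging Level is
    stricter (higher priority) than the Alert Level, only events at the Logging
    Level or higher can ever produce an alert."""
    if alert_level == "None":
        return "None"
    return min(logging_level, alert_level, key=SEVERITY.__getitem__)


def process(events: List[Event], logging_level: str,
            alert_level: str) -> Tuple[List[Event], List[Event]]:
    """Return (logged, alerted) as the two controls would produce them."""
    if logging_level not in LOGGING_LEVELS or alert_level not in ALERT_LEVELS:
        raise ValueError("unknown level")
    logged = [e for e in events if at_least(e.priority, logging_level)]
    if alert_level == "None":
        return logged, []
    alerted = [e for e in logged if at_least(e.priority, alert_level)]
    return logged, alerted


# Constructed sample events (not taken from a real appliance log).
SAMPLE = [
    Event("Emergency", "fan failure"),
    Event("Error", "DNS lookup failed"),
    Event("Warning", "possible SYN flood"),
    Event("Informational", "administrator login"),
    Event("Debug", "ARP cache refreshed"),
]

if __name__ == "__main__":
    logged, alerted = process(SAMPLE, "Critical", "Error")
    # The Error event is dropped by the Logging Level, so it is never alerted.
    print(len(logged), "logged,", len(alerted), "alerted,",
          "effective alert level:", effective_alert_level("Critical", "Error"))
```

When checking an appliance's alerting, compare the two controls with `effective_alert_level` first: a Logging Level of Critical silently reduces an Alert Level of Error to Critical.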

Log Redundancy Filter

The Log Redundancy Filter allows you to define the time in seconds that the same attack is logged on the Log > View page as a single entry in the SonicWALL log. Various attacks are often rapidly repeated, which can quickly fill up a log if each attack is logged. The Log Redundancy Filter has a default setting of 60 seconds.

Alert Redundancy Filter

The Alert Redundancy Filter allows you to define the time in seconds that the same attack is logged on the Log > View page as a single entry in the SonicWALL Content Security Manager log before an alert is issued. The Alert Redundancy Filter has a default setting of 900 seconds.

Log Categories

The SonicWALL Content Security Manager provides automatic attack protection against well known exploits. The majority of these legacy attacks were identified by telltale IP or TCP/UDP characteristics, and recognition was limited to a set of fixed layer 3 and layer 4 values. As the breadth and sophistication of attacks evolved, it has become essential to dig deeper into the traffic, and to develop the sort of adaptability that could keep pace with the new threats.

The SonicWALL Content Security Manager recognizes legacy port and protocol types of attacks, and automatically and holistically prevents these legacy attacks, meaning that it is not possible to disable prevention of these attacks either individually or globally.

SonicWALL Content Security Manager now includes an expanded list of attack categories that can be logged.

The View Style menu provides the following three log category views:

All Categories - Displays both Legacy Categories and Expanded Categories.
Legacy Categories - Displays log categories carried over from earlier SonicWALL log event categories.
Expanded Categories - Displays the expanded listing of categories without the Legacy categories.

All Categories

Displays both the Legacy Categories and Expanded Categories items from the View Style menu.

Legacy Categories

Legacy Categories represent the older log event categories that have been replaced with the Expanded Categories listing. The Legacy Categories are preserved for use in Syslog messages.
Attacks - Logs messages showing Denial of Service attacks, such as SYN Flood, Ping of Death, and IP spoofing.
Blocked Java, etc. - Logs Java, ActiveX, and Cookies blocked by the SonicWALL Content Security Manager.
Blocked Web Sites - Logs Web sites or newsgroups blocked by the Content Filter List or by customized filtering.
Denied LAN IP - Logs all LAN IP addresses denied by the SonicWALL Content Security Manager.
Dropped ICMP - Logs blocked incoming ICMP packets.
Dropped TCP - Logs blocked incoming TCP connections.
Dropped UDP - Logs blocked incoming UDP packets.
Network Debug - Logs NetBIOS broadcasts, ARP resolution problems, and NAT resolution problems. Also, detailed messages for VPN connections are displayed to assist the network administrator with troubleshooting problems with active VPN tunnels. Network Debug information is intended for experienced network administrators.
System Environment - Logs physical unit events such as fan failure or power disruption.
System Errors - Logs problems with DNS or email.
System Maintenance - Logs general system activity, such as system activations.
User Activity - Logs successful and unsuccessful login attempts.

Expanded Categories

The Expanded Categories with descriptions are listed in the Log Categories table. Expanded Categories includes new functional categories that replace the older Legacy Categories, but the older Legacy Categories events are included in a rearranged format within the Expanded Categories.

Managing Log Categories

The Log Categories table displays log category information organized into the following columns:

Category - Displays log category name.
Description - Provides description of the log category activity type.
Log - Provides checkbox for enabling/disabling the display of the log events on the Log > View page.
Alerts - Provides checkbox for enabling/disabling the sending of alerts for the category.
Syslog - Provides checkbox for enabling/disabling the capture of the log events into the SonicWALL Content Security Manager Syslog.
Event Count - Displays the number of events for that category. Clicking the Refresh button updates these numbers.

You can sort the log categories in the Log Categories table by clicking on the column header. For example, clicking on the Category header sorts the log categories in descending order from the default ascending order. An up or down arrow to the left of the column name indicates whether the column is sorted in ascending or descending order.

You can enable or disable Log, Alerts, and Syslog on a category by category basis by clicking on the check box for the category in the table. You can enable or disable Log, Alerts, and Syslog for all categories by clicking the checkbox on the column header.

Log > Syslog

In addition to the standard event log, the SonicWALL Content Security Manager can send a detailed log to an external Syslog server. The SonicWALL Syslog captures all log activity and includes every connection source and destination IP address, IP service, and number of bytes transferred. The SonicWALL Syslog support requires an external server running a Syslog daemon on UDP Port 514. Syslog Analyzers such as SonicWALL ViewPoint can be used to sort, analyze, and graph the Syslog data. Messages from the SonicWALL Content Security Manager are then sent to the server(s). Up to three Syslog server IP addresses can be added.

Syslog Settings

Syslog Facility

Syslog Facility - Allows you to select the facilities and severity of the messages based on the syslog protocol.
Note: See RFC 3164 - The BSD Syslog Protocol for more information.
Override Syslog Settings with ViewPoint Settings - Check this box to override Syslog settings, if you are using SonicWALL ViewPoint for your reporting solution.
Syslog Event Redundancy (seconds) - This setting prevents repetitive messages from being written to Syslog. If duplicate events occur during the period specified in the Syslog Event Redundancy field, they are not written to Syslog as unique events. Instead, the additional events are counted, and then at the end of the period, a message is written to the Syslog that includes the number of times the event occurred. The default value is 60 seconds and the maximum value is 86,400 seconds (24 hours). Setting this value to 0 seconds sends all Syslog messages without filtering.
Syslog Format - You can choose the format of the Syslog to be Default or WebTrends. If you select WebTrends, however, you must have WebTrends software installed on your system.
Note: If the SonicWALL Content Security Manager is managed by SonicWALL Global Management System, the Syslog Server fields cannot be configured by the administrator of the SonicWALL Content Security Manager.
Enable Event Rate Limiting - This control allows you to enable rate limiting of events to prevent the internal or external logging mechanism from being overwhelmed by log events.
Enable Data Rate Limiting - This control allows you to enable rate limiting of data to prevent the internal or external logging mechanism from being overwhelmed by log events.
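The Log Redundancy Filter (default 60 seconds), the Alert Redundancy Filter (default 900 seconds) and the Syslog Event Redundancy setting above all describe the same mechanism: the first occurrence of an event is written, repeats inside the window are only counted, and a summary carrying the count is written when the window ends, with 0 disabling suppression. The following is an added example, not SonicWALL code, of such a window; the class name, the (timestamp, key, count) record shape and the sample event stream are assumptions constructed for illustration.

```python
# Added example, not SonicWALL code: a redundancy window of the kind described
# for the Log, Alert and Syslog Event Redundancy settings. The class, the
# (timestamp, key, count) record shape and SAMPLE_EVENTS are assumptions.
from typing import Dict, List, Tuple

Record = Tuple[int, str, int]   # (timestamp, event key, occurrence count)


class RedundancyFilter:
    """Collapse repeats of the same event within `window` seconds.

    The first occurrence is written at once with count 1. Repeats inside the
    window are only counted. When the window ends, one summary record with the
    number of repeats is written. window == 0 disables suppression, so every
    event is written (the manual's "sends all Syslog messages without filtering").
    """

    def __init__(self, window: int):
        if window < 0:
            raise ValueError("window must be >= 0 seconds")
        self.window = window
        self.pending: Dict[str, List[int]] = {}   # key -> [window_start, repeats]

    def offer(self, ts: int, key: str) -> List[Record]:
        """Return the records to write for event `key` observed at time `ts`."""
        out = self.flush(ts)            # close any windows that ended before ts
        if self.window == 0:
            out.append((ts, key, 1))
            return out
        state = self.pending.get(key)
        if state is None:
            self.pending[key] = [ts, 0]  # open a window; write the first hit
            out.append((ts, key, 1))
        else:
            state[1] += 1                # inside the window: count only
        return out

    def flush(self, now: int = None) -> List[Record]:
        """Emit summaries for windows that ended by `now` (all windows if None).

        A window whose first hit was never repeated emits nothing, because the
        first hit was already written when it arrived."""
        out: List[Record] = []
        for key, (start, repeats) in list(self.pending.items()):
            if now is None or now - start >= self.window:
                if repeats:
                    out.append((start + self.window, key, repeats))
                del self.pending[key]
        return out


def run(events: List[Tuple[int, str]], window: int) -> List[Record]:
    """Feed a whole event stream through one filter and close it at the end."""
    f = RedundancyFilter(window)
    out: List[Record] = []
    for ts, key in events:
        out.extend(f.offer(ts, key))
    out.extend(f.flush())
    return out


# Constructed sample stream (seconds since start, event key); not real log data.
SAMPLE_EVENTS = [
    (0, "SYN Flood"),
    (10, "SYN Flood"),
    (30, "SYN Flood"),
    (45, "Ping of Death"),
    (70, "SYN Flood"),
]

if __name__ == "__main__":
    for rec in run(SAMPLE_EVENTS, 60):
        print(rec)
```

Instantiate one filter per destination: `RedundancyFilter(60)` for the Log > View entries, `RedundancyFilter(900)` in front of the e-mail alert path, and one sized from the Syslog Event Redundancy field for the Syslog path. The repeat count in the summary record is what keeps a rapidly repeated attack from filling the log while still preserving how often it fired.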

Syslog Servers

Adding a Syslog Server

To add syslog servers to the SonicWALL Content Security Manager

1. Click Add. The Add Syslog Server window is displayed.
2. Type the Syslog server name or IP address in the Name or IP Address field. Messages from the SonicWALL Content Security Manager are then sent to the servers.
3. If your syslog is not using the default port of 514, type the port number in the Port Number field.
4. Click OK.
5. Click Apply to save all Syslog Server settings.

Log > Automation

Click Log, and then Automation to begin configuring the SonicWALL Content Security Manager to send log files using email and configuring syslog servers on your network.

E-mail Log Automation

Send Log to E-mail address - enter your email address (username@mydomain.com) in this field to receive the event log via email. Once sent, the log is cleared from the SonicWALL memory. If this field is left blank, the log is not emailed.
Send Alerts to E-mail address - enter your email address (username@mydomain.com) in the Send alerts to field to be immediately emailed when attacks or system errors occur. Type a standard email address or an email paging service. If this field is left blank, email alert messages are not sent.
Send Log - determines the frequency of sending log files. The options are When Full, Weekly, or Daily. If the Weekly or Daily option is selected, then select the day of the week the log is sent in the every menu and in the At field, the time of day in 24-hour format in the

Mail Server Settings

The mail server settings allow you to specify the name or IP address of your mail server, the from email address, and authentication method.

Mail Server (name or IP address) - Enter the IP address or FQDN of the email server used to send your log emails in this field.
From E-mail Address - Enter the E-mail address you want to display in the From field of the message.
Authentication Method - You can use the default None item or select POP Before SMTP.
Note: If the Mail Server (name or IP address) is left blank, log and alert messages are not emailed.

Log > Reports

The SonicWALL Content Security Manager can perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth. Click Log on the left side of the browser window, and then click Reports.

Data Collection

The Reports page includes the following functions and commands:

Start Data Collection
Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label changes to Stop Data Collection.
Reset Data
Click Reset Data to clear the report statistics and begin a new sample period. The sample period is also reset when data collection is stopped or started, and when the SonicWALL Content Security Manager is restarted.

View Data

Select the desired report from the Report to view menu. The options are Web Site Hits, Bandwidth Usage by IP Address, and Bandwidth Usage by Service. These reports are explained below. Click Refresh Data to update the report. The length of time analyzed by the report is displayed in the Current Sample Period.

Web Site Hits

Selecting Web Site Hits from the Report to view menu displays a table showing the URLs for the 25 most frequently accessed Web sites and the number of hits to a site during the current sample period.

The Web Site Hits report ensures that the majority of Web access is to appropriate Web sites. If leisure, sports, or other inappropriate sites appear in the Web Site Hits Report, you can choose to block the sites.

Bandwidth Usage by IP Address

Under View Data, selecting Bandwidth Usage by IP Address from the Report to view drop-down list displays a table showing the IP Address of the 25 top users of Internet bandwidth and the number of megabytes transmitted during the current sample period.

Bandwidth Usage by Service

Selecting Bandwidth Usage by Service from the Report to view drop-down list displays a table showing the name of the 25 top Internet services, such as HTTP, FTP, RealAudio, etc., and the number of megabytes received from the service during the current sample period.

The Bandwidth Usage by Service report shows whether the services being used are appropriate for your organization. If services such as video or push broadcasts are consuming a large portion of the available bandwidth, you can choose to block these services.
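The three reports above are top-N aggregations over the same connection records (source IP address, service, requested site and bytes transferred) collected during one sample period, reset whenever collection is stopped, started or the unit restarts. The following is an added example, not SonicWALL code, of that rolling analysis; the collector class, the record fields, the use of 1,000,000 bytes per megabyte and the sample records are assumptions constructed for illustration.

```python
# Added example, not SonicWALL code: rolling top-N analysis like the Log > Reports
# page (Web Site Hits, Bandwidth Usage by IP Address, Bandwidth Usage by Service).
# The class, record fields, MB definition and SAMPLE_RECORDS are assumptions.
from collections import Counter
from typing import List, Optional, Tuple

MEGABYTE = 1_000_000   # assumption: the manual does not state its MB definition

# (seconds since collection start, source IP, service, web site or None, bytes)
Record = Tuple[int, str, str, Optional[str], int]


class SampleCollector:
    """Accumulates one sample period; Reset Data starts a fresh period."""

    def __init__(self, top_n: int = 25):
        self.top_n = top_n
        self.reset()

    def reset(self) -> None:
        self.hits: Counter = Counter()              # web site -> hit count
        self.bytes_by_ip: Counter = Counter()       # source IP -> bytes
        self.bytes_by_service: Counter = Counter()  # service -> bytes
        self.started: Optional[int] = None
        self.last: Optional[int] = None

    def record(self, rec: Record) -> None:
        ts, src_ip, service, site, nbytes = rec
        if nbytes < 0:
            raise ValueError("byte count cannot be negative")
        if self.started is None:
            self.started = ts
        self.last = ts
        if site:                                     # only web requests count as hits
            self.hits[site] += 1
        self.bytes_by_ip[src_ip] += nbytes
        self.bytes_by_service[service] += nbytes

    def current_sample_period(self) -> int:
        """Seconds covered by the data collected so far (0 when empty)."""
        if self.started is None:
            return 0
        return self.last - self.started

    def web_site_hits(self) -> List[Tuple[str, int]]:
        return self.hits.most_common(self.top_n)

    def bandwidth_by_ip(self) -> List[Tuple[str, float]]:
        return [(ip, round(b / MEGABYTE, 2))
                for ip, b in self.bytes_by_ip.most_common(self.top_n)]

    def bandwidth_by_service(self) -> List[Tuple[str, float]]:
        return [(svc, round(b / MEGABYTE, 2))
                for svc, b in self.bytes_by_service.most_common(self.top_n)]


def collect(records: List[Record], top_n: int = 25) -> SampleCollector:
    """Start data collection over a record stream and return the collector."""
    c = SampleCollector(top_n)
    for rec in records:
        c.record(rec)
    return c


# Constructed sample records; not real traffic.
SAMPLE_RECORDS: List[Record] = [
    (0, "10.1.1.5", "HTTP", "www.example.com", 120_000),
    (5, "10.1.1.7", "HTTP", "news.example.net", 2_400_000),
    (9, "10.1.1.5", "HTTP", "www.example.com", 80_000),
    (20, "10.1.1.9", "FTP", None, 5_000_000),
    (31, "10.1.1.7", "HTTP", "www.example.com", 300_000),
    (40, "10.1.1.5", "RealAudio", None, 1_200_000),
]

if __name__ == "__main__":
    c = collect(SAMPLE_RECORDS)
    print("sample period:", c.current_sample_period(), "s")
    print("Web Site Hits:", c.web_site_hits())
    print("Bandwidth by IP (MB):", c.bandwidth_by_ip())
    print("Bandwidth by Service (MB):", c.bandwidth_by_service())
```

Reading the three views together is what makes the report useful for policy decisions: a service near the top of Bandwidth Usage by Service with few or no entries in Web Site Hits (FTP and RealAudio in the sample) is the pattern the manual describes as a candidate for blocking.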

Log > ViewPoint

SonicWALL ViewPoint

SonicWALL ViewPoint is included as part of the SonicWALL Content Security Manager. SonicWALL ViewPoint is a software solution that creates dynamic, Web-based reports of network activity. ViewPoint generates both real-time and historical reports to provide a complete view of all activity through your SonicWALL Content Security Manager. With SonicWALL ViewPoint, you are able to monitor network access, enhance network security and anticipate future bandwidth needs.

• Displays bandwidth use by IP address and service.
• Identifies inappropriate Web use.
• Presents detailed reports of attacks.
• Collects and aggregates system and network errors.

Syslog Servers

Clicking Enable ViewPoint Settings and Apply overrides Syslog settings for SonicWALL ViewPoint as your reporting solution. The Override Syslog Settings with ViewPoint Settings control on the Log > Syslog page is also automatically checked.

To point the SonicWALL Content Security Manager to the computer with SonicWALL ViewPoint installed, perform these steps:

1. Click Add. The Add Syslog Server window is displayed.
2. In the Name or IP Address field, enter the name or IP address of the computer on which you installed SonicWALL ViewPoint.
3. Click OK.

Installing ViewPoint

The ViewPoint software is available for download from your mySonicWALL.com account at <https://www.mysonicwall.com> after you register the Content Security Manager. The following instructions explain how to install ViewPoint.

Note: For complete instructions on configuring and managing SonicWALL ViewPoint, refer to the SonicWALL ViewPoint User’s Guide on the SonicWALL Content Security Manager Resource CD or available at <http://www.sonicwall.com/us/support/3340.html>.

Requirements

In order to install and run SonicWALL ViewPoint, you must be logged in as the administrator and the SonicWALL ViewPoint server must meet the following requirements:

• Windows 2000 or Windows XP Professional
• If accessed from the External Interface, the SonicWALL Content Security Manager appliance must have a static IP address. Otherwise, it may have either a static or dynamic IP address.
• Local and remote browser access: Microsoft Internet Explorer 5.5 or later
• Support for Java Plug-in JRE 1.3.1
• Pentium III or IV with a 1.4 GHz or faster processor
• Minimum 512 MB RAM
• At least 20 GB of free disk space
• Hostname that is 20 characters or less
• The SonicWALL ViewPoint system must be connected to the network.
• SonicWALL ViewPoint cannot be installed in a folder that has an embedded blank space, for example, “Program Files.”

Installation

When you are ready to install SonicWALL ViewPoint, follow these steps:

1. Log on to the computer as administrator.
2. Launch the SonicWALL ViewPoint installation wizard.
3. Click Next. The License Agreement screen appears.
4. Select from the following:
To accept the terms of the license agreement, select I accept the terms of the License Agreement and click Next. The Choose Install Folder screen appears.
5. To accept the default location, click Next. To select a different location, click Choose and select a folder. Click Next. The Settings screen appears.
6. In the Settings screen, do the following:
Enter the IP address or host name of the Simple Mail Transfer Protocol (SMTP) server in the SMTP Server Address field.
Enter the number of the Web server port in the Web Server Port field (default: 80).
Enter the email addresses of administrators who will receive email notifications from SonicWALL ViewPoint.
Enter and confirm the database password in the Database Password and Confirm Password fields.
To configure SonicWALL ViewPoint to validate these settings, select the Validate fields on this screen check box.
7. Click Install. The installation program begins copying SonicWALL ViewPoint files.
8. After the files are copied, restart the computer. Installation is complete.
