Log > Categories
This chapter describes the configuration tasks that let you categorize and customize the logging functions on your firewall for troubleshooting and diagnostics.
Log Severity/Priority
This section describes how to configure the priority level at which log messages are captured and the priority level at which corresponding alert messages are sent by Email for notification.
Logging Level
The Logging Level control filters events by priority. Events of equal or greater priority are passed, and events of lower priority are dropped. The Logging Level menu includes the following priority scale items from highest to lowest priority:
Alert Level
The Alert Level control determines how Email Alerts are sent. An event of equal or greater priority causes an Email alert to be issued. Lower priority events do not cause an alert to be sent. Events are pre-filtered by the Logging Level control, so if the Logging Level control is set to a higher priority than that of the Alert Level control, only alerts at the Logging Level or higher are sent. Alert levels include:
Log Redundancy Filter
The Log Redundancy Filter allows you to define the time window in seconds during which repeated occurrences of the same attack are logged on the Log > View page as a single entry in the SonicWALL log. Many attacks are rapidly repeated, which can quickly fill up a log if each occurrence is logged separately. The Log Redundancy Filter has a default setting of 60 seconds.
Alert Redundancy Filter
The Alert Redundancy Filter allows you to define the time window in seconds during which repeated occurrences of the same attack are logged on the Log > View page as a single entry in the SonicWALL log before another alert is issued. The Alert Redundancy Filter has a default setting of 900 seconds.
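The interaction between the four controls above is easy to get wrong when tuning a firewall, in particular the fact that the Logging Level pre-filters what the Alert Level can ever see. The following Python model is an added example, not SonicWALL code: it runs a constructed trace of events through the Logging Level, the Log Redundancy Filter, the Alert Level and the Alert Redundancy Filter in that order, using the page's default windows of 60 and 900 seconds. The priority scale used (standard syslog severities, Emergency down to Debug) is an assumption, since this page does not reproduce the appliance's own menu list, and the `Event`, `LogSettings` and `LogPipeline` names and the "same attack" identifier are constructed for the illustration.

```python
"""Model of the Log Severity/Priority controls (Logging Level, Alert Level,
Log Redundancy Filter, Alert Redundancy Filter). Added illustration, not
SonicWALL code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: the standard syslog severity scale, highest priority first.
# A smaller number means a higher priority. The appliance's own menu list
# is not reproduced on this page.
PRIORITY = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
            "Warning": 4, "Notice": 5, "Info": 6, "Debug": 7}


@dataclass
class Event:
    time: int        # seconds since start of the (constructed) trace
    priority: str    # key of PRIORITY
    category: str    # log category, e.g. "Attacks"
    attack: str      # constructed identifier for "the same attack"


@dataclass
class LogSettings:
    logging_level: str = "Info"    # events below this priority are dropped
    alert_level: str = "Alert"     # logged events at/above this priority alert
    log_redundancy: int = 60       # seconds (page default)
    alert_redundancy: int = 900    # seconds (page default)


def at_least(priority: str, threshold: str) -> bool:
    """True when `priority` is of equal or greater priority than `threshold`."""
    return PRIORITY[priority] <= PRIORITY[threshold]


def effective_alert_level(s: LogSettings) -> str:
    """Logging Level pre-filters events, so the alert threshold that actually
    applies is whichever of the two controls is stricter (higher priority)."""
    if PRIORITY[s.logging_level] < PRIORITY[s.alert_level]:
        return s.logging_level
    return s.alert_level


class LogPipeline:
    def __init__(self, settings: LogSettings):
        self.s = settings
        self._last_logged: Dict[str, int] = {}   # attack id -> time of last entry
        self._last_alerted: Dict[str, int] = {}  # attack id -> time of last alert
        self.log: List[Event] = []

    def process(self, ev: Event) -> Tuple[bool, bool]:
        """Return (logged, alerted) for one event."""
        # 1. Logging Level: lower-priority events are dropped outright.
        if not at_least(ev.priority, self.s.logging_level):
            return (False, False)
        # 2. Log Redundancy Filter: a repeat of the same attack inside the
        #    window is folded into the existing entry, so nothing new is
        #    logged and (in this model) nothing downstream is triggered.
        last = self._last_logged.get(ev.attack)
        if last is not None and ev.time - last < self.s.log_redundancy:
            return (False, False)
        self._last_logged[ev.attack] = ev.time
        self.log.append(ev)
        # 3. Alert Level: only logged events at or above it can alert.
        if not at_least(ev.priority, self.s.alert_level):
            return (True, False)
        # 4. Alert Redundancy Filter: at most one alert per attack per window.
        last_a = self._last_alerted.get(ev.attack)
        if last_a is not None and ev.time - last_a < self.s.alert_redundancy:
            return (True, False)
        self._last_alerted[ev.attack] = ev.time
        return (True, True)


def run(events: List[Event], settings: LogSettings) -> List[Tuple[bool, bool]]:
    pipeline = LogPipeline(settings)
    return [pipeline.process(e) for e in events]


# Constructed sample trace: a SYN flood repeating roughly every 30 s, plus a
# debug-level event that the default Logging Level of Info drops.
SAMPLE_EVENTS = [
    Event(0, "Alert", "Attacks", "syn-flood"),
    Event(30, "Alert", "Attacks", "syn-flood"),
    Event(61, "Alert", "Attacks", "syn-flood"),
    Event(100, "Debug", "Network Debug", "arp-lookup"),
    Event(950, "Alert", "Attacks", "syn-flood"),
]

if __name__ == "__main__":
    for ev, (logged, alerted) in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS, LogSettings())):
        print(f"t={ev.time:4d} {ev.priority:<6} {ev.attack:<11} "
              f"logged={logged} alerted={alerted}")
    # Logging Level stricter than Alert Level: Warning events never reach
    # the alert stage, so the alert threshold is effectively Error.
    strict = LogSettings(logging_level="Error", alert_level="Warning")
    print("effective alert level:", effective_alert_level(strict))
```

With the defaults, the trace produces one log entry and one alert at t=0, suppresses the repeat at t=30, logs but does not alert the repeat at t=61 (inside the 900 s alert window), drops the Debug event, and logs and alerts again at t=950. The `effective_alert_level` helper makes the pre-filtering point explicit: with Logging Level at Error and Alert Level at Warning, no Warning event can ever produce an Email alert, which is the configuration mistake the Alert Level section warns about.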
Log Categories
Dell SonicWALL network security appliances provide automatic attack protection against well-known exploits. The majority of these legacy attacks were identified by telltale IP or TCP/UDP characteristics, and recognition was limited to a set of fixed layer 3 and layer 4 values. As the breadth and sophistication of attacks evolved, it became essential to dig deeper into the traffic and to develop the sort of adaptability that could keep pace with new threats.
All firewalls, even those running SonicWALL IPS, continue to recognize these legacy port and protocol types of attacks. The current behavior on all Dell SonicWALL network security appliances is to automatically and holistically prevent these legacy attacks, meaning that it is not possible to disable prevention of these attacks either individually or globally.
Dell SonicWALL network security appliances now include an expanded list of attack categories that can be logged.
The View Style menu provides the following three log category views:
The following table describes both the Legacy and Extended log categories.
Category | Type | Description
802.11 Management | Legacy | Logs WLAN IEEE 802.11 connections
Advanced Routing | Expanded | Logs messages related to RIPv2 and OSPF routing events
Anti-Spam Service | Extended | Logs SonicWALL Anti-Spam service activity
Application Control | Extended | Logs SonicWALL Application Control events
App Rules | Extended | Logs SonicWALL App Rules events
Attacks | Legacy | Logs messages showing Denial of Service attacks, such as SYN Flood, Ping of Death, and IP spoofing
Authenticated Access | Expanded | Logs administrator, user, and guest account activity
Blocked Java, etc. | Legacy | Logs Java, ActiveX, and Cookies blocked by the firewall
Blocked Web Sites | Legacy | Logs Web sites or news groups blocked by the Content Filter List or by customized filtering
BOOTP | Expanded | Logs BOOTP activity
Crypto Test | Expanded | Logs crypto algorithm and hardware testing
DDNS | Expanded | Logs Dynamic DNS activity
Denied LAN IP | Legacy | Logs all LAN IP addresses denied by the firewall
DHCP Client | Expanded | Logs DHCP client protocol activity
DHCP Relay | Expanded | Logs DHCP central and remote gateway activity
DHCP Server | Extended | Logs DHCP server activity
DPI-SSL | Extended | Logs DPI-SSL events
Dropped ICMP | Legacy | Logs blocked incoming ICMP packets
Dropped TCP | Legacy | Logs blocked incoming TCP connections
Dropped UDP | Legacy | Logs blocked incoming UDP packets
Dynamic Address Objects | Extended | Logs Dynamic Address Object (DAO) activity
Firewall Event | Extended | Logs internal firewall activity
Firewall Hardware | Extended | Logs firewall hardware error events
Firewall Logging | Extended | Logs general events and errors
Firewall Rule | Extended | Logs firewall rule modifications
FTP | Extended | Logs FTP sessions and activity
GMS | Extended | Logs GMS status events
High Availability | Extended | Logs High Availability activity
IPcomp | Extended | Logs IP compression activity
Intrusion Prevention | Extended | Logs intrusion prevention related activity
L2TP Client | Extended | Logs L2TP client activity
L2TP Server | Extended | Logs L2TP server activity
Multicast | Extended | Logs multicast IGMP activity
Network | Extended | Logs network ARP, fragmentation, and MTU activity
Network Access | Extended | Logs network and firewall protocol access activity
Network Debug | Legacy | Logs NetBIOS broadcasts, ARP resolution problems, and NAT resolution problems. Also displays detailed messages for VPN connections to assist the network administrator in troubleshooting problems with active VPN tunnels. Network Debug information is intended for experienced network administrators.
Network Monitor | Extended | Logs Network Monitor traffic
Network Traffic | Expanded | Logs network traffic reporting events
PPP | Extended | Logs generic PPP activity
PPP Dial-Up | Extended | Logs PPP dial-up activity
PPPoE | Extended | Logs PPPoE activity
PPTP | Extended | Logs PPTP activity
RBL | Extended | Logs real-time black list activity
RIP | Extended | Logs RIP activity
Remote Authentication | Extended | Logs RADIUS and LDAP server activity
RF Monitoring | Extended | Logs wireless RF monitoring activity
Security Services | Extended | Logs security services activity
SonicPoint | Extended | Logs SonicPoint activity
SonicPointN | Extended | Logs SonicPointN activity (using 802.11n wireless)
SSLVPN | Extended | Logs SSLVPN and virtual office activity
SSO Agent Authentication | Extended | Logs Single Sign On (SSO) agent authentication attempts and activity
System Environment | Extended | Logs system environment activity
System Errors | Legacy | Logs problems with DNS or Email
System Maintenance | Legacy | Logs general system activity, such as system activations
User Activity | Legacy | Logs successful and unsuccessful login attempts
VOIP | Extended | Logs VoIP H.323/RAS, H.323/H.225, and H.323/H.245 activity
VPN | Extended | Logs VPN activity
VPN Client | Extended | Logs VPN client activity
VPN IKE | Extended | Logs VPN IKE activity
VPN IPsec | Extended | Logs VPN IPsec activity
VPN PKI | Extended | Logs VPN PKI activity
VPN Tunnel Status | Legacy | Logs status information on VPN tunnels
WAN Availability | Extended | Logs changes in WAN interface availability
WAN Failover | Extended | Logs WAN failover activity
Wireless | Extended | Logs wireless activity
Wlan IDS | Extended | Logs WLAN IDS activity
Managing Log Categories
The Log Categories table displays log category information organized into the following columns:
You can sort the log categories in the Log Categories table by clicking on a column header. For example, clicking on the Category header switches the log categories from the default ascending order to descending order. An up or down arrow to the left of the column name indicates whether the column is sorted in ascending or descending order.
You can enable or disable Log, Alerts, and Syslog on a category-by-category basis by clicking the check box for the category in the table. You can enable or disable Log, Alerts, and Syslog for all categories at once by clicking the check box in the column header.