The SonicWALL SuperMassive maintains an Event log for tracking potential security threats. This log can be viewed in the Log > View page, or it can be automatically sent to an Email address for convenience and archiving. The log is displayed in a table and can be sorted by column.
The SonicWALL SuperMassive can alert you of important events, such as an attack on the SonicWALL SuperMassive. Alerts are immediately Emailed, either to an Email address or to an Email pager. Each log entry contains the date and time of the event and a brief message describing the event.
This chapter contains the following subsections:
• Refreshing Log Event Messages
• Exporting Log Event Messages
• Filtering Log Records Viewed
The log is displayed in a table and is sortable by column. The log table columns include:
• Time - the date and time of the event.
• Priority - the level of priority associated with your log event.
Syslog uses eight categories to characterize messages – in descending order of severity, the categories include:
– Emergency
– Alert
– Critical
– Error
– Warning
– Notice
– Informational
– Debug
Specify a priority level on a SonicWALL SuperMassive on the Log > Categories page to log messages for that priority level, plus all messages tagged with a higher severity. For example, select ‘error’ as the priority level to log all messages tagged as ‘error,’ as well as any messages tagged with ‘critical,’ ‘alert,’ and ‘emergency.’ Select ‘debug’ to log all messages.
Note: Refer to the Log Event Messages section for more information on your specific log event.
• Category - the type of traffic, such as Network Access or Authenticated Access.
• Message - provides a description of the event.
• Source - displays the source network and IP address.
• Destination - displays the destination network and IP address.
• Notes - provides additional information about the event.
• Rule - notes the Network Access Rule affected by the event.
The Log View table provides easy pagination for viewing large numbers of log events. You can navigate these log events by using the navigation control bar located at the top right of the Log View table. The navigation control bar includes four buttons. The far left button displays the first page of the table. The far right button displays the last page. The inside left and right arrow buttons move to the previous or next page, respectively.
You can sort the entries in the table by clicking on the column header. The entries are sorted by ascending or descending order. The arrow to the right of the column entry indicates the sorting status. A down arrow means ascending order. An up arrow indicates a descending order.
To update log messages, click the Refresh button near the top-right corner of the page.
To delete the contents of the log, click the Clear Log button near the top-right corner of the page.
To export the contents of the log to a defined destination, click the Export Log button below the filter table. You can export log content to two formats:
• Plain text format--Used in log and alert email.
• Comma-separated value (CSV) format--Used for importing into Excel or other presentation development applications.
If you have configured the SonicWALL SuperMassive to Email log files, clicking Email Log near the top right corner of the page sends the current log files to the Email address specified in the Log > Automation > Email section.
Note: The SonicWALL SuperMassive can alert you of important events, such as an attack on the SonicWALL SuperMassive. Alerts are immediately sent via Email, either to an Email address or to an Email pager. To send alerts, you must enter your Email address and server information in the Log > Automation page.
You can filter the results to display only event logs matching certain criteria. You can filter by Priority, Category, Source (IP or Interface), and Destination (IP or Interface).
Step 1 Enter your filter criteria in the Log View Settings table.
Step 2 The fields you enter values into are combined into a search string with a logical AND. For example, if you select an interface for Source and for Destination, the search string will look for connections matching:
Source interface AND Destination interface
Step 3 Check the Group Filters box next to any two or more criteria to combine them with a logical OR.
For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group Filters next to Source IP and Destination IP, the search string will look for connections matching:
(Source IP OR Destination IP) AND Protocol
Step 4 Click Apply Filter to apply the filter immediately to the Log View Settings table. Click Reset Filters to clear the filter and display the unfiltered results again.
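The following is an added example, not SonicWALL code, that emulates two behaviours described above over a few constructed log entries: the Log > Categories priority threshold (a selected level plus every higher severity) and the Log View filter with Group Filters (grouped fields ORed, everything else ANDed), plus a CSV export in the second export format. Field names and sample values are assumptions.

```python
import csv
import io

# Syslog severities in descending order of severity, as listed on this page.
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notice", "informational", "debug"]

# Constructed sample log entries (not real SonicWALL output); field names are assumed.
LOG = [
    {"priority": "alert", "category": "Attacks", "src_ip": "10.0.0.5",
     "dst_ip": "192.168.1.10", "protocol": "TCP"},
    {"priority": "error", "category": "Network Access", "src_ip": "10.0.0.9",
     "dst_ip": "192.168.1.20", "protocol": "UDP"},
    {"priority": "notice", "category": "Authenticated Access", "src_ip": "10.0.0.5",
     "dst_ip": "192.168.1.30", "protocol": "TCP"},
    {"priority": "debug", "category": "Network Access", "src_ip": "10.0.0.7",
     "dst_ip": "192.168.1.10", "protocol": "TCP"},
]


def logged_at_level(entries, level):
    """Keep entries at the chosen priority plus every higher severity,
    e.g. 'error' keeps error, critical, alert and emergency."""
    cutoff = SEVERITIES.index(level)
    return [e for e in entries if SEVERITIES.index(e["priority"]) <= cutoff]


def apply_filter(entries, criteria, grouped=()):
    """criteria maps a field to the required value. Fields named in `grouped`
    (the Group Filters checkboxes) are ORed together; that group and all
    remaining fields are ANDed, giving e.g. (src_ip OR dst_ip) AND protocol."""
    grouped = set(grouped) & set(criteria)

    def matches(entry):
        if grouped and not any(entry[f] == criteria[f] for f in grouped):
            return False
        return all(entry[f] == criteria[f] for f in criteria if f not in grouped)

    return [e for e in entries if matches(e)]


def export_csv(entries):
    """Render entries as comma-separated values, one header row then one row per event."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(entries[0].keys()))
    writer.writeheader()
    writer.writerows(entries)
    return buf.getvalue()
```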
For a complete reference guide of log event messages, refer to the SonicWALL Log Event Reference Guide located at http://www.sonicwall.com/us/support/230_3611.html.
Distributed Event Detection and Replay
The Solera appliance can search its data-repository, while also allowing the administrator to define “interesting-content” events on the SonicWALL. The level of logging detail and frequency of the logging can be configured by the administrator. Nearly all events include Source IP, Source Port, Destination IP, Destination Port, and Time. SonicOS has an extensive set of log events, including:
• Debug/Informational Events—Connection setup/tear down
• User-events—Administrative access, single sign-on activity, user logins, content filtering details
• Firewall Rule/Policy Events—Access to and from particular IP:Port combinations, also identifiable by time
• Interesting-content at the Network or Application Layer—Port-scans, SYN floods, DPI or AF signature/policy hits
The following is an example of the process of distributed event detection and replay:
1. The administrator defines the event trigger. For example, an App Rules policy is defined to detect and log the transmission of an official document.
2. A user (at IP address 192.168.19.1) on the network retrieves the file.
3. The event is logged by the SonicWALL.
4. The administrator selects the Recorder icon from the left column of the log entry. The icon/link only appears in the log when an NPCS is defined on the SonicWALL (for example, IP: [192.168.169.100], Port: [443]). The defined NPCS appliance will be the link’s target. The link will include the query string parameters defining the desired connection.
5. The NPCS will (optionally) authenticate the user session.
SonicOS currently allocates 32K to a rolling log buffer. When the log becomes full, it can be emailed to a defined recipient and flushed, or it can simply be flushed. Emailing provides a simple form of logging persistence. Because logs can be delivered as either plain text or HTML, the administrator has an easy way to review and replay logged events.