Dashboard > Packet Monitor

Note For increased convenience and accessibility, the Packet Monitor page can be accessed either from Dashboard > Packet Monitor or System > Packet Monitor. The page is identical regardless of which tab it is accessed through. The Packet Monitor and how to use it are described in detail in System > Packet Monitor.

Dashboard > Log Monitor

Note For increased convenience and accessibility, the Log > View page is now part of the Dashboard > Log Monitor page, which can be accessed either from Dashboard > Log Monitor or Log > View in the left navigation pane.

The Dashboard > Log Monitor page comprises two sections: Log View Settings and Log View.

The SonicWALL security appliance maintains an Event log for tracking potential security threats. This log can be viewed in the Log View section of the Dashboard > Log Monitor page, or it can be automatically sent to an e-mail address for convenience and archiving. The log is displayed in a table and can be sorted by column.

The SonicWALL security appliance can alert you of important events, such as an attack on the SonicWALL security appliance. Alerts are immediately e-mailed, either to an e-mail address or to an e-mail pager. Each log entry contains the date and time of the event and a brief message describing the event.

Topics:

Log View Table

Filtering Log Records Viewed

Deep Packet Forensics

Distributed Event Detection and Replay

Methods of Access

Log View Table

The log is displayed in a table, which is sortable by column. The log table columns are:

# - the item number of the entry.

Time - the date and time of the event.

Priority - the level of priority associated with the log event.

Category - the event category, such as Network Access or Authenticated Access.

Message - provides a description of the event.

Source - displays the source network and IP address.

Destination - displays the destination network and IP address.

Notes - provides additional information about the event.

Rule - notes any Network Access Rule affected by the event.

Note To increase the number of entries visible on a page without scrolling, you can collapse the Log View Settings section by clicking the Minimize icon to the far right of the section name. The icon turns into the Maximize icon; click it to redisplay the Log View Settings section.

Highlighted Entries

Emergency and Alert entries are highlighted in the table.

Navigating and Sorting Log View Table Entries

Navigating the Entries

The Log View table provides easy pagination for viewing large numbers of log events. You can navigate these log events by using navigation controls located at the top right of the Log View table. For further information on navigating the Log View table, see Navigating Dynamic Tables.

Sorting the Entries

You can sort the entries in the table by clicking on the column header. The default sort is by Time. The entries are sorted by ascending or descending order. When you click on the column header, an arrow appears to the right of the column entry, indicating the sorting status. A down arrow means ascending order. An up arrow indicates descending order.

Refresh

To update log messages, click the Refresh button near the top left corner of the page. You can specify the refresh interval in the Refresh Interval (secs) field above the Log View table.

To pause the refresh, click the Pause icon above the Log View table.

Clear Log

To delete the contents of the log, click the Clear Log button near the top of the page.

Export Log

To export the contents of the log to a file, click the Export Log button below the Log View Settings section. The Export Log window displays, from which you can export log content in two formats:

Plain text format--Used in log and alert e-mail.

Comma-separated value (CSV) format--Used for importing into Excel or other presentation development applications.

E-mail Log

If you have configured the SonicWALL security appliance to e-mail log files, clicking E-mail Log near the top of the page sends the current log files to the e-mail address specified in the Log > Automation page; for details, see E-mail Log Automation.

Note The SonicWALL security appliance can alert you of important events, such as an attack on the SonicWALL security appliance. Alerts are immediately sent via e-mail, either to an e-mail address or to an e-mail pager. For receiving alerts, you must enter your e-mail address and server information, as described in E-mail Log Automation.

Filtering Log Records Viewed

You can filter the results to display only event logs matching certain criteria: Priority, Category, Source (IP or Interface), and Destination (IP or Interface). You configure the filter in the Log View Settings table.

To configure your filter, follow these steps:

1. Navigate to the Dashboard > Log Monitor page to enter your filter criteria in the Log View Settings table.


2. Select the priority level to log in the Priority drop-down menu. The default is All.

Syslog uses these eight severity levels to characterize messages, in descending order of severity:

Emergency

Alert

Critical

Error

Warning

Notice

Info (informational)

Debug

Selecting a level includes every more severe level as well. For example, selecting Error displays Emergency, Alert, Critical, and Error messages, but excludes Warning, Notice, Info, and Debug. Selecting Debug displays all messages.

Note Specify a priority level for a SonicWALL security appliance on the Log > Categories page; see Log > Categories.

For a complete reference guide of log event messages, refer to the SonicOS Combined Log Event Reference Guide.

3. Select a category from the Category menu. The default is All Categories.

4. Optionally, specify a source IP in the Source (IP, Interface) field and select a source interface from the interface drop-down menu. The interfaces listed depend on the appliance, for example: All Interfaces, X0, X1, X2:V50, X3. The defaults are all IPs and All Interfaces.

5. Optionally, specify a destination IP in the Destination (IP, Interface) field and select a destination interface from the interface drop-down menu, which lists the same interfaces. The defaults are all IPs and All Interfaces.

6. The values you enter are combined into a search string with a logical AND. For example, if you specify an interface for Source and for Destination, the search string will look for connections matching:

Priority AND Category AND Source interface AND Destination interface

The logic used for the filter is displayed in the Filter Logic section:

log_view_and_logic.png


Check the Group Filters box next to any two or more criteria to combine them with a logical OR.

For example, if you enter values for Source IP, Destination IP, and check Group Filters next to Source IP and Destination IP, the search string will look for connections matching:

(Source IP OR Destination IP) AND Priority AND Category

The Filter Logic section changes to reflect the new logic:

log_view_or_logic.png


7. Click the Apply Filter button to apply the filter immediately to the Log View table. Click the Reset Filters button to clear the filter and display the unfiltered results again.

The following example filters log events resulting from traffic from the WAN to the LAN:

log_view_settings_example.png
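The following Python is an added example, not SonicOS code or part of the product documentation. It reproduces the filter logic of steps 2 through 7 over a constructed CSV export of the kind the Export Log button produces, including the priority threshold, the default AND combination, the OR group created by Group Filters, and the text the Filter Logic section displays. The column names follow the Log View table; the "IP, interface" layout of the Source and Destination columns and the CIDR form of the IP fields are assumptions made for the example.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# The eight syslog severities in the order the page lists them, most severe first.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Info", "Debug"]

# Criterion name -> label used by the Filter Logic section.
LABELS = {"priority": "Priority", "category": "Category",
          "src_ip": "Source IP", "src_iface": "Source Interface",
          "dst_ip": "Destination IP", "dst_iface": "Destination Interface"}

# Constructed sample CSV export. Column names follow the Log View table; the
# "IP, interface" layout of Source/Destination is an assumption, not SonicOS's.
SAMPLE_CSV = """\
#,Time,Priority,Category,Message,Source,Destination,Notes,Rule
1,2014-03-05 10:00:01,Notice,Network Access,Connection Opened,"203.0.113.5, X1","192.0.2.10, X0",,3
2,2014-03-05 10:00:04,Alert,Attacks,Possible port scan detected,"198.51.100.7, X1","192.0.2.10, X0",,
3,2014-03-05 10:00:09,Notice,Network Access,Connection Closed,"192.0.2.20, X0","203.0.113.5, X1",,3
4,2014-03-05 10:00:15,Warning,Authenticated Access,Login failed,"192.0.2.20, X0","192.0.2.1, X0",,
5,2014-03-05 10:00:21,Debug,Network Access,Connection Opened,"10.10.0.3, X2:V50","192.0.2.10, X0",,7
"""


def parse_export(text: str) -> List[Dict[str, str]]:
    """Parse a CSV export, splitting Source/Destination into IP and interface."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        for column, prefix in (("Source", "src"), ("Destination", "dst")):
            ip, _, iface = (part.strip() for part in row[column].partition(","))
            row[prefix + "_ip"], row[prefix + "_iface"] = ip, iface
        records.append(row)
    return records


def ip_matches(addr: str, pattern: str) -> bool:
    """Exact match; a CIDR pattern (an extension of the page's single-IP
    field, assumed here) matches any address inside the network."""
    if not addr:
        return False
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return addr == pattern


@dataclass(frozen=True)
class LogFilter:
    """The Log View Settings fields; defaults are the page's wildcard values."""
    priority: str = "All"
    category: str = "All Categories"
    src_ip: Optional[str] = None
    src_iface: str = "All Interfaces"
    dst_ip: Optional[str] = None
    dst_iface: str = "All Interfaces"
    grouped: FrozenSet[str] = frozenset()   # criteria with Group Filters ticked

    def active(self) -> List[str]:
        """Criteria not left at their wildcard default."""
        wild = {"priority": "All", "category": "All Categories", "src_ip": None,
                "src_iface": "All Interfaces", "dst_ip": None,
                "dst_iface": "All Interfaces"}
        return [name for name, w in wild.items() if getattr(self, name) != w]

    def _split(self):
        """Partition active criteria into the OR group and the AND remainder.
        Group Filters needs two or more ticked criteria to have any effect."""
        active = self.active()
        group = [n for n in active if n in self.grouped]
        if len(group) < 2:
            group = []
        return group, [n for n in active if n not in group]

    def _test(self, name: str, rec: Dict[str, str]) -> bool:
        if name == "priority":
            # Selecting a level shows that level and every more severe one.
            return PRIORITIES.index(rec["Priority"]) <= PRIORITIES.index(self.priority)
        if name == "category":
            return rec["Category"] == self.category
        if name in ("src_ip", "dst_ip"):
            return ip_matches(rec[name], getattr(self, name))
        return rec[name] == getattr(self, name)   # src_iface / dst_iface

    def matches(self, rec: Dict[str, str]) -> bool:
        """(grouped criteria ORed) AND every remaining criterion."""
        group, rest = self._split()
        if group and not any(self._test(n, rec) for n in group):
            return False
        return all(self._test(n, rec) for n in rest)

    def describe(self) -> str:
        """Render the logic the way the Filter Logic section displays it."""
        group, rest = self._split()
        parts = ["(" + " OR ".join(LABELS[n] for n in group) + ")"] if group else []
        return " AND ".join(parts + [LABELS[n] for n in rest]) or "(no filter)"


def filter_ids(text: str, flt: LogFilter) -> List[str]:
    """Return the '#' values of the exported records that pass the filter."""
    return [r["#"] for r in parse_export(text) if flt.matches(r)]
```

The WAN-to-LAN example from the page corresponds to `LogFilter(src_iface="X1", dst_iface="X0")`, and ticking Group Filters on Source IP and Destination IP to `grouped=frozenset({"src_ip", "dst_ip"})`; `describe()` on the latter returns exactly the "(Source IP OR Destination IP) AND Priority AND Category" string shown above. Note that a priority threshold is a ceiling on severity rank, so Debug admits everything and Emergency admits only Emergency entries.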


Log Event Messages

For a complete reference guide of log event messages, refer to the SonicOS Combined Log Event Reference Guide.

Deep Packet Forensics

SonicWALL UTM appliances have configurable deep-packet classification capabilities that intersect with forensic and content-management products. While the SonicWALL can reliably detect and prevent ‘interesting-content’ events, it records only the occurrence of the event, not the packet data itself.

Of equal importance are diagnostic applications where the interesting content is traffic that is being unpredictably handled or inexplicably dropped.

Although the SonicWALL can capture interesting content itself using the Enhanced Packet Capture diagnostic tool, data recorders are application-specific appliances designed to record every packet on a network. They are highly optimized for this task and can record network traffic without dropping a single packet.

While data recorders are good at recording data, they lack the deep-packet inspection intelligence afforded by IPS/GAV/ASPY/AF (Intrusion Prevention, Gateway Anti-Virus, Anti-Spyware, and Application Firewall). Consider the minimal requirements of effective data analysis:

• Reliable storage of data

• Effective indexing of data

• Classification of interesting-content

Together, a UTM device (a SonicWALL appliance) and data-recorder (a Solera Networks appliance) satisfy the requirements to offer outstanding forensic and data-leakage capabilities.

Distributed Event Detection and Replay

The Solera appliance can search its data-repository, while also allowing the administrator to define “interesting-content” events on the SonicWALL. The level of logging detail and frequency of the logging can be configured by the administrator. Nearly all events include Source IP, Source Port, Destination IP, Destination Port, and Time. SonicOS has an extensive set of log events, including:

Debug/Informational Events—Connection setup/tear down

User-events—Administrative access, single sign-on activity, user logins, content filtering details

Firewall Rule/Policy Events—Access to and from particular IP:Port combinations, also identifiable by time

Interesting-content at the Network or Application Layer—Port-scans, SYN floods, DPI or AF signature/policy hits

The following is an example of the process of distributed event detection and replay:

1. The administrator defines the event trigger. For example, an Application Firewall policy is defined to detect and log the transmission of an official document:


log_view_trigger_event_1.png


log_view_trigger_event_2.png


2. A user on the network retrieves the file.

3. The event is logged by the SonicWALL.

4. The administrator selects the Recorder icon from the left column of the log entry. The icon appears in the log only when an NPCS is defined on the SonicWALL; the defined NPCS appliance is the link’s target, and the link includes query string parameters identifying the desired connection.

5. The NPCS (optionally) authenticates the user session. Because the link hands the NPCS the connection identifiers and the capture it returns contains that connection’s payload, this authentication should be enabled wherever the NPCS is reachable by anyone other than the administrators.

6. The requested data will be presented to the client as a .cap file, and can be saved or viewed on the local machine.

Methods of Access

The client and NPCS must be able to reach one another. Usually, this means the client and the NPCS will be in the same physical location, both connected to the SonicWALL appliance. In any case, the client will be able to directly reach the NPCS, or will be able to reach the NPCS through the SonicWALL. Administrators in a remote location will require some method of VPN connectivity to the internal network. Access from a centralized GMS console will have similar requirements.

Log Persistence

SonicOS currently allocates 32K to a rolling log buffer. When the log becomes full, it can be emailed to a defined recipient and flushed, or it can simply be flushed. Emailing provides a simple version of logging persistence, while GMS provides a more reliable and scalable method.

Because logs can be delivered as either plain text or HTML, the administrator has an easy way to review and replay logged events.

GMS

To provide the ability to identify and view events across an entire enterprise, a GMS update will be required. Device-specific interesting-content events at the GMS console appear on the Reports > Log Viewer Search page, but are also found throughout the various reports, such as Top Intrusions Over Time.

gms_data.jpg