Chapter 26 Logs Screens
26.6 Syslog Logs
There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session" is terminated. A traffic log summarizes the session's type, when it started and stopped the amount of traffic that was sent and received and so on. An external log analyzer can reconstruct and analyze the traffic flowing through the device after collecting the traffic logs.
Table 182 Syslog Logs
LOG MESSAGE | DESCRIPTION | |
Event Log: <Facility*8 + | This message is sent by the system ("RAS" displays as the | |
Severity>Mon dd hr:mm:ss | system name if you haven’t configured one) when the | |
hostname src="<srcIP:srcPort>" | router generates a syslog. The facility is defined in the web | |
dst="<dstIP:dstPort>" | MAIN MENU > LOGS > Log Settings page. The severity | |
msg="<msg>" note="<note>" | is the log’s syslog class. The definition of messages and | |
notes are defined in the other log tables. The “devID” is the | ||
devID="<mac address>" | MAC address of the router’s LAN port. The “cat” is the | |
cat="<category>" | same as the category in the router’s logs. | |
Traffic Log: <Facility*8 + | This message is sent by the device when the connection | |
Severity>Mon dd hr:mm:ss | (session) is closed. The facility is defined in the Log | |
hostname src="<srcIP:srcPort>" | Settings screen. The severity is the traffic log type. The | |
dst="<dstIP:dstPort>" | message and note always display "Traffic Log". The "proto" | |
field lists the service name. The "dir" field lists the incoming | ||
msg="Traffic Log" | ||
and outgoing interfaces ("LAN:LAN", "LAN:WAN", | ||
note="Traffic Log" devID="<mac | "LAN:DMZ", "LAN:DEV" for example). | |
address>" cat="Traffic Log" |
| |
duration=seconds |
| |
sent=sentBytes |
| |
rcvd=receiveBytes |
| |
dir="<from:to>" |
| |
protoID=IPProtocolID |
| |
proto="serviceName" |
| |
trans="IPSec/Normal" |
| |
Event Log: <Facility*8 + | This message is sent by the device ("RAS" displays as the | |
Severity>Mon dd hr:mm:ss | system name if you haven’t configured one) at the time | |
hostname src="<srcIP:srcPort>" | when this syslog is generated. The facility is defined in the | |
dst="<dstIP:dstPort>" | web MAIN MENU > LOGS > Log Settings page. The | |
ob="<01>" ob_mac="<mac | severity is the log’s syslog class. The definition of | |
messages and notes are defined in the other log tables. OB | ||
address>" msg="<msg>" | is the Out Break flag and the mac address of the Out Break | |
note="<note>" devID="<mac | PC. | |
address>" cat="<category>" |
| |
Event Log: <Facility*8 + | This message is sent by the device ("RAS" displays as the | |
Severity>Mon dd hr:mm:ss | system name if you haven’t configured one) at the time | |
hostname src="<srcIP:srcPort>" | when this syslog is generated. The facility is defined in the | |
dst="<dstIP:dstPort>" | web MAIN MENU > LOGS > Log Settings page. The | |
ob="01" ob_mac="<mac | severity is the log’s syslog class. The "encode" message | |
address>" msg="<msg>" | indicates the mail attachments encoding method. The | |
note="<note>" devID="<mac | definition of messages and notes are defined in the Anti- | |
address>" cat="Anti Virus" | Virus log descriptions. | |
encode="< uu b64 >" |
|
508 |
| |
ZyWALL 2WG User’s Guide |
| |
|
|
|