P-2302R Series User’s Guide

18.1.2 Syslog Logs

There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session" is terminated. A traffic log summarizes the session's type, when it started and stopped, the amount of traffic that was sent and received, and so on. An external log analyzer can reconstruct and analyze the traffic flowing through the device after collecting the traffic logs.

Table 73 Syslog Logs

LOG MESSAGE
Event Log:
<Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="<msg>" note="<note>" devID="<mac address>" cat="<category>"

DESCRIPTION
This message is sent by the system ("RAS" displays as the system name if you haven't configured one) when the router generates a syslog. The facility is defined in the Log Settings screen. The severity is the log's syslog class. The messages and notes are defined in the various log charts throughout this appendix. The "devID" is the MAC address of the router's LAN port. The "cat" is the same as the category in the router's logs.

LOG MESSAGE
Traffic Log:
<Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="Traffic Log" note="Traffic Log" devID="<mac address>" cat="Traffic Log" duration=seconds sent=sentBytes rcvd=receiveBytes dir="<from:to>" protoID=IPProtocolID proto="serviceName" trans="IPSec/Normal"

DESCRIPTION
This message is sent by the device when the connection (session) is closed. The facility is defined in the Log Settings screen. The severity is the traffic log type. The message and note always display "Traffic Log". The "proto" field lists the service name. The "dir" field lists the incoming and outgoing interfaces ("LAN:LAN", "LAN:WAN", "LAN:DEV" for example).

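The following parser is an added example for the two line layouts in Table 73; it is not part of the guide or of any ZyXEL software. It decodes the <Facility*8 + Severity> priority, splits the src/dst and dir pairs, and converts the unquoted numeric fields of a traffic log. The two sample lines are constructed to match the documented layout (the devID value and the severity names, taken from standard syslog, are assumptions).

```python
import re
from typing import Any, Dict

# Sample lines constructed from the Table 73 layout, not captured from a device.
# The devID value is a placeholder; the real MAC format is not shown in the guide.
SAMPLE_EVENT = ('<134>Jan 1 00:00:05 RAS src="192.168.1.33:1028" dst="10.0.0.5:80" '
                'msg="sample event" note="sample note" devID="001122334455" '
                'cat="sample category"')
SAMPLE_TRAFFIC = ('<134>Jan 1 00:01:15 RAS src="192.168.1.33:1028" dst="10.0.0.5:80" '
                  'msg="Traffic Log" note="Traffic Log" devID="001122334455" '
                  'cat="Traffic Log" duration=70 sent=1234 rcvd=56789 dir="LAN:WAN" '
                  'protoID=6 proto="HTTP" trans="Normal"')

# <Facility*8 + Severity>Mon dd hr:mm:ss hostname <fields...>
_HEADER = re.compile(
    r'^<(?P<pri>\d+)>'
    r'(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) '
    r'(?P<body>.*)$')
# Fields are key="quoted value" or key=bareword (duration=, sent=, rcvd=, protoID=).
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Standard syslog severity names (assumed; the guide only gives the numeric formula).
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_log_line(line: str) -> Dict[str, Any]:
    """Parse one event or traffic log line into a dictionary of typed fields."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not a Table 73 syslog line: %r" % line)
    pri = int(m.group("pri"))
    rec: Dict[str, Any] = {
        "facility": pri // 8,            # undo Facility*8 + Severity
        "severity": pri % 8,
        "severity_name": SEVERITY_NAMES[pri % 8],
        "timestamp": m.group("ts"),
        "hostname": m.group("host"),     # "RAS" when no system name is configured
    }
    for key, quoted, bare in _FIELD.findall(m.group("body")):
        rec[key] = bare if bare else quoted
    for key in ("src", "dst"):           # "<ip:port>" -> separate ip and port
        if key in rec and ":" in rec[key]:
            ip, port = rec[key].rsplit(":", 1)
            rec[key + "_ip"], rec[key + "_port"] = ip, int(port)
    if "dir" in rec and ":" in rec["dir"]:   # "<from:to>" interfaces
        rec["dir_from"], rec["dir_to"] = rec["dir"].split(":", 1)
    for key in ("duration", "sent", "rcvd", "protoID"):  # bare numeric fields
        if key in rec:
            rec[key] = int(rec[key])
    rec["is_traffic_log"] = rec.get("cat") == "Traffic Log"
    return rec
```

Feeding the traffic records to a collector keyed on src_ip, dst_ip and protoID gives the per-session byte totals a log analyzer needs to reconstruct the traffic that crossed the device.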

The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.

Table 74 RFC-2408 ISAKMP Payload Types

LOG DISPLAY   PAYLOAD TYPE
SA            Security Association
PROP          Proposal
TRANS         Transform
KE            Key Exchange
ID            Identification
CER           Certificate
CER_REQ       Certificate Request
HASH          Hash
SIG           Signature
NONCE         Nonce
NOTFY         Notification

Chapter 18 Logs

194