ZyWALL 5/35/70 Series User’s Guide
Syslog Logs
There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session" is terminated. A traffic log summarizes the session's type, when it started and stopped the amount of traffic that was sent and received and so on. An external log analyzer can reconstruct and analyze the traffic flowing through the device after collecting the traffic logs.
Table 298 Syslog Logs
LOG MESSAGE | DESCRIPTION | |
|
| |
Event Log: <Facility*8 + | This message is sent by the system ("RAS" displays as the | |
Severity>Mon dd hr:mm:ss | system name if you haven’t configured one) when the router | |
hostname src="<srcIP:srcPort>" | generates a syslog. The facility is defined in the web MAIN | |
dst="<dstIP:dstPort>" | MENU, LOGS, Log Settings page. The severity is the log’s | |
msg="<msg>" note="<note>" | syslog class. The definition of messages and notes are | |
defined in the other log tables. The “devID” is the MAC | ||
devID="<mac address>" | address of the router’s LAN port. The “cat” is the same as | |
cat="<category>" | the category in the router’s logs. | |
Traffic Log: <Facility*8 + | This message is sent by the device when the connection | |
Severity>Mon dd hr:mm:ss | (session) is closed. The facility is defined in the Log | |
hostname src="<srcIP:srcPort>" | Settings screen. The severity is the traffic log type. The | |
dst="<dstIP:dstPort>" | message and note always display "Traffic Log". The "proto" | |
field lists the service name. The "dir" field lists the incoming | ||
msg="Traffic Log" | ||
and outgoing interfaces ("LAN:LAN", "LAN:WAN", | ||
note="Traffic Log" devID="<mac | "LAN:DMZ", "LAN:DEV" for example). | |
address>" cat="Traffic Log" |
| |
duration=seconds |
| |
sent=sentBytes |
| |
rcvd=receiveBytes |
| |
dir="<from:to>" |
| |
protoID=IPProtocolID |
| |
proto="serviceName" |
| |
trans="IPSec/Normal" |
| |
Event Log: <Facility*8 + | This message is sent by the device ("RAS" displays as the | |
Severity>Mon dd hr:mm:ss | system name if you haven’t configured one) at the time | |
hostname src="<srcIP:srcPort>" | when this syslog is generated. The facility is defined in the | |
dst="<dstIP:dstPort>" | web MAIN MENU, LOGS, Log Settings page. The severity | |
ob="<01>" ob_mac="<mac | is the log’s syslog class. The definition of messages and | |
notes are defined in the other log tables. OB is the Out | ||
address>" msg="<msg>" | Break flag and the mac address of the Out Break PC . | |
note="<note>" devID="<mac |
| |
address>" cat="<category>" |
| |
|
| |
Event Log: <Facility*8 + | This message is sent by the device ("RAS" displays as the | |
Severity>Mon dd hr:mm:ss | system name if you haven’t configured one) at the time | |
hostname src="<srcIP:srcPort>" | when this syslog is generated. The facility is defined in the | |
dst="<dstIP:dstPort>" | web MAIN MENU, LOGS, Log Settings page. The severity | |
ob="01" ob_mac="<mac | is the log’s syslog class. The "encode" message indicates | |
address>" msg="<msg>" | the mail attachments encoding method. The definition of | |
note="<note>" devID="<mac | messages and notes are defined in the | |
address>" cat="Anti Virus" | descriptions. | |
encode="< uu b64 >" |
|
Appendix S Log Descriptions | 790 |