LogLogic McAfee Firewall Enterprise (Sidewinder) Log Configuration Guide


Document Release: September 2011
Part Number: LL ELS

This manual supports LogLogic Sidewinder Release 1.2 and later, and LogLogic Software Release 5.1 and later until replaced by a new edition.

© 2011 LogLogic, Inc. Proprietary Information

Trademarks

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.

LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

LogLogic, Inc.
110 Rose Orchard Way, Suite 200
San Jose, CA
Tel:
Fax:
U.S. Toll Free:

Contents

Preface
  About This Guide
  Technical Support
  Documentation Support
  Conventions
Chapter 1 Configuring LogLogic's Sidewinder Log Collection
  Introduction to Sidewinder
  Prerequisites
  Configuring Sidewinder
  Enabling the LogLogic Appliance to Capture Data
  Adding a Sidewinder Device
  Verifying the Configuration
Chapter 2 How LogLogic Supports Sidewinder
  How LogLogic Captures Sidewinder Data
  LogLogic Real-Time Reports
  LogLogic Search-Based
Chapter 3 Troubleshooting and FAQ
  Troubleshooting
  Frequently Asked Questions
Appendix A Reference
  LogLogic Support for Sidewinder Events

McAfee Firewall Enterprise (Sidewinder) Log Configuration Guide 3


Preface

About This Guide

The LogLogic Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for McAfee Firewall Enterprise (Sidewinder) enables LogLogic Appliances to capture logs from machines running Sidewinder. Once the logs are captured and parsed, you can generate reports and create alerts on Sidewinder's operations. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.

To reach LogLogic Customer Support:
Telephone: Toll Free LOGS
Local
EMEA or APAC: + 44 (0) or +44 (0)
E-mail: support@loglogic.com

You can also visit the LogLogic Support website at:

When contacting Customer Support, be prepared to provide:
- Your name, address, phone number, and fax number
- Your company name and company address
- Your machine type and release version
- A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send e-mail to DocComments@loglogic.com if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team. In your message, please indicate the software name and version you are using, as well as the title and document date of your documentation.

Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:
- A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).
- A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:
  username: system
  home directory: home\app
- A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:
  LogLogic_home_directory\upgrade\
- Straight brackets signal options in command-line syntax. For example:
  ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path...]

Chapter 1 Configuring LogLogic's Sidewinder Log Collection

This chapter describes the configuration steps involved to enable a LogLogic Appliance to capture Sidewinder logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Sidewinder-related log data.

- Introduction to Sidewinder
- Prerequisites
- Configuring Sidewinder
- Enabling the LogLogic Appliance to Capture Data
- Verifying the Configuration

Introduction to Sidewinder

Sidewinder (also known as Secure Firewall) is a hardware appliance that contains the following features:
- Application-layer firewall
- VPN functionality
- Web filtering
- Anti-spam/Anti-fraud functionality
- Anti-virus/Anti-spyware filtering engines

The logs produced by Sidewinder include events from all of its application functions (i.e., firewall, VPN, Web filtering, etc.) as well as local auditing of the Sidewinder appliance itself (e.g., appliance configuration changes, logins, daemon errors, etc.).

Sidewinder appliances can generate audit log messages via Syslog using a variety of log formats. The LogLogic Appliance supports Syslog Sidewinder firewall events using the Sidewinder Export Format (SEF). The LogLogic Appliance acts as the Syslog Server for Sidewinder, and Sidewinder sends SEF-formatted Syslog messages via UDP or TCP to the Appliance's Syslog Listener.

The configuration procedures for Sidewinder and the LogLogic Appliance depend upon your environment. For more information, see How LogLogic Captures Sidewinder Data on page 14.

Prerequisites

Prior to configuring Sidewinder and the LogLogic Appliance, ensure that you meet the following prerequisites:
- Secure Computing Sidewinder appliances running version 6.1, 6.2.x, 7.0
- Proper access permissions to make configuration changes
- LogLogic Appliance running Release 5.1 or later installed with a Log Source Package that includes Sidewinder support
- Administrative access on the LogLogic Appliance
- McAfee Firewall Enterprise (Sidewinder) appliances running version 7.0

Configuring Sidewinder

You must enable and configure auditing and Syslog on Sidewinder prior to configuring the LogLogic Appliance.

Note: This document does not describe all features and functionality within Sidewinder regarding configuration and Syslog. For more information on these areas, see the McAfee Support Knowledge Base and the McAfee Product Documentation.

To configure Sidewinder version 6.1:

1. Make sure that the auditing and syslog daemons are stopped on the Sidewinder host machine.
2. On Sidewinder, navigate to the following location: /etc/sidewinder/
3. Open the auditd.conf file in a text editor and add the following line to the end of the file:
   syslog(facility filters["filter"] format)
   where,
   facility - Facility level associated with the Syslog message (e.g., local0-local7)
   filter - Name of the sacap filter to use for all the events. If this parameter is set to NULL, then all audit events are reported to the log.
   Note: Depending on load and network traffic, a more restrictive filter than NULL might be needed. For more information on sacap filters, see the McAfee Product Documentation.
   format - Output format. Make sure this is set to SEF (Sidewinder Export Format used by Sidewinder G2 Security Reporter).
   For example, syslog(local0 filters["null"] SEF)
4. Open the syslogd.conf file in a text editor and modify the default burb entry (log_burb[0]) to the correct burb.
5. Navigate to the following location: /etc/
6. Open the syslog.conf file in a text editor and add the following line to the file:
   where,
   facility - Facility level you specified in auditd.conf (the same facility as mentioned above)
   x.x.x.x - IP address of the remote Syslog Server (i.e., LogLogic Appliance)
   For example,
7. Restart the auditing and syslog daemons by completing the following steps:
   a. Find the Syslog Process Identifier (PID) using the pss syslog command.
   b. Restart the syslogd and audit processes by using the following commands:
      kill syslogpid ind Slog /usr/sbin/syslogd -l cf server restart auditd

To configure Sidewinder version 6.2.x:

1. Make sure that the auditing and syslog daemons are stopped on the Sidewinder host machine.
2. Navigate to the following location: /etc/sidewinder/
3. Open the auditd.conf file in a text editor and add the following line to the end of the file:
   syslog(facility filters["filter"] format)
   where,
   facility - Facility level associated with the Syslog message (e.g., local0-local7)
   filter - Name of the sacap filter to use for all the events. If this parameter is set to NULL, then all audit events are reported to the log.
   Note: Depending on load and network traffic, a more restrictive filter than NULL might be needed. For more information on sacap filters, see the McAfee Product Documentation.
   format - Output format. Make sure this is set to SEF (Sidewinder Export Format used by Sidewinder G2 Security Reporter).
   For example, syslog(local0 filters["null"] SEF)
4. Navigate to the following location: /etc/
5. Open the syslog.conf file in a text editor and add the following line to the file:
   where,
   facility - Facility level you specified in auditd.conf (the same facility as mentioned above)
   x.x.x.x - IP address of the remote Syslog Server (i.e., LogLogic Appliance)
   For example,
6. Restart the auditing and syslog daemons by completing the following steps:
   a. Find the Syslog Process Identifier (PID) using the pss syslog command.
   b. Restart the syslogd and audit processes by using the following commands:
      kill -HUP syslogpid ind Slog /usr/sbin/syslogd -l cf server restart auditd

To configure Sidewinder version 7.0:

1. Make sure that the auditing and syslog daemons are stopped on the Sidewinder host machine.
2. Navigate to the following location: /secureos/etc/
3. Open the auditd.conf file in a text editor and add the following line to the end of the file:
   syslog(facility filters["filter"] format)
   where,
   facility - Facility level associated with the Syslog message (e.g., local0-local7)
   filter - Name of the sacap filter to use for all the events. If this parameter is set to NULL, then all audit events are reported to the log.
   Note: Depending on load and network traffic, a more restrictive filter than NULL might be needed. For more information on sacap filters, see the McAfee Product Documentation.
   format - Output format. Make sure this is set to SEF (Sidewinder Export Format used by Sidewinder G2 Security Reporter).
   For example, syslog(local0 filters["null"] SEF)
4. Navigate to the following location: /etc/
5. Open the syslog.conf file in a text editor and add the following line to the file:
   where,
   facility - Facility level you specified in auditd.conf (the same facility as mentioned above)
   x.x.x.x - IP address of the remote Syslog Server (i.e., LogLogic Appliance)
   For example,
6. In the syslog.conf file, change this line:
   *.notice;auth,...uucp.none /var/log/messages
   to this:
   *.notice;auth,...uucp,facility.none /var/log/messages
   Changing this line prevents redundant logging.
7. Restart the auditing and syslog daemons by using the following commands:
   cf daemond restart agent=syslog
   cf daemond restart agent=auditd
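The procedures above all end with the same three conditions that the Troubleshooting chapter later tells you to verify: the auditd.conf syslog() line emits SEF, the chosen facility is forwarded to the LogLogic Appliance, and (step 6 of the 7.0 procedure) the same facility is excluded from the local messages file so events are not logged twice. The following check is an added example and is not part of this guide or of McAfee's or LogLogic's software. It assumes classic syslog.conf syntax ("selector<TAB>action", with an action of "@host" meaning forward to a remote server); the configuration fragments and the 192.0.2.50 address are constructed for the example.

```python
import re

# Constructed configuration fragments (not taken from a real appliance). The auditd.conf
# line is the form this guide documents; the syslog.conf lines assume classic syslog.conf
# syntax ("selector<TAB>action"), with "@host" forwarding to a remote Syslog Server.
AUDITD_CONF = """\
# other auditd.conf content omitted
syslog(local0 filters["null"] SEF)
"""

# Local logging only: the facility is never forwarded and still lands in /var/log/messages.
SYSLOG_CONF_WEAK = """\
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,news,user,uucp.none\t/var/log/messages
"""

# Forwarded to the LogLogic Appliance (placeholder address) and excluded from the local file.
SYSLOG_CONF_FIXED = """\
local0.*\t@192.0.2.50
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,news,user,uucp,local0.none\t/var/log/messages
"""

AUDITD_SYSLOG = re.compile(r'syslog\((\w+)\s+filters\["([^"]*)"\]\s+(\w+)\)')


def parse_auditd_syslog(text):
    """Return (facility, filter, format) from the syslog(...) line in auditd.conf."""
    m = AUDITD_SYSLOG.search(text)
    if not m:
        raise ValueError("auditd.conf has no syslog(facility filters[...] format) line")
    return m.group(1), m.group(2), m.group(3)


def parse_syslog_conf(text):
    """Return [(selectors, action)] with selectors as [(facilities, priority)]."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        selectors = []
        for part in selector.split(";"):
            facs, prio = part.rsplit(".", 1)
            selectors.append((facs.split(","), prio))
        rules.append((selectors, action.strip()))
    return rules


def selects(selectors, facility):
    """Classic syslog semantics: later selectors on a line override earlier ones,
    and a '.none' priority removes the facility from that rule."""
    enabled = False
    for facs, prio in selectors:
        if "*" in facs or facility in facs:
            enabled = prio != "none"
    return enabled


def check_forwarding(auditd_text, syslog_text):
    """Return a list of findings; an empty list means the facility is forwarded
    to a remote server, in SEF, and not duplicated into a local file."""
    facility, _filter, fmt = parse_auditd_syslog(auditd_text)
    findings = []
    if fmt != "SEF":
        findings.append(f"auditd.conf output format is {fmt}, not SEF")
    rules = parse_syslog_conf(syslog_text)
    if not any(action.startswith("@") and selects(sels, facility) for sels, action in rules):
        findings.append(f"no syslog.conf rule forwards facility {facility} to a remote server")
    for sels, action in rules:
        if not action.startswith("@") and selects(sels, facility):
            findings.append(f"facility {facility} is also written locally to {action}")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", SYSLOG_CONF_WEAK), ("fixed", SYSLOG_CONF_FIXED)):
        print(name, check_forwarding(AUDITD_CONF, conf) or ["OK"])
```

The weak configuration produces two findings (no forwarding rule, and the facility still written to /var/log/messages); the fixed one produces none. The facility name is taken from auditd.conf rather than hard-coded so the check stays correct if a site uses a facility other than local0.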

Enabling the LogLogic Appliance to Capture Data

The following sections describe how to configure the LogLogic Appliance to capture Sidewinder Syslog messages.

Caution: The LogLogic Appliance's device auto-identification feature is not supported for Sidewinder. You must manually add Sidewinder as a device on the Appliance.

Adding a Sidewinder Device

Because auto-identification is not available for Sidewinder, add the Sidewinder device to the LogLogic Appliance manually before you redirect the logs.

To add Sidewinder as a new device:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Devices. The Devices tab appears.
3. Click Add New. The Add Device tab appears.
4. Type in the following information for the device:
   Name - Name for the Sidewinder device
   Description (optional) - Description of the Sidewinder device
   Device Type - Select Sidewinder from the drop-down menu
   Host IP - IP address of the Sidewinder appliance
   Enable Data Collection - Select the Yes radio button
   Refresh Device Name through DNS Lookups (optional) - Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign.

   Figure 1 Add Device Tab

5. Click Add.
6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes.

When the logs arrive from the specified Sidewinder appliance, the LogLogic Appliance uses the device you just added if the hostname or IP match.

Verifying the Configuration

This section describes how to verify that the configuration changes made to Sidewinder and the LogLogic Appliance are applied correctly.

To verify the configuration:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Dashboards > Log Source Status.
3. Locate the IP address for each Sidewinder device. If the device name (Sidewinder) appears in the list of devices, then the configuration is correct (see Figure 2 on page 13).

Figure 2 Verification of the Sidewinder Configuration

If the device does not appear in the Log Source Status tab, check the Sidewinder logs for events that should have been sent. If events were detected and are still not appearing on the LogLogic Appliance, verify the Sidewinder configuration and the LogLogic Appliance configuration.

You can also verify that the LogLogic Appliance is properly capturing log data from Sidewinder by trying to view the data in the reports. LogLogic recommends checking the reports to make sure that the data obtained is valid and matches expectations. For more information, see LogLogic Real-Time Reports on page 15.

If the device name appears in the list of devices but event data for the device is not appearing within your reports, see Troubleshooting on page 18 for more information.

Chapter 2 How LogLogic Supports Sidewinder

This chapter describes LogLogic's support for Sidewinder. LogLogic enables you to capture Sidewinder log data to monitor events.

- How LogLogic Captures Sidewinder Data
- LogLogic Real-Time Reports
- LogLogic Search-Based

How LogLogic Captures Sidewinder Data

Sidewinder versions 6.1, 6.2.x, and 7.0 (or later) support various streamed event formats through Syslog (e.g., Sidewinder Export Format (SEF), WebTrends Extended Logging Format (WELF), W3C Extended Logging Format (HTTP), etc.). Regardless of the Sidewinder version, the LogLogic Appliance only supports Sidewinder firewall events in SEF format. Sidewinder generates Syslog messages in SEF format, then the messages are sent, via UDP or TCP, to the Syslog Listener on the LogLogic Appliance.

Figure 3 Sidewinder with LogLogic Appliance as the Syslog Server

Once the data is captured you can generate reports. In addition, you can create alerts to notify you of issues on your Sidewinder. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Table 1 on page 22 lists the Sidewinder Syslog messages that are supported by the LogLogic Appliance.

Note: The LogLogic Appliance captures all messages from the Sidewinder logs, but includes only specific messages for report/alert generation. For sample log messages for each event and the event-to-category mapping, see Appendix A Reference on page 21.

LogLogic Real-Time Reports

LogLogic provides pre-configured Real-Time Reports for Sidewinder log data. The following Real-Time Reports are available:
- User Authentication - Displays identity and access related events during a specified time interval.
- User Created/Deleted - Displays users being created or deleted by an administrator during a specified time interval.
- Last User Activity - Displays user-specific details and is used to track user activity during a specified time interval.

To access LMI 5 Real-Time Reports:
1. In the top navigation pane, click Reports.
2. Click Access Control. The following Real-Time Reports are available:
   - User Authentication
   - User Created/Deleted
   - Last User Activity

You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic User Guide and LogLogic Online Help.

LogLogic Search-Based

LogLogic provides pre-configured Search Filters for Sidewinder log data. Search Filters are used to filter report data and create alerts.

To access Search Filters:
1. From the navigation menu, select Search.
2. Select Search Filters. The following Search Filters are available:

Note: All Sidewinder Search Filters use Regular Expressions (RegEx) that can be used to create reports using RegEx Search features on the LogLogic Appliance.

- Sidewinder 6.2: ACL Modification - v6.2 - Access Control List (ACL) Database Change events. Using RegEx: type=t_acl_change
- Sidewinder 6.2: Protocol Error - v6.2 - Traffic passing by violated the Protocol. Using RegEx: type=t_protocol_error
- Sidewinder 6.2: Proxy Flooded - v6.2 - Proxy Flooded Type. Using RegEx: type=t_proxy_flooded
- Sidewinder 6.2: SNMP Coldstart Trap - v6.2 - SNMP Coldstart Trap events. Using RegEx: type=t_snmp_coldtrap
- Sidewinder 6.2: SYN Attack - v6.2 - SYN Attack messages. Using RegEx: type=t_syn_attack
- Sidewinder 6.2: TACACS/RADIUS Accounting - v6.2 - TACACS/RADIUS Accounting events. Using RegEx: type=t_tacrad_acct
- Sidewinder 6.2: Type Enforcement - v6.2 - Type Enforcement Errors generated by the Kernel, such as DDT Violation/DIT Violation/Domain Privilege Denied/Failed Type Change. Using RegEx: type\=(t_ddtviolation|t_ditviolation|t_dmnprivdenied|t_chtype)
- Sidewinder 6.2: User Database Modification - v6.2 - User Database Modification by User or System. Using RegEx: type\=(t_udb_sysac|t_udb_useract)
- Sidewinder 7.x: Application Defense Violation - v7.x - Application Defense Violation. Using RegEx: type=t_attack.*?(?=category=)category=appdef_violation
- Sidewinder 7.x: Authentication Lockout - v7.x - Authentication Failure Lockout. Using RegEx: type=t_auth_lockout
- Sidewinder 7.x: Buffer Overflow Attack - v7.x - Buffer Overflow Attack. Using RegEx: type=t_attack.*?(?=category=)category=buffer_overflow
- Sidewinder 7.x: Connection Failed - v7.x - Connection to the Server Failed. Using RegEx: event=(failed connection|connect failed)
- Sidewinder 7.x: Denial of Service Attack - v7.x - DoS Attack. Using RegEx: type=t_attack.*?(?=category=)category=dos
- Sidewinder 7.x: General Attack - v7.x - General Attack. Using RegEx: type=t_attack.*?(?=category=)category=general
- Sidewinder 7.x: Invalid TCP packets - v7.x - Invalid TCP packets. Using RegEx: (event\=(tcp old duplicate TCP data/ closed conn TCP RESET sequence error))
- Sidewinder 7.x: License Expiration - v7.x - License Feature Expiration. Using RegEx: type=t_license_expire
- Sidewinder 7.x: License Notice - v7.x - User License close to the maximum number of outbound host IP addresses. Using RegEx: event=license notice
- Sidewinder 7.x: Passport - v7.x - Passport Change events. Using RegEx: type\=t_passport_chng.*?(?=event\=)event\=(?!passport expiration)[^\,]*
- Sidewinder 7.x: Passport Expiration - v7.x - Passport Expired. Using RegEx: type=t_passport_chng.*?(?=event=)event=passport expiration
- Sidewinder 7.x: Policy Violation - v7.x - Policy Violation events. Using RegEx: type=t_attack.*?(?=category=)category=policy_violation
- Sidewinder 7.x: Protocol Violation - v7.x - Protocol Violation events. Using RegEx: type=t_attack.*?(?=category=)category=protocol_violation
- Sidewinder 7.x: Signature-based IPS Intrusion Attempt - v7.x - Signature-based IPS Intrusion Attempt. Using RegEx: type=t_attack.*?(?=category=)category=signature_ips
- Sidewinder 7.x: Spam - v7.x - Spam. Using RegEx: type=t_attack.*?(?=category=)category=spam
- Sidewinder 7.x: System Backup - v7.x - System Backup Success/Failure events. Using RegEx: event\=(system backup success|system backup failure)
- Sidewinder 7.x: Virus - v7.x - Virus. Using RegEx: type=t_attack.*?(?=category=)category=virus
- Sidewinder: Blackhole - v7.x and v6.2 - Blackhole Add/Delete/Update/Expire/Address error events. Using RegEx: type=t_blackhole
- Sidewinder: Configuration Change - v7.x and v6.2 - Administrative Configuration Change events. Using RegEx: type=t_cfg_change
- Sidewinder: Console Login Failure - v7.x and v6.2 - Console Login Failure. Using RegEx: (type=t_attack.*?(?=event)event=auth deny.*?(?=reason)reason="authentication failed."\,information="console login authentication failed[a-za-z0-9 -_]*)|(type=t_auth_attempt.*?(?=result)result=0\,info="[a-za-z0-9-_ ]*console[a-za-z0-9 -_]*)
- Sidewinder: Hardware/Software Failure - v7.x and v6.2 - Hardware/Software/NIC/Memory/Disk Failure events. Using RegEx: type=(t_hardware_failure|t_software_failure)
- Sidewinder: Health Monitoring - v7.x and v6.2 - Health Monitoring of Load/CPU/Memory/Interface/General data events. Using RegEx: (type\=t_lcm\,pri\=(?!p_minor)[^\,]*)|(type\=t_interface\,pri\=(?!p_minor)[^\,]*)|(type\=t_geninfo\,pri\=(?!p_minor)[^\,]*)
- Sidewinder: License Exceeded - v7.x and v6.2 - User License Exceeded the maximum number of outbound host IP addresses. Using RegEx: type=t_lic_exceeded
- Sidewinder: Log Overflow - v7.x and v6.2 - Log overflow. Using RegEx: type=t_log_overflow
- Sidewinder: Proxy/Remote Server Authentication Failure - v7.x and v6.2 - Authentication to Proxy/Remote Server Failed. Using RegEx: type=t_proxyauth
- Sidewinder: Software Client Login Failure - v7.x and v6.2 - Software Client Login Failure. Using RegEx: (type=t_attack.*?(?=event)event=auth deny.*?(?=reason)reason="authentication failed."\,information="cobra login authentication failed)|(type=t_auth_attempt.*?(?=result)result=0.*?(?=info)info=[a-za-z0-9 -_]*cobra[a-za-z0-9 -_]*)
- Sidewinder: UDP Drop - v7.x and v6.2 - UDP Packet got Dropped. Using RegEx: type\=t_udp_drop
- Sidewinder: UPS - v7.x and v6.2 - UPS Powerfail/Shutdown events. Using RegEx: type\=(t_ups_powerfail|t_ups_shutdown)

For more information on Search Filters, reports, and alerts, see the LogLogic User Guide and LogLogic Online Help.
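The Search Filters above are regular expressions run against the SEF body of each Syslog message that the Listener receives (Chapter 2 describes that path: Sidewinder emits a <PRI>-prefixed Syslog line whose body is a comma-separated list of key=value fields, with quoted values where a value itself contains commas or spaces). The following is an added example, not code from LogLogic or McAfee, that decodes the Syslog PRI into facility and severity, parses the SEF body into a dictionary, and applies a handful of the filters quoted above to constructed sample messages modelled on the Appendix A samples. The hostname fw1.example.invalid and the 192.0.2.x addresses are placeholders.

```python
import re

# Constructed sample messages modelled on the SEF samples in Appendix A of this guide;
# hostnames and IP addresses are placeholders, not values from a real appliance.
SAMPLES = [
    '<179>Jun 6 18:32:37 auditd: date="aug 25 22:29:34 PDT",fac=f_acld,area=a_server,'
    'type=t_auth_lockout,pri=p_major,pid=2012,ruid=0,euid=0,pgid=2012,logid=0,cmd=acld,'
    'domain=Acld,edomain=Acld,hostname=fw1.example.invalid,'
    'event=authentication failure lockout,user_name=spippari,'
    'reason="authentication failure limit exceeded."',
    '<131>Jan 15 14:48:01 auditd: date="jan 15 22:48:01 UTC",fac=f_login_sidewinder,'
    'area=a_general_area,type=t_attack,pri=p_major,pid=95290,ruid=0,euid=0,pgid=95263,'
    'logid=0,cmd=login_sidewinder,domain=logn,edomain=logn,hostname=fw1.example.invalid,'
    'category=policy_violation,event=acl deny,srcip=192.0.2.10,srcport=0,dstip=192.0.2.1,'
    'dstport=0,protocol=6,service_name=login,user_name=admin,auth_method=failed-password,'
    'acl_id="deny All",cache_hit=0,reason="Traffic denied by policy."',
    '<139>Sep 10 07:54:25 auditd: date="sep 10 21:52:12 PDT",fac=f_system,'
    'area=a_general_area,type=t_cfg_change,pri=p_major,pid=34240,ruid=0,euid=0,pgid=34240,'
    'logid=103,cmd=AdminConsole,domain=CARW,edomain=carw,hostname=fw1.example.invalid,'
    'event=config modify,user_name=rathna,config_area="admin user database",'
    'config_item=admins:testuser,'
    'information="Changed Firewall administrator testuser: office=\'Example Corp\'"',
]

# A subset of the Search Filter regexes listed in this guide, applied to the SEF body.
FILTERS = {
    "Sidewinder 7.x: Authentication Lockout": r"type=t_auth_lockout",
    "Sidewinder 7.x: Policy Violation": r"type=t_attack.*?(?=category=)category=policy_violation",
    "Sidewinder: Configuration Change": r"type=t_cfg_change",
    "Sidewinder: Log Overflow": r"type=t_log_overflow",
}

# BSD-style Syslog header as it appears in the samples: <PRI>Mmm dd hh:mm:ss tag: body
HEADER = re.compile(r"^<(\d{1,3})>(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) ([^\s:]+): (.*)$", re.S)
# One SEF field: key=value; the value is a double-quoted string (may contain commas and
# spaces) or an unquoted run up to the next comma (may be empty, e.g. domain=,).
FIELD = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)=("(?:[^"\\]|\\.)*"|[^,]*)')

FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
               "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron"]
              + [f"local{i}" for i in range(8)])
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_sef(body):
    """Parse a comma-separated SEF key=value body into a dict, unquoting quoted values."""
    fields, pos = {}, 0
    while pos < len(body):
        m = FIELD.match(body, pos)
        if not m:
            raise ValueError(f"malformed SEF field at offset {pos}: {body[pos:pos + 20]!r}")
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
        pos = m.end()
        if pos < len(body):
            if body[pos] != ",":
                raise ValueError(f"expected ',' at offset {pos}, got {body[pos]!r}")
            pos += 1
    return fields


def parse_syslog(line):
    """Split off the Syslog PRI/timestamp/tag header and decode the SEF body."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a <PRI>-prefixed syslog line")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group(2),
        "tag": m.group(3),
        "sef": parse_sef(m.group(4)),
    }


def match_filters(line, filters=FILTERS):
    """Return the names of the Search Filters whose regex matches the SEF body."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a <PRI>-prefixed syslog line")
    return [name for name, rx in filters.items() if re.search(rx, m.group(4))]


def summarize(lines):
    """One (facility, type, event, user_name, matched filters) tuple per line."""
    rows = []
    for line in lines:
        rec = parse_syslog(line)
        sef = rec["sef"]
        rows.append((rec["facility"], sef["type"], sef["event"], sef.get("user_name"),
                     match_filters(line)))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLES):
        print(row)
```

The parser walks the body field by field rather than splitting on commas, which is what keeps values such as acl_id="deny All" and the quoted information= text intact; the facility decoded from the PRI (local6, local0 and local1 in the three samples) is the value that must agree with the facility configured in auditd.conf.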

Chapter 3 Troubleshooting and FAQ

This chapter contains troubleshooting regarding the configuration and/or use of log collection for Sidewinder. It also contains Frequently Asked Questions (FAQ), providing quick answers to common questions.

- Troubleshooting
- Frequently Asked Questions

Troubleshooting

Is your version of Sidewinder supported?
For more information, see Prerequisites on page 8.

Is your LogLogic Appliance running Release 5.1 or later?
If you are running a release prior to 5.1, you might require an upgrade. Contact LogLogic Support for more information.

If Sidewinder events are not appearing on the LogLogic Appliance...
Sidewinder might not be configured correctly. Make sure that audit logging is configured using the SEF format, Syslog is configured, and that a Syslog Server (i.e., the LogLogic Appliance) has been defined. If you have not properly configured Syslog on Sidewinder to send logs to the LogLogic Appliance, then Sidewinder will write the logs to a file on the local system (i.e., /var/log/messages). Make sure that Sidewinder is not sending log messages to the local file. Configuration steps for Sidewinder vary depending on the version. For more information, see Configuring Sidewinder on page 8.

If events are not displaying on the LogLogic Appliance even after configuring Sidewinder correctly...
Sidewinder sends the logs via Syslog, over UDP or TCP, to the LogLogic Appliance. Make sure that the UDP or TCP port is enabled on Sidewinder. For more information on supported protocols and ports, see the LogLogic Administration Guide.

Frequently Asked Questions

How does the LogLogic Appliance collect logs from Sidewinder?
Sidewinder forwards logs using the SEF event format through Syslog. SEF-formatted Syslog messages are sent via UDP or TCP to the LogLogic Appliance. The LogLogic Appliance acts as a Syslog Server for Sidewinder and recognizes messages using the Syslog Listener. For more information, see How LogLogic Captures Sidewinder Data on page 14.

What access permissions are required?
To configure auditing and Syslog on Sidewinder, the user needs to have the proper access permissions to edit configuration files and start/stop the auditing and syslog daemons.

How do I configure Syslog on Sidewinder?
Follow the procedures in Configuring Sidewinder on page 8. Also make sure that you verify your configuration changes on the LogLogic Appliance (Verifying the Configuration on page 12).


Appendix A Reference

This appendix lists the LogLogic-supported Sidewinder events. The Sidewinder event table identifies events that can be analyzed through LogLogic reports. All sample log messages were captured by LogLogic's Syslog Listener.

LogLogic Support for Sidewinder Events

The following list describes the contents of each of the columns in the table below.
- ID # - Item number
- Name - Value of the event field in the 7.x version, or of the status field in the 6.2 or 6.1 version; otherwise Not Applicable (N/A)
- Agile - Defines whether the Sidewinder event is available through the LogLogic Agile Report Engine or through the search capabilities. If the event is available through the Agile Report Engine, then you can use LogLogic's Real-Time Reports and Summary Reports to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data.
- Title/Comments - Sidewinder version number and comments if available. Comments are displayed if a particular type in a version has more than one supported format.
- Category - Audit or Operational
- Type - Type of event, such as t_iptraffic or t_attack
- Appears In - LogLogic-provided reports that the event appears in
- Sample Log Message - Sample Sidewinder log messages converted into text (.txt) format.

The Collector captures invaluable log data to track actions such as modifications to files, account changes, machine access, and other actions that can represent fraudulent activity. The LogLogic appliance can be configured to provide administrators with real-time alerts whenever data integrity and confidentiality is compromised. In addition, LogLogic's Agile and search capabilities can be used to analyze the captured log data.

Table 1 Sidewinder Events

Columns: ID # | Name | Agile | Title | Category | Type | Appears In
(the Sample Log Message for each row follows its column values)

1 | ACL allow | Agile | 7.x | Audit | t_aclallow | Accepted
<131>Jan 15 14:51:23 auditd: date="mar 15 15:55:21 CDT",fac=f_ssh_server,area=a_general_area,type=t_aclallow,pri=p_major,pid=11596,ruid=0,euid=0,pgid=11596,logid=0,cmd=sshd,domain=ssh1,edomain=ssh1,hostname=xxxx.x.com,event=ACL allow,srcip= ,srcport=33180,srcburb=external,dstip= ,dstport=22,dstburb=external,protocol=6,service_name=sshd,user_name=x,auth_method=password,acl_id="secure Shell Server",cache_hit=0,reason="Traffic allowed by policy."

2 | ACL deny | Agile | 7.x | Audit | t_attack | Denied
<131>Jan 15 14:48:01 auditd: date="jan 15 22:48:01 UTC",fac=f_login_sidewinder,area=a_general_area,type=t_attack,pri=p_major,pid=95290,ruid=0,euid=0,pgid=95263,logid=0,cmd=login_sidewinder,domain=logn,edomain=logn,hostname=sidewinder1.loglabs.com,category=policy_violation,event=acl deny,attackip= ,attackburb=firewall,srcip= ,srcport=0,srcburb=Firewall,dstip= ,dstport=0,dstburb=firewall,protocol=6,service_name=login,user_name=admin,auth_method=failed-password,acl_id="deny All",cache_hit=0,reason="Traffic denied by policy."

3 | auth deny | Agile | 7.x | Audit | t_attack | User Last Activity / User Authentication
<179>Jun 24 05:07:27 auditd: date="aug 11 12:51:09 PDT",fac=f_login,area=a_general_area,type=t_attack,pri=p_major,pid=2374,ruid=0,euid=0,pgid=2374,logid=0,cmd=login,domain=Logn,edomain=Logn,hostname=sidewinder1.loglabs.com,category=policy_violation,event=auth deny,user_name=admin,auth_method=password,reason="authentication failed.",information="cobra login authentication failed for user `admin', method Password, from "

4 | auth allow | Agile | 7.x | Audit | t_auth_attempt | User Last Activity / User Authentication
<179>Jun 24 05:07:27 auditd: date="aug 11 08:25:23 PDT",fac=f_ssh_server,area=a_server,type=t_auth_attempt,pri=p_major,pid=1198,ruid=0,euid=0,pgid=1198,logid=0,cmd=sshd,domain=ssh2,edomain=ssh2,hostname=sidewinder1.loglabs.com,event=auth allow,user_name=spippari,auth_method=password,reason="authentication succeeded.",information="authentication Accepted for user `spippari', method Password from port 1037"

5 | authentication failure lockout | Agile | 7.x | Audit | t_auth_lockout | User Last Activity
<179>Jun 6 18:32:37 auditd: date="aug 25 22:29:34 PDT",fac=f_acld,area=a_server,type=t_auth_lockout,pri=p_major,pid=2012,ruid=0,euid=0,pgid=2012,logid=0,cmd=acld,domain=Acld,edomain=Acld,hostname=sidewinder1.loglabs.com,event=authentication failure lockout,user_name=spippari,reason="authentication failure limit exceeded."

6 | authentication failure clear | Agile | 7.x | Audit | t_auth_lockout | User Last Activity
<179>Jun 6 18:32:37 auditd: date="aug 25 22:25:28 PDT",fac=f_acld,area=a_server,type=t_auth_lockout,pri=p_major,pid=2012,ruid=0,euid=0,pgid=2012,logid=0,cmd=acld,domain=Acld,edomain=Acld,hostname=sidewinder1.loglabs.com,event=authentication failure clear,user_name=rathna,admin=rathna

7 | config Modify | Agile | 7.x / format 1 | Audit | t_cfg_change | User Last Activity
<139>Sep 10 07:54:25 auditd: date="sep 10 21:52:12 PDT",fac=f_system,area=a_general_area,type=t_cfg_change,pri=p_major,pid=34240,ruid=0,euid=0,pgid=34240,logid=103,cmd=AdminConsole,domain=CARW,edomain=carw,hostname=sidewinder1.loglabs.com,event=config modify,user_name=rathna,config_area="admin user database",config_item=admins:testuser,information="Changed Firewall administrator testuser: office='wipro Technologies'"

8 | config Modify | Agile | 7.x / format 2 | Audit | t_cfg_change | User Last Activity, User Created/Deleted
<139>Sep 10 07:54:25 auditd: date="sep 10 14:54:25 UTC",fac=f_system,area=a_general_area,type=t_cfg_change,pri=p_major,pid=48475,ruid=0,euid=0,pgid=48475,logid=102,cmd=AdminConsole,domain=CARW,edomain=CARW,hostname=sidewinder1.loglabs.com,event=config modify,user_name=spippari,config_area="admin user database",config_item=admins:cwee,information="added Firewall administrator cwee: crypt_password='_v...03/fz4a0ycyz/yu', directory='/home/cwee', full_name='chris Wee', home_phone=' ', office='home', office_phone=' ', roles=[], shell='nologin'"

9 | config Modify | Agile | 7.x / format 3 | Audit | t_cfg_change | User Last Activity, User Created/Deleted
<139>Sep 10 07:54:25 auditd: date="sep 10 21:48:11 PDT",fac=f_system,area=a_general_area,type=t_cfg_change,pri=p_major,pid=34240,ruid=0,euid=0,pgid=34240,logid=103,cmd=AdminConsole,domain=CARW,edomain=carw,hostname=sidewinder1.loglabs.com,event=config modify,user_name=rathna,config_area="user database",config_item=udb:testuser,information="added User testuser: crypt='_x...mucbglf3lh4uf7q', placeholder='not used', swede_crypt_last_mod_time= , swede_expire_last_mod_time=0.0"

10 | config Modify | Agile | 7.x / format 4 | Audit | t_cfg_change | User Last Activity, User Created/Deleted
<139>Sep 10 07:54:25 auditd: date="sep 10 21:54:35 PDT",fac=f_system,area=a_general_area,type=t_cfg_change,pri=p_major,pid=34240,ruid=0,euid=0,pgid=34240,logid=103,cmd=AdminConsole,domain=CARW,edomain=carw,hostname=sidewinder1.loglabs.com,event=config modify,user_name=rathna,config_area="admin user database",config_item=admins:testuser,information="Deleted Firewall administrator testuser"

11 | config Modify | Agile | 7.x / format 5 | Audit | t_cfg_change | User Last Activity, User Created/Deleted
<139>Sep 10 07:54:25 auditd: date="sep 10 21:54:35 PDT",fac=f_system,area=a_general_area,type=t_cfg_change,pri=p_major,pid=34240,ruid=0,euid=0,pgid=34240,logid=103,cmd=AdminConsole,domain=CARW,edomain=carw,hostname=sidewinder1.loglabs.com,event=config modify,user_name=rathna,config_area="user database",config_item=udb:testuser,information="deleted User testuser"

12 | IP session open | Agile | 7.x | Audit | t_ipftraffic | Accepted
<131>Jan 15 14:51:23 auditd: date="mar 5 01:18:07 EST",fac=f_kernel_ipfilter,area=a_general_area,type=t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=,edomain=,hostname=xxxxxxx.xxxx.com,event=ip session open,rule_name=scobra_out_filter,srcip= ,srcport=1662,dstip= ,dstport=9003,protocol=6,netsessid=45eba8ff

13 | IP session timeout | Agile | 7.x | Audit | t_ipftraffic | Accepted
<131>Jan 15 14:51:23 auditd: date="mar 5 01:18:07 EST",fac=f_kernel_ipfilter,area=a_general_area,type=t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=,edomain=,hostname=xxxxxxx.xxxx.com,event=ip session timeout,rule_name=scobra_out_filter,srcip= ,srcport=1662,dstip= ,dstport=9003,bytes_written_to_client= ,bytes_written_to_server=122272,protocol=6,netsessid=45eba8ff

14 | IP session close | Agile | 7.x | Audit | t_ipftraffic | Accepted
<131>Jan 15 14:51:23 auditd: date="mar 5 01:18:07 EST",fac=f_kernel_ipfilter,area=a_general_area,type=t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=,edomain=,hostname=xxxxxxx.xxxx.com,event=ip session close,rule_name=scobra_out_filter,srcip= ,srcport=1662,dstip= ,dstport=9003,bytes_written_to_client=800,bytes_written_to_server=80,protocol=6,netsessid=45eba8ff

15 | proxy traffic begin | Agile | 7.x | Audit | t_nettraffic | Accepted
<131>Jan 15 14:51:23 auditd: date="mar 15 02:00:01
EDT",fac=f_http_proxy,area=a_libproxycommon,type =t_nettraffic,pri=p_major,pid=32152,ruid=0,euid=0,pgi d=32152,logid=0,cmd=httpp,domain=htpp,edomain=h tpp,hostname=xxxxxxx.xxxx.com,event=proxy traffic begin,service_name=http-all,netsessid=45f8e0e1000 ea505,srcip= ,srcport=57961,srcburb=inter nal,protocol=6,dstip= ,dstport=80,dstburb= external,acl_id=nt_http_out-nt_http_servicesproxy-aut h-internal,cache_hit=0,request_status=0,start_time=" Thu Mar 15 02:00:01 " 24 McAfee Firewall Enterprise (Sidewinder) Log Configuration Guide

25 ID # Name Agile Title Category Type Appears In Sample Log Message 16 proxy traffic continue 17 proxy traffic end 18 proxy authentication failure 19 remote server authentication failure 20 server traffic begin Agile 7.x Audit t_nettraffic Accepted Agile 7.x Audit t_nettraffic Accepted Agile 7.x Audit t_proxyauth Denied Agile 7.x Audit t_proxyauth Denied Agile 7.x Audit t_servtraffic Accepted <131>Jan 15 14:51:23 auditd: date="mar 15 02:00:02 EDT",fac=f_http_proxy,area=a_libproxycommon,type =t_nettraffic,pri=p_major,pid=32152,ruid=0,euid=0,pgi d=32152,logid=0,cmd=httpp,domain=htpp,edomain=h tpp,hostname=xxxxxxx.xxxx.com,event=proxy traffic continue,service_name=http-all,netsessid=45f8e0e10 00ea505,srcip= ,srcport=57961,srcburb=in ternal,protocol=6,dstip= ,dstport=80,dstbur b=external,bytes_written_to_client=476,bytes_written _to_server=99,acl_id=nt_http_out-nt_http_services-pr oxy-auth-internal,cache_hit=0,request_status=0,start_ time="thu Mar 15 02:00:01 " <131>Jan 15 14:51:23 auditd: date="mar 15 02:00:02 EDT",fac=f_http_proxy,area=a_libproxycommon,type =t_nettraffic,pri=p_major,pid=32152,ruid=0,euid=0,pgi d=32152,logid=0,cmd=httpp,domain=htpp,edomain=h tpp,hostname=xxxxxxx.xxxx.com,event=proxy traffic end,service_name=http-all,netsessid=45f8e0e1000ea 505,srcip= ,srcport=57961,srcburb=interna l,protocol=6,dstip= ,dstport=80,dstburb=ex ternal,bytes_written_to_client=476,bytes_written_to_s erver=99,acl_id=nt_http_out-nt_http_services-proxy-a uth-internal,cache_hit=0,request_status=0,start_time= "Thu Mar 15 02:00:01 " <131>Jan 15 14:51:23 auditd: date="mar 16 16:33:55 CDT",fac=f_sendmail_daemon,area=a_server,type=t _proxyauth,pri=p_major,pid=2076,ruid=0,euid=0,pgid =2071,logid=0,cmd=sendmail,domain=mta1,edomain =mta1,hostname=carp.b.com,event=proxy authentication failure,srcip= ,srcport=3578,srcburb=exter nal,protocol=6,dstip= ,dstport=456,dstburb =dmz,interface=eth3,acl_id=acl_rul_1,reason="send mail determined that this session is not allowed." 
<131>Jan 15 14:51:23 auditd: date="mar 16 16:33:55 CDT",fac=f_sendmail_daemon,area=a_server,type=t _proxyauth,pri=p_major,pid=2076,ruid=0,euid=0,pgid =2071,logid=0,cmd=sendmail,domain=mta1,edomain =mta1,hostname=carp.b.com,event=remote server authentication failure,srcip= ,srcport=3578,srcburb=exter nal,protocol=6,dstip= ,dstport=456,dstburb =dmz,interface=eth3,acl_id=acl_rul_1,reason="send mail determined that this session is not allowed." <131>Jan 15 14:51:23 auditd: date="mar 15 02:00:01 EDT",fac=f_http_proxy,area=a_libproxycommon,type =t_servtraffic,pri=p_major,pid=32152,ruid=0,euid=0,p gid=32152,logid=0,cmd=httpp,domain=htpp,edomain =htpp,hostname=xxxxxxx.xxxx.com,event=server traffic begin,service_name=http-all,netsessid=45f8e0e1000 ea505,srcip= ,srcport=57961,srcburb=inter nal,protocol=6,dstip= ,dstport=80,dstburb= external,acl_id=nt_http_out-nt_http_servicesproxy-aut h-internal,cache_hit=0,request_status=0,start_time=" Thu Mar 15 02:00:01 " McAfee Firewall Enterprise (Sidewinder) Log Configuration Guide 25

26 ID # Name Agile Title Category Type Appears In Sample Log Message 21 server traffic continue 22 server traffic end Agile 7.x Audit t_servtraffic Accepted Agile 7.x Audit t_servtraffic Accepted <131>Jan 15 14:51:23 auditd: date="mar 15 02:00:02 EDT",fac=f_http_proxy,area=a_libproxycommon,type =t_servtraffic,pri=p_major,pid=32152,ruid=0,euid=0,p gid=32152,logid=0,cmd=httpp,domain=htpp,edomain =htpp,hostname=xxxxxxx.xxxx.com,event=server traffic continue,service_name=http-all,netsessid=45f8e0e10 00ea505,srcip= ,srcport=57961,srcburb=in ternal,protocol=6,dstip= ,dstport=80,dstbur b=external,bytes_written_to_client=476,bytes_written _to_server=99,acl_id=nt_http_out-nt_http_services-pr oxy-auth-internal,cache_hit=0,request_status=0,start_ time="thu Mar 15 02:00:01 " <131>Jan 15 14:51:23 auditd: date="mar 15 02:00:02 EDT",fac=f_http_proxy,area=a_libproxycommon,type =t_servtraffic,pri=p_major,pid=32152,ruid=0,euid=0,p gid=32152,logid=0,cmd=httpp,domain=htpp,edomain =htpp,hostname=xxxxxxx.xxxx.com,event=server traffic end,service_name=http-all,netsessid=45f8e0e1000ea 505,srcip= ,srcport=57961,srcburb=interna l,protocol=6,dstip= ,dstport=80,dstburb=ex ternal,bytes_written_to_client=476,bytes_written_to_s erver=99,acl_id=nt_http_out-nt_http_services-proxy-a uth-internal,cache_hit=0,request_status=0,start_time= "Thu Mar 15 02:00:01 " 23 N/A Agile 6.2. 
Audit t_aclallow Accepted 24 N/A Agile 6.2 Audit t_acldeny Denied 25 N/A Agile 6.2 Audit t_auth_attempt User Last Activity /User Authentication 26 ipf_open Agile 6.2 Audit t_ipftraffic Accepted <179>May 22 17:16:52 auditd: date="may 22 17:16:52 GMT",fac=f_wwwproxy,area=a_server,type=t_aclallo w,pri=p_major,pid=1545,ruid=0,euid=0,pgid=1545,fid =0,logid=0,cmd=httpp,domain=htpp,edomain=htpp,sr cip= ,dstip= ,protocol=6,servic e_name=http,agent_type=proxy,user_name=(null),acl _id="internet Services" <131>Jan 15 14:51:23 auditd: date="may 14 17:02: CDT",fac=f_nss,area=a_server,type=t_acldeny,pri=p_ major,pid=22800,ruid=0,euid=0,pgid=220,fid=0,logid= 0,cmd=nss,domain=nss2,edomain=nss2,srcip= ,dstip= ,protocol=6,service_ name=telnet,agent_type=server,user_name=null),acl _id=deny_all,acl_pos=7 <179>Jun 24 05:07:27 auditd: date="may 16 13:18: CDT",fac=f_ftpproxy,area=a_server,type=t_auth_atte mpt,pri=p_major,pid=464,ruid=0,euid=0,pgid=464,logi d=0,cmd=pftp,domain=pftx,edomain=pftx,user_aut h_name=a,auth_method=password,result=1,info="aut hentication Accepted for user `a:password', method password" <131>Jan 15 14:51:23 auditd: date="oct 30 11:17: CST",fac=f_kern_ipfilt,area=a_general_area,type=t_ip ftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,fid=0,l ogid=0,cmd=abc,domain=,edomain=,status=ipf_open, rule_name=some-rule,srcip= ,srcport= 1153,dstip= ,dstport=122,protocolname=tc p,netsessid=454633bd a 26 McAfee Firewall Enterprise (Sidewinder) Log Configuration Guide

27 ID # Name Agile Title Category Type Appears In Sample Log Message 27 ipf_close Agile 6.2 Audit t_ipftraffic Accepted 28 conn_open Agile 6.2 Audit t_nettraffic Accepted 29 conn_cont Agile 6.2 Audit t_nettraffic Accepted 30 conn_close Agile 6.2 Audit t_nettraffic Accepted 31 N/A Agile 6.2 Audit t_proxyauth Denied <131>Jan 15 14:51:23 auditd: date="mar 5 01:18:07 EST",fac=f_kernel_ipfilter,area=a_general_area,type= t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,fid =0,logid=0,cmd=kernel,domain=,edomain=,status=ipf _close,rule_name=scobra_out_filter,srcip= ,srcport=1662,dstip= ,dstport=9003,bytes _written_to_client=900,bytes_written_to_server=90,pr otocol=6,netsessid=45eba8ff <179>Jan 1 00:00:00 auditd: date="apr 19 12:25: CDT",fac=f_telnetproxy,area=a_server,type=t_nettraff ic,pri=p_major,pid=3544,ruid=0,euid=0,pgid=3544,fid = ,logid=0,cmd=tnauthp,domain=Atnx,edomai n=atnx,srcip= ,srcport=49566,srcburb =2,dstip= ,dstport=23,dstburb=1,protoc ol=6,service_name=nt_tnauthp,status=conn_open,net sessid=3cc f <179>Jan 1 00:00:00 auditd: date="apr 19 12:25: CDT",fac=f_telnetproxy,area=a_server,type=t_nettraff ic,pri=p_major,pid=3544,ruid= 0,euid=0,pgid=3544,fid= ,logid=0,cmd=tnauth p,domain=atnx,edomain=atnx,srcip= ,sr cport=49566,srcburb=2,dstip= ,dstport =23,dstburb=1,protocol=6,bytes_written_to_client=0,b ytes_written_to_server=0,service_name=nt_tnauthp,r eason=" continue ",status=conn_cont,auth_metho d=password,user_name=a,request_status=1,start_tim e="fri Apr 19 12:25: ",netsessid=3cc f <179>Jan 1 00:00:00 auditd: date="apr 19 12:25: CDT",fac=f_telnetproxy,area=a_server,type=t_nettraff ic,pri=p_major,pid=3544,ruid= 0,euid=0,pgid=3544,fid= ,logid=0,cmd=tnauth p,domain=atnx,edomain=atnx,srcip= ,sr cport=49566,srcburb=2,dstip= ,dstport =23,dstburb=1,protocol=6,bytes_written_to_client=0,b ytes_written_to_server=0,service_name=nt_tnauthp,r eason="proxy traffic end",status=conn_close,auth_method=password,user _name=a,request_status=1,start_time="fri Apr 19 12:25: 
",netsessid=3cc f <135>Jan 1 00:00:03 sidewinder1 auditd: date="jan 1 00:00:03 PST",fac=f_ssod,area=a_auditlib,type=t_proxyauth,pr i=p_major,pid=94704,ruid=161,euid=194,pgid=1137,fi d=0,logid=138,cmd=find,domain=ssh2,edomain=pas w,srcip= ,srcport=2010,dstip= , dstport=3002,protocol=5,srchost= ,dstho st=desthost 32 N/A Agile 6.2/ format 1 (action is add or delete) Audit t_udb_useract User Last Activity,User Created/ Deleted <179>Jun 6 18:32:37 auditd: date="may 14 17:27: CDT",fac=f_passwordwarder,area=a_libudb,type=t_u db_useract,pri=p_major,pid=22821,ruid=0,euid=0,pgi d=247,logid=0,cmd=pasw,domain=pasw,edomain=pa sw,udb_admin=root,udb_user=a,udb_class=common, udb_action=add McAfee Firewall Enterprise (Sidewinder) Log Configuration Guide 27

28 ID # Name Agile Title Category Type Appears In Sample Log Message 33 N/A Agile 6.2/ format 1 (action is modify) Audit t_udb_useract User Last Activity <179>Jun 6 18:32:37 auditd: date="may 14 17:27: CDT",fac=f_passwordwarder,area=a_libudb,type=t_u db_useract,pri=p_major,pid=22821,ruid=0,euid=0,pgi d=247,logid=0,cmd=pasw,domain=pasw,edomain=pa sw,udb_admin=root,udb_user=a,udb_class=common, udb_action=modify 34 N/A Agile 6.1 Audit t_aclallow Accepted 35 N/A Agile 6.1 Audit t_acldeny Denied 36 N/A Agile 6.1 Audit t_auth_attempt User Last Activity /User Authentication 37 ipf_open Agile 6.1 Audit t_ipftraffic Accepted 38 ipf_close Agile 6.1 Audit t_ipftraffic Accepted <179>May 22 17:16:52 auditd: date="may 22 17:16:52 GMT",fac=f_wwwproxy,area=a_server,type=t_aclallo w,pri=p_major,pid=1545,ruid=0,euid=0,pgid=1545,fid =0,logid=0,cmd=httpp,domain=htpp,edomain=htpp,ho stname=xxx,srcip= ,srcburb=internal,dstip = ,dstburb=external,protocol=6,service_na me=http,agent_type=proxy,user_name=(null),auth_m ethod=(null),acl_id="internet Services",cache_hit=1,acl_position=6 <179>Jun 24 05:15:57 auditd: date="jun 24 05:15:57 EDT",fac=f_smtp_proxy,area=a_server,type=t_aclden y,pri=p_major,pid=1350,ruid=0,euid=0,pgid=1350,fid= 0,logid=0,cmd=smtpp,domain=SMTp,edomain=SMTp,hostname=xxx,srcip= ,srcburb=internal,ds tip= ,dstburb=internal,protocol=6,service _name=smtp,agent_type=proxy,attackip= ,attackburb=internal,user_name=(null),auth_method =(null),acl_id="deny All",cache_hit=1,acl_position=23 <179>Jun 24 05:07:57 auditd: date="jun 24 05:07:57 EDT",fac=f_login,area=a_general_area,type=t_auth_ attempt,pri=p_major,pid=1880,ruid=0,euid=0,pgid=18 80,fid=0,logid=0,cmd=login,domain=Logn,edomain=L ogn,hostname=xxx,user_name=abc,auth_method=-p assword,result=1,information="cobra login authentication Accepted for user `abc, method -password, from " <179>Aug 13 14:49:19 auditd: date="aug 13 14:49:19 JST",fac=f_kern_ipfilt,area=a_general_area,type=t_ip 
ftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid= 0,cmd=kernel,domain=htpp,edomain=htpp,hostname =xxx,status=ipf_open,rule_name=web-proxy-out _high,srcip= ,srcport=600,dstip= ,dstport=4000,protocolname=tcp,netsessid=48a275 df0006e3da <179>Aug 13 14:50:47 auditd: date="aug 13 14:50:47 JST",fac=f_kern_ipfilt,area=a_general_area,type=t_ip ftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid= 0,cmd=kernel,domain=htpp,edomain=htpp,hostname =xxx,status=ipf_close,rule_name=web-proxy-out _high,srcip= ,srcport=650,dstip= ,dstport=6000,bytes_written_to_client=226,bytes_w ritten_to_server=652,protocolname=tcp,netsessid=48 a275dd000276e4 28 McAfee Firewall Enterprise (Sidewinder) Log Configuration Guide

29 ID # Name Agile Title Category Type Appears In Sample Log Message 39 conn_open Agile 6.1 Audit t_nettraffic Accepted 40 conn_cont Agile 6.1 Audit t_nettraffic Accepted <179>Jan 1 00:00:00 auditd: date="jan 1 00:00:00 PST",fac=f_udp_proxy,area=a_liblicense,type=t_nettr affic,pri=p_major,pid=23589,ruid=159,euid=188,pgid= 1137,fid=0,logid=276,cmd=dnsp,domain=Htps,edoma in=htps,hostname=xxx,srcip= ,srcport=50 12,srcburb=external,dstip= ,dstport=6008, dstburb=external,protocol=6,service_name=httpp,stat us=conn_open,acl_id="internet Services",cache_hit=0,netsessid= fa72 <179>Aug 13 14:16:09 auditd: date="aug 13 14:16:09 JST",fac=f_wwwproxy,area=a_libproxycommon,type= t_nettraffic,pri=p_major,pid=1309,ruid=0,euid=0,pgid= 1309,logid=0,cmd=httpp,domain=htpp,edomain=htpp, hostname=xxx,srcip= ,srcport=1011,srcbur b=int,dstip= ,dstport=5660,dstburb=ext,pro tocol=6,bytes_written_to_client=722,bytes_written_to _server=1452,service_name=httpp,reason= continu e,status=conn_cont,acl_id=web-proxy-http_o ut,cache_hit=0,request_status=0,start_time="wed Aug 13 14:12:56 ",netsessid=48a26d e99 41 conn_close Agile 6.1/ format 1 42 conn_close Agile 6.1/ format 2 Audit t_nettraffic Accepted Audit t_nettraffic Accepted <179>May 22 17:16:52 auditd: date="may 22 17:16:52 GMT",fac=f_wwwproxy,area=a_libproxycommon,type =t_nettraffic,pri=p_major,pid=1545,ruid=0,euid=0,pgid =1545,fid=0,logid=0,cmd=httpp,domain=htpp,edomai n=htpp,hostname=xxx,srcip= ,srcport=900,srcburb=internal,dstip= ,dstport=900,dstb urb=external,protocol=6,bytes_written_to_client=500, bytes_written_to_server=60,service_name=httpp,stat us=conn_close,acl_id="internet Services",cache_hit=1,request_status=0,start_time=" Tue May 22 17:16:53 ",netsessid= d <179>Aug 13 14:28:31 auditd: date="aug 13 14:28:31 JST",fac=f_mail,area=a_server,type=t_nettraffic,pri=p _major,pid=20756,ruid=0,euid=0,pgid=20756,logid=0, cmd=sendmail,domain=mta2,edomain=mta2,hostnam e=xxx,srcip= ,srcport=344,srcburb=ext,dsti p= 
,dstport=2500,dstburb=int,protocol=6,b ytes_written_to_client=0,bytes_written_to_server=201 2,service_name=sendmail(2),reason="Normal delivery of message m7d5sp6z020754",status=conn_close,acl_id=smtp_ all,cache_hit=0,queueid=m7d5sp6z020754,mail_sen der=xxx@xxx.com,recipient=xxx@xxx.mil,start_time= "Wed Aug 13 14:28:31 ",netsessid=48a270ff McAfee Firewall Enterprise (Sidewinder) Log Configuration Guide 29
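The sample messages above all share one shape: a syslog PRI and timestamp, an optional relay hostname, the literal "auditd:", and then a comma-separated list of key=value fields in which values are either bare (and may contain spaces, as in event=auth deny), empty (domain=), or double-quoted and full of commas (the information= field of a config modify record). The parser below, an added example that is not LogLogic's or McAfee's code, handles those three cases, decodes the syslog facility and severity, and maps each record to the "Appears In" bucket the table assigns to its audit type. The four sample lines are adapted from rows in the table; the IP addresses in them (192.0.2.x and 198.51.100.x) are constructed placeholders, since the page's copies have the addresses blanked out.

```python
"""Parse McAfee Firewall Enterprise (Sidewinder) audit records received over syslog.

Added example, not LogLogic's or McAfee's code.  The sample lines are adapted
from the table's messages; their IP addresses are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# <PRI>Mon dd hh:mm:ss [relayhost] auditd: key=value,key="quoted value",...
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?:(?P<host>\S+) )?'          # optional hostname, as in the t_proxyauth sample
    r'auditd: (?P<body>.*)$'
)
KEY_RE = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')
# A bare value ends at the first comma immediately followed by "key=".  Top-level
# separators carry no space after the comma, so ", full_name=..." inside a quoted
# information= value is not mistaken for a field boundary.
NEXT_FIELD_RE = re.compile(r',(?=[A-Za-z_][A-Za-z0-9_]*=)')


@dataclass
class AuditRecord:
    facility: int            # syslog facility, PRI >> 3
    severity: int            # syslog severity, PRI & 7
    timestamp: str           # syslog header timestamp (the date= field is the firewall's own)
    relay_host: Optional[str]
    fields: Dict[str, str]


def parse_kv(body: str) -> Dict[str, str]:
    """Split the audit body into fields; raises ValueError on malformed input."""
    fields: Dict[str, str] = {}
    i, n = 0, len(body)
    while i < n:
        m = KEY_RE.match(body, i)
        if not m or m.end() >= n or body[m.end()] != '=':
            raise ValueError(f'malformed field at offset {i}: {body[i:i + 20]!r}')
        key, i = m.group(), m.end() + 1
        if i < n and body[i] == '"':                 # quoted value: runs to the closing quote
            j = body.find('"', i + 1)
            if j < 0:
                raise ValueError(f'unterminated quote in field {key}')
            value, i = body[i + 1:j], j + 1
        else:                                        # bare (possibly empty) value
            nxt = NEXT_FIELD_RE.search(body, i)
            j = nxt.start() if nxt else n
            value, i = body[i:j], j
        fields[key] = value
        if i < n:
            if body[i] != ',':
                raise ValueError(f'expected "," after field {key} at offset {i}')
            i += 1
    return fields


def parse_record(line: str) -> AuditRecord:
    m = SYSLOG_RE.match(line.rstrip('\r\n'))
    if not m:
        raise ValueError('not a Sidewinder auditd syslog line')
    pri = int(m.group('pri'))
    return AuditRecord(pri >> 3, pri & 7, m.group('ts'), m.group('host'), parse_kv(m.group('body')))


# "Appears In" bucket per audit type, taken from the table above.
OUTCOME_BY_TYPE = {
    't_aclallow': 'Accepted', 't_ipftraffic': 'Accepted',
    't_nettraffic': 'Accepted', 't_servtraffic': 'Accepted',
    't_acldeny': 'Denied', 't_proxyauth': 'Denied',
    't_auth_lockout': 'User Last Activity', 't_cfg_change': 'User Last Activity',
    't_udb_useract': 'User Last Activity',
    't_auth_attempt': 'User Last Activity / User Authentication',
}
AUTH_FAILURE_EVENTS = {'auth deny', 'authentication failure lockout'}


def classify(rec: AuditRecord) -> str:
    """Types the table does not list (e.g. t_attack) come back as 'Unclassified'."""
    return OUTCOME_BY_TYPE.get(rec.fields.get('type', ''), 'Unclassified')


def auth_failures_by_user(records: List[AuditRecord]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for rec in records:
        if rec.fields.get('event') in AUTH_FAILURE_EVENTS:
            user = rec.fields.get('user_name', '(unknown)')
            counts[user] = counts.get(user, 0) + 1
    return counts


# Constructed sample input adapted from the table (IPs are placeholders).
SAMPLE_LINES = [
    '''<179>Jun 24 05:07:27 auditd: date="aug 11 12:51:09 PDT",fac=f_login,area=a_general_area,type=t_attack,pri=p_major,pid=2374,ruid=0,euid=0,pgid=2374,logid=0,cmd=login,domain=Logn,edomain=Logn,hostname=sidewinder1.loglabs.com,category=policy_violation,event=auth deny,user_name=admin,auth_method=password,reason="authentication failed.",information="cobra login authentication failed for user `admin', method Password, from 192.0.2.10"''',
    '''<139>Sep 10 07:54:25 auditd: date="sep 10 14:54:25 UTC",fac=f_system,area=a_general_area,type=t_cfg_change,pri=p_major,pid=48475,ruid=0,euid=0,pgid=48475,logid=102,cmd=AdminConsole,domain=CARW,edomain=CARW,hostname=sidewinder1.loglabs.com,event=config modify,user_name=spippari,config_area="admin user database",config_item=admins:cwee,information="added Firewall administrator cwee: directory='/home/cwee', full_name='chris Wee', roles=[], shell='nologin'"''',
    '''<131>Jan 15 14:51:23 auditd: date="mar 5 01:18:07 EST",fac=f_kernel_ipfilter,area=a_general_area,type=t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=,edomain=,hostname=xxxxxxx.xxxx.com,event=ip session open,rule_name=scobra_out_filter,srcip=192.0.2.10,srcport=1662,dstip=198.51.100.7,dstport=9003,protocol=6,netsessid=45eba8ff''',
    '''<135>Jan 1 00:00:03 sidewinder1 auditd: date="jan 1 00:00:03 PST",fac=f_ssod,area=a_auditlib,type=t_proxyauth,pri=p_major,pid=94704,ruid=161,euid=194,pgid=1137,fid=0,logid=138,cmd=find,domain=ssh2,edomain=pasw,srcip=192.0.2.10,srcport=2010,dstip=198.51.100.7,dstport=3002,protocol=5,srchost=192.0.2.10,dsthost=desthost''',
]

if __name__ == '__main__':
    recs = [parse_record(l) for l in SAMPLE_LINES]
    for r in recs:
        print(f"{r.fields.get('type'):16} {classify(r):42} {r.fields.get('event') or r.fields.get('status', '')}")
    print('auth failures by user:', auth_failures_by_user(recs))
```

The bare-value rule is the part worth keeping in mind when writing your own collector: splitting on every comma would break the information= field of a config modify record into pieces, and splitting on every comma-plus-key would still be wrong for quoted values, so the scanner has to consume a quoted value to its closing quote first and only then look for the next boundary.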

More information

F-Secure Messaging Security Gateway. Deployment Guide

F-Secure Messaging Security Gateway. Deployment Guide F-Secure Messaging Security Gateway Deployment Guide TOC F-Secure Messaging Security Gateway Contents Chapter 1: Deploying F-Secure Messaging Security Gateway...3 1.1 The typical product deployment model...4

More information

Configuring the Avaya B179 SIP Conference Phone with Avaya Aura Communication Manager and Avaya Aura Session Manager Issue 1.0

Configuring the Avaya B179 SIP Conference Phone with Avaya Aura Communication Manager and Avaya Aura Session Manager Issue 1.0 Avaya Solution & Interoperability Test Lab Configuring the Avaya B179 SIP Conference Phone with Avaya Aura Communication Manager and Avaya Aura Session Manager Issue 1.0 Abstract These Application Notes

More information

EMC Data Domain Management Center

EMC Data Domain Management Center EMC Data Domain Management Center Version 1.1 Initial Configuration Guide 302-000-071 REV 04 Copyright 2012-2015 EMC Corporation. All rights reserved. Published in USA. Published June, 2015 EMC believes

More information

Quick Start Guide. for Installing vnios Software on. VMware Platforms

Quick Start Guide. for Installing vnios Software on. VMware Platforms Quick Start Guide for Installing vnios Software on VMware Platforms Copyright Statements 2010, Infoblox Inc. All rights reserved. The contents of this document may not be copied or duplicated in any form,

More information

Integrating Barracuda Web Application Firewall

Integrating Barracuda Web Application Firewall Integrating Barracuda Web Application Firewall EventTracker v7.x Publication Date: July 28, 2014 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract This guide provides

More information

Using DC Agent for Transparent User Identification

Using DC Agent for Transparent User Identification Using DC Agent for Transparent User Identification Using DC Agent Web Security Solutions v7.7, 7.8 If your organization uses Microsoft Windows Active Directory, you can use Websense DC Agent to identify

More information

Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual

Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual www.hillstonenet.com Preface Conventions Content This document follows the conventions below: CLI Tip: provides

More information

Integrate Check Point Firewall

Integrate Check Point Firewall Integrate Check Point Firewall EventTracker Enterprise Publication Date: Oct.26, 2015 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract The purpose of this document is

More information

Management, Logging and Troubleshooting

Management, Logging and Troubleshooting CHAPTER 15 This chapter describes the following: SNMP Configuration System Logging SNMP Configuration Cisco NAC Guest Server supports management applications monitoring the system over SNMP (Simple Network

More information

Application Interface Services Server for Mobile Enterprise Applications Configuration Guide Tools Release 9.2

Application Interface Services Server for Mobile Enterprise Applications Configuration Guide Tools Release 9.2 [1]JD Edwards EnterpriseOne Application Interface Services Server for Mobile Enterprise Applications Configuration Guide Tools Release 9.2 E61545-01 October 2015 Describes the configuration of the Application

More information

Interworks. Interworks Cloud Platform Installation Guide

Interworks. Interworks Cloud Platform Installation Guide Interworks Interworks Cloud Platform Installation Guide Published: March, 2014 This document contains information proprietary to Interworks and its receipt or possession does not convey any rights to reproduce,

More information

SonicOS 5.9 / 6.0.5 / 6.2 Log Events Reference Guide with Enhanced Logging

SonicOS 5.9 / 6.0.5 / 6.2 Log Events Reference Guide with Enhanced Logging SonicOS 5.9 / 6.0.5 / 6.2 Log Events Reference Guide with Enhanced Logging 1 Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION:

More information

Integrating Juniper Netscreen (ScreenOS)

Integrating Juniper Netscreen (ScreenOS) Integrating Juniper Netscreen (ScreenOS) EventTracker Enterprise Publication Date: Jan. 5, 2016 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract This guide helps you

More information

Vantage Report. User s Guide. www.zyxel.com. Version 3.0 10/2006 Edition 1

Vantage Report. User s Guide. www.zyxel.com. Version 3.0 10/2006 Edition 1 Vantage Report User s Guide Version 3.0 10/2006 Edition 1 www.zyxel.com About This User's Guide About This User's Guide Intended Audience This manual is intended for people who want to configure the Vantage

More information

Barracuda Networks Web Application Firewall

Barracuda Networks Web Application Firewall McAfee Enterprise Security Manager Data Source Configuration Guide Data Source: Barracuda Networks Web Application Firewall January 30, 2015 Barracuda Networks Web Application Firewall Page 1 of 10 Important

More information

Setting Up Scan to SMB on TaskALFA series MFP s.

Setting Up Scan to SMB on TaskALFA series MFP s. Setting Up Scan to SMB on TaskALFA series MFP s. There are three steps necessary to set up a new Scan to SMB function button on the TaskALFA series color MFP. 1. A folder must be created on the PC and

More information

HP TippingPoint Security Management System User Guide

HP TippingPoint Security Management System User Guide HP TippingPoint Security Management System User Guide Version 4.0 Abstract This information describes the HP TippingPoint Security Management System (SMS) client user interface, and includes configuration

More information

11.1. Performance Monitoring

11.1. Performance Monitoring 11.1. Performance Monitoring Windows Reliability and Performance Monitor combines the functionality of the following tools that were previously only available as stand alone: Performance Logs and Alerts

More information

fåíéêåéí=péêîéê=^çãáåáëíê~íçêûë=dìáçé

fåíéêåéí=péêîéê=^çãáåáëíê~íçêûë=dìáçé fåíéêåéí=péêîéê=^çãáåáëíê~íçêûë=dìáçé Internet Server FileXpress Internet Server Administrator s Guide Version 7.2.1 Version 7.2.2 Created on 29 May, 2014 2014 Attachmate Corporation and its licensors.

More information

Setup Guide Revision A. WDS Connector

Setup Guide Revision A. WDS Connector Setup Guide Revision A WDS Connector COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee CleanBoot, McAfee

More information

Remote Management. Vyatta System. REFERENCE GUIDE SSH Telnet Web GUI Access SNMP VYATTA, INC.

Remote Management. Vyatta System. REFERENCE GUIDE SSH Telnet Web GUI Access SNMP VYATTA, INC. VYATTA, INC. Vyatta System Remote Management REFERENCE GUIDE SSH Telnet Web GUI Access SNMP Vyatta Suite 200 1301 Shoreway Road Belmont, CA 94002 vyatta.com 650 413 7200 1 888 VYATTA 1 (US and Canada)

More information

Polycom RSS 4000 / RealPresence Capture Server 1.6 and RealPresence Media Manager 6.6

Polycom RSS 4000 / RealPresence Capture Server 1.6 and RealPresence Media Manager 6.6 INTEGRATION GUIDE May 2014 3725-75304-001 Rev B Polycom RSS 4000 / RealPresence Capture Server 1.6 and RealPresence Media Manager 6.6 Polycom, Inc. 0 Copyright 2014, Polycom, Inc. All rights reserved.

More information

TIBCO LogLogic. PCI Compliance Suite Guidebook. Software Release: 3.5.0. December 2012. Two-Second Advantage

TIBCO LogLogic. PCI Compliance Suite Guidebook. Software Release: 3.5.0. December 2012. Two-Second Advantage TIBCO LogLogic PCI Compliance Suite Guidebook Software Release: 3.5.0 December 2012 Two-Second Advantage Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED

More information

Integrating Trend Micro OfficeScan 10 EventTracker v7.x

Integrating Trend Micro OfficeScan 10 EventTracker v7.x Integrating Trend Micro OfficeScan 10 EventTracker v7.x Publication Date: August 26, 2015 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract This guide will help you in

More information

IBM Security QRadar Version 7.1.0 (MR1) WinCollect User Guide

IBM Security QRadar Version 7.1.0 (MR1) WinCollect User Guide IBM Security QRadar Version 7.1.0 (MR1) WinCollect User Guide Note: Before using this information and the product that it supports, read the information in Notices and Trademarks on page 59. Copyright

More information

Borderware Firewall Server Version 7.1. VPN Authentication Configuration Guide. Copyright 2005 CRYPTOCard Corporation All Rights Reserved

Borderware Firewall Server Version 7.1. VPN Authentication Configuration Guide. Copyright 2005 CRYPTOCard Corporation All Rights Reserved Borderware Firewall Server Version 7.1 VPN Authentication Configuration Guide Copyright 2005 CRYPTOCard Corporation All Rights Reserved http://www.cryptocard.com Overview The BorderWare Firewall Server

More information

McAfee Web Gateway 7.4.1

McAfee Web Gateway 7.4.1 Release Notes Revision B McAfee Web Gateway 7.4.1 Contents About this release New features and enhancements Resolved issues Installation instructions Known issues Find product documentation About this

More information

vcloud Director User's Guide

vcloud Director User's Guide vcloud Director 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

SonicWALL PCI 1.1 Implementation Guide

SonicWALL PCI 1.1 Implementation Guide Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard

More information

WEBROOT EMAIL ARCHIVING SERVICE. Getting Started Guide North America. The best security in an unsecured world. TM

WEBROOT EMAIL ARCHIVING SERVICE. Getting Started Guide North America. The best security in an unsecured world. TM WEBROOT EMAIL ARCHIVING SERVICE Getting Started Guide North America Webroot Software, Inc. World Headquarters 2560 55th Street Boulder CO 80301 USA www.webroot.com 800.870.8102 Table of Contents Create

More information

Server Manager Help 10/6/2014 1

Server Manager Help 10/6/2014 1 Server Manager Help 10/6/2014 1 Table of Contents Server Manager Help... 1 Getting Started... 7 About SpectorSoft Server Manager... 8 Client Server Architecture... 9 System Requirements... 10 Screencasts...

More information

Chapter 4 Firewall Protection and Content Filtering

Chapter 4 Firewall Protection and Content Filtering Chapter 4 Firewall Protection and Content Filtering The ProSafe VPN Firewall 50 provides you with Web content filtering options such as Block Sites and Keyword Blocking. Parents and network administrators

More information

There are numerous ways to access monitors:

There are numerous ways to access monitors: Remote Monitors REMOTE MONITORS... 1 Overview... 1 Accessing Monitors... 1 Creating Monitors... 2 Monitor Wizard Options... 11 Editing the Monitor Configuration... 14 Status... 15 Location... 17 Alerting...

More information

McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course

McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course The McAfee Firewall Enterprise System Administration course from McAfee University is a fast-paced,

More information

SYSLOG 1 Overview... 1 Syslog Events... 1 Syslog Logs... 4 Document Revision History... 5

SYSLOG 1 Overview... 1 Syslog Events... 1 Syslog Logs... 4 Document Revision History... 5 Syslog SYSLOG 1 Overview... 1 Syslog Events... 1 Syslog Logs... 4 Document Revision History... 5 Overview Syslog messages are event messages and alerts that are sent by the operating system, applications

More information

RSA Authentication Manager

RSA Authentication Manager McAfee Enterprise Security Manager Data Source Configuration Guide Data Source: RSA Authentication Manager February 26, 2015 RSA Authentication Manager Page 1 of 9 Important Note: The information contained

More information

Trustwave SEG Cloud Customer Guide

Trustwave SEG Cloud Customer Guide Trustwave SEG Cloud Customer Guide Legal Notice Copyright 2015 Trustwave Holdings, Inc. All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation

More information

Sophos for Microsoft SharePoint startup guide

Sophos for Microsoft SharePoint startup guide Sophos for Microsoft SharePoint startup guide Product version: 2.0 Document date: March 2011 Contents 1 About this guide...3 2 About Sophos for Microsoft SharePoint...3 3 System requirements...3 4 Planning

More information

NETWRIX ACCOUNT LOCKOUT EXAMINER

NETWRIX ACCOUNT LOCKOUT EXAMINER NETWRIX ACCOUNT LOCKOUT EXAMINER ADMINISTRATOR S GUIDE Product Version: 4.1 July 2014. Legal Notice The information in this publication is furnished for information use only, and does not constitute a

More information

Packet Capture. Document Scope. SonicOS Enhanced Packet Capture

Packet Capture. Document Scope. SonicOS Enhanced Packet Capture Packet Capture Document Scope This solutions document describes how to configure and use the packet capture feature in SonicOS Enhanced. This document contains the following sections: Feature Overview

More information

Chapter 8 Router and Network Management

Chapter 8 Router and Network Management Chapter 8 Router and Network Management This chapter describes how to use the network management features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. These features can be found by

More information

Parallels Plesk Control Panel

Parallels Plesk Control Panel Parallels Plesk Control Panel Copyright Notice ISBN: N/A Parallels 660 SW 39 th Street Suite 205 Renton, Washington 98057 USA Phone: +1 (425) 282 6400 Fax: +1 (425) 282 6444 Copyright 1999-2008, Parallels,

More information

Cyberoam Virtual Security Appliance - Installation Guide for XenServer. Version 10

Cyberoam Virtual Security Appliance - Installation Guide for XenServer. Version 10 Cyberoam Virtual Security Appliance - Installation Guide for XenServer Version 10 Document Version 10.6.1-01/07/2014 Contents Preface... 4 Base Configuration... 4 Installation Procedure... 4 Cyberoam Virtual

More information

Active Directory Self-Service FAQ

Active Directory Self-Service FAQ Active Directory Self-Service FAQ General Information: info@cionsystems.com Online Support: support@cionsystems.com CionSystems Inc. Mailing Address: 16625 Redmond Way, Ste M106 Redmond, WA. 98052 http://www.cionsystems.com

More information

CA Performance Center

CA Performance Center CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is

More information

Configuration Guide. BES12 Cloud

Configuration Guide. BES12 Cloud Configuration Guide BES12 Cloud Published: 2016-04-08 SWD-20160408113328879 Contents About this guide... 6 Getting started... 7 Configuring BES12 for the first time...7 Administrator permissions you need

More information

Extreme Control Center, NAC, and Purview Virtual Appliance Installation Guide

Extreme Control Center, NAC, and Purview Virtual Appliance Installation Guide Extreme Control Center, NAC, and Purview Virtual Appliance Installation Guide 9034968 Published April 2016 Copyright 2016 All rights reserved. Legal Notice Extreme Networks, Inc. reserves the right to

More information

NetFlow Analytics for Splunk

NetFlow Analytics for Splunk NetFlow Analytics for Splunk User Manual Version 3.5.1 September, 2015 Copyright 2012-2015 NetFlow Logic Corporation. All rights reserved. Patents Pending. Contents Introduction... 3 Overview... 3 Installation...

More information

ShadowControl ShadowStream

ShadowControl ShadowStream ShadowControl ShadowStream Revision 1.3 4/12/2012 Table of Contents Introduction... 3 Download ShadowStream Server... 3 Installation... 4 Configuration... 5 Creating Users... 6 Testing the User Rights...

More information

Tracking Network Changes Using Change Audit

Tracking Network Changes Using Change Audit CHAPTER 14 Change Audit tracks and reports changes made in the network. Change Audit allows other RME applications to log change information to a central repository. Device Configuration, Inventory, and

More information