SonicOS Log Event Reference Guide
- Nathan Atkinson
- 10 years ago
COMPREHENSIVE INTERNET SECURITY
SonicWALL Internet Security Appliances
SonicOS Log Event Reference Guide
Using the SonicOS Log Event Reference Guide

This reference guide lists and describes SonicOS log event messages. Reference a log event message by using the alphabetical index of log event messages. This document contains the following sections:

- Log > View
- Log > Categories
- Log > Syslog
- Log > Automation
- Log > Name Resolution
- Log > Reports
- Log > ViewPoint
- Index of Log Event Messages
- Index of Syslog Tag Field Description
Log > View

The SonicWALL security appliance maintains an Event log for tracking potential security threats. This log can be viewed in the Log > View page, or it can be automatically sent to an e-mail address for convenience and archiving. The log is displayed in a table and can be sorted by column.

The SonicWALL security appliance can alert you of important events, such as an attack on the SonicWALL security appliance. Alerts are immediately e-mailed, either to an e-mail address or to an e-mail pager. Each log entry contains the date and time of the event and a brief message describing the event.

Log View Table

The log is displayed in a table and is sortable by column. The log table columns include:

- Time - the date and time of the event.
- Priority - the level of priority associated with your log event. Syslog uses eight categories to characterize messages. In descending order of severity, the categories are:
  - Emergency
  - Alert
  - Critical
  - Error
  - Warning
  - Notice
  - Informational
  - Debug
  Specify a priority level on a SonicWALL security appliance on the Log > Categories page to log messages for that priority level, plus all messages tagged with a higher severity. For example, select error as the priority level to log all messages tagged as error, as well as any messages tagged with critical, alert, and emergency. Select debug to log all messages.
  Note: Refer to the Log Event Messages section for more information on your specific log event.
- Category - the type of traffic, such as Access or Authenticated Access.
- Message - provides a description of the event.
- Source - displays the source network and IP address.
- Destination - displays the destination network and IP address.
- Notes - provides additional information about the event.
- Rule - notes the Access Rule affected by the event.
Navigating and Sorting Log View Table Entries

The Log View table provides easy pagination for viewing large numbers of log events. You can navigate these log events by using the navigation control bar located at the top right of the Log View table. The navigation control bar includes four buttons. The far left button displays the first page of the table. The far right button displays the last page. The inside left and right arrow buttons move to the previous or next page respectively.

You can sort the entries in the table by clicking on the column header. The entries are sorted in ascending or descending order. The arrow to the right of the column entry indicates the sorting status. A down arrow means ascending order. An up arrow indicates descending order.

Refresh

To update log messages, click the Refresh button near the top right corner of the page.

Clear Log

To delete the contents of the log, click the Clear Log button near the top right corner of the page.

Export Log

To export the contents of the log to a defined destination, click the Export Log button below the filter table. You can export log content to two formats:

- Plain text format - used in log and alert e-mail.
- Comma-separated value (CSV) format - used for importing into Excel or other presentation development applications.

E-mail Log

If you have configured the SonicWALL security appliance to e-mail log files, clicking E-mail Log near the top right corner of the page sends the current log files to the e-mail address specified on the Log > Automation page.

Note: The SonicWALL security appliance can alert you of important events, such as an attack on the SonicWALL security appliance. Alerts are immediately sent via e-mail, either to an e-mail address or to an e-mail pager. For sending alerts, you must enter your e-mail address and server information in the Log > Automation page.
Filtering Log Records Viewed

You can filter the results to display only event logs matching certain criteria. You can filter by Priority, Category, Source (IP or Interface), and Destination (IP or Interface).

Step 1 Enter your filter criteria in the Log View Settings table. The fields you enter values into are combined into a search string with a logical AND. For example, if you select an interface for Source and for Destination, the search string will look for connections matching:
    Source interface AND Destination interface
Step 2 Check the Group Filters box next to any two or more criteria to combine them with a logical OR. For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group Filters next to Source IP and Destination IP, the search string will look for connections matching:
    (Source IP OR Destination IP) AND Protocol
Step 3 Click Apply Filter to apply the filter immediately to the Log View Settings table.
Step 4 Click Reset to clear the filter and display the unfiltered results again.

The following example filters for log events resulting from traffic from the WAN to the LAN:

Log Event Messages

For a complete reference guide of log event messages, refer to the Log Event Message Index section.

Log > Categories

This guide provides configuration tasks to enable you to categorize and customize the logging functions on your SonicWALL security appliance for troubleshooting and diagnostics.

Note: You can extend your SonicWALL security appliance log reporting capabilities by using SonicWALL ViewPoint. ViewPoint is a Web-based graphical reporting tool for detailed and comprehensive reports. For more information on the SonicWALL ViewPoint reporting tool, refer to
Log Severity/Priority

This section provides information on configuring the priority level at which log messages are captured and corresponding alert messages are sent through e-mail for notification.

Logging Level

The Logging Level control filters events by priority. Events of equal or greater priority are passed, and events of lower priority are dropped. The Logging Level menu includes the following priority scale items from highest to lowest priority:

- Emergency (highest priority)
- Alert
- Critical
- Error
- Warning
- Notice
- Informational
- Debug (lowest priority)

Alert Level

The Alert Level control determines how Alerts are sent. An event of equal or greater priority causes an alert to be issued. Lower priority events do not cause an alert to be sent. Events are pre-filtered by the Logging Level control, so if the Logging Level control is set to a higher priority than that of the Alert Level control, only alerts at the Logging Level or higher are sent. Alert levels include:

- None (disables alerts)
- Emergency (highest priority)
- Alert
- Critical
- Error
- Warning (lowest priority)

Log Redundancy Filter

The Log Redundancy Filter allows you to define the time in seconds that the same attack is logged on the Log > View page as a single entry in the SonicWALL log. Various attacks are often rapidly repeated, which can quickly fill up a log if each attack is logged. The Log Redundancy Filter has a default setting of 60 seconds.

Alert Redundancy Filter

The Alert Redundancy Filter allows you to define the time in seconds that the same attack is logged on the Log > View page as a single entry in the SonicWALL log before an alert is issued. The Alert Redundancy Filter has a default setting of 900 seconds.
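The interaction between the Logging Level and Alert Level controls described above can be checked with a small model. This is an added example, not SonicOS code; the function names and the sample events are hypothetical and constructed for illustration.

```python
# Added example: models the Logging Level / Alert Level behaviour described
# in this guide. Not SonicOS code; all function names are hypothetical.

# Priority scale from the guide, highest priority first.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
RANK = {name: i for i, name in enumerate(PRIORITIES)}  # 0 = highest priority

# Alert Level choices listed in the guide: None, or Emergency..Warning.
ALERT_LEVELS = [None] + PRIORITIES[:5]


def is_logged(priority, logging_level):
    """Events of equal or greater priority than the Logging Level pass."""
    return RANK[priority] <= RANK[logging_level]


def is_alerted(priority, logging_level, alert_level):
    """An alert requires the event to survive the Logging Level pre-filter
    and to be of equal or greater priority than the Alert Level."""
    if alert_level not in ALERT_LEVELS:
        raise ValueError(f"not a valid Alert Level: {alert_level!r}")
    if alert_level is None:  # 'None' disables alerts
        return False
    return (is_logged(priority, logging_level)
            and RANK[priority] <= RANK[alert_level])


def silenced_alert_priorities(logging_level, alert_level):
    """Priorities the Alert Level asks for but the Logging Level drops
    before the alert check, so no alert is ever sent for them."""
    if alert_level not in ALERT_LEVELS:
        raise ValueError(f"not a valid Alert Level: {alert_level!r}")
    if alert_level is None:
        return []
    return [p for p in PRIORITIES
            if RANK[p] <= RANK[alert_level]
            and not is_logged(p, logging_level)]


def triage(events, logging_level, alert_level):
    """Return (priority, message, logged, alerted) for each event."""
    return [(prio, msg,
             is_logged(prio, logging_level),
             is_alerted(prio, logging_level, alert_level))
            for prio, msg in events]


# Constructed sample events (priority, message); not real appliance output.
SAMPLE_EVENTS = [
    ("Alert", "constructed: possible SYN flood"),
    ("Error", "constructed: hardware error"),
    ("Warning", "constructed: login failed"),
    ("Informational", "constructed: connection opened"),
]

if __name__ == "__main__":
    # Logging Level stricter than Alert Level: Error and Warning never alert.
    for row in triage(SAMPLE_EVENTS, "Critical", "Warning"):
        print(row)
    print("never alerted:", silenced_alert_priorities("Critical", "Warning"))
```

A non-empty result from `silenced_alert_priorities` means the Alert Level setting asks for alerts that the Logging Level pre-filter will never let through.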
Log Categories

SonicWALL security appliances provide automatic attack protection against well known exploits. The majority of these legacy attacks were identified by telltale IP or TCP/UDP characteristics, and recognition was limited to a set of fixed layer 3 and layer 4 values. As the breadth and sophistication of attacks evolved, it has become essential to dig deeper into the traffic, and to develop the sort of adaptability that could keep pace with the new threats.

All SonicWALL security appliances, even those running SonicWALL IPS, continue to recognize these legacy port and protocol types of attacks. The current behavior on all SonicWALL security appliances is to automatically and holistically prevent these legacy attacks, meaning that it is not possible to disable prevention of these attacks either individually or globally.

SonicWALL security appliances now include an expanded list of attack categories that can be logged. The View Style menu provides the following three log category views:

- All Categories - Displays both Legacy Categories and Expanded Categories.
- Legacy Categories - Displays log categories carried over from earlier SonicWALL log event categories.
- Expanded Categories - Displays the expanded listing of categories that includes the older Legacy Categories log events rearranged into the new structure.

The following table describes both the Legacy and Extended log categories.

Log Type | Category | Description
Management | Legacy | Logs WLAN IEEE connections.
Advanced Routing | Expanded | Logs messages related to RIPv2 and OSPF routing events.
Attacks | Legacy | Logs messages showing Denial of Service attacks, such as SYN Flood, Ping of Death, and IP spoofing
Authenticated Access | Expanded | Logs administrator, user, and guest account activity
Blocked Java, etc. | Legacy | Logs Java, ActiveX, and Cookies blocked by the SonicWALL security appliance.
Blocked Web Sites | Legacy | Logs Web sites or newsgroups blocked by the Content Filter List or by customized filtering.
BOOTP | Expanded | Logs BOOTP activity
Crypto Test | Expanded | Logs crypto algorithm and hardware testing
DDNS | Expanded | Logs Dynamic DNS activity
Denied LAN IP | Legacy | Logs all LAN IP addresses denied by the SonicWALL security appliance.
DHCP Client | Expanded | Logs DHCP client protocol activity
DHCP Relay | Expanded | Logs DHCP central and remote gateway activity
Dropped ICMP | Legacy | Logs blocked incoming ICMP packets.
Dropped TCP | Legacy | Logs blocked incoming TCP connections.
Dropped UDP | Legacy | Logs blocked incoming UDP packets.
Event | Extended | Logs internal firewall activity
Hardware | Extended | Logs firewall hardware error events
Logging | Extended | Logs general events and errors
Rule | Extended | Logs firewall rule modifications
GMS | Extended | Logs GMS status event
High Availability | Extended | Logs High Availability activity
IPcomp | Extended | Logs IP compression activity
Intrusion Prevention | Extended | Logs intrusion prevention related activity
L2TP Client | Extended | Logs L2TP client activity
L2TP Server | Extended | Logs L2TP server activity
Multicast | Extended | Logs multicast IGMP activity
 | Extended | Logs network ARP, fragmentation, and MTU activity
Access | Extended | Logs network and firewall protocol access activity
Debug | Legacy | Logs NetBIOS broadcasts, ARP resolution problems, and NAT resolution problems. Also, detailed messages for VPN connections are displayed to assist the network administrator with troubleshooting problems with active VPN tunnels. Debug information is intended for experienced network administrators.
Traffic | Expanded | Logs network traffic reporting events
PPP | Extended | Logs generic PPP activity
PPP Dial-Up | Extended | Logs PPP dial-up activity
PPPoE | Extended | Logs PPPoE activity
PPTP | Extended | Logs PPTP activity
RBL | Extended | Logs real-time black list activity
RIP | Extended | Logs RIP activity
Remote Authentication | Extended | Logs RADIUS and LDAP server activity
Security Services | Extended | Logs security services activity
SonicPoint | Extended | Logs SonicPoint activity
System Errors | Legacy | Logs problems with DNS or e-mail.
System Maintenance | Legacy | Logs general system activity, such as system activations.
User Activity | Legacy | Logs successful and unsuccessful log in attempts.
VOIP | Extended | Logs VoIP H.323/RAS, H.323/H.225, and H.323/H.245 activity
VPN | Extended | Logs VPN activity
VPN Client | Extended | Logs VPN client activity
VPN IKE | Extended | Logs VPN IKE activity
VPN IPsec | Extended | Logs VPN IPSec activity
VPN PKI | Extended | Logs VPN PKI activity
VPN Tunnel Status | Legacy | Logs status information on VPN tunnels.
WAN Failover | Extended | Logs WAN failover activity
Wireless | Extended | Logs wireless activity
Wlan IDS | Extended | Logs WLAN IDS activity
Managing Log Categories

The Log Categories table displays log category information organized into the following columns:

- Category - Displays the log category name.
- Description - Provides a description of the log category activity type.
- Log - Provides a checkbox for enabling/disabling the display of the log events on the Log > View page.
- Alerts - Provides a checkbox for enabling/disabling the sending of alerts for the category.
- Syslog - Provides a checkbox for enabling/disabling the capture of the log events into the SonicWALL security appliance Syslog.
- Event Count - Displays the number of events for that category. Clicking the Refresh button updates these numbers.

You can sort the log categories in the Log Categories table by clicking on the column header. For example, clicking on the Category header sorts the log categories in descending order from the default ascending order. An up or down arrow to the left of the column name indicates whether the column is sorted in ascending or descending order.

You can enable or disable Log, Alerts, and Syslog on a category by category basis by clicking on the check box for the category in the table. You can enable or disable Log, Alerts, and Syslog for all categories by clicking the checkbox on the column header.
Log > Syslog

In addition to the standard event log, the SonicWALL security appliance can send a detailed log to an external Syslog server. The SonicWALL Syslog captures all log activity and includes every connection source and destination IP address, IP service, and number of bytes transferred. The SonicWALL Syslog support requires an external server running a Syslog daemon on UDP Port 514.

Syslog Analyzers such as SonicWALL ViewPoint or WebTrends Suite can be used to sort, analyze, and graph the Syslog data.

Messages from the SonicWALL security appliance are then sent to the server(s). Up to three Syslog server IP addresses can be added.

Syslog Settings

- Syslog Facility - Allows you to select the facilities and severities of the messages based on the syslog protocol.
  Note: See RFC The BSD Syslog Protocol for more information.
- Override Syslog Settings with ViewPoint Settings - Check this box to override Syslog settings, if you're using SonicWALL ViewPoint for your reporting solution.
  Note: For more information on SonicWALL ViewPoint, go to
- Syslog Event Redundancy Filter (seconds) - This setting prevents repetitive messages from being written to Syslog. If duplicate events occur during the period specified in the Syslog Event Redundancy Rate field, they are not written to Syslog as unique events. Instead, the additional events are counted, and then at the end of the period, a message is written to the Syslog that includes the number of times the event occurred. The Syslog Event Redundancy Filter default value is 60 seconds and the maximum value is 86,400 seconds (24 hours). Setting this value to 0 seconds sends all Syslog messages without filtering.
- Syslog Format - You can choose the format of the Syslog to be Default or WebTrends. If you select WebTrends, however, you must have WebTrends software installed on your system.
  Note: If the SonicWALL security appliance is managed by SonicWALL GMS, the Syslog Server fields cannot be configured by the administrator of the SonicWALL security appliance.
- Enable Event Rate Limiting - This control allows you to enable rate limiting of events to prevent the internal or external logging mechanism from being overwhelmed by log events.
- Enable Data Rate Limiting - This control allows you to enable rate limiting of data to prevent the internal or external logging mechanism from being overwhelmed by log events.
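The Syslog Event Redundancy Filter behaviour described above, modelled as an added example so an analyst can see why a burst of identical events arrives at the collector as one message plus a count. This is not SonicOS code: the function name, the output tuple layout, the event keys and the choice to report only the additional (suppressed) occurrences in the summary are assumptions.

```python
# Added example: a model of the Syslog Event Redundancy Filter as this guide
# describes it. Not SonicOS code; names and tuple layout are hypothetical.

DEFAULT_PERIOD = 60      # seconds, default stated in the guide
MAX_PERIOD = 86_400      # seconds (24 hours), maximum stated in the guide


def redundancy_filter(events, period=DEFAULT_PERIOD):
    """Collapse duplicate events that fall inside one redundancy period.

    events: iterable of (timestamp_seconds, event_key).
    Returns a list of (timestamp, event_key, kind, count) where kind is
    "event" (written as a unique event) or "summary" (written at the end of
    the period, count = additional occurrences that were not written).
    """
    if not 0 <= period <= MAX_PERIOD:
        raise ValueError("period must be between 0 and 86,400 seconds")
    ordered = sorted(events)
    if period == 0:
        # 0 seconds sends every message without filtering.
        return [(t, key, "event", 1) for t, key in ordered]

    out = []
    open_windows = {}  # event_key -> [window_start, suppressed_count]

    def flush(now):
        """Close windows that ended at or before `now` (all if now is None)."""
        expired = sorted(
            (start + period, key)
            for key, (start, _) in open_windows.items()
            if now is None or start + period <= now
        )
        for end, key in expired:
            _, suppressed = open_windows.pop(key)
            if suppressed:
                out.append((end, key, "summary", suppressed))

    for t, key in ordered:
        flush(t)
        if key in open_windows:
            open_windows[key][1] += 1       # duplicate: count, do not write
        else:
            open_windows[key] = [t, 0]      # first occurrence opens a period
            out.append((t, key, "event", 1))
    flush(None)
    return out


# Constructed sample stream: (seconds since start, event key).
SAMPLE_STREAM = [
    (0, "SYN flood"), (5, "SYN flood"), (10, "port scan"),
    (20, "SYN flood"), (59, "SYN flood"), (60, "SYN flood"),
    (130, "port scan"),
]

if __name__ == "__main__":
    for record in redundancy_filter(SAMPLE_STREAM):
        print(record)
```

When counting occurrences on the collector side, add the summary counts to the unique events; counting lines alone understates how often a repeated event fired.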
Syslog Servers

Adding a Syslog Server

To add syslog servers to the SonicWALL security appliance:

Step 1 Click Add. The Add Syslog Server window is displayed.
Step 2 Type the Syslog server name or IP address in the Name or IP Address field. Messages from the SonicWALL security appliance are then sent to the servers.
Step 3 If your syslog is not using the default port of 514, type the port number in the Port Number field.
Step 4 Click OK.
Step 5 Click Accept to save all Syslog Server settings.
Log > Automation

The Log > Automation page includes settings for configuring the SonicWALL to send log files using e-mail and configuring mail server settings.

E-mail Log Automation

- Send Log to E-mail address - Enter your e-mail address ([email protected]) in this field to receive the event log via e-mail. Once sent, the log is cleared from the SonicWALL memory. If this field is left blank, the log is not e-mailed.
- Send Alerts to E-mail address - Enter your e-mail address ([email protected]) in the Send alerts to field to be immediately e-mailed when attacks or system errors occur. Type a standard e-mail address or an e-mail paging service. If this field is left blank, e-mail alert messages are not sent.
- Send Log - Determines the frequency of sending log files. The options are When Full, Weekly, or Daily. If the Weekly or Daily option is selected, then select the day of the week the log is sent in the every menu and the time of day in 24-hour format in the At field.
- E-mail Format - Specifies whether log e-mails will be sent in Plain Text or HTML format.

Mail Server Settings

The mail server settings allow you to specify the name or IP address of your mail server, the from e-mail address, and authentication method.

- Mail Server (name or IP address) - Enter the IP address or FQDN of the e-mail server used to send your log e-mails in this field.
- From E-mail Address - Enter the e-mail address you want to display in the From field of the message.
- Authentication Method - You can use the default None item or select POP Before SMTP.

Note: If the Mail Server (name or IP address) is left blank, log and alert messages are not e-mailed.

Deep Packet Forensics

SonicWALL UTM appliances have configurable deep-packet classification capabilities that intersect with forensic and content-management products. While the SonicWALL can reliably detect and prevent any interesting-content events, it can only provide a record of the occurrence, but not the actual data of the event.

Of equal importance are diagnostic applications where the interesting-content is traffic that is being unpredictably handled or inexplicably dropped.

Although the SonicWALL can achieve interesting-content using our Enhanced packet capture diagnostic tool, data-recorders are application-specific appliances designed to record all the packets on a network. They are highly optimized for this task, and can record network traffic without dropping a single packet.
While data-recorders are good at recording data, they lack the sort of deep-packet inspection intelligence afforded by IPS/GAV/ASPY/AF. Consider the minimal requirements of effective data analysis:

- Reliable storage of data
- Effective indexing of data
- Classification of interesting-content

Together, a UTM device (a SonicWALL appliance) and data-recorder (a Solera Networks appliance) satisfy the requirements to offer outstanding forensic and data-leakage capabilities.

Distributed Event Detection and Replay

The Solera appliance can search its data-repository, while also allowing the administrator to define interesting-content events on the SonicWALL. The level of logging detail and frequency of the logging can be configured by the administrator. Nearly all events include Source IP, Source Port, Destination IP, Destination Port, and Time. SonicOS Enhanced has an extensive set of log events, including:

- Debug/Informational Events - Connection setup/tear down
- User-events - Administrative access, single sign-on activity, user logins, content filtering details
- Rule/Policy Events - Access to and from particular IP:Port combinations, also identifiable by time
- Interesting-content at the Network or Application Layer - Port-scans, SYN floods, DPI or AF signature/policy hits

The following is an example of the process of distributed event detection and replay:

1. The administrator defines the event trigger. For example, an Application policy is defined to detect and log the transmission of an official document:
2. A user (at IP address ) on the network retrieves the file.
3. The event is logged by the SonicWALL.
4. The administrator selects the Recorder icon from the left column of the log entry. The icon/link only appears in the logs when a NPCS is defined on the SonicWALL (e.g. IP: [ ], Port: [443]). The defined NPCS appliance will be the link's target. The link will include the query string parameters defining the desired connection.
5. The NPCS will (optionally) authenticate the user session.
6. The requested data will be presented to the client as a .cap file, and can be saved or viewed on the local machine.
Methods of Access

The client and NPCS must be able to reach one another. Usually, this means the client and the NPCS will be in the same physical location, both connected to the SonicWALL appliance. In any case, the client will be able to directly reach the NPCS, or will be able to reach the NPCS through the SonicWALL. Administrators in a remote location will require some method of VPN connectivity to the internal network. Access from a centralized GMS console will have similar requirements.

Log Persistence

SonicOS currently allocates 32K to a rolling log buffer. When the log becomes full, it can be e-mailed to a defined recipient and flushed, or it can simply be flushed. E-mailing provides a simple version of logging persistence, while GMS provides a more reliable and scalable method.

By offering the administrator the option to deliver logs as either plain-text or HTML, the administrator has an easy method to review and replay events logged.

GMS

To provide the ability to identify and view events across an entire enterprise, a GMS update will be required. Device-specific interesting-content events at the GMS console appear in the Reports > Log Viewer Search page, but are also found throughout the various reports, such as Top Intrusions Over Time.
Solera Capture Stack

Solera Networks makes a series of appliances of varying capacities and speeds designed to capture, archive, and regenerate network traffic. The Solera Networks Packet Capture System (NPCS) provides utilities that allow the captured data to be accessed in time sequenced playback, that is, analysis of captured data can be performed on a live network via NPCS while the device is actively capturing and archiving data.

To configure your SonicWALL appliance with Solera, select the Enable Solera Capture Stack Integration option. Configure the following options:

- Server - Select the host for the Solera server. You can dynamically create the host by selecting Create New Host...
- Protocol - Select either HTTP or HTTPS.
- Port - Specify the port number for connecting to the Solera server.
- Interface(s) - Specify the interfaces whose data you want to transmit to the Solera server.
- User (optional) - Enter the username, if required.
- Password (optional) - Enter the password, if required.
- Confirm Password - Confirm the password.
- Mask Password - Leave this enabled to send the password as encrypted text.
Log > Name Resolution

The Log > Name Resolution page includes settings for configuring the name servers used to resolve IP addresses and server names in the log reports.

The security appliance uses a DNS server or NetBIOS to resolve all IP addresses in log reports into server names. It stores the name/address pairs in a cache, to assist with future lookups. You can clear the cache by clicking Reset Name Cache at the top of the Log > Name Resolution page.

Selecting Name Resolution Settings

The security appliance can use DNS, NetBIOS, or both to resolve IP addresses and server names. In the Name Resolution Method list, select:

- None: The security appliance will not attempt to resolve IP addresses and Names in the log reports.
- DNS: The security appliance will use the DNS server you specify to resolve addresses and names.
- NetBIOS: The security appliance will use NetBIOS to resolve addresses and names. If you select NetBIOS, no further configuration is necessary.
- DNS then NetBIOS: The security appliance will first use the DNS server you specify to resolve addresses and names. If it cannot resolve the name, it will try again with NetBIOS.

Specifying the DNS Server

You can choose to specify DNS servers, or to use the same servers as the WAN zone.

Step 1 Select Specify DNS Servers Manually or Inherit DNS Settings Dynamically from WAN Zone. The second choice is selected by default.
Step 2 If you selected to specify a DNS server, enter the IP address for at least one DNS server on your network. You can enter up to three servers.
Step 3 Click Accept in the top right corner of the Log > Name Resolution page to make your changes take effect.
Log > Reports

The SonicWALL security appliance can perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth. You can generate these reports from the Log > Reports page.

Note: SonicWALL ViewPoint provides a comprehensive Web-based reporting solution for SonicWALL security appliances. For more information on SonicWALL ViewPoint, go to

Data Collection

The Reports window includes the following functions and commands:

- Start Data Collection - Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label changes to Stop Data Collection.
- Reset Data - Click Reset Data to clear the report statistics and begin a new sample period. The sample period is also reset when data collection is stopped or started, and when the SonicWALL security appliance is restarted.

View Data

Select the desired report from the Report to view menu. The options are Web Site Hits, Bandwidth Usage by IP Address, and Bandwidth Usage by Service. These reports are explained below. Click Refresh Data to update the report. The length of time analyzed by the report is displayed in the Current Sample Period.

Web Site Hits

Selecting Web Site Hits from the Report to view menu displays a table showing the URLs for the 25 most frequently accessed Web sites and the number of hits to a site during the current sample period.

The Web Site Hits report ensures that the majority of Web access is to appropriate Web sites. If leisure, sports, or other inappropriate sites appear in the Web Site Hits Report, you can choose to block the sites. For information on blocking inappropriate Web sites, see.

Click on the name of a Web site to open that site in a new window.

Bandwidth Usage by IP Address

Selecting Bandwidth Usage by IP Address from the Report to view menu displays a table showing the IP address of the 25 top users of Internet bandwidth and the number of megabytes transmitted during the current sample period.
Bandwidth Usage by Service

Selecting Bandwidth Usage by Service from the Report to view menu displays a table showing the name of the 25 top Internet services, such as HTTP, FTP, RealAudio, etc., and the number of megabytes received from the service during the current sample period.

The Bandwidth Usage by Service report shows whether the services being used are appropriate for your organization. If services such as video or push broadcasts are consuming a large portion of the available bandwidth, you can choose to block these services.
Log > ViewPoint

SonicWALL ViewPoint is a Web-based graphical reporting tool that provides unprecedented security awareness and control over your network environment through detailed and comprehensive reports of your security and network activities. ViewPoint's broad reporting capabilities allow administrators to easily monitor network access and Internet usage, enhance security, assess risks, understand more about employee Internet use and productivity, and anticipate future bandwidth needs.

ViewPoint creates dynamic, real-time and historical network summaries, providing a flexible, comprehensive view of network events and activities. Reports are based on syslog data streams received from each SonicWALL appliance through LAN, Wireless LAN, WAN or VPN connections. With ViewPoint, your organization can generate individual or aggregate reports about virtually any aspect of appliance activity, including individual user or group usage patterns, events on specific appliances or groups of appliances, types and times of attacks, resource consumption and constraints, and more.

For more information on SonicWALL ViewPoint, go to For complete SonicWALL ViewPoint documentation, go to the SonicWALL documentation Web site at

Activating ViewPoint

The Log > ViewPoint page allows you to activate the ViewPoint license directly from the SonicWALL Management Interface using two methods.

If you received a license activation key, enter the activation key in the Enter upgrade key field, and click Accept.

Warning: You must have a mysonicwall.com account and your SonicWALL security appliance must be registered to activate SonicWALL ViewPoint for your SonicWALL security appliance.

1. Click the Upgrade link in Click here to Upgrade on the Log > ViewPoint page. The mysonicwall.com Login page is displayed.
2. Enter your mysonicwall.com account username and password in the User Name and Password fields, then click Submit. The System > Licenses page is displayed. If your SonicWALL security appliance is already connected to your mysonicwall.com account, the System > Licenses page appears after you click the SonicWALL Content Filtering Subscription link.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table. Type in the Activation Key in the New License Key field and click Submit.
4. If you activated SonicWALL ViewPoint at mysonicwall.com, the SonicWALL ViewPoint activation is automatically enabled on your SonicWALL within 24 hours, or you can click the Synchronize button on the Security Services > Summary page to update your SonicWALL.
Enabling ViewPoint Settings

Once you have installed the SonicWALL ViewPoint software, you can point the SonicWALL security appliance to the server running ViewPoint.

1. Check the Enable ViewPoint Settings checkbox in the Syslog Servers section of the Log > ViewPoint page.
2. Click the Add button. The Add Syslog Server window is displayed.
3. Enter the IP address or FQDN of the SonicWALL ViewPoint server in the Name or IP Address field.
4. Enter the port number for the SonicWALL ViewPoint server traffic in the Port field or use the default port number.
5. Click Accept.

Note: The Override Syslog Settings with ViewPoint Settings control on the Log > Syslog page is automatically checked when you enable ViewPoint from the Log > ViewPoint page. The IP address or FQDN you entered in the Add Syslog Server window is also displayed on the Log > Syslog page as well as in the Syslog Servers table on the Log > ViewPoint page.

Clicking the Edit icon displays the Add Syslog Server window for editing the ViewPoint server information. Clicking the Delete icon deletes the ViewPoint syslog server entry.
Index of Log Event Messages

This section contains a list of log event messages for all SonicWALL Firmware and SonicOS Software Releases, ordered alphabetically. Use your web browser's Find function to search for a command.

Log Event Message Symbols Key

Log Event Message | Symbol Description | Context
%s Ethernet Port Down | Represents a character string. | [WAN LAN DMZ] Ethernet Port Down
The cache is full; %u open connections; some will be dropped | Represents a numerical string. | The cache is full; [40,000] open connections; some will be dropped

TCP IP Layered-Data Packet Processing and SonicOS Log Event Handling

In specific cases of multi-layer packet processing, a TCP connection initially logged as "open" will be rejected by a deeper layer of packet processing. In these cases, the connection request has not been forwarded by the SonicWALL security appliance, and the initial Connection Open SonicOS log event message should be ignored in favor of the TCP Connection Dropped log event message.

Each log event message described in the following table provides the following log event details:

SonicOS Category - Displays the SonicOS Software category event type.
Legacy Category - Displays the SonicWALL Firmware Software category event type.
Priority Level - Displays the level of urgency of the log event message.
Log Message ID Number - Displays the ID number of the log event message.
SNMP Trap Type - Displays the SNMP Trap ID number of the log event message.
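An added example (not part of the SonicWALL guide) of how a log consumer can apply the symbols key and the TCP handling note above: it turns index templates containing %s and %u into matchers, and sets aside a Connection Opened record when a TCP Connection Dropped record for the same source and destination follows shortly after. The key=value line layout, the field names time, msg, src and dst, the 5-second window and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Message templates as printed in the guide's index.
# %s stands for a character string, %u for a numerical string.
# "TCP Connection Dropped" is spelled as in the guide's note; the text an
# appliance emits may differ, so matching is case-insensitive.
TEMPLATES = [
    "%s Ethernet Port Down",
    "The cache is full; %u open connections; some will be dropped",
    "Administrator login denied from %s; logins disabled from this interface",
    "Connection Opened",
    "TCP Connection Dropped",
]

PLACEHOLDER = re.compile(r"%[su]")


def compile_template(template):
    """Build a regex with one capture group per %s / %u placeholder."""
    parts, pos = [], 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        # %u: digits, optionally comma-grouped; %s: any non-empty text.
        parts.append(r"(\d[\d,]*)" if m.group() == "%u" else r"(.+?)")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts), re.IGNORECASE)


COMPILED = [(t, compile_template(t)) for t in TEMPLATES]


def classify(msg):
    """Return (template, captured_values) for the first full match, else (None, ())."""
    for template, rx in COMPILED:
        m = rx.fullmatch(msg)
        if m:
            return template, m.groups()
    return None, ()


# Assumed layout: key=value pairs, values optionally double-quoted.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


WINDOW = timedelta(seconds=5)  # assumed gap between the open and its drop


def correlate(lines, window=WINDOW):
    """Split Connection Opened records into (kept, ignored).

    An open is ignored when a TCP Connection Dropped record with the same
    src/dst arrives within `window`, as the guide's note describes.
    """
    pending, kept, ignored = {}, [], []
    for line in lines:
        rec = parse_line(line)
        template, _ = classify(rec.get("msg", ""))
        if template not in ("Connection Opened", "TCP Connection Dropped"):
            continue
        if "time" not in rec:
            continue
        rec["when"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
        key = (rec.get("src"), rec.get("dst"))
        if template == "Connection Opened":
            if key in pending:          # older open on the same pair, never dropped
                kept.append(pending[key])
            pending[key] = rec
        else:
            earlier = pending.get(key)
            if earlier and rec["when"] - earlier["when"] <= window:
                ignored.append(pending.pop(key))
    kept.extend(pending.values())
    return kept, ignored


# Constructed sample lines (documentation address ranges), not real appliance output.
SAMPLE = [
    'time="2024-05-01 10:00:00" msg="Connection Opened" src=192.0.2.10:51000 dst=198.51.100.5:80',
    'time="2024-05-01 10:00:00" msg="TCP Connection Dropped" src=192.0.2.10:51000 dst=198.51.100.5:80',
    'time="2024-05-01 10:00:02" msg="Connection Opened" src=192.0.2.11:51001 dst=198.51.100.5:443',
    'time="2024-05-01 10:00:03" msg="WAN Ethernet Port Down"',
    'time="2024-05-01 10:00:04" msg="The cache is full; 40000 open connections; some will be dropped"',
    'time="2024-05-01 10:01:00" msg="Connection Opened" src=192.0.2.12:51002 dst=198.51.100.9:25',
    'time="2024-05-01 10:02:30" msg="TCP Connection Dropped" src=192.0.2.12:51002 dst=198.51.100.9:25',
]

if __name__ == "__main__":
    kept, ignored = correlate(SAMPLE)
    for r in kept:
        print("kept   ", r["time"], r["src"], "->", r["dst"])
    for r in ignored:
        print("ignored", r["time"], r["src"], "->", r["dst"])
```

The last pair in the sample is 90 seconds apart, so that open is kept: a drop that far from the open is treated as a separate event rather than the deeper-layer rejection of the same request.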
Log Event Message Index

Log Events Messages | SonicOS Category | Legacy Category | Priority Level | Log Msg ID Number | snmptraptype | Log Event Type
sw new category category priority id snmptraptype eventtype

"As per Diagnostic Auto-restart configuration request, restarting system" | event | --- | INFO | SIMPLE
#Web site hit | Traffic | Connection Traffic | INFO | STD_HTTP_TRAFFIC_REPORT
%s | VPN IKE | UserActivity | DEBUG
%s | High Availability | --- | ERROR
%s | High Availability | --- | WARN
%s | High Availability | --- | INFO
%s | High Availability | --- | ALERT
%s | High Availability | --- | NOTICE
%s | High Availability | --- | DEBUG
%s | ARS | --- | INFO
%s | ARS | --- | NOTICE
%s | ARS | --- | DEBUG
%s | Security Services | UserActivity | NOTICE
GE_ GE_ GE_ GE_
23 %s SSL VPN --- INFO %s event System Error ALERT %s auto-dial failed: Current Connection Model is configured as Ethernet Only PPP dialup System Error ALERT %s Ethernet Port Down %s Ethernet Port Up event System Error ERROR event System Error WARN %s is operational. Anti-Spam --- WARN %s is unavailable. Anti-Spam --- WARN ) dumped to at None --- DEBUG UNUSED *** Alert from SonicWALL *** None --- DEBUG UNUSED [not found in tip] Unused Attack WARN UNUSED [not found in tip] Unused Debug NOTICE UNUSED <b>sonicwa LL Registration Update Needed:</b> Restore your existing security service subscription s by clicking <a href="/ Security_Ser vices/ enable_servi ces.html">her e</a>. Security Services Maintenance WARN SIMPLE 22 SonicOS Log Event Reference Guide
24 3G %s device detected Hardware System Environment INFO G Dial-up: %s. PPP dialup UserActivity ALERT G Dial-up: data usage limit reached for the '%s' billing cycle. Disconnectin g the 3G session. PPP dialup UserActivity ALERT G: No SIM detected Hardware --- ALERT Management Wireless 80211bMgmt INFO A prior version of preferences was loaded because the most recent preferences file was inaccessible A SonicOS Standard to Enhanced Upgrade was performed Access attempt from host out of compliance with GSC policy Access attempt from host without Anti-Virus agent installed Access attempt from host without GSC installed SIMPLE_NO TE_ event System Error WARN SIMPLE event Maintenance INFO SIMPLE Security Services Maintenance INFO STD Security Services Maintenance INFO STD Security Services Maintenance INFO STD Access rule added Rule UserActivity INFO SIMPLE_RU LE SonicOS Log Event Reference Guide 23
25 Access rule deleted Rule UserActivity INFO Access rule modified Rule UserActivity INFO Access rules restored to defaults Rule UserActivity INFO UNUSED Access to proxy server denied Active Backup detects Active Primary: Backup going Idle ActiveX access denied ActiveX or Java archive access denied ADConnector %s response timed-out; applying caching policy Add an attack message Added host entry to dynamic address object Access BlockedSites NOTICE SIMPLE_RU LE_ SIMPLE_RU LE BLOCKED High Availability Maintenance INFO UNUSED Access BlockedCode NOTICE Access BlockedCode NOTICE Microsoft Active Directory --- ERROR event Attack ERROR Dynamic Address Objects Maintenance INFO Adding Dynamic Entry for Bound MAC Address --- INFO BLOCKED BLOCKED GE_ SIMPLE_ST R Ethernet Adding L2TP IP pool Address object Failed. L2TP Server System Error ERROR SIMPLE Adding to multicast policylist, interface : %s Multicast --- DEBUG GE_ 24 SonicOS Log Event Reference Guide
26 Adding to Multicast policylist, VPN SPI : %s Multicast --- DEBUG Administrator logged out Administrator logged out - inactivity timer expired Administrator login allowed Administrator login denied due to bad credentials Administrator login denied from %s; logins disabled from this interface Administrator name changed n Access UserActivity INFO GE_ n Access UserActivity INFO STD STD_STRIN n Access UserActivity INFO G_SERVICE n Access Attack ALERT n Access Attack ALERT n Access Maintenance INFO STD STD_STRIN G_SERVICE GE_ All DDNS associations have been deleted DDNS Maintenance INFO SIMPLE All preference values have been set to factory default values Allowed LDAP server certificate with wrong event System Error WARN SIMPLE host name RADIUS UserActivity WARN Anti-Spam service is disabled by administrator. Anti-Spam --- INFO SIMPLE Anti-Spam service is enabled by administrator. Anti-Spam --- INFO SIMPLE Anti-Spam Startup Failure - %s Anti-Spam --- WARN SonicOS Log Event Reference Guide 25
27 Anti-Spam Teardown Failure - %s Anti-Spam --- WARN Anti-Spyware Detection Alert: %s Anti-Spyware Prevention Alert: %s Anti-Spyware Service Expired Anti-Virus agent out-ofdate on host Anti-Virus Licenses Exceeded Application Filter Detection Alert: %s Application Filters Block Alert: %s Application Alert: %s Intrusion Detection Attack ALERT Intrusion Detection Attack ALERT STD_AS_ME STD_AS_ME Security Services Maintenance WARN SIMPLE Security Services Maintenance INFO STD Security Services Maintenance INFO STD Intrusion Detection Attack ALERT Intrusion Detection Attack ALERT ApplicationFir ewall UserActivity ALERT ARP request packet received --- INFO GE_ GE_ STD_Applicat ion _ME Ethernet Ethernet ARP request packet sent --- INFO ARP response packet received --- INFO ARP response packet sent --- INFO ARP timeout Debug DEBUG STD ARP unused/ spare --- DEBUG UNUSED ARS unused/ spare Unused --- DEBUG UNUSED ARS unused/ spare Unused --- DEBUG UNUSED ARS unused/ spare Unused --- DEBUG UNUSED Ethernet Ethernet 26 SonicOS Log Event Reference Guide
28 ARS unused/ spare Unused --- DEBUG UNUSED Assigned IP address %s DHCP Server --- INFO Association Flood from WLAN station WLAN IDS WLAN IDS ALERT n timeout during Remotely Triggered Dial-out session SIMPLE_NO TE_ n Access UserActivity INFO SIMPLE AV unused/ spare Unused 0 DEBUG UNUSED Back Orifice attack dropped Backup active Backup firewall being preempted by Primary Backup firewall has transitioned to Active Backup firewall has transitioned to Idle Backup firewall rebooting itself as it transitioned from Active to Idle while Preempt Backup going Active in preempt mode after reboot Backup missed heartbeats from Primary Intrusion Detection Attack ALERT STD High Availability System Error INFO SIMPLE High Availability System Error ERROR SIMPLE High Availability Maintenance ALERT SIMPLE High Availability Maintenance ALERT SIMPLE High Availability --- INFO SIMPLE High Availability System Error ERROR SIMPLE High Availability System Error ERROR SIMPLE SonicOS Log Event Reference Guide 27
29 Backup received error signal from Primary High Availability System Error ERROR SIMPLE Backup received heartbeat from wrong source High Availability Maintenance INFO UNUSED Backup received reboot signal from Primary High Availability System Error ERROR SIMPLE Backup shut down because license is expired High Availability System Error ERROR SIMPLE Backup WAN link down, Primary going Active High Availability System Error ERROR UNUSED Backup will be shut down in %s minutes High Availability System Error ERROR Bad CRL format VPN PKI UserActivity ALERT SIMPLE Bind to LDAP server failed RADIUS System Error ERROR SIMPLE_NO TE_ Blocked Quick Mode for Client using Default KeyId VPN Client System Error ERROR STD BOOTP Client IP address on LAN conflicts with remote device IP, deleting IP address from remote table Bootp Maintenance INFO BOOTP reply relayed to local device Bootp Maintenance INFO BOOTP Request received from remote device Bootp Debug DEBUG UNUSED 28 SonicOS Log Event Reference Guide
30 BOOTP server response relayed to remote device Bootp Debug DEBUG Broadcast packet dropped Access Debug DEBUG PROTOCOL Cannot connect to the CRL server VPN PKI UserActivity ALERT SIMPLE Cannot Validate Issuer Path VPN PKI UserActivity ALERT SIMPLE_NO TE_ Category: None 0 DEBUG UNUSED Certificate on Revoked list(crl) VPN PKI UserActivity ALERT CFL autodownload disabled, time problem detected SIMPLE_NO TE_ Security Services Maintenance INFO SIMPLE Chat %s PPP dialup UserActivity INFO GE_ Chat completed PPP dialup UserActivity INFO GE_ Chat failed: %s PPP dialup UserActivity INFO GE_ Chat started PPP dialup UserActivity INFO GE_ Chat started by '%s' PPP dialup UserActivity INFO GE_ Chat wrote '%s' PPP dialup UserActivity INFO GE_ CLI administrator logged out n Access UserActivity INFO SIMPLE CLI administrator login allowed CLI administrator login denied due to bad credentials n Access UserActivity INFO n Access UserActivity WARN Code: None --- DEBUG UNUSED SonicOS Log Event Reference Guide 29
31 Computed hash does not match hash received from peer; preshared key mismatch VPN IKE UserActivity WARN Configuration mode administratio n session ended Configuration mode administratio n session started n Access UserActivity INFO n Access UserActivity INFO Traffi Connection c Traffic INFO Traffi c Connection INFO STD_TRAFFI C_REPORT STD_TRAFFI C_REPORT Connection Closed Connection Opened Connection timed out VPN PKI UserActivity ALERT SIMPLE Content filter subscription expired. Security Services System Error ERROR UNUSED Cookie removed Access BlockedCode NOTICE STD_STRIN G_SERVICE CRL has expired VPN PKI UserActivity ALERT SIMPLE_NO TE_ CRL loaded from VPN PKI UserActivity INFO SIMPLE_NO TE_ CRL missing - Issuer requires CRL checking. VPN PKI UserActivity ALERT SIMPLE_NO TE_ CRL validation failure for Root Certificate VPN PKI UserActivity ALERT SIMPLE_NO TE_ Crypto DES test failed Crypto Test Maintenance ERROR SIMPLE Crypto DH test failed Crypto Test Maintenance ERROR SIMPLE Crypto hardware 3DES test failed Crypto Test Maintenance ERROR SIMPLE 30 SonicOS Log Event Reference Guide
Crypto Hardware 3DES with SHA test failed | Crypto Test | Maintenance | ERROR | SIMPLE
Crypto Hardware AES test failed | Crypto Test | Maintenance | ERROR | STD
Crypto hardware DES test failed | Crypto Test | Maintenance | ERROR | SIMPLE
Crypto hardware DES with SHA test failed | Crypto Test | Maintenance | ERROR | SIMPLE
Crypto Hmac-MD5 fest failed | Crypto Test | Maintenance | ERROR | SIMPLE
Crypto Hmac-Sha1 test failed | Crypto Test | Maintenance | ERROR | SIMPLE
Crypto MD5 test failed | Crypto Test | Maintenance | ERROR | SIMPLE
Crypto RSA test failed | Crypto Test | Maintenance | ERROR | SIMPLE
Crypto SHA1 based DRNG KAT test failed | Crypto Test | --- | ERROR | SIMPLE
Crypto Sha1 test failed | Crypto Test | Maintenance | ERROR | SIMPLE
CSR Generation: %s | VPN PKI | --- | INFO
DDNS association %s disabled | DDNS | Maintenance | INFO
DDNS association %s enabled | DDNS | Maintenance | INFO
DDNS association %s added | DDNS | Maintenance | INFO
DDNS association %s deactivated | DDNS | Maintenance | INFO
DDNS association %s deleted | DDNS | Maintenance | INFO
33 DDNS Association %s put on line DDNS Maintenance INFO DDNS association %s taken Offline locally DDNS Maintenance INFO DDNS Failure: Provider %s DDNS System Error ERROR DDNS Failure: Provider %s DDNS System Error ERROR DDNS Failure: Provider %s DDNS System Error ERROR DDNS Update success for domain %s DDNS Maintenance INFO DDNS Warning: Provider %s DDNS System Error WARN Deleting from Multicast policy list, interface : %s Multicast --- DEBUG Deleting from Multicast policy list, VPN SPI : %s Multicast --- DEBUG Deleting IPsec SA VPN IKE UserActivity INFO Deleting IPsec SA for destination VPN IKE UserActivity INFO UNUSED Destination IP address connection status: %s GE_ GE_ GE_ SPI event --- INFO Destination: None --- DEBUG UNUSED DHCP client enabled but not ready DHCP Client Maintenance INFO SIMPLE DHCP Client did not get DHCP ACK. DHCP Client Maintenance INFO STD GE_ 32 SonicOS Log Event Reference Guide
DHCP Client failed to verify and lease has expired. Go to INIT state. | DHCP Client | Maintenance | INFO | STD
DHCP Client failed to verify and lease is still valid. Go to BOUND state. | DHCP Client | Maintenance | INFO | UNUSED
DHCP Client got a new IP address lease. | DHCP Client | Maintenance | INFO
DHCP Client got ACK from server. | DHCP Client | Maintenance | INFO
DHCP Client got NACK. | DHCP Client | Maintenance | INFO | STD
DHCP Client is declining address offered by the server. | DHCP Client | Maintenance | INFO
DHCP Client sending REQUEST and going to REBIND state. | DHCP Client | Maintenance | INFO
DHCP Client sending REQUEST and going to RENEW state. | DHCP Client | Maintenance | INFO
DHCP DECLINE received from remote device | DHCP Relay | Debug | INFO | UNUSED
DHCP DISCOVER received from local device | DHCP Relay | Debug | INFO | UNUSED
DHCP DISCOVER received from remote device | DHCP Relay | Debug | INFO
DHCP lease dropped. Lease from Central Gateway conflicts with Relay IP | DHCP Relay | Maintenance | WARN
DHCP lease dropped. Lease from Central Gateway conflicts with Remote Management IP | DHCP Relay | Maintenance | WARN
DHCP lease file in the flash is corrupted; read failed | event | System Error | WARN | SIMPLE
DHCP lease relayed to local device | DHCP Relay | Maintenance | INFO
DHCP lease relayed to remote device | DHCP Relay | Debug | INFO
DHCP lease to LAN device conflicts with remote device, deleting remote IP entry | DHCP Relay | Maintenance | INFO
DHCP leases written to flash | event | Maintenance | INFO | SIMPLE
DHCP NACK received from server | DHCP Relay | Debug | INFO
DHCP OFFER received from server | DHCP Relay | Debug | INFO
36 DHCP Ranges altered automatically due to change in network settings for interface %s DHCP RELEASE received from remote event --- INFO device DHCP Relay Debug INFO DHCP RELEASE relayed to Central Gateway DHCP Relay Maintenance INFO DHCP REQUEST received from local device DHCP Relay Debug INFO UNUSED DHCP REQUEST received from remote device DHCP Relay Debug INFO DHCP Server not available. Did not get any DHCP OFFER. DHCP Client Maintenance INFO STD DHCP Server sanity check failed %s event --- CRITICAL DHCP Server sanity check passed %s DHCP Server: IP conflict detected DHCP Server: Received DHCP decline from client event --- CRITICAL event --- ALERT event --- ALERT SonicOS Log Event Reference Guide 35
37 DHCP Server: Received DHCP message from untrusted relay agent event --- NOTICE Diagnostic Auto-restart canceled event --- INFO SIMPLE Diagnostic Auto-restart scheduled for %s minutes from now event --- INFO Diagnostic Code A Hardware System Error ERROR Diagnostic Code B Hardware System Error ERROR Diagnostic Code C Hardware System Error ERROR Diagnostic Code D Hardware System Error ERROR CODE Diagnostic Code E VPN IPsec System Error ERROR CODE Diagnostic Code F Hardware System Error ERROR Diagnostic Code G Hardware System Error ERROR Diagnostic Code H Hardware System Error ERROR Diagnostic Code I Hardware System Error ERROR Diagnostic Code J Hardware System Error ERROR Dial-up: Session initiated by data packet PPP dialup --- INFO Dial-up: Traffic generated by '%s' PPP dialup --- INFO SIMPLE_NO TE_ SIMPLE_NO TE_ SIMPLE_NO TE_ SIMPLE_NO TE_ SIMPLE_NO TE_ SIMPLE_NO TE_ SIMPLE_NO TE_ SIMPLE_NO TE_ STD_SERVI CE GE_ Disconnectin g L2TP Tunnel due to traffic timeout L2TP Client Maintenance INFO SIMPLE Disconnectin g PPPoE due to traffic timeout PPPoE Maintenance INFO SIMPLE 36 SonicOS Log Event Reference Guide
38 Disconnectin g PPTP Tunnel due to traffic timeout PPTP Maintenance INFO SIMPLE Discovered HA %s Discovered HA Backup DNS packet allowed DNS rebind attack blocked Drop WLAN traffic from non- SonicPoint devices Duplicate packet dropped High Availability --- INFO High Availability Maintenance INFO SIMPLE STD_POLIC Access Debug INFO Y Intrusion Detection --- ALERT Intrusion Detection Attack ERROR STD Access Debug DEBUG UNUSED Dynamic IPsec client connected VPN IPsec UserActivity INFO EIGRP packet dropped fragment dropped Access Debug NOTICE Intrusion Detection Attack ERROR STD Entering FIPS ERROR state Crypto Test Maintenance ERROR UNUSED Entering FIPS Error State. Crypto Test System Error ERROR UNUSED Error initializing Hardware acceleration for VPN Error Rebooting HA Peer Hardware Maintenance ERROR SIMPLE High Availability System Error ERROR SIMPLE SonicOS Log Event Reference Guide 37
39 Error setting the IP address of the backup, please manually set to backup LAN IP High Availability System Error ERROR SIMPLE Error synchronizing HA peer firewall (%s) High Availability System Error ERROR Error updating HA peer High configuration Availability System Error ERROR UNUSED ERROR: DHCP over VPN policy is not defined. Cannot start IKE. DHCP Relay Maintenance INFO UNUSED Exceeded Max multicast address limit Multicast --- WARN STD External Web Server Host Resolution Failed %s n Access --- ERROR Failed payload validation VPN IKE UserActivity WARN Failed payload verification after decryption; possible preshared key mismatch VPN IKE UserActivity WARN Failed to find certificate VPN PKI UserActivity ALERT Failed to get CRL from VPN PKI UserActivity ALERT Failed to Process CRL from VPN PKI UserActivity ALERT Failed to resolve name Maintenance INFO SIMPLE_NO TE_ SIMPLE_NO TE_ SIMPLE_NO TE_ SIMPLE_NO TE_ 38 SonicOS Log Event Reference Guide
40 Failed to send file to remote backup server, Error: %s event Maintenance INFO Failed to send Preference file to remote backup server, Error: %s event Maintenance INFO Failed to send TSR file to remote backup server, Error: %s event Maintenance INFO Failed to synchronize license information with Licensing Server. Please see help.mysonic WALL.com/ licsyncfail.ht Security ml (code: %s) Services Maintenance WARN Failed to synchronize Relay IP Table DHCP Relay System Error WARN STD Failed to write DHCP leases to flash event System Error WARN SIMPLE Failure to add data channel Unused Debug DEBUG STD Failure to reach Interface %s probe Fan Failure FIN Flood Blacklist on IF %s continues High Availability System Error ERROR Hardware System Environment ALERT SIMPLE Intrusion Detection Debug WARN SonicOS Log Event Reference Guide 39
41 FIN-Flooding machine %s blacklisted Intrusion Detection Debug ALERT Forbidden E- Mail attachment Intrusion deleted Detection Attack ERROR Forbidden E- Mail attachment Intrusion disabled Detection Attack ALERT Found Rogue Access Point WLAN IDS WLAN IDS ALERT Found Rogue Access Point WLAN IDS WLAN IDS ALERT Fragmented packet TCP UDP dropped ICMP NOTICE Fraudulent Microsoft certificate found; access denied Intrusion Detection Attack ERROR STD FTP client user logged in failed FTP --- DEBUG FTP client user logged in successfully FTP --- DEBUG FTP client user logged out FTP --- DEBUG FTP client user name was sent FTP --- DEBUG FTP server accepted the connection FTP --- DEBUG FTP: Data connection from non default port dropped FTP: PASV response bounce attack dropped. Access Attack ALERT STD Intrusion Detection Attack ALERT STD_DESTI NATION STD_DESTI NATION SIMPLE_NO TE_ SIMPLE_NO TE_ PROTOCOL 40 SonicOS Log Event Reference Guide
42 FTP: PASV response spoof attack dropped Intrusion Detection Attack ERROR STD FTP: PORT bounce attack dropped. Intrusion Detection Attack ALERT Gateway Anti-Virus Security Alert: %s Services Attack ALERT Gateway Anti-Virus Service Security expired Services Maintenance WARN SIMPLE Global VPN Client connection is not allowed. Appliance is not registered. VPN Client System Error INFO STD Global VPN Client License Exceeded: Connection denied. VPN Client System Error INFO STD Global VPN Client version cannot enforce personal firewall. Minimum Version required is 2.1 VPN Client UserActivity INFO Got DHCP OFFER. Selecting. DHCP Client Maintenance INFO GSC policy out-of-date on host Guest account '%s' created Guest account '%s' deleted Security Services Maintenance INFO STD n Access UserActivity INFO n Access UserActivity INFO GE_ GE_ GE_ SonicOS Log Event Reference Guide 41
43 Guest account '%s' disabled n Access UserActivity INFO Guest account '%s' pruned n Access UserActivity INFO Guest account '%s' re-enabled n Access UserActivity INFO Guest account '%s' re-generated n Access UserActivity INFO Guest Account Timeout n Access UserActivity INFO Guest Idle Timeout n Access UserActivity INFO Guest login denied. Guest '%s' is already logged in. Please try again later. n Access UserActivity INFO Guest Services drop traffic to deny network Access --- INFO Guest Services pass traffic to access allow network Access --- INFO Guest Session Timeout n Access UserActivity INFO GUI administratio n session ended n Access UserActivity INFO H.323/H.225 Connect VOIP VOIP DEBUG H.323/H.225 Setup VOIP VOIP DEBUG H.323/H.245 Address VOIP VOIP DEBUG H.323/H.245 End Session VOIP VOIP DEBUG H.323/RAS Admission Confirm VOIP VOIP DEBUG GE_ GE_ GE_ GE_ GE_ 42 SonicOS Log Event Reference Guide
44 H.323/RAS Admission Reject VOIP VOIP DEBUG H.323/RAS Admission Request VOIP VOIP DEBUG H.323/RAS Bandwidth Reject VOIP VOIP DEBUG H.323/RAS Disengage Confirm VOIP VOIP DEBUG H.323/RAS Disengage Reject VOIP VOIP DEBUG H.323/RAS Gatekeeper Reject VOIP VOIP DEBUG H.323/RAS Location Confirm VOIP VOIP DEBUG H.323/RAS Location Reject VOIP VOIP DEBUG H.323/RAS Registration Reject VOIP VOIP DEBUG H.323/RAS Unknown Message Response VOIP VOIP DEBUG H.323/RAS Unregistratio n Reject VOIP VOIP DEBUG HA packet processing error HA Peer Rebooted HA Peer Synchronized Hardware Failover settings were not upgraded. High Availability Maintenance INFO SIMPLE High Availability Maintenance INFO SIMPLE High Availability Maintenance INFO SIMPLE event Maintenance INFO SIMPLE Header verification failed VPN IKE UserActivity WARN STD SonicOS Log Event Reference Guide 43
45 Heartbeat received from incompatible source HTTP management port has changed event Maintenance INFO HTTP method detected; examining stream for host header Access TCP DEBUG HTTPS management port has changed event Maintenance INFO ICMP checksum error; packet dropped ICMP packet allowed ICMP packet dropped due to policy Access ICMP NOTICE ICMP packet dropped no match Access ICMP NOTICE ICMP packet from LAN allowed Access Debug INFO ICMP packet from LAN LanICMP dropped Access LanTCP NOTICE If not already enabled, enabling NTP is recommende d IGMP packet dropped, wrong checksum received on interface %s Multicast --- NOTICE High Availability Maintenance INFO UNUSED SIMPLE_NO TE_ STD_POLIC Y SIMPLE_NO TE_ Access UDP NOTICE STD STD_POLIC Access Debug INFO Y STD_POLIC Y STD_ICMP_ SERVICE STD_ICMP_ SERVICE STD_ICMP_ SERVICE Hardware System Error WARN SIMPLE GE_ 44 SonicOS Log Event Reference Guide
46 IGMP Leave group message Received on interface %s Multicast --- INFO IGMP packet dropped, decoding error Multicast --- NOTICE STD IGMP Packet Not handled. Packet type : %s Multicast --- NOTICE IGMP querier Router detected on interface %s Multicast --- DEBUG IGMP querier Router detected on VPN tunnel, SPI %S Multicast --- DEBUG IGMP state table entry time out,deleting interface : %s for multicast address : %s Multicast --- DEBUG IGMP state table entry time out,deleting VPN SPI :%s for Multicast address : %s Multicast --- DEBUG IGMP V2 client joined multicast Group : %s Multicast --- INFO IGMP V2 Membership report received from interface %s Multicast --- DEBUG IGMP V3 client joined multicast Group : %s Multicast --- INFO GE_ GE_ GE_ GE_ GE_ GE_ GE_ GE_ GE_ SonicOS Log Event Reference Guide 45
IGMP V3 Membership report received from interface %s | Multicast | --- | DEBUG
IGMP V3 packet dropped, unsupported Record type : %s | Multicast | --- | NOTICE
IGMP V3 record type : %s not Handled | Multicast | --- | DEBUG
IKE Initiator drop: VPN tunnel end point does not match configured VPN Policy Bound to scope | VPN IKE | UserActivity | INFO | STD
IKE Initiator: Accepting IPsec proposal (Phase 2) | VPN IKE | UserActivity | INFO
IKE Initiator: Accepting peer lifetime. (Phase 1) | VPN IKE | UserActivity | INFO
IKE Initiator: Aggressive Mode complete (Phase 1). | VPN IKE | UserActivity | INFO
IKE Initiator: IKE proposal does not match (Phase 1) | VPN IKE | UserActivity | WARN
IKE Initiator: Main Mode complete (Phase 1) | VPN IKE | UserActivity | INFO
IKE Initiator: Proposed IKE ID mismatch | VPN IKE | UserActivity | WARN
GE_ GE_ GE_
IKE Initiator: Remote party timeout - Retransmitting IKE request. | VPN IKE | UserActivity | INFO
IKE Initiator: Start Aggressive Mode negotiation (Phase 1) | VPN IKE | UserActivity | INFO
IKE Initiator: Start Main Mode negotiation (Phase 1) | VPN IKE | UserActivity | INFO
IKE Initiator: Start Quick Mode (Phase 2). | VPN IKE | UserActivity | INFO
IKE Initiator: Using secondary gateway to negotiate | VPN IKE | UserActivity | INFO
IKE negotiation aborted due to timeout | VPN IKE | UserActivity | INFO
IKE negotiation complete. Adding IPsec SA. (Phase 2) | VPN IKE | UserActivity | INFO
IKE Responder drop: VPN tunnel end point does not match configured VPN Policy Bound to scope | VPN IKE | UserActivity | INFO | STD
IKE Responder: %s policy does not allow static IP for Virtual Adapter. | VPN Client | System Error | ERROR
IKE Responder: Accepting IPsec proposal (Phase 2) | VPN IKE | UserActivity | INFO
IKE Responder: Aggressive Mode complete (Phase 1) | VPN IKE | UserActivity | INFO
IKE Responder: AH authentication algorithm does not match | VPN IKE | UserActivity | WARN
IKE Responder: AH authentication key length does not match | VPN IKE | UserActivity | WARN
IKE Responder: AH authentication key rounds does not match | VPN IKE | UserActivity | WARN
IKE Responder: AH Perfect Forward Secrecy mismatch | VPN IKE | UserActivity | WARN
IKE Responder: Algorithms and/or keys do not match | VPN IKE | UserActivity | WARN
GE_
IKE Responder: Client Policy has no VPN Access s assigned. Check Configuration. | VPN IKE | System Error | ERROR
IKE Responder: Default LAN gateway is not set but peer is proposing to use this SA as a default route | VPN IKE | Attack | ERROR
IKE Responder: Default LAN gateway is set but peer is not proposing to use this SA as a default route | VPN IKE | UserActivity | WARN
IKE Responder: ESP authentication algorithm does not match | VPN IKE | UserActivity | WARN
IKE Responder: ESP authentication key length does not match | VPN IKE | UserActivity | WARN
IKE Responder: ESP authentication key rounds does not match | VPN IKE | UserActivity | WARN
IKE Responder: ESP encryption algorithm does not match | VPN IKE | UserActivity | WARN
IKE Responder: ESP encryption key length does not match | VPN IKE | UserActivity | WARN
IKE Responder: ESP encryption key rounds does not match | VPN IKE | UserActivity | WARN
IKE Responder: ESP Perfect Forward Secrecy mismatch | VPN IKE | UserActivity | WARN
IKE Responder: IKE Phase 1 exchange does not match | VPN IKE | UserActivity | ERROR
IKE Responder: IKE proposal does not match (Phase 1) | VPN IKE | UserActivity | WARN
IKE Responder: IP Address already exists in the DHCP relay table. Client traffic not allowed. | VPN Client | System Error | ERROR
IKE Responder: IP Compression algorithm does not match | VPN IKE | UserActivity | WARN
IKE Responder: IPsec proposal does not match (Phase 2) | VPN IKE | UserActivity | WARN
IKE Responder: IPsec protocol mismatch | VPN IKE | UserActivity | WARN
IKE Responder: Main Mode complete (Phase 1) | VPN IKE | UserActivity | INFO
IKE Responder: Mode %d - not transport mode. Xauth is required but not supported by peer. | VPN IKE | Debug | WARN
IKE Responder: Mode %d - not tunnel mode | VPN IKE | UserActivity | WARN
IKE Responder: No match for proposed remote network address | VPN IKE | UserActivity | WARN
GE_NUMBER GE_NUMBER
IKE Responder: No matching Phase 1 ID found for proposed remote network | VPN IKE | UserActivity | WARN
IKE Responder: Peer's destination network does not match VPN policy's <b>local </b> | VPN IKE | UserActivity | WARN
IKE Responder: Peer's local network does not match VPN policy's <b>destination </b> | VPN IKE | UserActivity | WARN
IKE Responder: Phase 1 n Method does not match | VPN IKE | UserActivity | WARN
IKE Responder: Phase 1 DH Group does not match | VPN IKE | UserActivity | WARN
IKE Responder: Phase 1 encryption algorithm does not match | VPN IKE | UserActivity | WARN
IKE Responder: Phase 1 encryption algorithm keylength does not match | VPN IKE | UserActivity | WARN
IKE Responder: Phase 1 hash algorithm does not match | VPN IKE | UserActivity | WARN
IKE Responder: Phase 1 XAUTH required but policy has no user name | VPN IKE | UserActivity | WARN
IKE Responder: Phase 1 XAUTH required but policy has no user password | VPN IKE | UserActivity | WARN
IKE Responder: Proposed IKE ID mismatch | VPN IKE | System Error | WARN
IKE Responder: Proposed local network is but SA has no LAN Default Gateway | VPN IKE | UserActivity | WARN
IKE Responder: Proposed remote network is but not DHCP relay nor default route | VPN IKE | UserActivity | WARN
IKE Responder: Received Aggressive Mode request (Phase 1) | VPN IKE | UserActivity | INFO
IKE Responder: Received Main Mode request (Phase 1) | VPN IKE | UserActivity | INFO
IKE Responder: Received Quick Mode Request (Phase 2) | VPN IKE | UserActivity | INFO
IKE Responder: Remote party timeout - Retransmitting IKE request. | VPN IKE | UserActivity | INFO
IKE Responder: Route table overrides VPN policy | VPN IKE | UserActivity | WARN
IKE Responder: Tunnel terminates inside firewall but proposed local network is not inside firewall | VPN IKE | UserActivity | WARN
IKE Responder: Tunnel terminates on DMZ but proposed local network is on LAN | VPN IKE | UserActivity | WARN
IKE Responder: Tunnel terminates on LAN but proposed local network is on DMZ | VPN IKE | UserActivity | WARN
IKE Responder: Tunnel terminates outside firewall but proposed local network is not NAT public address | VPN IKE | UserActivity | WARN
IKE Responder: Tunnel terminates outside firewall but proposed remote network is not NAT public address | VPN IKE | UserActivity | WARN
IKE SA lifetime expired. | VPN IKE | UserActivity | INFO
IKEv2 Accept IKE SA Proposal | VPN IKE | UserActivity | INFO
IKEv2 Accept IPsec SA Proposal | VPN IKE | UserActivity | INFO
IKEv2 n successful | VPN IKE | UserActivity | INFO
IKEv2 Decrypt packet failed | VPN IKE | UserActivity | WARN
IKEv2 Function sendto() failed to transmit packet. | VPN IKE | UserActivity | ERROR
IKEv2 IKE attribute not found | VPN IKE | UserActivity | WARN
IKEv2 IKE proposal does not match | VPN IKE | UserActivity | WARN
IKEv2 Initiator: Negotiations failed. Extra payloads present. | VPN IKE | UserActivity | WARN
IKEv2 Initiator: Negotiations failed. Invalid input state. | VPN IKE | UserActivity | WARN
IKEv2 Initiator: Negotiations failed. Invalid output state. | VPN IKE | UserActivity | WARN
IKEv2 Initiator: Negotiations failed. Missing required payloads. | VPN IKE | UserActivity | WARN
IKEv2 Initiator: Proposed IKE ID mismatch | VPN IKE | UserActivity | WARN
IKEv2 Initiator: Received CREATE_CHILD_SA response | VPN IKE | UserActivity | INFO
IKEv2 Initiator: Received IKE_AUTH response | VPN IKE | UserActivity | INFO
IKEv2 Initiator: Received IKE_SA_INT response | VPN IKE | UserActivity | INFO
IKEv2 Initiator: Remote party timeout - Retransmitting IKEv2 request. VPN IKE UserActivity INFO IKEv2 Initiator: Send CREATE_CHILD_SA request VPN IKE UserActivity INFO IKEv2 Initiator: Send IKE_AUTH request VPN IKE UserActivity INFO IKEv2 Initiator: Send IKE_SA_INIT request VPN IKE UserActivity INFO IKEv2 Invalid SPI size VPN IKE UserActivity WARN IKEv2 Invalid state VPN IKE UserActivity WARN IKEv2 IPsec attribute not found VPN IKE UserActivity WARN IKEv2 IPsec proposal does not match VPN IKE UserActivity WARN IKEv2 NAT device detected between negotiating peers VPN IKE UserActivity INFO IKEv2 negotiation complete VPN IKE UserActivity INFO IKEv2 No NAT device detected between negotiating peers VPN IKE UserActivity INFO IKEv2 Out of memory VPN IKE UserActivity WARN
IKEv2 Payload processing error VPN IKE UserActivity WARN IKEv2 Payload validation failed. VPN IKE UserActivity WARN IKEv2 Peer is not responding. Negotiation aborted. VPN IKE UserActivity WARN IKEv2 Process Message queue failed VPN IKE UserActivity WARN IKEv2 Received delete IKE SA request VPN IKE UserActivity INFO IKEv2 Received delete IKE SA response VPN IKE UserActivity INFO IKEv2 Received delete IPsec SA request VPN IKE UserActivity INFO IKEv2 Received delete IPsec SA response VPN IKE UserActivity INFO IKEv2 Received notify error payload VPN IKE UserActivity WARN IKEv2 Received notify status payload VPN IKE UserActivity INFO IKEv2 Responder: Peer's destination network does not match VPN policy's <b>local </b> VPN IKE UserActivity INFO
IKEv2 Responder: Peer's local network does not match VPN policy's <b>destination </b> VPN IKE UserActivity INFO IKEv2 Responder: Policy for remote IKE ID not found VPN IKE UserActivity ERROR IKEv2 Responder: Received CREATE_CHILD_SA request VPN IKE UserActivity INFO IKEv2 Responder: Received IKE_AUTH request VPN IKE UserActivity INFO IKEv2 Responder: Received IKE_SA_INIT request VPN IKE UserActivity INFO IKEv2 Responder: Send CREATE_CHILD_SA response VPN IKE UserActivity INFO IKEv2 Responder: Send IKE_AUTH response VPN IKE UserActivity INFO IKEv2 Responder: Send IKE_SA_INIT response VPN IKE UserActivity INFO IKEv2 Send delete IKE SA request VPN IKE UserActivity INFO IKEv2 Send delete IKE SA response VPN IKE UserActivity INFO
IKEv2 Send delete IPsec SA request VPN IKE UserActivity INFO IKEv2 Send delete IPsec SA response VPN IKE UserActivity INFO IKEv2 Unable to find IKE SA VPN IKE UserActivity WARN IKEv2 VPN Policy not found VPN IKE UserActivity WARN Illegal IPsec SPI VPN IPsec UserActivity INFO Imported HA hardware ID did not match this firewall Imported VPN SA is invalid - disabled High Availability Maintenance INFO UNUSED event Maintenance WARN Inbound connection from GRID-listed SMTP server dropped Anti-Spam --- NOTICE STD Inbound connection from RBL-listed SMTP server dropped RBL --- NOTICE STD Incoming call received for Remotely Triggered Dial-out session Incompatible IPsec Security n Access UserActivity INFO SIMPLE Association VPN IPsec UserActivity INFO Incorrect authentication received for Remotely Triggered Dial-out n Access UserActivity INFO SIMPLE
Ini Killer attack dropped Interface %s Link Is Down Intrusion Detection Attack ALERT STD event System Error ERROR Interface %s Link Is Up event System Error WARN Interface IP Assignment : Binding and initializing %s event Maintenance INFO Interface IP Assignment changed: Shutting down %s event Maintenance INFO Interface statistics report GMS --- INFO Internet Access restricted to authorized users. Dropped packet received in the clear. Wireless Invalid DNS Server will not be accepted by the dynamic client Invalid Product Code Upgrade request received: %s SIMPLE_INTERFACE_STATS TCP UDP ICMP WARN UNUSED event --- INFO event --- ERROR Invalid VLAN packet dropped --- ALERT IP address conflict detected from ethernet address %s Maintenance WARN GE_ GE_
IP Header checksum error; packet dropped Access TCP UDP NOTICE STD IP spoof detected on packet to Central Gateway, packet dropped DHCP Relay Attack ERROR IP spoof dropped Intrusion Detection Attack ALERT IP type %s packet LanUDP dropped Access LanTCP NOTICE IPcomp connection interrupt IPcomp Debug DEBUG STD IPcomp packet dropped IPcomp TCP UDP ICMP NOTICE IPcomp packet dropped; waiting for pending IPcomp connection IPcomp Debug DEBUG STD IPS Detection Alert: %s Intrusion Detection Attack ALERT IPS Detection Intrusion Alert: %s Detection Attack ALERT IPS Prevention Intrusion Alert: %s Detection Attack ALERT IPS Prevention Intrusion Alert: %s Detection Attack ALERT IPsec (AH) packet TCP UDP dropped VPN IPsec ICMP NOTICE IPsec (AH) packet dropped; waiting for pending IPsec connection VPN IPsec Debug DEBUG STD Ethernet Ethernet GE_ STD_IDP_MESSAGE_STR GE_ STD_IDP_MESSAGE_STR GE_
IPsec (ESP) packet dropped TCP UDP ICMP NOTICE VPN IPsec IPsec (ESP) packet dropped; waiting for pending IPsec connection VPN IPsec Debug DEBUG STD IPsec n Failed VPN IPsec Attack ERROR IPsec connection interrupt Access Debug DEBUG STD IPsec Decryption Failed VPN IPsec Attack ERROR IPsec packet dropped IPsec packet dropped; waiting for pending IPsec connection Access TCP UDP ICMP NOTICE STD Access Debug DEBUG STD IPsec packet from an illegal host VPN IPsec Maintenance INFO IPsec packet from or to an illegal host VPN IPsec Attack ERROR IPsec Replay Detected VPN IPsec Attack ALERT IPsec SA lifetime expired. VPN IPsec UserActivity INFO UNUSED IPsecTunnel status changed ISDN Driver Firmware successfully updated VPN VPNTunnelSt atus INFO SIMPLE event Maintenance INFO SIMPLE Issuer match failed VPN PKI UserActivity ALERT SIMPLE_NOTE_ Java access denied Access BlockedCode NOTICE BLOCKED L2TP Connect Initiated by the User L2TP Client Maintenance INFO UNUSED
L2TP Disconnect Initiated by the User L2TP Client Maintenance INFO UNUSED L2TP enabled but not ready Unused Maintenance INFO SIMPLE L2TP LCP Down L2TP Client Maintenance INFO UNUSED L2TP LCP Up L2TP Client Maintenance INFO UNUSED L2TP Max Retransmission Exceeded L2TP Client Maintenance INFO SIMPLE L2TP PPP n Failed L2TP Client Maintenance INFO SIMPLE L2TP PPP Down L2TP Client Maintenance INFO SIMPLE L2TP PPP link down L2TP Client Maintenance INFO SIMPLE L2TP PPP Negotiation Started L2TP Client Maintenance INFO SIMPLE L2TP PPP Session Up L2TP Client Maintenance INFO SIMPLE L2TP Server : Access from L2TP VPN Client Privilege not enabled for RADIUS Users. L2TP Server Maintenance INFO UNUSED L2TP Server : Deleting the L2TP active Session L2TP Server Maintenance INFO L2TP Server : Deleting the Tunnel L2TP Server Maintenance INFO STD L2TP Server : L2TP PPP Session Established. L2TP Server Maintenance INFO UNUSED L2TP Server : L2TP Session Established. L2TP Server Maintenance INFO L2TP Server : L2TP Tunnel Established. L2TP Server Maintenance INFO
L2TP Server : Retransmission Timeout, Deleting the Tunnel L2TP Server Maintenance INFO L2TP Server : User Name authentication Failure locally. L2TP Server Maintenance INFO L2TP Server: Keep alive Failure. Closing Tunnel L2TP Server Maintenance INFO UNUSED L2TP Server: L2TP Remote terminated the PPP session L2TP Server Maintenance INFO UNUSED L2TP Server: L2TP Session Disconnect from the Remote. L2TP Server Maintenance INFO UNUSED L2TP Server: L2TP Tunnel Disconnect from the Remote. L2TP Server Maintenance INFO UNUSED L2TP Server: Local n Failure L2TP Server Maintenance INFO L2TP Server: Local n Success. L2TP Server Maintenance INFO L2TP Server: No IP address available in the Local IP Pool L2TP Server Maintenance INFO UNUSED L2TP Server: RADIUS/LDAP n Success L2TP Server Maintenance INFO
L2TP Server: RADIUS/LDAP reports n Failure L2TP Server Maintenance INFO L2TP Server: RADIUS/LDAP server not assigned IP address L2TP Server Maintenance INFO L2TP Server: Call Disconnect from Remote. L2TP Server Maintenance INFO L2TP Server: Tunnel Disconnect from Remote. L2TP Server Maintenance INFO L2TP Session Disconnect from Remote L2TP Client Maintenance INFO SIMPLE L2TP Session Established L2TP Client Maintenance INFO SIMPLE L2TP Session Negotiation Started L2TP Client Maintenance INFO SIMPLE L2TP Tunnel Disconnect from Remote L2TP Client Maintenance INFO SIMPLE L2TP Tunnel Established L2TP Client Maintenance INFO SIMPLE L2TP Tunnel Negotiation %s L2TP Client --- INFO GE_ L2TP Tunnel Negotiation Started L2TP Client Maintenance INFO SIMPLE LAN Subnet configurations were not upgraded. Land attack event Maintenance INFO SIMPLE Intrusion Detection Attack ALERT STD dropped LDAP server does not allow CHAP RADIUS UserActivity WARN STD_STRING_SERVICE
LDAP using non-administrative account - VPN client user will not be able to change passwords RADIUS System Error WARN License exceeded: Connection dropped because too many IP addresses are in use on your LAN License of HA pair doesn't match: %s event System Error ERROR STD SIMPLE_NOTE_ High Availability System Error ERROR local range: None --- DEBUG UNUSED Locked-out user logins allowed - lockout period expired Locked-out user logins allowed by administrator n Access UserActivity INFO n Access UserActivity INFO Log (part None --- DEBUG UNUSED Log Cleared logging Maintenance INFO SIMPLE Log Debug event Debug ERROR SIMPLE_STR Log file from SonicWALL None --- DEBUG UNUSED Log full; deactivating SonicWALL Log successfully sent via Login screen timed out logging System Error ERROR UNUSED logging Maintenance INFO SIMPLE n Access UserActivity INFO STD_STRING_SERVICE
MAC address collides with Static ARP Entry with Bound MAC address; packet dropped --- NOTICE Machine %s removed from FIN flood blacklist Machine %s removed from RST flood blacklist Machine %s removed from SYN flood blacklist Malformed or unhandled IP packet dropped Maximum events per second threshold exceeded Maximum number of Bandwidth Managed rules exceeded upon upgrade to this version. Some Bandwith settings ignored. Intrusion Detection Debug ALERT Intrusion Detection Debug ALERT Intrusion Detection Debug ALERT Access Debug ALERT Ethernet PROTOCOL logging System Error CRITICAL SIMPLE event Maintenance NOTICE UNUSED Maximum sequential failed dial attempts (10) to a single dial-up number: %s PPP dialup Attack ERROR GE_
Maximum syslog data per second threshold exceeded logging System Error CRITICAL SIMPLE Message blocked by Real-Time Scanner Anti-Spam --- INFO STD MTU: None --- DEBUG UNUSED Multicast application %s not supported Multicast --- INFO Multicast packet dropped, Invalid src IP received on interface : %s Multicast --- ALERT Multicast packet dropped, wrong MAC address received on interface : %s Multicast --- ALERT Multicast TCP packet dropped Multicast --- NOTICE STD Multicast UDP packet dropped, no state entry Multicast --- NOTICE STD Multicast UDP packet dropped, RTCP stateful failed Multicast --- WARN STD Multicast UDP packet dropped, RTP stateful failed Multicast --- WARN STD Multiple DHCP Servers are detected on network event --- WARN GE_ GE_ GE_
NAT could not remap incoming packet Unused System Error ERROR UNUSED NAT device may not support IPsec AH passthrough VPN IPsec Maintenance INFO SIMPLE NAT Discovery : No NAT/NAPT device detected between IPsec Security gateways VPN IKE UserActivity INFO NAT Discovery : Local IPsec Security Gateway behind a NAT/NAPT Device VPN IKE UserActivity INFO NAT Discovery : Peer IPsec Security Gateway behind a NAT/NAPT Device VPN IKE UserActivity INFO NAT Discovery : Peer IPsec Security Gateway doesn't support VPN NAT Traversal VPN IKE UserActivity INFO NAT translated packet exceeds size limit, packet dropped Debug DEBUG STD
Net Spy attack dropped Intrusion Detection Attack ALERT STD NetBIOS settings were not upgraded. Use >IP Helper to configure NetBIOS support event Maintenance INFO SIMPLE NetBus attack dropped Intrusion Detection Attack ALERT STD for interface %s overlaps with another interface. event Maintenance INFO Modem Mode Disabled: reenabling NAT PPP dialup Maintenance INFO SIMPLE Modem Mode Enabled: turning off NAT PPP dialup Maintenance INFO SIMPLE Monitor Policy %s Added Monitor Policy %s Deleted Monitor Policy %s Modified Monitor: Host %s is offline Monitor: Host %s is online Monitor: Host %s status is UNKNOWN Monitor --- INFO Monitor --- INFO Monitor --- INFO Monitor --- ALERT Monitor --- ALERT Monitor --- ALERT
Monitor: Policy %s status is DOWN Monitor --- ALERT Monitor: Policy %s status is UNKNOWN Monitor --- ALERT Monitor: Policy %s status is UP Monitor --- ALERT New firmware available. event Maintenance INFO UNUSED New URL List loaded Security Services Maintenance INFO SIMPLE Newsgroup access allowed Access BlockedSites NOTICE BLOCKED Newsgroup access denied Access BlockedSites NOTICE BLOCKED No Certificate for VPN PKI UserActivity ALERT SIMPLE_NOTE_ No HOST tag found in HTTP request Access Debug DEBUG UNUSED No ICMP redirect sent Unused Debug DEBUG UNUSED No new URL List available Security Services Maintenance INFO SIMPLE No response from ISP Disconnecting PPPoE. PPPoE Maintenance INFO SIMPLE No response from PPTP server to call requests PPTP Maintenance INFO SIMPLE No response from PPTP server to control connection requests PPTP Maintenance INFO SIMPLE
No response from server to Echo Requests, disconnecting PPTP Tunnel PPTP Maintenance INFO SIMPLE No valid DNS server specified for GRID lookups Anti-Spam --- ERROR SIMPLE No valid DNS server specified for RBL lookups RBL --- ERROR SIMPLE Non-config mode GUI administration session started Not all configurations may have been completely n Access UserActivity INFO event Maintenance INFO SIMPLE upgraded Not enough memory to hold the CRL VPN PKI UserActivity WARN SIMPLE Obtained Relay IP Table from Remote Gateway DHCP Relay Maintenance INFO STD OCSP Failed to Resolve Domain Name. VPN PKI UserActivity ERROR OCSP Internal error handling received response. VPN PKI UserActivity ERROR OCSP received response error. VPN PKI UserActivity ERROR OCSP received response. VPN PKI UserActivity INFO
OCSP Resolved Domain Name. VPN PKI UserActivity INFO OCSP send request message failed. VPN PKI UserActivity ERROR OCSP sending request. VPN PKI UserActivity INFO OCSP unused/spare Unused --- DEBUG UNUSED Outbound connection to GRID-listed SMTP server dropped Anti-Spam --- NOTICE STD Outbound connection to RBL-listed SMTP server dropped RBL --- NOTICE STD Out-of-order command packet dropped Access Debug DEBUG STD Overriding Product Code Upgrade to: %s event --- ERROR Packet destination not in VPN Access list VPN IPsec Attack ERROR Packet Dropped - IP TTL expired Debug WARN Packet dropped by guest check Packet dropped by WLAN SSL-VPN enforcement check Packet dropped by WLAN VPN traversal check Access Wireless Wireless TCP UDP ICMP WARN STD TCP UDP ICMP WARN TCP UDP ICMP WARN GE_
Packet dropped. No firewall rule associated with VPN policy. VPN System Error ALERT Packet dropped; connection limit for this destination IP address has been reached Packet dropped; connection limit for this source IP address has been reached event System Error ALERT event System Error ALERT Payload processing failed VPN IKE Debug ERROR PC Card inserted. Rebooting. PC Card removed. Rebooting. PC Card: No device detected Peer firewall rebooting (%s) Physical environment normal Hardware --- ALERT Hardware --- ALERT Hardware --- ALERT High Availability --- INFO Hardware --- INFO SIMPLE Ping of death dropped Intrusion Detection Attack ALERT STD PKI Error: VPN PKI Maintenance ERROR UNUSED PKI Failure VPN PKI Maintenance ERROR UNUSED PKI Failure: CA certificates store exceeded. Cannot verify this Local Certificate VPN PKI Maintenance ERROR SIMPLE
PKI Failure: Cannot allocate memory VPN PKI Maintenance ERROR SIMPLE PKI Failure: Certificate's ID does not match this SonicWALL VPN PKI Maintenance ERROR SIMPLE PKI Failure: Duplicate local certificate VPN PKI Maintenance ERROR SIMPLE PKI Failure: Duplicate local certificate name VPN PKI Maintenance ERROR SIMPLE PKI Failure: Import failed VPN PKI Maintenance ERROR SIMPLE PKI Failure: Improper file format. Please select PKCS#12 (*.p12) file VPN PKI Maintenance ERROR SIMPLE PKI Failure: Incorrect admin password VPN PKI Maintenance ERROR SIMPLE PKI Failure: Internal error VPN PKI Maintenance ERROR SIMPLE PKI Failure: Loaded but could not verify certificate VPN PKI Maintenance ERROR SIMPLE PKI Failure: Loaded the certificate but could not verify it's chain VPN PKI Maintenance ERROR SIMPLE PKI Failure: No CA certificates yet loaded VPN PKI Maintenance ERROR SIMPLE PKI Failure: Output buffer too small VPN PKI Maintenance ERROR SIMPLE
PKI Failure: public-private key mismatch VPN PKI Maintenance ERROR SIMPLE PKI Failure: Reached the limit for local certificates, cant load any more VPN PKI Maintenance ERROR SIMPLE PKI Failure: Temporary memory shortage, try again VPN PKI Maintenance ERROR SIMPLE PKI Failure: The certificate chain has no root VPN PKI Maintenance ERROR SIMPLE PKI Failure: The certificate chain is circular VPN PKI Maintenance ERROR SIMPLE PKI Failure: The certificate chain is incomplete VPN PKI Maintenance ERROR SIMPLE PKI Failure: The certificate or a certificate in the chain has a bad signature VPN PKI Maintenance ERROR SIMPLE PKI Failure: The certificate or a certificate in the chain has a validity period in the future VPN PKI Maintenance ERROR SIMPLE PKI Failure: The certificate or a certificate in the chain has expired VPN PKI Maintenance ERROR SIMPLE
PKI Failure: The certificate or a certificate in the chain is corrupt VPN PKI Maintenance ERROR SIMPLE Please connect interface %s to another network to function properly Please manually check all system configurations for correctness of Upgrade Port configured to receive IPsec protocol ONLY; drop packet received in the clear Possible DNS rebind attack detected Possible FIN Flood on IF %s Possible FIN Flood on IF %s continues Possible FIN Flood on IF %s has ceased Possible port scan detected Possible RST Flood on IF %s Possible RST Flood on IF %s continues event Maintenance INFO event Maintenance INFO SIMPLE Access TCP UDP ICMP WARN Intrusion Detection --- ALERT Intrusion Detection Debug ALERT Intrusion Detection Debug WARN Intrusion Detection Debug ALERT Intrusion Detection Attack ALERT Intrusion Detection Debug ALERT Intrusion Detection Debug WARN
Possible RST Flood on IF %s has ceased Intrusion Detection Debug ALERT Possible SYN flood attack Intrusion detected Detection Attack WARN STD Possible SYN flood detected on WAN IF %s - switching to connectionproxy Intrusion mode Detection Debug ALERT Possible SYN Flood on IF Intrusion %s Detection Debug ALERT Possible SYN Flood on IF Intrusion %s continues Detection Debug WARN Possible SYN Flood on IF %s has Intrusion ceased Detection Debug ALERT Power supply without redundancy Hardware --- ERROR SIMPLE PPP Dial-Up: Connect request canceled PPP dialup UserActivity INFO SIMPLE PPP Dial-Up: Connected at %s bps - starting PPP PPP dialup UserActivity INFO PPP Dial-Up: Connection disconnected as scheduled. PPP dialup --- INFO STD PPP Dial-Up: Dial initiated by %s PPP dialup Maintenance INFO GE_ PPP Dial-Up: Dialed number did not answer PPP dialup UserActivity INFO SIMPLE PPP Dial-Up: Dialed number is busy PPP dialup UserActivity INFO SIMPLE
PPP Dial-Up: Dialing not allowed by schedule. %s PPP dialup --- INFO GE_ PPP Dial-Up: Dialing: %s PPP dialup UserActivity INFO PPP Dial-Up: Failed to get IP address PPP dialup UserActivity INFO UNUSED PPP Dial-Up: Idle time limit exceeded - disconnecting PPP dialup UserActivity INFO SIMPLE PPP Dial-Up: Initialization : %s PPP dialup UserActivity INFO PPP Dial-Up: Invalid DNS IP address returned from Dial-Up ISP; overriding using dial-up profile settings PPP dialup Maintenance INFO SIMPLE PPP Dial-Up: Link carrier lost PPP dialup UserActivity INFO SIMPLE PPP Dial-Up: Manual intervention needed. Check Primary Profile or Profile details PPP dialup UserActivity INFO SIMPLE PPP Dial-Up: Maximum connection time exceeded - disconnecting PPP dialup UserActivity INFO SIMPLE PPP Dial-Up: No dialtone detected - check phoneline connection PPP dialup UserActivity INFO SIMPLE
PPP Dial-Up: No link carrier detected - check phone number PPP dialup UserActivity INFO SIMPLE PPP Dial-Up: No peer IP address from Dial-Up ISP, local and remote IPs will be the same PPP dialup Maintenance INFO SIMPLE PPP Dial-Up: PPP link down PPP dialup UserActivity INFO SIMPLE PPP Dial-Up: PPP link established PPP dialup UserActivity INFO SIMPLE PPP Dial-Up: PPP negotiation failed - disconnecting PPP dialup UserActivity INFO UNUSED PPP Dial-Up: Previous session was connected for %s PPP dialup UserActivity INFO PPP Dial-Up: Received new IP address PPP dialup UserActivity INFO STD PPP Dial-Up: Shutting down link PPP dialup UserActivity INFO SIMPLE PPP Dial-Up: Starting PPP PPP dialup --- INFO PPP Dial-Up: Startup without Ethernet cable, will try to dial on outbound traffic PPP dialup UserActivity INFO UNUSED PPP Dial-Up: The profile in use disabled VPN networking. PPP dialup Maintenance INFO SIMPLE
PPP Dial-Up: Trying to failover but Alternate Profile is manual Wan Failover UserActivity INFO SIMPLE PPP Dial-Up: Trying to failover but Primary Profile is manual PPP dialup UserActivity INFO SIMPLE PPP Dial-Up: Unknown dialing failure PPP dialup UserActivity INFO SIMPLE PPP Dial-Up: User requested connect PPP dialup UserActivity INFO SIMPLE PPP Dial-Up: User requested disconnect PPP dialup UserActivity INFO SIMPLE PPP Dial-Up: VPN networking restored. PPP dialup Maintenance INFO SIMPLE PPP message: %s PPP System Environment INFO PPP: n successful PPP UserActivity INFO SIMPLE PPP: CHAP authentication failed - check username / password PPP UserActivity INFO SIMPLE PPP: MS-CHAP authentication failed - check username / password PPP UserActivity INFO SIMPLE PPP: PAP n failed - check username / password PPP UserActivity INFO SIMPLE GE_
PPP: Starting CHAP authentication PPP UserActivity INFO SIMPLE PPP: Starting MS-CHAP authentication PPP UserActivity INFO SIMPLE PPP: Starting PAP authentication PPP UserActivity INFO SIMPLE PPPoE terminated PPPoE Maintenance INFO SIMPLE PPPoE CHAP n Failed PPPoE Maintenance INFO UNUSED PPPoE Client: Previous session was connected for %s PPPoE Maintenance INFO PPPoE discovery process complete PPPoE Maintenance INFO SIMPLE PPPoE enabled but not ready PPPoE Maintenance INFO SIMPLE PPPoE LCP Link Down PPPoE Maintenance INFO SIMPLE PPPoE LCP Link Up PPPoE Maintenance INFO SIMPLE PPPoE Connected PPPoE Maintenance INFO SIMPLE PPPoE Disconnected PPPoE Maintenance INFO SIMPLE PPPoE PAP n Failed PPPoE Maintenance INFO UNUSED PPPoE PAP n Failed. Please verify PPPoE username and password PPPoE Maintenance INFO UNUSED
PPPoE PAP n success. PPPoE Maintenance INFO UNUSED PPPoE password changed by Administrator n Access UserActivity INFO UNUSED PPPoE starting CHAP n PPPoE Maintenance INFO SIMPLE PPPoE starting PAP n PPPoE Maintenance INFO UNUSED PPPoE user name changed by Administrator n Access UserActivity INFO UNUSED PPTP enabled but not ready PPTP Maintenance INFO SIMPLE PPTP CHAP n Failed. Please verify PPTP username and password PPTP Maintenance INFO UNUSED PPTP Connect Initiated by the User PPTP Maintenance INFO PPTP Control Connection Established PPTP Maintenance INFO SIMPLE PPTP Control Connection Negotiation Started PPTP Maintenance INFO SIMPLE PPTP decode failure PPTP Debug DEBUG STD PPTP Disconnect Initiated by the User PPTP Maintenance INFO PPTP LCP Down PPTP Maintenance INFO UNUSED
PPTP LCP Up PPTP Maintenance INFO UNUSED PPTP Max Retransmission Exceeded PPTP Maintenance INFO UNUSED PPTP packet dropped Access TCP UDP ICMP NOTICE UNUSED PPTP PAP n Failed PPTP Maintenance INFO UNUSED PPTP PAP n Failed. Please verify PPTP username and password PPTP Maintenance INFO UNUSED PPTP PAP n success. PPTP Maintenance INFO SIMPLE PPTP PPP n Failed PPTP Maintenance INFO UNUSED PPTP PPP Down PPTP Maintenance INFO SIMPLE PPTP PPP link down PPTP Maintenance INFO UNUSED PPTP PPP Link down PPTP Maintenance INFO SIMPLE PPTP PPP Link Finished PPTP Maintenance INFO SIMPLE PPTP PPP Link Up PPTP Maintenance INFO SIMPLE PPTP PPP Negotiation Started PPTP Maintenance INFO SIMPLE PPTP PPP Session Up PPTP Maintenance INFO SIMPLE PPTP Server is not responding, check if the server is UP and running. PPTP Maintenance INFO SIMPLE PPTP server rejected control connection PPTP Maintenance INFO SIMPLE PPTP server rejected the call request PPTP Maintenance INFO SIMPLE
PPTP Session Disconnect from Remote PPTP Maintenance INFO SIMPLE PPTP Session Established PPTP Maintenance INFO SIMPLE PPTP Session Negotiation Started PPTP Maintenance INFO SIMPLE PPTP starting CHAP n PPTP Maintenance INFO SIMPLE PPTP starting PAP n PPTP Maintenance INFO SIMPLE PPTP Tunnel Disconnect from Remote PPTP Maintenance INFO SIMPLE Primary firewall has transitioned to Active Primary firewall has transitioned to Idle Primary firewall preempting Backup Primary firewall rebooting itself as it transitioned from Active to Idle while Preempt Primary missed heartbeats from Backup Primary received error signal from Backup High Availability Maintenance ALERT SIMPLE High Availability System Error ALERT SIMPLE High Availability System Error ERROR SIMPLE High Availability --- INFO SIMPLE High Availability System Error ERROR SIMPLE High Availability System Error ERROR SIMPLE
Primary received heartbeat from wrong source High Availability Maintenance INFO UNUSED Primary received reboot signal from Backup High Availability System Error ERROR SIMPLE Primary WAN link down, Backup going Active High Availability System Error ERROR UNUSED Primary WAN link down, Primary going Idle High Availability Maintenance INFO UNUSED Primary WAN link up, preempting Backup High Availability Maintenance INFO UNUSED Priority attack dropped Intrusion Detection Attack ALERT STD Probable port scan detected Intrusion Detection Attack ALERT Probable TCP FIN scan detected Intrusion Detection Attack ALERT Probable TCP NULL scan detected Intrusion Detection Attack ALERT Probable TCP XMAS scan detected Intrusion Detection Attack ALERT Probing failure on %s Wan Failover System Error ALERT GE_ Probing succeeded on %s Wan Failover System Error ALERT GE_ Problem loading the URL List; Appliance not registered. Security Services System Error ERROR SIMPLE
Problem loading the URL List; check Filter settings Security Services System Error ERROR Problem loading the URL List; check your Security DNS server Services System Error ERROR SIMPLE Problem loading the URL List; Flash write Security failure. Services System Error ERROR SIMPLE Problem loading the URL List; Retrying Security later. Services System Error ERROR STD Problem loading the URL List; SubscRIPtion Security expired. Services System Error ERROR STD Problem loading the URL List; Try loading it Security again. Services System Error ERROR SIMPLE Problem occurred during user group membership retrieval n Access UserActivity WARN Problem sending log ; check log settings logging System Error WARN SIMPLE Processed received from Security Service Anti-Spam --- INFO STD Protocol: None --- DEBUG UNUSED Read-only mode GUI administration session started n Access UserActivity INFO CODE
Real time clock battery failure Time values may be incorrect Hardware System Error WARN SIMPLE RealAudio decode failure Unused Debug DEBUG UNUSED Received a path MTU icmp message from router/gateway UserActivity INFO Received a path MTU icmp message from router/gateway UserActivity INFO Received Application Alert: Your SonicWALL Application subscription Security has expired. Services Maintenance WARN SIMPLE Received AV Alert: %s Received AV Alert: Your SonicWALL Anti-Virus subscription has expired. %s Received AV Alert: Your SonicWALL Anti-Virus subscription will expire in 7 days. %s Security Services Maintenance WARN Security Services Maintenance WARN Security Services Maintenance WARN SPI MTU
Received CFS Alert: Your SonicWALL Content Filtering subscription has expired. Security Services Maintenance WARN SIMPLE Received CFS Alert: Your SonicWALL Content Filtering subscription will expire in 7 days. Security Services Maintenance WARN SIMPLE Received DHCP offer packet has errors DHCP Client Maintenance INFO Received E-Mail Filter Alert: Your SonicWALL Filtering subscription has expired. Received E-Mail Filter Alert: Your SonicWALL Filtering subscription will expire in 7 days. Security Services Maintenance WARN SIMPLE Security Services Maintenance WARN SIMPLE Received fragmented packet or fragmentation needed Debug DEBUG STD Received IKE SA delete request VPN IKE UserActivity INFO
Received IPS Alert: Your SonicWALL Intrusion Prevention (IDP) subscription has expired. Received IPsec SA delete Security Services Maintenance WARN SIMPLE request VPN IKE UserActivity INFO Received ISAKMP packet destined to port %s VPN IKE Debug UDP INFO Received LCP Echo Reply PPPoE Maintenance INFO SIMPLE Received LCP Echo Request PPPoE Maintenance INFO SIMPLE Received notify. NO_PROPOSAL_CHOSEN VPN IKE UserActivity WARN Received notify: INVALID_COOKIES VPN IKE UserActivity INFO Received notify: INVALID_ID_INFO VPN IPsec UserActivity WARN Received notify: INVALID_PAYLOAD VPN IKE UserActivity ERROR Received notify: INVALID_SPI VPN IKE UserActivity INFO Received notify: ISAKMP_AUTH_FAILED VPN IKE UserActivity WARN Received notify: PAYLOAD_MALFORMED VPN IKE UserActivity WARN GE_
Received notify: RESPONDER_LIFETIME VPN IKE UserActivity INFO Received packet retransmission. Drop duplicate packet VPN IKE UserActivity WARN Received PPPoE Active Discovery Offer PPPoE Maintenance INFO SIMPLE Received PPPoE Active Discovery Session_confirmation PPPoE Maintenance INFO SIMPLE Received response packet for DHCP request has errors DHCP Client Maintenance INFO Received unencrypted packet in crypto active state VPN IKE UserActivity WARN Regulatory requirements prohibit %s from being re-dialed for 30 minutes PPP dialup Attack ERROR GE_ Released IP address %s DHCP Server --- INFO remote range: None --- DEBUG UNUSED
Remotely Triggered Dial-out session ended. Valid WAN bound data found. Normal dialup sequence will commence n Access UserActivity INFO SIMPLE Remotely Triggered Dial-out session started. Requesting authentication n Access UserActivity INFO SIMPLE Removed host entry from dynamic address object Dynamic Address Objects Maintenance INFO Request for Relay IP Table from Central Gateway DHCP Relay Maintenance INFO STD Requesting CRL from VPN PKI UserActivity INFO Requesting Relay IP Table from Remote Gateway DHCP Relay Maintenance INFO STD Restarting SonicWALL; dumping log to Retransmitting DHCP SIMPLE_NOTE_ event Maintenance INFO UNUSED DISCOVER. DHCP Client Maintenance INFO Retransmitting DHCP REQUEST (Rebinding). DHCP Client Maintenance INFO Retransmitting DHCP REQUEST (Rebooting). DHCP Client Maintenance INFO
Retransmitting DHCP REQUEST (Renewing). | DHCP Client | Maintenance | INFO
Retransmitting DHCP REQUEST (Requesting). | DHCP Client | Maintenance | INFO
Retransmitting DHCP REQUEST (Verifying). | DHCP Client | Maintenance | INFO
RIP Broadcasts for LAN %s are being broadcast over dialup-connection | RIP | Maintenance | INFO | UNUSED
RIP disabled on DMZ interface | RIP | Maintenance | INFO | UNUSED
RIP disabled on interface %s | RIP | Maintenance | INFO
RIP disabled on WAN interface | RIP | Maintenance | INFO | UNUSED
RIPper attack dropped | Intrusion Detection | Attack | ALERT | STD
RIPv1 enabled on DMZ interface | RIP | Maintenance | INFO | UNUSED
RIPv1 enabled on interface %s | RIP | Maintenance | INFO
RIPv1 enabled on WAN interface | RIP | Maintenance | INFO | UNUSED
RIPv2 compatibility (broadcast) mode enabled on DMZ interface | RIP | Maintenance | INFO | UNUSED
RIPv2 compatibility (broadcast) mode enabled on interface %s | RIP | Maintenance | INFO
RIPv2 compatibility (broadcast) mode enabled on WAN interface | RIP | Maintenance | INFO | UNUSED
RIPv2 enabled on DMZ interface | RIP | Maintenance | INFO | UNUSED
RIPv2 enabled on interface %s | RIP | Maintenance | INFO
RIPv2 enabled on WAN interface | RIP | Maintenance | INFO | UNUSED
Router IGMP General query received on interface %s | Multicast | --- | DEBUG
Router IGMP Membership query received on interface %s | Multicast | --- | DEBUG
RST Flood Blacklist on IF %s continues | Intrusion Detection | Debug | WARN | GE_
RST-Flooding machine %s blacklisted | Intrusion Detection | Debug | ALERT | GE_
Rule | None | --- | DEBUG | UNUSED
SA is disabled. Check VPN SA settings | VPN IKE | UserActivity | INFO | UNUSED
SCEP Client: %s | VPN PKI | --- | NOTICE
Sending DHCP DISCOVER. | DHCP Client | Maintenance | INFO
Sending DHCP RELEASE. | DHCP Client | Maintenance | INFO
Sending DHCP REQUEST (Rebinding). | DHCP Client | Maintenance | INFO
Sending DHCP REQUEST (Rebooting). | DHCP Client | Maintenance | INFO
Sending DHCP REQUEST (Renewing). | DHCP Client | Maintenance | INFO
Sending DHCP REQUEST (Verifying). | DHCP Client | Maintenance | INFO
Sending DHCP REQUEST. | DHCP Client | Maintenance | INFO
Sending LCP Echo Reply | PPPoE | Maintenance | INFO | SIMPLE
Sending LCP Echo Request | PPPoE | Maintenance | INFO | SIMPLE
Sending PPPoE Active Discovery Request | PPPoE | Maintenance | INFO | SIMPLE
Senna Spy attack dropped | Intrusion Detection | Attack | ALERT | STD
Sent Relay IP Table to Central Gateway | DHCP Relay | Maintenance | INFO | STD
Settings Import: %s | event | --- | INFO
SIP Register expiration exceeds configured Signaling inactivity time out | VOIP | VOIP | WARN
SIP Request | VOIP | VOIP | DEBUG
SIP Response | VOIP | VOIP | DEBUG
SMTP authentication problem:%s | logging | System Error | WARN | GE_
SMTP connection limit is reached. Connection is dropped. | Anti-Spam | --- | WARN | SIMPLE
SMTP POP-Before-SMTP authentication failed | logging | System Error | WARN | SIMPLE
SMTP server found on RBL blacklist | RBL | --- | NOTICE
SMTP server found on Reject List | Anti-Spam | --- | NOTICE
Smurf Amplification attack dropped | Intrusion Detection | Attack | ALERT | STD
SonicPoint Provision | SonicPoint | SonicPoint | INFO | SIMPLE_NOTE_
SonicPoint statistics report | GMS | --- | INFO | SIMPLE_SONICPOINT_STATS
SonicPoint Status | SonicPoint | SonicPoint | INFO | SIMPLE_NOTE_
SonicPointN Provision | SonicPointN | --- | INFO | SIMPLE_NOTE_
SonicPointN Status | SonicPointN | --- | INFO | SIMPLE_NOTE_
SonicWALL activated | event | Maintenance | ALERT | SIMPLE
SonicWALL initializing | event | Maintenance | INFO | SIMPLE
SonicWALL SSO agent is down | CIA | UserActivity | ALERT
SonicWALL SSO agent is up | CIA | UserActivity | ALERT
SonicWALL SSO agent returned domain name too long | CIA | UserActivity | WARN
SonicWALL SSO agent returned error | CIA | UserActivity | WARN
SonicWALL SSO agent returned user name too long | CIA | UserActivity | WARN
Source IP address connection status: %s | event | --- | INFO
Source routed IP packet dropped | Intrusion Detection | Debug | WARN | STD
GE_
Source: | None | --- | DEBUG | UNUSED
Spank attack multicast packet dropped | Intrusion Detection | Attack | ALERT | STD
SPI: | None | --- | DEBUG | UNUSED
SSL Control: Certificate chain not complete | Access | BlockedSites | INFO
SSL Control: Certificate with invalid date | Access | BlockedSites | INFO
SSL Control: Certificate with MD5 Digest Signature Algorithm | Access | BlockedSites | INFO
SSL Control: Failed to decode Server Hello | Access | BlockedSites | INFO
SSL Control: HTTPS via SSL2 | Access | BlockedSites | INFO
SSL Control: Self-signed certificate | Access | BlockedSites | INFO
SSL Control: Untrusted CA | Access | BlockedSites | INFO
SSL Control: Weak cipher being used | Access | BlockedSites | INFO
SSL Control: Website found in blacklist | Access | BlockedSites | INFO
SSL Control: Website found in whitelist | Access | BlockedSites | INFO
SSL VPN zone remote user login allowed | n Access | --- | INFO | STD_STRING_SERVICE
SSL-VPN enforcement | Wireless | Maintenance | INFO | SIMPLE_NOTE_
Starting IKE negotiation | VPN IKE | UserActivity | INFO
Starting PPPoE discovery | PPPoE | Maintenance | INFO | SIMPLE
Status | GMS | Maintenance | EMERGENCY | SIMPLE_GMS_STATUS
Striker attack dropped | Intrusion Detection | Attack | ALERT | STD
Sub Seven attack dropped | Intrusion Detection | Attack | ALERT | STD
Success to reach Interface %s probe | High Availability | System Error | INFO
Successful authentication received for Remotely Triggered Dial-out | n Access | UserActivity | INFO | SIMPLE
Successfully sent %s file to remote backup server | event | Maintenance | INFO
Successfully sent Preference file to remote backup server | event | Maintenance | INFO | SIMPLE
Successfully sent TSR file to remote backup server | event | Maintenance | INFO | SIMPLE
SYN Flood Blacklist on IF %s continues | Intrusion Detection | Debug | WARN
SYN Flood blacklisting disabled by user | Intrusion Detection | Debug | WARN | STD
SYN Flood blacklisting enabled by user | Intrusion Detection | Debug | WARN | STD
SYN flood ceased or flooding machines blacklisted - connection proxy disabled | Intrusion Detection | Debug | ALERT | STD
SYN Flood Mode changed by user to: Always proxy WAN connections | Intrusion Detection | Debug | WARN | STD
SYN Flood Mode changed by user to: Watch and proxy WAN connections when under attack | Intrusion Detection | Debug | WARN | STD
SYN Flood Mode changed by user to: Watch and report possible SYN floods | Intrusion Detection | Debug | WARN | STD
SYN unused/spare | Unused | --- | DEBUG | UNUSED
SYN unused/spare | Unused | --- | DEBUG | UNUSED
Synchronizing preferences to HA Peer | High Availability | Maintenance | INFO | SIMPLE
SYN-Flooding machine %s blacklisted | Intrusion Detection | Debug | ALERT
Syslog Server cannot be reached | Maintenance | INFO | STD
System clock manually updated | logging | --- | NOTICE | SIMPLE_NOTE_
System shutdown by administrator. Power cycle required. | event | --- | ALERT | SIMPLE
TCP checksum error; packet dropped | Access | TCP | NOTICE | STD
TCP connection abort received; TCP connection dropped | Debug | DEBUG
TCP connection dropped | Access | TCP | NOTICE
TCP connection from LAN denied | Access | LanTCP | NOTICE
TCP connection reject received; TCP connection dropped | Debug | DEBUG
TCP FIN packet dropped | Debug | DEBUG | STD
TCP handshake violation detected; TCP connection dropped | Access | --- | NOTICE
STD_POLICY STD_SERVICE
TCP packet received on a closing connection; TCP packet dropped | Debug | DEBUG
TCP packet received on non-existent/closed connection; TCP packet dropped | Debug | DEBUG
TCP packet received with invalid ACK number; TCP packet dropped | Debug | DEBUG
TCP packet received with invalid header length; TCP packet dropped | Debug | DEBUG
TCP packet received with invalid MSS option length; TCP packet dropped | Debug | DEBUG
TCP packet received with invalid option length; TCP packet dropped | Debug | DEBUG
TCP packet received with invalid SACK option length; TCP packet dropped | Debug | DEBUG
TCP packet received with invalid SEQ number; TCP packet dropped | Debug | DEBUG
TCP packet received with invalid source port; TCP packet dropped | Debug | DEBUG
TCP packet received with invalid SYN Flood cookie; TCP packet dropped | Debug | INFO
TCP packet received with invalid Window Scale option length; TCP packet dropped | Debug | DEBUG
TCP packet received with invalid Window Scale option value; TCP packet dropped | Debug | DEBUG
TCP packet received with non-permitted option; TCP packet dropped | Debug | DEBUG
TCP packet received with SYN flag on an existing connection; TCP packet dropped | Debug | INFO
TCP packet received without mandatory ACK flag; TCP packet dropped | Debug | DEBUG
TCP packet received without mandatory SYN flag; TCP packet dropped | Debug | DEBUG
TCP stateful inspection: Bad header; TCP packet dropped | Debug | DEBUG | UNUSED
TCP stateful inspection: Invalid flag; TCP packet dropped | Debug | INFO | UNUSED
TCP SYN received | Intrusion Detection | Debug | DEBUG | STD
TCP Syn/Fin packet dropped | Access | Attack | ALERT
TCP Xmas Tree dropped | Intrusion Detection | Attack | ALERT | STD
The cache is full; %u open connections; some will be dropped | event | System Error | ERROR | GE_NUMBER
The current WAN interface is not ready to route packets. | event | System Error | ERROR | UNUSED
The loaded content URL List has expired. | Security Services | System Error | ERROR | SIMPLE
The network connection in use is %s | Wan Failover | System Error | WARN | GE_
The preferences file is too large to be saved in available flash memory | event | System Error | WARN | SIMPLE
Thermal Red | Hardware | System Environment | ALERT | SIMPLE
Thermal Red Timer Exceeded | Hardware | System Environment | ALERT | SIMPLE
Thermal Yellow | Hardware | System Environment | ALERT | SIMPLE
Time of day settings for firewall policies were not upgraded. | event | Maintenance | INFO | SIMPLE
Too many gratuitous ARPs detected | --- | WARN | SIMPLE
Type: | None | --- | DEBUG | UNUSED
UDP checksum error; packet dropped | Access | UDP | NOTICE | STD
UDP packet dropped | Access | UDP | NOTICE | STD_POLICY
UDP packet from LAN dropped | Access | LanUDP LanTCP | NOTICE | STD_SERVICE
Unable to download IPS/GAV/Anti-Spyware Signature database. must first be restarted to free memory used by downloaded firmware. | Unused | --- | WARN | SIMPLE
Unable to resolve dynamic address object | Dynamic Address Objects | Maintenance | INFO
Unable to send message to dial-up task | PPP dialup | System Error | ERROR
Unknown IPsec SPI | VPN IPsec | Attack | ERROR | UNUSED
Unknown protocol dropped | Access | Debug | NOTICE
Unknown reason | VPN PKI | UserActivity | ERROR | SIMPLE
Unprocessed received from MTA on Inbound SMTP port | Anti-Spam | --- | INFO | STD
unused/spare | Unused | --- | DEBUG | UNUSED
unused/spare | Unused | --- | DEBUG | UNUSED
unused/spare | Unused | --- | DEBUG | UNUSED
unused/spare | Unused | --- | DEBUG | UNUSED
unused/spare | Unused | --- | DEBUG | UNUSED
unused/spare | Unused | --- | DEBUG | UNUSED
unused/spare | Unused | --- | DEBUG | UNUSED
unused/spare | Unused | --- | DEBUG | UNUSED
unused/spare | Unused | --- | DEBUG | UNUSED
unused/spare | Unused | --- | DEBUG | UNUSED
unused/spare | Unused | --- | DEBUG | UNUSED
unused/spare | Unused | --- | DEBUG | UNUSED
unused/spare | Unused | --- | DEBUG | UNUSED
unused/spare | Unused | --- | DEBUG | UNUSED
unused/spare | Unused | --- | DEBUG | UNUSED
unused/spare | Unused | --- | DEBUG | UNUSED
unused/spare | Unused | --- | DEBUG | UNUSED
unused/spare | Unused | --- | DEBUG | UNUSED
unused/spare | Unused | --- | DEBUG | UNUSED
unused/spare | Unused | --- | DEBUG | UNUSED
unused/spare | Unused | --- | DEBUG | UNUSED
User logged out | n Access | UserActivity | INFO
User logged out - inactivity timer expired | n Access | UserActivity | INFO
User logged out - logout reported by SSO agent | n Access | UserActivity | INFO
User logged out - max session time exceeded | n Access | UserActivity | INFO
User logged out - user disconnect detected (heartbeat timer expired) | n Access | UserActivity | INFO
User login denied - insufficient access on LDAP server | RADIUS | UserActivity | WARN
STD_STRING_SERVICE STD_STRING_SERVICE
User login denied - invalid credentials on LDAP server | RADIUS | UserActivity | WARN | STD_STRING_SERVICE
User login denied - LDAP authentication failure | RADIUS | UserActivity | INFO | STD_STRING_SERVICE
User login denied - LDAP communication problem | RADIUS | UserActivity | WARN | STD_STRING_SERVICE
User login denied - LDAP directory mismatch | RADIUS | UserActivity | WARN | STD_STRING_SERVICE
User login denied - LDAP schema mismatch | RADIUS | UserActivity | WARN | STD_STRING_SERVICE
User login denied - LDAP server certificate not valid | RADIUS | UserActivity | WARN | STD_STRING_SERVICE
User login denied - LDAP server down or misconfigured | RADIUS | UserActivity | WARN | STD_STRING_SERVICE
User login denied - LDAP server name resolution failed | RADIUS | UserActivity | WARN | STD_STRING_SERVICE
User login denied - LDAP server timeout | RADIUS | UserActivity | WARN | STD_STRING_SERVICE
User login denied - not allowed by policy rule | n Access | UserActivity | INFO | STD_STRING_SERVICE
User login denied - not found locally | n Access | UserActivity | INFO | STD_STRING_SERVICE
User login denied - password doesn't meet constraints | n Access | --- | INFO | STD_STRING_SERVICE
User login denied - password expired | n Access | UserActivity | INFO | STD_STRING_SERVICE
User login denied - RADIUS authentication failure | RADIUS | UserActivity | INFO | STD_STRING_SERVICE
User login denied - RADIUS communication problem | RADIUS | UserActivity | WARN | STD_STRING_SERVICE
User login denied - RADIUS configuration error | RADIUS | UserActivity | WARN | STD_STRING_SERVICE
User login denied - RADIUS server name resolution failed | RADIUS | UserActivity | WARN | STD_STRING_SERVICE
User login denied - RADIUS server timeout | RADIUS | UserActivity | WARN | STD_STRING_SERVICE
User login denied - SonicWALL SSO agent communication problem | n Access | UserActivity | WARN | STD_STRING_SERVICE
User login denied - SonicWALL SSO agent configuration error | n Access | UserActivity | WARN | STD_STRING_SERVICE
User login denied - SonicWALL SSO agent name resolution failed | n Access | UserActivity | WARN
User login denied - SonicWALL SSO agent timeout | n Access | UserActivity | WARN
User login denied - TLS or local certificate problem | RADIUS | UserActivity | WARN
User login denied - user already logged in | n Access | UserActivity | INFO
User login denied - User has no privileges for guest service | n Access | UserActivity | INFO
User login denied - User has no privileges for login from that location | n Access | UserActivity | INFO
User login denied due to bad credentials | n Access | UserActivity | INFO
User login denied due to bad credentials | n Access | UserActivity | INFO
User login disabled from %s | n Access | Attack | ERROR
User login failed - Guest service limit reached | n Access | UserActivity | INFO
STD_STRING_SERVICE STD_STRING_SERVICE STD_STRING_SERVICE STD_STRING_SERVICE STD_STRING_SERVICE STD_STRING_SERVICE STD_STRING_SERVICE GE_
User login failure rate exceeded - logins from user IP address denied | n Access | Attack | ERROR
User login from an internal zone allowed | n Access | UserActivity | INFO | STD_STRING_SERVICE
Using LDAP without TLS - highly insecure | RADIUS | System Error | ALERT | SIMPLE
Virtual Access Point is disabled | SonicPoint | 80211bMgmt | INFO | SIMPLE_NOTE_
Virtual Access Point is enabled | SonicPoint | 80211bMgmt | INFO | SIMPLE_NOTE_
VLAN unused/spare | Unused | --- | DEBUG | UNUSED
VLAN unused/spare | Unused | --- | DEBUG | UNUSED
VLAN unused/spare | Unused | --- | DEBUG | UNUSED
VOIP %s Endpoint added | VOIP | VOIP | DEBUG
VOIP %s Endpoint not added - configured 'public' endpoint limit reached | VOIP | VOIP | WARN
VOIP %s Endpoint removed | VOIP | VOIP | DEBUG
VOIP Call Connected | VOIP | VOIP | INFO
VOIP Call Disconnected | VOIP | VOIP | INFO
Voltages Out of Tolerance | Hardware | System Environment | ERROR | SIMPLE
VPN Cleanup: Dynamic network settings change | VPN | UserActivity | INFO | STD
VPN Client Policy Provisioning | VPN Client | UserActivity | INFO
VPN disabled by administrator | n Access | Maintenance | INFO | SIMPLE
VPN disabled for active dial up | Unused | Maintenance | INFO | SIMPLE
VPN enabled by administrator | n Access | Maintenance | INFO | SIMPLE
VPN Log Debug | VPN IKE | Debug | INFO | GE_
VPN Policy Added | VPN | --- | INFO
VPN policy count received exceeds the limit; %s | VPN | System Error | ERROR
VPN Policy Deleted | VPN | --- | INFO
VPN Policy Modified | VPN | --- | INFO
VPN TCP FIN | VPN | VPNStat | INFO | UNUSED
VPN TCP PSH | VPN | VPNStat | INFO | UNUSED
VPN TCP SYN | VPN | VPNStat | INFO | UNUSED
VPN zone administrator login allowed | n Access | UserActivity | INFO | STD_STRING_SERVICE
VPN zone remote user login allowed | n Access | UserActivity | INFO | STD_STRING_SERVICE
WAN Interface not setup | event | Maintenance | INFO | SIMPLE
Wan IP Changed | event | System Error | WARN | STD
WAN node exceeded: Connection dropped because too many IP addresses are in use on your LAN | event | System Error | ERROR | STD
WAN not ready | event | Maintenance | INFO | SIMPLE
WAN zone administrator login allowed | n Access | UserActivity | INFO | STD_STRING_SERVICE
WAN zone remote user login allowed | n Access | UserActivity | INFO | STD_STRING_SERVICE
WARN: Central Gateway does not have a Relay IP Address. DHCP message dropped. | DHCP Relay | Maintenance | INFO | UNUSED
WARN: DHCP lease relayed from Central Gateway conflicts with IP in Static Devices list | DHCP Relay | Maintenance | INFO
Web access request dropped | Access | TCP | NOTICE | STD_POLICY
Web management request allowed | Access | UserActivity | NOTICE | STD_SERVICE
Web site access allowed | Access | BlockedSites | NOTICE | BLOCKED
Web site access denied | Access | BlockedSites | ERROR | BLOCKED
WiFiSec Enforcement disabled by administrator | n Access | Maintenance | INFO | UNUSED
WiFiSec Enforcement enabled by administrator | n Access | Maintenance | INFO | UNUSED
Wireless MAC Filter List disabled by administrator | n Access | Maintenance | INFO | SIMPLE
Wireless MAC Filter List enabled by administrator | n Access | Maintenance | INFO | SIMPLE
WLAN client null probing | WLAN IDS | WLAN IDS | WARN
WLAN disabled by administrator | n Access | Maintenance | INFO | SIMPLE
WLAN disabled by schedule | n Access | Maintenance | INFO | SIMPLE
WLAN enabled by administrator | n Access | Maintenance | INFO | SIMPLE
WLAN enabled by schedule | n Access | Maintenance | INFO | SIMPLE
WLAN firmware image has been updated | Wireless | Maintenance | INFO
WLAN max concurrent users reached already | Access | --- | INFO | SIMPLE_STR
WLAN not in AP mode, DHCP server will not provide lease to clients on WLAN | Wireless | Maintenance | INFO | SIMPLE
WLAN radio frequency threat detected | RFManagement | --- | WARN
WLAN Reboot | Hardware | System Error | ERROR
WLAN recovery | Wireless | Maintenance | INFO
WLAN sequence number out of order | WLAN IDS | WLAN IDS | WARN
WLB Failback initiated by %s | Wan Failover | System Error | ALERT
SIMPLE_NOTE_ SIMPLE_NOTE_ SIMPLE_STR SIMPLE_NOTE_ GE_
WLB Failover in progress | Wan Failover | System Error | ALERT | STD
WLB Resource failed | Wan Failover | System Error | ALERT | STD
WLB Resource is now available | Wan Failover | System Error | ALERT | STD
WLB Spillover started, configured threshold exceeded | Wan Failover | Maintenance | WARN | SIMPLE
WLB Spillover stopped | Wan Failover | Maintenance | WARN | SIMPLE
WPA MIC Failure | Wireless | 80211bMgmt | WARN
WPA RADIUS Server Timeout | Wireless | 80211bMgmt | INFO
XAUTH Failed with VPN client, n failure | VPN Client | UserActivity | ERROR
XAUTH Failed with VPN client, Cannot Contact RADIUS Server | VPN Client | UserActivity | INFO
XAUTH Succeeded with VPN client | VPN Client | UserActivity | INFO
SIMPLE_NOTE_ SIMPLE_NOTE_
Your SonicWALL Anti-Spam Service subscription has expired. | Anti-Spam | --- | WARN | SIMPLE
Index of Syslog Tag Field Description

This section provides an alphabetical listing of Syslog tags and the associated field description.

Tag | Field | Description
<ddd> | Syslog message prefix | The beginning of each syslog message has a string of the form <ddd> where ddd is a decimal number indicating facility and priority of the message. (See [1] Section 4.1.1)
arg | URL | Used to render a URL: arg represents the URL path name part.
bcastrx | Interface statistics report | Displays the broadcast packets received
bcasttx | Interface statistics report | Displays the broadcast packets transmitted
bytesrx | Interface statistics report | Displays the bytes received
bytestx | Interface statistics report | Displays the bytes transmitted
c | Message category (legacy only) | Indicates the legacy category number (Note: We are not currently sending new category information.)
change | Configuration change webpage | Displays the basename of the firewall web page that performed the last configuration change
code | Blocking code | Indicates the CFS block code category
code | ICMP type and code | Indicates the ICMP code
conns | status report | Indicates the number of connections in use
cpuutil | status report | Displays the CPU utilization (not in use)
dst | Destination | Destination IP address, and optionally, port, network interface, and resolved name.
dstname | Destination URL | Displays the URL of web site hit and other legacy destination strings
dstname | URL | Used to render a URL: dstname represents the URL host part
dyn | status report | Displays the HA and dialup connection state (rendered as h.d where h is n (not enabled), b (backup), or p (primary) and d is 1 (enabled) or 0 (disabled))
fw | WAN IP | Indicates the WAN IP Address
fwlan | status report | Indicates the LAN zone IP address
goodrxbytes | SonicPoint statistics report | Indicates the well formed bytes received
goodtxbytes | SonicPoint statistics report | Indicates the well formed bytes transmitted
i | status report | Displays the GMS message interval in seconds
id=firewall | Webtrends prefix | Syntactic sugar for WebTrends (and GMS by habit)
if | Interface statistics report | Displays the interface on which statistics are reported
ipscat | IPS message | Displays the IPS category
ipspri | IPS message | Displays the IPS priority
lic | status report | Indicates the number of licenses for firewalls with limited modes
m | Message ID | Provides the message ID number
mac | MAC address | Provides the MAC address
msg | Static message | Displays the event message (from spreadsheet)
msg | Dynamically-defined message | Displays a dynamically defined message string
msg | Static message with dynamic string | Displays a message using the predefined message string containing a %s and a dynamic string argument.
msg | Static message with dynamic number | Displays a message using the predefined string containing a %s and a dynamic numeric argument.
msg | IPS message | Displays a message using the predefined message string containing a %s and a dynamic string argument.
msg | Anti-Spyware message | Displays the event message (from spreadsheet)
n | Message count | Indicates the number of times event occurs
op | HTTP OP code | Displays the HTTP operation (GET, POST, etc.) of web site hit
pri | Message priority | Displays the event priority level (0=emergency..7=debug)
proto | IP protocol | Indicates the IP protocol and detail information
proto | Protocol and service | Displays the protocol information (rendered as proto/service)
pt | status report | Displays the HTTP/HTTPS management port (rendered as hhh.sss)
radio | SonicPoint statistics report | Displays the SonicPoint radio on which event occurred
ramutil | status report | Displays the RAM utilization (not in use)
rcvd | Bytes received | Indicates the number of bytes received within connection
result | HTTP Result code | Displays the HTTP result code (200, 403, etc.) of web site hit
rule | Rule ID | Displays the Access Rule number causing packet drop
sent | Bytes sent | Displays the number of bytes sent within connection
sid | IPS message | Provides the IPS signature ID
sid | Anti-Spyware message | Provides the AntiSpyware signature ID
sn | serial number | Indicates the device serial number
spycat | Anti-Spyware message | Displays the antispyware category
spypri | Anti-Spyware message | Displays the AntiSpyware priority
src | Source | Indicates the source IP address, and optionally, port, network interface, and resolved name.
station | SonicPoint statistics report | Displays the client (station) on which event occurred
time | Time | Reports the time of event
type | ICMP type and code | Indicates the ICMP type
ucastrx | Interface statistics report | Displays the unicast packets received
ucasttx | Interface statistics report | Displays the unicast packets transmitted
unsynched | status report | Reports the time since last local change in seconds
usesstandbysa | status report | Displays whether standby SA is in use (1 or 0) for GMS management
usr (or user) | User | Displays the user name (user is the tag used by WebTrends)
vpnpolicy | VPN policy name | Displays the VPN policy name of event
122 SonicWALL, Inc Borregas Avenue T Sunnyvale CA F P/N: Rev A, 07/ descriptions subject to change without notice. 07/07 SW 145 PROTECTION AT THE SPEED OF BUSINESS
SonicOS Enhanced Administrator's Guide
COMPREHENSIVE INTERNET SECURITY S o n i c WALL Internet Security Ap p l i a n c e s SonicOS Enhanced Administrator's Guide Contents Contents...1 Copyright Notice...5 LIMITED WARRANTY...5 About this Guide...6
SonicOS Standard Administrator's Guide
COMPREHENSIVE INTERNET SECURITY S o n i c WALL Internet Security Ap p l i a n c e s SonicOS Standard Administrator's Guide Contents Copyright Notice... 7 LIMITED WARRANTY... 7 About this Guide...8 Product
How To Configure A Kiwi Ip Address On A Gbk (Networking) To Be A Static Ip Address (Network) On A Ip Address From A Ipad (Netware) On An Ipad Or Ipad 2 (
UAG715 Support Note Revision 1.00 August, 2012 Written by CSO Scenario 1 - Trunk Interface (Dual WAN) Application Scenario The Internet has become an integral part of our lives; therefore, a smooth Internet
Chapter 4 Management. Viewing the Activity Log
Chapter 4 Management This chapter describes how to use the management features of your NETGEAR WG102 ProSafe 802.11g Wireless Access Point. To get to these features, connect to the WG102 as described in
SonicWALL GMS Custom Reports
SonicWALL GMS Custom Reports Document Scope This document describes how to configure and use the SonicWALL GMS 6.0 Custom Reports feature. This document contains the following sections: Feature Overview
SonicOS Enhanced 3.2 IKE Version 2 Support
SonicOS Enhanced 3.2 IKE Version 2 Support Document Scope This document describes the integration of SonicOS Enhanced 3.2 with Internet Key Exchange protocol version 2 (IKEv2). This document contains the
Configuring PA Firewalls for a Layer 3 Deployment
Configuring PA Firewalls for a Layer 3 Deployment Configuring PAN Firewalls for a Layer 3 Deployment Configuration Guide January 2009 Introduction The following document provides detailed step-by-step
Load Balance Router R258V
Load Balance Router R258V Specification Hardware Interface WAN - 5 * 10/100M bps Ethernet LAN - 8 * 10/100M bps Switch Reset Switch LED Indicator Power - Push to load factory default value or back to latest
SonicWALL Global Management System Reporting Guide Standard Edition
SonicWALL Global Management System Reporting Guide Standard Edition Version 2.8 Copyright Information 2004 SonicWALL, Inc. All rights reserved. Under the copyright laws, this manual or the software described
TW100-BRF114 Firewall Router. User's Guide. Cable/DSL Internet Access. 4-Port Switching Hub
TW100-BRF114 Firewall Router Cable/DSL Internet Access 4-Port Switching Hub User's Guide Table of Contents CHAPTER 1 INTRODUCTION...1 TW100-BRF114 Features...1 Package Contents...3 Physical Details...
Multi-Homing Security Gateway
Multi-Homing Security Gateway MH-5000 Quick Installation Guide 1 Before You Begin It s best to use a computer with an Ethernet adapter for configuring the MH-5000. The default IP address for the MH-5000
Steps for Basic Configuration
1. This guide describes how to use the Unified Threat Management appliance (UTM) Basic Setup Wizard to configure the UTM for connection to your network. It also describes how to register the UTM with NETGEAR.
Network Security Firewall Manual Building Networks for People
D-Link DFL-200 Network Security Firewall Manual Building Networks for People Ver.1.02 (20050419) Contents Introduction... 7 Features and Benefits... 7 Introduction to Firewalls... 7 Introduction to Local
Chapter 6 Using Network Monitoring Tools
Chapter 6 Using Network Monitoring Tools This chapter describes how to use the maintenance features of your Wireless-G Router Model WGR614v9. You can access these features by selecting the items under
Network Security Firewall Manual Building Networks for People
D-Link DFL-700 TM Network Security Firewall Manual Building Networks for People (20031225) Contents Introduction...6 Features and Benefits... 6 Introduction to Firewalls... 6 Introduction to Local Area
Getting Started Guide
SonicWALL Network Security Appliances NETWORK SECURITY TZ 210 Series Getting Started Guide NETWORK SECURITY TZ 210 Series SonicWALL TZ 210 Series Quick Start Start here if you are new to SonicWALL appliances.
Platform Compatibility... 1 Key Features... 2 Known Issues... 4 Upgrading SonicOS Image Procedures... 6 Related Technical Documentation...
SonicOS SonicOS Enhanced 5.6.5.0 Early Field Trial Release Notes Contents Platform Compatibility... 1 Key Features... 2 Known Issues... 4 Upgrading SonicOS Image Procedures... 6 Related Technical Documentation...
Broadband Firewall Router with 4-Port Switch/VPN Endpoint
USER GUIDE Broadband Firewall Router with 4-Port Switch/VPN Endpoint Model: BEFSX41 About This Guide About This Guide Icon Descriptions While reading through the User Guide you may see various icons that
ZyWALL 5. Internet Security Appliance. Quick Start Guide Version 3.62 (XD.0) May 2004
ZyWALL 5 Internet Security Appliance Quick Start Guide Version 3.62 (XD.0) May 2004 Introducing the ZyWALL The ZyWALL 5 is the ideal secure gateway for all data passing between the Internet and the LAN.
Chapter 4 Customizing Your Network Settings
. Chapter 4 Customizing Your Network Settings This chapter describes how to configure advanced networking features of the Wireless-G Router Model WGR614v9, including LAN, WAN, and routing settings. It
Analyzer 7.1 Administrator s Guide
Analyzer 7.1 Administrator s Guide 1 Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION: A CAUTION indicates potential damage
Chapter 2 Connecting the FVX538 to the Internet
Chapter 2 Connecting the FVX538 to the Internet Typically, six steps are required to complete the basic connection of your firewall. Setting up VPN tunnels are covered in Chapter 5, Virtual Private Networking.
UTM - VPN: Configuring a Site to Site VPN Policy using Main Mode (Static IP address on both sites) i...
Page 1 of 10 Question/Topic UTM - VPN: Configuring a Site to Site VPN Policy using Main Mode (Static IP address on both sites) in SonicOS Enhanced Answer/Article Article Applies To: SonicWALL Security
D-Link DFL-700. Manual
D-Link DFL-700 Network Security Firewall Manual Building Networks for People Ver. 1.01 2005/01/13 Contents Introduction...7 Features and Benefits... 7 Introduction to Firewalls... 7 Introduction to Local
Chapter 6 Virtual Private Networking Using SSL Connections
Chapter 6 Virtual Private Networking Using SSL Connections The FVS336G ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN provides a hardwarebased SSL VPN solution designed specifically to provide
Contents. Pre-Installation Recommendations. Platform Compatibility. G lobal VPN Client SonicWALL Global VPN Client 4.2.6 for 64-Bit Clients
G lobal VPN Client SonicWALL Global VPN Client 4.2.6 for 64-Bit Clients Contents Pre-Installation Recommendations... 1 Platform Compatibility... 1 New Features... 2 Troubleshooting... 3 Pre-Installation
Initial Access and Basic IPv4 Internet Configuration
Initial Access and Basic IPv4 Internet Configuration This quick start guide provides initial and basic Internet (WAN) configuration information for the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference
Architecture and Data Flow Overview BlackBerry Enterprise Service 10 721-08877-123 Version: Quick Reference Published: 2013-11-28 SWD-20131128130321045 Contents Key components of BlackBerry Enterprise
Contents. Release Purpose. Platform Compatibility. SonicOS 5.8.4.0 TZ 105 / TZ 205 Series Release Notes. SonicOS
SonicOS Contents Release Purpose... 1 Platform Compatibility... 1 Browser Support... 2 Enhancements in SonicOS 5.8.4.0... 2 Supported Features by Appliance Model... 3 Known Issues... 5 Resolved Issues...
Firewall Defaults, Public Server Rule, and Secondary WAN IP Address
Firewall Defaults, Public Server Rule, and Secondary WAN IP Address This quick start guide provides the firewall defaults and explains how to configure some basic firewall rules for the ProSafe Wireless-N
Release Notes. Release Purpose... 1 Platform Compatibility... 1 Upgrading Information... 1 Browser Support... 1 Known Issues... 2 Resolved Issues...
SonicOS SonicOS Contents Release Purpose... 1 Platform Compatibility... 1 Upgrading Information... 1 Browser Support... 1 Known Issues... 2 Resolved Issues... 5 Release Purpose SonicOS 6.1.1.3 is a maintenance
Chapter 3 Management. Remote Management
Chapter 3 Management This chapter describes how to use the management features of your ProSafe 802.11a/g Dual Band Wireless Access Point WAG102. To access these features, connect to the WAG102 as described
7.1. Remote Access Connection
7.1. Remote Access Connection When a client uses a dial up connection, it connects to the remote access server across the telephone system. Windows client and server operating systems use the Point to
Chapter 4 Customizing Your Network Settings
Chapter 4 Customizing Your Network Settings This chapter describes how to configure advanced networking features of the RangeMax Dual Band Wireless-N Router WNDR3300, including LAN, WAN, and routing settings.
Gigabit Multi-Homing VPN Security Router
As Internet becomes essential for business, the crucial solution to prevent your Internet connection from failure is to have more than one connection. PLANET is a ideal to help the SMBs increase the broadband
Chapter 6 Using Network Monitoring Tools
Chapter 6 Using Network Monitoring Tools This chapter describes how to use the maintenance features of your RangeMax Wireless-N Gigabit Router WNR3500. You can access these features by selecting the items
Load Balancer LB-2. User s Guide
Load Balancer LB-2 User s Guide TABLE OF CONTENTS 1: INTRODUCTION...1 Internet Features...1 Other Features...3 Package Contents...4 Physical Details...4 2: BASIC SETUP...8 Overview...8 Procedure...8 3:
Load Balancing Router. User s Guide
Load Balancing Router User s Guide TABLE OF CONTENTS 1: INTRODUCTION... 1 Internet Features... 1 Other Features... 3 Package Contents... 4 Physical Details... 4 2: BASIC SETUP... 8 Overview... 8 Procedure...
Barracuda Link Balancer Administrator s Guide
Barracuda Link Balancer Administrator s Guide Version 1.0 Barracuda Networks Inc. 3175 S. Winchester Blvd. Campbell, CA 95008 http://www.barracuda.com Copyright Notice Copyright 2008, Barracuda Networks
HP A-IMC Firewall Manager
HP A-IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW101-20110805 Legal and notice information Copyright 2011 Hewlett-Packard Development Company, L.P. No part of this
BR-6624. Load Balancing Router. Manual
BR-6624 Load Balancing Router Manual TABLE OF CONTENTS 1: INTRODUCTION...1 Internet Features...1 Other Features...3 Package Contents...4 Physical Details...4 2: BASIC SETUP...8 Overview...8 Procedure...8
Copyright 2012 Trend Micro Incorporated. All rights reserved.
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
Chapter 6 Basic Virtual Private Networking
Chapter 6 Basic Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FVG318 wireless VPN firewall. VPN communications paths are called tunnels.
LevelOne. User Manual. FBR-1430 VPN Broadband Router, 1W 4L V1.0
LevelOne FBR-1430 VPN Broadband Router, 1W 4L User Manual V1.0 Table of Contents CHAPTER 1 INTRODUCTION... 1 VPN BROADBAND ROUTER FEATURES... 1 Internet Access Features... 1 Advanced Internet Functions...
TW100-BRV204 VPN Firewall Router
TW100-BRV204 VPN Firewall Router Cable/DSL Internet Access 4-Port Switching Hub User's Guide Table of Contents CHAPTER 1 INTRODUCTION... 1 TW100-BRV204 Features... 1 Package Contents... 3 Physical Details...
SonicWALL Global Management System ViewPoint Guide. Version 2.1
SonicWALL Global Management System ViewPoint Guide Version 2.1 Copyright Information 2001 SonicWALL, Inc. All rights reserved. Under the copyright laws, this manual or the software described within, may
HP IMC Firewall Manager
HP IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW102-20120420 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this
Configuring GTA Firewalls for Remote Access
GB-OS Version 5.4 Configuring GTA Firewalls for Remote Access IPSec Mobile Client, PPTP and L2TP RA201010-01 Global Technology Associates 3505 Lake Lynda Drive Suite 109 Orlando, FL 32817 Tel: +1.407.380.0220
Pharos Control User Guide
Outdoor Wireless Solution Pharos Control User Guide REV1.0.0 1910011083 Contents Contents... I Chapter 1 Quick Start Guide... 1 1.1 Introduction... 1 1.2 Installation... 1 1.3 Before Login... 8 Chapter
Understanding the Cisco VPN Client
Understanding the Cisco VPN Client The Cisco VPN Client for Windows (referred to in this user guide as VPN Client) is a software program that runs on a Microsoft Windows -based PC. The VPN Client on a
Broadband Phone Gateway BPG510 Technical Users Guide
Broadband Phone Gateway BPG510 Technical Users Guide (Firmware version 0.14.1 and later) Revision 1.0 2006, 8x8 Inc. Table of Contents About your Broadband Phone Gateway (BPG510)... 4 Opening the BPG510's
Release Notes. Contents. Release Purpose. Pre-Installation Recommendations. Platform Compatibility. Dell SonicWALL Global VPN Client 4.
Global VPN Client Dell SonicWALL Global VPN Client 4.9 Release Notes SonicOS Contents Release Purpose... 1 Pre-Installation Recommendations... 1 Platform Compatibility... 1 Known Issues... 2 Resolved Issues...
108Mbps Super-G TM Wireless LAN Router with XR USER MANUAL
108Mbps Super-G TM Wireless LAN Router with XR USER MANUAL Contents 1. Overview...1 1.1 Product Feature...1 1.2 System Requirements...1 1.3 Applications...1 2. Getting Start...2 2.1 Know the 108Mbps Wireless
Management Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version 1.0.0. 613-001339 Rev.
Management Software AT-S106 Web Browser User s Guide For the AT-GS950/48 Gigabit Ethernet Smart Switch Version 1.0.0 613-001339 Rev. A Copyright 2010 Allied Telesis, Inc. All rights reserved. No part of
MN-700 Base Station Configuration Guide
MN-700 Base Station Configuration Guide Contents pen the Base Station Management Tool...3 Log ff the Base Station Management Tool...3 Navigate the Base Station Management Tool...4 Current Base Station
Innominate mguard Version 6
Innominate mguard Version 6 Configuration Examples mguard smart mguard PCI mguard blade mguard industrial RS EAGLE mguard mguard delta Innominate Security Technologies AG Albert-Einstein-Str. 14 12489
Broadband Router ALL1294B
Broadband Router ALL1294B Broadband Internet Access 4-Port Switching Hub User's Guide Table of Contents CHAPTER 1 INTRODUCTION... 1 Broadband Router Features... 1 Package Contents... 3 Physical Details...
ADMINISTRATION GUIDE Cisco Small Business
ADMINISTRATION GUIDE Cisco Small Business RV215W Wireless-N VPN Firewall Contents Chapter 1: Introduction 7 Verifying the Hardware Installation 7 Using the Setup Wizard 8 Configuration Next Steps 9 Using
GlobalSCAPE DMZ Gateway, v1. User Guide
GlobalSCAPE DMZ Gateway, v1 User Guide GlobalSCAPE, Inc. (GSB) Address: 4500 Lockhill-Selma Road, Suite 150 San Antonio, TX (USA) 78249 Sales: (210) 308-8267 Sales (Toll Free): (800) 290-5054 Technical
NETASQ SSO Agent Installation and deployment
NETASQ SSO Agent Installation and deployment Document version: 1.3 Reference: naentno_sso_agent Page 1 / 20 Copyright NETASQ 2013 General information 3 Principle 3 Requirements 3 Active Directory user
Guideline for setting up a functional VPN
Guideline for setting up a functional VPN Why do I want a VPN? VPN by definition creates a private, trusted network across an untrusted medium. It allows you to connect offices and people from around the
vcloud Director User's Guide
vcloud Director 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of
