Using the SonicOS Log Event Reference Guide

Transcription

1 Using the SonicOS Log Event Reference Guide This reference guide lists and describes SonicOS log event messages. Reference a log event message by using the alphabetical index of log event messages. This document contains the following sections: Log > View section on page 2 Log > Categories section on page 5 Log > Syslog section on page 9 Log > Automation section on page 10 Log > Name Resolution section on page 14 Log > Reports section on page 16 Log > ViewPoint section on page 17 Index of Log Event Messages section on page 19 Index of Syslog Tag Field Description section on page 57 SonicOS Log Event Reference Guide 1

2 Log > View Log > View The SonicWALL security appliance maintains an Event log for tracking potential security threats. This log can be viewed in the Log > View page, or it can be automatically sent to an address for convenience and archiving. The log is displayed in a table and can be sorted by column. The SonicWALL security appliance can alert you of important events, such as an attack to the SonicWALL security appliance. Alerts are immediately ed, either to an address or to an pager. Each log entry contains the date and time of the event and a brief message describing the event. Log View Table The log is displayed in a table and is sortable by column. The log table columns include: Time - the date and time of the event. Priority - the level of priority associated with your log event. Syslog uses eight categories to characterize messages in descending order of severity, the categories include: Emergency Alert Critical Error Warning Notice Informational Debug Specify a priority level on a SonicWALL security appliance on the Log > Categories page to log messages for that priority level, plus all messages tagged with a higher severity. For example, select error as the priority level to log all messages tagged as error, as well as any messages tagged with critical, alert, and emergency. Select debug to log all messages. Note Refer to Log Event Messages section for more information on your specific log event. Category - the type of traffic, such as Network or d. Message - provides description of the event. Source - displays source network and IP address. Destination - displays the destination network and IP address. Notes - provides additional information about the event. Rule - notes Network Rule affected by event. 2 SonicOS Log Event Reference Guide

3 Log > View Navigating and Sorting Log View Table Entries The Log View table provides easy pagination for viewing large numbers of log events. You can navigate these log events by using the navigation control bar located at the top right of the Log View table. Navigation control bar includes four buttons. The far left button displays the first page of the table. The far right button displays the last page. The inside left and right arrow buttons moved the previous or next page respectively. You can sort the entries in the table by clicking on the column header. The entries are sorted by ascending or descending order. The arrow to the right of the column entry indicates the sorting status. A down arrow means ascending order. An up arrow indicates a descending order. Refresh To update log messages, clicking the Refresh button near the top right corner of the page. Clear Log To delete the contents of the log, click the Clear Log button near the top right corner of the page. Export Log To export the contents of the log to a defined destination, click the Export Log button below the filter table.you can export log content to two formats: Plain text format--used in log and alert . Comma-separated value (CSV) format--used for importing into Excel or other presentation development applications. Log If you have configured the SonicWALL security appliance to log files, clicking Log near the top right corner of the page sends the current log files to the address specified in the Log > Automation > section. Note The SonicWALL security appliance can alert you of important events, such as an attack to the SonicWALL security appliance. Alerts are immediately sent via , either to an address or to an pager. For sending alerts, you must enter your address and server information in the Log > Automation page. SonicOS Log Event Reference Guide 3

4 Log > View Filtering Log Records Viewed You can filter the results to display only event logs matching certain criteria. You can filter by Priority, Category, Source (IP or Interface), and Destination (IP or Interface). Step 1 Step 2 Step 3 Step 4 Enter your filter criteria in the Log View Settings table. The fields you enter values into are combined into a search string with a logical AND. For example, if you select an interface for Source and for Destination, the search string will look for connections matching: Source interface AND Destination interface Check the Group Filters box next to any two or more criteria to combine them with a logical OR. For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group Filters next to Source IP and Destination IP, the search string will look for connections matching: (Source IP OR Destination IP) AND Protocol Click Apply Filter to apply the filter immediately to the Log View Settings table. Click Reset to clear the filter and display the unfiltered results again. The following example filters for log events resulting from traffic from the WAN to the LAN: Log Event Messages For a complete reference guide of log event messages, refer to the Log Event Message Index section on page SonicOS Log Event Reference Guide

5 Log > Categories Log > Categories This guide provides configuration tasks to enable you to categorize and customize the logging functions on your SonicWALL security appliance for troubleshooting and diagnostics. Note You can extend your SonicWALL security appliance log reporting capabilities by using SonicWALL ViewPoint. ViewPoint is a Web-based graphical reporting tool for detailed and comprehensive reports. For more information on the SonicWALL ViewPoint reporting tool, refer to Log Severity/Priority This section provides information on configuring the level of priority log messages are captured and corresponding alert messages are sent through for notification. Logging Level Alert Level The Logging Level control filters events by priority. Events of equal of greater priority are passed, and events of lower priority are dropped. The Logging Level menu includes the following priority scale items from highest to lowest priority: Emergency (highest priority) Alert Critical Error Warning Notice Informational Debug (lowest priority) The Alert Level control determines how Alerts are sent. An event of equal or greater priority causes an alert to be issued. Lower priority events do not cause an alert to be sent. Events are pre-filtered by the Logging Level control, so if the Logging Level control is set to a higher priority than that of the Alert Level control, only alerts at the Logging Level or higher are sent. Alert levels include: None (disables alerts) Emergency (highest priority) Alert Critical Error Warning (lowest priority) SonicOS Log Event Reference Guide 5

6 Log > Categories Log Redundancy Filter The Log Redundancy Filter allows you to define the time in seconds that the same attack is logged on the Log > View page as a single entry in the SonicWALL log. Various attacks are often rapidly repeated, which can quickly fill up a log if each attack is logged. The Log Redundancy Filter has a default setting of 60 seconds. Alert Redundancy Filter The Alert Redundancy Filter allows you to define the time in seconds that the same attack is logged on the Log > View page as a single entry in the SonicWALL log before an alert is issued. The Alert Redundancy Filter has a default setting of 900 seconds. Log Categories SonicWALL security appliances provide automatic attack protection against well known exploits. The majority of these legacy attacks were identified by telltale IP or TCP/UDP characteristics, and recognition was limited to a set of fixed layer 3 and layer 4 values. As the breadth and sophistication of attacks evolved, it has become essential to dig deeper into the traffic, and to develop the sort of adaptability that could keep pace with the new threats. All SonicWALL security appliances, even those running SonicWALL IPS, continue to recognize these legacy port and protocol types of attacks. The current behavior on all SonicWALL security appliances devices is to automatically and holistically prevent these legacy attacks, meaning that it is not possible to disable prevention of these attacks either individually or globally. SonicWALL security appliances now include an expanded list of attack categories that can be logged. The View Style menu provides the following three log category views: All Categories - Displays both Legacy Categories and Expanded Categories. Legacy Categories - Displays log categories carried over from earlier SonicWALL log event categories. Expanded Categories - Displays the expanded listing of categories that includes the older Legacy Categories log events rearranged into the new structure. The following table describes both the Legacy and Extended log categories. Log Type Category Description Management Legacy Logs WLAN IEEE connections. Advanced Routing Expanded Logs messages related to RIPv2 and OSPF routing events. Attacks Legacy Logs messages showing Denial of Service attacks, such as SYN Flood, Ping of Death, and IP spoofing d Expanded Logs administrator, user, and guest account activity Blocked Java, etc. Legacy Logs Java, ActiveX, and Cookies blocked by the SonicWALL security appliance. Blocked Web Sites Legacy Logs Web sites or newsgroups blocked by the Content Filter List or by customized filtering. BOOTP Expanded Logs BOOTP activity Crypto Test Expanded Logs crypto algorithm and hardware testing 6 SonicOS Log Event Reference Guide

7 Log > Categories Log Type Category Description DDNS Expanded Logs Dynamic DNS activity Denied LAN IP Legacy Logs all LAN IP addresses denied by the SonicWALL security appliance. DHCP Client Expanded Logs DHCP client protocol activity DHCP Relay Expanded Logs DHCP central and remote gateway activity Dropped ICMP Legacy Logs blocked incoming ICMP packets. Dropped TCP Legacy Logs blocked incoming TCP connections. Dropped UDP Legacy Logs blocked incoming UDP packets. Firewall Event Extended Logs internal firewall activity Firewall Hardware Extended Logs firewall hardware error events Firewall Logging Extended Logs general events and errors Firewall Rule Extended Logs firewall rule modifications GMS Extended Logs GMS status event High Availability Extended Logs High Availability activity IPcomp Extended Logs IP compression activity Intrusion Prevention Extended Logs intrusion prevention related activity L2TP Client Extended Logs L2TP client activity L2TP Server Extended Logs L2TP server activity Multicast Extended Logs multicast IGMP activity Network Extended Logs network ARP, fragmentation, and MTU activity Network Extended Logs network and firewall protocol access activity Network Debug Legacy Logs NetBIOS broadcasts, ARP resolution problems, and NAT resolution problems. Also, detailed messages for VPN connections are displayed to assist the network administrator with troubleshooting problems with active VPN tunnels. Network Debug information is intended for experienced network administrators. Network Traffic Expanded Logs network traffic reporting events PPP Extended Logs generic PPP activity PPP Dial-Up Extended Logs PPP dial-up activity PPPoE Extended Logs PPPoE activity PPTP Extended Logs PPTP activity RBL Extended Logs real-time black list activity RIP Extended Logs RIP activity Remote Extended Logs RADIUS and LDAP server activity Authentication Security Services Extended Logs security services activity SonicPoint Extended Logs SonicPoint activity System Errors Legacy Logs problems with DNS or . System Legacy Logs general system activity, such as system activations. Maintenance User Activity Legacy Logs successful and unsuccessful log in attempts. VOIP Extended Logs VoIP H.323/RAS, H.323/H.225, and H.323/H.245 activity SonicOS Log Event Reference Guide 7

8 Log > Categories Log Type Category Description VPN Extended Logs VPN activity VPN Client Extended Logs VPN client activity VPN IKE Extended Logs VPN IKE activity VPN IPsec Extended Logs VPN IPSec activity VPN PKI Extended Logs VPN PKI activity VPN Tunnel Status Legacy Logs status information on VPN tunnels. WAN Failover Extended Logs WAN failover activity Wireless Extended Logs wireless activity Wlan IDS Extended Logs WLAN IDS activity Managing Log Categories The Log Categories table displays log category information organized into the following columns: Category - Displays log category name. Description - Provides description of the log category activity type. Log - Provides checkbox for enabling/disabling the display of the log events in on the Log > View page. Alerts - Provides checkbox for enabling/disabling the sending of alerts for the category. Syslog - Provides checkbox for enabling/disabling the capture of the log events into the SonicWALL security appliance Syslog. Event Count - Displays the number of events for that category. Clicking the Refresh button updates these numbers. You can sort the log categories in the Log Categories table by clicking on the column header. For example, clicking on the Category header sorts the log categories in descending order from the default ascending order. An up or down arrow to the left of the column name indicates whether the column is assorted in ascending or descending order. You can enable or disable Log, Alerts, and Syslog on a category by category basis by clicking on the check box for the category in the table. You can enable or disable Log, Alerts, and Syslog for all categories by clicking the checkbox on the column header. 8 SonicOS Log Event Reference Guide

9 Log > Syslog Log > Syslog In addition to the standard event log, the SonicWALL security appliance can send a detailed log to an external Syslog server. The SonicWALL Syslog captures all log activity and includes every connection source and destination IP address, IP service, and number of bytes transferred. The SonicWALL Syslog support requires an external server running a Syslog daemon on UDP Port 514. Syslog Analyzers such as SonicWALL ViewPoint or WebTrends Firewall Suite can be used to sort, analyze, and graph the Syslog data. Messages from the SonicWALL security appliance are then sent to the server(s). Up to three Syslog server IP addresses can be added.syslog Settings Syslog Facility Syslog Facility - Allows you to select the facilities and severities of the messages based on the syslog protocol. Note See RCF The BSD Syslog Protocol for more information. Override Syslog Settings with ViewPoint Settings - Check this box to override Syslog settings, if you re using SonicWALL ViewPoint for your reporting solution. Note For more information on SonicWALL ViewPoint, go to Syslog Event Redundancy Filter (seconds) - This setting prevents repetitive messages from being written to Syslog. If duplicate events occur during the period specified in the Syslog Event Redundancy Rate field, they are not written to Syslog as unique events. Instead, the additional events are counted, and then at the end of the period, a message is written to the Syslog that includes the number of times the event occurred. The Syslog Event Redundancy Filter default value is 60 seconds and the maximum value is 86,400 seconds (24 hours). Setting this value to 0 seconds sends all Syslog messages without filtering. Syslog Format - You can choose the format of the Syslog to be Default or WebTrends. If you select WebTrends, however, you must have WebTrends software installed on your system. Note If the SonicWALL security appliance is managed by SonicWALL GMS, the Syslog Server fields cannot be configured by the administrator of the SonicWALL security appliance. Enable Event Rate Limiting - This control allows you to enable rate limiting of events to prevent the internal or external logging mechanism from being overwhelmed by log events. Enable Data Rate Limiting - This control allows you to enable rate limiting of data to prevent the internal or external logging mechanism from being overwhelmed by log events. SonicOS Log Event Reference Guide 9

10 Log > Automation Syslog Servers Adding a Syslog Server To add syslog servers to the SonicWALL security appliance Step 1 Step 2 Step 3 Step 4 Step 5 Click Add. The Add Syslog Server window is displayed. Type the Syslog server name or IP address in the Name or IP Address field. Messages from the SonicWALL security appliance are then sent to the servers. If your syslog is not using the default port of 514, type the port number in the Port Number field. Click OK. Click Accept to save all Syslog Server settings. Log > Automation The Log > Automation page includes settings for configuring the SonicWALL to send log files using and configuring mail server settings. Log Automation Send Log to address - Enter your address ([email protected]) in this field to receive the event log via . Once sent, the log is cleared from the SonicWALL memory. If this field is left blank, the log is not ed. Send Alerts to address - Enter your address ([email protected]) in the Send alerts to field to be immediately ed when attacks or system errors occur. Type a standard address or an paging service. If this field is left blank, alert messages are not sent. Send Log - Determines the frequency of sending log files. The options are When Full, Weekly, or Daily. If the Weekly or Daily option is selected, then select the day of the week the log is sent in the every menu and the time of day in 24-hour format in the At field. Format - Specifies whether log s will be sent in Plain Text or HTML format. Mail Server Settings The mail server settings allow you to specify the name or IP address of your mail server, the from address, and authentication method. Mail Server (name or IP address) - Enter the IP address or FQDN of the server used to send your log s in this field. From Address - Enter the address you want to display in the From field of the message. Authentication Method - You can use the default None item or select POP Before SMTP. Note If the Mail Server (name or IP address) is left blank, log and alert messages are not e- mailed. 10 SonicOS Log Event Reference Guide

11 Log > Automation Deep Packet Forensics SonicWALL UTM appliances have configurable deep-packet classification capabilities that intersect with forensic and content-management products. While the SonicWALL can reliably detect and prevent any interesting-content events, it can only provide a record of the occurrence, but not the actual data of the event. Of equal importance are diagnostic applications where the interesting-content is traffic that is being unpredictably handled or inexplicably dropped. Although the SonicWALL can achieve interesting-content using our Enhanced packet capture diagnostic tool, data-recorders are application-specific appliances designed to record all the packets on a network. They are highly optimized for this task, and can record network traffic without dropping a single packet. While data-recorders are good at recording data, they lack the sort of deep-packet inspection intelligence afforded by IPS/GAV/ASPY/AF. Consider the minimal requirements of effective data analysis: Reliable storage of data Effective indexing of data Classification of interesting-content Together, a UTM device (a SonicWALL appliance) and data-recorder (a Solera Networks appliance) satisfy the requirements to offer outstanding forensic and data-leakage capabilities. Distributed Event Detection and Replay The Solera appliance can search its data-repository, while also allowing the administrator to define interesting-content events on the SonicWALL. The level of logging detail and frequency of the logging can be configured by the administrator. Nearly all events include Source IP, Source Port, Destination IP, Destination Port, and Time. SonicOS Enhanced has an extensive set of log events, including: Debug/Informational Events Connection setup/tear down User-events Administrative access, single sign-on activity, user logins, content filtering details Firewall Rule/Policy Events to and from particular IP:Port combinations, also identifiable by time Interesting-content at the Network or Application Layer Port-scans, SYN floods, DPI or AF signature/policy hits The following is an example of the process of distributed event detection and replay: 1. The administrator defines the event trigger. For example, an Application Firewall policy is defined to detect and log the transmission of an official document: SonicOS Log Event Reference Guide 11

12 Log > Automation 2. A user (at IP address ) on the network retrieves the file. 3. The event is logged by the SonicWALL. 4. The administrator selects the Recorder icon from the left column of the log entry. Icon/link only appears in the logs when a NPCS is defined on the SonicWALL (e.g. IP: [ ], Port: [443]). The defined NPCS appliance will be the link s target. The link will include the query string parameters defining the desired connection. 5. The NPCS will (optionally) authenticate the user session. 6. The requested data will be presented to the client as a.cap file, and can be saved or viewed on the local machine. Methods of The client and NPCS must be able to reach one another. Usually, this means the client and the NPCS will be in the same physical location, both connected to the SonicWALL appliance. In any case, the client will be able to directly reach the NPCS, or will be able to reach the NPCS through the SonicWALL. Administrators in a remote location will require some method of VPN connectivity to the internal network. from a centralized GMS console will have similar requirements. Log Persistence SonicOS currently allocates 32K to a rolling log buffer. When the log becomes full, it can be ed to a defined recipient and flushed, or it can simply be flushed. ing provides a simple version of logging persistence, while GMS provides a more reliable and scalable method. By offering the administrator the option to deliver logs as either plain-text or HTML, the administrator has an easy method to review and replay events logged. 12 SonicOS Log Event Reference Guide

13 Log > Automation GMS To provide the ability to identify and view events across an entire enterprise, a GMS update will be required. Device-specific interesting-content events at the GMS console appear in Reports > Log Viewer Search page, but are also found throughout the various reports, such as Top Intrusions Over Time. Solera Capture Stack Solera Networks makes a series of appliances of varying capacities and speeds designed to capture, archive, and regenerate network traffic. The Solera Networks Network Packet Capture System (NPCS) provides utilities that allow the captured data to be accessed in time sequenced playback, that is, analysis of captured data can be performed on a live network via NPCS while the device is actively capturing and archiving data. SonicOS Log Event Reference Guide 13

14 Log > Name Resolution To configure your SonicWALL appliance with Solera select the Enable Solera Capture Stack Integration option. Configure the following options: Server - Select the host for the Solera server. You can dynamically create the host by selecting Create New Host... Protocol - Select either HTTP or HTTPS. Port - Specify the port number for connecting to the Solera server. Interface(s) - Specify which interfaces you want to transmit data for to the Solera server. User (optional) - Enter the username, if required. Password (optional) - Enter the password, if required. Confirm Password - Confirm the password. Mask Password - Leave this enabled to send the password as encrypted text. Log > Name Resolution The Log > Name Resolution page includes settings for configuring the name servers used to resolve IP addresses and server names in the log reports. The security appliance uses a DNS server or NetBIOS to resolve all IP addresses in log reports into server names. It stores the names/address pairs in a cache, to assist with future lookups. You can clear the cache by clicking Reset Name Cache in the top of the Log > Name Resolution page. 14 SonicOS Log Event Reference Guide

15 Log > Name Resolution Selecting Name Resolution Settings The security appliance can use DNS, NetBIOS, or both to resolve IP addresses and server names. In the Name Resolution Method list, select: None: The security appliance will not attempt to resolve IP addresses and Names in the log reports. DNS: The security appliance will use the DNS server you specify to resolve addresses and names. NetBIOS: The security appliance will use NetBIOS to resolve addresses and names. If you select NetBIOS, no further configuration is necessary. DNS then NetBIOS: The security appliance will first use the DNS server you specify to resolve addresses and names. If it cannot resolve the name, it will try again with NetBIOS. Specifying the DNS Server To choose specific DNS servers or use the same servers as the WAN zone, perform the following steps: Step 1 Step 2 Step 3 Select Specify DNS Servers Manually or Inherit DNS Settings Dynamically from WAN Zone. The second choice is selected by default. If you selected to specify a DNS server, enter the IP address for at least one DNS server on your network. You can enter up to three servers. Click Accept in the top right corner of the Log > Name Resolution page to make your changes take effect. SonicOS Log Event Reference Guide 15

16 Log > Reports Log > Reports The SonicWALL security appliance can perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth. You can generate these reports from the Log > Reports page. Note SonicWALL ViewPoint provides a comprehensive Web-based reporting solution for SonicWALL security appliances. For more information on SonicWALL ViewPoint, go to Data Collection The Reports window includes the following functions and commands: Start Data Collection Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label changes to Stop Data Collection. Reset Data Click Reset Data to clear the report statistics and begin a new sample period. The sample period is also reset when data collection is stopped or started, and when the SonicWALL security appliance is restarted. View Data Select the desired report from the Report to view menu. The options are Web Site Hits, Bandwidth Usage by IP Address, and Bandwidth Usage by Service. These reports are explained below. Click Refresh Data to update the report. The length of time analyzed by the report is displayed in the Current Sample Period. Web Site Hits Selecting Web Site Hits from the Report to view menu displays a table showing the URLs for the 25 most frequently accessed Web sites and the number of hits to a site during the current sample period. The Web Site Hits report ensures that the majority of Web access is to appropriate Web sites. If leisure, sports, or other inappropriate sites appear in the Web Site Hits Report, you can choose to block the sites. For information on blocking inappropriate Web sites, see. Click on the name of a Web site to open that site in a new window. Bandwidth Usage by IP Address Selecting Bandwidth Usage by IP Address from the Report to view menu displays a table showing the IP address of the 25 top users of Internet bandwidth and the number of megabytes transmitted during the current sample period. 16 SonicOS Log Event Reference Guide

17 Log > ViewPoint Bandwidth Usage by Service Selecting Bandwidth Usage by Service from the Report to view menu displays a table showing the name of the 25 top Internet services, such as HTTP, FTP, RealAudio, etc., and the number of megabytes received from the service during the current sample period. The Bandwidth Usage by Service report shows whether the services being used are appropriate for your organization. If services such as video or push broadcasts are consuming a large portion of the available bandwidth, you can choose to block these services. Log > ViewPoint SonicWALL ViewPoint is a Web-based graphical reporting tool that provides unprecedented security awareness and control over your network environment through detailed and comprehensive reports of your security and network activities. ViewPoint s broad reporting capabilities allow administrators to easily monitor network access and Internet usage, enhance security, assess risks, understand more about employee Internet use and productivity, and anticipate future bandwidth needs. ViewPoint creates dynamic, real-time and historical network summaries, providing a flexible, comprehensive view of network events and activities. Reports are based on syslog data streams received from each SonicWALL appliance through LAN, Wireless LAN, WAN or VPN connections. With ViewPoint, your organization can generate individual or aggregate reports about virtually any aspect of appliance activity, including individual user or group usage patterns, evens on specific appliances or groups of appliances, types and times of attacks, resource consumption and constraints, and more. For more information on SonicWALL ViewPoint, go to For complete SonicWALL ViewPoint documentation, go to the SonicWALL documentation Web site at SonicOS Log Event Reference Guide 17

18 Log > ViewPoint Activating ViewPoint The Log > ViewPoint page allows you to activate the ViewPoint license directly from the SonicWALL Management Interface using two methods. If you received a license activation key, enter the activation key in the Enter upgrade key field, and click Accept. Warning You must have a mysonicwall.com account and your SonicWALL security appliance must be registered to activate SonicWALL ViewPoint for your SonicWALl security appliance. Step 1 Step 2 Step 3 Step 4 Click the Upgrade link in Click here to Upgrade on the Log > ViewPoint page. The mysonicwall.com Login page is displayed. Enter your mysonicwall.com account username and password in the User Name and Password fields, then click Submit. The System > Licenses page is displayed. If your SonicWALL security appliance is already connected to your mysonicwall.com account, the System > Licenses page appears after you click the SonicWALL Content Filtering Subscription link. Click Activate or Renew in the Manage Service column in the Manage Services Online table. Type in the Activation Key in the New License Key field and click Submit. If you activated SonicWALL ViewPoint at mysonicwall.com, the SonicWALL ViewPoint activation is automatically enabled on your SonicWALL within 24-hours or you can click the Synchronize button on the Security Services > Summary page to update your SonicWALL. Enabling ViewPoint Settings Once you have installed the SonicWALL ViewPoint software, you can point the SonicWALL security appliance to the server running ViewPoint, perform the following steps: Step 1 Check the Enable ViewPoint Settings checkbox in the Syslog Servers section of the Log > ViewPoint page. Step 2 Step 3 Step 4 Step 5 Click the Add button. The Add Syslog Server window is displayed. Enter the IP address or FQDN of the SonicWALL ViewPoint server in the Name or IP Address field. Enter the port number for the SonicWALL ViewPoint server traffic in the Port field or use the default port number. Click Accept. Note The Override Syslog Settings with ViewPoint Settings control on the Log > Syslog page is automatically checked when you enable ViewPoint from the Log > ViewPoint page. The IP address or FQDN you entered in the Add Syslog Server window is also displayed on the Log > Syslog page as well as in the Syslog Servers table on the Log > ViewPoint page. Clicking the Edit icon displays the Add Syslog Server window for editing the ViewPoint server information. Clicking the Delete icon, deletes the ViewPoint syslog server entry. 18 SonicOS Log Event Reference Guide

19 Index of Log Event Messages This section contains a list of log event messages for all SonicWALL Firmware and SonicOS Software Releases, ordered alphabetically. Use your web browser s Find function to search for a command. Log Event Message Symbols Key Log Event Message Symbol Description Context %s Ethernet Port Down Represents a character string. [WAN LAN DMZ] Ethernet Port Down The cache is full; %u open connections; some will be dropped Represents a numerical string. The cache is full; [40,000] open connections; some will be dropped TCP IP Layered-Data Packet Processing and SonicOS Log Event Handling In specific cases of multi-layer packet processing, a TCP connection initially logged as "open," will be rejected by a deeper layer of packet processing. In these cases, the connection request has not been forwarded by the SonicWALL security appliance, and the initial Connection Open SonicOS log event message should be ignored in favor of the TCP Connection Dropped log event message. Each log event message described in the following table provides the following log event details: SonicOS Category Displays the SonicOS Software category event type. Legacy Category Displays the SonicWALL Firmware Software category event type. Priority Level Displays the level of urgency of the log event message. Log Message ID Number Displays the ID number of the log event message. Type Displays the ID number of the log event message. SonicOS Log Event Reference Guide 19

20 Log Event Message Index Log Event Message New Category Legacy Category Priority ID Type Network Security Appliance activated Firewall Event Maintenance Alert Log cleared Firewall Logging Maintenance Information Log successfully sent via Firewall Logging Maintenance Information Log full; deactivating Network Security Firewall Logging System Error Error Appliance New URL List loaded Security Services Maintenance Information No new URL List available Security Services Maintenance Information Problem loading the URL List; check Filter Security Services System Error Error settings Problem loading the URL List; check your Security Services System Error Error DNS server Problem sending log ; check log Firewall Logging System Error Warning settings Restarting Network Security Appliance; Firewall Event Maintenance Information dumping log to Web site access denied Network Blocked Sites Error Newsgroup access denied Network Blocked Sites Notice Web site access allowed Network Blocked Sites Notice Newsgroup access allowed Network Blocked Sites Notice ActiveX access denied Network Blocked Code Notice Java access denied Network Blocked Code Notice ActiveX or Java archive access denied Network Blocked Code Notice Cookie removed Network Blocked Code Notice Ping of death dropped Intrusion Detection Attack Alert IP spoof dropped Intrusion Detection Attack Alert User logged out - user disconnect detected User Activity Information (heartbeat timer expired) Possible SYN flood attack detected Intrusion Detection Attack Warning Land attack dropped Intrusion Detection Attack Alert Fragmented packet dropped Network TCP UDP ICMP Notice Administrator login allowed User Activity Information Administrator login denied due to bad credentials User login from an internal zone allowed User login denied due to bad credentials User login denied due to bad credentials Login screen timed out Attack Alert User Activity Information User Activity Information User Activity Information User Activity Information SonicOS Log Event Reference Guide

21 Log Event Message New Category Legacy Category Priority ID Attack Alert Administrator login denied from %s; logins disabled from this interface TCP connection dropped Network TCP Notice UDP packet dropped Network UDP Notice ICMP packet dropped due to policy Network ICMP Notice PPTP packet dropped Network TCP UDP ICMP Notice IPsec packet dropped Network TCP UDP ICMP Notice Unknown protocol dropped Network Debug Notice IPsec packet dropped; waiting for pending Network Debug Debug IPsec connection IPsec connection interrupt Network Debug Debug NAT could not remap incoming packet Unused System Error Error ARP timeout Network Debug Debug Broadcast packet dropped Network Debug Debug No ICMP redirect sent Unused Debug Debug Out-of-order command packet dropped Network Debug Debug Failure to add data channel Unused Debug Debug RealAudio decode failure Unused Debug Debug Duplicate packet dropped Network Debug Debug No HOST tag found in HTTP request Network Debug Debug The cache is full; %u open connections; Firewall Event System Error Error some will be dropped License exceeded: Connection dropped Firewall Event System Error Error because too many IP addresses are in use on your LAN to proxy server denied Network Blocked Sites Notice Diagnostic Code E VPN IPsec System Error Error Dynamic IPsec client connected VPN IPsec User Activity Information Received fragmented packet or Network Debug Debug fragmentation needed Diagnostic Code D Firewall Hardware System Error Error Illegal IPsec SPI VPN IPsec User Activity Information Unknown IPsec SPI VPN IPsec Attack Error IPsec Authentication Failed VPN IPsec Attack Error IPsec Decryption Failed VPN IPsec Attack Error Incompatible IPsec Security Association VPN IPsec User Activity Information IPsec packet from or to an illegal host VPN IPsec Attack Error NetBus attack dropped Intrusion Detection Attack Alert Back Orifice attack dropped Intrusion Detection Attack Alert Net Spy attack dropped Intrusion Detection Attack Alert Sub Seven attack dropped Intrusion Detection Attack Alert Ripper attack dropped Intrusion Detection Attack Alert Striker attack dropped Intrusion Detection Attack Alert Senna Spy attack dropped Intrusion Detection Attack Alert Type SonicOS Log Event Reference Guide 21

22 Log Event Message New Category Legacy Category Priority ID Priority attack dropped Intrusion Detection Attack Alert Ini Killer attack dropped Intrusion Detection Attack Alert Smurf Amplification attack dropped Intrusion Detection Attack Alert Possible port scan detected Intrusion Detection Attack Alert Probable port scan detected Intrusion Detection Attack Alert Failed to resolve name Network Maintenance Information IKE Responder: Accepting IPsec proposal VPN IKE User Activity Information (Phase 2) IKE Responder: IPsec proposal does not VPN IKE User Activity Warning match (Phase 2) IKE negotiation complete. Adding IPsec SA. VPN IKE User Activity Information (Phase 2) Starting IKE negotiation VPN IKE User Activity Information Deleting IPsec SA for destination VPN IKE User Activity Information Deleting IPsec SA VPN IKE User Activity Information Diagnostic Code A Firewall Hardware System Error Error Diagnostic Code B Firewall Hardware System Error Error Diagnostic Code C Firewall Hardware System Error Error Status GMS Maintenance Emergency #Web site hit Network Traffic Connection Traffic Information Connection Opened Network Traffic Connection Information Retransmitting DHCP DISCOVER. DHCP Client Maintenance Information Retransmitting DHCP REQUEST DHCP Client Maintenance Information (Requesting). Retransmitting DHCP REQUEST DHCP Client Maintenance Information (Renewing). Retransmitting DHCP REQUEST DHCP Client Maintenance Information (Rebinding). Retransmitting DHCP REQUEST DHCP Client Maintenance Information (Rebooting). Retransmitting DHCP REQUEST (Verifying). DHCP Client Maintenance Information Sending DHCP DISCOVER. DHCP Client Maintenance Information DHCP Server not available. Did not get any DHCP Client Maintenance Information DHCP OFFER. Got DHCP OFFER. Selecting. DHCP Client Maintenance Information Sending DHCP REQUEST. DHCP Client Maintenance Information DHCP Client did not get DHCP ACK. DHCP Client Maintenance Information DHCP Client got NACK. DHCP Client Maintenance Information DHCP Client got ACK from server. DHCP Client Maintenance Information DHCP Client is declining address offered by DHCP Client Maintenance Information the server. DHCP Client sending REQUEST and going to REBIND state. DHCP Client Maintenance Information Type 22 SonicOS Log Event Reference Guide

23 Log Event Message New Category Legacy Category Priority ID DHCP Client sending REQUEST and going DHCP Client Maintenance Information to RENEW state. Sending DHCP REQUEST (Renewing). DHCP Client Maintenance Information Sending DHCP REQUEST (Rebinding). DHCP Client Maintenance Information Sending DHCP REQUEST (Rebooting). DHCP Client Maintenance Information Sending DHCP REQUEST (Verifying). DHCP Client Maintenance Information DHCP Client failed to verify and lease has DHCP Client Maintenance Information expired. Go to INIT state. DHCP Client failed to verify and lease is still DHCP Client Maintenance Information valid. Go to BOUND state. DHCP Client got a new IP address lease. DHCP Client Maintenance Information Sending DHCP RELEASE. DHCP Client Maintenance Information attempt from host without Anti-Virus Security Services Maintenance Information agent installed Anti-Virus agent out-of-date on host Security Services Maintenance Information Received AV Alert: %s Security Services Maintenance Warning Starting PPPoE discovery PPPoE Maintenance Information PPPoE LCP Link Up PPPoE Maintenance Information PPPoE LCP Link Down PPPoE Maintenance Information PPPoE terminated PPPoE Maintenance Information PPPoE Network Connected PPPoE Maintenance Information PPPoE Network Disconnected PPPoE Maintenance Information PPPoE discovery process complete PPPoE Maintenance Information PPPoE starting CHAP Authentication PPPoE Maintenance Information PPPoE starting PAP Authentication PPPoE Maintenance Information PPPoE CHAP Authentication Failed PPPoE Maintenance Information PPPoE PAP Authentication Failed PPPoE Maintenance Information Wan IP Changed Firewall Event System Error Warning XAUTH Succeeded with VPN client VPN Client User Activity Information XAUTH Failed with VPN client, VPN Client User Activity Error Authentication failure XAUTH Failed with VPN client, Cannot VPN Client User Activity Information Contact RADIUS Server Log Debug Firewall Event Debug Error Add an attack message Firewall Event Attack Error Primary firewall has transitioned to Active High Availability Maintenance Alert Backup firewall has transitioned to Active High Availability Maintenance Alert Primary firewall has transitioned to Idle High Availability System Error Alert Backup firewall has transitioned to Idle High Availability Maintenance Alert Primary missed heartbeats from Backup High Availability System Error Error Backup missed heartbeats from Primary High Availability System Error Error Primary received error signal from Backup High Availability System Error Error Backup received error signal from Primary High Availability System Error Error Backup firewall being preempted by Primary High Availability System Error Error Type SonicOS Log Event Reference Guide 23

24 Log Event Message New Category Legacy Category Priority ID Type Primary firewall preempting Backup High Availability System Error Error Active Backup detects Active Primary: High Availability Maintenance Information Backup going Idle Imported HA hardware ID did not match this High Availability Maintenance Information firewall Discovered HA Backup Firewall High Availability Maintenance Information HA Peer Firewall Synchronized High Availability Maintenance Information Error synchronizing HA peer firewall (%s) High Availability System Error Error Received AV Alert: Your Network Anti-Virus Security Services Maintenance Warning subscription has expired. %s Primary received heartbeat from wrong High Availability Maintenance Information source Backup received heartbeat from wrong High Availability Maintenance Information source HA packet processing error High Availability Maintenance Information Heartbeat received from incompatible source High Availability Maintenance Information Diagnostic Code F Firewall Hardware System Error Error Forbidden attachment disabled Intrusion Detection Attack Alert PPPoE PAP Authentication success. PPPoE Maintenance Information PPPoE PAP Authentication Failed. Please PPPoE Maintenance Information verify PPPoE username and password Disconnecting PPPoE due to traffic timeout PPPoE Maintenance Information No response from ISP Disconnecting PPPoE Maintenance Information PPPoE. Backup going Active in preempt mode after High Availability System Error Error reboot VPN Log Debug VPN IKE Debug Information TCP connection from LAN denied Network LAN TCP Notice UDP packet from LAN dropped Network LAN UDP LAN Notice TCP ICMP packet from LAN dropped Network LAN ICMP LAN Notice TCP Probable TCP FIN scan detected Intrusion Detection Attack Alert Probable TCP XMAS scan detected Intrusion Detection Attack Alert Probable TCP NULL scan detected Intrusion Detection Attack Alert IPsec Replay Detected VPN IPsec Attack Alert TCP FIN packet dropped Network Debug Debug Received a path MTU icmp message from Network User Activity Information router/gateway Problem loading the URL List; Appliance not Security Services System Error Error registered. Problem loading the URL List; Subscription Security Services System Error Error expired. Problem loading the URL List; Try loading it again. Security Services System Error Error SonicOS Log Event Reference Guide

25 Log Event Message New Category Legacy Category Priority ID Type Problem loading the URL List; Retrying later. Security Services System Error Error Problem loading the URL List; Flash write Security Services System Error Error failure. Received a path MTU icmp message from Network User Activity Information router/gateway The loaded content URL List has expired. Security Services System Error Error Error setting the IP address of the backup, High Availability System Error Error please manually set to backup LAN IP Error updating HA peer configuration High Availability System Error Error Fraudulent Microsoft certificate found; Intrusion Detection Attack Error access denied VPN TCP SYN VPN VPN Statistics Information VPN TCP FIN VPN VPN Statistics Information VPN TCP PSH VPN VPN Statistics Information Content filter subscription expired. Security Services System Error Error New firmware available. Firewall Event Maintenance Information CLI administrator login allowed User Activity Information CLI administrator login denied due to bad User Activity Warning credentials L2TP Tunnel Negotiation Started L2TP Client Maintenance Information L2TP Session Negotiation Started L2TP Client Maintenance Information L2TP Max Retransmission Exceeded L2TP Client Maintenance Information L2TP Tunnel Established L2TP Client Maintenance Information L2TP Tunnel Disconnect from Remote L2TP Client Maintenance Information L2TP Session Established L2TP Client Maintenance Information L2TP Session Disconnect from Remote L2TP Client Maintenance Information L2TP PPP Negotiation Started L2TP Client Maintenance Information L2TP LCP Down L2TP Client Maintenance Information L2TP PPP Session Up L2TP Client Maintenance Information L2TP PPP Down L2TP Client Maintenance Information L2TP PPP Authentication Failed L2TP Client Maintenance Information L2TP LCP Up L2TP Client Maintenance Information L2TP Disconnect Initiated by the User L2TP Client Maintenance Information Disconnecting L2TP Tunnel due to traffic L2TP Client Maintenance Information timeout L2TP Connect Initiated by the User L2TP Client Maintenance Information L2TP PPP link down L2TP Client Maintenance Information Primary WAN link down, Primary going Idle High Availability Maintenance Information Backup WAN link down, Primary going High Availability System Error Error Active Primary WAN link down, Backup going High Availability System Error Error Active Primary WAN link up, preempting Backup High Availability Maintenance Information SonicOS Log Event Reference Guide 25

26 Log Event Message New Category Legacy Category Priority ID Type DHCP RELEASE relayed to Central Gateway DHCP Relay Maintenance Information DHCP lease relayed to local device DHCP Relay Maintenance Information DHCP RELEASE received from remote DHCP Relay Debug Information device DHCP lease relayed to remote device DHCP Relay Debug Information DHCP lease to LAN device conflicts with DHCP Relay Maintenance Information remote device, deleting remote IP entry WARNING: DHCP lease relayed from DHCP Relay Maintenance Information Central Gateway conflicts with IP in Static Devices list DHCP lease dropped. Lease from Central DHCP Relay Maintenance Warning Gateway conflicts with Relay IP IP spoof detected on packet to Central DHCP Relay Attack Error Gateway, packet dropped Request for Relay IP Table from Central DHCP Relay Maintenance Information Gateway Requesting Relay IP Table from Remote DHCP Relay Maintenance Information Gateway Sent Relay IP Table to Central Gateway DHCP Relay Maintenance Information Obtained Relay IP Table from Remote DHCP Relay Maintenance Information Gateway Failed to synchronize Relay IP Table DHCP Relay System Error Warning VPN zone administrator login allowed User Activity Information WAN zone administrator login allowed User Activity Information VPN zone remote user login allowed User Activity Information WAN zone remote user login allowed User Activity Information NAT Discovery : Peer IPsec Security VPN IKE User Activity Information Gateway behind a NAT/NAPT Device NAT Discovery : Local IPsec Security VPN IKE User Activity Information Gateway behind a NAT/NAPT Device NAT Discovery : No NAT/NAPT device VPN IKE User Activity Information detected between IPsec Security gateways NAT Discovery : Peer IPsec Security VPN IKE User Activity Information Gateway doesn't support VPN NAT Traversal User login denied - RADIUS authentication RADIUS User Activity Information failure User login denied - RADIUS server timeout RADIUS User Activity Warning User login denied - RADIUS configuration error RADIUS User Activity Warning SonicOS Log Event Reference Guide

27 Log Event Message New Category Legacy Category Priority ID User Activity Information User login denied - User has no privileges for login from that location IPsec packet from an illegal host VPN IPsec Maintenance Information Forbidden attachment deleted Intrusion Detection Attack Error IKE Responder: Mode %d - not tunnel mode VPN IKE User Activity Warning IKE Responder: No matching Phase 1 ID VPN IKE User Activity Warning found for proposed remote network IKE Responder: Proposed remote network is VPN IKE User Activity Warning but not DHCP relay nor default route IKE Responder: No match for proposed VPN IKE User Activity Warning remote network address IKE Responder: Default LAN gateway is set VPN IKE User Activity Warning but peer is not proposing to use this SA as a default route IKE Responder: Tunnel terminates outside VPN IKE User Activity Warning firewall but proposed local network is not NAT public address IKE Responder: Tunnel terminates inside VPN IKE User Activity Warning firewall but proposed local network is not inside firewall IKE Responder: Tunnel terminates on DMZ VPN IKE User Activity Warning but proposed local network is on LAN IKE Responder: Tunnel terminates on LAN VPN IKE User Activity Warning but proposed local network is on DMZ IKE Responder: AH Perfect Forward VPN IKE User Activity Warning Secrecy mismatch IKE Responder: ESP Perfect Forward VPN IKE User Activity Warning Secrecy mismatch IKE Responder: Algorithms and/or keys do VPN IKE User Activity Warning not match Administrator logged out User Activity Information Administrator logged out - inactivity timer User Activity Information expired User logged out User Activity Information User logged out - max session time exceeded User logged out - inactivity timer expired NAT device may not support IPsec AH passthrough User Activity Information User Activity Information VPN IPsec Maintenance Information TCP Xmas Tree dropped Intrusion Detection Attack Alert CFL auto-download disabled, time problem Security Services Maintenance Information detected Requesting CRL from VPN PKI User Activity Information Type SonicOS Log Event Reference Guide 27

28 Log Event Message New Category Legacy Category Priority ID Type CRL loaded from VPN PKI User Activity Information Failed to get CRL from VPN PKI User Activity Alert Not enough memory to hold the CRL VPN PKI User Activity Warning Connection timed out VPN PKI User Activity Alert Cannot connect to the CRL server VPN PKI User Activity Alert Unknown reason VPN PKI User Activity Error Failed to Process CRL from VPN PKI User Activity Alert Bad CRL format VPN PKI User Activity Alert Issuer match failed VPN PKI User Activity Alert Certificate on Revoked list(crl) VPN PKI User Activity Alert No Certificate for VPN PKI User Activity Alert PPP Dial-Up: Dialing: %s PPP Dial Up User Activity Information PPP Dial-Up: No dialtone detected - check PPP Dial Up User Activity Information phone-line connection PPP Dial-Up: No link carrier detected - check PPP Dial Up User Activity Information phone number PPP Dial-Up: Dialed number is busy PPP Dial Up User Activity Information PPP Dial-Up: Dialed number did not answer PPP Dial Up User Activity Information PPP Dial-Up: Connected at %s bps - starting PPP Dial Up User Activity Information PPP PPP Dial-Up: Unknown dialing failure PPP Dial Up User Activity Information PPP Dial-Up: Link carrier lost PPP Dial Up User Activity Information PPP: Authentication successful PPP --- Information PPP: PAP Authentication failed - check PPP --- Information username / password PPP: CHAP authentication failed - check PPP --- Information username / password PPP: MS-CHAP authentication failed - check PPP --- Information username / password PPP: Starting MS-CHAP authentication PPP --- Information PPP: Starting CHAP authentication PPP --- Information PPP: Starting PAP authentication PPP --- Information PPP Dial-Up: PPP negotiation failed - PPP Dial Up User Activity Information disconnecting PPP Dial-Up: Idle time limit exceeded - PPP Dial Up User Activity Information disconnecting PPP Dial-Up: Failed to get IP address PPP Dial Up User Activity Information PPP Dial-Up: Received new IP address PPP Dial Up User Activity Information PPP Dial-Up: PPP link established PPP Dial Up User Activity Information PPP Dial-Up: PPP link down PPP Dial Up User Activity Information PPP Dial-Up: Shutting down link PPP Dial Up User Activity Information PPP Dial-Up: Initialization : %s PPP Dial Up User Activity Information PPP Dial-Up: User requested disconnect PPP Dial Up User Activity Information PPP Dial-Up: User requested connect PPP Dial Up User Activity Information SonicOS Log Event Reference Guide

29 Log Event Message New Category Legacy Category Priority ID Type PPP Dial-Up: Connect request canceled PPP Dial Up User Activity Information The network connection in use is %s WAN Failover System Error Warning L2TP Server : L2TP Tunnel Established. L2TP Server Maintenance Information L2TP Server : L2TP Session Established. L2TP Server Maintenance Information L2TP Server : L2TP PPP Session L2TP Server Maintenance Information Established. L2TP Server: RADIUS/LDAP reports L2TP Server Maintenance Information Authentication Failure L2TP Server: Local Authentication Failure L2TP Server Maintenance Information L2TP Server: RADIUS/LDAP server not L2TP Server Maintenance Information assigned IP address L2TP Server: No IP address available in the L2TP Server Maintenance Information Local IP Pool L2TP Server: L2TP Tunnel Disconnect from L2TP Server Maintenance Information the Remote. L2TP Server: L2TP Session Disconnect L2TP Server Maintenance Information from the Remote. L2TP Server: L2TP Remote terminated the L2TP Server Maintenance Information PPP session L2TP Server: Local Authentication L2TP Server Maintenance Information Success. L2TP Server: RADIUS/LDAP Authentication L2TP Server Maintenance Information Success L2TP Server: Keep alive Failure. Closing L2TP Server Maintenance Information Tunnel PPP Dial-Up: Manual intervention needed. PPP Dial Up User Activity Information Check Primary Profile or Profile details PPP Dial-Up: Trying to failover but Primary PPP Dial Up User Activity Information Profile is manual PPP Dial-Up: Startup without Ethernet cable, PPP Dial Up User Activity Information will try to dial on outbound traffic PPP Dial-Up: Dial initiated by %s PPP Dial Up Maintenance Information The current WAN interface is not ready to Firewall Event System Error Error route packets. Probing failure on %s WAN Failover System Error Alert PPP Dial-Up: Maximum connection time PPP Dial Up User Activity Information exceeded - disconnecting Administrator name changed Maintenance Information User login failure rate exceeded - logins from Attack Error user IP address denied PPP Dial-Up: The profile in use disabled PPP Dial Up Maintenance Information VPN networking. PPP Dial-Up: VPN networking restored. PPP Dial Up Maintenance Information %s Ethernet Port Up Firewall Event System Error Warning %s Ethernet Port Down Firewall Event System Error Error SonicOS Log Event Reference Guide 29

30 Log Event Message New Category Legacy Category Priority ID Type L2TP Server: Call Disconnect from Remote. L2TP Server Maintenance Information L2TP Server: Tunnel Disconnect from L2TP Server Maintenance Information Remote. L2TP Server : Deleting the Tunnel L2TP Server Maintenance Information L2TP Server : Deleting the L2TP active L2TP Server Maintenance Information Session L2TP Server : Retransmission Timeout, L2TP Server Maintenance Information Deleting the Tunnel NAT translated packet exceeds size limit, Network Debug Debug packet dropped HTTP management port has changed Firewall Event Maintenance Information HTTPS management port has changed Firewall Event Maintenance Information IKE Responder: Mode %d - not transport VPN IKE Debug Warning mode. Xauth is required but not supported by peer. L2TP Server : from L2TP VPN Client L2TP Server Maintenance Information Privilege not enabled for Radius Users. L2TP Server : User Name authentication L2TP Server Maintenance Information Failure locally. IKE Responder: Tunnel terminates outside VPN IKE User Activity Warning firewall but proposed remote network is not NAT public address IKE Initiator: Start Quick Mode (Phase 2). VPN IKE User Activity Information Port configured to receive IPsec protocol Network TCP UDP ICMP Warning ONLY; drop packet received in the clear Imported VPN SA is invalid - disabled Firewall Event Maintenance Warning IPsec SA lifetime expired. VPN IPsec User Activity Information IKE SA lifetime expired. VPN IKE User Activity Information IKE Initiator: Start Main Mode negotiation VPN IKE User Activity Information (Phase 1) IKE Responder: Received Quick Mode VPN IKE User Activity Information Request (Phase 2) IKE Initiator: Main Mode complete (Phase 1) VPN IKE User Activity Information IKE Initiator: Aggressive Mode complete VPN IKE User Activity Information (Phase 1). IKE Responder: Received Main Mode VPN IKE User Activity Information request (Phase 1) IKE Responder: Received Aggressive Mode VPN IKE User Activity Information request (Phase 1) IKE Responder: Main Mode complete VPN IKE User Activity Information (Phase 1) IKE Initiator: Start Aggressive Mode VPN IKE User Activity Information negotiation (Phase 1) Entering FIPS ERROR state Crypto Test Maintenance Error Crypto DES test failed Crypto Test Maintenance Error Crypto DH test failed Crypto Test Maintenance Error SonicOS Log Event Reference Guide

31 Log Event Message New Category Legacy Category Priority ID Type Crypto Hmac-MD5 fest failed Crypto Test Maintenance Error Crypto Hmac-Sha1 test failed Crypto Test Maintenance Error Crypto RSA test failed Crypto Test Maintenance Error Crypto Sha1 test failed Crypto Test Maintenance Error Crypto hardware DES test failed Crypto Test Maintenance Error Crypto hardware 3DES test failed Crypto Test Maintenance Error Crypto hardware DES with SHA test failed Crypto Test Maintenance Error Crypto Hardware 3DES with SHA test failed Crypto Test Maintenance Error Crypto MD5 test failed Crypto Test Maintenance Error VPN Client Policy Provisioning VPN Client User Activity Information IKE Initiator: Accepting IPsec proposal VPN IKE User Activity Information (Phase 2) IKE Responder: Aggressive Mode complete VPN IKE User Activity Information (Phase 1) Error initializing Hardware acceleration for Firewall Hardware Maintenance Error VPN PPTP Control Connection Negotiation PPTP Maintenance Information Started PPTP Session Negotiation Started PPTP Maintenance Information PPTP Max Retransmission Exceeded PPTP Maintenance Information PPTP Control Connection Established PPTP Maintenance Information PPTP Tunnel Disconnect from Remote PPTP Maintenance Information PPTP Session Established PPTP Maintenance Information PPTP Session Disconnect from Remote PPTP Maintenance Information PPTP PPP Negotiation Started PPTP Maintenance Information PPTP LCP Down PPTP Maintenance Information PPTP PPP Session Up PPTP Maintenance Information PPTP PPP Down PPTP Maintenance Information PPTP PPP Authentication Failed PPTP Maintenance Information PPTP LCP Up PPTP Maintenance Information PPTP Disconnect Initiated by the User PPTP Maintenance Information Disconnecting PPTP Tunnel due to traffic PPTP Maintenance Information timeout PPTP Connect Initiated by the User PPTP Maintenance Information PPTP PPP link down PPTP Maintenance Information PPTP starting CHAP Authentication PPTP Maintenance Information PPTP starting PAP Authentication PPTP Maintenance Information PPTP CHAP Authentication Failed. Please PPTP Maintenance Information verify PPTP username and password PPTP PAP Authentication Failed PPTP Maintenance Information PPTP PAP Authentication success. PPTP Maintenance Information PPTP PAP Authentication Failed. Please PPTP Maintenance Information verify PPTP username and password PPTP PPP Link Up PPTP Maintenance Information SonicOS Log Event Reference Guide 31

32 Log Event Message New Category Legacy Category Priority ID Type PPTP PPP Link down PPTP Maintenance Information PPTP PPP Link Finished PPTP Maintenance Information Received notify. NO_PROPOSAL_CHOSEN VPN IKE User Activity Warning IKE Responder: IKE proposal does not VPN IKE User Activity Warning match (Phase 1) IKE negotiation aborted due to timeout VPN IKE User Activity Information Failed payload verification after decryption; VPN IKE User Activity Warning possible preshared key mismatch Failed payload validation VPN IKE User Activity Warning Received packet retransmission. Drop VPN IKE User Activity Warning duplicate packet SA is disabled. Check VPN SA settings VPN IKE User Activity Information Anti-Virus Licenses Exceeded Security Services Maintenance Information Received notify: ISAKMP_AUTH_FAILED VPN IKE User Activity Warning Computed hash does not match hash VPN IKE User Activity Warning received from peer; preshared key mismatch Received notify: PAYLOAD_MALFORMED VPN IKE User Activity Warning Received IPsec SA delete request VPN IKE User Activity Information Received IKE SA delete request VPN IKE User Activity Information Received notify: INVALID_COOKIES VPN IKE User Activity Information Received notify: RESPONDER_LIFETIME VPN IKE User Activity Information Received notify: INVALID_SPI VPN IKE User Activity Information PKI Error: VPN PKI Maintenance Error IKE Responder: Proposed local network is VPN IKE User Activity Warning but SA has no LAN Default Gateway RIP disabled on interface %s RIP Maintenance Information RIPv1 enabled on interface %s RIP Maintenance Information RIPv2 enabled on interface %s RIP Maintenance Information RIPv2 compatibility (broadcast) mode RIP Maintenance Information enabled on interface %s RIP disabled on DMZ interface RIP Maintenance Information RIPv1 enabled on DMZ interface RIP Maintenance Information RIPv2 enabled on DMZ interface RIP Maintenance Information RIPv2 compatibility (broadcast) mode RIP Maintenance Information enabled on DMZ interface IPsecTunnel status changed VPN VPN Tunnel Information Status Source routed IP packet dropped Intrusion Detection Debug Warning No response from server to Echo Requests, PPTP Maintenance Information disconnecting PPTP Tunnel No response from PPTP server to control PPTP Maintenance Information connection requests No response from PPTP server to call requests PPTP Maintenance Information SonicOS Log Event Reference Guide

33 Log Event Message New Category Legacy Category Priority ID Type PPTP server rejected control connection PPTP Maintenance Information PPTP server rejected the call request PPTP Maintenance Information PPP Dial-Up: Trying to failover but Alternate Profile is manual WAN Failover User Activity Information WLB Failback initiated by %s WAN Failover System Error Alert Probing succeeded on %s WAN Failover System Error Alert fragment dropped Intrusion Detection Attack Error Locked-out user logins allowed - lockout User Activity Information period expired Locked-out user logins allowed by administrator User Activity Information rule added Firewall Rule User Activity Information rule modified Firewall Rule User Activity Information rule deleted Firewall Rule User Activity Information rules restored to defaults Firewall Rule User Activity Information PPTP Server is not responding, check if the PPTP Maintenance Information server is UP and running. IKE Initiator: Accepting peer lifetime. (Phase VPN IKE User Activity Information ) FTP: PASV response spoof attack dropped Intrusion Detection Attack Error PKI Failure VPN PKI Maintenance Error PKI Failure: Output buffer too small VPN PKI Maintenance Error PKI Failure: Cannot alloc memory VPN PKI Maintenance Error PKI Failure: Reached the limit for local certs, VPN PKI Maintenance Error cant load any more PKI Failure: Import failed VPN PKI Maintenance Error PKI Failure: Incorrect admin password VPN PKI Maintenance Error PKI Failure: CA certificates store exceeded. VPN PKI Maintenance Error Cannot verify this Local Certificate PKI Failure: Improper file format. Please VPN PKI Maintenance Error select PKCS#12 (*.p12) file PKI Failure: Certificate's ID does not match VPN PKI Maintenance Error this Network Security Appliance PKI Failure: public-private key mismatch VPN PKI Maintenance Error PKI Failure: Duplicate local certificate name VPN PKI Maintenance Error PKI Failure: Duplicate local certificate VPN PKI Maintenance Error PKI Failure: No CA certificates yet loaded VPN PKI Maintenance Error PKI Failure: Internal error VPN PKI Maintenance Error PKI Failure: Temporary memory shortage, try VPN PKI Maintenance Error again PKI Failure: The certificate chain is circular VPN PKI Maintenance Error PKI Failure: The certificate chain is VPN PKI Maintenance Error incomplete PKI Failure: The certificate chain has no root VPN PKI Maintenance Error SonicOS Log Event Reference Guide 33

34 Log Event Message New Category Legacy Category Priority ID PKI Failure: The certificate or a certificate in the chain has expired PKI Failure: The certificate or a certificate in the chain has a validity period in the future PKI Failure: The certificate or a certificate in the chain is corrupt PKI Failure: The certificate or a certificate in the chain has a bad signature VPN PKI Maintenance Error VPN PKI Maintenance Error VPN PKI Maintenance Error VPN PKI Maintenance Error PKI Failure: Loaded but could not verify VPN PKI Maintenance Error certificate PKI Failure: Loaded the certificate but could VPN PKI Maintenance Error not verify it's chain VPN Cleanup: Dynamic network settings VPN User Activity Information change WARNING: Central Gateway does not have DHCP Relay Maintenance Information a Relay IP Address. DHCP message dropped. DHCP REQUEST received from remote DHCP Relay Debug Information device DHCP DISCOVER received from remote DHCP Relay Debug Information device DHCP DECLINE received from remote DHCP Relay Debug Information device DHCP OFFER received from server DHCP Relay Debug Information DHCP NACK received from server DHCP Relay Debug Information ERROR: DHCP over VPN policy is not DHCP Relay Maintenance Information defined. Cannot start IKE. DHCP DISCOVER received from local DHCP Relay Debug Information device DHCP REQUEST received from local device DHCP Relay Debug Information PPP Dial-Up: No peer IP address from Dial- PPP Dial Up Maintenance Information Up ISP, local and remote IPs will be the same Received AV Alert: Your Network Anti-Virus Security Services Maintenance Warning subscription will expire in 7 days. %s Received notify: INVALID_ID_INFO VPN IPsec User Activity Warning DHCP lease dropped. Lease from Central DHCP Relay Maintenance Warning Gateway conflicts with Remote Management IP Category: None --- Debug User login denied - User has no privileges for guest service User Activity Information WLAN firmware image has been updated Wireless Maintenance Information Packet dropped by guest check Network TCP UDP ICMP Warning Received CFS Alert: Your Content Filtering subscription will expire in 7 days. Security Services Maintenance Warning Type 34 SonicOS Log Event Reference Guide

35 Log Event Message New Category Legacy Category Priority ID Received CFS Alert: Your Content Filtering subscription has expired. Security Services Maintenance Warning Received Filter Alert: Your Security Services Maintenance Warning Filtering subscription will expire in 7 days. Received Filter Alert: Your Security Services Maintenance Warning Filtering subscription has expired. ISDN Driver Firmware successfully updated Firewall Event Maintenance Information Global VPN Client License Exceeded: VPN Client System Error Information Connection denied. Packet dropped by WLAN vpn traversal Wireless TCP UDP ICMP Warning check Registration Update Needed: Restore your Security Services Maintenance Warning existing security service subscriptions by clicking here. Entering FIPS Error State. Crypto Test System Error Error WAN Interface not setup Firewall Event Maintenance Information PPPoE enabled but not ready PPPoE Maintenance Information L2TP enabled but not ready Unused Maintenance Information PPTP enabled but not ready PPTP Maintenance Information WAN not ready Firewall Event Maintenance Information VPN disabled for active dial up Unused Maintenance Information DHCP client enabled but not ready DHCP Client Maintenance Information Blocked Quick Mode for Client using Default VPN Client System Error Error KeyId VPN disabled by administrator Maintenance Information VPN enabled by administrator Maintenance Information WLAN disabled by administrator Maintenance Information WLAN enabled by administrator Maintenance Information WiFiSec Enforcement disabled by administrator WiFiSec Enforcement enabled by administrator Wireless MAC Filter List enabled by administrator Wireless MAC Filter List disabled by administrator PPPoE user name changed by Administrator PPPoE password changed by Administrator Maintenance Information Maintenance Information Maintenance Information Maintenance Information User Activity Information User Activity Information Type SonicOS Log Event Reference Guide 35

36 Log Event Message New Category Legacy Category Priority ID IKE Responder: Default LAN gateway is not VPN IKE Attack Error set but peer is proposing to use this SA as a default route WLAN Reboot Firewall Hardware System Error Error Management Wireless b Information Management WLAN recovery Wireless Maintenance Information CLI administrator logged out User Activity Information Network Security Appliance initializing Firewall Event Maintenance Information Malformed or unhandled IP packet dropped Network Debug Alert ICMP packet dropped no match Network ICMP Notice Web access request dropped Network TCP Notice Web management request allowed Network User Activity Notice FTP: PORT bounce attack dropped. Intrusion Detection Attack Alert FTP: PASV response bounce attack Intrusion Detection Attack Alert dropped. Global VPN Client connection is not allowed. VPN Client System Error Information Appliance is not registered. Network Modem Mode Enabled: turning off PPP Dial Up Maintenance Information NAT Network Modem Mode Disabled: re-enabling PPP Dial Up Maintenance Information NAT Internet restricted to authorized Wireless TCP UDP ICMP Warning users. Dropped packet received in the clear. IPsec (ESP) packet dropped VPN IPsec TCP UDP ICMP Notice IPsec (AH) packet dropped VPN IPsec TCP UDP ICMP Notice IPsec (ESP) packet dropped; waiting for VPN IPsec Debug Debug pending IPsec connection IPsec (AH) packet dropped; waiting for VPN IPsec Debug Debug pending IPsec connection Connection Closed Network Traffic Connection Traffic Information FTP: Data connection from non default port Network Attack Alert dropped Real time clock battery failure Time values Firewall Hardware System Error Warning may be incorrect If not already enabled, enabling NTP is Firewall Hardware System Error Warning recommended Maximum number of Bandwidth Managed Firewall Event Maintenance Notice rules exceeded upon upgrade to this version. Some Bandwith settings ignored. PPP Dial-Up: Previous session was PPP Dial Up User Activity Information connected for %s IKE Initiator: Using secondary gateway to negotiate VPN IKE User Activity Information Type 36 SonicOS Log Event Reference Guide

37 Log Event Message New Category Legacy Category Priority ID IKE Initiator drop: VPN tunnel end point does VPN IKE User Activity Information not match configured VPN Policy Bound to scope IKE Responder drop: VPN tunnel end point VPN IKE User Activity Information does not match configured VPN Policy Bound to scope Found Rogue Point WLAN IDS WLAN IDS Alert WLAN sequence number out of order WLAN IDS WLAN IDS Warning Association Flood from WLAN station WLAN IDS WLAN IDS Alert User login failed - Guest service limit reached Guest Session Timeout Guest Account Timeout User Activity Information User Activity Information User Activity Information Type RIP disabled on WAN interface RIP Maintenance Information RIPv1 enabled on WAN interface RIP Maintenance Information RIPv2 enabled on WAN interface RIP Maintenance Information RIPv2 compatibility (broadcast) mode RIP Maintenance Information enabled on WAN interface Found Rogue Point WLAN IDS WLAN IDS Alert Guest login denied. Guest '%s' is already User Activity Information logged in. Please try again later. Guest account '%s' created User Activity Information Guest account '%s' deleted User Activity Information Guest account '%s' disabled User Activity Information Guest account '%s' re-enabled User Activity Information Guest account '%s' pruned User Activity Information Guest account '%s' re-generated User Activity Information Guest Idle Timeout User Activity Information Interface %s Link Is Up Firewall Event System Error Warning Interface %s Link Is Down Firewall Event System Error Error Interface IP Assignment changed: Shutting Firewall Event Maintenance Information down %s Interface IP Assignment : Binding and Firewall Event Maintenance Information initializing %s Network for interface %s overlaps with another interface. Firewall Event Maintenance Information SonicOS Log Event Reference Guide 37

38 Log Event Message New Category Legacy Category Priority ID Type Please connect interface %s to another Firewall Event Maintenance Information network to function properly RIP Broadcasts for LAN Network %s are RIP Maintenance Information being broadcast over dialup-connection A prior version of preferences was loaded Firewall Event System Error Warning because the most recent preferences file was inaccessible The preferences file is too large to be saved Firewall Event System Error Warning in available flash memory All preference values have been set to Firewall Event System Error Warning factory default values Voltages Out of Tolerance Firewall Hardware System Error Environment Fan Failure Firewall Hardware System Alert Environment Thermal Yellow Firewall Hardware System Alert Environment Thermal Red Firewall Hardware System Alert Environment Thermal Red Timer Exceeded Firewall Hardware System Alert Environment TCP Syn/Fin packet dropped Network Attack Alert WLB Spill-over started, configured threshold WAN Failover Maintenance Warning exceeded WLB Spill-over stopped WAN Failover Maintenance Warning User login disabled from %s Attack Error WLB Failover in progress WAN Failover System Error Alert WLB Resource is now available WAN Failover System Error Alert WLB Resource failed WAN Failover System Error Alert Header verification failed VPN IKE User Activity Warning Received DHCP offer packet has errors DHCP Client Maintenance Information Received response packet for DHCP request DHCP Client Maintenance Information has errors IP type %s packet dropped Network LAN UDP LAN Notice TCP Maximum sequential failed dial attempts (10) PPP Dial Up Attack Error to a single dial-up number: %s Regulatory requirements prohibit %s from PPP Dial Up Attack Error being re-dialed for 30 minutes Received PPPoE Active Discovery Offer PPPoE Maintenance Information Received PPPoE Active Discovery PPPoE Maintenance Information Session_confirmation Sending PPPoE Active Discovery Request PPPoE Maintenance Information PPTP decode failure PPTP Debug Debug ICMP packet allowed Network Debug Information SonicOS Log Event Reference Guide

39 Log Event Message New Category Legacy Category Priority ID ICMP packet from LAN allowed Network Debug Information Diagnostic Code G Firewall Hardware System Error Error Diagnostic Code H Firewall Hardware System Error Error Diagnostic Code I Firewall Hardware System Error Error DNS packet allowed Network Debug Information Adding L2TP IP pool Address object Failed. L2TP Server System Error Error Global VPN Client version cannot enforce VPN Client User Activity Information personal firewall. Minimum Version required is 2.1 Received unencrypted packet in crypto VPN IKE User Activity Warning active state Spank attack multicast packet dropped Intrusion Detection Attack Alert Received ISAKMP packet destined to port VPN IKE Debug UDP Information %s IPS Detection Alert: %s Intrusion Detection Attack Alert IPS Prevention Alert: %s Intrusion Detection Attack Alert Crypto Hardware AES test failed Crypto Test Maintenance Error A SonicOS Standard to Enhanced Upgrade Firewall Event Maintenance Information was performed Not all configurations may have been Firewall Event Maintenance Information completely upgraded Please manually check all system Firewall Event Maintenance Information configurations for correctness of Upgrade Received IPS Alert: Your Intrusion Security Services Maintenance Warning Prevention (IDP) subscription has expired. WLAN client null probing WLAN IDS WLAN IDS Warning Payload processing failed VPN IKE Debug Error WLAN not in AP mode, DHCP server will not Wireless Maintenance Information provide lease to clients on WLAN BOOTP server response relayed to remote BOOTP Debug Debug device BOOTP Client IP address on LAN conflicts BOOTP Maintenance Information with remote device IP, deleting IP address from remote table BOOTP reply relayed to local device BOOTP Maintenance Information BOOTP Request received from remote BOOTP Debug Debug device VoIP Call Connected VoIP VoIP Information VoIP Call Disconnected VoIP VoIP Information H.323/RAS Admission Reject VoIP VoIP Debug H.323/RAS Admission Confirm VoIP VoIP Debug H.323/RAS Admission Request VoIP VoIP Debug H.323/RAS Bandwidth Reject VoIP VoIP Debug H.323/RAS Disengage Confirm VoIP VoIP Debug H.323/RAS Gatekeeper Reject VoIP VoIP Debug Type SonicOS Log Event Reference Guide 39

40 Log Event Message New Category Legacy Category Priority ID Type H.323/RAS Location Confirm VoIP VoIP Debug H.323/RAS Location Reject VoIP VoIP Debug H.323/RAS Registration Reject VoIP VoIP Debug H.323/H.225 Setup VoIP VoIP Debug H.323/H.225 Connect VoIP VoIP Debug H.323/H.245 Address VoIP VoIP Debug H.323/H.245 End Session VoIP VoIP Debug VoIP %s Endpoint added VoIP VoIP Debug VoIP %s Endpoint removed VoIP VoIP Debug VoIP %s Endpoint not added - configured VoIP VoIP Warning 'public' endpoint limit reached H.323/RAS Unknown Message Response VoIP VoIP Debug H.323/RAS Disengage Reject VoIP VoIP Debug H.323/RAS Unregistration Reject VoIP VoIP Debug SIP Request VoIP VoIP Debug SIP Response VoIP VoIP Debug SIP Register expiration exceeds configured VoIP VoIP Warning Signaling inactivity time out Packet dropped; connection limit for this Firewall Event System Error Alert source IP address has been reached Packet dropped; connection limit for this Firewall Event System Error Alert destination IP address has been reached Packet destination not in VPN list VPN IPsec Attack Error Application Filters Block Alert: %s Intrusion Detection Attack Alert Application Filter Detection Alert: %s Intrusion Detection Attack Alert IPComp connection interrupt IPComp Debug Debug IPComp packet dropped IPComp TCP UDP ICMP Notice IPComp packet dropped; waiting for pending IPComp Debug Debug IPComp connection Maximum events per second threshold Firewall Logging System Error Critical exceeded Maximum syslog data per second threshold Firewall Logging System Error Critical exceeded SMTP POP-Before-SMTP authentication Firewall Logging System Error Warning failed Syslog Server cannot be reached Network Maintenance Information IKE Responder: Proposed IKE ID mismatch VPN IKE System Error Warning IKE Responder: IP Address already exists in VPN Client System Error Error the DHCP relay table. Client traffic not allowed. IKE Responder: %s policy does not allow VPN Client System Error Error static IP for Virtual Adapter. Received notify: INVALID_PAYLOAD VPN IKE User Activity Error Drop WLAN traffic from non-sonicpoint devices Intrusion Detection Attack Error SonicOS Log Event Reference Guide

41 Log Event Message New Category Legacy Category Priority ID WPA MIC Failure Wireless b Management WPA Radius Server Timeout Wireless b Management Warning Information Type PPP Dial-Up: Dialing not allowed by PPP Dial Up --- Information schedule. %s PPP Dial-Up: Connection disconnected as PPP Dial Up --- Information scheduled. SonicPoint Status SonicPoint SonicPoint Information HA Peer Firewall Rebooted High Availability Maintenance Information Error Rebooting HA Peer Firewall High Availability System Error Error License of HA pair doesn't match: %s High Availability System Error Error Primary received reboot signal from Backup High Availability System Error Error Backup received reboot signal from Primary High Availability System Error Error Synchronizing preferences to HA Peer High Availability Maintenance Information Firewall Success to reach Interface %s probe High Availability System Error Information Failure to reach Interface %s probe High Availability System Error Error IGMP V2 client joined multicast Group : %s Multicast --- Information IGMP V3 client joined multicast Group : %s Multicast --- Information IGMP V3 Membership report received from Multicast --- Debug interface %s IGMP V2 Membership report received from Multicast --- Debug interface %s Router IGMP General query received on Multicast --- Debug interface %s Router IGMP Membership query received Multicast --- Debug on interface %s IGMP Leave group message Received on Multicast --- Information interface %s IGMP packet dropped, wrong checksum Multicast --- Notice received on interface %s Multicast packet dropped, wrong MAC Multicast --- Alert address received on interface : %s Multicast packet dropped, Invalid src IP Multicast --- Alert received on interface : %s IGMP packet dropped, decoding error Multicast --- Notice IGMP Packet Not handled. Packet type : %s Multicast --- Notice IGMP V3 packet dropped, unsupported Multicast --- Notice Record type : %s IGMP V3 reord type : %s not Handled Multicast --- Debug Multicast UDP packet dropped, no state Multicast --- Notice entry Multicast TCP packet dropped Multicast --- Notice SonicOS Log Event Reference Guide 41

42 Log Event Message New Category Legacy Category Priority ID Type IGMP state table entry time out,deleting Multicast --- Debug interface : %s for multicast address : %s IGMP state table entry time out,deleting VPN Multicast --- Debug SPI :%s for Multicast address : %s Multicast UDP packet dropped, RTP stateful Multicast --- Warning failed Multicast UDP packet dropped, RTCP Multicast --- Warning stateful failed Multicast application %s not supported Multicast --- Information Adding to multicast policylist, interface : %s Multicast --- Debug Deleting from Multicast policy list, interface : Multicast --- Debug %s Adding to Multicast policylist, VPN SPI : %s Multicast --- Debug Deleting from Multicast policy list, VPN SPI : Multicast --- Debug %s IGMP querier Router detected on interface Multicast --- Debug %s IGMP querier Router detected on VPN Multicast --- Debug tunnel, SPI %S Exceeded Max multicast address limit Multicast --- Warning Invalid Product Code Upgrade request Firewall Event --- Error received: %s Overriding Product Code Upgrade to: %s Firewall Event --- Error Network Monitor: Host %s is offline Network Monitor --- Alert Network Monitor: Host %s is online Network Monitor --- Alert TCP packet received with invalid SEQ Network Debug Debug number; TCP packet dropped TCP packet received with invalid ACK Network Debug Debug number; TCP packet dropped TCP stateful inspection: Invalid flag; TCP Network Debug Information packet dropped TCP stateful inspection: Bad header; TCP Network Debug Debug packet dropped TCP connection reject received; TCP Network Debug Debug connection dropped TCP connection abort received; TCP Network Debug Debug connection dropped EIGRP packet dropped Network Debug Notice ARP request packet sent Network --- Information ARP response packet received Network --- Information ARP request packet received Network --- Information ARP response packet sent Network --- Information VPN policy count received exceeds the limit; VPN System Error Error %s Sending LCP Echo Request PPPoE Maintenance Information SonicOS Log Event Reference Guide

43 Log Event Message New Category Legacy Category Priority ID Type Received LCP Echo Request PPPoE Maintenance Information Sending LCP Echo Reply PPPoE Maintenance Information Received LCP Echo Reply PPPoE Maintenance Information Guest Services drop traffic to deny network Network --- Information Guest Services pass traffic to access allow Network --- Information network WLAN max concurrent users reached Network --- Information already SonicPoint Provision SonicPoint SonicPoint Information WLAN disabled by schedule Maintenance Information WLAN enabled by schedule Maintenance Information Virtual Point is enabled SonicPoint b Information Management Virtual Point is disabled SonicPoint b Information Management Packet dropped by WLAN SSL-VPN Wireless TCP UDP ICMP Warning enforcement check SSL-VPN enforcement Wireless Maintenance Information Source IP address connection status: %s Firewall Event --- Information Destination IP address connection status: Firewall Event --- Information %s SMTP authentication problem:%s Firewall Logging System Error Warning PPPoE Client: Previous session was PPPoE Maintenance Information connected for %s Packet dropped. No firewall rule associated VPN System Error Alert with VPN policy. NetBIOS settings were not upgraded. Use Firewall Event Maintenance Information Network>IP Helper to configure NetBIOS support LAN Subnet configurations were not Firewall Event Maintenance Information upgraded. Time of day settings for firewall policies were Firewall Event Maintenance Information not upgraded. Hardware Failover settings were not Firewall Event Maintenance Information upgraded. User login denied - RADIUS communication RADIUS User Activity Warning problem User login denied - LDAP authentication RADIUS User Activity Information failure User login denied - LDAP server timeout RADIUS User Activity Warning User login denied - LDAP server down or RADIUS User Activity Warning misconfigured User login denied - LDAP communication problem RADIUS User Activity Warning SonicOS Log Event Reference Guide 43

44 Log Event Message New Category Legacy Category Priority ID Type User login denied - invalid credentials on RADIUS User Activity Warning LDAP server User login denied - insufficient access on RADIUS User Activity Warning LDAP server User login denied - LDAP schema mismatch RADIUS User Activity Warning Allowed LDAP server certificate with wrong RADIUS User Activity Warning host name User login denied - LDAP server name RADIUS User Activity Warning resolution failed User login denied - RADIUS server name RADIUS User Activity Warning resolution failed User login denied - LDAP server certificate RADIUS User Activity Warning not valid User login denied - TLS or local certificate RADIUS User Activity Warning problem User login denied - LDAP directory mismatch RADIUS User Activity Warning LDAP server does not allow CHAP RADIUS User Activity Warning User login denied - user already logged in User Activity Information TCP handshake violation detected; TCP Network --- Notice connection dropped attempt from host out of compliance Security Services Maintenance Information with GSC policy GSC policy out-of-date on host Security Services Maintenance Information attempt from host without GSC Security Services Maintenance Information installed Failed to synchronize license information Security Services Maintenance Warning with Licensing Server. Please see help.mysonicwall.com/licsyncfail.html (code: %s) ADConnector %s response timed-out; Microsoft AD --- Error applying caching policy DDNS Failure: Provider %s DDNS System Error Error DDNS Failure: Provider %s DDNS System Error Error DDNS Failure: Provider %s DDNS System Error Error DDNS Update success for domain %s DDNS Maintenance Information DDNS Warning: Provider %s DDNS System Error Warning DDNS association %s taken Offline locally DDNS Maintenance Information DDNS association %s added DDNS Maintenance Information DDNS association %s enabled DDNS Maintenance Information DDNS association %s disabled DDNS Maintenance Information DDNS Association %s put on line DDNS Maintenance Information All DDNS associations have been deleted DDNS Maintenance Information DDNS association %s deactivated DDNS Maintenance Information DDNS association %s deleted DDNS Maintenance Information SonicOS Log Event Reference Guide

45 Log Event Message New Category Legacy Category Priority ID Type DDNS association %s updated DDNS --- Information IPS Detection Alert: %s Intrusion Detection Attack Alert IPS Prevention Alert: %s Intrusion Detection Attack Alert DPI-SSL: %s DPI SSL Network Information Application Firewall Alert: %s Application Firewall User Activity Alert Anti-Spyware Prevention Alert: %s Intrusion Detection Attack Alert Anti-Spyware Detection Alert: %s Intrusion Detection Attack Alert Anti-Spyware Service Expired Security Services Maintenance Warning Outbound connection to RBL-listed SMTP RBL --- Notice server dropped Inbound connection from RBL-listed SMTP RBL --- Notice server dropped SMTP server found on RBL blacklist RBL --- Notice No valid DNS server specified for RBL RBL --- Error lookups Interface statistics report GMS --- Information SonicPoint statistics report GMS --- Information Gateway Anti-Virus Alert: %s Security Services Attack Alert Gateway Anti-Virus Service expired Security Services Maintenance Warning PPP Dial-Up: Invalid DNS IP address PPP Dial Up Maintenance Information returned from Dial-Up ISP; overriding using dial-up profile settings WAN node exceeded: Connection dropped Firewall Event System Error Error because too many IP addresses are in use on your LAN Adding Dynamic Entry for Bound MAC Network --- Information Address MAC address collides with Static ARP Entry Network --- Notice with Bound MAC address; packet dropped Too many gratuitous ARPs detected Network --- Warning ARP unused/spare Network --- Debug Incoming call received for Remotely Triggered Dial-out session User Activity Information Remotely Triggered Dial-out session started. Requesting authentication Incorrect authentication received for Remotely Triggered Dial-out Successful authentication received for Remotely Triggered Dial-out Authentication timeout during Remotely Triggered Dial-out session Remotely Triggered Dial-out session ended. Valid WAN bound data found. Normal dialup sequence will commence User Activity Information User Activity Information User Activity Information User Activity Information User Activity Information Backup will be shut down in %s minutes High Availability System Error Error SonicOS Log Event Reference Guide 45

46 Log Event Message New Category Legacy Category Priority ID Backup shut down because license is High Availability System Error Error expired Backup active High Availability System Error Information DHCP Scopes altered automatically due to Firewall Event --- Information change in network settings for interface %s DHCP lease file in the flash is corrupted; Firewall Event System Error Warning read failed Failed to write DHCP leases to flash Firewall Event System Error Warning DHCP leases written to flash Firewall Event Maintenance Information Invalid VLAN packet dropped Network --- Alert IP address conflict detected from ethernet Network Maintenance Warning address %s OCSP sending request. VPN PKI User Activity Information OCSP send request message failed. VPN PKI User Activity Error OCSP received response. VPN PKI User Activity Information OCSP received response error. VPN PKI User Activity Error OCSP Resolved Domain Name. VPN PKI User Activity Information OCSP Failed to Resolve Domain Name. VPN PKI User Activity Error OCSP Internal error handling received VPN PKI User Activity Error response. SYN Flood Mode changed by user to: Watch Intrusion Detection Debug Warning and report possible SYN floods SYN Flood Mode changed by user to: Watch Intrusion Detection Debug Warning and proxy WAN connections when under attack SYN Flood Mode changed by user to: Intrusion Detection Debug Warning Always proxy WAN connections Possible SYN flood detected on WAN IF %s Intrusion Detection Debug Alert switching to connection-proxy mode Possible SYN Flood on IF %s Intrusion Detection Debug Alert SYN flood ceased or flooding machines Intrusion Detection Debug Alert blacklisted - connection proxy disabled SYN Flood blacklisting enabled by user Intrusion Detection Debug Warning SYN Flood blacklisting disabled by user Intrusion Detection Debug Warning SYN-Flooding machine %s blacklisted Intrusion Detection Debug Alert Machine %s removed from SYN flood Intrusion Detection Debug Alert blacklist Possible SYN Flood on IF %s continues Intrusion Detection Debug Warning Possible SYN Flood on IF %s has ceased Intrusion Detection Debug Alert SYN Flood Blacklist on IF %s continues Intrusion Detection Debug Warning TCP SYN received Intrusion Detection Debug Debug CRL has expired VPN PKI User Activity Alert Failed to find certificate VPN PKI User Activity Alert CRL missing - Issuer requires CRL checking. VPN PKI User Activity Alert CRL validation failure for Root Certificate VPN PKI User Activity Alert Type 46 SonicOS Log Event Reference Guide

47 Log Event Message New Category Legacy Category Priority ID Type Cannot Validate Issuer Path VPN PKI User Activity Alert WLAN radio frequency threat detected RF Management --- Warning Unable to resolve dynamic address object Dynamic Address Objects Maintenance Information System clock manually updated Firewall Logging --- Notice HTTP method detected; examining stream Network TCP Debug for host header IP Header checksum error; packet dropped Network TCP UDP Notice TCP checksum error; packet dropped Network TCP Notice UDP checksum error; packet dropped Network UDP Notice ICMP checksum error; packet dropped Network UDP Notice TCP packet received with invalid header Network Debug Debug length; TCP packet dropped TCP packet received on non-existent/closed Network Debug Debug connection; TCP packet dropped TCP packet received without mandatory Network Debug Debug SYN flag; TCP packet dropped TCP packet received without mandatory Network Debug Debug ACK flag; TCP packet dropped TCP packet received on a closing Network Debug Debug connection; TCP packet dropped TCP packet received with SYN flag on an Network Debug Information existing connection; TCP packet dropped TCP packet received with invalid SACK Network Debug Debug option length; TCP packet dropped TCP packet received with invalid MSS option Network Debug Debug length; TCP packet dropped TCP packet received with invalid option Network Debug Debug length; TCP packet dropped TCP packet received with invalid source Network Debug Debug port; TCP packet dropped TCP packet received with invalid SYN Flood Network Debug Information cookie; TCP packet dropped RST-Flooding machine %s blacklisted Intrusion Detection Debug Alert RST Flood Blacklist on IF %s continues Intrusion Detection Debug Warning Machine %s removed from RST flood Intrusion Detection Debug Alert blacklist FIN-Flooding machine %s blacklisted Intrusion Detection Debug Alert FIN Flood Blacklist on IF %s continues Intrusion Detection Debug Warning Machine %s removed from FIN flood Intrusion Detection Debug Alert blacklist Possible RST Flood on IF %s Intrusion Detection Debug Alert Possible FIN Flood on IF %s Intrusion Detection Debug Alert Possible RST Flood on IF %s has ceased Intrusion Detection Debug Alert Possible FIN Flood on IF %s has ceased Intrusion Detection Debug Alert SonicOS Log Event Reference Guide 47

48 Log Event Message New Category Legacy Category Priority ID Type Possible RST Flood on IF %s continues Intrusion Detection Debug Warning Possible FIN Flood on IF %s continues Intrusion Detection Debug Warning Packet Dropped - IP TTL expired Network Debug Warning Added host entry to dynamic address object Removed host entry from dynamic address object IKE Responder: Phase 1 Authentication Method does not match IKE Responder: Phase 1 encryption algorithm does not match IKE Responder: Phase 1 encryption algorithm keylength does not match IKE Responder: Phase 1 hash algorithm does not match IKE Responder: Phase 1 XAUTH required but policy has no user name IKE Responder: Phase 1 XAUTH required but policy has no user password IKE Responder: Phase 1 DH Group does not match IKE Responder: AH authentication algorithm does not match IKE Responder: ESP encryption algorithm does not match IKE Responder: ESP authentication algorithm does not match IKE Responder: AH authentication key length does not match IKE Responder: ESP encryption key length does not match IKE Responder: ESP authentication key length does not match IKE Responder: AH authentication key rounds does not match IKE Responder: ESP encryption key rounds does not match IKE Responder: ESP authentication key rounds does not match IKE Responder: IP Compression algorithm does not match IKE Initiator: Remote party timeout - Retransmitting IKE request. IKE Responder: Remote party timeout - Retransmitting IKE request. Dynamic Address Objects Maintenance Information Dynamic Address Maintenance Information Objects VPN IKE User Activity Warning VPN IKE User Activity Warning VPN IKE User Activity Warning VPN IKE User Activity Warning VPN IKE User Activity Warning VPN IKE User Activity Warning VPN IKE User Activity Warning VPN IKE User Activity Warning VPN IKE User Activity Warning VPN IKE User Activity Warning VPN IKE User Activity Warning VPN IKE User Activity Warning VPN IKE User Activity Warning VPN IKE User Activity Warning VPN IKE User Activity Warning VPN IKE User Activity Warning VPN IKE User Activity Warning VPN IKE User Activity Information VPN IKE User Activity Information IKE Responder: IPsec protocol mismatch VPN IKE User Activity Warning SonicOS Log Event Reference Guide

49 Log Event Message New Category Legacy Category Priority ID IKE Initiator: Proposed IKE ID mismatch VPN IKE User Activity Warning IKE Responder: Peer's local network does VPN IKE User Activity Warning not match VPN policy's <b>destination Network</b> IKE Responder: Peer's destination network VPN IKE User Activity Warning does not match VPN policy's <b>local Network</b> IKE Responder: Route table overrides VPN VPN IKE User Activity Warning policy IKE Initiator: IKE proposal does not match VPN IKE User Activity Warning (Phase 1) IKEv2 Initiator: Send IKE_SA_INIT request VPN IKE User Activity Information IKEv2 Responder: Received IKE_SA_INIT VPN IKE User Activity Information request IKEv2 Initiator: Send IKE_AUTH request VPN IKE User Activity Information IKEv2 Responder: Received IKE_AUTH VPN IKE User Activity Information request IKEv2 Authentication successful VPN IKE User Activity Information IKEv2 Accept IKE SA Proposal VPN IKE User Activity Information IKEv2 Accept IPsec SA Proposal VPN IKE User Activity Information IKEv2 Initiator: Send CREATE_CHILD_SA VPN IKE User Activity Information request IKEv2 Responder: Received VPN IKE User Activity Information CREATE_CHILD_SA request IKEv2 Send delete IKE SA request VPN IKE User Activity Information IKEv2 Received delete IKE SA request VPN IKE User Activity Information IKEv2 Send delete IPsec SA request VPN IKE User Activity Information IKEv2 Received delete IPsec SA request VPN IKE User Activity Information IKEv2 Responder: Peer's destination VPN IKE User Activity Information network does not match VPN policy's <b>local Network</b> IKEv2 Responder: Peer's local network does VPN IKE User Activity Information not match VPN policy's <b>destination Network</b> IKEv2 Payload processing error VPN IKE User Activity Warning IKEv2 Initiator: Negotiations failed. Extra VPN IKE User Activity Warning payloads present. IKEv2 Initiator: Negotiations failed. Missing VPN IKE User Activity Warning required payloads. IKEv2 Initiator: Negotiations failed. Invalid VPN IKE User Activity Warning input state. IKEv2 Initiator: Negotiations failed. Invalid VPN IKE User Activity Warning output state. IKEv2 Payload validation failed. VPN IKE User Activity Warning IKEv2 Unable to find IKE SA VPN IKE User Activity Warning IKEv2 Decrypt packet failed VPN IKE User Activity Warning Type SonicOS Log Event Reference Guide 49

50 Log Event Message New Category Legacy Category Priority ID Type IKEv2 Out of memory VPN IKE User Activity Warning IKEv2 Responder: Policy for remote IKE ID VPN IKE User Activity Error not found IKEv2 Process Message queue failed VPN IKE User Activity Warning IKEv2 Invalid state VPN IKE User Activity Warning IKE Responder: Client Policy has no VPN VPN IKE System Error Error Networks assigned. Check Configuration. IKEv2 Invalid SPI size VPN IKE User Activity Warning IKEv2 VPN Policy not found VPN IKE User Activity Warning IKEv2 IPsec proposal does not match VPN IKE User Activity Warning IKEv2 IPsec attribute not found VPN IKE User Activity Warning IKEv2 IKE attribute not found VPN IKE User Activity Warning IKEv2 Peer is not responding. Negotiation VPN IKE User Activity Warning aborted. IKEv2 Initiator: Remote party timeout - VPN IKE User Activity Information Retransmitting IKEv2 request. IKEv2 Initiator: Received IKE_SA_INT VPN IKE User Activity Information response IKEv2 Initiator: Received IKE_AUTH VPN IKE User Activity Information response IKEv2 Initiator: Received VPN IKE User Activity Information CREATE_CHILD_SA response IKEv2 Responder: Send IKE_SA_INIT VPN IKE User Activity Information response IKEv2 Responder: Send IKE_AUTH VPN IKE User Activity Information response IKEv2 negotiation complete VPN IKE User Activity Information IKEv2 Function sendto() failed to transmit VPN IKE User Activity Error packet. IKEv2 Initiator: Proposed IKE ID mismatch VPN IKE User Activity Warning IKEv2 IKE proposal does not match VPN IKE User Activity Warning IKEv2 Received notify status payload VPN IKE User Activity Information IKEv2 Received notify error payload VPN IKE User Activity Warning IKEv2 No NAT device detected between VPN IKE User Activity Information negotiating peers IKEv2 NAT device detected between VPN IKE User Activity Information negotiating peers User login denied - not allowed by policy rule User Activity Information User login denied - not found locally User Activity Information User login denied - SSO agent timeout User Activity Warning SonicOS Log Event Reference Guide

51 Log Event Message New Category Legacy Category Priority ID User Activity Warning User login denied - SSO agent configuration error User login denied - SSO agent communication problem User login denied - SSO agent name resolution failed User Activity Warning User Activity Warning SSO returned a user name that is too long SSO User Activity Warning SSO returned a domain name that is too SSO User Activity Warning long Configuration mode administration session started User Activity Information Configuration mode administration session ended Read-only mode GUI administration session started Non-config mode GUI administration session started GUI administration session ended User Activity Information User Activity Information User Activity Information User Activity Information SSL Control: Website found in blacklist Network Blocked Sites Information SSL Control: Website found in whitelist Network Blocked Sites Information SSL Control: HTTPS via SSL2 Network Blocked Sites Information SSL Control: Certificate with invalid date Network Blocked Sites Information SSL Control: Self-signed certificate Network Blocked Sites Information SSL Control: Weak cipher being used Network Blocked Sites Information SSL Control: Untrusted CA Network Blocked Sites Information SSL Control: Certificate chain not complete Network Blocked Sites Information SSL Control: Failed to decode Server Hello Network Blocked Sites Information User logged out - logout detected by SSO User Activity Information Bind to LDAP server failed RADIUS System Error Error Using LDAP without TLS - highly insecure RADIUS System Error Alert LDAP using non-administrative account - RADIUS System Error Warning VPN client user will not be able to change passwords IKEv2 Responder: Send VPN IKE User Activity Information CREATE_CHILD_SA response IKEv2 Send delete IKE SA response VPN IKE User Activity Information IKEv2 Send delete IPsec SA response VPN IKE User Activity Information IKEv2 Received delete IKE SA response VPN IKE User Activity Information IKEv2 Received delete IPsec SA response VPN IKE User Activity Information G %s device detected Firewall Hardware System Information Environment PPP message: %s PPP --- Information Chat started PPP Dial Up User Activity Information Type SonicOS Log Event Reference Guide 51

52 Log Event Message New Category Legacy Category Priority ID Type Chat completed PPP Dial Up User Activity Information Chat wrote '%s' PPP Dial Up User Activity Information Chat %s PPP Dial Up User Activity Information Chat failed: %s PPP Dial Up User Activity Information Unable to send message to dial-up task PPP Dial Up System Error Error Diagnostic Code J Firewall Hardware System Error Error G Dial-up: %s. PPP Dial Up User Activity Alert G Dial-up: data usage limit reached for the PPP Dial Up User Activity Alert '%s' billing cycle. Disconnecting the 3G session. %s auto-dial failed: Current Connection PPP Dial Up System Error Alert Model is configured as Ethernet Only TCP packet received with non-permitted Network Debug Debug option; TCP packet dropped TCP packet received with invalid Window Network Debug Debug Scale option length; TCP packet dropped TCP packet received with invalid Window Network Debug Debug Scale option value; TCP packet dropped Chat started by '%s' PPP Dial Up User Activity Information Problem occurred during user group User Activity Warning membership retrieval Received AF Alert: Your Application Firewall Security Services Maintenance Warning (AF) subscription has expired. User login denied - password expired User Activity Information IKE Responder: IKE Phase 1 exchange does VPN IKE User Activity Error not match PPP Dial-Up: Starting PPP PPP Dial Up --- Information Dial-up: Traffic generated by '%s' PPP Dial Up --- Information Dial-up: Session initiated by data packet PPP Dial Up --- Information DHCP Server: IP conflict detected Firewall Event --- Alert DHCP Server: Received DHCP decline from Firewall Event --- Alert client Physical environment normal Firewall Hardware --- Information Power supply without redundancy Firewall Hardware --- Error Discovered HA %s Firewall High Availability --- Information Diagnostic Auto-restart scheduled for %s Firewall Event --- Information minutes from now Diagnostic Auto-restart canceled Firewall Event --- Information "As per Diagnostic Auto-restart configuration request, restarting system" Firewall Event --- Information User login denied - password doesn't meet constraints --- Information Settings Import: %s Firewall Event --- Information VPN Policy Added VPN --- Information SonicOS Log Event Reference Guide

53 Log Event Message New Category Legacy Category Priority ID Type VPN Policy Deleted VPN --- Information VPN Policy Modified VPN --- Information PC Card removed. Firewall Hardware --- Alert PC Card inserted. Firewall Hardware --- Alert G: No SIM detected Firewall Hardware --- Alert PC Card: No device detected Firewall Hardware --- Alert Peer firewall rebooting (%s) High Availability --- Information Primary firewall rebooting itself as it High Availability --- Information transitioned from Active to Idle while Preempt Backup firewall rebooting itself as it High Availability --- Information transitioned from Active to Idle while Preempt Crypto SHA1 based DRNG KAT test failed Crypto Test --- Error Successfully sent Preference file to remote Firewall Event Maintenance Information backup server Failed to send Preference file to remote Firewall Event Maintenance Information backup server, Error: %s Successfully sent TSR file to remote backup Firewall Event Maintenance Information server Failed to send TSR file to remote backup Firewall Event Maintenance Information server, Error: %s Successfully sent %s file to remote backup Firewall Event Maintenance Information server Failed to send file to remote backup server, Firewall Event Maintenance Information Error: %s System shutdown by administrator. Power Firewall Event --- Alert cycle required. Multiple DHCP Servers are detected on Firewall Event --- Warning network External Web Server Host Resolution Failed --- Error %s Invalid DNS Server will not be accepted by Firewall Event --- Information the dynamic client DHCP Server sanity check passed %s Firewall Event --- Critical DHCP Server sanity check failed %s Firewall Event --- Critical SSO agent returned error SSO User Activity Warning L2TP Tunnel Negotiation %s L2TP Client --- Information SSO agent is down SSO User Activity Alert SSO agent is up SSO User Activity Alert SonicPointN Status SonicPoint-N --- Information SonicPointN Provision SonicPoint-N --- Information SSLVPN zone remote user login allowed User Activity Information SonicOS Log Event Reference Guide 53

54 Log Event Message New Category Legacy Category Priority ID Type SSL Control: Certificate with MD5 Digest Signature Algorithm Network Blocked Sites Information %s is operational. Anti-Spam --- Warning %s is unavailable. Anti-Spam --- Warning Anti-Spam service is enabled by Anti-Spam --- Information administrator. Anti-Spam service is disabled by Anti-Spam --- Information administrator. Your Anti-Spam Service subscription has Anti-Spam --- Warning expired. SMTP connection limit is reached. Anti-Spam --- Warning Connection is dropped. Anti-Spam Startup Failure - %s Anti-Spam --- Warning Anti-Spam Teardown Failure - %s Anti-Spam --- Warning DHCP Server: Received DHCP message Firewall Event --- Notice from untrusted relay agent Outbound connection to GRID-listed SMTP Anti-Spam --- Notice server dropped Inbound connection from GRID-listed SMTP Anti-Spam --- Notice server dropped SMTP server found on Reject List Anti-Spam --- Notice No valid DNS server specified for GRID Anti-Spam --- Error lookups Unprocessed received from MTA on Anti-Spam --- Information Inbound SMTP port Processed received from Anti-Spam --- Information Security Service SCEP Client: %s VPN PKI --- Notice Possible DNS rebind attack detected Intrusion Detection --- Alert DNS rebind attack blocked Intrusion Detection --- Alert Network Monitor: Policy %s status is UP Network Monitor --- Alert Network Monitor: Policy %s status is DOWN Network Monitor --- Alert Network Monitor: Policy %s status is Network Monitor --- Alert UNKNOWN Network Monitor: Host %s status is Network Monitor --- Alert UNKNOWN Network Monitor Policy %s Added Network Monitor --- Information Network Monitor Policy %s Deleted Network Monitor --- Information Network Monitor Policy %s Modified Network Monitor --- Information Message blocked by Real-Time Anti-Spam --- Information Scanner CSR Generation: %s VPN PKI --- Information Assigned IP address %s DHCP Server --- Information Released IP address %s DHCP Server --- Information Ftp server accepted the connection FTP --- Debug SonicOS Log Event Reference Guide

55 Log Event Message New Category Legacy Category Priority ID Ftp client user name was sent FTP --- Debug Ftp client user logged in successfully FTP --- Debug Ftp client user logged in failed FTP --- Debug Ftp client user logged out FTP --- Debug User login denied - SSO probe failed User login denied - Mail Address(From/to) or SMTP Server is not configured RADIUS user cannot use One Time Password - no mail address set for equivalent local user User login denied - Terminal Services agent timeout User login denied - Terminal Services agent name resolution failed User login denied - No name received from Terminal Services agent User login denied - Terminal Services agent communication problem User logged out - logout reported by Terminal Services agent High Availability has been enabled and Dial- Up device(s) are not supported in High Availability processing. The High Availability monitoring IP configuration of Interface %s is incorrect. IKE Responder: ESP mode mismatch Local - Tunnel Remote - Transport IKE Responder: ESP mode mismatch Local - Transport Remote - Tunnel User Activity Warning User Activity Information User Activity Information User Activity Warning User Activity Warning User Activity Warning User Activity Warning User Activity Information High Availability --- Information High Availability --- Error VPN IKE User Activity Warning VPN IKE User Activity Warning WAN DHCPC IP Changed Firewall Event System Error Warning WLAN DHCPC IP Changed Firewall Event System Error Warning Probe Response Success - %s Anti-Spam --- Debug Probe Response Failure - %s Anti-Spam --- Debug Peer HA firewall has stateful license but this High Availability System Error Alert firewall is not yet registered The stateful license of HA peer firewall is not High Availability System Error Alert activated Received unauthenticathed GRID response Anti-Spam --- Debug Invalid key or serial number used for GRID Anti-Spam --- Debug response Invalid key version used for GRID response Anti-Spam --- Debug Host IP address not in GRID List Anti-Spam --- Debug No response received from DNS server Anti-Spam --- Debug Not blacklisted as per configuration Anti-Spam --- Debug Type SonicOS Log Event Reference Guide 55

56 Log Event Message New Category Legacy Category Priority ID Type Default to not blacklisted Anti-Spam --- Debug Failed to insert entry into GRID result IP cached table Anti-Spam --- Debug Resolved ES Cloud - %s Anti-Spam --- Debug Updated ES Cloud Address - %s Anti-Spam --- Debug Your Active/Active Clustering subscription High Availability --- Warning has expired. Terminal Services agent is down SSO User Activity Alert Terminal Services agent is up SSO User Activity Alert Active/Active Clustering license is not High Availability --- Error activated on the following cluster units: %s SSLVPN Traffic SSL VPN Connection Traffic Information Application Control Detection Alert: %s App-Control --- Alert Detection Application Control Prevention Alert: %s App-Control --- Alert Detection GMS or syslog server name lookup failed - Firewall Event --- Error try again in 60 secs. User account '%s' expired and disabled User Activity Information User account '%s' expired and pruned User Activity Information Received Alert: Your Firewall Visualization Security Services --- Warning Control subscription has expired. Attempt to contact Remote backup server for Firewall Event Maintenance Debug upload approval failed Backup remote server did not approve Firewall Event Maintenance Debug upload request Modules attached to HA units do not match: High Availability System Error Alert %s Malformed DNS packet detected Network Debug Alert A high percentage of the system packet SSO User Activity Alert buffers are held waiting for SSO A user has a very high number of SSO User Activity Alert connections waiting for SSO DOS protection on WAN begins %s Intrusion Detection Debug Alert DOS protection on WAN %s Intrusion Detection Debug Warning DOS protection on WAN %s Intrusion Detection Debug Alert Deleting IPsec SA (Phase 2) VPN IKE User Activity Debug Delete invalid scope because port ip in the DHCP Server --- Warning range of this DHCP scope. IKE Responder: Peer's network does not VPN IKE User Activity Warning match VPN policy's Network Added new LDAP mirror user group: %s RADIUS User Activity Information Deleted LDAP mirror user group: %s RADIUS User Activity Information SonicOS Log Event Reference Guide

57 Index of Syslog Tag Field Description Log Event Message New Category Legacy Category Priority ID Added a new member to an LDAP mirror RADIUS User Activity Information user group Removed a member from an LDAP mirror RADIUS User Activity Information user group Monitoring probe out interface mismatch %s High Availability --- Error Type Index of Syslog Tag Field Description This section provides an alphabetical listing of Syslog tags and the associated field description. Tag Field Description <ddd> Syslog message prefix The beginning of each syslog message has a string of the form <ddd> where ddd is a decimal number indicating facility and priority of the message. (See [1] Section 4.1.1) arg URL Used to render a URL: arg represents the URL path name part. bcastrx Interface statistics report Displays the broadcast packets received bcasttx Interface statistics report Displays the broadcast packets transmitted bytesrx Interface statistics report Displays the bytes received bytestx Interface statistics report Displays the bytes transmitted c Message category (legacy only) Indicates the legacy category number (Note: We are not currently sending new category information.) change Configuration change webpage Displays the basename of the firewall web page that performed the last configuration change code Blocking code Indicates the CFS block code category code ICMP type and code Indicates the ICMP code conns Firewall status report Indicates the number of connections in use cpuutil Firewall status report Displays the CPU utilization (not in use) dst Destination Destination IP address, and optionally, port, network interface, and resolved name. dstname Destination URL Displays the URL of web site hit and other legacy destination strings dstname URL Used to render a URL: dstname represents the URL host part SonicOS Log Event Reference Guide 57

58 Index of Syslog Tag Field Description dyn Firewall status report Displays the HA and dialup connection state (rendered as h.d where h is n (not enabled), b (backup), or p (primary) and d is 1 (enabled) or 0 (disabled)) fw Firewall WAN IP Indicates the WAN IP Address fwlan Firewall status report Indicates the LAN zone IP address goodrxbytes SonicPoint statistics report Indicates the well formed bytes recevied goodtxbytes SonicPoint statistics report Indicates the well formed bytes transmitted i Firewall status report Displays the GMS message interval in seconds id=firewall Webtrends prefix Syntactic sugar for WebTrends (and GMS by habit) if Interface statistics report Displays the interface on which statistics are reported ipscat IPS message Displays the IPS category ipspri IPS message Displays the IPS priority lic Firewall status report Indicates the number of licenses for firewalls with limited modes m Message ID Provides the message ID number mac MAC address Provides the MAC address msg Static message Displays the event message (from spreadsheet) msg Dynamically-defined message Displays a dynamically defined message string msg Static message with dynamic string Displays a message using the predefined message string containing a %s and a dynamic string argument. msg Static message with dynamic number Displays a message using the predefined string string containing a %s and a dynamic numeric argument. msg IPS message Displays a message using the predefined message string containing a %s and a dynamic string argument. msg Anti-Spyware message Displays the event message (from spreadsheet) n Message count Indicates the number of times event occurs op HTTP OP code Displays the HTTP operation (GET, POST, etc.) of web site hit pri Message priority Displays the event priority level (0=emergency..7=debug) 58 SonicOS Log Event Reference Guide

59 Index of Syslog Tag Field Description proto IP protocol Indicates the IP protocol and detail information proto Protocol and service Displays the protocol information (rendered as proto/service ) proto Protocol and service Displays the protocol information (rendered as proto/service ) pt Firewall status report Displays the HTTP/HTTPS management port (rendered as hhh.sss ) radio SonicPoint statistics report Displays the SonicPoint radio on which event occurred ramutil Firewall status report Displays the RAM utilization (not in use) rcvd Bytes received Indicates the number of bytes received within connection result HTTP Result code Displays the HTTP result code (200, 403, etc.) of web site hit rule Rule ID Displays the Rule number causing packet drop sent Bytes sent Displays the number of bytes sent within connection sid IPS message Provides the IPS signature ID sid Anti-Spyware message Provides the AntiSpyware signature ID sn Firewall serial number Indicates the device serial number spycat Anti-Spyware message Displays the antispyware category spypri Anti-Spyware message Displays the AntiSpyware priority src Source Indicates the source IP address, and optionally, port, network interface, and resolved name. station SonicPoint statistics report Displays the client (station) on which event occurred time Time Reports the time of event type ICMP type and code Indicates the ICMP type ucastrx Interface statistics report Displays the unicast packets received ucasttx Interface statistics report Displays the unicast packets transmitted unsynched Firewall status report Reports the time since last local change in seconds usesstandbysa Firewall status report Displays whether standby SA is in use ( 1 or 0 ) for GMS management SonicOS Log Event Reference Guide 59

60 Index of Syslog Tag Field Description usr (or user) User Displays the user name ( user is the tag used by WebTrends) vpnpolicy VPN policy name Displays the VPN policy name of event 60 SonicOS Log Event Reference Guide _Rev_A