COMPREHENSIVE INTERNET SECURITY SonicWALL Internet Security Appliances SonicOS Log Event Reference Guide
Using the SonicOS Log Event Reference Guide

This reference guide lists and describes SonicOS log event messages. Reference a log event message by using the alphabetical index of log event messages.

This document contains the following sections:

- Log > View
- Log > Categories
- Log > Syslog
- Log > Automation
- Log > Name Resolution
- Log > Reports
- Log > ViewPoint
- Index of Log Event Messages
- Index of Syslog Tag Field Description
Log > View

The SonicWALL security appliance maintains an Event log for tracking potential security threats. This log can be viewed on the Log > View page, or it can be automatically sent to an e-mail address for convenience and archiving. The log is displayed in a table and can be sorted by column.

The SonicWALL security appliance can alert you to important events, such as an attack on the SonicWALL security appliance. Alerts are immediately e-mailed, either to an e-mail address or to an e-mail pager. Each log entry contains the date and time of the event and a brief message describing the event.

Log View Table

The log is displayed in a table and is sortable by column. The log table columns include:

- Time - the date and time of the event.
- Priority - the level of priority associated with your log event. Syslog uses eight categories to characterize messages. In descending order of severity, the categories are:
    Emergency
    Alert
    Critical
    Error
    Warning
    Notice
    Informational
    Debug
  Specify a priority level on a SonicWALL security appliance on the Log > Categories page to log messages for that priority level, plus all messages tagged with a higher severity. For example, select error as the priority level to log all messages tagged as error, as well as any messages tagged with critical, alert, and emergency. Select debug to log all messages.
  Note: Refer to the Log Event Messages section for more information on your specific log event.
- Category - the type of traffic, such as Access or Authenticated Access.
- Message - provides a description of the event.
- Source - displays the source network and IP address.
- Destination - displays the destination network and IP address.
- Notes - provides additional information about the event.
- Rule - notes the Access Rule affected by the event.
Navigating and Sorting Log View Table Entries

The Log View table provides easy pagination for viewing large numbers of log events. You can navigate these log events by using the navigation control bar located at the top right of the Log View table. The navigation control bar includes four buttons. The far left button displays the first page of the table. The far right button displays the last page. The inside left and right arrow buttons move to the previous or next page respectively.

You can sort the entries in the table by clicking on the column header. The entries are sorted in ascending or descending order. The arrow to the right of the column entry indicates the sorting status. A down arrow means ascending order. An up arrow indicates descending order.

Refresh

To update log messages, click the Refresh button near the top right corner of the page.

Clear Log

To delete the contents of the log, click the Clear Log button near the top right corner of the page.

Export Log

To export the contents of the log to a defined destination, click the Export Log button below the filter table. You can export log content to two formats:

- Plain text format - used in log and alert e-mail.
- Comma-separated value (CSV) format - used for importing into Excel or other presentation development applications.

E-mail Log

If you have configured the SonicWALL security appliance to e-mail log files, clicking E-mail Log near the top right corner of the page sends the current log files to the e-mail address specified in the Log > Automation > E-mail section.

Note: The SonicWALL security appliance can alert you to important events, such as an attack on the SonicWALL security appliance. Alerts are immediately sent via e-mail, either to an e-mail address or to an e-mail pager. For sending alerts, you must enter your e-mail address and server information on the Log > Automation page.
Filtering Log Records Viewed

You can filter the results to display only event logs matching certain criteria. You can filter by Priority, Category, Source (IP or Interface), and Destination (IP or Interface).

Step 1  Enter your filter criteria in the Log View Settings table. The fields you enter values into are combined into a search string with a logical AND. For example, if you select an interface for Source and for Destination, the search string will look for connections matching:
        Source interface AND Destination interface
Step 2  Check the Group Filters box next to any two or more criteria to combine them with a logical OR. For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group Filters next to Source IP and Destination IP, the search string will look for connections matching:
        (Source IP OR Destination IP) AND Protocol
Step 3  Click Apply Filter to apply the filter immediately to the Log View Settings table.
Step 4  Click Reset to clear the filter and display the unfiltered results again.

The following example filters for log events resulting from traffic from the WAN to the LAN:

Log Event Messages

For a complete reference guide of log event messages, refer to the Log Event Message Index section.

Log > Categories

This guide provides configuration tasks to enable you to categorize and customize the logging functions on your SonicWALL security appliance for troubleshooting and diagnostics.

Note: You can extend your SonicWALL security appliance log reporting capabilities by using SonicWALL ViewPoint. ViewPoint is a Web-based graphical reporting tool for detailed and comprehensive reports. For more information on the SonicWALL ViewPoint reporting tool, refer to www.sonicwall.com.
Log Severity/Priority

This section describes how to configure the priority level at which log messages are captured and at which the corresponding alert messages are sent through e-mail for notification.

Logging Level

The Logging Level control filters events by priority. Events of equal or greater priority are passed, and events of lower priority are dropped. The Logging Level menu includes the following priority scale items from highest to lowest priority:

- Emergency (highest priority)
- Alert
- Critical
- Error
- Warning
- Notice
- Informational
- Debug (lowest priority)

Alert Level

The Alert Level control determines how E-mail Alerts are sent. An event of equal or greater priority causes an E-mail alert to be issued. Lower priority events do not cause an alert to be sent. Events are pre-filtered by the Logging Level control, so if the Logging Level control is set to a higher priority than that of the Alert Level control, only alerts at the Logging Level or higher are sent. Alert levels include:

- None (disables e-mail alerts)
- Emergency (highest priority)
- Alert
- Critical
- Error
- Warning (lowest priority)

Log Redundancy Filter

The Log Redundancy Filter allows you to define the time in seconds that the same attack is logged on the Log > View page as a single entry in the SonicWALL log. Various attacks are often rapidly repeated, which can quickly fill up a log if each attack is logged. The Log Redundancy Filter has a default setting of 60 seconds.

Alert Redundancy Filter

The Alert Redundancy Filter allows you to define the time in seconds that the same attack is logged on the Log > View page as a single entry in the SonicWALL log before an alert is issued. The Alert Redundancy Filter has a default setting of 900 seconds.
Log Categories

SonicWALL security appliances provide automatic attack protection against well known exploits. The majority of these legacy attacks were identified by telltale IP or TCP/UDP characteristics, and recognition was limited to a set of fixed layer 3 and layer 4 values. As the breadth and sophistication of attacks evolved, it has become essential to dig deeper into the traffic, and to develop the sort of adaptability that could keep pace with the new threats.

All SonicWALL security appliances, even those running SonicWALL IPS, continue to recognize these legacy port and protocol types of attacks. The current behavior on all SonicWALL security appliances devices is to automatically and holistically prevent these legacy attacks, meaning that it is not possible to disable prevention of these attacks either individually or globally.

SonicWALL security appliances now include an expanded list of attack categories that can be logged. The View Style menu provides the following three log category views:

- All Categories - Displays both Legacy Categories and Expanded Categories.
- Legacy Categories - Displays log categories carried over from earlier SonicWALL log event categories.
- Expanded Categories - Displays the expanded listing of categories that includes the older Legacy Categories log events rearranged into the new structure.

The following table describes both the Legacy and Extended log categories.

Log Type               Category   Description
802.11 Management      Legacy     Logs WLAN IEEE 802.11 connections.
Advanced Routing       Expanded   Logs messages related to RIPv2 and OSPF routing events.
Attacks                Legacy     Logs messages showing Denial of Service attacks, such as SYN Flood, Ping of Death, and IP spoofing
Authenticated Access   Expanded   Logs administrator, user, and guest account activity
Blocked Java, etc.     Legacy     Logs Java, ActiveX, and Cookies blocked by the SonicWALL security appliance.
Blocked Web Sites      Legacy     Logs Web sites or newsgroups blocked by the Content Filter List or by customized filtering.
BOOTP                  Expanded   Logs BOOTP activity
Crypto Test            Expanded   Logs crypto algorithm and hardware testing
DDNS                   Expanded   Logs Dynamic DNS activity
Denied LAN IP          Legacy     Logs all LAN IP addresses denied by the SonicWALL security appliance.
DHCP Client            Expanded   Logs DHCP client protocol activity
DHCP Relay             Expanded   Logs DHCP central and remote gateway activity
Dropped ICMP           Legacy     Logs blocked incoming ICMP packets.
Dropped TCP            Legacy     Logs blocked incoming TCP connections.
Dropped UDP            Legacy     Logs blocked incoming UDP packets.
Event                  Extended   Logs internal firewall activity
Hardware               Extended   Logs firewall hardware error events
Logging                Extended   Logs general events and errors
Rule                   Extended   Logs firewall rule modifications
GMS                    Extended   Logs GMS status event
High Availability      Extended   Logs High Availability activity
IPcomp                 Extended   Logs IP compression activity
Intrusion Prevention   Extended   Logs intrusion prevention related activity
L2TP Client            Extended   Logs L2TP client activity
L2TP Server            Extended   Logs L2TP server activity
Multicast              Extended   Logs multicast IGMP activity
                       Extended   Logs network ARP, fragmentation, and MTU activity
Access                 Extended   Logs network and firewall protocol access activity
Debug                  Legacy     Logs NetBIOS broadcasts, ARP resolution problems, and NAT resolution problems. Also, detailed messages for VPN connections are displayed to assist the network administrator with troubleshooting problems with active VPN tunnels. Debug information is intended for experienced network administrators.
Traffic                Expanded   Logs network traffic reporting events
PPP                    Extended   Logs generic PPP activity
PPP Dial-Up            Extended   Logs PPP dial-up activity
PPPoE                  Extended   Logs PPPoE activity
PPTP                   Extended   Logs PPTP activity
RBL                    Extended   Logs real-time black list activity
RIP                    Extended   Logs RIP activity
Remote                 Extended   Logs RADIUS and LDAP server activity
Security Services      Extended   Logs security services activity
SonicPoint             Extended   Logs SonicPoint activity
System Errors          Legacy     Logs problems with DNS or e-mail.
System Maintenance     Legacy     Logs general system activity, such as system activations.
User Activity          Legacy     Logs successful and unsuccessful log in attempts.
VOIP                   Extended   Logs VoIP H.323/RAS, H.323/H.225, and H.323/H.245 activity
VPN                    Extended   Logs VPN activity
VPN Client             Extended   Logs VPN client activity
VPN IKE                Extended   Logs VPN IKE activity
VPN IPsec              Extended   Logs VPN IPSec activity
VPN PKI                Extended   Logs VPN PKI activity
VPN Tunnel Status      Legacy     Logs status information on VPN tunnels.
WAN Failover           Extended   Logs WAN failover activity
Wireless               Extended   Logs wireless activity
Wlan IDS               Extended   Logs WLAN IDS activity
Managing Log Categories

The Log Categories table displays log category information organized into the following columns:

- Category - Displays the log category name.
- Description - Provides a description of the log category activity type.
- Log - Provides a checkbox for enabling/disabling the display of the log events on the Log > View page.
- Alerts - Provides a checkbox for enabling/disabling the sending of alerts for the category.
- Syslog - Provides a checkbox for enabling/disabling the capture of the log events into the SonicWALL security appliance Syslog.
- Event Count - Displays the number of events for that category. Clicking the Refresh button updates these numbers.

You can sort the log categories in the Log Categories table by clicking on the column header. For example, clicking on the Category header sorts the log categories in descending order from the default ascending order. An up or down arrow to the left of the column name indicates whether the column is sorted in ascending or descending order.

You can enable or disable Log, Alerts, and Syslog on a category by category basis by clicking on the check box for the category in the table. You can enable or disable Log, Alerts, and Syslog for all categories by clicking the checkbox on the column header.
Log > Syslog

In addition to the standard event log, the SonicWALL security appliance can send a detailed log to an external Syslog server. The SonicWALL Syslog captures all log activity and includes every connection source and destination IP address, IP service, and number of bytes transferred. The SonicWALL Syslog support requires an external server running a Syslog daemon on UDP Port 514.

Syslog Analyzers such as SonicWALL ViewPoint or WebTrends Suite can be used to sort, analyze, and graph the Syslog data.

Messages from the SonicWALL security appliance are then sent to the server(s). Up to three Syslog server IP addresses can be added.

Syslog Settings

Syslog Facility

- Syslog Facility - Allows you to select the facilities and severities of the messages based on the syslog protocol.
  Note: See RFC 3164 - The BSD Syslog Protocol for more information.
- Override Syslog Settings with ViewPoint Settings - Check this box to override Syslog settings, if you're using SonicWALL ViewPoint for your reporting solution.
  Note: For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com.
- Syslog Event Redundancy Filter (seconds) - This setting prevents repetitive messages from being written to Syslog. If duplicate events occur during the period specified in the Syslog Event Redundancy Rate field, they are not written to Syslog as unique events. Instead, the additional events are counted, and then at the end of the period, a message is written to the Syslog that includes the number of times the event occurred. The Syslog Event Redundancy Filter default value is 60 seconds and the maximum value is 86,400 seconds (24 hours). Setting this value to 0 seconds sends all Syslog messages without filtering.
- Syslog Format - You can choose the format of the Syslog to be Default or WebTrends. If you select WebTrends, however, you must have WebTrends software installed on your system.
Note: If the SonicWALL security appliance is managed by SonicWALL GMS, the Syslog Server fields cannot be configured by the administrator of the SonicWALL security appliance.

- Enable Event Rate Limiting - This control allows you to enable rate limiting of events to prevent the internal or external logging mechanism from being overwhelmed by log events.
- Enable Data Rate Limiting - This control allows you to enable rate limiting of data to prevent the internal or external logging mechanism from being overwhelmed by log events.
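
The following is an added example, not SonicWALL code and not part of the original guide. It models two behaviors described above: the Logging Level pre-filtering the Alert Level (Log Severity/Priority section) and the Syslog Event Redundancy Filter collapsing duplicates into a counted message. The Event type, the function names and the sample events are constructed; it assumes the first occurrence is written at once and the end-of-period message carries the number of suppressed duplicates.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class Priority(IntEnum):
    """The eight priorities the guide lists; a lower number is a higher priority."""
    EMERGENCY = 0
    ALERT = 1
    CRITICAL = 2
    ERROR = 3
    WARNING = 4
    NOTICE = 5
    INFORMATIONAL = 6
    DEBUG = 7


@dataclass(frozen=True)
class Event:
    """Hypothetical event record for this example, not a SonicOS structure."""
    time: int            # seconds since the start of the sample
    priority: Priority
    message: str


def is_logged(event: Event, logging_level: Priority) -> bool:
    """Logging Level passes events of equal or greater priority."""
    return event.priority <= logging_level


def is_alerted(event: Event, logging_level: Priority,
               alert_level: Optional[Priority]) -> bool:
    """Alert Level only sees events the Logging Level let through.
    alert_level=None models the 'None (disables e-mail alerts)' setting."""
    if alert_level is None:
        return False
    return is_logged(event, logging_level) and event.priority <= alert_level


def shadowed_alert_priorities(logging_level: Priority,
                              alert_level: Optional[Priority]) -> List[Priority]:
    """Priorities the Alert Level asks for but the Logging Level drops first."""
    if alert_level is None:
        return []
    return [p for p in Priority if logging_level < p <= alert_level]


def syslog_pri(facility: int, priority: Priority) -> str:
    """RFC 3164 PRI part: facility * 8 + severity, in angle brackets."""
    return f"<{facility * 8 + int(priority)}>"


Record = Tuple[int, str, int]  # (time written, message, occurrences covered)


def redundancy_filter(events: List[Event], window: int) -> List[Record]:
    """Collapse duplicate messages that fall inside `window` seconds.
    window=0 writes every event, as the guide states for a 0-second setting."""
    if window == 0:
        return [(e.time, e.message, 1) for e in sorted(events, key=lambda e: e.time)]
    out: List[Record] = []
    open_windows = {}  # message -> [window start, suppressed duplicate count]
    for e in sorted(events, key=lambda e: e.time):
        # Close every window that ended before this event arrived.
        for msg in list(open_windows):
            start, extra = open_windows[msg]
            if e.time >= start + window:
                if extra:
                    out.append((start + window, msg, extra))
                del open_windows[msg]
        if e.message in open_windows:
            open_windows[e.message][1] += 1      # duplicate: count, do not write
        else:
            out.append((e.time, e.message, 1))   # first occurrence: write it
            open_windows[e.message] = [e.time, 0]
    for msg, (start, extra) in open_windows.items():
        if extra:                                # flush windows still open
            out.append((start + window, msg, extra))
    out.sort(key=lambda r: r[0])
    return out


def total_occurrences(records: List[Record]) -> int:
    """Sum the counts; counting syslog lines alone undercounts the events."""
    return sum(count for _, _, count in records)


# Constructed sample: a repeated attack message plus one unrelated event.
SYN = "SYN flood (constructed sample)"
POD = "Ping of death (constructed sample)"
SAMPLE_EVENTS = [Event(t, Priority.ALERT, SYN) for t in (0, 1, 2, 30, 59, 61, 200)]
SAMPLE_EVENTS.append(Event(10, Priority.ALERT, POD))

if __name__ == "__main__":
    for record in redundancy_filter(SAMPLE_EVENTS, 60):
        print(syslog_pri(16, Priority.ALERT), record)
    print("alerts that can never fire:",
          shadowed_alert_priorities(Priority.ERROR, Priority.WARNING))
```

A collector that rate-alerts on this feed has to add up the counts in the end-of-period messages; the eight sample events arrive as five syslog lines with a 60-second filter.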
Syslog Servers

Adding a Syslog Server

To add syslog servers to the SonicWALL security appliance:

Step 1  Click Add. The Add Syslog Server window is displayed.
Step 2  Type the Syslog server name or IP address in the Name or IP Address field. Messages from the SonicWALL security appliance are then sent to the servers.
Step 3  If your syslog is not using the default port of 514, type the port number in the Port Number field.
Step 4  Click OK.
Step 5  Click Accept to save all Syslog Server settings.
Log > Automation

The Log > Automation page includes settings for configuring the SonicWALL to send log files using e-mail and configuring mail server settings.

E-mail Log Automation

- Send Log to E-mail address - Enter your e-mail address (username@mydomain.com) in this field to receive the event log via e-mail. Once sent, the log is cleared from the SonicWALL memory. If this field is left blank, the log is not e-mailed.
- Send Alerts to E-mail address - Enter your e-mail address (username@mydomain.com) in the Send alerts to field to be immediately e-mailed when attacks or system errors occur. Type a standard e-mail address or an e-mail paging service. If this field is left blank, e-mail alert messages are not sent.
- Send Log - Determines the frequency of sending log files. The options are When Full, Weekly, or Daily. If the Weekly or Daily option is selected, then select the day of the week the log is sent in the every menu and the time of day in 24-hour format in the At field.
- Email Format - Specifies whether log emails will be sent in Plain Text or HTML format.

Mail Server Settings

The mail server settings allow you to specify the name or IP address of your mail server, the from e-mail address, and authentication method.

- Mail Server (name or IP address) - Enter the IP address or FQDN of the e-mail server used to send your log e-mails in this field.
- From E-mail Address - Enter the E-mail address you want to display in the From field of the message.
- Authentication Method - You can use the default None item or select POP Before SMTP.

Note: If the Mail Server (name or IP address) is left blank, log and alert messages are not e-mailed.

Deep Packet Forensics

SonicWALL UTM appliances have configurable deep-packet classification capabilities that intersect with forensic and content-management products. While the SonicWALL can reliably detect and prevent any interesting-content events, it can only provide a record of the occurrence, but not the actual data of the event.

Of equal importance are diagnostic applications where the interesting-content is traffic that is being unpredictably handled or inexplicably dropped. Although the SonicWALL can achieve interesting-content using our Enhanced packet capture diagnostic tool, data-recorders are application-specific appliances designed to record all the packets on a network. They are highly optimized for this task, and can record network traffic without dropping a single packet.
While data-recorders are good at recording data, they lack the sort of deep-packet inspection intelligence afforded by IPS/GAV/ASPY/AF. Consider the minimal requirements of effective data analysis:

- Reliable storage of data
- Effective indexing of data
- Classification of interesting-content

Together, a UTM device (a SonicWALL appliance) and data-recorder (a Solera Networks appliance) satisfy the requirements to offer outstanding forensic and data-leakage capabilities.

Distributed Event Detection and Replay

The Solera appliance can search its data-repository, while also allowing the administrator to define interesting-content events on the SonicWALL. The level of logging detail and frequency of the logging can be configured by the administrator. Nearly all events include Source IP, Source Port, Destination IP, Destination Port, and Time. SonicOS Enhanced has an extensive set of log events, including:

- Debug/Informational Events - Connection setup/tear down
- User-events - Administrative access, single sign-on activity, user logins, content filtering details
- Rule/Policy Events - Access to and from particular IP:Port combinations, also identifiable by time
- Interesting-content at the or Application Layer - Port-scans, SYN floods, DPI or AF signature/policy hits

The following is an example of the process of distributed event detection and replay:

1. The administrator defines the event trigger. For example, an Application policy is defined to detect and log the transmission of an official document:
2. A user (at IP address 192.168.19.1) on the network retrieves the file.
3. The event is logged by the SonicWALL.
4. The administrator selects the Recorder icon from the left column of the log entry. The icon/link only appears in the logs when an NPCS is defined on the SonicWALL (e.g. IP: [192.168.169.100], Port: [443]). The defined NPCS appliance will be the link's target. The link will include the query string parameters defining the desired connection.
5. The NPCS will (optionally) authenticate the user session.
6. The requested data will be presented to the client as a .cap file, and can be saved or viewed on the local machine.
Methods of Access

The client and NPCS must be able to reach one another. Usually, this means the client and the NPCS will be in the same physical location, both connected to the SonicWALL appliance. In any case, the client will be able to directly reach the NPCS, or will be able to reach the NPCS through the SonicWALL. Administrators in a remote location will require some method of VPN connectivity to the internal network. Access from a centralized GMS console will have similar requirements.

Log Persistence

SonicOS currently allocates 32K to a rolling log buffer. When the log becomes full, it can be emailed to a defined recipient and flushed, or it can simply be flushed. Emailing provides a simple version of logging persistence, while GMS provides a more reliable and scalable method.

By offering the administrator the option to deliver logs as either plain-text or HTML, the administrator has an easy method to review and replay events logged.

GMS

To provide the ability to identify and view events across an entire enterprise, a GMS update will be required. Device-specific interesting-content events at the GMS console appear in Reports > Log Viewer Search page, but are also found throughout the various reports, such as Top Intrusions Over Time.
Solera Capture Stack

Solera Networks makes a series of appliances of varying capacities and speeds designed to capture, archive, and regenerate network traffic. The Solera Networks Network Packet Capture System (NPCS) provides utilities that allow the captured data to be accessed in time sequenced playback, that is, analysis of captured data can be performed on a live network via NPCS while the device is actively capturing and archiving data.

To configure your SonicWALL appliance with Solera, select the Enable Solera Capture Stack Integration option. Configure the following options:

- Server - Select the host for the Solera server. You can dynamically create the host by selecting Create New Host...
- Protocol - Select either HTTP or HTTPS.
- Port - Specify the port number for connecting to the Solera server.
- Interface(s) - Specify the interfaces for which you want to transmit data to the Solera server.
- User (optional) - Enter the username, if required.
- Password (optional) - Enter the password, if required.
- Confirm Password - Confirm the password.
- Mask Password - Leave this enabled to send the password as encrypted text.
Log > Name Resolution

The Log > Name Resolution page includes settings for configuring the name servers used to resolve IP addresses and server names in the log reports.

The security appliance uses a DNS server or NetBIOS to resolve all IP addresses in log reports into server names. It stores the names/address pairs in a cache, to assist with future lookups. You can clear the cache by clicking Reset Name Cache in the top of the Log > Name Resolution page.

Selecting Name Resolution Settings

The security appliance can use DNS, NetBIOS, or both to resolve IP addresses and server names. In the Name Resolution Method list, select:

- None: The security appliance will not attempt to resolve IP addresses and Names in the log reports.
- DNS: The security appliance will use the DNS server you specify to resolve addresses and names.
- NetBIOS: The security appliance will use NetBIOS to resolve addresses and names. If you select NetBIOS, no further configuration is necessary.
- DNS then NetBIOS: The security appliance will first use the DNS server you specify to resolve addresses and names. If it cannot resolve the name, it will try again with NetBIOS.

Specifying the DNS Server

You can choose to specify DNS servers, or to use the same servers as the WAN zone.

Step 1  Select Specify DNS Servers Manually or Inherit DNS Settings Dynamically from WAN Zone. The second choice is selected by default.
Step 2  If you selected to specify a DNS server, enter the IP address for at least one DNS server on your network. You can enter up to three servers.
Step 3  Click Accept in the top right corner of the Log > Name Resolution page to make your changes take effect.
Log > Reports

The SonicWALL security appliance can perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth. You can generate these reports from the Log > Reports page.

Note: SonicWALL ViewPoint provides a comprehensive Web-based reporting solution for SonicWALL security appliances. For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com

Data Collection

The Reports window includes the following functions and commands:

- Start Data Collection - Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label changes to Stop Data Collection.
- Reset Data - Click Reset Data to clear the report statistics and begin a new sample period. The sample period is also reset when data collection is stopped or started, and when the SonicWALL security appliance is restarted.

View Data

Select the desired report from the Report to view menu. The options are Web Site Hits, Bandwidth Usage by IP Address, and Bandwidth Usage by Service. These reports are explained below. Click Refresh Data to update the report. The length of time analyzed by the report is displayed in the Current Sample Period.

Web Site Hits

Selecting Web Site Hits from the Report to view menu displays a table showing the URLs for the 25 most frequently accessed Web sites and the number of hits to a site during the current sample period.

The Web Site Hits report ensures that the majority of Web access is to appropriate Web sites. If leisure, sports, or other inappropriate sites appear in the Web Site Hits Report, you can choose to block the sites. For information on blocking inappropriate Web sites, see.

Click on the name of a Web site to open that site in a new window.

Bandwidth Usage by IP Address

Selecting Bandwidth Usage by IP Address from the Report to view menu displays a table showing the IP address of the 25 top users of Internet bandwidth and the number of megabytes transmitted during the current sample period.

Bandwidth Usage by Service

Selecting Bandwidth Usage by Service from the Report to view menu displays a table showing the name of the 25 top Internet services, such as HTTP, FTP, RealAudio, etc., and the number of megabytes received from the service during the current sample period.

The Bandwidth Usage by Service report shows whether the services being used are appropriate for your organization. If services such as video or push broadcasts are consuming a large portion of the available bandwidth, you can choose to block these services.
Log > ViewPoint

SonicWALL ViewPoint is a Web-based graphical reporting tool that provides unprecedented security awareness and control over your network environment through detailed and comprehensive reports of your security and network activities. ViewPoint's broad reporting capabilities allow administrators to easily monitor network access and Internet usage, enhance security, assess risks, understand more about employee Internet use and productivity, and anticipate future bandwidth needs.

ViewPoint creates dynamic, real-time and historical network summaries, providing a flexible, comprehensive view of network events and activities. Reports are based on syslog data streams received from each SonicWALL appliance through LAN, Wireless LAN, WAN or VPN connections. With ViewPoint, your organization can generate individual or aggregate reports about virtually any aspect of appliance activity, including individual user or group usage patterns, events on specific appliances or groups of appliances, types and times of attacks, resource consumption and constraints, and more.

For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com. For complete SonicWALL ViewPoint documentation, go to the SonicWALL documentation Web site at http://www.sonicwall.com/us/support/3340.html.

Activating ViewPoint

The Log > ViewPoint page allows you to activate the ViewPoint license directly from the SonicWALL Management Interface using two methods.

If you received a license activation key, enter the activation key in the Enter upgrade key field, and click Accept.

Warning: You must have a mysonicwall.com account and your SonicWALL security appliance must be registered to activate SonicWALL ViewPoint for your SonicWALL security appliance.

1. Click the Upgrade link in Click here to Upgrade on the Log > ViewPoint page. The mysonicwall.com Login page is displayed.
2. Enter your mysonicwall.com account username and password in the User Name and Password fields, then click Submit. The System > Licenses page is displayed. If your SonicWALL security appliance is already connected to your mysonicwall.com account, the System > Licenses page appears after you click the SonicWALL Content Filtering Subscription link.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table. Type in the Activation Key in the New License Key field and click Submit.
4. If you activated SonicWALL ViewPoint at mysonicwall.com, the SonicWALL ViewPoint activation is automatically enabled on your SonicWALL within 24 hours, or you can click the Synchronize button on the Security Services > Summary page to update your SonicWALL.
Enabling ViewPoint Settings

Once you have installed the SonicWALL ViewPoint software, you can point the SonicWALL security appliance to the server running ViewPoint.

1. Check the Enable ViewPoint Settings checkbox in the Syslog Servers section of the Log > ViewPoint page.
2. Click the Add button. The Add Syslog Server window is displayed.
3. Enter the IP address or FQDN of the SonicWALL ViewPoint server in the Name or IP Address field.
4. Enter the port number for the SonicWALL ViewPoint server traffic in the Port field or use the default port number.
5. Click Accept.

Note: The Override Syslog Settings with ViewPoint Settings control on the Log > Syslog page is automatically checked when you enable ViewPoint from the Log > ViewPoint page. The IP address or FQDN you entered in the Add Syslog Server window is also displayed on the Log > Syslog page as well as in the Syslog Servers table on the Log > ViewPoint page.

Clicking the Edit icon displays the Add Syslog Server window for editing the ViewPoint server information. Clicking the Delete icon deletes the ViewPoint syslog server entry.
Index of Log Event Messages

This section contains a list of log event messages for all SonicWALL Firmware and SonicOS Software Releases, ordered alphabetically. Use your web browser's Find function to search for a command.

Log Event Message Symbols Key

| Log Event Message Symbol | Description | Context |
| --- | --- | --- |
| %s Ethernet Port Down | Represents a character string. | [WAN LAN DMZ] Ethernet Port Down |
| The cache is full; %u open connections; some will be dropped | Represents a numerical string. | The cache is full; [40,000] open connections; some will be dropped |

TCP/IP Layered-Data Packet Processing and SonicOS Log Event Handling

In specific cases of multi-layer packet processing, a TCP connection initially logged as "open" will be rejected by a deeper layer of packet processing. In these cases, the connection request has not been forwarded by the SonicWALL security appliance, and the initial Connection Open SonicOS log event message should be ignored in favor of the TCP Connection Dropped log event message.

Each log event message described in the following table provides the following log event details:

SonicOS Category - Displays the SonicOS Software category event type.
Legacy Category - Displays the SonicWALL Firmware Software category event type.
Priority Level - Displays the level of urgency of the log event message.
Log Message ID Number - Displays the ID number of the log event message.
SNMP Trap Type - Displays the SNMP Trap ID number of the log event message.
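The symbols key means a concrete log line has to be matched against a template before it can be looked up in the index. The following is an added example, not code from SonicWALL or this guide: it compiles a few index templates into patterns and resolves real message text to the Log Msg ID, and the value shapes assumed for %s, %u and %d are stated in the comments.

```python
import re

# Templates and Log Msg ID numbers copied from this guide's index (a small subset).
# The "cache is full" template comes from the symbols key; its ID is not listed
# in this part of the index, so it is left as None.
INDEX = [
    ("%s Ethernet Port Down", 333),
    ("%s Ethernet Port Up", 332),
    ("The cache is full; %u open connections; some will be dropped", None),
    ("Backup will be shut down in %s minutes", 823),
    ("DDNS association %s disabled", 781),
    ("Guest account '%s' disabled", 560),
    ("IKE Responder: Mode %d - not tunnel mode", 249),
    ("Crypto RSA test failed", 364),
    ("%s", 1079),  # bare placeholder: would match any message text
]

PLACEHOLDER = re.compile(r"%[sSud]")
# Assumed value shapes: %s is any non-empty text, %u is digits (commas allowed,
# as in the guide's "40,000"), %d is a signed integer.
FIELD = {"s": r"(.+?)", "u": r"(\d[\d,]*)", "d": r"(-?\d+)"}


def compile_template(template):
    """Turn an index template into (anchored regex, count of literal characters)."""
    pattern, pos, literal = "^", 0, 0
    for m in PLACEHOLDER.finditer(template):
        chunk = template[pos:m.start()]
        pattern += re.escape(chunk) + FIELD[m.group()[1].lower()]
        literal += len(chunk)
        pos = m.end()
    tail = template[pos:]
    return re.compile(pattern + re.escape(tail) + "$"), literal + len(tail)


# Most specific templates first, so "%s Ethernet Port Down" wins over a bare "%s".
COMPILED = sorted(
    ((tpl, msg_id) + compile_template(tpl) for tpl, msg_id in INDEX),
    key=lambda row: row[3],
    reverse=True,
)


def lookup(message, allow_bare=False):
    """Return (template, msg_id, captured values) for a concrete message, or None."""
    for tpl, msg_id, regex, literal in COMPILED:
        if literal == 0 and not allow_bare:
            continue  # a bare "%s" identifies nothing by text alone
        m = regex.match(message.strip())
        if m:
            return tpl, msg_id, m.groups()
    return None


if __name__ == "__main__":
    # Constructed sample messages, not taken from a real appliance.
    for line in [
        "WAN Ethernet Port Down",
        "The cache is full; 40,000 open connections; some will be dropped",
        "IKE Responder: Mode 2 - not tunnel mode",
        "IKE Responder: Mode two - not tunnel mode",
    ]:
        print(line, "->", lookup(line))
```

Index entries whose whole text is "%s" cannot be told apart by message text, so for those rows the lookup has to use the message ID carried in the log record instead.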
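The layered packet processing rule above matters when counting allowed connections from the log: an open that is followed by a drop for the same flow was never forwarded. This added example (not code from SonicWALL or this guide) applies that rule to already-parsed events; the field names, the flow key of source plus destination, and the 2-second pairing window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Message texts compared case-insensitively; names follow the guide's wording.
OPEN_MSG = "connection opened"
DROP_MSG = "tcp connection dropped"

# Constructed sample events (not real log data). Field names are assumptions.
SAMPLE = [
    {"time": "2009-06-01 10:00:00", "msg": "Connection Opened",
     "src": "10.0.0.5:40312", "dst": "203.0.113.9:80"},
    {"time": "2009-06-01 10:00:00", "msg": "TCP connection dropped",
     "src": "10.0.0.5:40312", "dst": "203.0.113.9:80"},
    {"time": "2009-06-01 10:00:05", "msg": "Connection Opened",
     "src": "10.0.0.8:51000", "dst": "198.51.100.7:443"},
    {"time": "2009-06-01 10:00:07", "msg": "TCP connection dropped",
     "src": "10.0.0.9:33000", "dst": "198.51.100.7:25"},
    {"time": "2009-06-01 10:01:00", "msg": "Connection Opened",
     "src": "10.0.0.5:40313", "dst": "203.0.113.9:80"},
    {"time": "2009-06-01 10:05:00", "msg": "TCP connection dropped",
     "src": "10.0.0.8:51000", "dst": "198.51.100.7:443"},
]


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def _kind(event):
    return event["msg"].strip().lower()


def reconcile(events, window=timedelta(seconds=2)):
    """Split 'Connection Opened' events into (forwarded, superseded).

    An open is superseded when a drop for the same flow follows it within
    `window`; per the guide, such an open should be ignored.
    """
    pending = defaultdict(list)  # flow -> opens not yet cancelled by a drop
    superseded = []
    # At equal timestamps, process opens before drops (the open is logged first).
    ordered = sorted(events, key=lambda e: (_ts(e), _kind(e) != OPEN_MSG))
    for event in ordered:
        flow = (event["src"], event["dst"])
        if _kind(event) == OPEN_MSG:
            pending[flow].append(event)
        elif _kind(event) == DROP_MSG and pending[flow]:
            last_open = pending[flow][-1]
            if _ts(event) - _ts(last_open) <= window:
                superseded.append(pending[flow].pop())
            # A drop long after the open is a separate event; the open stands.
    forwarded = sorted((e for opens in pending.values() for e in opens), key=_ts)
    return forwarded, superseded


if __name__ == "__main__":
    forwarded, superseded = reconcile(SAMPLE)
    print("forwarded: ", [e["src"] for e in forwarded])
    print("superseded:", [e["src"] for e in superseded])
```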
Log Event Message Index Log Events Messages SonicOS Category Legacy Category Prioity Level Log Msg ID Number snmptrapty pe Log Event Type sw new category category priority id snmptrapty pe eventtype "As per Diagnostic Auto-restart configuration request, restarting system" event --- INFO 1047 --- SIMPLE #Web site hit Traffi c Connection Traffic INFO 97 --- STD_HTTP_ TRAFFIC_R EPORT %s VPN IKE UserActivity DEBUG 171 --- %s %s %s %s %s %s High Availability --- ERROR 826 --- High Availability --- WARN 827 --- High Availability --- INFO 828 --- High Availability --- ALERT 829 --- High Availability --- NOTICE 830 --- High Availability --- DEBUG 831 --- %s ARS --- INFO 840 --- %s ARS --- NOTICE 841 --- %s ARS --- DEBUG 842 --- %s Security Services UserActivity NOTICE 872 --- GE_ GE_ GE_ GE_ SonicOS Log Event Reference Guide 21
| Log Event Message | SonicOS Category | Legacy Category | Priority Level | Log Msg ID Number | SNMP Trap Type | Log Event Type |
| --- | --- | --- | --- | --- | --- | --- |
| %s | SSL VPN | --- | INFO | 1079 | --- | |
| %s | event | System Error | ALERT | 1107 | --- | |
| %s auto-dial failed: Current Connection Model is configured as Ethernet Only | PPP dialup | System Error | ALERT | 1028 | --- | |
| %s Ethernet Port Down | event | System Error | ERROR | 333 | 641 | |
| %s Ethernet Port Up | event | System Error | WARN | 332 | 640 | |
| %s is operational. | Anti-Spam | --- | WARN | 1082 | --- | |
| %s is unavailable. | Anti-Spam | --- | WARN | 1083 | --- | |
| ) dumped to email at | None | --- | DEBUG | 1 | --- | UNUSED |
| *** Alert from SonicWALL *** | None | --- | DEBUG | 3 | --- | UNUSED |
| [not found in tip] | Unused | Attack | WARN | 26 | 504 | UNUSED |
| [not found in tip] | Unused | Debug | NOTICE | 176 | --- | UNUSED |
| <b>sonicwaLL Registration Update Needed:</b> Restore your existing security service subscriptions by clicking <a href="/Security_Services/enable_services.html">here</a>. | Security Services | Maintenance | WARN | 496 | --- | SIMPLE |
3G %s device detected Hardware System Environment INFO 1017 --- 3G Dial-up: %s. PPP dialup UserActivity ALERT 1026 --- 3G Dial-up: data usage limit reached for the '%s' billing cycle. Disconnectin g the 3G session. PPP dialup UserActivity ALERT 1027 7643 3G: No SIM detected Hardware --- ALERT 1055 --- 802.11 Management Wireless 80211bMgmt INFO 518 --- A prior version of preferences was loaded because the most recent preferences file was inaccessible A SonicOS Standard to Enhanced Upgrade was performed Access attempt from host out of compliance with GSC policy Access attempt from host without Anti-Virus agent installed Access attempt from host without GSC installed SIMPLE_NO TE_ event System Error WARN 572 648 SIMPLE event Maintenance INFO 611 --- SIMPLE Security Services Maintenance INFO 761 --- STD Security Services Maintenance INFO 123 --- STD Security Services Maintenance INFO 763 8627 STD Access rule added Rule UserActivity INFO 440 --- SIMPLE_RU LE SonicOS Log Event Reference Guide 23
Access rule deleted Rule UserActivity INFO 442 --- Access rule modified Rule UserActivity INFO 441 --- Access rules restored to defaults Rule UserActivity INFO 443 --- UNUSED Access to proxy server denied Active Backup detects Active Primary: Backup going Idle ActiveX access denied ActiveX or Java archive access denied ADConnector %s response timed-out; applying caching policy Add an attack message Added host entry to dynamic address object Access BlockedSites NOTICE 60 705 SIMPLE_RU LE_ SIMPLE_RU LE BLOCKED High Availability Maintenance INFO 154 --- UNUSED Access BlockedCode NOTICE 18 --- Access BlockedCode NOTICE 20 --- Microsoft Active Directory --- ERROR 769 --- event Attack ERROR 143 525 Dynamic Address Objects Maintenance INFO 911 --- Adding Dynamic Entry for Bound MAC Address --- INFO 813 --- BLOCKED BLOCKED GE_ SIMPLE_ST R Ethernet Adding L2TP IP pool Address object Failed. L2TP Server System Error ERROR 603 661 SIMPLE Adding to multicast policylist, interface : %s Multicast --- DEBUG 697 --- GE_ 24 SonicOS Log Event Reference Guide
Adding to Multicast policylist, VPN SPI : %s Multicast --- DEBUG 699 --- Administrator logged out Administrator logged out - inactivity timer expired Administrator login allowed Administrator login denied due to bad credentials Administrator login denied from %s; logins disabled from this interface Administrator name changed n Access UserActivity INFO 261 --- GE_ n Access UserActivity INFO 262 --- STD STD_STRIN n Access UserActivity INFO 29 --- G_SERVICE n Access Attack ALERT 30 560 n Access Attack ALERT 35 506 n Access Maintenance INFO 328 --- STD STD_STRIN G_SERVICE GE_ All DDNS associations have been deleted DDNS Maintenance INFO 783 --- SIMPLE All preference values have been set to factory default values Allowed LDAP server certificate with wrong event System Error WARN 574 650 SIMPLE host name RADIUS UserActivity WARN 752 --- Anti-Spam service is disabled by administrator. Anti-Spam --- INFO 1085 --- SIMPLE Anti-Spam service is enabled by administrator. Anti-Spam --- INFO 1084 --- SIMPLE Anti-Spam Startup Failure - %s Anti-Spam --- WARN 1088 --- SonicOS Log Event Reference Guide 25
Anti-Spam Teardown Failure - %s Anti-Spam --- WARN 1089 --- Anti-Spyware Detection Alert: %s Anti-Spyware Prevention Alert: %s Anti-Spyware Service Expired Anti-Virus agent out-ofdate on host Anti-Virus Licenses Exceeded Application Filter Detection Alert: %s Application Filters Block Alert: %s Application Alert: %s Intrusion Detection Attack ALERT 795 6438 Intrusion Detection Attack ALERT 794 6437 STD_AS_ME STD_AS_ME Security Services Maintenance WARN 796 8631 SIMPLE Security Services Maintenance INFO 124 --- STD Security Services Maintenance INFO 408 --- STD Intrusion Detection Attack ALERT 650 --- Intrusion Detection Attack ALERT 649 --- ApplicationFir ewall UserActivity ALERT 793 13201 ARP request packet received --- INFO 717 --- GE_ GE_ STD_Applicat ion _ME Ethernet Ethernet ARP request packet sent --- INFO 715 --- ARP response packet received --- INFO 716 --- ARP response packet sent --- INFO 718 --- ARP timeout Debug DEBUG 45 --- STD ARP unused/ spare --- DEBUG 816 --- UNUSED ARS unused/ spare Unused --- DEBUG 843 --- UNUSED ARS unused/ spare Unused --- DEBUG 844 --- UNUSED ARS unused/ spare Unused --- DEBUG 845 --- UNUSED Ethernet Ethernet 26 SonicOS Log Event Reference Guide
ARS unused/ spare Unused --- DEBUG 846 --- UNUSED Assigned IP address %s DHCP Server --- INFO 1110 --- Association Flood from WLAN station WLAN IDS WLAN IDS ALERT 548 903 n timeout during Remotely Triggered Dial-out session SIMPLE_NO TE_ n Access UserActivity INFO 821 --- SIMPLE AV unused/ spare Unused 0 DEBUG 126 --- UNUSED Back Orifice attack dropped Backup active Backup firewall being preempted by Primary Backup firewall has transitioned to Active Backup firewall has transitioned to Idle Backup firewall rebooting itself as it transitioned from Active to Idle while Preempt Backup going Active in preempt mode after reboot Backup missed heartbeats from Primary Intrusion Detection Attack ALERT 73 512 STD High Availability System Error INFO 825 --- SIMPLE High Availability System Error ERROR 152 619 SIMPLE High Availability Maintenance ALERT 145 --- SIMPLE High Availability Maintenance ALERT 147 --- SIMPLE High Availability --- INFO 1059 --- SIMPLE High Availability System Error ERROR 170 622 SIMPLE High Availability System Error ERROR 149 616 SIMPLE SonicOS Log Event Reference Guide 27
| Log Event Message | SonicOS Category | Legacy Category | Priority Level | Log Msg ID Number | SNMP Trap Type | Log Event Type |
| --- | --- | --- | --- | --- | --- | --- |
| Backup received error signal from Primary | High Availability | System Error | ERROR | 151 | 618 | SIMPLE |
| Backup received heartbeat from wrong source | High Availability | Maintenance | INFO | 161 | --- | UNUSED |
| Backup received reboot signal from Primary | High Availability | System Error | ERROR | 672 | 666 | SIMPLE |
| Backup shut down because license is expired | High Availability | System Error | ERROR | 824 | --- | SIMPLE |
| Backup WAN link down, Primary going Active | High Availability | System Error | ERROR | 219 | 633 | UNUSED |
| Backup will be shut down in %s minutes | High Availability | System Error | ERROR | 823 | --- | |
| Bad CRL format | VPN PKI | UserActivity | ALERT | 277 | --- | SIMPLE |
| Bind to LDAP server failed | RADIUS | System Error | ERROR | 1009 | --- | SIMPLE_NOTE_ |
| Blocked Quick Mode for Client using Default KeyId | VPN Client | System Error | ERROR | 505 | 660 | STD |
| BOOTP Client IP address on LAN conflicts with remote device IP, deleting IP address from remote table | Bootp | Maintenance | INFO | 619 | --- | |
| BOOTP reply relayed to local device | Bootp | Maintenance | INFO | 620 | --- | |
| BOOTP Request received from remote device | Bootp | Debug | DEBUG | 621 | --- | UNUSED |
| Log Event Message | SonicOS Category | Legacy Category | Priority Level | Log Msg ID Number | SNMP Trap Type | Log Event Type |
| --- | --- | --- | --- | --- | --- | --- |
| BOOTP server response relayed to remote device | Bootp | Debug | DEBUG | 618 | --- | |
| Broadcast packet dropped | Access | Debug | DEBUG | 46 | --- | PROTOCOL |
| Cannot connect to the CRL server | VPN PKI | UserActivity | ALERT | 274 | --- | SIMPLE |
| Cannot Validate Issuer Path | VPN PKI | UserActivity | ALERT | 878 | --- | SIMPLE_NOTE_ |
| Category: | None | 0 | DEBUG | 485 | --- | UNUSED |
| Certificate on Revoked list(crl) | VPN PKI | UserActivity | ALERT | 279 | --- | SIMPLE_NOTE_ |
| CFL autodownload disabled, time problem detected | Security Services | Maintenance | INFO | 268 | --- | SIMPLE |
| Chat %s | PPP dialup | UserActivity | INFO | 1022 | --- | GE_ |
| Chat completed | PPP dialup | UserActivity | INFO | 1020 | --- | GE_ |
| Chat failed: %s | PPP dialup | UserActivity | INFO | 1023 | --- | GE_ |
| Chat started | PPP dialup | UserActivity | INFO | 1019 | --- | GE_ |
| Chat started by '%s' | PPP dialup | UserActivity | INFO | 1032 | --- | GE_ |
| Chat wrote '%s' | PPP dialup | UserActivity | INFO | 1021 | --- | GE_ |
| CLI administrator logged out | n Access | UserActivity | INFO | 520 | --- | SIMPLE |
| CLI administrator login allowed | n Access | UserActivity | INFO | 199 | --- | |
| CLI administrator login denied due to bad credentials | n Access | UserActivity | WARN | 200 | --- | |
| Code: | None | --- | DEBUG | 54 | --- | UNUSED |
Computed hash does not match hash received from peer; preshared key mismatch VPN IKE UserActivity WARN 410 --- Configuration mode administratio n session ended Configuration mode administratio n session started n Access UserActivity INFO 995 --- n Access UserActivity INFO 994 --- Traffi Connection c Traffic INFO 537 --- Traffi c Connection INFO 98 --- STD_TRAFFI C_REPORT STD_TRAFFI C_REPORT Connection Closed Connection Opened Connection timed out VPN PKI UserActivity ALERT 273 --- SIMPLE Content filter subscription expired. Security Services System Error ERROR 197 631 UNUSED Cookie removed Access BlockedCode NOTICE 21 --- STD_STRIN G_SERVICE CRL has expired VPN PKI UserActivity ALERT 874 --- SIMPLE_NO TE_ CRL loaded from VPN PKI UserActivity INFO 270 --- SIMPLE_NO TE_ CRL missing - Issuer requires CRL checking. VPN PKI UserActivity ALERT 876 --- SIMPLE_NO TE_ CRL validation failure for Root Certificate VPN PKI UserActivity ALERT 877 --- SIMPLE_NO TE_ Crypto DES test failed Crypto Test Maintenance ERROR 360 --- SIMPLE Crypto DH test failed Crypto Test Maintenance ERROR 361 --- SIMPLE Crypto hardware 3DES test failed Crypto Test Maintenance ERROR 367 --- SIMPLE 30 SonicOS Log Event Reference Guide
| Log Event Message | SonicOS Category | Legacy Category | Priority Level | Log Msg ID Number | SNMP Trap Type | Log Event Type |
| --- | --- | --- | --- | --- | --- | --- |
| Crypto Hardware 3DES with SHA test failed | Crypto Test | Maintenance | ERROR | 369 | --- | SIMPLE |
| Crypto Hardware AES test failed | Crypto Test | Maintenance | ERROR | 610 | --- | STD |
| Crypto hardware DES test failed | Crypto Test | Maintenance | ERROR | 366 | --- | SIMPLE |
| Crypto hardware DES with SHA test failed | Crypto Test | Maintenance | ERROR | 368 | --- | SIMPLE |
| Crypto Hmac-MD5 fest failed | Crypto Test | Maintenance | ERROR | 362 | --- | SIMPLE |
| Crypto Hmac-Sha1 test failed | Crypto Test | Maintenance | ERROR | 363 | --- | SIMPLE |
| Crypto MD5 test failed | Crypto Test | Maintenance | ERROR | 370 | --- | SIMPLE |
| Crypto RSA test failed | Crypto Test | Maintenance | ERROR | 364 | --- | SIMPLE |
| Crypto SHA1 based DRNG KAT test failed | Crypto Test | --- | ERROR | 1060 | --- | SIMPLE |
| Crypto Sha1 test failed | Crypto Test | Maintenance | ERROR | 365 | --- | SIMPLE |
| CSR Generation: %s | VPN PKI | --- | INFO | 1109 | --- | |
| DDNS association %s disabled | DDNS | Maintenance | INFO | 781 | --- | |
| DDNS association %s enabled | DDNS | Maintenance | INFO | 780 | --- | |
| DDNS association %s added | DDNS | Maintenance | INFO | 779 | --- | |
| DDNS association %s deactivated | DDNS | Maintenance | INFO | 784 | --- | |
| DDNS association %s deleted | DDNS | Maintenance | INFO | 785 | --- | |
DDNS Association %s put on line DDNS Maintenance INFO 782 --- DDNS association %s taken Offline locally DDNS Maintenance INFO 778 --- DDNS Failure: Provider %s DDNS System Error ERROR 774 --- DDNS Failure: Provider %s DDNS System Error ERROR 775 --- DDNS Failure: Provider %s DDNS System Error ERROR 773 --- DDNS Update success for domain %s DDNS Maintenance INFO 776 --- DDNS Warning: Provider %s DDNS System Error WARN 777 --- Deleting from Multicast policy list, interface : %s Multicast --- DEBUG 698 --- Deleting from Multicast policy list, VPN SPI : %s Multicast --- DEBUG 700 --- Deleting IPsec SA VPN IKE UserActivity INFO 92 --- Deleting IPsec SA for destination VPN IKE UserActivity INFO 91 --- UNUSED Destination IP address connection status: %s GE_ GE_ GE_ SPI event --- INFO 735 --- Destination: None --- DEBUG 57 --- UNUSED DHCP client enabled but not ready DHCP Client Maintenance INFO 504 --- SIMPLE DHCP Client did not get DHCP ACK. DHCP Client Maintenance INFO 109 --- STD GE_ 32 SonicOS Log Event Reference Guide
| Log Event Message | SonicOS Category | Legacy Category | Priority Level | Log Msg ID Number | SNMP Trap Type | Log Event Type |
| --- | --- | --- | --- | --- | --- | --- |
| DHCP Client failed to verify and lease has expired. Go to INIT state. | DHCP Client | Maintenance | INFO | 119 | --- | STD |
| DHCP Client failed to verify and lease is still valid. Go to BOUND state. | DHCP Client | Maintenance | INFO | 120 | --- | UNUSED |
| DHCP Client got a new IP address lease. | DHCP Client | Maintenance | INFO | 121 | --- | |
| DHCP Client got ACK from server. | DHCP Client | Maintenance | INFO | 111 | --- | |
| DHCP Client got NACK. | DHCP Client | Maintenance | INFO | 110 | --- | STD |
| DHCP Client is declining address offered by the server. | DHCP Client | Maintenance | INFO | 112 | --- | |
| DHCP Client sending REQUEST and going to REBIND state. | DHCP Client | Maintenance | INFO | 113 | --- | |
| DHCP Client sending REQUEST and going to RENEW state. | DHCP Client | Maintenance | INFO | 114 | --- | |
| DHCP DECLINE received from remote device | DHCP Relay | Debug | INFO | 475 | --- | UNUSED |
| DHCP DISCOVER received from local device | DHCP Relay | Debug | INFO | 479 | --- | UNUSED |
| DHCP DISCOVER received from remote device | DHCP Relay | Debug | INFO | 474 | --- | |
| Log Event Message | SonicOS Category | Legacy Category | Priority Level | Log Msg ID Number | SNMP Trap Type | Log Event Type |
| --- | --- | --- | --- | --- | --- | --- |
| DHCP lease dropped. Lease from Central Gateway conflicts with Relay IP | DHCP Relay | Maintenance | WARN | 228 | --- | |
| DHCP lease dropped. Lease from Central Gateway conflicts with Remote Management IP | DHCP Relay | Maintenance | WARN | 484 | --- | |
| DHCP lease file in the flash is corrupted; read failed | event | System Error | WARN | 833 | --- | SIMPLE |
| DHCP lease relayed to local device | DHCP Relay | Maintenance | INFO | 223 | --- | |
| DHCP lease relayed to remote device | DHCP Relay | Debug | INFO | 225 | --- | |
| DHCP lease to LAN device conflicts with remote device, deleting remote IP entry | DHCP Relay | Maintenance | INFO | 226 | --- | |
| DHCP leases written to flash | event | Maintenance | INFO | 835 | --- | SIMPLE |
| DHCP NACK received from server | DHCP Relay | Debug | INFO | 477 | --- | |
| DHCP OFFER received from server | DHCP Relay | Debug | INFO | 476 | --- | |
| Log Event Message | SonicOS Category | Legacy Category | Priority Level | Log Msg ID Number | SNMP Trap Type | Log Event Type |
| --- | --- | --- | --- | --- | --- | --- |
| DHCP Ranges altered automatically due to change in network settings for interface %s | event | --- | INFO | 832 | --- | |
| DHCP RELEASE received from remote device | DHCP Relay | Debug | INFO | 224 | --- | |
| DHCP RELEASE relayed to Central Gateway | DHCP Relay | Maintenance | INFO | 222 | --- | |
| DHCP REQUEST received from local device | DHCP Relay | Debug | INFO | 480 | --- | UNUSED |
| DHCP REQUEST received from remote device | DHCP Relay | Debug | INFO | 473 | --- | |
| DHCP Server not available. Did not get any DHCP OFFER. | DHCP Client | Maintenance | INFO | 106 | --- | STD |
| DHCP Server sanity check failed %s | event | --- | CRITICAL | 1072 | --- | |
| DHCP Server sanity check passed %s | event | --- | CRITICAL | 1071 | --- | |
| DHCP Server: IP conflict detected | event | --- | ALERT | 1040 | --- | |
| DHCP Server: Received DHCP decline from client | event | --- | ALERT | 1041 | --- | |
DHCP Server: Received DHCP message from untrusted relay agent event --- NOTICE 1090 --- Diagnostic Auto-restart canceled event --- INFO 1046 --- SIMPLE Diagnostic Auto-restart scheduled for %s minutes from now event --- INFO 1045 --- Diagnostic Code A Hardware System Error ERROR 93 611 Diagnostic Code B Hardware System Error ERROR 94 612 Diagnostic Code C Hardware System Error ERROR 95 613 Diagnostic Code D Hardware System Error ERROR 64 610 CODE Diagnostic Code E VPN IPsec System Error ERROR 61 609 CODE Diagnostic Code F Hardware System Error ERROR 164 621 Diagnostic Code G Hardware System Error ERROR 599 655 Diagnostic Code H Hardware System Error ERROR 600 656 Diagnostic Code I Hardware System Error ERROR 601 657 Diagnostic Code J Hardware System Error ERROR 1025 5423 Dial-up: Session initiated by data packet PPP dialup --- INFO 1039 --- Dial-up: Traffic generated by '%s' PPP dialup --- INFO 1038 --- SIMPLE_NO TE_ SIMPLE_NO TE_ SIMPLE_NO TE_ SIMPLE_NO TE_ SIMPLE_NO TE_ SIMPLE_NO TE_ SIMPLE_NO TE_ SIMPLE_NO TE_ STD_SERVI CE GE_ Disconnectin g L2TP Tunnel due to traffic timeout L2TP Client Maintenance INFO 215 --- SIMPLE Disconnectin g PPPoE due to traffic timeout PPPoE Maintenance INFO 168 --- SIMPLE 36 SonicOS Log Event Reference Guide
Disconnectin g PPTP Tunnel due to traffic timeout PPTP Maintenance INFO 389 --- SIMPLE Discovered HA %s Discovered HA Backup DNS packet allowed DNS rebind attack blocked Drop WLAN traffic from non- SonicPoint devices Duplicate packet dropped High Availability --- INFO 1044 --- High Availability Maintenance INFO 156 --- SIMPLE STD_POLIC Access Debug INFO 602 --- Y Intrusion Detection --- ALERT 1099 6466 Intrusion Detection Attack ERROR 662 6434 STD Access Debug DEBUG 51 --- UNUSED Dynamic IPsec client connected VPN IPsec UserActivity INFO 62 --- EIGRP packet dropped E-Mail fragment dropped Access Debug NOTICE 714 --- Intrusion Detection Attack ERROR 437 550 STD Entering FIPS ERROR state Crypto Test Maintenance ERROR 359 --- UNUSED Entering FIPS Error State. Crypto Test System Error ERROR 497 659 UNUSED Error initializing Hardware acceleration for VPN Error Rebooting HA Peer Hardware Maintenance ERROR 374 --- SIMPLE High Availability System Error ERROR 669 663 SIMPLE SonicOS Log Event Reference Guide 37
Error setting the IP address of the backup, please manually set to backup LAN IP High Availability System Error ERROR 191 629 SIMPLE Error synchronizing HA peer firewall (%s) High Availability System Error ERROR 158 662 Error updating HA peer High configuration Availability System Error ERROR 192 630 UNUSED ERROR: DHCP over VPN policy is not defined. Cannot start IKE. DHCP Relay Maintenance INFO 478 --- UNUSED Exceeded Max multicast address limit Multicast --- WARN 703 --- STD External Web Server Host Resolution Failed %s n Access --- ERROR 1069 --- Failed payload validation VPN IKE UserActivity WARN 405 --- Failed payload verification after decryption; possible preshared key mismatch VPN IKE UserActivity WARN 404 --- Failed to find certificate VPN PKI UserActivity ALERT 875 --- Failed to get CRL from VPN PKI UserActivity ALERT 271 --- Failed to Process CRL from VPN PKI UserActivity ALERT 276 --- Failed to resolve name Maintenance INFO 84 --- SIMPLE_NO TE_ SIMPLE_NO TE_ SIMPLE_NO TE_ SIMPLE_NO TE_ 38 SonicOS Log Event Reference Guide
| Log Event Message | SonicOS Category | Legacy Category | Priority Level | Log Msg ID Number | SNMP Trap Type | Log Event Type |
| --- | --- | --- | --- | --- | --- | --- |
| Failed to send file to remote backup server, Error: %s | event | Maintenance | INFO | 1066 | --- | |
| Failed to send Preference file to remote backup server, Error: %s | event | Maintenance | INFO | 1062 | --- | |
| Failed to send TSR file to remote backup server, Error: %s | event | Maintenance | INFO | 1064 | --- | |
| Failed to synchronize license information with Licensing Server. Please see HTTP://help.mysonicWALL.com/licsyncfail.html (code: %s) | Security Services | Maintenance | WARN | 766 | 8628 | |
| Failed to synchronize Relay IP Table | DHCP Relay | System Error | WARN | 234 | 632 | STD |
| Failed to write DHCP leases to flash | event | System Error | WARN | 834 | --- | SIMPLE |
| Failure to add data channel | Unused | Debug | DEBUG | 49 | --- | STD |
| Failure to reach Interface %s probe | High Availability | System Error | ERROR | 675 | 6234 | |
| Fan Failure | Hardware | System Environment | ALERT | 576 | 102 | SIMPLE |
| FIN Flood Blacklist on IF %s continues | Intrusion Detection | Debug | WARN | 902 | --- | |
FIN-Flooding machine %s blacklisted Intrusion Detection Debug ALERT 901 --- Forbidden E- Mail attachment Intrusion deleted Detection Attack ERROR 248 534 Forbidden E- Mail attachment Intrusion disabled Detection Attack ALERT 165 527 Found Rogue Access Point WLAN IDS WLAN IDS ALERT 546 901 Found Rogue Access Point WLAN IDS WLAN IDS ALERT 556 10804 Fragmented packet TCP UDP dropped ICMP NOTICE 28 --- Fraudulent Microsoft certificate found; access denied Intrusion Detection Attack ERROR 193 532 STD FTP client user logged in failed FTP --- DEBUG 1115 --- FTP client user logged in successfully FTP --- DEBUG 1114 --- FTP client user logged out FTP --- DEBUG 1116 --- FTP client user name was sent FTP --- DEBUG 1113 --- FTP server accepted the connection FTP --- DEBUG 1112 --- FTP: Data connection from non default port dropped FTP: PASV response bounce attack dropped. Access Attack ALERT 538 557 STD Intrusion Detection Attack ALERT 528 556 STD_DESTI NATION STD_DESTI NATION SIMPLE_NO TE_ SIMPLE_NO TE_ PROTOCOL 40 SonicOS Log Event Reference Guide
FTP: PASV response spoof attack dropped Intrusion Detection Attack ERROR 446 551 STD FTP: PORT bounce attack dropped. Intrusion Detection Attack ALERT 527 555 Gateway Anti-Virus Security Alert: %s Services Attack ALERT 809 8632 Gateway Anti-Virus Service Security expired Services Maintenance WARN 810 8633 SIMPLE Global VPN Client connection is not allowed. Appliance is not registered. VPN Client System Error INFO 529 643 STD Global VPN Client License Exceeded: Connection denied. VPN Client System Error INFO 494 658 STD Global VPN Client version cannot enforce personal firewall. Minimum Version required is 2.1 VPN Client UserActivity INFO 604 --- Got DHCP OFFER. Selecting. DHCP Client Maintenance INFO 107 --- GSC policy out-of-date on host Guest account '%s' created Guest account '%s' deleted Security Services Maintenance INFO 762 --- STD n Access UserActivity INFO 558 --- n Access UserActivity INFO 559 --- GE_ GE_ GE_ SonicOS Log Event Reference Guide 41
Guest account '%s' disabled n Access UserActivity INFO 560 --- Guest account '%s' pruned n Access UserActivity INFO 562 --- Guest account '%s' re-enabled n Access UserActivity INFO 561 --- Guest account '%s' re-generated n Access UserActivity INFO 563 --- Guest Account Timeout n Access UserActivity INFO 551 --- Guest Idle Timeout n Access UserActivity INFO 564 --- Guest login denied. Guest '%s' is already logged in. Please try again later. n Access UserActivity INFO 557 --- Guest Services drop traffic to deny network Access --- INFO 724 --- Guest Services pass traffic to access allow network Access --- INFO 725 --- Guest Session Timeout n Access UserActivity INFO 550 --- GUI administratio n session ended n Access UserActivity INFO 998 --- H.323/H.225 Connect VOIP VOIP DEBUG 634 --- H.323/H.225 Setup VOIP VOIP DEBUG 633 --- H.323/H.245 Address VOIP VOIP DEBUG 635 --- H.323/H.245 End Session VOIP VOIP DEBUG 636 --- H.323/RAS Admission Confirm VOIP VOIP DEBUG 625 --- GE_ GE_ GE_ GE_ GE_ 42 SonicOS Log Event Reference Guide
| Log Event Message | SonicOS Category | Legacy Category | Priority Level | Log Msg ID Number | SNMP Trap Type | Log Event Type |
| --- | --- | --- | --- | --- | --- | --- |
| H.323/RAS Admission Reject | VOIP | VOIP | DEBUG | 624 | --- | |
| H.323/RAS Admission Request | VOIP | VOIP | DEBUG | 626 | --- | |
| H.323/RAS Bandwidth Reject | VOIP | VOIP | DEBUG | 627 | --- | |
| H.323/RAS Disengage Confirm | VOIP | VOIP | DEBUG | 628 | --- | |
| H.323/RAS Disengage Reject | VOIP | VOIP | DEBUG | 641 | --- | |
| H.323/RAS Gatekeeper Reject | VOIP | VOIP | DEBUG | 629 | --- | |
| H.323/RAS Location Confirm | VOIP | VOIP | DEBUG | 630 | --- | |
| H.323/RAS Location Reject | VOIP | VOIP | DEBUG | 631 | --- | |
| H.323/RAS Registration Reject | VOIP | VOIP | DEBUG | 632 | --- | |
| H.323/RAS Unknown Message Response | VOIP | VOIP | DEBUG | 640 | --- | |
| H.323/RAS Unregistration Reject | VOIP | VOIP | DEBUG | 642 | --- | |
| HA packet processing error | High Availability | Maintenance | INFO | 162 | --- | SIMPLE |
| HA Peer Rebooted | High Availability | Maintenance | INFO | 668 | --- | SIMPLE |
| HA Peer Synchronized | High Availability | Maintenance | INFO | 157 | --- | SIMPLE |
| Hardware Failover settings were not upgraded. | event | Maintenance | INFO | 743 | --- | SIMPLE |
| Header verification failed | VPN IKE | UserActivity | WARN | 587 | --- | STD |
Heartbeat received from incompatible source HTTP management port has changed event Maintenance INFO 340 --- HTTP method detected; examining stream for host header Access TCP DEBUG 882 --- HTTPS management port has changed event Maintenance INFO 341 --- ICMP checksum error; packet dropped ICMP packet allowed ICMP packet dropped due to policy Access ICMP NOTICE 38 --- ICMP packet dropped no match Access ICMP NOTICE 523 --- ICMP packet from LAN allowed Access Debug INFO 598 --- ICMP packet from LAN LanICMP dropped Access LanTCP NOTICE 175 --- If not already enabled, enabling NTP is recommende d IGMP packet dropped, wrong checksum received on interface %s Multicast --- NOTICE 683 --- High Availability Maintenance INFO 163 --- UNUSED SIMPLE_NO TE_ STD_POLIC Y SIMPLE_NO TE_ Access UDP NOTICE 886 --- STD STD_POLIC Access Debug INFO 597 --- Y STD_POLIC Y STD_ICMP_ SERVICE STD_ICMP_ SERVICE STD_ICMP_ SERVICE Hardware System Error WARN 540 645 SIMPLE GE_ 44 SonicOS Log Event Reference Guide
| Log Event Message | SonicOS Category | Legacy Category | Priority Level | Log Msg ID Number | SNMP Trap Type | Log Event Type |
| --- | --- | --- | --- | --- | --- | --- |
| IGMP Leave group message Received on interface %s | Multicast | --- | INFO | 682 | --- | GE_ |
| IGMP packet dropped, decoding error | Multicast | --- | NOTICE | 686 | --- | STD |
| IGMP Packet Not handled. Packet type : %s | Multicast | --- | NOTICE | 687 | --- | GE_ |
| IGMP querier Router detected on interface %s | Multicast | --- | DEBUG | 701 | --- | GE_ |
| IGMP querier Router detected on VPN tunnel, SPI %S | Multicast | --- | DEBUG | 702 | --- | GE_ |
| IGMP state table entry time out,deleting interface : %s for multicast address : %s | Multicast | --- | DEBUG | 692 | --- | GE_ |
| IGMP state table entry time out,deleting VPN SPI :%s for Multicast address : %s | Multicast | --- | DEBUG | 693 | --- | GE_ |
| IGMP V2 client joined multicast Group : %s | Multicast | --- | INFO | 676 | --- | GE_ |
| IGMP V2 Membership report received from interface %s | Multicast | --- | DEBUG | 679 | --- | GE_ |
| IGMP V3 client joined multicast Group : %s | Multicast | --- | INFO | 677 | --- | GE_ |
| Log Event Message | SonicOS Category | Legacy Category | Priority Level | Log Msg ID Number | SNMP Trap Type | Log Event Type |
| --- | --- | --- | --- | --- | --- | --- |
| IGMP V3 Membership report received from interface %s | Multicast | --- | DEBUG | 678 | --- | GE_ |
| IGMP V3 packet dropped, unsupported Record type : %s | Multicast | --- | NOTICE | 688 | --- | GE_ |
| IGMP V3 record type : %s not Handled | Multicast | --- | DEBUG | 689 | --- | GE_ |
| IKE Initiator drop: VPN tunnel end point does not match configured VPN Policy Bound to scope | VPN IKE | UserActivity | INFO | 544 | --- | STD |
| IKE Initiator: Accepting IPsec proposal (Phase 2) | VPN IKE | UserActivity | INFO | 372 | --- | |
| IKE Initiator: Accepting peer lifetime. (Phase 1) | VPN IKE | UserActivity | INFO | 445 | --- | |
| IKE Initiator: Aggressive Mode complete (Phase 1). | VPN IKE | UserActivity | INFO | 354 | --- | |
| IKE Initiator: IKE proposal does not match (Phase 1) | VPN IKE | UserActivity | WARN | 937 | --- | |
| IKE Initiator: Main Mode complete (Phase 1) | VPN IKE | UserActivity | INFO | 353 | --- | |
| IKE Initiator: Proposed IKE ID mismatch | VPN IKE | UserActivity | WARN | 933 | --- | |
| Log Event Message | SonicOS Category | Legacy Category | Priority Level | Log Msg ID Number | SNMP Trap Type | Log Event Type |
| --- | --- | --- | --- | --- | --- | --- |
| IKE Initiator: Remote party timeout - Retransmitting IKE request. | VPN IKE | UserActivity | INFO | 930 | --- | |
| IKE Initiator: Start Aggressive Mode negotiation (Phase 1) | VPN IKE | UserActivity | INFO | 358 | --- | |
| IKE Initiator: Start Main Mode negotiation (Phase 1) | VPN IKE | UserActivity | INFO | 351 | --- | |
| IKE Initiator: Start Quick Mode (Phase 2). | VPN IKE | UserActivity | INFO | 346 | --- | |
| IKE Initiator: Using secondary gateway to negotiate | VPN IKE | UserActivity | INFO | 543 | --- | |
| IKE negotiation aborted due to timeout | VPN IKE | UserActivity | INFO | 403 | --- | |
| IKE negotiation complete. Adding IPsec SA. (Phase 2) | VPN IKE | UserActivity | INFO | 89 | --- | |
| IKE Responder drop: VPN tunnel end point does not match configured VPN Policy Bound to scope | VPN IKE | UserActivity | INFO | 545 | --- | STD |
| Log Event Message | SonicOS Category | Legacy Category | Priority Level | Log Msg ID Number | SNMP Trap Type | Log Event Type |
| --- | --- | --- | --- | --- | --- | --- |
| IKE Responder: %s policy does not allow static IP for Virtual Adapter. | VPN Client | System Error | ERROR | 660 | --- | GE_ |
| IKE Responder: Accepting IPsec proposal (Phase 2) | VPN IKE | UserActivity | INFO | 87 | --- | |
| IKE Responder: Aggressive Mode complete (Phase 1) | VPN IKE | UserActivity | INFO | 373 | --- | |
| IKE Responder: AH authentication algorithm does not match | VPN IKE | UserActivity | WARN | 920 | --- | |
| IKE Responder: AH authentication key length does not match | VPN IKE | UserActivity | WARN | 923 | --- | |
| IKE Responder: AH authentication key rounds does not match | VPN IKE | UserActivity | WARN | 926 | --- | |
| IKE Responder: AH Perfect Forward Secrecy mismatch | VPN IKE | UserActivity | WARN | 258 | 544 | |
| IKE Responder: Algorithms and/or keys do not match | VPN IKE | UserActivity | WARN | 260 | 546 | |
| Log Event Message | SonicOS Category | Legacy Category | Priority Level | Log Msg ID Number | SNMP Trap Type | Log Event Type |
| --- | --- | --- | --- | --- | --- | --- |
| IKE Responder: Client Policy has no VPN Access s assigned. Check Configuration. | VPN IKE | System Error | ERROR | 965 | --- | |
| IKE Responder: Default LAN gateway is not set but peer is proposing to use this SA as a default route | VPN IKE | Attack | ERROR | 516 | 553 | |
| IKE Responder: Default LAN gateway is set but peer is not proposing to use this SA as a default route | VPN IKE | UserActivity | WARN | 253 | 539 | |
| IKE Responder: ESP authentication algorithm does not match | VPN IKE | UserActivity | WARN | 922 | --- | |
| IKE Responder: ESP authentication key length does not match | VPN IKE | UserActivity | WARN | 925 | --- | |
| IKE Responder: ESP authentication key rounds does not match | VPN IKE | UserActivity | WARN | 928 | --- | |
| Log Event Message | SonicOS Category | Legacy Category | Priority Level | Log Msg ID Number | SNMP Trap Type | Log Event Type |
| --- | --- | --- | --- | --- | --- | --- |
| IKE Responder: ESP encryption algorithm does not match | VPN IKE | UserActivity | WARN | 921 | --- | |
| IKE Responder: ESP encryption key length does not match | VPN IKE | UserActivity | WARN | 924 | --- | |
| IKE Responder: ESP encryption key rounds does not match | VPN IKE | UserActivity | WARN | 927 | --- | |
| IKE Responder: ESP Perfect Forward Secrecy mismatch | VPN IKE | UserActivity | WARN | 259 | 545 | |
| IKE Responder: IKE Phase 1 exchange does not match | VPN IKE | UserActivity | ERROR | 1036 | --- | |
| IKE Responder: IKE proposal does not match (Phase 1) | VPN IKE | UserActivity | WARN | 402 | --- | |
| IKE Responder: IP Address already exists in the DHCP relay table. Client traffic not allowed. | VPN Client | System Error | ERROR | 659 | --- | |
| Log Event Message | SonicOS Category | Legacy Category | Priority Level | Log Msg ID Number | SNMP Trap Type | Log Event Type |
| --- | --- | --- | --- | --- | --- | --- |
| IKE Responder: IP Compression algorithm does not match | VPN IKE | UserActivity | WARN | 929 | --- | |
| IKE Responder: IPsec proposal does not match (Phase 2) | VPN IKE | UserActivity | WARN | 88 | 523 | |
| IKE Responder: IPsec protocol mismatch | VPN IKE | UserActivity | WARN | 932 | --- | |
| IKE Responder: Main Mode complete (Phase 1) | VPN IKE | UserActivity | INFO | 357 | --- | |
| IKE Responder: Mode %d - not transport mode. Xauth is required but not supported by peer. | VPN IKE | Debug | WARN | 342 | --- | GE_NUMBER |
| IKE Responder: Mode %d - not tunnel mode | VPN IKE | UserActivity | WARN | 249 | 535 | GE_NUMBER |
| IKE Responder: No match for proposed remote network address | VPN IKE | UserActivity | WARN | 252 | 538 | |
| Log Event Message | SonicOS Category | Legacy Category | Priority Level | Log Msg ID Number | SNMP Trap Type | Log Event Type |
| --- | --- | --- | --- | --- | --- | --- |
| IKE Responder: No matching Phase 1 ID found for proposed remote network | VPN IKE | UserActivity | WARN | 250 | 536 | |
| IKE Responder: Peer's destination network does not match VPN policy's <b>local </b> | VPN IKE | UserActivity | WARN | 935 | --- | |
| IKE Responder: Peer's local network does not match VPN policy's <b>destination </b> | VPN IKE | UserActivity | WARN | 934 | --- | |
| IKE Responder: Phase 1 n Method does not match | VPN IKE | UserActivity | WARN | 913 | --- | |
| IKE Responder: Phase 1 DH Group does not match | VPN IKE | UserActivity | WARN | 919 | --- | |
| IKE Responder: Phase 1 encryption algorithm does not match | VPN IKE | UserActivity | WARN | 914 | --- | |
IKE Responder: Phase 1 encryption algorithm keylength does not match VPN IKE UserActivity WARN 915 ---
IKE Responder: Phase 1 hash algorithm does not match VPN IKE UserActivity WARN 916 ---
IKE Responder: Phase 1 XAUTH required but policy has no user name VPN IKE UserActivity WARN 917 ---
IKE Responder: Phase 1 XAUTH required but policy has no user password VPN IKE UserActivity WARN 918 ---
IKE Responder: Proposed IKE ID mismatch VPN IKE System Error WARN 658 ---
IKE Responder: Proposed local network is 0.0.0.0 but SA has no LAN Default Gateway VPN IKE UserActivity WARN 418 549
IKE Responder: Proposed remote network is 0.0.0.0 but not DHCP relay nor default route VPN IKE UserActivity WARN 251 537
IKE Responder: Received Aggressive Mode request (Phase 1) VPN IKE UserActivity INFO 356 ---
IKE Responder: Received Main Mode request (Phase 1) VPN IKE UserActivity INFO 355 ---
IKE Responder: Received Quick Mode Request (Phase 2) VPN IKE UserActivity INFO 352 ---
IKE Responder: Remote party timeout - Retransmitting IKE request. VPN IKE UserActivity INFO 931 ---
IKE Responder: Route table overrides VPN policy VPN IKE UserActivity WARN 936 ---
IKE Responder: Tunnel terminates inside firewall but proposed local network is not inside firewall VPN IKE UserActivity WARN 255 541
IKE Responder: Tunnel terminates on DMZ but proposed local network is on LAN VPN IKE UserActivity WARN 256 542
IKE Responder: Tunnel terminates on LAN but proposed local network is on DMZ VPN IKE UserActivity WARN 257 543
IKE Responder: Tunnel terminates outside firewall but proposed local network is not NAT public address VPN IKE UserActivity WARN 254 540
IKE Responder: Tunnel terminates outside firewall but proposed remote network is not NAT public address VPN IKE UserActivity WARN 345 548
IKE SA lifetime expired. VPN IKE UserActivity INFO 350 ---
IKEv2 Accept IKE SA Proposal VPN IKE UserActivity INFO 943 ---
IKEv2 Accept IPsec SA Proposal VPN IKE UserActivity INFO 944 ---
IKEv2 n successful VPN IKE UserActivity INFO 942 ---
IKEv2 Decrypt packet failed VPN IKE UserActivity WARN 960 ---
IKEv2 Function sendto() failed to transmit packet. VPN IKE UserActivity ERROR 979 ---
IKEv2 IKE attribute not found VPN IKE UserActivity WARN 970 ---
IKEv2 IKE proposal does not match VPN IKE UserActivity WARN 981 ---
IKEv2 Initiator: Negotiations failed. Extra payloads present. VPN IKE UserActivity WARN 954 ---
IKEv2 Initiator: Negotiations failed. Invalid input state. VPN IKE UserActivity WARN 956 ---
IKEv2 Initiator: Negotiations failed. Invalid output state. VPN IKE UserActivity WARN 957 ---
IKEv2 Initiator: Negotiations failed. Missing required payloads. VPN IKE UserActivity WARN 955 ---
IKEv2 Initiator: Proposed IKE ID mismatch VPN IKE UserActivity WARN 980 ---
IKEv2 Initiator: Received CREATE_CHILD_SA response VPN IKE UserActivity INFO 975 ---
IKEv2 Initiator: Received IKE_AUTH response VPN IKE UserActivity INFO 974 ---
IKEv2 Initiator: Received IKE_SA_INT response VPN IKE UserActivity INFO 973 ---
IKEv2 Initiator: Remote party timeout - Retransmitting IKEv2 request. VPN IKE UserActivity INFO 972 ---
IKEv2 Initiator: Send CREATE_CHILD_SA request VPN IKE UserActivity INFO 945 ---
IKEv2 Initiator: Send IKE_AUTH request VPN IKE UserActivity INFO 940 ---
IKEv2 Initiator: Send IKE_SA_INIT request VPN IKE UserActivity INFO 938 ---
IKEv2 Invalid SPI size VPN IKE UserActivity WARN 966 ---
IKEv2 Invalid state VPN IKE UserActivity WARN 964 ---
IKEv2 IPsec attribute not found VPN IKE UserActivity WARN 969 ---
IKEv2 IPsec proposal does not match VPN IKE UserActivity WARN 968 ---
IKEv2 NAT device detected between negotiating peers VPN IKE UserActivity INFO 985 ---
IKEv2 negotiation complete VPN IKE UserActivity INFO 978 ---
IKEv2 No NAT device detected between negotiating peers VPN IKE UserActivity INFO 984 ---
IKEv2 Out of memory VPN IKE UserActivity WARN 961 ---
IKEv2 Payload processing error VPN IKE UserActivity WARN 953 ---
IKEv2 Payload validation failed. VPN IKE UserActivity WARN 958 ---
IKEv2 Peer is not responding. Negotiation aborted. VPN IKE UserActivity WARN 971 ---
IKEv2 Process Message queue failed VPN IKE UserActivity WARN 963 ---
IKEv2 Received delete IKE SA request VPN IKE UserActivity INFO 948 ---
IKEv2 Received delete IKE SA response VPN IKE UserActivity INFO 1015 ---
IKEv2 Received delete IPsec SA request VPN IKE UserActivity INFO 950 ---
IKEv2 Received delete IPsec SA response VPN IKE UserActivity INFO 1016 ---
IKEv2 Received notify error payload VPN IKE UserActivity WARN 983 ---
IKEv2 Received notify status payload VPN IKE UserActivity INFO 982 ---
IKEv2 Responder: Peer's destination network does not match VPN policy's <b>local </b> VPN IKE UserActivity INFO 951 ---
IKEv2 Responder: Peer's local network does not match VPN policy's <b>destination </b> VPN IKE UserActivity INFO 952 ---
IKEv2 Responder: Policy for remote IKE ID not found VPN IKE UserActivity ERROR 962 ---
IKEv2 Responder: Received CREATE_CHILD_SA request VPN IKE UserActivity INFO 946 ---
IKEv2 Responder: Received IKE_AUTH request VPN IKE UserActivity INFO 941 ---
IKEv2 Responder: Received IKE_SA_INIT request VPN IKE UserActivity INFO 939 ---
IKEv2 Responder: Send CREATE_CHILD_SA response VPN IKE UserActivity INFO 1012 ---
IKEv2 Responder: Send IKE_AUTH response VPN IKE UserActivity INFO 977 ---
IKEv2 Responder: Send IKE_SA_INIT response VPN IKE UserActivity INFO 976 ---
IKEv2 Send delete IKE SA request VPN IKE UserActivity INFO 947 ---
IKEv2 Send delete IKE SA response VPN IKE UserActivity INFO 1013 ---
IKEv2 Send delete IPsec SA request VPN IKE UserActivity INFO 949 ---
IKEv2 Send delete IPsec SA response VPN IKE UserActivity INFO 1014 ---
IKEv2 Unable to find IKE SA VPN IKE UserActivity WARN 959 ---
IKEv2 VPN Policy not found VPN IKE UserActivity WARN 967 ---
Illegal IPsec SPI VPN IPsec UserActivity INFO 65 ---
Imported HA hardware ID did not match this firewall High Availability Maintenance INFO 155 --- UNUSED
Imported VPN SA is invalid - disabled event Maintenance WARN 348 ---
Inbound connection from GRID-listed SMTP server dropped Anti-Spam --- NOTICE 1092 --- STD
Inbound connection from RBL-listed SMTP server dropped RBL --- NOTICE 798 --- STD
Incoming call received for Remotely Triggered Dial-out session n Access UserActivity INFO 817 --- SIMPLE
Incompatible IPsec Security Association VPN IPsec UserActivity INFO 69 ---
Incorrect authentication received for Remotely Triggered Dial-out n Access UserActivity INFO 819 --- SIMPLE
Ini Killer attack dropped Intrusion Detection Attack ALERT 80 519 STD
Interface %s Link Is Down event System Error ERROR 566 647
Interface %s Link Is Up event System Error WARN 565 646
Interface IP Assignment : Binding and initializing %s event Maintenance INFO 568 ---
Interface IP Assignment changed: Shutting down %s event Maintenance INFO 567 ---
Interface statistics report GMS --- INFO 805 ---
Internet Access restricted to authorized users. Dropped packet received in the clear. Wireless Invalid DNS Server will not be accepted by the dynamic client Invalid Product Code Upgrade request received: %s SIMPLE_INTERFACE_STATS TCP UDP ICMP WARN 532 --- UNUSED event --- INFO 1070 --- event --- ERROR 704 ---
Invalid VLAN packet dropped --- ALERT 836 ---
IP address conflict detected from ethernet address %s Maintenance WARN 847 ---
GE_ GE_
IP Header checksum error; packet dropped Access TCP UDP NOTICE 883 --- STD
IP spoof detected on packet to Central Gateway, packet dropped DHCP Relay Attack ERROR 229 533
IP spoof dropped Intrusion Detection Attack ALERT 23 502
IP type %s packet dropped Access LanUDP LanTCP NOTICE 590 ---
IPcomp connection interrupt IPcomp Debug DEBUG 651 --- STD
IPcomp packet dropped IPcomp TCP UDP ICMP NOTICE 652 ---
IPcomp packet dropped; waiting for pending IPcomp connection IPcomp Debug DEBUG 653 --- STD
IPS Detection Alert: %s Intrusion Detection Attack ALERT 608 569
IPS Detection Alert: %s Intrusion Detection Attack ALERT 789 6435
IPS Prevention Alert: %s Intrusion Detection Attack ALERT 609 570
IPS Prevention Alert: %s Intrusion Detection Attack ALERT 790 6436
IPsec (AH) packet dropped VPN IPsec TCP UDP ICMP NOTICE 534 ---
IPsec (AH) packet dropped; waiting for pending IPsec connection VPN IPsec Debug DEBUG 536 --- STD
Ethernet Ethernet GE_ STD_IDP_MESSAGE_STR GE_ STD_IDP_MESSAGE_STR GE_
IPsec (ESP) packet dropped VPN IPsec TCP UDP ICMP NOTICE 533 ---
IPsec (ESP) packet dropped; waiting for pending IPsec connection VPN IPsec Debug DEBUG 535 --- STD
IPsec n Failed VPN IPsec Attack ERROR 67 508
IPsec connection interrupt Access Debug DEBUG 43 --- STD
IPsec Decryption Failed VPN IPsec Attack ERROR 68 509
IPsec packet dropped Access TCP UDP ICMP NOTICE 40 --- STD
IPsec packet dropped; waiting for pending IPsec connection Access Debug DEBUG 42 --- STD
IPsec packet from an illegal host VPN IPsec Maintenance INFO 247 ---
IPsec packet from or to an illegal host VPN IPsec Attack ERROR 70 510
IPsec Replay Detected VPN IPsec Attack ALERT 180 531
IPsec SA lifetime expired. VPN IPsec UserActivity INFO 349 --- UNUSED
IPsecTunnel status changed VPN VPNTunnelStatus INFO 427 801 SIMPLE
ISDN Driver Firmware successfully updated event Maintenance INFO 493 --- SIMPLE
Issuer match failed VPN PKI UserActivity ALERT 278 --- SIMPLE_NOTE_
Java access denied Access BlockedCode NOTICE 19 --- BLOCKED
L2TP Connect Initiated by the User L2TP Client Maintenance INFO 216 --- UNUSED
L2TP Disconnect Initiated by the User L2TP Client Maintenance INFO 214 --- UNUSED
L2TP enabled but not ready Unused Maintenance INFO 500 --- SIMPLE
L2TP LCP Down L2TP Client Maintenance INFO 209 --- UNUSED
L2TP LCP Up L2TP Client Maintenance INFO 213 --- UNUSED
L2TP Max Retransmission Exceeded L2TP Client Maintenance INFO 203 --- SIMPLE
L2TP PPP n Failed L2TP Client Maintenance INFO 212 --- SIMPLE
L2TP PPP Down L2TP Client Maintenance INFO 211 --- SIMPLE
L2TP PPP link down L2TP Client Maintenance INFO 217 --- SIMPLE
L2TP PPP Negotiation Started L2TP Client Maintenance INFO 208 --- SIMPLE
L2TP PPP Session Up L2TP Client Maintenance INFO 210 --- SIMPLE
L2TP Server : Access from L2TP VPN Client Privilege not enabled for RADIUS Users. L2TP Server Maintenance INFO 343 --- UNUSED
L2TP Server : Deleting the L2TP active Session L2TP Server Maintenance INFO 337 ---
L2TP Server : Deleting the Tunnel L2TP Server Maintenance INFO 336 --- STD
L2TP Server : L2TP PPP Session Established. L2TP Server Maintenance INFO 310 --- UNUSED
L2TP Server : L2TP Session Established. L2TP Server Maintenance INFO 309 ---
L2TP Server : L2TP Tunnel Established. L2TP Server Maintenance INFO 308 ---
L2TP Server : Retransmission Timeout, Deleting the Tunnel L2TP Server Maintenance INFO 338 ---
L2TP Server : User Name authentication Failure locally. L2TP Server Maintenance INFO 344 ---
L2TP Server: Keep alive Failure. Closing Tunnel L2TP Server Maintenance INFO 320 --- UNUSED
L2TP Server: L2TP Remote terminated the PPP session L2TP Server Maintenance INFO 317 --- UNUSED
L2TP Server: L2TP Session Disconnect from the Remote. L2TP Server Maintenance INFO 316 --- UNUSED
L2TP Server: L2TP Tunnel Disconnect from the Remote. L2TP Server Maintenance INFO 315 --- UNUSED
L2TP Server: Local n Failure L2TP Server Maintenance INFO 312 ---
L2TP Server: Local n Success. L2TP Server Maintenance INFO 318 ---
L2TP Server: No IP address available in the Local IP Pool L2TP Server Maintenance INFO 314 --- UNUSED
L2TP Server: RADIUS/LDAP n Success L2TP Server Maintenance INFO 319 ---
L2TP Server: RADIUS/LDAP reports n Failure L2TP Server Maintenance INFO 311 ---
L2TP Server: RADIUS/LDAP server not assigned IP address L2TP Server Maintenance INFO 313 ---
L2TP Server: Call Disconnect from Remote. L2TP Server Maintenance INFO 334 ---
L2TP Server: Tunnel Disconnect from Remote. L2TP Server Maintenance INFO 335 ---
L2TP Session Disconnect from Remote L2TP Client Maintenance INFO 207 --- SIMPLE
L2TP Session Established L2TP Client Maintenance INFO 206 --- SIMPLE
L2TP Session Negotiation Started L2TP Client Maintenance INFO 202 --- SIMPLE
L2TP Tunnel Disconnect from Remote L2TP Client Maintenance INFO 205 --- SIMPLE
L2TP Tunnel Established L2TP Client Maintenance INFO 204 --- SIMPLE
L2TP Tunnel Negotiation %s L2TP Client --- INFO 1074 --- GE_
L2TP Tunnel Negotiation Started L2TP Client Maintenance INFO 201 --- SIMPLE
LAN Subnet configurations were not upgraded. event Maintenance INFO 741 --- SIMPLE
Land attack dropped Intrusion Detection Attack ALERT 27 505 STD
LDAP server does not allow CHAP RADIUS UserActivity WARN 758 --- STD_STRING_SERVICE
LDAP using non-administrative account - VPN client user will not be able to change passwords RADIUS System Error WARN 1011 ---
License exceeded: Connection dropped because too many IP addresses are in use on your LAN License of HA pair doesn't match: %s event System Error ERROR 58 608 STD SIMPLE_NOTE_ High Availability System Error ERROR 670 664
local range: None --- DEBUG 85 --- UNUSED
Locked-out user logins allowed - lockout period expired n Access UserActivity INFO 438 ---
Locked-out user logins allowed by administrator n Access UserActivity INFO 439 ---
Log (part None --- DEBUG 0 --- UNUSED
Log Cleared logging Maintenance INFO 5 --- SIMPLE
Log Debug event Debug ERROR 142 --- SIMPLE_STR
Log file from SonicWALL None --- DEBUG 2 --- UNUSED
Log full; deactivating SonicWALL logging System Error ERROR 7 601 UNUSED
Log successfully sent via email logging Maintenance INFO 6 --- SIMPLE
Login screen timed out n Access UserActivity INFO 34 --- STD_STRING_SERVICE
MAC address collides with Static ARP Entry with Bound MAC address; packet dropped --- NOTICE 814 ---
Machine %s removed from FIN flood blacklist Intrusion Detection Debug ALERT 903 ---
Machine %s removed from RST flood blacklist Intrusion Detection Debug ALERT 900 ---
Machine %s removed from SYN flood blacklist Intrusion Detection Debug ALERT 865 ---
Malformed or unhandled IP packet dropped Access Debug ALERT 522 554 Ethernet PROTOCOL
Maximum events per second threshold exceeded logging System Error CRITICAL 654 --- SIMPLE
Maximum number of Bandwidth Managed rules exceeded upon upgrade to this version. Some Bandwith settings ignored. event Maintenance NOTICE 541 --- UNUSED
Maximum sequential failed dial attempts (10) to a single dial-up number: %s PPP dialup Attack ERROR 591 566 GE_
Maximum syslog data per second threshold exceeded logging System Error CRITICAL 655 --- SIMPLE
Message blocked by Real-Time Email Scanner Anti-Spam --- INFO 1108 --- STD
MTU: None --- DEBUG 189 --- UNUSED
Multicast application %s not supported Multicast --- INFO 696 ---
Multicast packet dropped, Invalid src IP received on interface : %s Multicast --- ALERT 685 ---
Multicast packet dropped, wrong MAC address received on interface : %s Multicast --- ALERT 684 ---
Multicast TCP packet dropped Multicast --- NOTICE 691 --- STD
Multicast UDP packet dropped, no state entry Multicast --- NOTICE 690 --- STD
Multicast UDP packet dropped, RTCP stateful failed Multicast --- WARN 695 --- STD
Multicast UDP packet dropped, RTP stateful failed Multicast --- WARN 694 --- STD
Multiple DHCP Servers are detected on network event --- WARN 1068 ---
GE_ GE_ GE_
NAT could not remap incoming packet Unused System Error ERROR 44 606 UNUSED
NAT device may not support IPsec AH passthrough VPN IPsec Maintenance INFO 266 --- SIMPLE
NAT Discovery : No NAT/NAPT device detected between IPsec Security gateways VPN IKE UserActivity INFO 241 ---
NAT Discovery : Local IPsec Security Gateway behind a NAT/NAPT Device VPN IKE UserActivity INFO 240 ---
NAT Discovery : Peer IPsec Security Gateway behind a NAT/NAPT Device VPN IKE UserActivity INFO 239 ---
NAT Discovery : Peer IPsec Security Gateway doesn't support VPN NAT Traversal VPN IKE UserActivity INFO 242 ---
NAT translated packet exceeds size limit, packet dropped Debug DEBUG 339 --- STD
Net Spy attack dropped Intrusion Detection Attack ALERT 74 513 STD
NetBIOS settings were not upgraded. Use >IP Helper to configure NetBIOS support event Maintenance INFO 740 --- SIMPLE
NetBus attack dropped Intrusion Detection Attack ALERT 72 511 STD
for interface %s overlaps with another interface. event Maintenance INFO 569 ---
Modem Mode Disabled: reenabling NAT PPP dialup Maintenance INFO 531 --- SIMPLE
Modem Mode Enabled: turning off NAT PPP dialup Maintenance INFO 530 --- SIMPLE
Monitor Policy %s Added Monitor --- INFO 1104 ---
Monitor Policy %s Deleted Monitor --- INFO 1105 ---
Monitor Policy %s Modified Monitor --- INFO 1106 ---
Monitor: Host %s is offline Monitor --- ALERT 706 14005
Monitor: Host %s is online Monitor --- ALERT 707 14006
Monitor: Host %s status is UNKNOWN Monitor --- ALERT 1103 14004
Monitor: Policy %s status is DOWN Monitor --- ALERT 1101 14002
Monitor: Policy %s status is UNKNOWN Monitor --- ALERT 1102 14003
Monitor: Policy %s status is UP Monitor --- ALERT 1100 14001
New firmware available. event Maintenance INFO 198 --- UNUSED
New URL List loaded Security Services Maintenance INFO 8 --- SIMPLE
Newsgroup access allowed Access BlockedSites NOTICE 17 704 BLOCKED
Newsgroup access denied Access BlockedSites NOTICE 15 702 BLOCKED
No Certificate for VPN PKI UserActivity ALERT 280 --- SIMPLE_NOTE_
No HOST tag found in HTTP request Access Debug DEBUG 52 --- UNUSED
No ICMP redirect sent Unused Debug DEBUG 47 --- UNUSED
No new URL List available Security Services Maintenance INFO 9 --- SIMPLE
No response from ISP Disconnecting PPPoE. PPPoE Maintenance INFO 169 --- SIMPLE
No response from PPTP server to call requests PPTP Maintenance INFO 431 --- SIMPLE
No response from PPTP server to control connection requests PPTP Maintenance INFO 430 --- SIMPLE
No response from server to Echo Requests, disconnecting PPTP Tunnel PPTP Maintenance INFO 429 --- SIMPLE
No valid DNS server specified for GRID lookups Anti-Spam --- ERROR 1094 --- SIMPLE
No valid DNS server specified for RBL lookups RBL --- ERROR 800 --- SIMPLE
Non-config mode GUI administration session started n Access UserActivity INFO 997 ---
Not all configurations may have been completely upgraded event Maintenance INFO 612 --- SIMPLE
Not enough memory to hold the CRL VPN PKI UserActivity WARN 272 --- SIMPLE
Obtained Relay IP Table from Remote Gateway DHCP Relay Maintenance INFO 233 --- STD
OCSP Failed to Resolve Domain Name. VPN PKI UserActivity ERROR 853 ---
OCSP Internal error handling received response. VPN PKI UserActivity ERROR 854 ---
OCSP received response error. VPN PKI UserActivity ERROR 851 ---
OCSP received response. VPN PKI UserActivity INFO 850 ---
OCSP Resolved Domain Name. VPN PKI UserActivity INFO 852 ---
OCSP send request message failed. VPN PKI UserActivity ERROR 849 ---
OCSP sending request. VPN PKI UserActivity INFO 848 ---
OCSP unused/spare Unused --- DEBUG 855 --- UNUSED
Outbound connection to GRID-listed SMTP server dropped Anti-Spam --- NOTICE 1091 --- STD
Outbound connection to RBL-listed SMTP server dropped RBL --- NOTICE 797 --- STD
Out-of-order command packet dropped Access Debug DEBUG 48 --- STD
Overriding Product Code Upgrade to: %s event --- ERROR 705 ---
Packet destination not in VPN Access list VPN IPsec Attack ERROR 648 572
Packet Dropped - IP TTL expired Debug WARN 910 ---
Packet dropped by guest check Access TCP UDP ICMP WARN 488 --- STD
Packet dropped by WLAN SSL-VPN enforcement check Wireless TCP UDP ICMP WARN 732 ---
Packet dropped by WLAN VPN traversal check Wireless TCP UDP ICMP WARN 495 --- GE_
Packet dropped. No firewall rule associated with VPN policy. VPN System Error ALERT 739 ---
Packet dropped; connection limit for this destination IP address has been reached event System Error ALERT 647 5239
Packet dropped; connection limit for this source IP address has been reached event System Error ALERT 646 5238
Payload processing failed VPN IKE Debug ERROR 616 ---
PC Card inserted. Rebooting. Hardware --- ALERT 1054 5419
PC Card removed. Rebooting. Hardware --- ALERT 1053 5418
PC Card: No device detected Hardware --- ALERT 1056 ---
Peer firewall rebooting (%s) High Availability --- INFO 1057 ---
Physical environment normal Hardware --- INFO 1042 5424 SIMPLE
Ping of death dropped Intrusion Detection Attack ALERT 22 501 STD
PKI Error: VPN PKI Maintenance ERROR 417 --- UNUSED
PKI Failure VPN PKI Maintenance ERROR 447 --- UNUSED
PKI Failure: CA certificates store exceeded. Cannot verify this Local Certificate VPN PKI Maintenance ERROR 453 --- SIMPLE
PKI Failure: Cannot allocate memory VPN PKI Maintenance ERROR 449 --- SIMPLE
PKI Failure: Certificate's ID does not match this SonicWALL VPN PKI Maintenance ERROR 455 --- SIMPLE
PKI Failure: Duplicate local certificate VPN PKI Maintenance ERROR 458 --- SIMPLE
PKI Failure: Duplicate local certificate name VPN PKI Maintenance ERROR 457 --- SIMPLE
PKI Failure: Import failed VPN PKI Maintenance ERROR 451 --- SIMPLE
PKI Failure: Improper file format. Please select PKCS#12 (*.p12) file VPN PKI Maintenance ERROR 454 --- SIMPLE
PKI Failure: Incorrect admin password VPN PKI Maintenance ERROR 452 --- SIMPLE
PKI Failure: Internal error VPN PKI Maintenance ERROR 460 --- SIMPLE
PKI Failure: Loaded but could not verify certificate VPN PKI Maintenance ERROR 469 --- SIMPLE
PKI Failure: Loaded the certificate but could not verify it's chain VPN PKI Maintenance ERROR 470 --- SIMPLE
PKI Failure: No CA certificates yet loaded VPN PKI Maintenance ERROR 459 --- SIMPLE
PKI Failure: Output buffer too small VPN PKI Maintenance ERROR 448 --- SIMPLE
PKI Failure: public-private key mismatch VPN PKI Maintenance ERROR 456 --- SIMPLE
PKI Failure: Reached the limit for local certificates, cant load any more VPN PKI Maintenance ERROR 450 --- SIMPLE
PKI Failure: Temporary memory shortage, try again VPN PKI Maintenance ERROR 461 --- SIMPLE
PKI Failure: The certificate chain has no root VPN PKI Maintenance ERROR 464 --- SIMPLE
PKI Failure: The certificate chain is circular VPN PKI Maintenance ERROR 462 --- SIMPLE
PKI Failure: The certificate chain is incomplete VPN PKI Maintenance ERROR 463 --- SIMPLE
PKI Failure: The certificate or a certificate in the chain has a bad signature VPN PKI Maintenance ERROR 468 --- SIMPLE
PKI Failure: The certificate or a certificate in the chain has a validity period in the future VPN PKI Maintenance ERROR 466 --- SIMPLE
PKI Failure: The certificate or a certificate in the chain has expired VPN PKI Maintenance ERROR 465 --- SIMPLE
PKI Failure: The certificate or a certificate in the chain is corrupt VPN PKI Maintenance ERROR 467 --- SIMPLE
Please connect interface %s to another network to function properly event Maintenance INFO 570 ---
Please manually check all system configurations for correctness of Upgrade event Maintenance INFO 613 --- SIMPLE
Port configured to receive IPsec protocol ONLY; drop packet received in the clear Access TCP UDP ICMP WARN 347 ---
Possible DNS rebind attack detected Intrusion Detection --- ALERT 1098 6465
Possible FIN Flood on IF %s Intrusion Detection Debug ALERT 905 ---
Possible FIN Flood on IF %s continues Intrusion Detection Debug WARN 909 ---
Possible FIN Flood on IF %s has ceased Intrusion Detection Debug ALERT 907 ---
Possible port scan detected Intrusion Detection Attack ALERT 82 521
Possible RST Flood on IF %s Intrusion Detection Debug ALERT 904 ---
Possible RST Flood on IF %s continues Intrusion Detection Debug WARN 908 ---
Possible RST Flood on IF %s has ceased Intrusion Detection Debug ALERT 906 ---
Possible SYN flood attack detected Intrusion Detection Attack WARN 25 503 STD
Possible SYN flood detected on WAN IF %s - switching to connection-proxy mode Intrusion Detection Debug ALERT 859 ---
Possible SYN Flood on IF %s Intrusion Detection Debug ALERT 860 ---
Possible SYN Flood on IF %s continues Intrusion Detection Debug WARN 866 ---
Possible SYN Flood on IF %s has ceased Intrusion Detection Debug ALERT 867 ---
Power supply without redundancy Hardware --- ERROR 1043 5425 SIMPLE
PPP Dial-Up: Connect request canceled PPP dialup UserActivity INFO 306 --- SIMPLE
PPP Dial-Up: Connected at %s bps - starting PPP PPP dialup UserActivity INFO 286 ---
PPP Dial-Up: Connection disconnected as scheduled. PPP dialup --- INFO 666 --- STD
PPP Dial-Up: Dial initiated by %s PPP dialup Maintenance INFO 324 --- GE_
PPP Dial-Up: Dialed number did not answer PPP dialup UserActivity INFO 285 --- SIMPLE
PPP Dial-Up: Dialed number is busy PPP dialup UserActivity INFO 284 --- SIMPLE
PPP Dial-Up: Dialing not allowed by schedule. %s PPP dialup --- INFO 665 --- GE_
PPP Dial-Up: Dialing: %s PPP dialup UserActivity INFO 281 ---
PPP Dial-Up: Failed to get IP address PPP dialup UserActivity INFO 298 --- UNUSED
PPP Dial-Up: Idle time limit exceeded - disconnecting PPP dialup UserActivity INFO 297 --- SIMPLE
PPP Dial-Up: Initialization : %s PPP dialup UserActivity INFO 303 ---
PPP Dial-Up: Invalid DNS IP address returned from Dial-Up ISP; overriding using dial-up profile settings PPP dialup Maintenance INFO 811 --- SIMPLE
PPP Dial-Up: Link carrier lost PPP dialup UserActivity INFO 288 --- SIMPLE
PPP Dial-Up: Manual intervention needed. Check Primary Profile or Profile details PPP dialup UserActivity INFO 321 --- SIMPLE
PPP Dial-Up: Maximum connection time exceeded - disconnecting PPP dialup UserActivity INFO 327 --- SIMPLE
PPP Dial-Up: No dialtone detected - check phoneline connection PPP dialup UserActivity INFO 282 --- SIMPLE
PPP Dial-Up: No link carrier detected - check phone number PPP dialup UserActivity INFO 283 --- SIMPLE
PPP Dial-Up: No peer IP address from Dial-Up ISP, local and remote IPs will be the same PPP dialup Maintenance INFO 481 --- SIMPLE
PPP Dial-Up: PPP link down PPP dialup UserActivity INFO 301 --- SIMPLE
PPP Dial-Up: PPP link established PPP dialup UserActivity INFO 300 --- SIMPLE
PPP Dial-Up: PPP negotiation failed - disconnecting PPP dialup UserActivity INFO 296 --- UNUSED
PPP Dial-Up: Previous session was connected for %s PPP dialup UserActivity INFO 542 ---
PPP Dial-Up: Received new IP address PPP dialup UserActivity INFO 299 --- STD
PPP Dial-Up: Shutting down link PPP dialup UserActivity INFO 302 --- SIMPLE
PPP Dial-Up: Starting PPP PPP dialup --- INFO 1037 ---
PPP Dial-Up: Startup without Ethernet cable, will try to dial on outbound traffic PPP dialup UserActivity INFO 323 --- UNUSED
PPP Dial-Up: The profile in use disabled VPN networking. PPP dialup Maintenance INFO 330 --- SIMPLE
PPP Dial-Up: Trying to failover but Alternate Profile is manual Wan Failover UserActivity INFO 434 --- SIMPLE
PPP Dial-Up: Trying to failover but Primary Profile is manual PPP dialup UserActivity INFO 322 --- SIMPLE
PPP Dial-Up: Unknown dialing failure PPP dialup UserActivity INFO 287 --- SIMPLE
PPP Dial-Up: User requested connect PPP dialup UserActivity INFO 305 --- SIMPLE
PPP Dial-Up: User requested disconnect PPP dialup UserActivity INFO 304 --- SIMPLE
PPP Dial-Up: VPN networking restored. PPP dialup Maintenance INFO 331 --- SIMPLE
PPP message: %s PPP System Environment INFO 1018 ---
PPP: n successful PPP UserActivity INFO 289 --- SIMPLE
PPP: CHAP authentication failed - check username / password PPP UserActivity INFO 291 --- SIMPLE
PPP: MS-CHAP authentication failed - check username / password PPP UserActivity INFO 292 --- SIMPLE
PPP: PAP n failed - check username / password PPP UserActivity INFO 290 --- SIMPLE
GE_
PPP: Starting CHAP authentication PPP UserActivity INFO 294 --- SIMPLE
PPP: Starting MS-CHAP authentication PPP UserActivity INFO 293 --- SIMPLE
PPP: Starting PAP authentication PPP UserActivity INFO 295 --- SIMPLE
PPPoE terminated PPPoE Maintenance INFO 130 --- SIMPLE
PPPoE CHAP n Failed PPPoE Maintenance INFO 136 --- UNUSED
PPPoE Client: Previous session was connected for %s PPPoE Maintenance INFO 738 ---
PPPoE discovery process complete PPPoE Maintenance INFO 133 --- SIMPLE
PPPoE enabled but not ready PPPoE Maintenance INFO 499 --- SIMPLE
PPPoE LCP Link Down PPPoE Maintenance INFO 129 --- SIMPLE
PPPoE LCP Link Up PPPoE Maintenance INFO 128 --- SIMPLE
PPPoE Connected PPPoE Maintenance INFO 131 --- SIMPLE
PPPoE Disconnected PPPoE Maintenance INFO 132 --- SIMPLE
PPPoE PAP n Failed PPPoE Maintenance INFO 137 --- UNUSED
PPPoE PAP n Failed. Please verify PPPoE username and password PPPoE Maintenance INFO 167 --- UNUSED
PPPoE PAP n success. PPPoE Maintenance INFO 166 --- UNUSED
PPPoE password changed by Administrator n Access UserActivity INFO 515 --- UNUSED
PPPoE starting CHAP n PPPoE Maintenance INFO 134 --- SIMPLE
PPPoE starting PAP n PPPoE Maintenance INFO 135 --- UNUSED
PPPoE user name changed by Administrator n Access UserActivity INFO 514 --- UNUSED
PPTP enabled but not ready PPTP Maintenance INFO 501 --- SIMPLE
PPTP CHAP n Failed. Please verify PPTP username and password PPTP Maintenance INFO 394 --- UNUSED
PPTP Connect Initiated by the User PPTP Maintenance INFO 390 ---
PPTP Control Connection Established PPTP Maintenance INFO 378 --- SIMPLE
PPTP Control Connection Negotiation Started PPTP Maintenance INFO 375 --- SIMPLE
PPTP decode failure PPTP Debug DEBUG 596 --- STD
PPTP Disconnect Initiated by the User PPTP Maintenance INFO 388 ---
PPTP LCP Down PPTP Maintenance INFO 383 --- UNUSED
PPTP LCP Up PPTP Maintenance INFO 387 --- UNUSED
PPTP Max Retransmission Exceeded PPTP Maintenance INFO 377 --- UNUSED
PPTP packet dropped Access TCP UDP ICMP NOTICE 39 --- UNUSED
PPTP PAP n Failed PPTP Maintenance INFO 395 --- UNUSED
PPTP PAP n Failed. Please verify PPTP username and password PPTP Maintenance INFO 397 --- UNUSED
PPTP PAP n success. PPTP Maintenance INFO 396 --- SIMPLE
PPTP PPP n Failed PPTP Maintenance INFO 386 --- UNUSED
PPTP PPP Down PPTP Maintenance INFO 385 --- SIMPLE
PPTP PPP link down PPTP Maintenance INFO 391 --- UNUSED
PPTP PPP Link down PPTP Maintenance INFO 399 --- SIMPLE
PPTP PPP Link Finished PPTP Maintenance INFO 400 --- SIMPLE
PPTP PPP Link Up PPTP Maintenance INFO 398 --- SIMPLE
PPTP PPP Negotiation Started PPTP Maintenance INFO 382 --- SIMPLE
PPTP PPP Session Up PPTP Maintenance INFO 384 --- SIMPLE
PPTP Server is not responding, check if the server is UP and running. PPTP Maintenance INFO 444 --- SIMPLE
PPTP server rejected control connection PPTP Maintenance INFO 432 --- SIMPLE
PPTP server rejected the call request PPTP Maintenance INFO 433 --- SIMPLE
PPTP Session Disconnect from Remote PPTP Maintenance INFO 381 --- SIMPLE
PPTP Session Established PPTP Maintenance INFO 380 --- SIMPLE
PPTP Session Negotiation Started PPTP Maintenance INFO 376 --- SIMPLE
PPTP starting CHAP n PPTP Maintenance INFO 392 --- SIMPLE
PPTP starting PAP n PPTP Maintenance INFO 393 --- SIMPLE
PPTP Tunnel Disconnect from Remote PPTP Maintenance INFO 379 --- SIMPLE
Primary firewall has transitioned to Active High Availability Maintenance ALERT 144 --- SIMPLE
Primary firewall has transitioned to Idle High Availability System Error ALERT 146 614 SIMPLE
Primary firewall preempting Backup High Availability System Error ERROR 153 620 SIMPLE
Primary firewall rebooting itself as it transitioned from Active to Idle while Preempt High Availability --- INFO 1058 --- SIMPLE
Primary missed heartbeats from Backup High Availability System Error ERROR 148 615 SIMPLE
Primary received error signal from Backup High Availability System Error ERROR 150 617 SIMPLE
Primary received heartbeat from wrong source High Availability Maintenance INFO 160 --- UNUSED
Primary received reboot signal from Backup High Availability System Error ERROR 671 665 SIMPLE
Primary WAN link down, Backup going Active High Availability System Error ERROR 220 634 UNUSED
Primary WAN link down, Primary going Idle High Availability Maintenance INFO 218 --- UNUSED
Primary WAN link up, preempting Backup High Availability Maintenance INFO 221 --- UNUSED
Priority attack dropped Intrusion Detection Attack ALERT 79 518 STD
Probable port scan detected Intrusion Detection Attack ALERT 83 522
Probable TCP FIN scan detected Intrusion Detection Attack ALERT 177 528
Probable TCP NULL scan detected Intrusion Detection Attack ALERT 179 530
Probable TCP XMAS scan detected Intrusion Detection Attack ALERT 178 529
Probing failure on %s Wan Failover System Error ALERT 326 637 GE_
Probing succeeded on %s Wan Failover System Error ALERT 436 638 GE_
Problem loading the URL List; Appliance not registered. Security Services System Error ERROR 183 623 SIMPLE
Problem loading the URL List; check Filter settings Security Services System Error ERROR 10 602
Problem loading the URL List; check your DNS server Security Services System Error ERROR 11 603 SIMPLE
Problem loading the URL List; Flash write failure. Security Services System Error ERROR 187 627 SIMPLE
Problem loading the URL List; Retrying later. Security Services System Error ERROR 186 626 STD
Problem loading the URL List; Subscription expired. Security Services System Error ERROR 184 624 STD
Problem loading the URL List; Try loading it again. Security Services System Error ERROR 185 625 SIMPLE
Problem occurred during user group membership retrieval n Access UserActivity WARN 1033 ---
Problem sending log email; check log settings logging System Error WARN 12 604 SIMPLE
Processed Email received from Email Security Service Anti-Spam --- INFO 1096 --- STD
Protocol: None --- DEBUG 525 --- UNUSED
Read-only mode GUI administration session started n Access UserActivity INFO 996 --- CODE
Real time clock battery failure Time values may be incorrect Hardware System Error WARN 539 644 SIMPLE
RealAudio decode failure Unused Debug DEBUG 50 --- UNUSED
Received a path MTU icmp message from router/gateway UserActivity INFO 182 ---
Received a path MTU icmp message from router/gateway UserActivity INFO 188 ---
Received Application Alert: Your SonicWALL Application subscription has expired. Security Services Maintenance WARN 1034 8635 SIMPLE
Received AV Alert: %s Security Services Maintenance WARN 125 524
Received AV Alert: Your SonicWALL Anti-Virus subscription has expired. %s Security Services Maintenance WARN 159 526
Received AV Alert: Your SonicWALL Anti-Virus subscription will expire in 7 days. %s Security Services Maintenance WARN 482 552
SPI MTU
Received CFS Alert: Your SonicWALL Content Filtering subscription has expired. Security Services Maintenance WARN 490 563 SIMPLE
Received CFS Alert: Your SonicWALL Content Filtering subscription will expire in 7 days. Security Services Maintenance WARN 489 562 SIMPLE
Received DHCP offer packet has errors DHCP Client Maintenance INFO 588 ---
Received E-Mail Filter Alert: Your SonicWALL E-Mail Filtering subscription has expired. Security Services Maintenance WARN 492 565 SIMPLE
Received E-Mail Filter Alert: Your SonicWALL E-Mail Filtering subscription will expire in 7 days. Security Services Maintenance WARN 491 564 SIMPLE
Received fragmented packet or fragmentation needed Debug DEBUG 63 --- STD
Received IKE SA delete request VPN IKE UserActivity INFO 413 ---
Received IPS Alert: Your SonicWALL Intrusion Prevention (IDP) subscription has expired. Security Services Maintenance WARN 614 571 SIMPLE
Received IPsec SA delete request VPN IKE UserActivity INFO 412 ---
Received ISAKMP packet destined to port %s VPN IKE Debug UDP INFO 607 ---
Received LCP Echo Reply PPPoE Maintenance INFO 723 --- SIMPLE
Received LCP Echo Request PPPoE Maintenance INFO 721 --- SIMPLE
Received notify. NO_PROPOSAL_CHOSEN VPN IKE UserActivity WARN 401 ---
Received notify: INVALID_COOKIES VPN IKE UserActivity INFO 414 ---
Received notify: INVALID_ID_INFO VPN IPsec UserActivity WARN 483 ---
Received notify: INVALID_PAYLOAD VPN IKE UserActivity ERROR 661 ---
Received notify: INVALID_SPI VPN IKE UserActivity INFO 416 ---
Received notify: ISAKMP_AUTH_FAILED VPN IKE UserActivity WARN 409 ---
Received notify: PAYLOAD_MALFORMED VPN IKE UserActivity WARN 411 ---
GE_
Received notify: RESPONDER_LIFETIME VPN IKE UserActivity INFO 415 ---
Received packet retransmission. Drop duplicate packet VPN IKE UserActivity WARN 406 ---
Received PPPoE Active Discovery Offer PPPoE Maintenance INFO 593 --- SIMPLE
Received PPPoE Active Discovery Session_confirmation PPPoE Maintenance INFO 594 --- SIMPLE
Received response packet for DHCP request has errors DHCP Client Maintenance INFO 589 ---
Received unencrypted packet in crypto active state VPN IKE UserActivity WARN 605 ---
Regulatory requirements prohibit %s from being re-dialed for 30 minutes PPP dialup Attack ERROR 592 567 GE_
Released IP address %s DHCP Server --- INFO 1111 ---
remote range: None --- DEBUG 86 --- UNUSED
Remotely Triggered Dial-out session ended. Valid WAN bound data found. Normal dialup sequence will commence n Access UserActivity INFO 822 --- SIMPLE
Remotely Triggered Dial-out session started. Requesting authentication n Access UserActivity INFO 818 --- SIMPLE
Removed host entry from dynamic address object Dynamic Address Objects Maintenance INFO 912 ---
Request for Relay IP Table from Central Gateway DHCP Relay Maintenance INFO 230 --- STD
Requesting CRL from VPN PKI UserActivity INFO 269 ---
Requesting Relay IP Table from Remote Gateway DHCP Relay Maintenance INFO 231 --- STD
Restarting SonicWALL; dumping log to email event Maintenance INFO 13 --- UNUSED
SIMPLE_NOTE_
Retransmitting DHCP DISCOVER. DHCP Client Maintenance INFO 99 ---
Retransmitting DHCP REQUEST (Rebinding). DHCP Client Maintenance INFO 102 ---
Retransmitting DHCP REQUEST (Rebooting). DHCP Client Maintenance INFO 103 ---
Retransmitting DHCP REQUEST (Renewing). DHCP Client Maintenance INFO 101 ---
Retransmitting DHCP REQUEST (Requesting). DHCP Client Maintenance INFO 100 ---
Retransmitting DHCP REQUEST (Verifying). DHCP Client Maintenance INFO 104 ---
RIP Broadcasts for LAN %s are being broadcast over dialupconnection RIP Maintenance INFO 571 --- UNUSED
RIP disabled on DMZ interface RIP Maintenance INFO 423 --- UNUSED
RIP disabled on interface %s RIP Maintenance INFO 419 ---
RIP disabled on WAN interface RIP Maintenance INFO 552 --- UNUSED
Ripper attack dropped Intrusion Detection Attack ALERT 76 515 STD
RIPv1 enabled on DMZ interface RIP Maintenance INFO 424 --- UNUSED
RIPv1 enabled on interface %s RIP Maintenance INFO 420 ---
RIPv1 enabled on WAN interface RIP Maintenance INFO 553 --- UNUSED
RIPv2 compatibility (broadcast) mode enabled on DMZ interface RIP Maintenance INFO 426 --- UNUSED
RIPv2 compatibility (broadcast) mode enabled on interface %s RIP Maintenance INFO 422 ---
RIPv2 compatibility (broadcast) mode enabled on WAN interface RIP Maintenance INFO 555 --- UNUSED
RIPv2 enabled on DMZ interface RIP Maintenance INFO 425 --- UNUSED
RIPv2 enabled on interface %s RIP Maintenance INFO 421 ---
RIPv2 enabled on WAN interface RIP Maintenance INFO 554 --- UNUSED
Router IGMP General query received on interface %s Multicast --- DEBUG 680 ---
Router IGMP Membership query received on interface %s Multicast --- DEBUG 681 ---
RST Flood Blacklist on IF %s continues Intrusion Detection Debug WARN 899 ---
RST-Flooding machine %s blacklisted Intrusion Detection Debug ALERT 898 ---
GE_ GE_
Rule None --- DEBUG 59 --- UNUSED
SA is disabled. Check VPN SA settings VPN IKE UserActivity INFO 407 --- UNUSED
SCEP Client: %s VPN PKI --- NOTICE 1097 ---
Sending DHCP DISCOVER. DHCP Client Maintenance INFO 105 ---
Sending DHCP RELEASE. DHCP Client Maintenance INFO 122 ---
Sending DHCP REQUEST (Rebinding). DHCP Client Maintenance INFO 116 ---
Sending DHCP REQUEST (Rebooting). DHCP Client Maintenance INFO 117 ---
Sending DHCP REQUEST (Renewing). DHCP Client Maintenance INFO 115 ---
Sending DHCP REQUEST (Verifying). DHCP Client Maintenance INFO 118 ---
Sending DHCP REQUEST. DHCP Client Maintenance INFO 108 ---
Sending LCP Echo Reply PPPoE Maintenance INFO 722 --- SIMPLE
Sending LCP Echo Request PPPoE Maintenance INFO 720 --- SIMPLE
Sending PPPoE Active Discovery Request PPPoE Maintenance INFO 595 --- SIMPLE
Senna Spy attack dropped Intrusion Detection Attack ALERT 78 517 STD
Sent Relay IP Table to Central Gateway DHCP Relay Maintenance INFO 232 --- STD
Settings Import: %s event --- INFO 1049 ---
SIP Register expiration exceeds configured Signaling inactivity time out VOIP VOIP WARN 645 ---
SIP Request VOIP VOIP DEBUG 643 ---
SIP Response VOIP VOIP DEBUG 644 ---
SMTP authentication problem:%s logging System Error WARN 737 --- GE_
SMTP connection limit is reached. Connection is dropped. Anti-Spam --- WARN 1087 --- SIMPLE
SMTP POP-Before-SMTP authentication failed logging System Error WARN 656 --- SIMPLE
SMTP server found on RBL blacklist RBL --- NOTICE 799 ---
SMTP server found on Reject List Anti-Spam --- NOTICE 1093 ---
Smurf Amplification attack dropped Intrusion Detection Attack ALERT 81 520 STD
SonicPoint Provision SonicPoint SonicPoint INFO 727 --- SIMPLE_NOTE_
SonicPoint statistics report GMS --- INFO 806 --- SIMPLE_SONICPOINT_STATS
SonicPoint Status SonicPoint SonicPoint INFO 667 --- SIMPLE_NOTE_
SonicPointN Provision SonicPointN --- INFO 1078 --- SIMPLE_NOTE_
SonicPointN Status SonicPointN --- INFO 1077 --- SIMPLE_NOTE_
SonicWALL activated event Maintenance ALERT 4 --- SIMPLE
SonicWALL initializing event Maintenance INFO 521 --- SIMPLE
SonicWALL SSO agent is down CIA UserActivity ALERT 1075 ---
SonicWALL SSO agent is up CIA UserActivity ALERT 1076 ---
SonicWALL SSO agent returned domain name too long CIA UserActivity WARN 993 ---
SonicWALL SSO agent returned error CIA UserActivity WARN 1073 ---
SonicWALL SSO agent returned user name too long CIA UserActivity WARN 992 ---
Source IP address connection status: %s event --- INFO 734 ---
Source routed IP packet dropped Intrusion Detection Debug WARN 428 --- STD
GE_
Source: None --- DEBUG 56 --- UNUSED
Spank attack multicast packet dropped Intrusion Detection Attack ALERT 606 568 STD
SPI: None --- DEBUG 71 --- UNUSED
SSL Control: Certificate chain not complete Access BlockedSites INFO 1006 ---
SSL Control: Certificate with invalid date Access BlockedSites INFO 1002 ---
SSL Control: Certificate with MD5 Digest Signature Algorithm Access BlockedSites INFO 1081 ---
SSL Control: Failed to decode Server Hello Access BlockedSites INFO 1007 ---
SSL Control: HTTPS via SSL2 Access BlockedSites INFO 1001 ---
SSL Control: Self-signed certificate Access BlockedSites INFO 1003 ---
SSL Control: Untrusted CA Access BlockedSites INFO 1005 ---
SSL Control: Weak cipher being used Access BlockedSites INFO 1004 ---
SSL Control: Website found in blacklist Access BlockedSites INFO 999 ---
SSL Control: Website found in whitelist Access BlockedSites INFO 1000 ---
SSL VPN zone remote user login allowed n Access --- INFO 1080 --- STD_STRING_SERVICE
SSL-VPN enforcement Wireless Maintenance INFO 733 --- SIMPLE_NOTE_
Starting IKE negotiation VPN IKE UserActivity INFO 90 ---
Starting PPPoE discovery PPPoE Maintenance INFO 127 --- SIMPLE
Status GMS Maintenance EMERGENCY 96 --- SIMPLE_GMS_STATUS
Striker attack dropped Intrusion Detection Attack ALERT 77 516 STD
Sub Seven attack dropped Intrusion Detection Attack ALERT 75 514 STD
Success to reach Interface %s probe High Availability System Error INFO 674 ---
Successful authentication received for Remotely Triggered Dial-out n Access UserActivity INFO 820 --- SIMPLE
Successfully sent %s file to remote backup server event Maintenance INFO 1065 ---
Successfully sent Preference file to remote backup server event Maintenance INFO 1061 --- SIMPLE
Successfully sent TSR file to remote backup server event Maintenance INFO 1063 --- SIMPLE
SYN Flood Blacklist on IF %s continues Intrusion Detection Debug WARN 868 ---
SYN Flood blacklisting disabled by user Intrusion Detection Debug WARN 863 --- STD
SYN Flood blacklisting enabled by user Intrusion Detection Debug WARN 862 --- STD
SYN flood ceased or flooding machines blacklisted - connection proxy disabled Intrusion Detection Debug ALERT 861 --- STD
SYN Flood Mode changed by user to: Always proxy WAN connections Intrusion Detection Debug WARN 858 --- STD
SYN Flood Mode changed by user to: Watch and proxy WAN connections when under attack Intrusion Detection Debug WARN 857 --- STD
SYN Flood Mode changed by user to: Watch and report possible SYN floods Intrusion Detection Debug WARN 856 --- STD
SYN unused/spare Unused --- DEBUG 870 --- UNUSED
SYN unused/spare Unused --- DEBUG 871 --- UNUSED
Synchronizing preferences to HA Peer High Availability Maintenance INFO 673 --- SIMPLE
SYN-Flooding machine %s blacklisted Intrusion Detection Debug ALERT 864 ---
Syslog Server cannot be reached Maintenance INFO 657 --- STD
System clock manually updated logging --- NOTICE 881 --- SIMPLE_NOTE_
System shutdown by administrator. Power cycle required. event --- ALERT 1067 5242 SIMPLE
TCP checksum error; packet dropped Access TCP NOTICE 884 --- STD
TCP connection abort received; TCP connection dropped Debug DEBUG 713 ---
TCP connection dropped Access TCP NOTICE 36 ---
TCP connection from LAN denied Access LanTCP NOTICE 173 ---
TCP connection reject received; TCP connection dropped Debug DEBUG 712 ---
TCP FIN packet dropped Debug DEBUG 181 --- STD
TCP handshake violation detected; TCP connection dropped Access --- NOTICE 760 ---
STD_POLICY STD_SERVICE
TCP packet received on a closing connection; TCP packet dropped Debug DEBUG 891 ---
TCP packet received on non-existent/closed connection; TCP packet dropped Debug DEBUG 888 ---
TCP packet received with invalid ACK number; TCP packet dropped Debug DEBUG 709 ---
TCP packet received with invalid header length; TCP packet dropped Debug DEBUG 887 ---
TCP packet received with invalid MSS option length; TCP packet dropped Debug DEBUG 894 ---
TCP packet received with invalid option length; TCP packet dropped Debug DEBUG 895 ---
TCP packet received with invalid SACK option length; TCP packet dropped Debug DEBUG 893 ---
TCP packet received with invalid SEQ number; TCP packet dropped Debug DEBUG 708 ---
TCP packet received with invalid source port; TCP packet dropped Debug DEBUG 896 ---
TCP packet received with invalid SYN Flood cookie; TCP packet dropped Debug INFO 897 ---
TCP packet received with invalid Window Scale option length; TCP packet dropped Debug DEBUG 1030 ---
TCP packet received with invalid Window Scale option value; TCP packet dropped Debug DEBUG 1031 ---
TCP packet received with nonpermitted option; TCP packet dropped Debug DEBUG 1029 ---
TCP packet received with SYN flag on an existing connection; TCP packet dropped Debug INFO 892 ---
TCP packet received without mandatory ACK flag; TCP packet dropped Debug DEBUG 890 ---
TCP packet received without mandatory SYN flag; TCP packet dropped Debug DEBUG 889 ---
TCP stateful inspection: Bad header; TCP packet dropped Debug DEBUG 711 --- UNUSED
TCP stateful inspection: Invalid flag; TCP packet dropped Debug INFO 710 --- UNUSED
TCP SYN received Intrusion Detection Debug DEBUG 869 --- STD
TCP Syn/Fin packet dropped Access Attack ALERT 580 558
TCP Xmas Tree dropped Intrusion Detection Attack ALERT 267 547 STD
The cache is full; %u open connections; some will be dropped event System Error ERROR 53 607 GE_NUMBER
The current WAN interface is not ready to route packets. event System Error ERROR 325 635 UNUSED
The loaded content URL List has expired. Security Services System Error ERROR 190 628 SIMPLE
The network connection in use is %s Wan Failover System Error WARN 307 639
GE_
The preferences file is too large to be saved in available flash memory event System Error WARN 573 649 SIMPLE
Thermal Red Hardware System Environment ALERT 578 104 SIMPLE
Thermal Red Timer Exceeded Hardware System Environment ALERT 579 105 SIMPLE
Thermal Yellow Hardware System Environment ALERT 577 103 SIMPLE
Time of day settings for firewall policies were not upgraded. event Maintenance INFO 742 --- SIMPLE
Too many gratuitous ARPs detected --- WARN 815 --- SIMPLE
Type: None --- DEBUG 55 --- UNUSED
UDP checksum error; packet dropped Access UDP NOTICE 885 --- STD
UDP packet dropped Access UDP NOTICE 37 --- STD_POLICY
UDP packet from LAN dropped Access LanUDP LanTCP NOTICE 174 --- STD_SERVICE
Unable to download IPS/GAV/Anti-Spyware Signature database. must first be restarted to free memory used by downloaded firmware. Unused --- WARN 873 --- SIMPLE
Unable to resolve dynamic address object Dynamic Address Objects Maintenance INFO 880 ---
Unable to send message to dial-up task PPP dialup System Error ERROR 1024 ---
Unknown IPsec SPI VPN IPsec Attack ERROR 66 507 UNUSED
Unknown protocol dropped Access Debug NOTICE 41 ---
Unknown reason VPN PKI UserActivity ERROR 275 --- SIMPLE
Unprocessed email received from MTA on Inbound SMTP port Anti-Spam --- INFO 1095 --- STD
unused/spare Unused --- DEBUG 736 --- UNUSED
unused/spare Unused --- DEBUG 764 --- UNUSED
unused/spare Unused --- DEBUG 765 --- UNUSED
unused/spare Unused --- DEBUG 767 --- UNUSED
unused/spare Unused --- DEBUG 768 --- UNUSED
unused/spare Unused --- DEBUG 770 --- UNUSED
unused/spare Unused --- DEBUG 771 --- UNUSED
unused/spare Unused --- DEBUG 772 --- UNUSED
unused/spare Unused --- DEBUG 786 --- UNUSED
unused/spare Unused --- DEBUG 787 --- UNUSED
unused/spare Unused --- DEBUG 788 --- UNUSED
unused/spare Unused --- DEBUG 791 --- UNUSED
unused/spare Unused --- DEBUG 792 --- UNUSED
unused/spare Unused --- DEBUG 801 --- UNUSED
unused/spare Unused --- DEBUG 802 --- UNUSED
unused/spare Unused --- DEBUG 803 --- UNUSED
unused/spare Unused --- DEBUG 804 --- UNUSED
unused/spare Unused --- DEBUG 807 --- UNUSED
unused/spare Unused --- DEBUG 808 --- UNUSED
User logged out n Access UserActivity INFO 263 ---
User logged out - inactivity timer expired n Access UserActivity INFO 265 ---
User logged out - logout reported by SSO agent n Access UserActivity INFO 1008 ---
User logged out - max session time exceeded n Access UserActivity INFO 264 ---
User logged out - user disconnect detected (heartbeat timer expired) n Access UserActivity INFO 24 ---
User login denied - insufficient access on LDAP server RADIUS UserActivity WARN 750 ---
STD_STRING_SERVICE STD_STRING_SERVICE
User login denied - invalid credentials on LDAP server RADIUS UserActivity WARN 749 --- STD_STRING_SERVICE
User login denied - LDAP authentication failure RADIUS UserActivity INFO 745 --- STD_STRING_SERVICE
User login denied - LDAP communication problem RADIUS UserActivity WARN 748 --- STD_STRING_SERVICE
User login denied - LDAP directory mismatch RADIUS UserActivity WARN 757 --- STD_STRING_SERVICE
User login denied - LDAP schema mismatch RADIUS UserActivity WARN 751 --- STD_STRING_SERVICE
User login denied - LDAP server certificate not valid RADIUS UserActivity WARN 755 --- STD_STRING_SERVICE
User login denied - LDAP server down or misconfigured RADIUS UserActivity WARN 747 --- STD_STRING_SERVICE
User login denied - LDAP server name resolution failed RADIUS UserActivity WARN 753 --- STD_STRING_SERVICE
User login denied - LDAP server timeout RADIUS UserActivity WARN 746 --- STD_STRING_SERVICE
User login denied - not allowed by policy rule n Access UserActivity INFO 986 --- STD_STRING_SERVICE
User login denied - not found locally n Access UserActivity INFO 987 --- STD_STRING_SERVICE
User login denied - password doesn't meet constraints n Access --- INFO 1048 --- STD_STRING_SERVICE
User login denied - password expired n Access UserActivity INFO 1035 --- STD_STRING_SERVICE
User login denied - RADIUS authentication failure RADIUS UserActivity INFO 243 --- STD_STRING_SERVICE
User login denied - RADIUS communication problem RADIUS UserActivity WARN 744 --- STD_STRING_SERVICE
User login denied - RADIUS configuration error RADIUS UserActivity WARN 245 --- STD_STRING_SERVICE
User login denied - RADIUS server name resolution failed RADIUS UserActivity WARN 754 --- STD_STRING_SERVICE
User login denied - RADIUS server timeout RADIUS UserActivity WARN 244 --- STD_STRING_SERVICE
User login denied - SonicWALL SSO agent communication problem n Access UserActivity WARN 990 --- STD_STRING_SERVICE
User login denied - SonicWALL SSO agent configuration error n Access UserActivity WARN 989 --- STD_STRING_SERVICE
User login denied - SonicWALL SSO agent name resolution failed n Access UserActivity WARN 991 ---
User login denied - SonicWALL SSO agent timeout n Access UserActivity WARN 988 ---
User login denied - TLS or local certificate problem RADIUS UserActivity WARN 756 ---
User login denied - user already logged in n Access UserActivity INFO 759 ---
User login denied - User has no privileges for guest service n Access UserActivity INFO 486 ---
User login denied - User has no privileges for login from that location n Access UserActivity INFO 246 ---
User login denied due to bad credentials n Access UserActivity INFO 32 ---
User login denied due to bad credentials n Access UserActivity INFO 33 ---
User login disabled from %s n Access Attack ERROR 583 559
User login failed - Guest service limit reached n Access UserActivity INFO 549 ---
STD_STRING_SERVICE STD_STRING_SERVICE STD_STRING_SERVICE STD_STRING_SERVICE STD_STRING_SERVICE STD_STRING_SERVICE STD_STRING_SERVICE GE_
User login failure rate exceeded - logins from user IP address denied n Access Attack ERROR 329 561
User login from an internal zone allowed n Access UserActivity INFO 31 --- STD_STRING_SERVICE
Using LDAP without TLS - highly insecure RADIUS System Error ALERT 1010 --- SIMPLE
Virtual Access Point is disabled SonicPoint 80211bMgmt INFO 731 --- SIMPLE_NOTE_
Virtual Access Point is enabled SonicPoint 80211bMgmt INFO 730 --- SIMPLE_NOTE_
VLAN unused/spare Unused --- DEBUG 837 --- UNUSED
VLAN unused/spare Unused --- DEBUG 838 --- UNUSED
VLAN unused/spare Unused --- DEBUG 839 --- UNUSED
VOIP %s Endpoint added VOIP VOIP DEBUG 637 ---
VOIP %s Endpoint not added - configured 'public' endpoint limit reached VOIP VOIP WARN 639 ---
VOIP %s Endpoint removed VOIP VOIP DEBUG 638 ---
VOIP Call Connected VOIP VOIP INFO 622 ---
VOIP Call Disconnected VOIP VOIP INFO 623 ---
Voltages Out of Tolerance Hardware System Environment ERROR 575 101 SIMPLE
VPN Cleanup: Dynamic network settings change VPN UserActivity INFO 471 --- STD
VPN Client Policy Provisioning VPN Client UserActivity INFO 371 ---
VPN disabled by administrator n Access Maintenance INFO 506 --- SIMPLE
VPN disabled for active dial up Unused Maintenance INFO 503 --- SIMPLE
VPN enabled by administrator n Access Maintenance INFO 507 --- SIMPLE
VPN Log Debug VPN IKE Debug INFO 172 --- GE_
VPN Policy Added VPN --- INFO 1050 ---
VPN policy count received exceeds the limit; %s VPN System Error ERROR 719 ---
VPN Policy Deleted VPN --- INFO 1051 ---
VPN Policy Modified VPN --- INFO 1052 ---
VPN TCP FIN VPN VPNStat INFO 195 --- UNUSED
VPN TCP PSH VPN VPNStat INFO 196 --- UNUSED
VPN TCP SYN VPN VPNStat INFO 194 --- UNUSED
VPN zone administrator login allowed n Access UserActivity INFO 235 --- STD_STRING_SERVICE
VPN zone remote user login allowed n Access UserActivity INFO 237 --- STD_STRING_SERVICE
WAN Interface not setup event Maintenance INFO 498 --- SIMPLE
Wan IP Changed event System Error WARN 138 636 STD
WAN node exceeded: Connection dropped because too many IP addresses are in use on your LAN event System Error ERROR 812 --- STD
WAN not ready event Maintenance INFO 502 --- SIMPLE
WAN zone administrator login allowed n Access UserActivity INFO 236 --- STD_STRING_SERVICE
WAN zone remote user login allowed n Access UserActivity INFO 238 --- STD_STRING_SERVICE
WARN: Central Gateway does not have a Relay IP Address. DHCP message dropped. DHCP Relay Maintenance INFO 472 --- UNUSED
WARN: DHCP lease relayed from Central Gateway conflicts with IP in Static Devices list DHCP Relay Maintenance INFO 227 ---
Web access request dropped Access TCP NOTICE 524 --- STD_POLICY
Web management request allowed Access UserActivity NOTICE 526 --- STD_SERVICE
Web site access allowed Access BlockedSites NOTICE 16 703 BLOCKED
Web site access denied Access BlockedSites ERROR 14 701 BLOCKED
WiFiSec Enforcement disabled by administrator n Access Maintenance INFO 510 --- UNUSED
WiFiSec Enforcement enabled by administrator n Access Maintenance INFO 511 --- UNUSED
Wireless MAC Filter List disabled by administrator n Access Maintenance INFO 513 --- SIMPLE
Wireless MAC Filter List enabled by administrator n Access Maintenance INFO 512 --- SIMPLE
WLAN client null probing WLAN IDS WLAN IDS WARN 615 904
WLAN disabled by administrator n Access Maintenance INFO 508 --- SIMPLE
WLAN disabled by schedule n Access Maintenance INFO 728 --- SIMPLE
WLAN enabled by administrator n Access Maintenance INFO 509 --- SIMPLE
WLAN enabled by schedule n Access Maintenance INFO 729 --- SIMPLE
WLAN firmware image has been updated Wireless Maintenance INFO 487 ---
WLAN max concurrent users reached already Access --- INFO 726 --- SIMPLE_STR
WLAN not in AP mode, DHCP server will not provide lease to clients on WLAN Wireless Maintenance INFO 617 --- SIMPLE
WLAN radio frequency threat detected RFManagement --- WARN 879 ---
WLAN Reboot Hardware System Error ERROR 517 642
WLAN recovery Wireless Maintenance INFO 519 ---
WLAN sequence number out of order WLAN IDS WLAN IDS WARN 547 902
WLB Failback initiated by %s Wan Failover System Error ALERT 435 652
SIMPLE_NOTE_ SIMPLE_NOTE_ SIMPLE_STR SIMPLE_NOTE_ GE_
WLB Failover in progress Wan Failover System Error ALERT 584 651 STD
WLB Resource failed Wan Failover System Error ALERT 586 654 STD
WLB Resource is now available Wan Failover System Error ALERT 585 653 STD
WLB Spillover started, configured threshold exceeded Wan Failover Maintenance WARN 581 --- SIMPLE
WLB Spillover stopped Wan Failover Maintenance WARN 582 --- SIMPLE
WPA MIC Failure Wireless 80211bMgmt WARN 663 ---
WPA RADIUS Server Timeout Wireless 80211bMgmt INFO 664 ---
XAUTH Failed with VPN client, n failure VPN Client UserActivity ERROR 140 ---
XAUTH Failed with VPN client, Cannot Contact RADIUS Server VPN Client UserActivity INFO 141 ---
XAUTH Succeeded with VPN client VPN Client UserActivity INFO 139 ---
SIMPLE_NOTE_ SIMPLE_NOTE_
Your SonicWALL Anti-Spam Service subscription has expired. Anti-Spam --- WARN 1086 --- SIMPLE
Index of Syslog Tag Field Description

This section provides an alphabetical listing of Syslog tags and the associated field description.

Tag | Field | Description
<ddd> | Syslog message prefix | The beginning of each syslog message has a string of the form <ddd> where ddd is a decimal number indicating facility and priority of the message. (See [1] Section 4.1.1)
arg | URL | Used to render a URL: arg represents the URL path name part.
bcastrx | Interface statistics report | Displays the broadcast packets received
bcasttx | Interface statistics report | Displays the broadcast packets transmitted
bytesrx | Interface statistics report | Displays the bytes received
bytestx | Interface statistics report | Displays the bytes transmitted
c | Message category (legacy only) | Indicates the legacy category number (Note: We are not currently sending new category information.)
change | Configuration change webpage | Displays the basename of the firewall web page that performed the last configuration change
code | Blocking code | Indicates the CFS block code category
code | ICMP type and code | Indicates the ICMP code
conns | status report | Indicates the number of connections in use
cpuutil | status report | Displays the CPU utilization (not in use)
dst | Destination | Destination IP address, and optionally, port, network interface, and resolved name.
dstname | Destination URL | Displays the URL of web site hit and other legacy destination strings
dstname | URL | Used to render a URL: dstname represents the URL host part
dyn | status report | Displays the HA and dialup connection state (rendered as h.d where h is n (not enabled), b (backup), or p (primary) and d is 1 (enabled) or 0 (disabled))
fw | WAN IP | Indicates the WAN IP Address
fwlan | status report | Indicates the LAN zone IP address
goodrxbytes | SonicPoint statistics report | Indicates the well formed bytes received
goodtxbytes | SonicPoint statistics report | Indicates the well formed bytes transmitted
i | status report | Displays the GMS message interval in seconds
id=firewall | Webtrends prefix | Syntactic sugar for WebTrends (and GMS by habit)
if | Interface statistics report | Displays the interface on which statistics are reported
ipscat | IPS message | Displays the IPS category
ipspri | IPS message | Displays the IPS priority
lic | status report | Indicates the number of licenses for firewalls with limited modes
m | Message ID | Provides the message ID number
mac | MAC address | Provides the MAC address
msg | Static message | Displays the event message (from spreadsheet)
msg | Dynamically-defined message | Displays a dynamically defined message string
msg | Static message with dynamic string | Displays a message using the predefined message string containing a %s and a dynamic string argument.
msg | Static message with dynamic number | Displays a message using the predefined string containing a %s and a dynamic numeric argument.
msg | IPS message | Displays a message using the predefined message string containing a %s and a dynamic string argument.
msg | Anti-Spyware message | Displays the event message (from spreadsheet)
n | Message count | Indicates the number of times event occurs
op | HTTP OP code | Displays the HTTP operation (GET, POST, etc.) of web site hit
pri | Message priority | Displays the event priority level (0=emergency..7=debug)
proto | IP protocol | Indicates the IP protocol and detail information
proto | Protocol and service | Displays the protocol information (rendered as proto/service)
pt | status report | Displays the HTTP/HTTPS management port (rendered as hhh.sss)
radio | SonicPoint statistics report | Displays the SonicPoint radio on which event occurred
ramutil | status report | Displays the RAM utilization (not in use)
rcvd | Bytes received | Indicates the number of bytes received within connection
result | HTTP Result code | Displays the HTTP result code (200, 403, etc.) of web site hit
rule | Rule ID | Displays the Access Rule number causing packet drop
sent | Bytes sent | Displays the number of bytes sent within connection
sid | IPS message | Provides the IPS signature ID
sid | Anti-Spyware message | Provides the AntiSpyware signature ID
sn | serial number | Indicates the device serial number
spycat | Anti-Spyware message | Displays the antispyware category
spypri | Anti-Spyware message | Displays the AntiSpyware priority
src | Source | Indicates the source IP address, and optionally, port, network interface, and resolved name.
station | SonicPoint statistics report | Displays the client (station) on which event occurred
time | Time | Reports the time of event
type | ICMP type and code | Indicates the ICMP type
ucastrx | Interface statistics report | Displays the unicast packets received
ucasttx | Interface statistics report | Displays the unicast packets transmitted
unsynched | status report | Reports the time since last local change in seconds
usesstandbysa | status report | Displays whether standby SA is in use (1 or 0) for GMS management
usr (or user) | User | Displays the user name (user is the tag used by WebTrends)
vpnpolicy | VPN policy name | Displays the VPN policy name of event
SonicWALL, Inc.
1143 Borregas Avenue, Sunnyvale CA 94089-1306
T +1 408.745.9600 F +1 408.745.9300 www.sonicwall.com
P/N: 232-001771-00 Rev A, 07/09
2009 descriptions subject to change without notice. 07/07 SW 145
PROTECTION AT THE SPEED OF BUSINESS