LogLogic McAfee Firewall Enterprise (Sidewinder) Log Configuration Guide




Document Release: September 2011
Part Number: LL600046-00ELS900001

This manual supports LogLogic Sidewinder Release 1.2 and later, and LogLogic Software Release 5.1 and later, until replaced by a new edition.

Copyright 2011 LogLogic, Inc. Proprietary Information

Trademarks
This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc. LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice
The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

LogLogic, Inc.
110 Rose Orchard Way, Suite 200
San Jose, CA 95134
Tel: +1 408 215 5900
Fax: +1 408 774 1752
U.S. Toll Free: 888 347 3883
http://www.loglogic.com

Contents

Preface
    About This Guide ...................................... 5
    Technical Support ..................................... 5
    Documentation Support ................................. 5
    Conventions ........................................... 6
Chapter 1 Configuring LogLogic's Sidewinder Log Collection
    Introduction to Sidewinder ............................ 7
    Prerequisites ......................................... 8
    Configuring Sidewinder ................................ 8
    Enabling the LogLogic Appliance to Capture Data ....... 11
        Adding a Sidewinder Device ........................ 11
    Verifying the Configuration ........................... 12
Chapter 2 How LogLogic Supports Sidewinder
    How LogLogic Captures Sidewinder Data ................. 14
        LogLogic Real-Time Reports ........................ 15
        LogLogic Search Filter-Based Reports .............. 15
Chapter 3 Troubleshooting and FAQ
    Troubleshooting ....................................... 18
    Frequently Asked Questions ............................ 19
Appendix A Reference
    LogLogic Support for Sidewinder Events ................ 21

McAfee Firewall Enterprise (Sidewinder) Log Configuration Guide 3


Preface

About This Guide

The LogLogic Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for McAfee Firewall Enterprise (Sidewinder) enables LogLogic Appliances to capture logs from machines running Sidewinder. Once the logs are captured and parsed, you can generate reports and create alerts on Sidewinder's operations. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.

To reach LogLogic Customer Support:
    Telephone:  Toll Free 1-800-957-LOGS
                Local 1-408-834-7480
                EMEA or APAC: +44 (0) 207 1170075 or +44 (0) 8000 669970
    Email:      support@loglogic.com

You can also visit the LogLogic Support website at: http://www.loglogic.com/services/support.

When contacting Customer Support, be prepared to provide:
    - Your name, email address, phone number, and fax number
    - Your company name and company address
    - Your machine type and release version
    - A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send e-mail to DocComments@loglogic.com if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team. In your e-mail message, please indicate the software name and version you are using, as well as the title and document date of your documentation.

Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:

    - A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).
    - A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:
          username: system
          home directory: home\app
    - A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:
          LogLogic_home_directory\upgrade\
    - Straight brackets signal options in command-line syntax. For example:
          ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path...]

Chapter 1 Configuring LogLogic's Sidewinder Log Collection

This chapter describes the configuration steps involved to enable a LogLogic Appliance to capture Sidewinder logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Sidewinder-related log data.

    Introduction to Sidewinder ............................ 7
    Prerequisites ......................................... 8
    Configuring Sidewinder ................................ 8
    Enabling the LogLogic Appliance to Capture Data ....... 11
    Verifying the Configuration ........................... 12

Introduction to Sidewinder

Sidewinder (also known as Secure Firewall) is a hardware appliance that contains the following features:
    - Application-layer firewall
    - VPN functionality
    - Web filtering
    - Anti-spam/Anti-fraud functionality
    - Anti-virus/Anti-spyware filtering engines

The logs produced by Sidewinder include events from all of its application functions (i.e., firewall, VPN, Web filtering, etc.) as well as local auditing of the Sidewinder appliance itself (e.g., appliance configuration changes, logins, daemon errors, etc.).

Sidewinder appliances can generate audit log messages via Syslog using a variety of log formats. The LogLogic Appliance supports Syslog Sidewinder firewall events using the Sidewinder Export Format (SEF). The LogLogic Appliance acts as the Syslog Server for Sidewinder, and Sidewinder sends SEF-formatted Syslog messages via UDP or TCP to the Appliance's Syslog Listener.

The configuration procedures for Sidewinder and the LogLogic Appliance depend upon your environment. For more information, see How LogLogic Captures Sidewinder Data on page 14.

Prerequisites

Prior to configuring Sidewinder and the LogLogic Appliance, ensure that you meet the following prerequisites:
    - Secure Computing Sidewinder appliances running version 6.1, 6.2.x, or 7.0
    - Proper access permissions to make configuration changes
    - LogLogic Appliance running Release 5.1 or later, installed with a Log Source Package that includes Sidewinder support
    - Administrative access on the LogLogic Appliance
    - McAfee Firewall Enterprise (Sidewinder) appliances running version 7.0

Configuring Sidewinder

You must enable and configure auditing and Syslog on Sidewinder prior to configuring the LogLogic Appliance.

Note: This document does not describe all features and functionality within Sidewinder regarding configuration and Syslog. For more information on these areas, see the McAfee Support Knowledge Base (http://mysupport.mcafee.com) and the McAfee Product Documentation.

To configure Sidewinder version 6.1:

1. Make sure that the auditing and syslog daemons are stopped on the Sidewinder host machine.
2. On Sidewinder, navigate to the following location: /etc/sidewinder/
3. Open the auditd.conf file in a text editor and add the following line to the end of the file:
       syslog(facility filters["filter"] format)
   where:
       facility   Facility level associated with the Syslog message (e.g., local0-local7)
       filter     Name of the sacap filter to use for all the events. If this parameter is set to NULL, then all audit events are reported to the log.
                  Note: Depending on load and network traffic, a more restrictive filter than NULL might be needed. For more information on sacap filters, see the McAfee Product Documentation.
       format     Output format. Make sure this is set to SEF (Sidewinder Export Format, used by Sidewinder G2 Security Reporter).
   For example:
       syslog(local0 filters["null"] SEF)
4. Open the syslogd.conf file in a text editor and modify the default burb entry (log_burb[0]) to the correct burb.
5. Navigate to the following location: /etc/

6. Open the syslog.conf file in a text editor and add the following line to the file:
       facility.* @x.x.x.x
   where:
       facility   The same facility level you specified in auditd.conf above
       x.x.x.x    IP address of the remote Syslog Server (i.e., the LogLogic Appliance)
   For example:
       local0.* @10.2.1.149
7. Restart the auditing and syslog daemons by completing the following steps:
   a. Find the Syslog Process Identifier (PID) using the pss syslog command.
   b. Restart the syslogd and audit processes by using the following commands:
          kill syslogpid
          /usr/sbin/syslogd -l
          cf server restart auditd

To configure Sidewinder version 6.2.x:

1. Make sure that the auditing and syslog daemons are stopped on the Sidewinder host machine.
2. Navigate to the following location: /etc/sidewinder/
3. Open the auditd.conf file in a text editor and add the following line to the end of the file:
       syslog(facility filters["filter"] format)
   where:
       facility   Facility level associated with the Syslog message (e.g., local0-local7)
       filter     Name of the sacap filter to use for all the events. If this parameter is set to NULL, then all audit events are reported to the log.
                  Note: Depending on load and network traffic, a more restrictive filter than NULL might be needed. For more information on sacap filters, see the McAfee Product Documentation.
       format     Output format. Make sure this is set to SEF (Sidewinder Export Format, used by Sidewinder G2 Security Reporter).
   For example:
       syslog(local0 filters["null"] SEF)
4. Navigate to the following location: /etc/
5. Open the syslog.conf file in a text editor and add the following line to the file:
       facility.* @x.x.x.x
   where:
       facility   The same facility level you specified in auditd.conf above
       x.x.x.x    IP address of the remote Syslog Server (i.e., the LogLogic Appliance)
   For example:
       local0.* @10.2.1.149

6. Restart the auditing and syslog daemons by completing the following steps:
   a. Find the Syslog Process Identifier (PID) using the pss syslog command.
   b. Restart the syslogd and audit processes by using the following commands:
          kill -HUP syslogpid
          /usr/sbin/syslogd -l
          cf server restart auditd

To configure Sidewinder version 7.0:

1. Make sure that the auditing and syslog daemons are stopped on the Sidewinder host machine.
2. Navigate to the following location: /secureos/etc/
3. Open the auditd.conf file in a text editor and add the following line to the end of the file:
       syslog(facility filters["filter"] format)
   where:
       facility   Facility level associated with the Syslog message (e.g., local0-local7)
       filter     Name of the sacap filter to use for all the events. If this parameter is set to NULL, then all audit events are reported to the log.
                  Note: Depending on load and network traffic, a more restrictive filter than NULL might be needed. For more information on sacap filters, see the McAfee Product Documentation.
       format     Output format. Make sure this is set to SEF (Sidewinder Export Format, used by Sidewinder G2 Security Reporter).
   For example:
       syslog(local0 filters["null"] SEF)
4. Navigate to the following location: /etc/
5. Open the syslog.conf file in a text editor and add the following line to the file:
       facility.* @x.x.x.x
   where:
       facility   The same facility level you specified in auditd.conf above
       x.x.x.x    IP address of the remote Syslog Server (i.e., the LogLogic Appliance)
   For example:
       local0.* @10.2.1.149
6. In the syslog.conf file, change this line:
       *.notice;auth,...uucp.none /var/log/messages
   to this:
       *.notice;auth,...uucp,facility.none /var/log/messages
   Changing this line prevents redundant logging: the facility you forward to the LogLogic Appliance is no longer also written to the local messages file.
7. Restart the auditing and syslog daemons by using the following commands:
       cf daemond restart agent=syslog
       cf daemond restart agent=auditd
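The three settings the procedure above touches have to agree with each other: the facility in the auditd.conf syslog() line must be the one the syslog.conf forwarding rule selects, the format must be SEF, and (step 6 of the 7.0 procedure) the local /var/log/messages rule should exclude that facility. The following Python check is an added example, not part of the LogLogic guide; the file excerpts, the collector address and the function names are assumptions.

```python
import re

# Constructed excerpt of auditd.conf after step 3. This is an assumed sample,
# not a copy of a real appliance's file.
AUDITD_CONF = """\
# /etc/sidewinder/auditd.conf (constructed excerpt)
syslog(local0 filters["null"] SEF)
"""

# syslog.conf as it looks after step 5: the local messages rule still accepts
# local0, so every event is written locally as well as forwarded (constructed).
SYSLOG_CONF_BEFORE = """\
# /etc/syslog.conf (constructed excerpt, before step 6)
*.notice;auth,uucp.none /var/log/messages
local0.* @10.2.1.149
"""

# syslog.conf after step 6: local0.none keeps the forwarded facility out of
# /var/log/messages, which is what removes the redundant logging (constructed).
SYSLOG_CONF_AFTER = """\
# /etc/syslog.conf (constructed excerpt, after step 6)
*.notice;auth,uucp,local0.none /var/log/messages
local0.* @10.2.1.149
"""

# Matches: syslog(<facility> filters["<filter>"] <format>)
SYSLOG_DIRECTIVE = re.compile(
    r'^\s*syslog\(\s*(?P<facility>\w+)\s+filters\["(?P<filter>[^"]*)"\]'
    r'\s+(?P<format>\w+)\s*\)'
)


def parse_auditd_syslog(text):
    """Return (facility, filter, format) from the auditd.conf syslog() line, or None."""
    for line in text.splitlines():
        m = SYSLOG_DIRECTIVE.match(line)
        if m:
            return m.group("facility"), m.group("filter"), m.group("format")
    return None


def parse_syslog_conf(text):
    """Return (selector, action) pairs from syslog.conf, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            rules.append((parts[0], parts[1].strip()))
    return rules


def check_forwarding(auditd_text, syslog_text, collector_ip):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    parsed = parse_auditd_syslog(auditd_text)
    if parsed is None:
        return ["auditd.conf: no syslog(...) directive found"]
    facility, _filter, fmt = parsed
    # The LogLogic Appliance only parses Sidewinder events in SEF format.
    if fmt != "SEF":
        problems.append(f"auditd.conf: format is {fmt}, LogLogic requires SEF")
    rules = parse_syslog_conf(syslog_text)
    # The forwarding selector must name the same facility as auditd.conf.
    targets = [action for sel, action in rules
               if sel == f"{facility}.*" and action.startswith("@")]
    if not targets:
        problems.append(f"syslog.conf: no '{facility}.* @<collector>' forwarding rule")
    elif f"@{collector_ip}" not in targets:
        problems.append(f"syslog.conf: {facility} is forwarded to {targets}, not @{collector_ip}")
    # Step 6 of the 7.0 procedure: keep the forwarded facility out of the local file.
    local_selectors = [sel for sel, action in rules if action == "/var/log/messages"]
    if local_selectors and not any(f"{facility}.none" in sel for sel in local_selectors):
        problems.append(f"syslog.conf: /var/log/messages rule does not list {facility}.none, "
                        "so events are logged locally as well as forwarded")
    return problems


if __name__ == "__main__":
    for label, conf in (("before step 6", SYSLOG_CONF_BEFORE), ("after step 6", SYSLOG_CONF_AFTER)):
        print(label, check_forwarding(AUDITD_CONF, conf, "10.2.1.149") or "OK")
```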

Enabling the LogLogic Appliance to Capture Data

The following sections describe how to configure the LogLogic Appliance to capture Sidewinder Syslog messages.

Caution: The LogLogic Appliance's device auto-identification feature is not supported for Sidewinder. You must manually add Sidewinder as a device on the Appliance.

Adding a Sidewinder Device

If you do not want to utilize the auto-identification feature, you can manually add a Sidewinder device to the LogLogic Appliance before you redirect the logs.

To add Sidewinder as a new device:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Devices. The Devices tab appears.
3. Click Add New. The Add Device tab appears.
4. Type in the following information for the device:
       Name                      Name for the Sidewinder device
       Description               (optional) Description of the Sidewinder device
       Device Type               Select Sidewinder from the drop-down menu
       Host IP                   IP address of the Sidewinder appliance
       Enable Data Collection    Select the Yes radio button
       Refresh Device Name through DNS Lookups
                                 (optional) Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign.

Figure 1 Add Device Tab

5. Click Add.
6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes.

When the logs arrive from the specified Sidewinder appliance, the LogLogic Appliance uses the device you just added if the hostname or IP match.

Verifying the Configuration

This section describes how to verify that the configuration changes made to Sidewinder and the LogLogic Appliance are applied correctly.

To verify the configuration:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Dashboards > Log Source Status.
3. Locate the IP address for each Sidewinder device. If the device name (Sidewinder) appears in the list of devices, then the configuration is correct (see Figure 2 on page 13).

Figure 2 Verification of the Sidewinder Configuration

If the device does not appear in the Log Source Status tab, check the Sidewinder logs for events that should have been sent. If events were detected and are still not appearing on the LogLogic Appliance, verify the Sidewinder configuration and the LogLogic Appliance configuration.

You can also verify that the LogLogic Appliance is properly capturing log data from Sidewinder by trying to view the data in the reports. LogLogic recommends checking the reports to make sure that the data obtained is valid and matches expectations. For more information, see LogLogic Real-Time Reports on page 15.

If the device name appears in the list of devices but event data for the device is not appearing within your reports, see Troubleshooting on page 18 for more information.

Chapter 2 How LogLogic Supports Sidewinder

This chapter describes LogLogic's support for Sidewinder. LogLogic enables you to capture Sidewinder log data to monitor events.

    How LogLogic Captures Sidewinder Data ................. 14
        LogLogic Real-Time Reports ........................ 15
        LogLogic Search Filter-Based Reports .............. 15

How LogLogic Captures Sidewinder Data

Sidewinder versions 6.1, 6.2.x, and 7.0 (or later) support various streamed event formats through Syslog (e.g., Sidewinder Export Format (SEF), WebTrends Extended Logging Format (WELF), W3C Extended Logging Format (HTTP), etc.). Regardless of the Sidewinder version, the LogLogic Appliance only supports Sidewinder firewall events in SEF format. Sidewinder generates Syslog messages in SEF format; the messages are then sent, via UDP or TCP, to the Syslog Listener on the LogLogic Appliance.

Figure 3 Sidewinder with LogLogic Appliance as the Syslog Server

Once the data is captured, you can generate reports. In addition, you can create alerts to notify you of issues on your Sidewinder. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Table 1 on page 22 lists the Sidewinder Syslog messages that are supported by the LogLogic Appliance.

Note: The LogLogic Appliance captures all messages from the Sidewinder logs, but includes only specific messages for report/alert generation. For sample log messages for each event and the event-to-category mapping, see Appendix A Reference on page 21.

LogLogic Real-Time Reports

LogLogic provides pre-configured Real-Time Reports for Sidewinder log data. The following Real-Time Reports are available:

    User Authentication     Displays identity and access related events during a specified time interval.
    User Created/Deleted    Displays users being created or deleted by an administrator during a specified time interval.
    Last User Activity      Displays user-specific details, used to track user activity during a specified time interval.

To access LMI 5 Real-Time Reports:

1. In the top navigation pane, click.
2. Click Access Control. The following Real-Time Reports are available:
       - User Authentication
       - User Created/Deleted
       - Last User Activity

You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic User Guide and LogLogic Online Help.

LogLogic Search Filter-Based Reports

LogLogic provides pre-configured Search Filters for Sidewinder log data. Search Filters are used to filter report data and create alerts.

To access Search Filters:

1. From the navigation menu, select Search.
2. Select Search Filters.

Note: All Sidewinder Search Filters use Regular Expressions (RegEx) that can be used to create reports using the RegEx Search features on the LogLogic Appliance.

The following Search Filters are available:

    - Sidewinder 6.2: ACL Modification (v6.2) - Access Control List (ACL) Database Change events.
      RegEx: type=t_acl_change
    - Sidewinder 6.2: Protocol Error (v6.2) - Passing traffic violated the protocol.
      RegEx: type=t_protocol_error
    - Sidewinder 6.2: Proxy Flooded (v6.2) - Proxy Flooded type.
      RegEx: type=t_proxy_flooded
    - Sidewinder 6.2: SNMP Coldstart Trap (v6.2) - SNMP Coldstart Trap events.
      RegEx: type=t_snmp_coldtrap
    - Sidewinder 6.2: SYN Attack (v6.2) - SYN Attack messages.
      RegEx: type=t_syn_attack
    - Sidewinder 6.2: TACACS/RADIUS Accounting (v6.2) - TACACS/RADIUS Accounting events.
      RegEx: type=t_tacrad_acct
    - Sidewinder 6.2: Type Enforcement (v6.2) - Type Enforcement errors generated by the kernel: DDT Violation, DIT Violation, Domain Privilege Denied, or Failed Type Change.
      RegEx: type\=(t_ddtviolation|t_ditviolation|t_dmnprivdenied|t_chtype)
    - Sidewinder 6.2: User Database Modification (v6.2) - User Database Modification by user or system.
      RegEx: type\=(t_udb_sysac|t_udb_useract)
    - Sidewinder 7.x: Application Defense Violation (v7.x) - Application Defense Violation.
      RegEx: type=t_attack.*?(?=category=)category=appdef_violation
    - Sidewinder 7.x: Authentication Lockout (v7.x) - Authentication Failure Lockout.
      RegEx: type=t_auth_lockout
    - Sidewinder 7.x: Buffer Overflow Attack (v7.x) - Buffer Overflow Attack.
      RegEx: type=t_attack.*?(?=category=)category=buffer_overflow
    - Sidewinder 7.x: Connection Failed (v7.x) - Connection to the server failed.
      RegEx: event=(failed connection|connect failed)
    - Sidewinder 7.x: Denial of Service Attack (v7.x) - DoS Attack.
      RegEx: type=t_attack.*?(?=category=)category=dos
    - Sidewinder 7.x: General Attack (v7.x) - General Attack.
      RegEx: type=t_attack.*?(?=category=)category=general
    - Sidewinder 7.x: Invalid TCP packets (v7.x) - Invalid TCP packets.
      RegEx: (event\=(tcp old duplicate|TCP data/ closed conn|TCP RESET|sequence error))
    - Sidewinder 7.x: License Expiration (v7.x) - License Feature Expiration.
      RegEx: type=t_license_expire
    - Sidewinder 7.x: License Notice (v7.x) - User license close to the maximum number of outbound host IP addresses.
      RegEx: event=license notice
    - Sidewinder 7.x: Passport (v7.x) - Passport Change events.
      RegEx: type\=t_passport_chng.*?(?=event\=)event\=(?!passport expiration)[^\,]*
    - Sidewinder 7.x: Passport Expiration (v7.x) - Passport Expired.
      RegEx: type=t_passport_chng.*?(?=event=)event=passport expiration
    - Sidewinder 7.x: Policy Violation (v7.x) - Policy Violation events.
      RegEx: type=t_attack.*?(?=category=)category=policy_violation
    - Sidewinder 7.x: Protocol Violation (v7.x) - Protocol Violation events.
      RegEx: type=t_attack.*?(?=category=)category=protocol_violation
    - Sidewinder 7.x: Signature-based IPS Intrusion Attempt (v7.x) - Signature-based IPS Intrusion Attempt.
      RegEx: type=t_attack.*?(?=category=)category=signature_ips
    - Sidewinder 7.x: Spam (v7.x) - Spam.
      RegEx: type=t_attack.*?(?=category=)category=spam
    - Sidewinder 7.x: System Backup (v7.x) - System Backup Success/Failure events.
      RegEx: event\=(system backup success|system backup failure)
    - Sidewinder 7.x: Virus (v7.x) - Virus.
      RegEx: type=t_attack.*?(?=category=)category=virus
    - Sidewinder: Blackhole (v7.x and v6.2) - Blackhole Add/Delete/Update/Expire/Address Error events.
      RegEx: type=t_blackhole
    - Sidewinder: Configuration Change (v7.x and v6.2) - Administrative Configuration Change events.
      RegEx: type=t_cfg_change
    - Sidewinder: Console Login Failure (v7.x and v6.2) - Console Login Failure.
      RegEx: (type=t_attack.*?(?=event)event=auth deny.*?(?=reason)reason="authentication failed."\,information="console login authentication failed[a-za-z0-9 -_]*)|(type=t_auth_attempt.*?(?=result)result=0\,info="[a-za-z0-9-_ ]*console[a-za-z0-9 -_]*)
    - Sidewinder: Hardware/Software Failure (v7.x and v6.2) - Hardware/Software/NIC/Memory/Disk Failure events.
      RegEx: type=(t_hardware_failure|t_software_failure)
    - Sidewinder: Health Monitoring (v7.x and v6.2) - Health Monitoring of Load/CPU/Memory/Interface/General data events.
      RegEx: (type\=t_lcm\,pri\=(?!p_minor)[^\,]*)|(type\=t_interface\,pri\=(?!p_minor)[^\,]*)|(type\=t_geninfo\,pri\=(?!p_minor)[^\,]*)
    - Sidewinder: License Exceeded (v7.x and v6.2) - User license exceeded the maximum number of outbound host IP addresses.
      RegEx: type=t_lic_exceeded
    - Sidewinder: Log Overflow (v7.x and v6.2) - Log overflow.
      RegEx: type=t_log_overflow
    - Sidewinder: Proxy/Remote Server Authentication Failure (v7.x and v6.2) - Authentication to Proxy/Remote Server failed.
      RegEx: type=t_proxyauth
    - Sidewinder: Software Client Login Failure (v7.x and v6.2) - Software Client Login Failure.
      RegEx: (type=t_attack.*?(?=event)event=auth deny.*?(?=reason)reason="authentication failed."\,information="cobra login authentication failed)|(type=t_auth_attempt.*?(?=result)result=0.*?(?=info)info=[a-za-z0-9 -_]*cobra[a-za-z0-9 -_]*)
    - Sidewinder: UDP Drop (v7.x and v6.2) - UDP packet dropped.
      RegEx: type\=t_udp_drop
    - Sidewinder: UPS (v7.x and v6.2) - UPS Powerfail/Shutdown events.
      RegEx: type\=(t_ups_powerfail|t_ups_shutdown)

For more information on Search Filters, reports, and alerts, see the LogLogic User Guide and LogLogic Online Help.
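As an added example that is not part of the LogLogic guide, the following Python applies a subset of the Search Filter RegEx patterns above (with the alternation bars written out) to constructed SEF-style records and shows what each pattern catches, including how the negative lookaheads keep p_minor health events and non-expiration passport changes out of their filters. The sample records, the field parser and the function names are assumptions; real SEF records carry more fields.

```python
import re

# A subset of the Search Filter patterns listed above; the alternation bars
# are written out explicitly so the patterns compile as intended.
SEARCH_FILTERS = {
    "Sidewinder 6.2: Type Enforcement":
        r"type\=(t_ddtviolation|t_ditviolation|t_dmnprivdenied|t_chtype)",
    "Sidewinder 7.x: Buffer Overflow Attack":
        r"type=t_attack.*?(?=category=)category=buffer_overflow",
    "Sidewinder 7.x: Denial of Service Attack":
        r"type=t_attack.*?(?=category=)category=dos",
    "Sidewinder 7.x: Connection Failed":
        r"event=(failed connection|connect failed)",
    "Sidewinder 7.x: Passport":
        r"type\=t_passport_chng.*?(?=event\=)event\=(?!passport expiration)[^\,]*",
    "Sidewinder 7.x: Passport Expiration":
        r"type=t_passport_chng.*?(?=event=)event=passport expiration",
    "Sidewinder: Configuration Change":
        r"type=t_cfg_change",
    "Sidewinder: Health Monitoring":
        r"(type\=t_lcm\,pri\=(?!p_minor)[^\,]*)|(type\=t_interface\,pri\=(?!p_minor)[^\,]*)"
        r"|(type\=t_geninfo\,pri\=(?!p_minor)[^\,]*)",
    "Sidewinder: UPS":
        r"type\=(t_ups_powerfail|t_ups_shutdown)",
}
COMPILED = {name: re.compile(rx) for name, rx in SEARCH_FILTERS.items()}

# Constructed SEF-style records (comma-separated key=value pairs). These are
# assumed samples in the shape the patterns expect, not captured Sidewinder output.
SAMPLE_SEF = [
    'date="2011-09-14 10:01:05 PDT",fac=f_http_proxy,area=a_server,type=t_attack,pri=p_major,hostname=fw1,category=buffer_overflow,event=attack,attackip=192.0.2.10',
    'date="2011-09-14 10:01:40 PDT",fac=f_kernel,area=a_server,type=t_attack,pri=p_major,hostname=fw1,category=dos,event=attack,attackip=192.0.2.11',
    'date="2011-09-14 10:02:11 PDT",fac=f_kernel,area=a_general_area,type=t_lcm,pri=p_minor,hostname=fw1,event=load average ok',
    'date="2011-09-14 10:02:40 PDT",fac=f_kernel,area=a_general_area,type=t_interface,pri=p_major,hostname=fw1,event=link down,interface=em1',
    'date="2011-09-14 10:03:00 PDT",fac=f_cfg,area=a_server,type=t_cfg_change,pri=p_minor,hostname=fw1,user_name=admin,event=rule modified',
    'date="2011-09-14 10:04:22 PDT",fac=f_passport,area=a_server,type=t_passport_chng,pri=p_minor,hostname=fw1,event=passport expiration,user=jdoe',
    'date="2011-09-14 10:04:50 PDT",fac=f_passport,area=a_server,type=t_passport_chng,pri=p_minor,hostname=fw1,event=passport created,user=jdoe',
    'date="2011-09-14 10:05:00 PDT",fac=f_ups,area=a_server,type=t_ups_powerfail,pri=p_major,hostname=fw1',
    'date="2011-09-14 10:06:30 PDT",fac=f_kernel,area=a_general_area,type=t_iptraffic,pri=p_minor,hostname=fw1,event=session end',
    'date="2011-09-14 10:07:15 PDT",fac=f_http_proxy,area=a_server,type=t_nettraffic,pri=p_minor,hostname=fw1,event=connect failed,dest_ip=198.51.100.5',
]


def parse_sef(record):
    """Split a SEF record into a dict; only commas that start a new key= pair separate fields."""
    fields = {}
    for part in re.split(r",(?=[A-Za-z_]+=)", record):
        key, _, value = part.partition("=")
        fields[key] = value.strip('"')
    return fields


def classify(record):
    """Return the names of every Search Filter whose RegEx matches the record."""
    return [name for name, rx in COMPILED.items() if rx.search(record)]


def tally(records):
    """Count matches per Search Filter; '(unmatched)' counts records no filter caught."""
    counts = {"(unmatched)": 0}
    for record in records:
        hits = classify(record)
        if not hits:
            counts["(unmatched)"] += 1
        for name in hits:
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for record in SAMPLE_SEF:
        f = parse_sef(record)
        print(f["date"], f["type"], "->", classify(record) or "no filter")
    print(tally(SAMPLE_SEF))
```

The patterns are evaluated here with Python's re module; the LogLogic Appliance's own RegEx search engine may accept a slightly different syntax, so confirm a pattern there before relying on it for an alert.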

Chapter 3 Troubleshooting and FAQ

This chapter contains troubleshooting information regarding the configuration and/or use of log collection for Sidewinder. It also contains Frequently Asked Questions (FAQ), providing quick answers to common questions.

    Troubleshooting ....................................... 18
    Frequently Asked Questions ............................ 19

Troubleshooting

Is your version of Sidewinder supported?
For more information, see Prerequisites on page 8.

Is your LogLogic Appliance running Release 5.1 or later?
If you are running a release prior to 5.1, you might require an upgrade. Contact LogLogic Support for more information.

If Sidewinder events are not appearing on the LogLogic Appliance...
Sidewinder might not be configured correctly. Make sure that audit logging is configured using the SEF format, that Syslog is configured, and that a Syslog Server (i.e., the LogLogic Appliance) has been defined. If you have not properly configured Syslog on Sidewinder to send logs to the LogLogic Appliance, then Sidewinder writes the logs to a file on the local system (i.e., /var/log/messages). Make sure that Sidewinder is not sending log messages to the local file. Configuration steps for Sidewinder vary depending on the version. For more information, see Configuring Sidewinder on page 8.

If events are not displaying on the LogLogic Appliance even after configuring Sidewinder correctly...
Sidewinder sends the logs to the LogLogic Appliance via Syslog over UDP or TCP. Make sure that the UDP or TCP port is enabled on Sidewinder. For more information on supported protocols and ports, see the LogLogic Administration Guide.

Frequently Asked Questions

How does the LogLogic Appliance collect logs from Sidewinder?
Sidewinder forwards logs in the SEF event format through Syslog. SEF-formatted Syslog messages are sent via UDP or TCP to the LogLogic Appliance. The LogLogic Appliance acts as a Syslog Server for Sidewinder and recognizes the messages using the Syslog Listener. For more information, see How LogLogic Captures Sidewinder Data on page 14.

What access permissions are required?
To configure auditing and Syslog on Sidewinder, the user needs the proper access permissions to edit configuration files and to start/stop the auditing and syslog daemons.

How do I configure Syslog on Sidewinder?
Follow the procedures in Configuring Sidewinder on page 8. Also make sure that you verify your configuration changes on the LogLogic Appliance (see Verifying the Configuration on page 12).


Appendix A Reference

This appendix lists the LogLogic-supported Sidewinder events. The Sidewinder event table identifies events that can be analyzed through LogLogic reports. All sample log messages were captured by LogLogic's Syslog Listener.

LogLogic Support for Sidewinder Events

The following list describes the contents of each of the columns in the table below.

ID # - Item number.
Name - Value of the event field in the 7.x version, or of the status field in the 6.2 or 6.1 version, where one is displayed; otherwise Not Applicable (N/A).
Agile - Defines whether the Sidewinder event is available through the LogLogic Agile Report Engine or through the search capabilities. If the event is available through the Agile Report Engine, you can use LogLogic's Real-Time and Summary reports to analyze and display the captured log data. All other supported events captured by the LogLogic Appliance can be viewed by performing a search for the log data.
Title/Comments - Sidewinder version number and comments, if available. Comments are displayed if a particular type in a version has more than one supported format.
Category - Audit or Operational.
Type - Type of event, such as t_iptraffic or t_attack.
Appears In - LogLogic-provided reports that the event appears in.
Sample Log Message - Sample Sidewinder log messages converted into text (.txt) format.

The Collector captures invaluable log data to track actions such as modifications to files, account changes, machine access, and other actions that can represent fraudulent activity. The LogLogic Appliance can be configured to provide administrators with real-time alerts whenever data integrity and confidentiality are compromised. In addition, LogLogic's Agile and search capabilities can be used to analyze the captured log data.

Table 1 Sidewinder Events
Columns: ID # | Name | Agile | Title | Category | Type | Appears In. The Sample Log Message for each row follows it.

1 | ACL allow | Agile | 7.x | Audit | t_aclallow | Accepted
Sample Log Message: <131>Jan 15 14:51:23 auditd: date="mar 15 15:55:21 CDT",fac=f_ssh_server,area=a_general_area,type=t_aclallow,pri=p_major,pid=11596,ruid=0,euid=0,pgid=11596,logid=0,cmd=sshd,domain=ssh1,edomain=ssh1,hostname=xxxx.x.com,event=ACL allow,srcip=10.10.10.10,srcport=33180,srcburb=external,dstip=10.10.10.10,dstport=22,dstburb=external,protocol=6,service_name=sshd,user_name=x,auth_method=password,acl_id="secure Shell Server",cache_hit=0,reason="Traffic allowed by policy."

2 | ACL deny | Agile | 7.x | Audit | t_attack | Denied
Sample Log Message: <131>Jan 15 14:48:01 auditd: date="jan 15 22:48:01 UTC",fac=f_login_sidewinder,area=a_general_area,type=t_attack,pri=p_major,pid=95290,ruid=0,euid=0,pgid=95263,logid=0,cmd=login_sidewinder,domain=logn,edomain=logn,hostname=sidewinder1.loglabs.com,category=policy_violation,event=acl deny,attackip=127.0.0.1,attackburb=firewall,srcip=127.0.0.1,srcport=0,srcburb=Firewall,dstip=127.0.0.1,dstport=0,dstburb=firewall,protocol=6,service_name=login,user_name=admin,auth_method=failed-password,acl_id="deny All",cache_hit=0,reason="Traffic denied by policy."

3 | auth deny | Agile | 7.x | Audit | t_attack | User Last Activity / User Authentication
Sample Log Message: <179>Jun 24 05:07:27 auditd: date="aug 11 12:51:09 PDT",fac=f_login,area=a_general_area,type=t_attack,pri=p_major,pid=2374,ruid=0,euid=0,pgid=2374,logid=0,cmd=login,domain=Logn,edomain=Logn,hostname=sidewinder1.loglabs.com,category=policy_violation,event=auth deny,user_name=admin,auth_method=password,reason="authentication failed.",information="cobra login authentication failed for user `admin', method Password, from 10.60.0.7"

4 | auth allow | Agile | 7.x | Audit | t_auth_attempt | User Last Activity / User Authentication
Sample Log Message: <179>Jun 24 05:07:27 auditd: date="aug 11 08:25:23 PDT",fac=f_ssh_server,area=a_server,type=t_auth_attempt,pri=p_major,pid=1198,ruid=0,euid=0,pgid=1198,logid=0,cmd=sshd,domain=ssh2,edomain=ssh2,hostname=sidewinder1.loglabs.com,event=auth allow,user_name=spippari,auth_method=password,reason="authentication succeeded.",information="authentication Accepted for user `spippari', method Password from 10.60.0.7 port 1037"

5 | authentication failure lockout | Agile | 7.x | Audit | t_auth_lockout | User Last Activity
Sample Log Message: <179>Jun 6 18:32:37 auditd: date="aug 25 22:29:34 PDT",fac=f_acld,area=a_server,type=t_auth_lockout,pri=p_major,pid=2012,ruid=0,euid=0,pgid=2012,logid=0,cmd=acld,domain=Acld,edomain=Acld,hostname=sidewinder1.loglabs.com,event=authentication failure lockout,user_name=spippari,reason="authentication failure limit exceeded."

6 | authentication failure clear | Agile | 7.x | Audit | t_auth_lockout | User Last Activity
Sample Log Message: <179>Jun 6 18:32:37 auditd: date="aug 25 22:25:28 PDT",fac=f_acld,area=a_server,type=t_auth_lockout,pri=p_major,pid=2012,ruid=0,euid=0,pgid=2012,logid=0,cmd=acld,domain=Acld,edomain=Acld,hostname=sidewinder1.loglabs.com,event=authentication failure clear,user_name=rathna,admin=rathna

7 | config Modify | Agile | 7.x/format 1 | Audit | t_cfg_change | User Last Activity
Sample Log Message: <139>Sep 10 07:54:25 auditd: date="sep 10 21:52:12 PDT",fac=f_system,area=a_general_area,type=t_cfg_change,pri=p_major,pid=34240,ruid=0,euid=0,pgid=34240,logid=103,cmd=AdminConsole,domain=CARW,edomain=carw,hostname=sidewinder1.loglabs.com,event=config modify,user_name=rathna,config_area="admin user database",config_item=admins:testuser,information="Changed Firewall administrator testuser: office='wipro Technologies'"

8 | config Modify | Agile | 7.x/format 2 | Audit | t_cfg_change | User Last Activity, User Created/Deleted
Sample Log Message: <139>Sep 10 07:54:25 auditd: date="sep 10 14:54:25 UTC",fac=f_system,area=a_general_area,type=t_cfg_change,pri=p_major,pid=48475,ruid=0,euid=0,pgid=48475,logid=102,cmd=AdminConsole,domain=CARW,edomain=CARW,hostname=sidewinder1.loglabs.com,event=config modify,user_name=spippari,config_area="admin user database",config_item=admins:cwee,information="added Firewall administrator cwee: crypt_password='_v...03/fz4a0ycyz/yu', directory='/home/cwee', full_name='chris Wee', home_phone='510-576-4891', office='home', office_phone='510-781-9671', roles=[], shell='nologin'"

9 | config Modify | Agile | 7.x/format 3 | Audit | t_cfg_change | User Last Activity, User Created/Deleted
Sample Log Message: <139>Sep 10 07:54:25 auditd: date="sep 10 21:48:11 PDT",fac=f_system,area=a_general_area,type=t_cfg_change,pri=p_major,pid=34240,ruid=0,euid=0,pgid=34240,logid=103,cmd=AdminConsole,domain=CARW,edomain=carw,hostname=sidewinder1.loglabs.com,event=config modify,user_name=rathna,config_area="user database",config_item=udb:testuser,information="added User testuser: crypt='_x...mucbglf3lh4uf7q', placeholder='not used', swede_crypt_last_mod_time=1221108484.4916401, swede_expire_last_mod_time=0.0"

10 | config Modify | Agile | 7.x/format 4 | Audit | t_cfg_change | User Last Activity, User Created/Deleted
Sample Log Message: <139>Sep 10 07:54:25 auditd: date="sep 10 21:54:35 PDT",fac=f_system,area=a_general_area,type=t_cfg_change,pri=p_major,pid=34240,ruid=0,euid=0,pgid=34240,logid=103,cmd=AdminConsole,domain=CARW,edomain=carw,hostname=sidewinder1.loglabs.com,event=config modify,user_name=rathna,config_area="admin user database",config_item=admins:testuser,information="Deleted Firewall administrator testuser"

11 | config Modify | Agile | 7.x/format 5 | Audit | t_cfg_change | User Last Activity, User Created/Deleted
Sample Log Message: <139>Sep 10 07:54:25 auditd: date="sep 10 21:54:35 PDT",fac=f_system,area=a_general_area,type=t_cfg_change,pri=p_major,pid=34240,ruid=0,euid=0,pgid=34240,logid=103,cmd=AdminConsole,domain=CARW,edomain=carw,hostname=sidewinder1.loglabs.com,event=config modify,user_name=rathna,config_area="user database",config_item=udb:testuser,information="deleted User testuser"

12 | IP session open | Agile | 7.x | Audit | t_ipftraffic | Accepted
Sample Log Message: <131>Jan 15 14:51:23 auditd: date="mar 5 01:18:07 EST",fac=f_kernel_ipfilter,area=a_general_area,type=t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=,edomain=,hostname=xxxxxxx.xxxx.com,event=ip session open,rule_name=scobra_out_filter,srcip=80.80.80.80,srcport=1662,dstip=70.70.70.70,dstport=9003,protocol=6,netsessid=45eba8ff00060315

13 | IP session timeout | Agile | 7.x | Audit | t_ipftraffic | Accepted
Sample Log Message: <131>Jan 15 14:51:23 auditd: date="mar 5 01:18:07 EST",fac=f_kernel_ipfilter,area=a_general_area,type=t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=,edomain=,hostname=xxxxxxx.xxxx.com,event=ip session timeout,rule_name=scobra_out_filter,srcip=70.70.70.70,srcport=1662,dstip=80.80.80.80,dstport=9003,bytes_written_to_client=1446281,bytes_written_to_server=122272,protocol=6,netsessid=45eba8ff00060315

14 | IP session close | Agile | 7.x | Audit | t_ipftraffic | Accepted
Sample Log Message: <131>Jan 15 14:51:23 auditd: date="mar 5 01:18:07 EST",fac=f_kernel_ipfilter,area=a_general_area,type=t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=,edomain=,hostname=xxxxxxx.xxxx.com,event=ip session close,rule_name=scobra_out_filter,srcip=10.10.10.10,srcport=1662,dstip=10.10.10.10,dstport=9003,bytes_written_to_client=800,bytes_written_to_server=80,protocol=6,netsessid=45eba8ff00060315

15 | proxy traffic begin | Agile | 7.x | Audit | t_nettraffic | Accepted
Sample Log Message: <131>Jan 15 14:51:23 auditd: date="mar 15 02:00:01 EDT",fac=f_http_proxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=32152,ruid=0,euid=0,pgid=32152,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=xxxxxxx.xxxx.com,event=proxy traffic begin,service_name=http-all,netsessid=45f8e0e1000ea505,srcip=60.60.60.60,srcport=57961,srcburb=internal,protocol=6,dstip=50.50.50.50,dstport=80,dstburb=external,acl_id=nt_http_out-nt_http_servicesproxy-auth-internal,cache_hit=0,request_status=0,start_time="Thu Mar 15 02:00:01 "

16 | proxy traffic continue | Agile | 7.x | Audit | t_nettraffic | Accepted
Sample Log Message: <131>Jan 15 14:51:23 auditd: date="mar 15 02:00:02 EDT",fac=f_http_proxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=32152,ruid=0,euid=0,pgid=32152,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=xxxxxxx.xxxx.com,event=proxy traffic continue,service_name=http-all,netsessid=45f8e0e1000ea505,srcip=50.50.50.50,srcport=57961,srcburb=internal,protocol=6,dstip=40.40.40.40,dstport=80,dstburb=external,bytes_written_to_client=476,bytes_written_to_server=99,acl_id=nt_http_out-nt_http_services-proxy-auth-internal,cache_hit=0,request_status=0,start_time="thu Mar 15 02:00:01 "

17 | proxy traffic end | Agile | 7.x | Audit | t_nettraffic | Accepted
Sample Log Message: <131>Jan 15 14:51:23 auditd: date="mar 15 02:00:02 EDT",fac=f_http_proxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=32152,ruid=0,euid=0,pgid=32152,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=xxxxxxx.xxxx.com,event=proxy traffic end,service_name=http-all,netsessid=45f8e0e1000ea505,srcip=40.40.40.40,srcport=57961,srcburb=internal,protocol=6,dstip=30.30.30.30,dstport=80,dstburb=external,bytes_written_to_client=476,bytes_written_to_server=99,acl_id=nt_http_out-nt_http_services-proxy-auth-internal,cache_hit=0,request_status=0,start_time="Thu Mar 15 02:00:01 "

18 | proxy authentication failure | Agile | 7.x | Audit | t_proxyauth | Denied
Sample Log Message: <131>Jan 15 14:51:23 auditd: date="mar 16 16:33:55 CDT",fac=f_sendmail_daemon,area=a_server,type=t_proxyauth,pri=p_major,pid=2076,ruid=0,euid=0,pgid=2071,logid=0,cmd=sendmail,domain=mta1,edomain=mta1,hostname=carp.b.com,event=proxy authentication failure,srcip=10.10.10.10,srcport=3578,srcburb=external,protocol=6,dstip=10.10.10.10,dstport=456,dstburb=dmz,interface=eth3,acl_id=acl_rul_1,reason="sendmail determined that this session is not allowed."

19 | remote server authentication failure | Agile | 7.x | Audit | t_proxyauth | Denied
Sample Log Message: <131>Jan 15 14:51:23 auditd: date="mar 16 16:33:55 CDT",fac=f_sendmail_daemon,area=a_server,type=t_proxyauth,pri=p_major,pid=2076,ruid=0,euid=0,pgid=2071,logid=0,cmd=sendmail,domain=mta1,edomain=mta1,hostname=carp.b.com,event=remote server authentication failure,srcip=10.10.10.10,srcport=3578,srcburb=external,protocol=6,dstip=10.10.10.10,dstport=456,dstburb=dmz,interface=eth3,acl_id=acl_rul_1,reason="sendmail determined that this session is not allowed."

20 | server traffic begin | Agile | 7.x | Audit | t_servtraffic | Accepted
Sample Log Message: <131>Jan 15 14:51:23 auditd: date="mar 15 02:00:01 EDT",fac=f_http_proxy,area=a_libproxycommon,type=t_servtraffic,pri=p_major,pid=32152,ruid=0,euid=0,pgid=32152,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=xxxxxxx.xxxx.com,event=server traffic begin,service_name=http-all,netsessid=45f8e0e1000ea505,srcip=30.30.30.30,srcport=57961,srcburb=internal,protocol=6,dstip=20.20.20.20,dstport=80,dstburb=external,acl_id=nt_http_out-nt_http_servicesproxy-auth-internal,cache_hit=0,request_status=0,start_time="Thu Mar 15 02:00:01 "

21 | server traffic continue | Agile | 7.x | Audit | t_servtraffic | Accepted
Sample Log Message: <131>Jan 15 14:51:23 auditd: date="mar 15 02:00:02 EDT",fac=f_http_proxy,area=a_libproxycommon,type=t_servtraffic,pri=p_major,pid=32152,ruid=0,euid=0,pgid=32152,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=xxxxxxx.xxxx.com,event=server traffic continue,service_name=http-all,netsessid=45f8e0e1000ea505,srcip=20.20.20.20,srcport=57961,srcburb=internal,protocol=6,dstip=10.10.10.10,dstport=80,dstburb=external,bytes_written_to_client=476,bytes_written_to_server=99,acl_id=nt_http_out-nt_http_services-proxy-auth-internal,cache_hit=0,request_status=0,start_time="thu Mar 15 02:00:01 "

22 | server traffic end | Agile | 7.x | Audit | t_servtraffic | Accepted
Sample Log Message: <131>Jan 15 14:51:23 auditd: date="mar 15 02:00:02 EDT",fac=f_http_proxy,area=a_libproxycommon,type=t_servtraffic,pri=p_major,pid=32152,ruid=0,euid=0,pgid=32152,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=xxxxxxx.xxxx.com,event=server traffic end,service_name=http-all,netsessid=45f8e0e1000ea505,srcip=10.10.10.10,srcport=57961,srcburb=internal,protocol=6,dstip=90.90.90.90,dstport=80,dstburb=external,bytes_written_to_client=476,bytes_written_to_server=99,acl_id=nt_http_out-nt_http_services-proxy-auth-internal,cache_hit=0,request_status=0,start_time="Thu Mar 15 02:00:01 "

23 | N/A | Agile | 6.2 | Audit | t_aclallow | Accepted
Sample Log Message: <179>May 22 17:16:52 auditd: date="may 22 17:16:52 GMT",fac=f_wwwproxy,area=a_server,type=t_aclallow,pri=p_major,pid=1545,ruid=0,euid=0,pgid=1545,fid=0,logid=0,cmd=httpp,domain=htpp,edomain=htpp,srcip=10.10.2.46,dstip=87.237.39.200,protocol=6,service_name=http,agent_type=proxy,user_name=(null),acl_id="internet Services"

24 | N/A | Agile | 6.2 | Audit | t_acldeny | Denied
Sample Log Message: <131>Jan 15 14:51:23 auditd: date="may 14 17:02:56 2001 CDT",fac=f_nss,area=a_server,type=t_acldeny,pri=p_major,pid=22800,ruid=0,euid=0,pgid=220,fid=0,logid=0,cmd=nss,domain=nss2,edomain=nss2,srcip=192.168.240.244,dstip=192.168.180.12,protocol=6,service_name=telnet,agent_type=server,user_name=null),acl_id=deny_all,acl_pos=7

25 | N/A | Agile | 6.2 | Audit | t_auth_attempt | User Last Activity / User Authentication
Sample Log Message: <179>Jun 24 05:07:27 auditd: date="may 16 13:18:51 2001 CDT",fac=f_ftpproxy,area=a_server,type=t_auth_attempt,pri=p_major,pid=464,ruid=0,euid=0,pgid=464,logid=0,cmd=pftp,domain=pftx,edomain=pftx,user_auth_name=a,auth_method=password,result=1,info="authentication Accepted for user `a:password', method password"

26 | ipf_open | Agile | 6.2 | Audit | t_ipftraffic | Accepted
Sample Log Message: <131>Jan 15 14:51:23 auditd: date="oct 30 11:17:49 2006 CST",fac=f_kern_ipfilt,area=a_general_area,type=t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,fid=0,logid=0,cmd=abc,domain=,edomain=,status=ipf_open,rule_name=some-rule,srcip=10.10.10.10,srcport=1153,dstip=10.20.20.20,dstport=122,protocolname=tcp,netsessid=454633bd0008681a

27 | ipf_close | Agile | 6.2 | Audit | t_ipftraffic | Accepted
Sample Log Message: <131>Jan 15 14:51:23 auditd: date="mar 5 01:18:07 EST",fac=f_kernel_ipfilter,area=a_general_area,type=t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,fid=0,logid=0,cmd=kernel,domain=,edomain=,status=ipf_close,rule_name=scobra_out_filter,srcip=10.10.10.10,srcport=1662,dstip=10.10.10.10,dstport=9003,bytes_written_to_client=900,bytes_written_to_server=90,protocol=6,netsessid=45eba8ff00060315

28 | conn_open | Agile | 6.2 | Audit | t_nettraffic | Accepted
Sample Log Message: <179>Jan 1 00:00:00 auditd: date="apr 19 12:25:42 2002 CDT",fac=f_telnetproxy,area=a_server,type=t_nettraffic,pri=p_major,pid=3544,ruid=0,euid=0,pgid=3544,fid=2000001,logid=0,cmd=tnauthp,domain=Atnx,edomain=atnx,srcip=192.168.181.30,srcport=49566,srcburb=2,dstip=192.168.180.87,dstport=23,dstburb=1,protocol=6,service_name=nt_tnauthp,status=conn_open,netsessid=3cc053160004222f

29 | conn_cont | Agile | 6.2 | Audit | t_nettraffic | Accepted
Sample Log Message: <179>Jan 1 00:00:00 auditd: date="apr 19 12:25:42 2002 CDT",fac=f_telnetproxy,area=a_server,type=t_nettraffic,pri=p_major,pid=3544,ruid=0,euid=0,pgid=3544,fid=2000001,logid=0,cmd=tnauthp,domain=atnx,edomain=atnx,srcip=192.168.181.3,srcport=49566,srcburb=2,dstip=192.168.180.87,dstport=23,dstburb=1,protocol=6,bytes_written_to_client=0,bytes_written_to_server=0,service_name=nt_tnauthp,reason=" continue ",status=conn_cont,auth_method=password,user_name=a,request_status=1,start_time="fri Apr 19 12:25:42 2002",netsessid=3cc053160004222f

30 | conn_close | Agile | 6.2 | Audit | t_nettraffic | Accepted
Sample Log Message: <179>Jan 1 00:00:00 auditd: date="apr 19 12:25:42 2002 CDT",fac=f_telnetproxy,area=a_server,type=t_nettraffic,pri=p_major,pid=3544,ruid=0,euid=0,pgid=3544,fid=2000001,logid=0,cmd=tnauthp,domain=atnx,edomain=atnx,srcip=192.168.181.3,srcport=49566,srcburb=2,dstip=192.168.180.87,dstport=23,dstburb=1,protocol=6,bytes_written_to_client=0,bytes_written_to_server=0,service_name=nt_tnauthp,reason="proxy traffic end",status=conn_close,auth_method=password,user_name=a,request_status=1,start_time="fri Apr 19 12:25:42 2002",netsessid=3cc053160004222f

31 | N/A | Agile | 6.2 | Audit | t_proxyauth | Denied
Sample Log Message: <135>Jan 1 00:00:03 sidewinder1 auditd: date="jan 1 00:00:03 PST",fac=f_ssod,area=a_auditlib,type=t_proxyauth,pri=p_major,pid=94704,ruid=161,euid=194,pgid=1137,fid=0,logid=138,cmd=find,domain=ssh2,edomain=pasw,srcip=10.20.30.43,srcport=2010,dstip=99.20.30.40,dstport=3002,protocol=5,srchost=10.116.28.25,dsthost=desthost

32 | N/A | Agile | 6.2/format 1 (action is add or delete) | Audit | t_udb_useract | User Last Activity, User Created/Deleted
Sample Log Message: <179>Jun 6 18:32:37 auditd: date="may 14 17:27:29 2001 CDT",fac=f_passwordwarder,area=a_libudb,type=t_udb_useract,pri=p_major,pid=22821,ruid=0,euid=0,pgid=247,logid=0,cmd=pasw,domain=pasw,edomain=pasw,udb_admin=root,udb_user=a,udb_class=common,udb_action=add

33 | N/A | Agile | 6.2/format 1 (action is modify) | Audit | t_udb_useract | User Last Activity
Sample Log Message: <179>Jun 6 18:32:37 auditd: date="may 14 17:27:29 2001 CDT",fac=f_passwordwarder,area=a_libudb,type=t_udb_useract,pri=p_major,pid=22821,ruid=0,euid=0,pgid=247,logid=0,cmd=pasw,domain=pasw,edomain=pasw,udb_admin=root,udb_user=a,udb_class=common,udb_action=modify

34 | N/A | Agile | 6.1 | Audit | t_aclallow | Accepted
Sample Log Message: <179>May 22 17:16:52 auditd: date="may 22 17:16:52 GMT",fac=f_wwwproxy,area=a_server,type=t_aclallow,pri=p_major,pid=1545,ruid=0,euid=0,pgid=1545,fid=0,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=xxx,srcip=10.10.10.10,srcburb=internal,dstip=20.20.20.20,dstburb=external,protocol=6,service_name=http,agent_type=proxy,user_name=(null),auth_method=(null),acl_id="internet Services",cache_hit=1,acl_position=6

35 | N/A | Agile | 6.1 | Audit | t_acldeny | Denied
Sample Log Message: <179>Jun 24 05:15:57 auditd: date="jun 24 05:15:57 EDT",fac=f_smtp_proxy,area=a_server,type=t_acldeny,pri=p_major,pid=1350,ruid=0,euid=0,pgid=1350,fid=0,logid=0,cmd=smtpp,domain=SMTp,edomain=SMTp,hostname=xxx,srcip=10.10.10.10,srcburb=internal,dstip=10.100.100.10,dstburb=internal,protocol=6,service_name=smtp,agent_type=proxy,attackip=10.10.100.10,attackburb=internal,user_name=(null),auth_method=(null),acl_id="deny All",cache_hit=1,acl_position=23

36 | N/A | Agile | 6.1 | Audit | t_auth_attempt | User Last Activity / User Authentication
Sample Log Message: <179>Jun 24 05:07:57 auditd: date="jun 24 05:07:57 EDT",fac=f_login,area=a_general_area,type=t_auth_attempt,pri=p_major,pid=1880,ruid=0,euid=0,pgid=1880,fid=0,logid=0,cmd=login,domain=Logn,edomain=Logn,hostname=xxx,user_name=abc,auth_method=-password,result=1,information="cobra login authentication Accepted for user `abc, method -password, from 20.20.20.02"

37 | ipf_open | Agile | 6.1 | Audit | t_ipftraffic | Accepted
Sample Log Message: <179>Aug 13 14:49:19 auditd: date="aug 13 14:49:19 JST",fac=f_kern_ipfilt,area=a_general_area,type=t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=htpp,edomain=htpp,hostname=xxx,status=ipf_open,rule_name=web-proxy-out_high,srcip=10.10.10.10,srcport=600,dstip=30.30.30.30,dstport=4000,protocolname=tcp,netsessid=48a275df0006e3da

38 | ipf_close | Agile | 6.1 | Audit | t_ipftraffic | Accepted
Sample Log Message: <179>Aug 13 14:50:47 auditd: date="aug 13 14:50:47 JST",fac=f_kern_ipfilt,area=a_general_area,type=t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=htpp,edomain=htpp,hostname=xxx,status=ipf_close,rule_name=web-proxy-out_high,srcip=10.10.10.10,srcport=650,dstip=20.20.20.20,dstport=6000,bytes_written_to_client=226,bytes_written_to_server=652,protocolname=tcp,netsessid=48a275dd000276e4

39 | conn_open | Agile | 6.1 | Audit | t_nettraffic | Accepted
Sample Log Message: <179>Jan 1 00:00:00 auditd: date="jan 1 00:00:00 PST",fac=f_udp_proxy,area=a_liblicense,type=t_nettraffic,pri=p_major,pid=23589,ruid=159,euid=188,pgid=1137,fid=0,logid=276,cmd=dnsp,domain=Htps,edomain=htps,hostname=xxx,srcip=10.10.10.10,srcport=5012,srcburb=external,dstip=20.20.20.20,dstport=6008,dstburb=external,protocol=6,service_name=httpp,status=conn_open,acl_id="internet Services",cache_hit=0,netsessid=465325860005fa72

40 | conn_cont | Agile | 6.1 | Audit | t_nettraffic | Accepted
Sample Log Message: <179>Aug 13 14:16:09 auditd: date="aug 13 14:16:09 JST",fac=f_wwwproxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=1309,ruid=0,euid=0,pgid=1309,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=xxx,srcip=10.10.10.10,srcport=1011,srcburb=int,dstip=20.20.20.20,dstport=5660,dstburb=ext,protocol=6,bytes_written_to_client=722,bytes_written_to_server=1452,service_name=httpp,reason= continue,status=conn_cont,acl_id=web-proxy-http_out,cache_hit=0,request_status=0,start_time="wed Aug 13 14:12:56 ",netsessid=48a26d5800030e99

41 | conn_close | Agile | 6.1/format 1 | Audit | t_nettraffic | Accepted
Sample Log Message: <179>May 22 17:16:52 auditd: date="may 22 17:16:52 GMT",fac=f_wwwproxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=1545,ruid=0,euid=0,pgid=1545,fid=0,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=xxx,srcip=10.10.10.10,srcport=900,srcburb=internal,dstip=20.20.20.20,dstport=900,dstburb=external,protocol=6,bytes_written_to_client=500,bytes_written_to_server=60,service_name=httpp,status=conn_close,acl_id="internet Services",cache_hit=1,request_status=0,start_time="Tue May 22 17:16:53 ",netsessid=465325840009824d

42 | conn_close | Agile | 6.1/format 2 | Audit | t_nettraffic | Accepted
Sample Log Message: <179>Aug 13 14:28:31 auditd: date="aug 13 14:28:31 JST",fac=f_mail,area=a_server,type=t_nettraffic,pri=p_major,pid=20756,ruid=0,euid=0,pgid=20756,logid=0,cmd=sendmail,domain=mta2,edomain=mta2,hostname=xxx,srcip=10.10.10.90,srcport=344,srcburb=ext,dstip=10.10.10.10,dstport=2500,dstburb=int,protocol=6,bytes_written_to_client=0,bytes_written_to_server=2012,service_name=sendmail(2),reason="Normal delivery of message m7d5sp6z020754",status=conn_close,acl_id=smtp_all,cache_hit=0,queueid=m7d5sp6z020754,mail_sender=xxx@xxx.com,recipient=xxx@xxx.mil,start_time="Wed Aug 13 14:28:31 ",netsessid=48a270ff00019957

43 | conn_close | Agile | 6.1/format 3 | Audit | t_nettraffic | Accepted
Sample Log Message: <179>Aug 13 14:16:09 auditd: date="aug 13 14:16:09 JST",fac=f_mail,area=a_server,type=t_nettraffic,pri=p_major,pid=20436,ruid=0,euid=0,pgid=20436,logid=0,cmd=sendmail,domain=mta2,edomain=mta2,hostname=xxx,srcip=10.10.10.10,srcport=600,srcburb=ext,dstip=10.10.10.10,dstport=9000,dstburb=int,protocol=6,bytes_written_to_client=0,bytes_written_to_server=7564,service_name=sendmail(2),reason="Normal delivery of message m7d5g4pe020434",status=conn_close,acl_id=smtp_all,cache_hit=0,queueid=m7d5g4pe020434,mail_sender=xxx@xx.xxx.mil,recipient=xxx@xxx.mil,subject="FW: THANK YOU NOTE ON BEHALF OF COMMODORE KEARNS",start_time="Wed Aug 13 14:16:10 ",netsessid=48a26e190009ff25

44 | conn_open | Agile | 6.1 | Audit | t_servtraffic | Accepted
Sample Log Message: <179>Jul 28 09:06:25 auditd: date="jul 28 09:06:25 EDT",fac=f_wwwproxy,area=a_libproxycommon,type=t_servtraffic,pri=p_major,pid=1476,ruid=0,euid=0,pgid=1476,fid=0,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=xxx,srcip=10.10.10.10,srcport=100,srcburb=internal,dstip=20.20.20.20,dstport=80,dstburb=external,protocol=6,service_name=httpp,status=conn_open,acl_id="internet Services",cache_hit=1,netsessid=488dc451000bce06

45 | conn_close | Agile | 6.1 | Audit | t_servtraffic | Accepted
Sample Log Message: <179>Jul 28 09:12:33 auditd: date="jul 28 09:12:33 EDT",fac=f_scobra_proxy,area=a_libproxycommon,type=t_servtraffic,pri=p_major,pid=1491,ruid=0,euid=0,pgid=1491,fid=0,logid=0,cmd=scobrap,domain=gssl,edomain=gssl,hostname=xxx,srcip=10.10.10.10,srcport=14,srcburb=internal,dstip=10.10.10.10,dstport=9003,dstburb=Firewall,protocol=6,bytes_written_to_client=7,bytes_written_to_server=30,service_name=scobrap,status=conn_close,acl_id="admin Console",cache_hit=0,request_status=0,start_time="Mon Jul 28 09:12:28 ",netsessid=488dc5bb0008b5df

46 | N/A | Agile | 6.1/format 1 (action is add or delete) | Audit | t_udb_useract | User Last Activity, User Created/Deleted
Sample Log Message: <179>Jun 6 18:32:37 auditd: date="jun 6 18:32:37 CDT",fac=f_passwordwarder,area=a_libudb,type=t_udb_useract,pri=p_major,pid=18668,ruid=0,euid=0,pgid=1326,logid=0,cmd=pasw,domain=pasw,edomain=pasw,hostname=xxx,udb_admin=root,udb_user=sean,udb_class=common,udb_action=add

47 | N/A | Agile | 6.1/format 2 (action is modify) | Audit | t_udb_useract | User Last Activity
Sample Log Message: <179>Jun 6 18:32:37 auditd: date="jun 6 18:32:37 CDT",fac=f_passwordwarder,area=a_libudb,type=t_udb_useract,pri=p_major,pid=18668,ruid=0,euid=0,pgid=1326,logid=0,cmd=pasw,domain=pasw,edomain=pasw,hostname=xxx,udb_admin=root,udb_user=sean,udb_class=common,udb_action=modify

48 | N/A | Search | 6.2 | Operational | t_acl_change | Sidewinder 6.2: ACL Modification
Sample Log Message: <179>Jun 6 18:32:37 auditd: date="may 11 10:17:01 2001 CDT",fac=f_cf,area=a_acladm,type=t_acl_change,pri=p_major,pid=1958,ruid=0,euid=0,pgid=1958,logid=100,cmd=COBRAD,domain=Admn,edomain=Admn,acl_admin=a,acl_op=add,acl_table=acl,acl_data="{'action': 'allow', 'ignore': 0, 'nat_addr':('host', 'localhost'), 'name': 'ping', 'agents':['proxy'], 'table': 'acl', 'services': [('service','ping')], 'last_changed_by': 'a on 05/09/01 10:17:31','alert': None, 'pos': 18, 'auth_needed': 0,'external_groups': None}"

49 | N/A | Search | 6.2 | Operational | t_proxy_flooded | Sidewinder 6.2: Proxy Flooded
Sample Log Message: <179>Jun 6 18:32:37 auditd: date="oct 30 12:41:25 2002 CST",fac=f_nss,area=a_server,type=t_proxy_flooded,pri=p_major,pid=179,ruid=0,euid=0,pgid=179,logid=0,cmd='nss',domain=nss2,edomain=nss2,srcburb=2,srcip=192.168.181.3,srcport=51210,dstip=192.168.180.87,dstport=80,information="55 No buffer space available Could not connect to the http proxy, probably flooded, temporarily suspended network fd 9 for 1 second"

50 | N/A | Search | 6.2 | Operational | t_snmp_coldtrap | Sidewinder 6.2: SNMP Coldstart Trap
Sample Log Message: <179>Jun 6 18:32:37 auditd: date="may 30 13:46:10 2001 CDT",fac=f_snmp,area=a_server,type=t_snmp_coldtrap,pri=p_major,pid=476,ruid=0,euid=0,pgid=476,logid=0,cmd=snmpd,domain=Admn,edomain=Admn,info=" \"Coldstart trap!"

51 | N/A | Search | 6.2 | Operational | t_syn_attack | Sidewinder 6.2: SYN Attack
Sample Log Message: <179>Jun 6 18:32:37 auditd: date="may 30 13:46:10 2001 CDT",fac=f_kernel,area=a_nil_area,type=t_syn_attack,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=,domain=,edomain=,srcip=10.1.1.1,srcport=64,dstport=83,srcburb=2

52 | N/A | Search | 6.2 | Operational | t_tacrad_acct | Sidewinder 6.2: TACACS/RADIUS Accounting
Sample Log Message: <179>Jun 6 18:32:37 auditd: date="may 4 06:02:42 2000 CDT",fac=f_syslog_mail,area=a_general_area,type=t_tacrad_acct,pri=p_major,pid=1418,ruid=0,euid=0,pgid=1418,logid=0,cmd=sendmail,domain=mta2,edomain=mta2,info="xxx"

53 | N/A | Search | 6.2 | Operational | t_protocol_error | Sidewinder 6.2: Protocol Error
Sample Log Message: <179>Jun 6 18:32:37 auditd: date="oct 30 12:41:25 2002 CST",fac=f_telnet_proxy,area=a_server,type=t_protocol_error,pri=p_major,pid=179,ruid=0,euid=0,pgid=179,fid=2000001,logid=0,cmd='tnauthp',domain=Atnx,edomain=atnx,srcip=192.168.181.30,srcport=51210,srcburb=2,dstip=192.168.180.87,dstport=23,dstburb=1,netsessid=3cc053160004222f,proto_err_id=1,information=

54 | N/A | Search | 6.2 | Operational | t_ddtviolation | Sidewinder 6.2: Type Enforcement
Sample Log Message: <179>Jun 6 18:32:37 auditd: date="may 4 06:13:18 2000 CDT",fac=f_kernel,area=a_tepm,type=t_ddtviolation,pri=p_major,pid=2233,ruid=0,euid=0,pgid=18061,logid=0,cmd='named-xfer',domain=DNSu,edomain=DNSu,permwanted=64,permgranted=1,srcdom=dnsu,filedom=dnsu,filetype=conf,file=mpls.db.bak,info="op:0x2000041 perm wanted: 0x40<destroy> permgranted:0x1<read>"

55 | N/A | Search | 6.2 | Operational | t_ditviolation | Sidewinder 6.2: Type Enforcement
Sample Log Message: <179>Jun 6 18:32:37 auditd: date="may 4 06:13:18 2000 CDT",fac=f_kernel,area=a_tepm,type=t_ditviolation,pri=p_major,pid=2233,ruid=0,euid=0,pgid=18061,logid=0,cmd='named-xfer',domain=DNSu,edomain=DNSu,permwanted=64,permgranted=1,srcdom=dnsu,filedom=dnsu,filetype=conf,file=mpls.db.bak,info="op:0x2000041 perm wanted: 0x40<destroy> permgranted:0x1<read>"

56 | N/A | Search | 6.2 | Operational | t_dmnprivdenied | Sidewinder 6.2: Type Enforcement
Sample Log Message: <179>Jun 6 18:32:37 auditd: date="may 4 06:13:18 2000 CDT",fac=f_kernel,area=a_tepm,type=t_dmnprivdenied,pri=p_major,pid=2233,ruid=0,euid=0,pgid=18061,logid=0,cmd='named-xfer',domain=dnsu,edomain=dNSu,permwanted=64,permgranted=1,srcdom=DNSu,filedom=dnsu,filetype=conf,file=mpls.db.bak,info="op:0x2000041 perm wanted: 0x40<destroy> permgranted:0x1<read>"

57 | N/A | Search | 6.2 | Operational | t_chtype | Sidewinder 6.2: Type Enforcement
Sample Log Message: <179>Jun 6 18:32:37 auditd: date="may 4 06:13:18 2000 CDT",fac=f_kernel,area=a_tepm,type=t_chtype,pri=p_major,pid=2233,ruid=0,euid=0,pgid=18061,logid=0,cmd='named-xfer',domain=dnsu,edomain=dnsu,permwanted=64,permgranted=1,srcdom=dnsu,filedom=DNSu,filetype=conf,file=mpls.db.bak,info="OP:0x2000041 perm wanted: 0x40<destroy> permgranted:0x1<read>"

58 | N/A | Search | 6.2 | Operational | t_udb_sysact | Sidewinder 6.2: User Database Modification
Sample Log Message: <179>Jun 6 18:32:37 auditd: date="may 14 17:27:29 2001 CDT",fac=f_passwordwarder,area=a_libudb,type=t_udb_sysact,pri=p_major,pid=22821,ruid=0,euid=0,pgid=247,logid=0,cmd=pasw,domain=pasw,edomain=pasw,udb_admin=root,udb_user=a,udb_class=common,udb_action=modify

59 | N/A | Search | 6.2 | Operational | t_udb_useract | Sidewinder 6.2: User Database Modification
Sample Log Message: <179>Jun 6 18:32:37 auditd: date="may 14 17:27:29 2001 CDT",fac=f_passwordwarder,area=a_libudb,type=t_udb_useract,pri=p_major,pid=22821,ruid=0,euid=0,pgid=247,logid=0,cmd=pasw,domain=pasw,edomain=pasw,udb_admin=root,udb_user=a,udb_class=common,udb_action=modify

60 | N/A | Search | 7.x/Category is appdef_violation | Operational | t_attack | Sidewinder 7.x: Application Defense Violation
Sample Log Message: No sample log available

61 | N/A | Search | 7.x/Category is buffer_overflow | Operational | t_attack | Sidewinder 7.x: Buffer Overflow Attack
Sample Log Message: No sample log available

62 | N/A | Search | 7.x/Category is dos | Operational | t_attack | Sidewinder 7.x: Denial of Service Attack
Sample Log Message: No sample log available

63 | N/A | Search | Sidewinder 7.x: General Attack | Operational | t_attack | 7.x / Category is general
Sample: No sample log available

64 | N/A | Search | Sidewinder 7.x: Policy Violation | Operational | t_attack | 7.x / Category is policy_violation
Sample: No sample log available

65 | N/A | Search | Sidewinder 7.x: Protocol Violation | Operational | t_attack | 7.x / Category is protocol_violation
Sample: <179>Jun 6 18:32:37 auditd: date="mar 15 02:28:54 EDT",fac=f_kernel,area=a_nil_area,type=t_attack,pri=p_minor,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=htpp,edomain=htpp,hostname=xxxxxxx.xxxx.com,category=protocol_violation,event=tcp RESET; no data xfer,srcip=xx.xx.xxx.xxx,srcport=40283,dstip=xxx.xx.xxx.xx,dstport=25,protocol=6,srcburb=external,interface=em1,reason="the Sidewinder received a RESET after the remote system connected, but no data was transferred. This could indicate a stealth connection attack."

66 | N/A | Search | Sidewinder 7.x: Signature-based IPS Intrusion Attempt | Operational | t_attack | 7.x / Category is signature_ips
Sample: No sample log available

67 | N/A | Search | Sidewinder 7.x: Spam | Operational | t_attack | 7.x / Category is spam
Sample: <179>Jun 6 18:32:37 auditd: date="mar 16 16:33:55 CDT",fac=f_sendmail_daemon,area=a_server,type=t_attack,pri=p_major,pid=2076,ruid=0,euid=0,pgid=2071,logid=0,cmd=sendmail,domain=mta1,edomain=mta1,hostname=carp.b.com,category=spam,event=access deny,srcip=xx.xx.xxx.xx,srcburb=external,attackip=xx.xx.xxx.xx,attackburb=external,queueid=l2glxtml002076,reason="Sendmail determined that this session is not allowed.",information="550 5.7.1 TrustedSource determined this IP address is untrusted. Reputation value: xxx.x.x.xx"

68 | N/A | Search | Sidewinder 7.x: Virus | Operational | t_attack | 7.x / Category is virus
Sample: No sample log available

69 | N/A | Search | Sidewinder 7.x: Authentication Lockout | Operational | t_auth_lockout | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 15 22:50:02 CDT",fac=f_acld,area=a_server,type=t_auth_lockout,pri=p_major,pid=12227,ruid=0,euid=0,pgid=12227,logid=0,cmd=acld,domain=acld,edomain=acld,hostname=xxxx.x.com,event=authentication failure lockout,user_name=x,reason="authentication failure limit exceeded."

70 | connect failed | Search | Sidewinder 7.x: Connection Failed | Operational | t_info | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="jul 9 23:51:00 UTC",fac=f_daemond,area=a_server,type=t_info,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=dmnd,edomain=dmnd,hostname=sidewinder1.loglabs.com,event=connect failed,reason="connection to server failed."

71 | failed connection | Search | Sidewinder 7.x: Connection Failed | Operational | t_error | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="jul 9 23:51:00 UTC",fac=f_daemond,area=a_server,type=t_error,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=dmnd,edomain=dmnd,hostname=sidewinder1.loglabs.com,event=failed connection,reason="could not connect to server. The session was terminated."

72 | TCP old duplicate | Search | Sidewinder 7.x: Invalid TCP packets | Operational | t_error | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="jul 9 23:51:00 UTC",fac=f_daemond,area=a_server,type=t_error,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=dmnd,edomain=dmnd,hostname=sidewinder1.loglabs.com,event=tcp old duplicate,reason="the Sidewinder received packet that contains a timestamp from before this connection was established. It may be an old duplicate packet from a previous connection, or it may indicate a timestamp attack."

73 | TCP data/closed conn | Search | Sidewinder 7.x: Invalid TCP packets | Operational | t_error | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="jul 9 23:51:00 UTC",fac=f_daemond,area=a_server,type=t_error,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=dmnd,edomain=dmnd,hostname=sidewinder1.loglabs.com,event=tcp data/closed conn,reason="the Sidewinder received data for a connection that has been closed. This may indicate an attack."

74 | TCP RESET sequence error | Search | Sidewinder 7.x: Invalid TCP packets | Operational | t_error | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="jul 9 23:51:00 UTC",fac=f_daemond,area=a_server,type=t_error,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=dmnd,edomain=dmnd,hostname=sidewinder1.loglabs.com,event=tcp RESET sequence error,reason="the Sidewinder received a RESET packet with an invalid sequence number. This may be a reset for an earlier connection, or it may indicate an attack."

75 | license expire | Search | Sidewinder 7.x: License Expiration | Operational | t_license_expire | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 15 21:59:33 CDT",fac=f_license,area=a_server,type=t_lic_expire,pri=p_major,pid=12227,ruid=0,euid=0,pgid=12227,logid=0,cmd=acld,domain=acld,edomain=acld,hostname=xxxx.x.com,event=license expire,reason="",information=""

76 | passport addition | Search | Sidewinder 7.x: Passport | Operational | t_passport_chng | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 15 22:42:42 CDT",fac=f_acld,area=a_passport,type=t_passport_chng,pri=p_major,pid=12227,ruid=0,euid=0,pgid=12227,logid=0,cmd=acld,domain=Acld,edomain=Acld,hostname=xxxx.x.com,event=passport addition,srcip=xx.xx.xxx.xx,user_name=x,external_group=(null),auth_method=password,cache_time="thu Mar 15 22:42:42 ",access_time="thu Mar 15 22:42:42 "

77 | passport deletion | Search | Sidewinder 7.x: Passport | Operational | t_passport_chng | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 15 22:42:42 CDT",fac=f_acld,area=a_passport,type=t_passport_chng,pri=p_major,pid=12227,ruid=0,euid=0,pgid=12227,logid=0,cmd=acld,domain=Acld,edomain=Acld,hostname=xxxx.x.com,event=passport deletion,srcip=xx.xx.xxx.xx,user_name=x,external_group=(null),auth_method=password,cache_time="thu Mar 15 22:42:42 ",access_time="thu Mar 15 22:42:42 "

78 | passport updated | Search | Sidewinder 7.x: Passport | Operational | t_passport_chng | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 15 22:42:42 CDT",fac=f_acld,area=a_passport,type=t_passport_chng,pri=p_major,pid=12227,ruid=0,euid=0,pgid=12227,logid=0,cmd=acld,domain=Acld,edomain=Acld,hostname=xxxx.x.com,event=passport updated,srcip=xx.xx.xxx.xx,user_name=x,external_group=(null),auth_method=password,cache_time="thu Mar 15 22:42:42 ",access_time="thu Mar 15 22:42:42 "

79 | all passports revoked | Search | Sidewinder 7.x: Passport | Operational | t_passport_chng | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 15 22:42:42 CDT",fac=f_acld,area=a_passport,type=t_passport_chng,pri=p_major,pid=12227,ruid=0,euid=0,pgid=12227,logid=0,cmd=acld,domain=Acld,edomain=Acld,hostname=xxxx.x.com,event=all passports revoked,srcip=xx.xx.xxx.xx,user_name=x,external_group=(null),auth_method=password,cache_time="thu Mar 15 22:42:42 ",access_time="thu Mar 15 22:42:42 "

80 | passport expiration | Search | Sidewinder 7.x: Passport Expiration | Operational | t_passport_chng | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 15 22:42:49 CDT",fac=f_acld,area=a_passport,type=t_passport_chng,pri=p_major,pid=12227,ruid=0,euid=0,pgid=12227,logid=0,cmd=acld,domain=Acld,edomain=Acld,hostname=xxxx.x.com,event=passport expiration,srcip=xx.xx.xxx.xx,access_time="thu Mar 15 22:42:49 "

81 | system backup success | Search | Sidewinder 7.x: System Backup | Operational | t_info | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="jul 9 23:51:00 UTC",fac=f_daemond,area=a_server,type=t_info,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=dmnd,edomain=dmnd,hostname=sidewinder1.loglabs.com,event=system backup success,reason="system backup from Operational System (F%d) to Alternate System (F%d) succeeded."

82 | system backup failure | Search | Sidewinder 7.x: System Backup | Operational | t_error | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="jul 9 23:51:00 UTC",fac=f_daemond,area=a_server,type=t_error,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=dmnd,edomain=dmnd,hostname=sidewinder1.loglabs.com,event=system backup failure,reason="system backup from Operational System (F%d) to Alternate System (F%d) failed."

83 | license notice | Search | Sidewinder 7.x: License Notice | Operational | t_important | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="jul 9 23:51:00 UTC",fac=f_daemond,area=a_server,type=t_important,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=Dmnd,edomain=Dmnd,hostname=sidewinder1.loglabs.com,event=license notice,reason="waiting to start '%s' because '%s' is %s."

84 | N/A | Search | Sidewinder: Configuration Change | Operational | t_cfg_change | 6.2
Sample: <179>Jun 6 18:32:37 auditd: date="nov 7 00:00:06 2002 CST",fac=f_system,area=a_general_area,type=t_cfg_change,pri=p_major,pid=4517,ruid=0,euid=0,pgid=4483,logid=0,cmd='cf',domain=CARW,edomain=CARW,user_name=root,information="updated lasttranslate time for server (Set translator.server indomain SCC_Reserved_translator to value [(1036648805L,'root')])"

85 | config modify | Search | Sidewinder: Configuration Change | Operational | t_cfg_change | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 15 15:55:07 CDT",fac=f_system,area=a_general_area,type=t_cfg_change,pri=p_major,pid=11589,ruid=0,euid=0,pgid=11589,logid=100,cmd=cf,domain=CARW,edomain=CARW,hostname=xxxx.x.com,event=config modify,user_name=a,config_area=service,config_item=acld,information="changed ACLD: loglevel=3"

86 | config restore | Search | Sidewinder: Configuration Change | Operational | t_cfg_change | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 15 15:55:07 CDT",fac=f_system,area=a_general_area,type=t_cfg_change,pri=p_major,pid=11589,ruid=0,euid=0,pgid=11589,logid=100,cmd=cf,domain=CARW,edomain=CARW,hostname=xxxx.x.com,event=config restore,user_name=a,config_area=service,config_item=acld,information="changed ACLD: loglevel=3"

87 | config apply | Search | Sidewinder: Configuration Change | Operational | t_cfg_change | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 15 15:55:07 CDT",fac=f_system,area=a_general_area,type=t_cfg_change,pri=p_major,pid=11589,ruid=0,euid=0,pgid=11589,logid=100,cmd=cf,domain=CARW,edomain=CARW,hostname=xxxx.x.com,event=config apply,user_name=a,config_area=service,config_item=acld,information="changed ACLD: loglevel=3"

88 | config file | Search | Sidewinder: Configuration Change | Operational | t_cfg_change | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 15 15:55:07 CDT",fac=f_system,area=a_general_area,type=t_cfg_change,pri=p_major,pid=11589,ruid=0,euid=0,pgid=11589,logid=100,cmd=cf,domain=CARW,edomain=CARW,hostname=xxxx.x.com,event=config file,user_name=a,config_area=service,config_item=acld,information="changed ACLD: loglevel=3"

89 | config udb | Search | Sidewinder: Configuration Change | Operational | t_cfg_change | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 15 15:55:07 CDT",fac=f_system,area=a_general_area,type=t_cfg_change,pri=p_major,pid=11589,ruid=0,euid=0,pgid=11589,logid=100,cmd=cf,domain=CARW,edomain=CARW,hostname=xxxx.x.com,event=config udb,user_name=a,config_area=service,config_item=acld,information="changed ACLD: loglevel=3"

90 | N/A | Search | Sidewinder: Proxy/Remote Server Authentication Failure | Operational | t_proxyauth | 6.2
Sample: <179>Jun 6 18:32:37 auditd: date="may 30 13:46:10 2001 CDT",fac=f_acld,area=a_server,type=t_t_proxyauth,pri=p_major,pid=14981,ruid=0,euid=0,pgid=14981,logid=0,domain=acld,edomain=acld,major,srcip=192.168.104.135,dstip=192.168.106.126,protocolname=udp,srcburb=2,srcport=49357,dstport=5001,info=""

91 | remote server authentication failure | Search | Sidewinder: Proxy/Remote Server Authentication Failure | Operational | t_proxyauth | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 15 02:28:54 EDT",fac=f_kernel,area=a_nil_area,type=t_proxyauth,pri=p_minor,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=htpp,edomain=htpp,hostname=xxxxxxx.xxxx.com,event=remote server authentication failure,srcip=xx.xx.xxx.xxx,srcport=40283,dstip=xxx.xx.xxx.xx,dstport=25,protocol=6,srcburb=external,interface=em1,reason="the Sidewinder received a RESET after the remote system connected, but no data was transferred. This could indicate a stealth connection attack."

92 | proxy authentication failure | Search | Sidewinder: Proxy/Remote Server Authentication Failure | Operational | t_proxyauth | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 15 02:28:54 EDT",fac=f_kernel,area=a_nil_area,type=t_proxyauth,pri=p_minor,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=htpp,edomain=htpp,hostname=xxxxxxx.xxxx.com,event=proxy authentication failure,srcip=xx.xx.xxx.xxx,srcport=40283,dstip=xxx.xx.xxx.xx,dstport=25,protocol=6,srcburb=external,interface=em1,reason="the Sidewinder received a RESET after the remote system connected, but no data was transferred. This could indicate a stealth connection attack."

93 | N/A | Search | Sidewinder: Blackhole | Operational | t_blackhole | 6.2
Sample: <179>Jun 6 18:32:37 auditd: date="oct 30 11:50:59 2002 CST",fac-f_kernel,area=a_blkh,type=t_blackhole,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd='',domain=,edomain=,status=blackhole_add,srcip=192.168.181.30,srcburb=2,seconds=10

94 | blackhole add | Search | Sidewinder: Blackhole | Operational | t_blackhole | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 15 22:24:19 CDT",fac=f_kernel,area=a_blkh,type=t_blackhole,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=,edomain=,hostname=xxxx.x.com,event=blackhole add,srcip=xx.xx.xxx.xx,srcburb=internal,seconds=2400,reason="This host was added to the blackhole table."

95 | blackhole update | Search | Sidewinder: Blackhole | Operational | t_blackhole | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 15 22:24:19 CDT",fac=f_kernel,area=a_blkh,type=t_blackhole,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=,edomain=,hostname=xxxx.x.com,event=blackhole update,srcip=xx.xx.xxx.xx,srcburb=internal,seconds=2400,reason="This host was added to the blackhole table."

96 | blackhole delete | Search | Sidewinder: Blackhole | Operational | t_blackhole | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 15 22:24:19 CDT",fac=f_kernel,area=a_blkh,type=t_blackhole,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=,edomain=,hostname=xxxx.x.com,event=blackhole delete,srcip=xx.xx.xxx.xx,srcburb=internal,seconds=2400,reason="This host was added to the blackhole table."

97 | blackhole expire | Search | Sidewinder: Blackhole | Operational | t_blackhole | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 15 22:24:19 CDT",fac=f_kernel,area=a_blkh,type=t_blackhole,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=,edomain=,hostname=xxxx.x.com,event=blackhole expire,srcip=xx.xx.xxx.xx,srcburb=internal,seconds=2400,reason="This host was added to the blackhole table."

98 | N/A | Search | Sidewinder: Console Login Failure | Operational | t_auth_attempt | 6.2
Sample: <179>Jun 6 18:32:37 auditd: date="may 16 13:18:51 2001 CDT",fac=f_ftpproxy,area=a_server,type=t_auth_attempt,pri=p_major,pid=464,ruid=0,euid=0,pgid=464,logid=0,cmd=pftp,domain=pftx,edomain=pftx,user_auth_name=a,auth_method=password,result=0,info="console authentication failed for user `a:password', method password"

99 | auth deny | Search | Sidewinder: Console Login Failure | Operational | t_attack | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="jan 15 23:37:17 UTC",fac=f_login,area=a_general_area,type=t_attack,pri=p_major,pid=95639,ruid=0,euid=0,pgid=95639,logid=0,cmd=login,domain=logn,edomain=logn,hostname=sidewinder1.loglabs.com,category=policy_violation,event=auth deny,user_name=mburry,auth_method=default,reason="authentication failed.",information="console login authentication failed for user `mburry', method default, from console"

100 | N/A | Search | Sidewinder: Software Client Login Failure | Operational | t_auth_attempt | 6.2
Sample: <179>Jun 6 18:32:37 auditd: date="may 16 13:18:51 2001 CDT",fac=f_ftpproxy,area=a_server,type=t_auth_attempt,pri=p_major,pid=464,ruid=0,euid=0,pgid=464,logid=0,cmd=pftp,domain=pftx,edomain=pftx,user_auth_name=a,auth_method=password,result=0,info="cobra authentication failed for user `a:password', method password"

101 | auth deny | Search | Sidewinder: Software Client Login Failure | Operational | t_attack | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="jan 15 22:51:35 UTC",fac=f_login,area=a_general_area,type=t_attack,pri=p_major,pid=95322,ruid=0,euid=0,pgid=95322,logid=0,cmd=login,domain=logn,edomain=logn,hostname=sidewinder1.loglabs.com,category=policy_violation,event=auth deny,user_name=admin,auth_method=password,reason="authentication failed.",information="cobra login authentication failed for user `admin', method Password, from 10.60.0.7"

102 | N/A | Search | Sidewinder: Hardware/Software Failure | Operational | t_hardware_failure | 6.2
Sample: <179>Jun 6 18:32:37 auditd: date="feb 6 06:53:13 2004 CST",fac=f_daemond,area=a_server,type=t_hardware_failure,pri=p_minor,pid=163,ruid=0,euid=0,pgid=162,logid=0,cmd=daemond,domain=Dmnd,edomain=Dmnd,comp_class=software,comp_name=kmvfilter(2),information="/usr/libexec/kmvfilter (1260) died; restarting"

103 | N/A | Search | Sidewinder: Hardware/Software Failure | Operational | t_hardware_failure | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 6 15:20:49 EST",fac=f_daemond,area=a_server,type=t_hardware_failure,pri=p_minor,pid=153,ruid=0,euid=0,pgid=153,logid=0,cmd=daemond,domain=Dmnd,edomain=Dmnd,hostname=xxxxxxx.xxxx.com,comp_class=software,comp_name=http,information="http (69507) died unexpectedly. Restarting."

104 | N/A | Search | Sidewinder: Hardware/Software Failure | Operational | t_software_failure | 6.2
Sample: <179>Jun 6 18:32:37 auditd: date="feb 6 06:53:13 2004 CST",fac=f_daemond,area=a_server,type=t_software_failure,pri=p_minor,pid=163,ruid=0,euid=0,pgid=162,logid=0,cmd=daemond,domain=dmnd,edomain=dmnd,comp_class=software,comp_name=kmvfilter(2),information="/usr/libexec/kmvfilter (1260) died; restarting"

105 | N/A | Search | Sidewinder: Hardware/Software Failure | Operational | t_software_failure | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 6 15:20:49 EST",fac=f_daemond,area=a_server,type=t_software_failure,pri=p_minor,pid=153,ruid=0,euid=0,pgid=153,logid=0,cmd=daemond,domain=dmnd,edomain=dmnd,hostname=xxxxxxx.xxxx.com,comp_class=software,comp_name=http,information="http (69507) died unexpectedly. Restarting."

106 | N/A | Search | Sidewinder: Health Monitoring | Operational | t_lcm | 6.2
Sample: <179>Jun 6 18:32:37 auditd: date="apr 10 16:07:01 2004 CDT",fac=f_system,area=a_hmon,type=t_lcm,pri=p_major,pid=7199,ruid=0,euid=0,pgid=7198,logid=0,cmd=get_monitor_data,domain=admn,edomain=admn,mbuf_data=2,cpu_data=1,real_data=50,load_data=0,virt_data=19

107 | N/A | Search | Sidewinder: Health Monitoring | Operational | t_lcm | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 3 22:52:45 EST",fac=f_system,area=a_hmon,type=t_lcm,pri=p_major,pid=1174,ruid=0,euid=0,pgid=1174,logid=0,cmd=monitord,domain=hmon,edomain=hmon,hostname=xxxxxxx.xxxx.com,mbuf_data=0,cpu_data=4,real_data=68,load_data=0,virt_data=96

108 | N/A | Search | Sidewinder: Health Monitoring | Operational | t_interface | 6.2
Sample: <179>Jun 6 18:32:37 auditd: date="apr 10 16:07:01 2004 CDT",fac=f_system,area=a_hmon,type=t_interface,pri=p_major,pid=7199,ruid=0,euid=0,pgid=7198,logid=0,cmd=get_monitor_data,domain=admn,edomain=admn,interface=exp2,ipkt=1179,opkt=891

109 | N/A | Search | Sidewinder: Health Monitoring | Operational | t_interface | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 3 20:51:45 EST",fac=f_system,area=a_hmon,type=t_interface,pri=p_major,pid=1174,ruid=0,euid=0,pgid=1174,logid=0,cmd=monitord,domain=hmon,edomain=hmon,hostname=xxxxxxx.xxxx.com,interface=fxp0,ipkt=3332,opkt=1574,ibytes=1412885,obytes=16870

110 | N/A | Search | Sidewinder: Health Monitoring | Operational | t_geninfo | 6.2
Sample: <179>Jun 6 18:32:37 auditd: date="apr 10 16:07:01 2004 CDT",fac=f_system,area=a_hmon,type=t_geninfo,pri=p_major,pid=7199,ruid=0,euid=0,pgid=7198,logid=0,cmd=get_monitor_data,domain=admn,edomain=admn,information="+ audit monitor MON_INFO MAJOR SYS HMONINFO=Health Monitor data follows: uptime_util: 4:36 load_avg: 0.12 mem_percent: 24.0% cpu_percent: 1 proxy_info: named 7 proxy_info: telnetd 1 proxy_info: syslogd 1 proxy_info: scobrap 1 udp_count: 0 tcp_count: 2 tcp_data: ESTABLISHED 2 tcp_data: TIME_WAIT 0 tcp_data: FIN_WAIT_1 0 tcp_data: FIN_WAIT_2 0 tcp_data: CLOSE_WAIT 0 ipf_data: TCP Total 0 ipf_data: UDP Total 0 ipf_total: 0"

111 | N/A | Search | Sidewinder: Health Monitoring | Operational | t_geninfo | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 3 23:01:45 EST",fac=f_system,area=a_hmon,type=t_geninfo,pri=p_major,pid=1174,ruid=0,euid=0,pgid=1174,logid=0,cmd=monitord,domain=hmon,edomain=hmon,hostname=xxxxxxx.xxxx.com,information="+ health monitor MON_INFO MAJOR SYS HMONINFO=Health monitor data follows uptime_util: 5 days 5:07 load_avg: 5.21 mem_percent: 63.17 cpu_percent: 75 tcp_count: 139 udp_count: 15 tcp_data: ESTABLISHED 32 tcp_data: TIME_WAIT 106 tcp_data: FIN_WAIT_1 0 tcp_data: FIN_WAIT_2 1 tcp_data: CLOSE_WAIT 0 ipf_data: TCP Total 0 ipf_data: UDP Total 0 ipf_total: 0"

112 | N/A | Search | Sidewinder: Log overflow | Operational | t_log_overflow | 6.2
Sample: <179>Jun 6 18:32:37 auditd: date="may 30 13:46:11 2001 CDT",fac=f_admin,area=a_general_area,type=t_log_overflow,pri=p_major,pid=11002,ruid=0,euid=0,pgid=11002,logid=0,cmd=logcheck,domain=logc,edomain=logc,info="log file: audit.raw rolled to prevent log overflow"

113 | N/A | Search | Sidewinder: Log overflow | Operational | t_log_overflow | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 15 22:09:01 CDT",fac=f_system,area=a_general_area,type=t_log_overflow,pri=p_major,pid=12266,ruid=0,euid=0,pgid=12266,logid=100,cmd=logcheck,domain=logc,edomain=logc,hostname=xxxx.x.com,information="audit partition: /var/log disk utilization exceeded 99 percent"

114 | N/A | Search | Sidewinder: UDP Drop | Operational | t_udp_drop | 6.2, 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="feb 5 01:11:37 2004 CST",fac=f_kern_udp,area=a_nill_a,type=t_udp_drop,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=,domain=,edomain=,srcip=192.168.202.11,dstip=192.168.180.87,srcport=53,dstport:=53,srcburb=2,information='leaving udp drop with threshold 80, intr usage 70'

115 | N/A | Search | Sidewinder: UPS | Operational | t_ups_powerfail | 6.2, 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="may 30 13:46:10 2001 CDT",fac=f_ups,area=a_server,type=t_ups_powerfail,pri=p_major,pid=1172,ruid=0,euid=0,pgid=1172,logid=0,cmd=upsd,domain=upsd,edomain=upsd,hostname=xxxx.x.com,info="on Battery due to power failure"

116 | N/A | Search | Sidewinder: UPS | Operational | t_ups_shutdown | 6.2, 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="may 30 13:46:11 2001 CDT",fac=f_ups,area=a_server,type=t_ups_shutdown,pri=p_major,pid=1172,ruid=0,euid=0,pgid=1172,logid=0,cmd=upsd,domain=upsd,edomain=upsd,hostname=xxxx.x.com,info="system shutdown due to low battery"

117 | N/A | Search | Sidewinder: License Exceeded | Operational | t_lic_exceeded | 6.2
Sample: <179>Jun 6 18:32:37 auditd: date="may 30 13:46:10 2001 CDT",fac=f_acld,area=a_server,type=t_lic_exceeded,pri=p_major,pid=14981,ruid=0,euid=0,pgid=14981,logid=0,domain=acld,edomain=acld,reason="\"user license exceeded!"

118 | N/A | Search | Sidewinder: License Exceeded | Operational | t_lic_exceeded | 7.x
Sample: <179>Jun 6 18:32:37 auditd: date="mar 15 21:59:33 CDT",fac=f_license,area=a_server,type=t_lic_exceeded,pri=p_major,pid=12227,ruid=0,euid=0,pgid=12227,logid=0,cmd=acld,domain=acld,edomain=acld,hostname=xxxx.x.com,event=license exceeded,reason="your Sidewinder has exceeded the licensed maximum number of outbound host IP addresses. Please reference your Sidewinder manual for information about license enforcement. For information about the licensed number of outbound host IP addresses for this system, refer to the Firewall License screen in the Sidewinder Admin Console.",information="Currently protecting 25 hosts out of a possible 25 licensed hosts."