
SonicOS 5.9 Admin Guide

Log

Monitoring Logs

Log > Log Monitor

NOTE: For increased convenience and accessibility, the Log Monitor page can be accessed either from Dashboard > Log Monitor or Log > Log Monitor. The two pages provide identical functionality. For information on using Log Monitor, see Dashboard > Log Monitor.

 

Configuring Log Settings

Log > Settings

This chapter provides configuration tasks to enable you to categorize and customize the logging functions on your SonicWall security appliance for troubleshooting and diagnostics.

The Log > Settings page displays logging data in a series of columns and allows you to configure the logging entries and to reset event counts. You can filter the entries to limit the data display to only those events of interest. You can import and save logging templates.

Table Columns

Category Column

The Category column of the Log Settings table has three levels: category, group, and event. The first level of the tree structure is category. The second level is group. The third level is event. Clicking the small black triangle expands or collapses the category or group contents.

For example, System is at the first level (category), SNMP is at the second level (group), and SNMP Packet Drop and the items below it on the same level are at the third level (event).

Color Column

The Color column shows the color with which the event, group, or category is highlighted in the Log Monitor table.

ID Column

The ID column shows the ID number of the event. The ID for a particular message is listed in the SonicOS Log Event Reference Guide.

Priority Column

CAUTION: Changing the Event Priority may have serious consequences as the Event Priority for all categories will be changed. Modifying the Event Priority will affect the Syslog output for the tag “pri=” as well as how the event will be treated when performing filtering by priority level. Setting the Event Priority to a level that is lower than the Logging Level will cause those events to be filtered out. Also, as GMS ignores received Syslogs that have a level of Debug, heartbeat messages and reporting messages must have a minimum Event Priority of Inform.

The Priority column shows the severity or priority of a category, group, or event:

Emergency
Alert
Critical
Error
Warning
Notice
Inform
Debug

For events, a menu is provided that lists the selectable priorities. For categories and groups, the priorities are listed in the dialog when you click the Configure button at the end of the row.

GUI Column

The GUI column shows check boxes that indicate whether this event is displayed in the Log Monitor. For events, you can show or hide the event by selecting or deselecting the check box in the column. For categories and groups, you must use the configure dialog.

Alert Column

The Alert column shows check boxes that indicate whether an Alert message will be sent for this event, group, or category.

Syslog Column

The Syslog column shows check boxes that indicate whether the event, group, or category will be sent to a Syslog server.

Email Column

The Email column shows check boxes that indicate whether the log will be emailed to the configured address. For events, these check boxes are configurable in the column. For categories and groups, Email is configured in the Edit Log Group or Edit Log Category dialogs that appear when you click the Configure button at the end of the row.

Event Count Column

The Event Count column shows the count of events by:

Event level — the value shows the number of times that this event has occurred.
Group level — the value shows the total events that occurred within the group.
Category level — the value shows the total events that occurred within the category.

By hovering your mouse over an event count, a pop-up dialog displays showing the count of events dropped for these reasons:

Overflow
GUI Filter
Alert Filter
Syslog Filter
E-mail Filter
Priority
Syslog Event Rate
Syslog Data Rate

Configure and Reset Event Count Icons

The Configure and Reset Event Count icons appear at the end of each row.

Configure Icon

The Configure icon launches the Edit Log Event, Edit Log Group, or Edit Log Category dialog. You can configure all of the attributes for an event, group, or category.

Reset Event Count Icon

The Reset Event Count icon resets the event counter for an event, a group, or a category, and the event counters of higher levels are recalculated. To reset all counters, use the Reset Event Count button above the Log Settings table, as described in Reset Event Count Button.

Log Severity/Priority

This section provides information on configuring the level of priority of log messages that are captured, and the corresponding alert messages that are sent through email for notification.

NOTE: Alert emails are sent when the Send Log to E-mail Address option and the Send Alerts to E-mail Address option are configured on the Log > Automation page.

Setting the Logging Level

The Logging Level allows you to filter events by priority. Events with equal or greater priority are passed. Events with a lower priority are dropped. This enables you to filter out lower level priorities to prevent them being logged in the system.

On the Log > Settings page, you can set the baseline logging level to be displayed on the Log Monitor page:

Emergency
Alert
Critical
Error
Warning
Notice
Inform
Debug
To set the logging level:
1
Go to the Log > Settings page.
2
From the Logging Level menu, select the logging level you want.

All events with a higher priority than the selected entry are also logged. For example, if you select Error as the logging level, all messages tagged as Error, as well as all messages with a higher priority such as Critical, Alert, and Emergency, are also displayed. The default value is Debug.

TIP: To display all events, select Debug as the logging level.

Setting the Alert Level

The Alert Level allows you to filter email alerts by alert level. Events with an equal or greater alert level are sent to the specified email address. Events with a lower alert level are ignored. This enables you to filter out lower-level email alerts to reduce the actual emails transmitted.

On the Log > Settings page, you can set the baseline alert level to be displayed on the Log Monitor page:

Emergency
Alert
Critical
Error
Warning
To set the alert level:
1
Go to the Log > Settings page.
2
From the Alert Level menu, select the alert level you want.

All events with a higher alert level than the selected entry also generate alerts. For example, if you select Error as the alert level, all messages tagged as Error, as well as all messages with a higher alert level, such as Critical, Alert, and Emergency, are sent. The default value is Warning.

TIP: To receive alerts for all alert events, select Warning, the lowest alert level.

Configuring Event Attributes Globally

Clicking the tool button next to the Logging Level drop-down menu launches the Edit Attributes of All Categories window. This window enables you to set the attributes for all events in all categories and groups at once.

The following global attributes can be modified:

Event Priority
Inclusion of events in Log Monitor, Email, and Syslog
Redundancy filter settings
Email settings
Font color when displayed in Log Monitor
To edit the Category Attributes Globally:
1
Go to the Log > Settings page.

Click the tool icon.

The Edit Attributes of All Categories pop-up dialog appears.

2
From the Event Priority drop-down menu, select the priority that you want.
CAUTION: Changing the Event Priority may have serious consequences as the Event Priority for all categories will be changed. Modifying the Event Priority will affect the Syslog output for the tag “pri=” as well as how the event will be treated when performing filtering by priority level. Setting the Event Priority to a level that is lower than the Logging Level will cause those events to be filtered out. Also, as GMS ignores received Syslogs that have a level of Debug, heartbeat messages and reporting messages must have a minimum Event Priority of Inform.
NOTE: The following Redundancy Filter Interval fields enable you to enter time intervals (in seconds) to avoid duplication of a log message within an interval. The range for these intervals is 0 to 86400 seconds. For Syslog messages, the default interval is set to 90 seconds. For alert messages, the default interval is set to 900 seconds.
NOTE: The different options are independent of each other, and you can enable any combination of them and set different frequencies of generation for them. For example, you may want an event message emailed to you but not shown in the Dashboard > Log Monitor page.

When GMS is enabled, however, care must be taken when modifying event attributes so events used to generate reports are not incorrectly filtered out. User-initiated modifications (implicit changes) of category- and group-level events that may affect factory-defined events, such as those required by GMS, are ignored. Modifications to specific events (explicit changes), however, may override this built-in protection of GMS-required events.

3
If you want to display the log events in the Log Monitor, select the Enable button for the Display Events in Log Monitor option.
NOTE: The Enable buttons are green when all are enabled, white when all are disabled, and semi-solid when they are mixed (some enabled, some disabled). As this configuration is for all categories, you have to explicitly set the option to “all enabled” by clicking the icon until it is solid green or to set the option to “all disabled” by clicking the icon until it is white. To configure a single event to be different from the rest of its group or category, you must go into the individual event setting configuration. If you do this, the icon will be semi-solid.

When a field shows Multiple Values, different values have been specified for one or more categories, groups, or events. To view the individual settings, see Configuring Event Attributes Selectively. To replace Multiple Values with a single value for all categories, groups, and events from the Edit Attributes of All Categories window, first verify that the corresponding option is enabled so that the field can be edited. If the option is disabled, the field is dimmed and cannot be edited.

4
In the Display Events in Log Monitor Redundancy Filter Interval field, enter the number of seconds that should elapse before allowing the same event to be logged and displayed by the Log Monitor again when that event occurs one after the other. The range is 0 to 86400.

For example, if you set this value to 60 seconds, then when the event Connection Closed first happens at 1:15 p.m., the next Connection Closed event will not be logged until 60 seconds after the first one. Any Connection Closed event occurring within the 60 second interval will be dropped.

5
If you want to send events as email alerts, select the Enable button for the Send Events as Email Alerts option.
6
In the Send Events as Email Alerts Redundancy Filter Interval field, enter the number of seconds that should elapse before allowing the same email event to be sent when that email alert occurs one after the other. The range is 0 to 86400.

For example, if you set this value to 60 seconds, then when an email alert is first sent at 1:15 p.m., the next email alert for the same event is not sent until 60 seconds after the first one. Any matching email alert occurring within the 60 second interval is dropped.

7
If you want to report events via Syslog, select the Enable button for the Report Events via Syslog option.
8
In the Report Events via Syslog Redundancy Filter Interval field, enter the number of seconds that should elapse before allowing the same Syslog messages to be sent when that event occurs one after the other. The range is 0 to 86400.

For example, if you set this value to 60 seconds, then when a Syslog message first happens at 1:15 p.m., the next Syslog message will not be sent until 60 seconds after the first one. Any Syslog message occurring within the 60 second interval will be dropped.

9
If you want to send the global event log via email, select the Enable button for the Include Events in Log Digest option.
NOTE: If this option is enabled, it is important to verify that the email address configured in the Send Log Digest to Email Address field is correct.
10
If you enabled Include Events in Log Digest, do one of the following for Send Log Digest to Email Address:
To keep the email address entered on the Log > Automation page, even when you change other values in this dialog, select the Leave Unchanged option. This option is enabled by default.
To change the email address, uncheck the Leave Unchanged option and enter a new address in the now-active field.
TIP: An email alert is one email sent for each event occurrence, as soon as that event has occurred. A Log Digest, on the other hand, is a chronological collation of events sent as a single email in digest format. Because it is a summation of events, the event information time period will be a mix of older and newer events.
11
If you want to receive alerts via email based on the global settings in this dialog, do one of the following for Send Alerts to E-mail Address:
If you want to use the same email address that is entered in the Log > Automation page even when you change other values in this dialog, select the Leave Unchanged option. This option is enabled by default.
To change the email address, uncheck the Leave Unchanged option and enter a new address in the now-active field.
12
If you want to use a specific color for the global events log, uncheck the Leave Unchanged option. The color selection matrix appears.

13
Select the color you want.
14
Click Apply.
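
The Logging Level and Alert Level described earlier and the Redundancy Filter Interval configured in the steps above are two filters applied one after the other. The following Python is an added example, not SonicOS code, that models both rules against a constructed event stream: an event passes the level filter if its priority is equal to or more severe than the configured level, and once an event has been emitted, repeats of it within the interval are dropped. The event IDs, times and messages are made up, and "the same event" is assumed to mean the same event ID (the page does not say how repeats are matched).

```python
"""
Added example (not SonicOS code): the Logging Level / Alert Level filter
and the Redundancy Filter Interval, applied to a constructed event stream.

Rules modelled from the page:
  * Level filter: an event passes if its priority is equal to or higher
    than the configured level (Emergency highest, Debug lowest).
  * Redundancy filter: after an event is emitted, repeats of that event
    within 'interval' seconds are dropped; 0 disables the filter.
Assumption: "the same event" means the same event ID. IDs, times and
messages below are made up for the example.
"""
from dataclasses import dataclass

# Priority names in the order the page lists them; index 0 is most severe.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Inform", "Debug"]
RANK = {name: i for i, name in enumerate(PRIORITIES)}


@dataclass(frozen=True)
class Event:
    event_id: int     # hypothetical ID, not from the Log Event Reference Guide
    priority: str     # one of PRIORITIES
    time: float       # seconds since an arbitrary epoch
    message: str


def passes_level(priority: str, level: str) -> bool:
    """True if priority is equal to or more severe than level."""
    return RANK[priority] <= RANK[level]


class RedundancyFilter:
    """Drop repeats of an event ID seen within 'interval' seconds of the
    last *emitted* occurrence. Dropped repeats do not restart the interval,
    matching the page's Connection Closed example."""

    def __init__(self, interval: float):
        if not 0 <= interval <= 86400:
            raise ValueError("interval must be 0..86400 seconds")
        self.interval = interval
        self._last_emitted = {}   # event_id -> time of last emitted occurrence

    def allow(self, ev: Event) -> bool:
        last = self._last_emitted.get(ev.event_id)
        if last is not None and self.interval > 0 and ev.time - last < self.interval:
            return False
        self._last_emitted[ev.event_id] = ev.time
        return True


def filter_events(events, level: str, interval: float):
    """Level filter first, then redundancy filter. Returns
    (emitted_events, dropped_by_priority, dropped_by_redundancy), the
    same two drop reasons the Event Count pop-up reports."""
    rf = RedundancyFilter(interval)
    emitted, by_priority, by_redundancy = [], 0, 0
    for ev in sorted(events, key=lambda e: e.time):
        if not passes_level(ev.priority, level):
            by_priority += 1
        elif not rf.allow(ev):
            by_redundancy += 1
        else:
            emitted.append(ev)
    return emitted, by_priority, by_redundancy


# Constructed sample: t=0 is the page's "1:15 p.m."; IDs are made up.
SAMPLE_EVENTS = [
    Event(100, "Inform", 0,  "Connection Closed"),
    Event(100, "Inform", 30, "Connection Closed"),   # within 60 s: dropped
    Event(100, "Inform", 59, "Connection Closed"),   # still within 60 s
    Event(100, "Inform", 60, "Connection Closed"),   # interval elapsed: kept
    Event(200, "Debug",  61, "Packet trace"),        # below Inform: dropped
    Event(300, "Error",  62, "Syslog server unreachable"),
    Event(300, "Error",  70, "Syslog server unreachable"),  # repeat: dropped
]

if __name__ == "__main__":
    kept, p, r = filter_events(SAMPLE_EVENTS, level="Inform", interval=60)
    for ev in kept:
        print(f"{ev.time:>4}s  {ev.priority:<8} id={ev.event_id} {ev.message}")
    print(f"dropped by priority: {p}, dropped by redundancy filter: {r}")
```

Running it with the Logging Level at Inform and a 60 second interval keeps the events at 0 s, 60 s and 62 s; raising the level to Error drops every Inform event before the redundancy filter ever sees it, which is why the CAUTION above warns that lowering an Event Priority below the Logging Level silently removes that event from the log.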

Configuring Event Attributes Selectively

On the Log > Settings page, the columns show the main event attributes that can be configured on different levels: category, group, or each event.

NOTE: The following Edit Log pop-up windows may look slightly similar, but the effect of each varies in scope. The Edit Log Category window modifies settings for all groups that belong to the same category and, consequently, all events in that category. The Edit Log Group window modifies settings for all events that belong to that group. The Edit Log Event window modifies settings for one specific event.
NOTE: The Enable buttons are green when all are enabled, white when all are disabled, and semi-solid when they are mixed (some enabled, some disabled). As this configuration is for all categories, you have to explicitly set the option to “all enabled” by clicking the icon until it is solid green or to set the option to “all disabled” by clicking the icon until it is white. To configure a single event to be different from the rest of its group or category, you must go into the individual event setting configuration. If you do this, the icon will be semi-solid. You can enable or disable a column.

In the rows for categories and groups, the enable indicators are grey icons (showing enabled, disabled, or mixed) and cannot be changed except through the Edit Log Group or Edit Log Category dialogs. The rows for events contain check boxes for enabling or disabling the event instead of indicators.

Edit Log Category

You set the Event Attributes by category level by selecting a specific category and clicking the Configure button to launch the Edit Log Category pop-up window. Any changes done here apply to all groups and all events within the selected category. For information about the options, see Configuring Event Attributes Globally.

Edit Log Group

Setting the Event Attributes at group level allows the modification of settings on a smaller scale within a selected category. This can be accomplished by selecting a specific group within the category and clicking the Configure button to launch the Edit Log Group window. Any changes done here apply to all events that belong to the selected group only. For information about the options, see Configuring Event Attributes Globally.

Edit Log Event

The most granular level, the event level, allows the Event Attributes columns to be directly modified by expanding the selected category into groups, then expanding the selected group into individual events within that group. Detailed settings for an individual event can also be configured by clicking the Configure button to launch the Edit Log Event dialog. For information about the options, see Configuring Event Attributes Globally.

Top Row Buttons

In the Log > Settings table, the top row has these buttons:

Save Logging Template Button

The Save Logging Template button displays the Save to Custom Template pop-up window so you can export the current configured Log Settings to the Custom template. The window also lets you enter a description for the Custom template.

Only the Custom template can be modified and saved, and there is only one custom template. Each time the custom template is saved, the old custom template is overwritten.

Import Logging Template Button

The Import Logging Template button displays the Import from Log Category Template pop-up window, which allows you to select and import one of these templates:

NOTE: The Default, Minimal, and Analyzer/Viewpoint/GMS templates are defined at the factory.
Default Template

The Default template restores all log event settings to the SonicWall default values for each of these log fields:

Event Priority Level
GUI
Alert
Syslog
Email Filter
Filter Interval
E-mail Address
Alert E-mail Address
Display Color
Minimal Template

The Minimal template keeps the generated logs at a minimum level, while still providing sufficient information about the most important events on the firewall. The minimal template modifies the capture filters to allow only high-priority events to be logged. Most non-critical events are filtered out. The capture filters are modified for these fields: GUI, Alert, Syslog, and Email.

NOTE: Only the capture filters are modified; the redundancy filter intervals are left as is.
Analyzer/Viewpoint/GMS Template

The Analyzer/Viewpoint/GMS template is factory configured to ensure that the firewall works well with Reporting Software server settings (Analyzer, Viewpoint, and/or GMS server). All related events are configured to meet the server requirements.

All configurations are limited to the Report Events via Syslog option and its associated Redundancy Filter Interval. Events critical to the reporting function of Analyzer, Viewpoint, and GMS will have these fields set to the recommended factory-default values:

Report Events via Syslog
Redundancy Filter Interval for Syslog

Reset Event Count Button

The Reset Event Count button sets all the event counters to zero (0). To reset the event counter for a single event, group, or category, use the Reset Event Count icon in that row, as described in Reset Event Count Icon.

Cancel Button

The Cancel button cancels whatever changes you made and leaves the settings unchanged.

Apply Button

The Apply button applies the currently imported log settings to the Log Monitor.

Viewing the Log

After you have configured logging for your appliance, you can display the Dashboard > Log Monitor quickly by clicking the View Log icon in the top row.

Filtering Logs

You can apply, create, and delete custom filters to customize the information you wish to log and view on the Dashboard > Log Monitor page. You can create simple or complex filters, depending on the criteria you specify. By doing so, you can focus on points of interest without distraction from other applications, users, or other traffic data.

You can create filters in these ways:

Clicking the View Log icon on the Log > Settings page to display the Dashboard > Log Monitor page and following the procedures described in Filtering the Log Monitor Table.
Using the Filter View button on the Log > Settings page to create a filter at the category, group, or event level.

Using the Filter View Button

Adding a Filter
NOTE: The filter is valid only while the Log > Settings page is displayed. Displaying another page or logging out deletes the filter.
To add a filter to the settings:
1
Click the Plus button next to the Filter View button. The Category Filter Statement dialog displays.

2
Enter the filter. For example, priority=warning;id=1221,1222,1149. You can enter multiple keys separated by a semicolon (;) and for each key, multiple values separated by a comma. A key can be a name (from the Category column), priority (from the Priority column), or ID (from the ID column). Keys are case insensitive.
NOTE: Only one filter is valid at a time. If you add another filter, it replaces the existing one.
3
Click Apply. The Log Settings table is modified to reflect the filter and a new button, [Category Filter], appears next to the Filter View button.
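
The filter statement syntax in step 2 is simple enough to implement, and doing so makes its rules explicit. The following Python is an added example, not SonicOS code: it parses a statement such as priority=warning;id=1221,1222,1149 (keys separated by a semicolon, values for one key by a comma, keys case-insensitive, as the page states) and applies it to a constructed table of event rows. The page does not say how keys and values combine, so this example assumes that different keys are AND-ed, that a key's values are OR-ed, that values are matched case-insensitively, and that name is matched against the row's own name; the sample rows and IDs (other than SNMP Packet Drop) are made up.

```python
"""
Added example (not SonicOS code): parser for a Category Filter Statement
such as  priority=warning;id=1221,1222,1149  and its application to rows.

From the page: keys separated by ';', values for one key separated by ',',
keys are name, priority or id, and keys are case-insensitive.
Assumptions: values compare case-insensitively, keys are AND-ed, a key's
values are OR-ed. Sample rows are constructed, not SonicOS event IDs.
"""

VALID_KEYS = {"name", "priority", "id"}


def parse_filter(statement: str) -> dict:
    """Turn 'k=v1,v2;k2=v3' into {'k': {'v1', 'v2'}, 'k2': {'v3'}},
    rejecting unknown keys, clauses without '=' and keys with no values."""
    parsed = {}
    for clause in statement.split(";"):
        clause = clause.strip()
        if not clause:
            continue
        key, sep, values = clause.partition("=")
        if not sep:
            raise ValueError(f"clause has no '=': {clause!r}")
        key = key.strip().lower()
        if key not in VALID_KEYS:
            raise ValueError(f"unknown key {key!r}; expected one of {sorted(VALID_KEYS)}")
        vals = {v.strip().lower() for v in values.split(",") if v.strip()}
        if not vals:
            raise ValueError(f"key {key!r} has no values")
        parsed.setdefault(key, set()).update(vals)
    if not parsed:
        raise ValueError("empty filter statement")
    return parsed


def matches(row: dict, flt: dict) -> bool:
    """Every key must match (AND); within a key any listed value may match (OR)."""
    return all(str(row[key]).lower() in wanted for key, wanted in flt.items())


def apply_filter(rows, statement: str):
    """Return the rows that the statement keeps, in their original order."""
    flt = parse_filter(statement)
    return [row for row in rows if matches(row, flt)]


# Constructed sample of event rows carrying the three filterable columns.
SAMPLE_ROWS = [
    {"name": "SNMP Packet Drop",  "priority": "Warning", "id": 1221},
    {"name": "SNMP Auth Failure", "priority": "Warning", "id": 1222},
    {"name": "SNMP Trap Sent",    "priority": "Inform",  "id": 1149},
    {"name": "Connection Closed", "priority": "Warning", "id": 1300},
]

if __name__ == "__main__":
    for row in apply_filter(SAMPLE_ROWS, "Priority=Warning;ID=1221,1222,1149"):
        print(row)
```

With the page's own statement, rows 1221 and 1222 are kept; 1149 is listed under id but fails the priority clause, which is the visible consequence of AND-ing the keys.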

Viewing a Filter

To view the current filter, click the triangle or [Category Filter] on the [Category Filter] button. A small, pop-up dialog displays the filter under the button.

NOTE: To close the pop-up window, click the triangle or [Category Filter] on the [Category Filter] button. Do not click the X in the upper right corner of the pop-up dialog as doing so deletes the filter.
Deleting the Filter

To delete a filter, click on the X in the box in the Filter View button, the [Category Filter] button, or the pop-up dialog. Displaying another page or logging out also deletes the filter.

Configuring Syslog Settings

Log > Syslog

In addition to displaying event messages in the GUI, the SonicWall security appliance can send the same messages to an external, user-configured Syslog server for viewing. The Syslog message format can be selected in Syslog Settings and the destination Syslog Servers can be specified in the table of Syslog Servers.

The SonicWall Syslog captures all log activity and includes every connection source and destination name and/or IP address, IP service, and number of bytes transferred. Syslog support requires an external server running a Syslog daemon; the UDP port is configurable. Because Syslog over UDP is neither encrypted nor authenticated, the Syslog server should be reachable only over a trusted management network.

TIP: See RFC 3164, The BSD Syslog Protocol, for more information.
NOTE: Syslog output may be affected by changes to Event Priority for event, group, or global categories made on the Log > Settings page. For more information, see Configuring Event Attributes Globally.

To display the Dashboard > Log Monitor page, click on the Show Log Monitor icon in the upper right corner of the page.

Syslog Settings

The Log > Syslog page enables you to configure the various settings you want when you send the log to a Syslog server. You can choose the Syslog Facility and the Syslog Format that you want.

NOTE: If you are using SonicWall’s Global Management System (GMS) to manage your firewall, the Syslog Format is fixed to Default and the Syslog ID is fixed to firewall. Thus, these fields are greyed out and can't be modified. All other fields, however, can still be customized as needed.

Configuring Syslog Settings

To configure the Syslog settings on your firewall:
1
Go to the Log > Syslog page.
2
The Syslog Facility may be left as the factory default. Optionally, however, in the Syslog Settings section, from the Syslog Facility menu, select the Syslog Facility appropriate to your network:
Kernel
User-Level Messages
Mail System
System Daemons
Security/Authorization Messages
Messages Generated Internally by syslogd
Line Printer Subsystem
Network News Subsystem
UUCP Subsystem
Clock Daemon (BSD/Linux)
AUTHPRIV Security/Authorization Messages
FTP Daemon
NTP Subsystem
Log Audit
Log Alert
Clock Daemon (Solaris)
Local Use 0
Local Use 1
Local Use 2
Local Use 3
Local Use 4
Local Use 5
Local Use 6
Local Use 7
3
(Optional) To override appliance Syslog settings with Reporting Software settings if you are using Reporting Software, select the Override Syslog Settings with Reporting Software Settings option.
4
From the Syslog Format menu list, select the Syslog format that you want:
Default – Use the default SonicWall Syslog format.
NOTE: The Default Syslog Format is required for GMS or Reporting software.
WebTrends – Use the WebTrends Syslog format. You must have WebTrends software installed on your system.
Enhanced Syslog – Use the Enhanced SonicWall Syslog format.
ArcSight – Use the ArcSight Syslog format. The Syslog server must be configured with the ArcSight Logger application to decode the ArcSight messages. ArcSight Logger runs on a Linux 64-bit platform with CentOS 5.4.

If you select Enhanced Syslog or Arcsight, the configure icon becomes active. Clicking on the configure icon launches a configuration dialog where you can select the specific settings that you want to log.

5
If you selected:
Default or WebTrends, go to Step 13.
Enhanced Syslog, go to Step 6.
ArcSight, go to Step 10.
6
(Optional) If you selected Enhanced Syslog, click the configure icon. The Enhanced Syslog configuration dialog appears.

7
(Optional) Select the Enhanced Syslog options that you want to log. To select all options, click Select All. To deselect all options, click Clear All.
8
Click Save.
9
Go to Step 13.
10
(Optional) If you selected ArcSight, click the configure icon. The ArcSight configuration dialog appears.

11
(Optional) Select the ArcSight options that you want to log. To select all options, click Select All. To deselect all options, click Clear All.
12
Click Save.
13
In the Syslog ID field, enter the Syslog ID that you want.

A Syslog ID field is included in all generated Syslog messages, prefixed by "id=". Thus, for the default value, firewall, all Syslog messages include "id=firewall". The ID can be set to a string consisting of 0 to 32 alphanumeric and underscore characters.

NOTE: The Syslog ID field is fixed to firewall when the Override Syslog Settings with Reporting Software Settings option is enabled, and therefore cannot be modified.
14
(Optional) Select Enable Event Rate Limiting if you want it. This control allows you to enable rate limiting of events to prevent the internal or external logging mechanism from being overwhelmed by log events. Specify the maximum number of events in the Maximum Events Per Second field; the minimum number is 0, the maximum is 1000, and the default is 1000 per second.
NOTE: Event rate and data rate limiting are applied regardless of the Log Priority of individual events.
15
(Optional) Select Enable Data Rate Limiting if you want it. This control allows you to enable rate limiting of data to prevent the internal or external logging mechanism from being overwhelmed by log events. Specify the maximum number of bytes in the Maximum Bytes Per Second field; the minimum is 0, the maximum is 1000000000, and the default is 10000000 bytes per second.
16
(Optional) Select the Enable NDPP Enforcement for Syslog Server if you want it.
17
When you’ve finished setting the Syslog options, click Accept at the top of the page.
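
The settings in steps 13 to 15 are all visible from the collector's side: every message carries the id= tag, the pri= tag is what the Log > Settings priority changes affect, and the two rate limits decide which messages never arrive. The following Python is an added example, not SonicOS code, that validates a Syslog ID against the rule in step 13 (0 to 32 alphanumeric and underscore characters), parses the key=value body the id= and pri= tags live in, and applies the event and byte budgets, which the page says are enforced regardless of event priority. Assumptions the page does not state: the Default format is a sequence of space-separated key=value pairs with optionally double-quoted values (the sample lines are constructed, not captured from an appliance), pri= carries the syslog severity number 0 to 7, each limiter counts per wall-clock second, and a limit of 0 is treated here as "no limit".

```python
"""
Added example (not SonicOS code): Syslog ID validation, key=value parsing
of the message body (where the id= and pri= tags appear) and the two
per-second rate limits from the Log > Syslog page.

Assumptions: space-separated key=value body with optional double-quoted
values (sample lines below are constructed); pri= is the syslog severity
0..7; limiters count per wall-clock second; a limit of 0 means no limit.
"""
import re

SYSLOG_ID_RE = re.compile(r"[A-Za-z0-9_]{0,32}")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def valid_syslog_id(value: str) -> bool:
    """0 to 32 alphanumeric or underscore characters, nothing else."""
    return SYSLOG_ID_RE.fullmatch(value) is not None


def parse_kv(body: str) -> dict:
    """Parse 'k=v k2="quoted value"' into a dict, stripping the quotes."""
    fields = {}
    for key, val in KV_RE.findall(body):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


class SyslogRateLimiter:
    """Per-second event and byte budgets, checked in that order, so a
    message dropped by the event limit never counts against the byte limit."""

    def __init__(self, max_events_per_sec=1000, max_bytes_per_sec=10_000_000):
        self.max_events = max_events_per_sec
        self.max_bytes = max_bytes_per_sec
        self._second = None
        self._events = self._bytes = 0

    def admit(self, now: float, size: int) -> str:
        sec = int(now)
        if sec != self._second:                 # new second: reset both budgets
            self._second, self._events, self._bytes = sec, 0, 0
        if self.max_events and self._events + 1 > self.max_events:
            return "dropped:syslog-event-rate"
        if self.max_bytes and self._bytes + size > self.max_bytes:
            return "dropped:syslog-data-rate"
        self._events += 1
        self._bytes += size
        return "sent"


def process(timed_lines, limiter: SyslogRateLimiter):
    """For each (arrival time, line): parse, reject a malformed id= or pri=,
    then rate-limit. Returns a list of (outcome, parsed fields)."""
    results = []
    for ts, line in timed_lines:
        fields = parse_kv(line)
        if not valid_syslog_id(fields.get("id", "")):
            results.append(("rejected:bad-id", fields))
            continue
        pri = fields.get("pri", "")
        if not (pri.isdigit() and 0 <= int(pri) <= 7):
            results.append(("rejected:bad-pri", fields))
            continue
        results.append((limiter.admit(ts, len(line.encode())), fields))
    return results


# Constructed sample: (arrival time in seconds, message body). Addresses
# are documentation ranges; the field set is assumed, not captured.
SAMPLE_LINES = [
    (100.0, 'id=firewall time="2013-04-10 13:15:00" fw=203.0.113.1 pri=6 '
            'msg="Connection Closed" src=10.0.0.5:51234:X0 dst=198.51.100.7:443:X1'),
    (100.2, 'id=firewall time="2013-04-10 13:15:00" fw=203.0.113.1 pri=6 '
            'msg="Connection Opened" src=10.0.0.5:51235:X0 dst=198.51.100.7:443:X1'),
    (100.4, 'id=firewall time="2013-04-10 13:15:00" fw=203.0.113.1 pri=4 '
            'msg="SNMP Packet Drop" src=10.0.0.9:161:X0'),
    (101.0, 'id=firewall time="2013-04-10 13:15:01" fw=203.0.113.1 pri=6 '
            'msg="Connection Closed" src=10.0.0.5:51235:X0 dst=198.51.100.7:443:X1'),
    (101.5, 'id=fire-wall time="2013-04-10 13:15:01" fw=203.0.113.1 pri=6 '
            'msg="Connection Closed"'),   # hyphen is not allowed in a Syslog ID
]

if __name__ == "__main__":
    for outcome, f in process(SAMPLE_LINES, SyslogRateLimiter(max_events_per_sec=2)):
        print(f"{outcome:<28} pri={f.get('pri')} msg={f.get('msg')!r}")
```

Note that with Maximum Events Per Second set to 2 the third message, a pri=4 (Warning) SNMP Packet Drop, is the one discarded: the limiter does not look at priority, so a burst of Inform-level connection messages can crowd out a more severe event in the same second.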

Adding a Syslog Server

To add syslog servers to the SonicWall security appliance:
1
In the Syslog Servers section, click Add. The Add Syslog Server dialog displays.

2
Select the Syslog server name or IP address from the Name or IP Address drop-down menu. Messages from the SonicWall security appliance are then sent to the servers.
3
If your Syslog server does not use default port 514, type the port number in the Port Number field.
4
Click OK.
5
Click Accept to save all Syslog Server settings.

Configuring Log Automation

Log > Automation

The Log > Automation page includes settings for configuring the SonicWall to send log files using email and configuring mail server settings.

The Log > Automation page has three sections:

E-mail Log Automation

The E-mail Log Automation settings allow you to have email logs and/or alerts sent to your email address.

Send Log to E-mail address - Enter your email address (username@mydomain.com) in this field to receive the event log via email. Once sent, the log is cleared from the SonicWall memory. If this field is left blank, the log is not emailed.
Send Alerts to E-mail address - Enter your email address (username@mydomain.com) in the Send alerts to field to be immediately emailed when attacks or system errors occur. Type a standard email address or an email paging service. If this field is left blank, email alert messages are not sent.
Send Log - Determines the frequency of sending log files. The options are When Full, Weekly, or Daily. If the Weekly or Daily option is selected, then select the day of the week the log is sent in the every drop-down menu and the time of day in 24-hour format in the at field.
E-mail Format - Specifies whether log emails will be sent in Plain Text or HTML format.
Include All Log Information - Specifies whether all log information is to be included in the email.

Mail Server Settings

The mail server settings allow you to specify the name or IP address of your mail server, the From email address, and authentication method.

Mail Server (name or IP address) - Enter the IP address or FQDN of the email server used to send your log emails in this field.
NOTE: If the Mail Server (name or IP address) field is left blank, log and alert messages are not emailed.
Advanced - Click to enable SMTP authentication. The Log Mail Advance Setting dialog displays.

Configure the following options:

Smtp port - Enter the port on which the mail server accepts SMTP connections. The default is 25.
Connection Security Method - Choose one of:
None - No encryption. Credentials and log contents cross the network in cleartext, so use this only on a trusted network.
SSL/TLS - Use SSL or TLS from the start of the connection (implicit TLS, conventionally on port 465). This requires a different port from plain SMTP.
STARTTLS - Open a plain connection on the normal SMTP port (25 or 587) and then upgrade it to an encrypted (TLS or SSL) connection without using a different port.
Enable SMTP Authentication - Select to enable SMTP authentication for the mail server.
Username - Enter the username for the mail server.
Password - Enter the password for the mail server.
From E-mail Address - Enter the email address you want to display in the From field of the message.
Authentication Method - You can use the default None item or select POP Before SMTP.

Solera Capture Stack

Solera Networks makes a series of appliances of varying capacities and speeds designed to capture, archive, and regenerate network traffic. The Solera Networks Network Packet Capture System (NPCS) provides utilities that allow the captured data to be accessed in time-sequenced playback, that is, analysis of captured data can be performed on a live network via NPCS while the device is actively capturing and archiving data.

Configuring Your Appliance with Solera

To configure your SonicWall appliance with Solera:
1
In the Solera Capture Stack section of the Log > Automation page, select the Enable Solera Capture Stack Integration option.

2
Configure the following options:
Server - Select the host for the Solera server. You can dynamically create the host by selecting Create New Host...
Protocol - Select either HTTP or HTTPS.
Port - Specify the port number for connecting to the Solera server.
DeepSee Base URL - Defines the format for the base URL for the DeepSee path. In the actual URL, the special tokens are replaced with the actual values.

The following tokens can be used in the DeepSee Base URL and PCAP Base URL fields:

$host - server name or IP address that has the data
$port - HTTP/HTTPS port number where the server is listening
$usr - user name for authentication
$pwd - password for authentication
$start - start date and time
$stop - stop date and time
$ipproto - IP protocol
$srcip - source IP address
$dstip - destination IP address
$srcport - source port
$dstport - destination port
PCAP Base URL - Defines the format for the base URL for the PCAP path. In the actual URL, the special tokens are replaced with the actual values.
Base64-encoded Link Icon - Specifies a base 64-encoded GIF image to be used as a link icon.
* 
NOTE: Ensure that this icon is valid and make the size as small as possible.
Address to link from Email Alerts - Select Default LAN.
3. Click Accept.

Deep Packet Forensics

SonicWall network security appliances have configurable deep-packet classification capabilities that intersect with forensic and content-management products. While the SonicWall can reliably detect and prevent ‘interesting-content’ events, it can only provide a record of the occurrence, not the actual data of the event.

Of equal importance are diagnostic applications where the interesting-content is traffic that is being unpredictably handled or inexplicably dropped.

Although the SonicWall can capture interesting content using its Enhanced packet capture diagnostic tool, data-recorders are application-specific appliances designed to record all the packets on a network. They are highly optimized for this task, and can record network traffic without dropping a single packet.

While data-recorders are good at recording data, they lack the sort of deep-packet inspection intelligence afforded by IPS/GAV/ASPY/AF. Consider the minimal requirements of effective data analysis:

Reliable storage of data (done by a data recorder such as Solera)
Effective indexing of data (done by a data recorder such as Solera)
Classification of interesting content (done by SonicWall DPI)

Together, a SonicWall network security appliance and data-recorder (a Solera Networks appliance) satisfy the requirements to offer outstanding forensic and data-leakage capabilities.

Distributed Event Detection and Replay

The Solera appliance can search its data-repository, while also allowing the administrator to define “interesting-content” events on the SonicWall. The level of logging detail and frequency of the logging can be configured by the administrator. Nearly all events include Source IP, Source Port, Destination IP, Destination Port, and Time. SonicOS Enhanced has an extensive set of log events, including:

Debug/Informational Events—Connection setup/tear down
User-events—Administrative access, single sign-on activity, user logins, content filtering details
Firewall Rule/Policy Events—Access to and from particular IP:Port combinations, also identifiable by time
Interesting-content at the Network or Application Layer—Port-scans, SYN floods, DPI or AF signature/policy hits

The following is an example of the process of distributed event detection and replay:

1. The administrator defines the event trigger. For example, an Application Firewall policy is defined to detect and log the transmission of an official document:

2. A user (at IP address 192.168.19.1) on the network retrieves the file.
3. The event is logged by the SonicWall.
4. The administrator selects the Recorder icon from the left column of the log entry. The icon/link only appears in the logs when an NPCS is defined on the SonicWall (for example, IP: [192.168.169.100], Port: [443]). The defined NPCS appliance is the link’s target, and the link includes the query string parameters that define the desired connection.
5. The NPCS will (optionally) authenticate the user session.
6. The requested data will be presented to the client as a .cap file, and can be saved or viewed on the local machine.
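As an added example (not SonicOS or Solera code), the following Python builds the forensic link described in this walk-through from a log event, using the $tokens documented for the DeepSee and PCAP Base URL fields above: it expands each token, percent-encodes the values, and reports any token the expansion does not recognise, which would otherwise appear literally in the link. The query parameter names in the template, the ISO 8601 timestamp format and the destination address of the sample event are assumptions; the NPCS and user addresses come from the walk-through.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlsplit, parse_qs

# Tokens exactly as listed for the DeepSee/PCAP Base URL fields above;
# longer names come first so "$srcport" is never read as "$port".
TOKEN_RE = re.compile(r"\$(ipproto|srcport|dstport|start|stop|scrip|dstip|host|port|usr|pwd)")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # assumption: the NPCS accepts ISO 8601 UTC

def build_forensic_link(template, event, window=timedelta(seconds=30)):
    """Expand every documented $token in template for one log event.

    event holds the NPCS host/port, the connection 5-tuple and a UTC time;
    $start/$stop bracket that time by window. $usr/$pwd are filled only when
    given: credentials in a link land in browser history and proxy logs, so
    letting the NPCS authenticate the session is the safer choice.
    """
    values = {
        "host": event["host"], "port": str(event["port"]),
        "usr": event.get("usr", ""), "pwd": event.get("pwd", ""),
        "start": (event["time"] - window).strftime(TIME_FMT),
        "stop": (event["time"] + window).strftime(TIME_FMT),
        "ipproto": str(event["ipproto"]),
        "scrip": event["scrip"], "dstip": event["dstip"],
        "srcport": str(event["srcport"]), "dstport": str(event["dstport"]),
    }
    # Percent-encode each value so it cannot add or alter query parameters.
    return TOKEN_RE.sub(lambda m: quote(values[m.group(1)], safe=""), template)

def unresolved_tokens(url):
    """$names left after expansion are tokens the substitution does not know
    (for example a mistyped one); they would appear literally in the link."""
    return re.findall(r"\$[A-Za-z]+", url)

def parse_link(url):
    """Split an expanded link into (authority, {param: value}) for checking."""
    parts = urlsplit(url)
    return parts.netloc, {k: v[0] for k, v in parse_qs(parts.query).items()}

# Hypothetical DeepSee Base URL; the real query syntax is NPCS-specific.
TEMPLATE = ("https://$host:$port/deepsee/pcap?start=$start&stop=$stop"
            "&proto=$ipproto&src=$scrip:$srcport&dst=$dstip:$dstport")

# Constructed event: NPCS and user addresses from the walk-through, rest made up.
SAMPLE_EVENT = {
    "host": "192.168.169.100", "port": 443,
    "time": datetime(2013, 5, 1, 10, 15, 0, tzinfo=timezone.utc),
    "ipproto": 6, "scrip": "192.168.19.1", "srcport": 51234,
    "dstip": "203.0.113.10", "dstport": 80,
}
```

Running unresolved_tokens over a link generated from your own Base URL is a quick way to catch a mistyped token before the link reaches the log view.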

Methods of Access

The client and NPCS must be able to reach one another. Usually, this means the client and the NPCS will be in the same physical location, both connected to the SonicWall appliance. In any case, the client will be able to directly reach the NPCS, or will be able to reach the NPCS through the SonicWall. Administrators in a remote location will require some method of VPN connectivity to the internal network. Access from a centralized GMS console will have similar requirements.

Configuring Name Resolution

Log > Name Resolution

The Log > Name Resolution page includes settings for configuring the name servers used to resolve IP addresses and server names in the log reports.

The security appliance uses a DNS server or NetBIOS to resolve all IP addresses in log reports into server names. It stores the name/address pairs in a cache to assist with future lookups. You can clear the cache by clicking Reset Name Cache at the top of the Log > Name Resolution page.

Selecting Name Resolution Settings

The security appliance can use DNS, NetBIOS, or both to resolve IP addresses and server names.

In the Name Resolution Method list, select:

None: The security appliance will not attempt to resolve IP addresses and Names in the log reports.
DNS: The security appliance will use the DNS server(s) you specify to resolve addresses and names. If you select DNS, the following section, DNS Settings, displays:

Specify DNS Servers Manually – Select this option if you want to specify the servers to be used for DNS. You can specify up to three DNS servers.
Inherit DNS Settings Dynamically from WAN Zone (Default) – Select this option to use the WAN Zone DNS servers automatically. The form fields for up to three servers are populated automatically.
NetBIOS: The security appliance will use NetBIOS to resolve addresses and names. If you select NetBIOS, no further configuration is necessary.
DNS then NetBIOS: The security appliance will first use the DNS server you specify to resolve addresses and names. If it cannot resolve the name, it will try again with NetBIOS. The DNS Settings section is displayed with the same options as for DNS.

Generating Log Reports

Log > Reports

The SonicWall security appliance can perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth. You can generate these reports from the Log > Reports page.

* 
NOTE: SonicWall ViewPoint provides a comprehensive Web-based reporting solution for SonicWall security appliances. For more information on SonicWall ViewPoint, go to http://www.SonicWall.com.

The Log > Reports page contains these sections:

Data Collection

Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label changes to Stop Data Collection.

The Data Collection section also contains Notes about how bandwidth usage is calculated as well as a link to information about comprehensive reporting.

View Data

Select the desired report from the Report View menu. The options are Web Site Hits, Bandwidth Usage by IP Address, and Bandwidth Usage by Service. These reports are explained below.

Click Refresh Data to update the report statistics.

Click Reset Data to clear the report statistics and begin a new sample period.

The sample period is also reset when data collection is stopped or started, and when the SonicWall security appliance is restarted.

The length of time analyzed by the report is displayed in the Elapsed Collection Time: Days, Hours, Minutes, and Seconds.

Web Site Hits

Selecting Web Site Hits from the Report View menu displays a table showing the URLs for the 25 most frequently accessed Web sites and the number of hits to a site during the current sample period.

The Web Site Hits report ensures that the majority of Web access is to appropriate Web sites. If leisure, sports, or other inappropriate sites appear in the Web Site Hits Report, you can choose to block the sites.

Click on the name of a Web site to open that site in a new window.

Bandwidth Usage by IP Address

Selecting Bandwidth Usage by IP Address from the Report View menu displays a table showing the IP address of the 25 top users of Internet bandwidth and the number of megabytes transmitted during the current sample period.

Bandwidth Usage by Service

Selecting Bandwidth Usage by Service from the Report View menu displays a table showing the name of the 25 top Internet services, such as HTTP, FTP, RealAudio, etc., and the number of megabytes received from the service during the current sample period.

The Bandwidth Usage by Service report shows whether the services being used are appropriate for your organization. If services such as video or push broadcasts are consuming a large portion of the available bandwidth, you can choose to block these services.

Configuring the Log Analyzer

Log > Analyzer

The Log > Log Analyzer page provides information about your Analyzer, a link to the Analyzer User’s Guide, and enables you to add the IP address and port number of your Analyzer server.

Syslog Servers

Adding an Analyzer Server Connection

To add an Analyzer server connection to your firewall:
1. Go to the Log > Analyzer page.
2. Click the Enable Analyzer Settings check box.
3. Click the Add button. The Add Syslog Server dialog appears.

4. From the Name or IP Address menu, select the item that you want, or select Create New Address Object.

5. In the Port box, enter the port number for the analyzer. The default port is 514.
6. (Optional) To connect to your analyzer through a VPN tunnel, under Bind to VPN Tunnel and Create Network Monitor Policy in NDPP Mode:
   a. In the Outbound Interface menu, choose a tunnel interface.
   b. In the Local Interface drop-down menu, choose an interface.
7. Click OK.
8. Click Accept.
* 
NOTE: For information about configuring and managing your Analyzer, refer to your Analyzer User's Guide.

Editing an Analyzer Server Connection

1. In the Syslog Servers table, click the Configure icon for the Analyzer server to be edited. The Edit Syslog Server dialog displays.

2. Make the desired changes.
3. Click OK.
4. Click Accept.

Deleting an Analyzer Server

To delete an individual Analyzer server:
1. Click the Delete icon in the Configure column for that server. A warning message displays, requesting confirmation of the action.
2. Click OK.
To delete all Analyzer servers:
1. Click the Delete All button. A warning message displays, requesting confirmation of the action.
2. Click OK.