Home » ZyXEL Manuals » Networking » ZyXEL Vantage Report 2.3 » Manual Viewer

ZyXEL Vantage Report 2.3 User Guide - Page 667

Syslog Logs

Get ZyXEL Vantage Report 2.3 PDF manuals and user guides

View all ZyXEL Vantage Report 2.3 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 667 highlights

Appendix C ZyNOS Log Descriptions Table 317 AS Directions for Single WAN Devices FROM\TO LAN WAN DMZ LAN (L to L) (L to W) (L to D) WAN (W to L) (W to W) (W to D) DMZ (D to L) (D to W) (D to D) WLAN (WL to L) (WL to W) (WL to D) WLAN (L to WL) (W to WL) (D to WL) (WL to WL) Syslog Logs There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session" is terminated. A traffic log summarizes the session's type, when it started and stopped the amount of traffic that was sent and received and so on. An external log analyzer can reconstruct and analyze the traffic flowing through the device after collecting the traffic logs. Table 318 Syslog Logs LOG MESSAGE DESCRIPTION Event Log: Mon dd hr:mm:ss hostname src="" dst="" msg="" note="" devID="" cat="" This message is sent by the system ("RAS" displays as the system name if you haven't configured one) when the router generates a syslog. The facility is defined in the web MAIN MENU, LOGS, Log Settings page. The severity is the log's syslog class. The definition of messages and notes are defined in the other log tables. The "devID" is the MAC address of the router's LAN port. The "cat" is the same as the category in the router's logs. Traffic Log: Mon dd hr:mm:ss hostname src="" dst="" msg="Traffic Log" note="Traffic Log" devID="" cat="Traffic Log" duration=seconds sent=sentBytes rcvd=receiveBytes dir="" protoID=IPProtocolID proto="serviceName" trans="IPSec/Normal" This message is sent by the device when the connection (session) is closed. The facility is defined in the Log Settings screen. The severity is the traffic log type. The message and note always display "Traffic Log". The "proto" field lists the service name. The "dir" field lists the incoming and outgoing interfaces ("LAN:LAN", "LAN:WAN", "LAN:DMZ", "LAN:DEV" for example). Vantage Report User's Guide 667

Section	Page
Vantage Report	1
About This User's Guide	3
Document Conventions	5
Contents Overview	7
Table of Contents	9
Introduction	19
Introducing Vantage Report	21
1.1 Introduction	21
1.2 License Versions	22
1.3 Hardware Requirements	22
The Vantage Report Server	23
2.1 Starting and Stopping the Vantage Report Server	23
2.2 E-Mail in the Vantage Report Server	24
2.3 Time in the Vantage Report Server	25
2.4 Common Terms	25
2.5 Common Icons	27
2.6 ZyXEL Device Configuration and Source Data	27
The Web Configurator	33
3.1 Web Configurator Requirements	33
3.2 Web Configurator Access	33
3.3 Main Menu Bar	37
3.3.1 The About Screen	37
3.4 Device Window	37
3.5 Menu Panel	41
3.6 Report and Setting Window	52
3.6.1 Device Information Screen	53
3.6.2 Monitors and Statistical Reports	54
3.6.3 View Logs	59
3.7 System Dashboard	59
Monitors, Reports and Logs	63
Monitor	65
4.1 Monitor (Folder)	65
4.1.1 Customize the Column Fields	66
4.2 Dashboard	67
4.3 Dashboard	69
4.4 CPU Usage Monitor	71
4.5 Memory Usage Monitor	72
4.6 Session Usage Monitor	73
4.7 Port Usage Monitor	74
4.8 Interface Usage Monitor	75
4.9 Web Monitor	77
4.10 FTP Monitor	78
4.11 E-Mail Monitor	79
4.12 Site to Site (IPSec) VPN Monitor	80
4.13 Client to Site (IPSec) VPN Monitor	81
4.14 Client to Site (SSL) VPN Monitor	82
4.15 Firewall Access Control Monitor	83
4.16 Attack Monitor	84
4.17 Intrusion Hits	85
4.18 Anti-Virus Monitor	86
4.19 E-Mail Virus Found Monitor	87
4.20 Spam Monitor	88
4.21 E-Mail Intrusion Hits Monitor	89
4.22 Web Security - Security Threat Monitor	90
4.23 Web Security Virus Found Monitor	91
4.24 Web Security Intrusion Hits Monitor	92
4.25 Content Filter Monitor	93
4.26 Application Patrol Monitor	94
Network Traffic	95
5.1 Bandwidth	95
5.1.1 Bandwidth Summary	95
5.1.2 Bandwidth Summary Drill-Down	99
5.1.3 Bandwidth Top Protocols	100
5.1.4 Bandwidth Top Protocols Drill-Down	104
5.1.5 Top Bandwidth Hosts	106
5.1.6 Top Bandwidth Hosts Drill-Down	110
5.1.7 Top Bandwidth Users	112
5.1.8 Top Bandwidth Users Drill-Down	115
5.1.9 Top Bandwidth Destinations	117
5.1.10 Top Bandwidth Destinations Drill-Down	121
5.2 Web Traffic	123
5.2.1 Top Web Sites	123
5.2.2 Top Web Sites Drill-Down	126
5.2.3 Top Web Hosts	128
5.2.4 Top Web Hosts Drill-Down	131
5.2.5 Top Web Users	133
5.2.6 Top Web Users Drill-Down	136
5.3 FTP Traffic	138
5.3.1 Top FTP Sites	138
5.3.2 Top FTP Sites Drill-Down	141
5.3.3 Top FTP Hosts	143
5.3.4 Top FTP Hosts Drill-Down	146
5.3.5 Top FTP Users	148
5.3.6 Top FTP Users Drill-Down	151
5.4 Mail Traffic	153
5.4.1 Top Mail Sites	153
5.4.2 Top Mail Sites Drill-Down	156
5.4.3 Top Mail Hosts	158
5.4.4 Top Mail Hosts Drill-Down	161
5.4.5 Top Mail Users	163
5.4.6 Top Mail Users Drill-Down	166
5.5 Other Traffic	168
5.5.1 Platform Selection	169
5.5.2 Service Settings	169
5.5.3 Top Destinations of Other Traffic	170
5.5.4 Top Destinations of Other Traffic Drill-Down	173
5.5.5 Top Sources of Other Traffic	174
5.5.6 Top Sources of Other Traffic Drill-Down	177
5.5.7 Top Other Traffic Users	178
5.5.8 Top Users of Other Traffic Drill-Down	181
Secure Remote Access	183
6.1 Secure Remote Access - Site-to-Site (IPSec)	183
6.1.1 Secure Remote Access Link Status	183
6.1.2 Secure Remote Access Traffic Monitor	185
6.1.3 Top VPN Peer Gateways	186
6.1.4 Top VPN Peer Gateways Drill-Down	189
6.1.5 Top Secure Remote Access Sites	191
6.1.6 Top Secure Remote Access Sites Drill-Down	194
6.1.7 Top Secure Remote Access Tunnels	196
6.1.8 Top Secure Remote Access Tunnels Drill-Down	199
6.1.9 Top Secure Remote Access Protocols	201
6.1.10 Top Secure Remote Access Protocols Drill-Down	204
6.1.11 Top Secure Remote Access Hosts	206
6.1.12 Top Secure Remote Access Hosts Drill-Down	210
6.1.13 Top Secure Remote Access Users	212
6.1.14 Top Secure Remote Access Users Drill-Down	215
6.1.15 Top Secure Remote Access Destinations	217
6.1.16 Top Secure Remote Access Destinations Drill-Down	220
6.2 Secure Remote Access - Client-to-Site (IPSec)	222
6.2.1 Secure Remote Access User Status	223
6.2.2 Secure Remote Access User Status Drill-Down	225
6.2.3 Top Secure Remote Access Protocols	227
6.2.4 Top Secure Remote Access Protocols Drill-Down	230
6.2.5 Top Secure Remote Access Destinations	232
6.2.6 Top Secure Remote Access Destinations Drill-Down	235
6.2.7 Secure Remote Access Top Users	237
6.2.8 Secure Remote Access Top Users Drill-Down	240
6.3 Secure Remote Access - Client-to-Site (SSL)	242
6.3.1 Secure Remote Access User Status	243
6.3.2 Secure Remote Access User Status Drill-Down	245
6.3.3 Top Secure Remote Access Protocols	246
6.3.4 Top Secure Remote Access Protocols Drill-Down	249
6.3.5 Top Secure Remote Access Destinations	251
6.3.6 Top Secure Remote Access Destinations Drill-Down	254
6.3.7 Top Secure Remote Access Applications	256
6.3.8 Top Secure Remote Access Applications Drill-Down	259
6.3.9 Secure Remote Access Top Users	261
6.3.10 Secure Remote Access Top Users Drill-Down	263
6.4 Xauth	265
6.4.1 Secure Remote Access Successful Login	265
6.4.2 Secure Remote Access Failed Login	267
Network Security	269
7.1 Firewall Access Control	269
7.1.1 Top Users Blocked	269
7.1.2 Top Packets Blocked	272
7.2 Attack	275
7.2.1 Attack Summary	275
7.2.2 Attack Summary Drill-Down	278
7.2.3 Top Attacks	279
7.2.4 Top Attacks Drill-Down	282
7.2.5 Top Attack Sources	283
7.2.6 Top Attack Sources Drill-Down	286
7.2.7 Attack Types	288
7.2.8 Attack Types Drill-Down	290
7.3 Intrusion Hits	291
7.3.1 Intrusion Hits Summary	291
7.3.2 Intrusion Hits Summary Drill-Down	294
7.3.3 Top Intrusion Hits Signatures	296
7.3.4 Top Intrusion Hits Signatures Drill-Down	299
7.3.5 Top Intrusion Hits Sources	301
7.3.6 Top Intrusion Hits Sources Drill-Down	304
7.3.7 Top Intrusion Hits Destinations	306
7.3.8 Top Intrusion Hits Destinations Drill-Down	309
7.3.9 Intrusion Hits Severities	311
7.3.10 Intrusion Hits Severities Drill-Down	314
7.4 Antivirus	315
7.4.1 Antivirus Summary	315
7.4.2 Virus Summary Drill-Down	318
7.4.3 Top Viruses	319
7.4.4 Top Viruses Drill-Down	322
7.4.5 Top Virus Sources	323
7.4.6 Top Virus Sources Drill-Down	326
7.4.7 Top Virus Destinations	328
7.4.8 Top Virus Destinations Drill-Down	330
E-Mail Security	333
8.1 Virus Found	333
8.1.1 Virus Found Summary	333
8.1.2 Virus Found Summary Drill-Down	336
8.1.3 Top Viruses	337
8.1.4 Top Viruses Drill-Down	340
8.1.5 Top Virus Sources	341
8.1.6 Top Virus Sources Drill-Down	344
8.1.7 Top Virus Destinations	346
8.1.8 Top Virus Destinations Drill-Down	348
8.2 Spam	349
8.2.1 Spam Summary	349
8.2.2 Spam Summary Drill-Down	352
8.2.3 Top Spam Senders	353
8.2.4 Top Spam Sources	356
8.2.5 Spam Scores	359
8.3 Intrusion Hits	361
8.3.1 Intrusion Hits Summary	361
8.3.2 Intrusion Hits Summary Drill-Down	363
8.3.3 Top Intrusion Hits Signatures	365
8.3.4 Top Intrusion Hits Signatures Drill-Down	367
8.3.5 Top Intrusion Hits Sources	368
8.3.6 Top Intrusion Hits Sources Drill-Down	371
8.3.7 Top Intrusion Hits Destinations	373
8.3.8 Top Intrusion Hits Destinations Drill-Down	376
8.3.9 Intrusion Hits Severities	378
8.3.10 Intrusion Hits Severities Drill-Down	380
Web Security	383
9.1 Security Threat	383
9.1.1 Security Threat Summary	383
9.1.2 Security Threat Summary Drill-Down	385
9.1.3 Security Threat Top Web Sites	387
9.1.4 Security Threat Top Sites Drill-Down	390
9.1.5 Security Threat Top Users	391
9.1.6 Security Threat Top Users Drill-Down	394
9.1.7 Security Threat Top Hosts	395
9.1.8 Security Threat Top Hosts Drill-Down	398
9.1.9 Security Threat Categories	399
9.1.10 Security Threat Categories Drill-Down	401
9.2 Virus Found	403
9.2.1 Virus Found Summary	403
9.2.2 Virus Found Summary Drill-Down	406
9.2.3 Top Viruses	407
9.2.4 Top Viruses Drill-Down	409
9.2.5 Top Virus Sources	410
9.2.6 Top Virus Sources Drill-Down	413
9.2.7 Top Virus Destinations	414
9.2.8 Top Virus Destinations Drill-Down	417
9.3 Intrusion Hits	418
9.3.1 Intrusion Hits Summary	418
9.3.2 Intrusion Hits Summary Drill-Down	421
9.3.3 Top Intrusion Hits Signatures	423
9.3.4 Top Intrusion Hits Signatures Drill-Down	426
9.3.5 Top Intrusion Hits Sources	428
9.3.6 Top Intrusion Hits Sources Drill-Down	431
9.3.7 Top Intrusion Hits Destinations	433
9.3.8 Top Intrusion Hits Destinations Drill-Down	436
9.3.9 Intrusion Hits Severities	438
9.3.10 Intrusion Hits Severities Drill-Down	440
Security Policy Enforcement	443
10.1 EPS	443
10.1.1 What Endpoint Security Can Check	443
10.1.2 EPS Summary	444
10.1.3 View Logs	445
10.2 Content Filter (All)	446
10.2.1 Summary	446
10.2.2 Summary Drill-Down	448
10.2.3 Top Sites	450
10.2.4 Top Sites Drill-Down	453
10.2.5 Top Users	455
10.2.6 Top Users Drill-Down	458
10.2.7 Top Hosts	459
10.2.8 Top Hosts Drill-Down	462
10.2.9 By Category	463
10.2.10 By Category Drill-Down	466
10.3 Content Filter (Blocked)	467
10.3.1 Summary	467
10.3.2 Summary Drill-Down	469
10.3.3 Top Blocked Sites	471
10.3.4 Top Blocked Sites Drill-Down	474
10.3.5 Top Blocked Users	476
10.3.6 Top Blocked Users Drill-Down	479
10.3.7 Top Blocked Hosts	480
10.3.8 Top Blocked Hosts Drill-Down	483
10.3.9 Blocked Web Categories	484
10.3.10 Blocked Web Categories Drill-Down	487
10.4 Application Access Control	488
10.4.1 Top Applications Blocked	488
10.4.2 Top Users Blocked	491
10.4.3 Top Applications Allowed	494
Event	499
11.1 Successful Logins	499
11.2 Failed Logins	501
11.3 Top Sessions Per Host	502
11.4 Top Sessions Per User	505
Schedule Report	509
12.1 Scheduled Report Summary Screen	509
12.2 Customize Daily Report Screen	510
12.3 Customize Weekly Report Screen	518
12.4 Customize Overtime Report Screen	520
12.5 Configure Template List	522
12.6 Template Add/Edit	523
12.7 Logo Template	523
12.8 Logo Template Add/Edit	524
Logs	527
13.1 Log Viewer	527
13.2 Log Receiver	531
13.2.1 By Day (Summary)	531
13.3 By Device	533
13.3.1 Log Receiver > By Device > By Category Screen	535
13.4 VRPT System Logs	536
13.5 Log Archiving	538
13.5.1 File Archiving Settings	538
13.5.2 View Archived Files	541
13.5.3 Log Transfer	543
13.6 Log Remove	544
System Setting, User Management and Troubleshooting	547
System Setting	549
14.1 General Configuration Screen	549
14.1.1 Configuring for Hostname Reverse	551
14.2 Server Configuration Screen	554
14.3 Data Maintenance Screens	555
14.3.1 Data Backup and Data Restore Screen	555
14.3.2 Device List Screen	556
14.4 Upgrade Screen	557
14.5 Registration Screens	558
14.5.1 Registration Summary Screen	559
14.5.2 Registration > Upgrade Screen	560
14.6 Notification	561
14.6.1 Add/Edit a Notification	563
14.7 Rule-Based Alert	565
14.7.1 Add/Edit a Rule-based Alert	566
User Management	577
15.1 Group Screen	577
15.1.1 Group > Add/Edit Group Screen	578
15.2 Account Screen	579
15.2.1 Account > Add/Edit User Account Screen	580
Troubleshooting	583
Appendices and Index	587
Product Specifications	589
ZyWALL USG Series and ZyWALL 1050 Log Descriptions	599
ZyNOS Log Descriptions	645
Open Software Announcements	671
Legal Information	709

Match case Limit results 1 per page

Appendix C ZyNOS Log Descriptions

Vantage Report User’s Guide

667

Syslog Logs

There are two types of syslog: event logs and traffic logs. The device generates an

event log when a system event occurs, for example, when a user logs in or the

device is under attack. The device generates a traffic log when a "session" is

terminated. A traffic log summarizes the session's type, when it started and

stopped the amount of traffic that was sent and received and so on.

An external

log analyzer can reconstruct and analyze the traffic flowing through the device

after collecting the traffic logs.

Table 317

AS Directions for Single WAN Devices

FROM\TO

LAN

WAN

DMZ

WLAN

LAN

(L to L)

(L to W)

(L to D)

(L to WL)

WAN

(W to L)

(W to W)

(W to D)

(W to WL)

DMZ

(D to L)

(D to W)

(D to D)

(D to WL)

WLAN

(WL to L)

(WL to W)

(WL to D)

(WL to WL)

Table 318

Syslog Logs

LOG MESSAGE

DESCRIPTION

Event Log: <Facility*8 +

Severity>Mon dd hr:mm:ss

hostname src="<srcIP:srcPort>"

dst="<dstIP:dstPort>"

msg="<msg>" note="<note>"

devID="<mac address>"

cat="<category>"

This message is sent by the system ("RAS" displays

as the system name if you haven’t configured one)

when the router generates a syslog. The facility is

defined in the web

MAIN MENU

LOGS

Log

Settings

page. The severity is the log’s syslog

class. The definition of messages and notes are

defined in the other log tables. The “devID” is the

MAC address of the router’s LAN port. The “cat” is

the same as the category in the router’s logs.

Traffic Log: <Facility*8 +

Severity>Mon dd hr:mm:ss

hostname src="<srcIP:srcPort>"

dst="<dstIP:dstPort>"

msg="Traffic Log"

note="Traffic Log" devID="<mac

address>" cat="Traffic Log"

duration=seconds

sent=sentBytes

rcvd=receiveBytes

dir="<from:to>"

protoID=IPProtocolID

proto="serviceName"

trans="IPSec/Normal"

This message is sent by the device when the

connection (session) is closed. The facility is defined

in the Log Settings screen. The severity is the traffic

log type. The message and note always display

"Traffic Log". The "proto" field lists the service

name. The "dir" field lists the incoming and outgoing

interfaces ("LAN:LAN", "LAN:WAN", "LAN:DMZ",

"LAN:DEV" for example).