ZyXEL Communications P-2302R Series User Manual

P-2302R Series User’s Guide
Chapter 18 Logs
194
18.1.2  Syslog Logs
There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session" is terminated. A traffic log summarizes the session's type, when it started and stopped, the amount of traffic that was sent and received, and so on. An external log analyzer can reconstruct and analyze the traffic flowing through the device after collecting the traffic logs.
Table 74 lists the RFC-2408 ISAKMP payload types that the log displays. Refer to the RFC for detailed information on each type.
Table 73   Syslog Logs

LOG MESSAGE (Event Log):
  <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="<msg>" note="<note>" devID="<mac address>" cat="<category>"

DESCRIPTION:
  This message is sent by the system ("RAS" displays as the system name if you haven't configured one) when the router generates a syslog. The facility is defined in the Log Settings screen. The severity is the log's syslog class. The messages and notes are defined in the various log charts throughout this appendix. The "devID" is the MAC address of the router's LAN port. The "cat" is the same as the category in the router's logs.

LOG MESSAGE (Traffic Log):
  <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="Traffic Log" note="Traffic Log" devID="<mac address>" cat="Traffic Log" duration=seconds sent=sentBytes rcvd=receiveBytes dir="<from:to>" protoID=IPProtocolID proto="serviceName" trans="IPSec/Normal"

DESCRIPTION:
  This message is sent by the device when the connection (session) is closed. The facility is defined in the Log Settings screen. The severity is the traffic log type. The message and note always display "Traffic Log". The "proto" field lists the service name. The "dir" field lists the incoming and outgoing interfaces ("LAN:LAN", "LAN:WAN", "LAN:DEV" for example).
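The two line formats in Table 73 are what a collector or log analyzer has to parse before it can do anything with the device's output. The following parser is an added example written for this guide, not ZyXEL code: it splits the syslog PRI into facility and severity, reads the key="value" and key=value fields the table lists (src, dst, msg, note, devID, cat, and the traffic-only duration, sent, rcvd, dir, protoID, proto, trans), converts the numeric traffic fields, and totals bytes per interface pair across the traffic logs. The two sample lines are constructed to match the documented layout; the message text, addresses and MAC address in them are placeholders, not output captured from a device.

```python
"""Parse the syslog event and traffic log formats described in Table 73.

Added example, not ZyXEL firmware code. The sample lines are constructed
to match the documented layout; their contents are placeholders.
"""
import re
from dataclasses import dataclass

# <PRI> is Facility*8 + Severity, followed by "Mon dd hr:mm:ss hostname ..."
_HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<rest>.*)$"
)
# key="quoted value" (may contain spaces and ':') or key=bare_token
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# fields the traffic log format writes as bare integers
_INT_FIELDS = ("duration", "sent", "rcvd", "protoID")
# standard syslog severity names, indexed by severity value 0..7
SEVERITY_NAMES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")


@dataclass
class SyslogRecord:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    fields: dict

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

    @property
    def is_traffic_log(self) -> bool:
        # traffic logs always carry cat="Traffic Log" (Table 73)
        return self.fields.get("cat") == "Traffic Log"


def split_endpoint(value: str):
    """'192.168.1.33:54321' -> ('192.168.1.33', 54321)."""
    host, _, port = value.rpartition(":")
    return host, int(port)


def parse_line(line: str) -> SyslogRecord:
    m = _HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    fields = {}
    for key, quoted, bare in _KV_RE.findall(m.group("rest")):
        fields[key] = bare if bare else quoted
    for key in _INT_FIELDS:
        if key in fields:
            fields[key] = int(fields[key])
    if "dir" in fields:
        # dir="<from:to>", e.g. LAN:WAN -> ("LAN", "WAN")
        fields["dir"] = tuple(fields["dir"].split(":", 1))
    return SyslogRecord(pri // 8, pri % 8, m.group("timestamp"), m.group("hostname"), fields)


def bytes_per_direction(records):
    """Total sent+received bytes per (from, to) interface pair over the traffic logs."""
    totals = {}
    for rec in records:
        if rec.is_traffic_log:
            key = rec.fields["dir"]
            totals[key] = totals.get(key, 0) + rec.fields["sent"] + rec.fields["rcvd"]
    return totals


# Constructed sample lines in the documented layout (placeholders, not device output).
SAMPLE_LINES = [
    '<134>Jan 12 10:15:02 RAS src="192.168.1.33:54321" dst="192.168.1.1:80" '
    'msg="Successful WEB login" note="User:admin" devID="00:13:49:00:00:01" cat="Access Control"',
    '<135>Jan 12 10:16:40 RAS src="192.168.1.33:49152" dst="203.0.113.5:443" '
    'msg="Traffic Log" note="Traffic Log" devID="00:13:49:00:00:01" cat="Traffic Log" '
    'duration=98 sent=5120 rcvd=204800 dir="LAN:WAN" protoID=6 proto="HTTPS" trans="Normal"',
]

if __name__ == "__main__":
    records = [parse_line(line) for line in SAMPLE_LINES]
    for rec in records:
        print(rec.severity_name, rec.fields.get("cat"), rec.fields)
    print(bytes_per_direction(records))
```

Quoted values are read with a separate regex branch so a message containing spaces or a colon (such as the src and dst endpoints) is not split, and the PRI bound check rejects lines that cannot have come from a syslog sender before any field is trusted.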
Table 74   RFC-2408 ISAKMP Payload Types

LOG DISPLAY   PAYLOAD TYPE
SA            Security Association
PROP          Proposal
TRANS         Transform
KE            Key Exchange
ID            Identification
CER           Certificate
CER_REQ       Certificate Request
HASH          Hash
SIG           Signature
NONCE         Nonce
NOTFY         Notification