ZyXEL Communications ZyWALL5UTM 4.0 User Manual

ZyWALL 5/35/70 Series User’s Guide
Appendix S Log Descriptions
790
Syslog Logs
There are two types of syslog: event logs and traffic logs. The device generates an event log 
when a system event occurs, for example, when a user logs in or the device is under attack. 
The device generates a traffic log when a "session" is terminated. A traffic log summarizes the 
session's type, when it started and stopped, the amount of traffic that was sent and received, and 
so on. An external log analyzer can reconstruct and analyze the traffic flowing through the 
device after collecting the traffic logs.
Table 298   Syslog Logs 

LOG MESSAGE:
Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="<msg>" note="<note>" devID="<mac address>" cat="<category>"
DESCRIPTION:
This message is sent by the system ("RAS" displays as the system name if you haven't configured one) when the router generates a syslog. The facility is defined in the web MAIN MENU > LOGS > Log Settings page. The severity is the log's syslog class. The messages and notes are defined in the other log tables. The "devID" is the MAC address of the router's LAN port. The "cat" is the same as the category in the router's logs.

LOG MESSAGE:
Traffic Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="Traffic Log" note="Traffic Log" devID="<mac address>" cat="Traffic Log" duration=seconds sent=sentBytes rcvd=receiveBytes dir="<from:to>" protoID=IPProtocolID proto="serviceName" trans="IPSec/Normal"
DESCRIPTION:
This message is sent by the device when the connection (session) is closed. The facility is defined in the Log Settings screen. The severity is the traffic log type. The message and note always display "Traffic Log". The "proto" field lists the service name. The "dir" field lists the incoming and outgoing interfaces ("LAN:LAN", "LAN:WAN", "LAN:DMZ", "LAN:DEV" for example).

LOG MESSAGE:
Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" ob="<0|1>" ob_mac="<mac address>" msg="<msg>" note="<note>" devID="<mac address>" cat="<category>"
DESCRIPTION:
This message is sent by the device ("RAS" displays as the system name if you haven't configured one) when it generates this syslog. The facility is defined in the web MAIN MENU > LOGS > Log Settings page. The severity is the log's syslog class. The messages and notes are defined in the other log tables. The "ob" field is the Out Break flag and "ob_mac" is the MAC address of the Out Break PC.

LOG MESSAGE:
Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" ob="0|1" ob_mac="<mac address>" msg="<msg>" note="<note>" devID="<mac address>" cat="Anti Virus" encode="< uu | b64 >"
DESCRIPTION:
This message is sent by the device ("RAS" displays as the system name if you haven't configured one) when it generates this syslog. The facility is defined in the web MAIN MENU > LOGS > Log Settings page. The severity is the log's syslog class. The "encode" field indicates the encoding method of the mail attachment. The messages and notes are defined in the Anti-Virus log descriptions.
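The following parser is an added example, not part of the ZyXEL manual or firmware. It shows how a log collector can split the message layouts in Table 298 into their parts: the PRI value is decoded into facility and severity (Facility*8 + Severity), the quoted key="value" and bare key=value fields are collected into a dictionary, traffic logs are totalled per "dir" interface pair, and hosts flagged by the anti-virus "ob" field are listed. The three sample lines are constructed to match the table's layout and are not captured from a real device; the MAC addresses and IP addresses in them are placeholders.

```python
import re
from dataclasses import dataclass

# RFC 3164 severity names, indexed by the severity value (0..7).
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample lines in the Table 298 layout (not real device output).
# PRI 134 = 16*8 + 6 (local0, info); PRI 139 = 16*8 + 3 (local0, err).
SAMPLE_LINES = [
    '<134>Jan 12 10:15:32 RAS src="192.0.2.10:51234" dst="198.51.100.5:80" '
    'msg="Traffic Log" note="Traffic Log" devID="00a0c5aabbcc" cat="Traffic Log" '
    'duration=42 sent=1024 rcvd=8192 dir="LAN:WAN" protoID=6 proto="HTTP" trans="Normal"',
    '<139>Jan 12 10:16:01 RAS src="192.0.2.10:51240" dst="192.0.2.1:23" '
    'msg="Telnet login failed" note="User: admin" devID="00a0c5aabbcc" cat="System Maintenance"',
    '<134>Jan 12 10:17:45 RAS src="192.0.2.33:1025" dst="203.0.113.7:25" '
    'ob="1" ob_mac="00a0c5ddeeff" msg="Virus infected" note="EICAR-Test-File" '
    'devID="00a0c5aabbcc" cat="Anti Virus" encode="b64"',
]

HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'                              # <Facility*8 + Severity>
    r'(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) '  # Mon dd hr:mm:ss
    r'(?P<host>\S+) '                                   # hostname ("RAS" if none is set)
    r'(?P<body>.*)$'
)
# Either key="quoted value" (may contain spaces) or key=bare_value.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Bare numeric fields of the traffic log layout.
NUMERIC_FIELDS = {"duration", "sent", "rcvd", "protoID"}


@dataclass
class ZyWallLog:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    fields: dict

    @property
    def severity_name(self):
        return SEVERITY_NAMES[self.severity]

    @property
    def is_traffic(self):
        # Traffic logs always carry cat="Traffic Log" (see Table 298).
        return self.fields.get("cat") == "Traffic Log"


def parse_line(line):
    """Parse one ZyWALL syslog line into a ZyWallLog; raise ValueError otherwise."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("not a ZyWALL syslog line: %r" % line)
    pri = int(m.group("pri"))
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(m.group("body")):
        value = bare if bare else quoted
        if key in NUMERIC_FIELDS:
            value = int(value)
        fields[key] = value
    return ZyWallLog(pri // 8, pri % 8, m.group("ts"), m.group("host"), fields)


def traffic_by_direction(logs):
    """Total (sent, rcvd) bytes per (from, to) interface pair, traffic logs only."""
    totals = {}
    for log in logs:
        if not log.is_traffic:
            continue
        src_if, dst_if = log.fields["dir"].split(":", 1)
        sent, rcvd = totals.get((src_if, dst_if), (0, 0))
        totals[(src_if, dst_if)] = (sent + log.fields["sent"], rcvd + log.fields["rcvd"])
    return totals


def outbreak_hosts(logs):
    """MAC addresses reported in ob_mac on logs whose Out Break flag ob is "1"."""
    return sorted({log.fields["ob_mac"] for log in logs if log.fields.get("ob") == "1"})


if __name__ == "__main__":
    parsed = [parse_line(line) for line in SAMPLE_LINES]
    for log in parsed:
        print(log.timestamp, log.severity_name, log.fields["cat"], "-", log.fields["msg"])
    print("bytes per direction:", traffic_by_direction(parsed))
    print("outbreak hosts:", outbreak_hosts(parsed))
```

Quoted values are matched before bare ones, so a "msg" or "note" containing spaces is kept whole; a line that does not carry the PRI, timestamp and hostname prefix is rejected rather than silently producing an empty record, which is the behaviour a collector wants when an unexpected device shares the syslog port.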