SonicOS Combined Log Event Reference Guide

Notes, Cautions, and Warnings

NOTE: A NOTE indicates important information that helps you make better use of your system.

CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are not followed.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2013 Dell Inc.

Trademarks: Dell™, the DELL logo, SonicWALL™, SonicWALL GMS™, SonicWALL Analyzer™, Reassembly-Free Deep Packet Inspection™, Dynamic Security for the Global Network™, SonicWALL Clean VPN™, SonicWALL Clean Wireless™, SonicWALL Comprehensive Gateway Security Suite™, SonicWALL Mobile Connect™, and all other SonicWALL product and service names and slogans are trademarks of Dell Inc.

2013 – 09

P/N 232-001771-00

Rev. C

Overview

This reference guide lists and describes SonicOS log event messages for SonicOS 5.8.1, 6.0.1, and 6.1. Reference a log event message by using the alphabetical index from the Log Event Message Index table of this document.

This document contains the following sections:

Log > Monitor

Log > Categories

Index of Log Event Messages

Log > Syslog

Index of Syslog Tag Field Descriptions

Table of Values

Log > Monitor

The Dell SonicWALL security appliance maintains an Event log for tracking potential security threats. This log can be viewed by navigating to the Dashboard > Log Monitor or Log > View page, or it can be automatically sent to an email address for convenience and archiving. The log is displayed in a table and can be sorted by column.

For more information on configuring the Log Monitor page, refer to the SonicOS Administrator’s Guide.

Log > Categories

The Log > Categories page allows you to categorize and customize the logging functions on your Dell SonicWALL security appliance for troubleshooting and diagnostics.

For more information on configuring and managing the Log > Categories page, refer to the SonicOS Administrator’s Guide.

Index of Log Event Messages

The following table is the Log Event Message Index, which is an alphabetical list of log event messages for the SonicOS 5.8.1, 6.0.1, and 6.1 firmware.

Each log event message described in the following table provides the following log event details:

Log Event Messages—Displays the name of the event message.

SonicOS Category—Displays the SonicOS category type. This is the same category as Table 2: Expanded Categories on page 80.

Legacy Category—Displays the category event type. This is the same category as Table 1: Legacy Category on page 79.

Priority Level—Displays the level of urgency of the log event message. For additional information, you can also reference Table 3: Priority Level on page 83.

Log Event Message ID Number—Displays the ID number of the log event message.

SNMP Trap Type—Displays the SNMP Trap ID number of the log event message.

       

| Log Event Messages | SonicOS Category | Legacy Category | Priority Level | Log Message ID Number | SNMP Trap Type |
|---|---|---|---|---|---|
| DOS protection on WAN %s | Intrusion Prevention | Network Debug | ALERT | 1181 | --- |
| DOS protection on WAN begins %s | Intrusion Prevention | Network Debug | ALERT | 1180 | --- |
| "As per Diagnostic Autorestart configuration request, restarting system" | Firewall Event | --- | INFO | 1047 | --- |
| #Web site hit | Network Traffic | Syslog only – for traffic reporting | INFO | 97 | --- |
| %s auto dial failed: Current Connection Model is configured as Ethernet Only | PPP Dial Up | System Errors | ALERT | 1028 | --- |
| %s Ethernet Port Down | Firewall Event | System Errors | ERROR | 333 | 641 |
| %s Ethernet Port Up | Firewall Event | System Errors | WARNING | 332 | 640 |
| %s is operational | Anti Spam Service | --- | WARNING | 1082 | 13801 |
| %s is unavailable | Anti Spam Service | --- | WARNING | 1083 | 13802 |
| <b>Registration Update Needed:</b> Restore your existing security service subscriptions by clicking <a href="/Security_Services/enable_services.html">here</a> | Security Services | System Maintenance | WARNING | 496 | --- |
| 3G/4G %s device detected | Firewall Hardware | System Environment | INFO | 1017 | --- |
| 3G/4G Dial up: %s | PPP Dial Up | User Activity | ALERT | 1026 | --- |
| 3G/4G Dial up: data usage limit reached for the '%s' billing cycle. Disconnecting the 3G/4G session. | PPP Dial Up | User Activity | ALERT | 1027 | 7643 |
| 3G/4G: No SIM detected | Firewall Hardware | --- | ALERT | 1055 | --- |
| 802.11 Management | Wireless | 802.11 Management | INFO | 518 | --- |
| A high percentage of the system packet buffers are held waiting for SSO | SSO Agent Authentication | User Activity | ALERT | 1178 | --- |
| A prior version of preferences was loaded because the most recent preferences file was inaccessible | Firewall Event | System Errors | WARNING | 572 | 648 |
| A SonicOS Standard to Enhanced Upgrade was performed | Firewall Event | System Maintenance | INFO | 611 | --- |
| A user has a very high number of connections waiting for SSO | SSO Agent Authentication | User Activity | ALERT | 1179 | --- |
| Access attempt from host out of compliance with GSC policy | Security Services | System Maintenance | INFO | 761 | --- |
| Access attempt from host without AntiVirus agent installed | Security Services | System Maintenance | INFO | 123 | --- |
| Access attempt from host without GSC installed | Security Services | System Maintenance | INFO | 763 | 8627 |
| Access rule added | Firewall Rule | User Activity | INFO | 440 | --- |
| Access rule deleted | Firewall Rule | User Activity | INFO | 442 | --- |
| Access rule modified | Firewall Rule | User Activity | INFO | 441 | --- |
| Access rules restored to defaults | Firewall Rule | User Activity | INFO | 443 | --- |
| Access to proxy server denied | Network Access | Blocked Web Sites | NOTICE | 60 | 705 |
| Active Backup detects Active Primary: Backup going Idle | High Availability | System Maintenance | INFO | 154 | --- |
| Active/Active Clustering license is not activated on the following cluster units: %s | High Availability | --- | ERROR | 1152 | --- |
| ActiveX access denied | Network Access | Blocked Java Etc | NOTICE | 18 | --- |
| ActiveX or Java archive access denied | Network Access | Blocked Java Etc | NOTICE | 20 | --- |
| ADConnector %s response timedout; applying caching policy | Microsoft Active Directory | --- | ERROR | 769 | --- |
| Add an attack message | Firewall Event | Attacks | ERROR | 143 | 525 |
| Added a new member to an LDAP mirror user group | Remote Authentication | User Activity | INFO | 1192 | --- |
| Added host entry to dynamic address object | Dynamic Address Objects | System Maintenance | INFO | 911 | --- |
| Added new LDAP mirror user group: %s | Remote Authentication | User Activity | INFO | 1190 | --- |
| Adding Dynamic Entry for Bound MAC Address | Network | --- | INFO | 813 | --- |
| Adding L2TP IP pool Address object Failed. | L2TP Server | System Errors | ERROR | 603 | 661 |
| Adding to multicast policyList , interface : %s | Multicast | --- | DEBUG | 697 | --- |
| Adding to Multicast policyList , VPN SPI : %s | Multicast | --- | DEBUG | 699 | --- |
| Administrator logged out | Authenticated Access | User Activity | INFO | 261 | --- |
| Administrator logged out inactivity timer expired | Authenticated Access | User Activity | INFO | 262 | --- |
| Administrator login allowed | Authenticated Access | User Activity | INFO | 29 | --- |
| Administrator login denied due to bad credentials | Authenticated Access | Attacks | ALERT | 30 | 560 |
| Administrator login denied from %s; logins disabled from this interface | Authenticated Access | Attacks | ALERT | 35 | 506 |
| Administrator name changed | Authenticated Access | System Maintenance | INFO | 328 | --- |
| All DDNS associations have been deleted | DDNS | System Maintenance | INFO | 783 | --- |
| All preference values have been set to factory default values | Firewall Event | System Errors | WARNING | 574 | 650 |
| Allowed LDAP server certificate with wrong host name | Remote Authentication | User Activity | WARNING | 752 | --- |
| An LDAP user group nesting is not being mirrored | Remote Authentication | User Activity | WARNING | 1246 | --- |
| AntiSpam service is disabled by administrator. | Anti Spam Service | --- | INFO | 1085 | 13804 |
| AntiSpam service is enabled by administrator. | Anti Spam Service | --- | INFO | 1084 | 13803 |
| AntiSpam Startup Failure %s | Anti Spam Service | --- | WARNING | 1088 | 13807 |
| AntiSpam Teardown Failure %s | Anti Spam Service | --- | WARNING | 1089 | 13808 |
| AntiSpyware Detection Alert: %s | Intrusion Prevention | Attacks | ALERT | 795 | 6438 |
| AntiSpyware Prevention Alert: %s | Intrusion Prevention | Attacks | ALERT | 794 | 6437 |
| AntiSpyware Service Expired | Security Services | System Maintenance | WARNING | 796 | 8631 |
| AntiVirus agent out of date on host | Security Services | System Maintenance | INFO | 124 | --- |
| AntiVirus Licenses Exceeded | Security Services | System Maintenance | INFO | 408 | --- |
| Appflow Server Event | App Flow Server | --- | INFO | 1263 | --- |
| Application Control Detection Alert: %s | Application Control | --- | ALERT | 1154 | 15001 |
| Application Control Prevention Alert: %s | Application Control | --- | ALERT | 1155 | 15002 |
| Application Filter Detection Alert: %s | Intrusion Prevention | Attacks | ALERT | 650 | --- |
| Application Filters Block Alert: %s | Intrusion Prevention | Attacks | ALERT | 649 | --- |
| Application Firewall Alert: %s | App Rules | User Activity | ALERT | 793 | 13201 |
| ARP request packet received | Network | --- | INFO | 717 | --- |
| ARP request packet sent | Network | --- | INFO | 715 | --- |
| ARP response packet received | Network | --- | INFO | 716 | --- |
| ARP response packet sent | Network | --- | INFO | 718 | --- |
| ARP timeout | Network | Network Debug | DEBUG | 45 | --- |
| Assigned IP address %s | DHCP Server | --- | INFO | 1110 | --- |
| Association Flood from WLAN station | WLAN IDS | Expanded WLAN IDS activity | ALERT | 548 | 903 |
| Attempt to contact Remote backup server for upload approval failed | Firewall Event | System Maintenance | DEBUG | 1160 | --- |
| Authentication timeout during Remotely Triggered Dial out session | Authenticated Access | User Activity | INFO | 821 | --- |
| Back Orifice attack dropped | Intrusion Prevention | Attacks | ALERT | 73 | 512 |
| Backup active | High Availability | System Errors | INFO | 825 | --- |
| Backup firewall being preempted by Primary | High Availability | System Errors | ERROR | 152 | 619 |
| Backup firewall has transitioned to Active | High Availability | System Maintenance | ALERT | 145 | --- |
| Backup firewall has transitioned to Idle | High Availability | System Maintenance | ALERT | 147 | --- |
| Backup firewall rebooting itself as it transitioned from Active to Idle while Preempt | High Availability | --- | INFO | 1059 | --- |
| Backup going Active in preempt mode Application Firewall reboot | High Availability | System Errors | ERROR | 170 | 622 |
| Backup missed heartbeats from Primary | High Availability | System Errors | ERROR | 149 | 616 |
| Backup received error signal from Primary | High Availability | System Errors | ERROR | 151 | 618 |
| Backup received heartbeat from wrong source | High Availability | System Maintenance | INFO | 161 | --- |
| Backup received reboot signal from Primary | High Availability | System Errors | ERROR | 672 | 666 |
| Backup remote server did not approve upload request | Firewall Event | System Maintenance | DEBUG | 1161 | --- |
| Backup shut down because license is expired | High Availability | System Errors | ERROR | 824 | --- |
| Backup WAN link down, Primary going Active | High Availability | System Errors | ERROR | 219 | 633 |
| Backup will be shut down in %s minutes | High Availability | System Errors | ERROR | 823 | --- |
| Bad CRL format | VPN PKI | User Activity | ALERT | 277 | --- |
| Bind to LDAP server failed | Remote Authentication | System Errors | ERROR | 1009 | --- |
| Blocked Quick Mode for Client using Default KeyId | VPN Client | System Errors | ERROR | 505 | 660 |
| BOOTP Client IP address on LAN conflicts with remote device IP, deleting IP address from remote table | BOOTP | System Maintenance | INFO | 619 | --- |
| BOOTP reply relayed to local device | BOOTP | System Maintenance | INFO | 620 | --- |
| BOOTP Request received from remote device | BOOTP | Network Debug | DEBUG | 621 | --- |
| BOOTP server response relayed to remote device | BOOTP | Network Debug | DEBUG | 618 | --- |
| Broadcast packet dropped | Network Access | Network Debug | DEBUG | 46 | --- |
| Cannot connect to the CRL server | VPN PKI | User Activity | ALERT | 274 | --- |
| Cannot Validate Issuer Path | VPN PKI | User Activity | ALERT | 878 | --- |
| Certificate on Revoked list(CRL) | VPN PKI | User Activity | ALERT | 279 | --- |
| CFL auto download disabled, time problem detected | Security Services | System Maintenance | INFO | 268 | --- |
| Chat %s | PPP Dial Up | User Activity | INFO | 1022 | --- |
| Chat completed | PPP Dial Up | User Activity | INFO | 1020 | --- |
| Chat failed: %s | PPP Dial Up | User Activity | INFO | 1023 | --- |
| Chat started | PPP Dial Up | User Activity | INFO | 1019 | --- |
| Chat started by '%s' | PPP Dial Up | User Activity | INFO | 1032 | --- |
| Chat wrote '%s' | PPP Dial Up | User Activity | INFO | 1021 | --- |
| CLI administrator logged out | Authenticated Access | User Activity | INFO | 520 | --- |
| CLI administrator login allowed | Authenticated Access | User Activity | INFO | 199 | --- |
| CLI administrator login denied due to bad credentials | Authenticated Access | User Activity | WARNING | 200 | --- |
| Computed hash does not match hash received from peer; preshared key mismatch | VPN IKE | User Activity | WARNING | 410 | --- |
| Configuration mode administration session ended | Authenticated Access | User Activity | INFO | 995 | --- |
| Configuration mode administration session started | Authenticated Access | User Activity | INFO | 994 | --- |
| Connection Closed | Network Traffic | Syslog only for traffic reporting | INFO | 537 | --- |
| Connection Opened | Network Traffic | Syslog only for traffic reporting | INFO | 98 | --- |
| Connection timed out | VPN PKI | User Activity | ALERT | 273 | --- |
| Content filter subscription expired. | Security Services | System Errors | ERROR | 197 | 631 |
| Cookie removed | Network Access | Blocked Java Etc | NOTICE | 21 | --- |
| CPU reaches 80% utilization for more than 10 seconds. | Firewall Hardware | --- | ALERT | 1248 | 17002 |
| CRL has expired | VPN PKI | User Activity | ALERT | 874 | --- |
| CRL loaded from | VPN PKI | User Activity | INFO | 270 | --- |
| CRL missing Issuer requires CRL checking. | VPN PKI | User Activity | ALERT | 876 | --- |
| CRL validation failure for Root Certificate | VPN PKI | User Activity | ALERT | 877 | --- |
| Crypto DES test failed | Crypto Test | System Maintenance | ERROR | 360 | --- |
| Crypto DH test failed | Crypto Test | System Maintenance | ERROR | 361 | --- |
| Crypto hardware 3DES test failed | Crypto Test | System Maintenance | ERROR | 367 | --- |
| Crypto Hardware 3DES with SHA test failed | Crypto Test | System Maintenance | ERROR | 369 | --- |
| Crypto Hardware AES test failed | Crypto Test | System Maintenance | ERROR | 610 | --- |
| Crypto hardware DES test failed | Crypto Test | System Maintenance | ERROR | 366 | --- |
| Crypto hardware DES with SHA test failed | Crypto Test | System Maintenance | ERROR | 368 | --- |
| Crypto Hmac MD5 fest failed | Crypto Test | System Maintenance | ERROR | 362 | --- |
| Crypto Hmac Sha1 test failed | Crypto Test | System Maintenance | ERROR | 363 | --- |
| Crypto MD5 test failed | Crypto Test | System Maintenance | ERROR | 370 | --- |
| Crypto RSA test failed | Crypto Test | System Maintenance | ERROR | 364 | --- |
| Crypto SHA1 based DRNG KAT test failed | Crypto Test | --- | ERROR | 1060 | --- |
| Crypto Sha1 test failed | Crypto Test | System Maintenance | ERROR | 365 | --- |
| CSR Generation: %s | VPN PKI | --- | INFO | 1109 | --- |
| Current dynamic NAT translation count is more than 50% of the configured maximum. | Firewall Hardware | --- | ALERT | 1250 | 17004 |
| Current session count is more than 50% of the supported maximum. | Firewall Hardware | --- | ALERT | 1249 | 17003 |
| DDNS association %s disabled | DDNS | System Maintenance | INFO | 781 | --- |
| DDNS association %s enabled | DDNS | System Maintenance | INFO | 780 | --- |
| DDNS association %s added | DDNS | System Maintenance | INFO | 779 | --- |
| DDNS association %s deactivated | DDNS | System Maintenance | INFO | 784 | --- |
| DDNS association %s deleted | DDNS | System Maintenance | INFO | 785 | --- |
| DDNS Association %s put on line | DDNS | System Maintenance | INFO | 782 | --- |
| DDNS association %s taken Offline locally | DDNS | System Maintenance | INFO | 778 | --- |
| DDNS association %s updated | DDNS | --- | INFO | 786 | --- |
| DDNS Failure: Provider %s | DDNS | System Errors | ERROR | 774 | --- |
| DDNS Failure: Provider %s | DDNS | System Errors | ERROR | 775 | --- |
| DDNS Failure: Provider %s | DDNS | System Errors | ERROR | 773 | --- |
| DDNS Update success for domain %s | DDNS | System Maintenance | INFO | 776 | --- |
| DDNS Warning: Provider %s | DDNS | System Errors | WARNING | 777 | --- |
| Default to not blacklisted | Anti Spam Service | --- | DEBUG | 1144 | --- |
| Delete invalid scope because port ip in the range of this DHCP scope. | DHCP Server | --- | WARNING | 1184 | --- |
| Deleted LDAP mirror user group: %s | Remote Authentication | User Activity | INFO | 1191 | --- |
| Deleting from Multicast policy list, interface : %s | Multicast | --- | DEBUG | 698 | --- |
| Deleting from Multicast policy list, VPN SPI : %s | Multicast | --- | DEBUG | 700 | --- |
| Deleting IPsec SA | VPN IKE | User Activity | INFO | 92 | --- |
| Deleting IPsec SA for destination | VPN IKE | User Activity | INFO | 91 | --- |
| Deleting IPsec SA. (Phase 2) | VPN IKE | User Activity | DEBUG | 1183 | --- |
| Destination IP address connection status: %s | Firewall Event | --- | INFO | 735 | --- |
| DHCP client enabled but not ready | DHCP Client | System Maintenance | INFO | 504 | --- |
| DHCP Client did not get DHCP ACK. | DHCP Client | System Maintenance | INFO | 109 | --- |
| DHCP Client failed to verify and lease has expired. Go to INIT state. | DHCP Client | System Maintenance | INFO | 119 | --- |
| DHCP Client failed to verify and lease is still valid. Go to BOUND state. | DHCP Client | System Maintenance | INFO | 120 | --- |
| DHCP Client got a new IP address lease. | DHCP Client | System Maintenance | INFO | 121 | --- |
| DHCP Client got ACK from server. | DHCP Client | System Maintenance | INFO | 111 | --- |
| DHCP Client got NACK. | DHCP Client | System Maintenance | INFO | 110 | --- |
| DHCP Client is declining address offered by the server. | DHCP Client | System Maintenance | INFO | 112 | --- |
| DHCP Client sending REQUEST and going to REBIND state. | DHCP Client | System Maintenance | INFO | 113 | --- |
| DHCP Client sending REQUEST and going to RENEW state. | DHCP Client | System Maintenance | INFO | 114 | --- |
| DHCP DECLINE received from remote device | DHCP Relay | Network Debug | INFO | 475 | --- |
| DHCP DISCOVER received from local device | DHCP Relay | Network Debug | INFO | 479 | --- |
| DHCP DISCOVER received from remote device | DHCP Relay | Network Debug | INFO | 474 | --- |
| DHCP INFORM received from remote device | DHCP Relay | Network Debug | INFO | 1215 | --- |
| DHCP lease dropped. Lease from Central Gateway conflicts with Relay IP | DHCP Relay | System Maintenance | WARNING | 228 | --- |
| DHCP lease dropped. Lease from Central Gateway conflicts with Remote Management IP | DHCP Relay | System Maintenance | WARNING | 484 | --- |
| DHCP lease file in the flash is corrupted; read failed | Firewall Event | System Errors | WARNING | 833 | --- |
| DHCP lease relayed to local device | DHCP Relay | System Maintenance | INFO | 223 | --- |
| DHCP lease relayed to remote device | DHCP Relay | Network Debug | INFO | 225 | --- |
| DHCP lease to LAN device conflicts with remote device, deleting remote IP entry | DHCP Relay | System Maintenance | INFO | 226 | --- |
| DHCP leases written to flash | Firewall Event | System Maintenance | INFO | 835 | --- |

DHCP NACK received