C H A P T E R 2 3

Logs

23.1 Overview

The web configurator allows you to choose which categories of events and/or alerts to have the ZyXEL Device log and then display the logs or have the ZyXEL

Device send them to an administrator (as e-mail) or to a syslog server.

23.1.1 What You Can Do in the Log Screens

• Use the View Log screen ( Section 23.2 on page 391 ) to see the logs for the

categories that you selected in the Log Settings screen.

• Use The Log Settings screen (

Section 23.3 on page 392

) to configure to where the ZyXEL Device is to send logs; the schedule for when the ZyXEL Device is to send the logs and which logs and/or immediate alerts the ZyXEL Device is to record.

23.1.2 What You Need To Know About Logs

Alerts and Logs

An alert is a type of log that warrants more serious attention. They include system errors, attacks (access control) and attempted access to blocked web sites. Some categories such as System Errors consist of both logs and alerts. You may differentiate them by their color in the View Log screen. Alerts display in red and logs display in black.

23.2 The View Log Screen

Click Maintenance > Logs to open the View Log screen. Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen (see

Section 23.3 on page 392

).

391

P-2612HW Series User’s Guide

Chapter 23 Logs

Log entries in red indicate alerts. The log wraps around and deletes the old entries after it fills. Click a column heading to sort the entries. A triangle indicates ascending or descending sort order.

Figure 234 Maintenance > Logs > View Log

The following table describes the fields in this screen.

Table 129 Maintenance > Logs > View Log

LABEL

Display

DESCRIPTION

The categories that you select in the Log Settings screen display in the drop-down list box.

Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.

Email Log Now Click Email Log Now to send the log screen to the e-mail address specified in the Log Settings page (make sure that you have first filled in the E-mail Log Settings fields in Log Settings).

Refresh

Clear Log

#

Time

Message

Source

Destination

Notes

Click Refresh to renew the log screen.

Click Clear Log to delete all the logs.

This field is a sequential value and is not associated with a specific entry.

This field displays the time the log was recorded.

This field states the reason for the log.

This field lists the source IP address and the port number of the incoming packet.

This field lists the destination IP address and the port number of the incoming packet.

This field displays additional information about the log entry.

23.3 The Log Settings Screen

Use the Log Settings screen to configure to where the ZyXEL Device is to send logs; the schedule for when the ZyXEL Device is to send the logs and which logs

392

P-2612HW Series User’s Guide

Chapter 23 Logs and/or immediate alerts the ZyXEL Device is to record. See

Section 23.1 on page

391 for more information.

To change your ZyXEL Device’s log settings, click Maintenance > Logs > Log

Settings. The screen appears as shown.

Alerts are e-mailed as soon as they happen. Logs may be e-mailed as soon as the log is full. Selecting many alert and/or log categories (especially Access Control) may result in many e-mails being sent.

Figure 235 Maintenance > Logs > Log Settings

P-2612HW Series User’s Guide

393

Chapter 23 Logs

The following table describes the fields in this screen.

Table 130 Maintenance > Logs > Log Settings

LABEL DESCRIPTION

E-mail Log Settings

Mail Server

Mail Subject

Send Log to

Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via E-mail.

Type a title that you want to be in the subject line of the log e-mail message that the ZyXEL Device sends. Not all ZyXEL Device models have this field.

The ZyXEL Device sends logs to the e-mail address specified in this field.

If this field is left blank, the ZyXEL Device does not send logs via e-mail.

Send Alerts to Alerts are real-time notifications that are sent as soon as an event, such as a DoS attack, system error, or forbidden web access attempt occurs.

Enter the E-mail address where the alert messages will be sent. Alerts include system errors, attacks and attempted access to blocked web sites. If this field is left blank, alert messages will not be sent via E-mail.

Enable SMTP

Authentication

SMTP (Simple Mail Transfer Protocol) is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.

User Name

Select the check box to activate SMTP authentication. If mail server authentication is needed but this feature is disabled, you will not receive the e-mail logs.

Enter the user name (up to 31 characters) (usually the user name of a mail account).

Password Enter the password associated with the user name above.

Log Schedule This drop-down menu is used to configure the frequency of log messages being sent as E-mail:

Day for

Sending Log

Time for

Sending Log

Clear log after sending mail

Syslog

Logging

Active

• Daily

• Weekly

• Hourly

• When Log is Full

• None.

If you select Weekly or Daily, specify a time of day when the E-mail should be sent. If you select Weekly, then also specify which day of the week the E-mail should be sent. If you select When Log is Full, an alert is sent when the log fills up. If you select None, no log messages are sent.

Use the drop down list box to select which day of the week to send the logs.

Enter the time of the day in 24-hour format (for example 23:00 equals

11:00 pm) to send the logs.

Select this to delete all the logs after the ZyXEL Device sends an E-mail of the logs.

The ZyXEL Device sends a log to an external syslog server.

Click Active to enable syslog logging.

394

P-2612HW Series User’s Guide

Chapter 23 Logs

Table 130 Maintenance > Logs > Log Settings

LABEL

Syslog IP

Address

DESCRIPTION

Enter the server name or IP address of the syslog server that will log the selected categories of logs.

Log Facility

Send

Immediate

Alert

Select a location from the drop down list box. The log facility allows you to log the messages to different files in the syslog server. Refer to the syslog server manual for more information.

Active Log and Alert

Log Select the categories of logs that you want to record.

Select log categories for which you want the ZyXEL Device to send E-mail alerts immediately.

Apply

Cancel

Click Apply to save your customized settings and exit this screen.

Click Cancel to return to the previously saved settings.

23.4 SMTP Error Messages

If there are difficulties in sending e-mail the following error message appears.

“SMTP action request failed. ret= ??". The “??"are described in the following table.

Table 131 SMTP Error Messages

-1 means ZyXEL Device out of socket

-2 means tcp SYN fail

-3 means smtp server OK fail

-4 means HELO fail

-5 means MAIL FROM fail

-6 means RCPT TO fail

-7 means DATA fail

-8 means mail data send fail

23.4.1 Example E-mail Log

An "End of Log" message displays for each mail in which a complete log has been sent. The following is an example of a log sent by e-mail.

• You may edit the subject title.

• The date format here is Day-Month-Year.

• The date format here is Month-Day-Year. The time format is Hour-Minute-

Second.

P-2612HW Series User’s Guide

395

Chapter 23 Logs

• "End of Log" message shows that a complete log has been sent.

Figure 236 E-mail Log Example

Subject:

Firewall Alert From

Date:

Fri, 07 Apr 2000 10:05:42

From:

[email protected]

To:

[email protected]

1|Apr 7 00 |From:192.168.1.1 To:192.168.1.255 |default policy |forward

| 09:54:03 |UDP src port:00520 dest port:00520 |<1,00> |

2|Apr 7 00 |From:192.168.1.131 To:192.168.1.255 |default policy |forward

| 09:54:17 |UDP src port:00520 dest port:00520 |<1,00> |

3|Apr 7 00 |From:192.168.1.6 To:10.10.10.10 |match |forward

| 09:54:19 |UDP src port:03516 dest port:00053 |<1,01> |

……………………………..{snip}…………………………………..

……………………………..{snip}…………………………………..

126|Apr 7 00 |From:192.168.1.1 To:192.168.1.255 |match |forward

| 10:05:00 |UDP src port:00520 dest port:00520 |<1,02> |

127|Apr 7 00 |From:192.168.1.131 To:192.168.1.255 |match |forward

| 10:05:17 |UDP src port:00520 dest port:00520 |<1,02> |

128|Apr 7 00 |From:192.168.1.1 To:192.168.1.255 |match |forward

| 10:05:30 |UDP src port:00520 dest port:00520 |<1,02> |

End of Firewall Log

23.5 Log Descriptions

This section provides descriptions of example log messages.

Table 132 System Maintenance Logs

LOG MESSAGE

Time calibration is successful

Time calibration failed

WAN interface gets IP: %s

DHCP client IP expired

DHCP server assigns %s

Successful WEB login

WEB login failed

Successful TELNET login

TELNET login failed

Successful FTP login

DESCRIPTION

The router has adjusted its time based on information from the time server.

The router failed to get information from the time server.

A WAN interface got a new IP address from the DHCP,

PPPoE, or dial-up server.

A DHCP client's IP address has expired.

The DHCP server assigned an IP address to a client.

Someone has logged on to the router's web configurator interface.

Someone has failed to log on to the router's web configurator interface.

Someone has logged on to the router via telnet.

Someone has failed to log on to the router via telnet.

Someone has logged on to the router via ftp.

396

P-2612HW Series User’s Guide

Chapter 23 Logs

Table 132 System Maintenance Logs (continued)

LOG MESSAGE

FTP login failed

NAT Session Table is Full!

Starting Connectivity

Monitor

DESCRIPTION

Someone has failed to log on to the router via ftp.

The maximum number of NAT session table entries has been exceeded and the table is full.

Starting Connectivity Monitor.

Time initialized by Daytime

Server

Time initialized by Time server

Time initialized by NTP server

The router got the time and date from the Daytime server.

The router got the time and date from the time server.

The router got the time and date from the NTP server.

Connect to Daytime server fail

Connect to Time server fail

Connect to NTP server fail

Too large ICMP packet has been dropped

Configuration Change: PC =

0x%x, Task ID = 0x%x

The router was not able to connect to the Daytime server.

The router was not able to connect to the Time server.

The router was not able to connect to the NTP server.

The router dropped an ICMP packet that was too large.

The router is saving configuration changes.

Successful SSH login

SSH login failed

Successful HTTPS login

HTTPS login failed

Someone has logged on to the router’s SSH server.

Someone has failed to log on to the router’s SSH server.

Someone has logged on to the router's web configurator interface using HTTPS protocol.

Someone has failed to log on to the router's web configurator interface using HTTPS protocol.

Table 133 System Error Logs

LOG MESSAGE

%s exceeds the max. number of session per host!

setNetBIOSFilter: calloc error readNetBIOSFilter: calloc error

WAN connection is down.

DESCRIPTION

This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.

The router failed to allocate memory for the NetBIOS filter settings.

The router failed to allocate memory for the NetBIOS filter settings.

A WAN connection is down. You cannot access the network through this interface.

P-2612HW Series User’s Guide

397

Chapter 23 Logs

Table 134 Access Control Logs

LOG MESSAGE

Firewall default policy: [ TCP |

UDP | IGMP | ESP | GRE | OSPF ]

<Packet Direction>

Firewall rule [NOT] match:[ TCP

| UDP | IGMP | ESP | GRE | OSPF

] <Packet Direction>, <rule:%d>

DESCRIPTION

Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched the default policy and was blocked or forwarded according to the default policy’s setting.

Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched (or did not match) a configured firewall rule (denoted by its number) and was blocked or forwarded according to the rule.

The firewall allowed a triangle route session to pass through.

Triangle route packet forwarded:

[ TCP | UDP | IGMP | ESP | GRE |

OSPF ]

Packet without a NAT table entry blocked: [ TCP | UDP | IGMP |

ESP | GRE | OSPF ]

Router sent blocked web site message: TCP

The router blocked a packet that didn't have a corresponding NAT table entry.

The router sent a message to notify a user that the router blocked access to a web site that the user requested.

Table 135 TCP Reset Logs

LOG MESSAGE

Under SYN flood attack, sent TCP RST

Exceed TCP MAX incomplete, sent TCP RST

Peer TCP state out of order, sent TCP RST

Firewall session time out, sent TCP RST

DESCRIPTION

The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host.)

The router sent a TCP reset packet when the number of

TCP incomplete connections exceeded the user configured threshold. (the TCP incomplete count is per destination host.) Note: Refer to TCP Maximum Incomplete in the

Firewall Attack Alerts screen.

The router sent a TCP reset packet when a TCP connection state was out of order.Note: The firewall refers to RFC793 Figure 6 to check the TCP state.

The router sent a TCP reset packet when a dynamic firewall session timed out.Default timeout values:ICMP idle timeout (s): 60UDP idle timeout (s): 60TCP connection (three way handshaking) timeout (s): 30TCP

FIN-wait timeout (s): 60TCP idle (established) timeout

(s): 3600

398

P-2612HW Series User’s Guide

Chapter 23 Logs

Table 135 TCP Reset Logs (continued)

LOG MESSAGE

Exceed MAX incomplete, sent TCP RST

Access block, sent TCP

RST

DESCRIPTION

The router sent a TCP reset packet when the number of incomplete connections (TCP and UDP) exceeded the user-configured threshold. (Incomplete count is for all

TCP and UDP connections through the firewall.)Note:

When the number of incomplete connections (TCP + UDP)

> “Maximum Incomplete High”, the router sends TCP RST packets for TCP connections and destroys TOS (firewall dynamic sessions) until incomplete connections <

“Maximum Incomplete Low”.

The router sends a TCP RST packet and generates this log if you turn on the firewall TCP reset mechanism (via CI command: "sys firewall tcprst").

Table 136 Packet Filter Logs

LOG MESSAGE

[ TCP | UDP | ICMP | IGMP |

Generic ] packet filter matched (set: %d, rule: %d)

DESCRIPTION

Attempted access matched a configured filter rule

(denoted by its set and rule number) and was blocked or forwarded according to the rule.

For type and code details, see

Table 145 on page 402

.

Table 137 ICMP Logs

LOG MESSAGE

Firewall default policy: ICMP

<Packet Direction>, <type:%d>,

<code:%d>

Firewall rule [NOT] match: ICMP

<Packet Direction>, <rule:%d>,

<type:%d>, <code:%d>

Triangle route packet forwarded:

ICMP

Packet without a NAT table entry blocked: ICMP

Unsupported/out-of-order ICMP:

ICMP

Router reply ICMP packet: ICMP

DESCRIPTION

ICMP access matched the default policy and was blocked or forwarded according to the user's setting.

ICMP access matched (or didn’t match) a firewall rule (denoted by its number) and was blocked or forwarded according to the rule.

The firewall allowed a triangle route session to pass through.

The router blocked a packet that didn’t have a corresponding NAT table entry.

The firewall does not support this kind of ICMP packets or the ICMP packets are out of order.

The router sent an ICMP reply packet to the sender.

P-2612HW Series User’s Guide

399

Chapter 23 Logs

Table 138 CDR Logs

LOG MESSAGE board %d line %d channel %d, call %d, %s C01 Outgoing Call dev=%x ch=%x %s

DESCRIPTION

The router received the setup requirements for a call.

“call” is the reference (count) number of the call.

“dev” is the device type (3 is for dial-up, 6 is for

PPPoE, 10 is for PPTP). "channel" or “ch” is the call channel ID.For example,"board 0 line 0 channel 0, call

3, C01 Outgoing Call dev=6 ch=0 "Means the router has dialed to the PPPoE server 3 times.

The PPPoE, PPTP or dial-up call is connected.

board %d line %d channel %d, call %d, %s C02 OutCall

Connected %d %s board %d line %d channel %d, call %d, %s C02 Call

Terminated

The PPPoE, PPTP or dial-up call was disconnected.

Table 139 PPP Logs

LOG MESSAGE DESCRIPTION ppp:LCP Starting

The PPP connection’s Link Control Protocol stage has started.

ppp:LCP Opening

The PPP connection’s Link Control Protocol stage is opening.

ppp:CHAP Opening

The PPP connection’s Challenge Handshake Authentication Protocol stage is opening.

ppp:IPCP

Starting

The PPP connection’s Internet Protocol Control Protocol stage is starting.

ppp:IPCP Opening

The PPP connection’s Internet Protocol Control Protocol stage is opening.

ppp:LCP Closing

The PPP connection’s Link Control Protocol stage is closing.

ppp:IPCP Closing

The PPP connection’s Internet Protocol Control Protocol stage is closing.

Table 140 UPnP Logs

LOG MESSAGE

UPnP pass through Firewall

DESCRIPTION

UPnP packets can pass through the firewall.

Table 141 Content Filtering Logs

LOG MESSAGE

%s: block keyword

%s

DESCRIPTION

The content of a requested web page matched a user defined keyword.

The system forwarded web content.

400

P-2612HW Series User’s Guide

Chapter 23 Logs

For type and code details, see

Table 145 on page 402

.

Table 142 Attack Logs

LOG MESSAGE attack [ TCP | UDP | IGMP

| ESP | GRE | OSPF ]

DESCRIPTION

The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF attack.

The firewall detected an ICMP attack.

attack ICMP (type:%d, code:%d) land [ TCP | UDP | IGMP |

ESP | GRE | OSPF ]

The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF land attack.

The firewall detected an ICMP land attack.

land ICMP (type:%d, code:%d) ip spoofing - WAN [ TCP |

UDP | IGMP | ESP | GRE |

OSPF ]

The firewall detected an IP spoofing attack on the WAN port.

ip spoofing - WAN ICMP

(type:%d, code:%d)

The firewall detected an ICMP IP spoofing attack on the

WAN port.

The firewall detected an ICMP echo attack. icmp echo : ICMP

(type:%d, code:%d) syn flood TCP ports scan TCP teardrop TCP teardrop UDP teardrop ICMP (type:%d, code:%d)

The firewall detected a TCP syn flood attack.

The firewall detected a TCP port scan attack.

The firewall detected a TCP teardrop attack.

The firewall detected an UDP teardrop attack.

The firewall detected an ICMP teardrop attack. illegal command TCP

NetBIOS TCP ip spoofing - no routing entry [ TCP | UDP | IGMP

| ESP | GRE | OSPF ]

The firewall detected a TCP illegal command attack.

The firewall detected a TCP NetBIOS attack.

The firewall classified a packet with no source routing entry as an IP spoofing attack.

ip spoofing - no routing entry ICMP (type:%d, code:%d)

The firewall classified an ICMP packet with no source routing entry as an IP spoofing attack.

vulnerability ICMP

(type:%d, code:%d) traceroute ICMP (type:%d, code:%d)

The firewall detected an ICMP vulnerability attack.

The firewall detected an ICMP traceroute attack.

Table 143 802.1X Logs

LOG MESSAGE

RADIUS accepts user.

RADIUS rejects user. Pls check

RADIUS Server.

User logout because of session timeout expired.

DESCRIPTION

A user was authenticated by the RADIUS Server.

A user was not authenticated by the RADIUS

Server. Please check the RADIUS Server.

The router logged out a user whose session expired.

P-2612HW Series User’s Guide

401

Chapter 23 Logs

Table 143 802.1X Logs (continued)

LOG MESSAGE

User logout because of user deassociation.

DESCRIPTION

The router logged out a user who ended the session.

User logout because of no authentication response from user.

The router logged out a user from which there was no authentication response.

User logout because of idle timeout expired.

The router logged out a user whose idle timeout period expired.

A user logged out.

User logout because of user request.

No response from RADIUS. Pls check RADIUS Server.

Use RADIUS to authenticate user.

There is no response message from the RADIUS server, please check the RADIUS server.

The RADIUS server is operating as the authentication server.

No Server to authenticate user.

There is no authentication server to authenticate a user.

Table 144 ACL Setting Notes

PACKET

DIRECTION

(L to W)

(W to L)

(L to L/ZyXEL

Device)

(W to W/ZyXEL

Device)

DIRECTION

LAN to WAN

WAN to LAN

LAN to LAN/

ZyXEL Device

WAN to WAN/

ZyXEL Device

DESCRIPTION

ACL set for packets traveling from the LAN to the

WAN.

ACL set for packets traveling from the WAN to the

LAN.

ACL set for packets traveling from the LAN to the

LAN or the ZyXEL Device.

ACL set for packets traveling from the WAN to the

WAN or the ZyXEL Device.

Table 145 ICMP Notes

TYPE

0

3

CODE DESCRIPTION

Echo Reply

0

0

1

2

3

4

5

Echo reply message

Destination Unreachable

Net unreachable

Host unreachable

Protocol unreachable

Port unreachable

A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF)

Source route failed

402

P-2612HW Series User’s Guide

Chapter 23 Logs

Table 145 ICMP Notes (continued)

TYPE

4

5

8

11

12

13

14

15

16

CODE DESCRIPTION

Source Quench

0

0

1

2

3

0

0

1

0

0

0

0

0

A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.

Redirect

Redirect datagrams for the Network

Redirect datagrams for the Host

Redirect datagrams for the Type of Service and Network

Redirect datagrams for the Type of Service and Host

Echo

Echo message

Time Exceeded

Time to live exceeded in transit

Fragment reassembly time exceeded

Parameter Problem

Pointer indicates the error

Timestamp

Timestamp request message

Timestamp Reply

Timestamp reply message

Information Request

Information request message

Information Reply

Information reply message

Table 146 Syslog Logs

LOG MESSAGE

<Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="<msg>" note="<note>" devID="<mac address last three numbers>" cat="<category>

DESCRIPTION

"This message is sent by the system ("RAS" displays as the system name if you haven’t configured one) when the router generates a syslog. The facility is defined in the web MAIN

MENU->LOGS->Log Settings page. The severity is the log’s syslog class. The definition of messages and notes are defined in the various log charts throughout this appendix. The “devID” is the last three characters of the MAC address of the router’s

LAN port. The “cat” is the same as the category in the router’s logs.

P-2612HW Series User’s Guide

403

Chapter 23 Logs

Table 147 SIP Logs

LOG MESSAGE

SIP Registration Success by SIP:SIP Phone Number

SIP Registration Fail by

SIP:SIP Phone Number

SIP UnRegistration

Success by SIP:SIP Phone

Number

SIP UnRegistration Fail by SIP:SIP Phone Number

DESCRIPTION

The listed SIP account was successfully registered with a

SIP register server.

An attempt to register the listed SIP account with a SIP register server was not successful.

The listed SIP account’s registration was deleted from the

SIP register server.

An attempt to delete the listed SIP account’s registration from the SIP register server failed.

Table 148 RTP Logs

LOG MESSAGE

Error, RTP init fail

Error, Call fail: RTP connect fail

Error, RTP connection cannot close

DESCRIPTION

The initialization of an RTP session failed.

A VoIP phone call failed because the RTP session could not be established.

The termination of an RTP session failed.

Table 149 FSM Logs: Caller Side

LOG MESSAGE

VoIP Call Start Ph[Phone

Port Number] <- Outgoing

Call Number

DESCRIPTION

Someone used a phone connected to the listed phone port to initiate a VoIP call to the listed destination.

VoIP Call Established

Ph[Phone Port] ->

Outgoing Call Number

Someone used a phone connected to the listed phone port to make a VoIP call to the listed destination.

VoIP Call End Phone[Phone

Port]

A VoIP phone call made from a phone connected to the listed phone port has terminated.

404

P-2612HW Series User’s Guide

Chapter 23 Logs

Table 150 FSM Logs: Callee Side

LOG MESSAGE

VoIP Call Start from

SIP[SIP Port Number]

VoIP Call Established

Ph[Phone Port] <-

Outgoing Call Number

DESCRIPTION

A VoIP phone call came to the ZyXEL Device from the listed SIP number.

A VoIP phone call was set up from the listed SIP number to the ZyXEL Device.

VoIP Call End Phone[Phone

Port]

A VoIP phone call that came into the ZyXEL Device has terminated.

The following table shows RFC-2408 ISAKMP payload types that the log displays.

Please refer to RFC 2408 for detailed information on each type.

Table 151 RFC-2408 ISAKMP Payload Types

LOG DISPLAY

SA

PROP

TRANS

KE

ID

CER

CER_REQ

HASH

SIG

NONCE

NOTFY

DEL

VID

PAYLOAD TYPE

Security Association

Proposal

Transform

Key Exchange

Identification

Certificate

Certificate Request

Hash

Signature

Nonce

Notification

Delete

Vendor ID

P-2612HW Series User’s Guide

405

Chapter 23 Logs

406

P-2612HW Series User’s Guide