Traffic log example messages
2002 Jun 19 15:35:09 src=192.168.2.1 dst=216.21.132.114 proto=80 msg="TCP, sport=3125, SYN, ACCEPT"
2002 Jun 19 16:35:09 src=192.1.1.2 dst=2.3.4.5 proto=25 msg="UDP, sport=UDP, sport=5214, ACCEPT"
Event log message format
Event logs record management events and activity events. Management events include changes to the
system configuration as well as administrator and user logins and logouts. Activity events include system
activities, such as VPN tunnel establishment, URL blocking, antivirus scanning or blocking, and so on.
Each event log message records the date and time of the event and a description of the event. For
connections to the DFL-500 for management and for configuration changes, the event log message also
includes the IP address of the management computer.
Management messages
All management event messages have a message type of mgmt, except messages that record VPN configuration changes, which have the type vpn,mgmt.
Example management messages:
2002 Jun 19 15:35:10 type=mgmt,msg="User admin login successful at 192.168.2.2 by admin"
2002 Jun 21 20:35:09 type=mgmt,msg="Log&Report setting set successful at 192.168.100.111 by admin"
2002 Jun 19 15:23:09 type=mgmt,msg="Web-Filter banned-word add successful at 192.168.100.111 by admin"
2002 Jun 22 15:35:09 type=vpn,mgmt msg="VPN-ipsec_auto auto add successful at 192.168.100.111 by admin"
Antivirus messages
Antivirus event log messages record when the antivirus scanner blocks a file or detects a virus or worm in a
file. Antivirus event log messages have the following format:
<date> <time> src=<source IP> dst=<destination IP> proto=<protocol> msg="type=<Firewall event type> status=<status information> filename=<filename blocked/infected> virusname=<name of virus detected (infected status only)>"
Example antivirus event log messages:
2002 Jun 9 10:22:09 src=65.55.34.2 dst=192.168.100.105 proto=smtp msg="type=Anti-Virus status=BLOCKED filename=readme.txt.vbs"
2002 Jun 11 12:35:09 src=65.55.34.2 dst=192.168.100.105 proto=http msg="type=Anti-Virus status=INFECTED filename=readme.exe virusname=W32/Klez.h"
2002 Jun 12 10:35:09 src=65.55.34.2 dst=192.168.100.105 proto=pop3 msg="type=Anti-Virus status=INFECTED filename=readme.exe virusname=CodeRed"
2002 Jun 13 15:35:09 src=65.55.34.2 dst=192.168.100.105 proto=http msg="type=Anti-Virus status=WORM virusname=CodeRed"
Content filtering messages
Content filtering messages record when content blocking or URL blocking deletes a web page from a content
stream. Content filtering messages have the following format:
<date> <time> src=<source IP> dst=<destination IP> proto=<protocol> msg="type=<Firewall event type> status=<status information> url=<url blocked>"
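The traffic, management and antivirus formats above differ in how the header is laid out: traffic and antivirus lines carry key=value pairs before a quoted msg, while management lines carry only type=mgmt (with a comma before msg) or type=vpn,mgmt (with a space before msg), so a naive whitespace split misparses them. The following parser and triage routine is an added example written for this page, not D-Link code or a DFL-500 tool. The sample lines are the manual's own example messages from this page; the trusted-management-IP set, the choice to alert only on INFECTED and WORM antivirus statuses, and the assumption that a traffic verdict other than ACCEPT would occupy the last position of msg are assumptions of the example. Content filtering lines (status and url keys) are handled by the same msg parser but no sample is included because the page gives no example.

```python
"""Parser and triage helpers for the DFL-500 log formats documented on this
page (traffic, management and antivirus messages). Added example, not
vendor code."""
import re
from dataclasses import dataclass, field

# Timestamp as the DFL-500 writes it, e.g. "2002 Jun 19 15:35:09", then the rest.
_TS_RE = re.compile(r"^(?P<ts>\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
# The quoted msg="..." always ends the line.
_MSG_RE = re.compile(r'msg="(?P<msg>[^"]*)"\s*$')
_KV_RE = re.compile(r"(\w+)=(\S+)")
# Management text: "<action> <result> at <management IP> by <user>"
_MGMT_RE = re.compile(
    r"^(?P<action>.+?) (?P<result>\w+) at (?P<admin_ip>\d{1,3}(?:\.\d{1,3}){3}) by (?P<user>\S+)$")


@dataclass
class LogEvent:
    timestamp: str
    kind: str                  # "traffic", "mgmt", "antivirus", "content" or "unknown"
    fields: dict = field(default_factory=dict)
    msg: str = ""


def parse_line(line: str) -> LogEvent:
    """Parse one log line, handling the three header styles on this page:
    key=value pairs (traffic/antivirus), "type=mgmt,msg=..." and "type=vpn,mgmt msg=..."."""
    m = _TS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a DFL-500 log line: {line!r}")
    rest = m["rest"]
    mm = _MSG_RE.search(rest)
    msg = mm["msg"] if mm else ""
    header = rest[: mm.start()] if mm else rest
    # "type=mgmt,msg=..." leaves a trailing comma on the type value; drop it.
    # "type=vpn,mgmt" keeps its embedded comma, which is part of the type.
    fields = {k: v.rstrip(",") for k, v in _KV_RE.findall(header)}
    ev = LogEvent(timestamp=m["ts"], kind="unknown", fields=fields, msg=msg)

    if "type" in fields:                        # management event
        ev.kind = "mgmt"
        mg = _MGMT_RE.match(msg)
        if mg:
            fields.update(mg.groupdict())
    elif msg.startswith("type="):               # antivirus or content filtering
        # Assumes no spaces inside filename/url values (true for the page's examples).
        body = dict(_KV_RE.findall(msg))
        fields["event_type"] = body.pop("type")
        fields.update(body)
        ev.kind = "antivirus" if fields["event_type"] == "Anti-Virus" else (
            "content" if "url" in body else "unknown")
    elif msg:                                   # traffic: "TCP, sport=3125, SYN, ACCEPT"
        ev.kind = "traffic"
        tokens = [t.strip() for t in msg.split(",")]
        fields["transport"] = tokens[0]
        fields["action"] = tokens[-1]           # ACCEPT on this page; other verdicts assumed here
        fields["flags"] = []
        for t in tokens[1:-1]:
            if "=" in t:
                k, v = t.split("=", 1)
                fields[k] = v
            else:
                fields["flags"].append(t)
    return ev


def triage(lines, trusted_admin_ips):
    """Flag admin logins from outside the trusted management set and every
    antivirus INFECTED/WORM detection (BLOCKED files are recorded, not alerted).
    The alerting policy is this example's assumption, not the manual's."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        f = ev.fields
        if ev.kind == "mgmt" and f.get("action", "").endswith("login") \
                and f.get("admin_ip") not in trusted_admin_ips:
            alerts.append(f"{ev.timestamp} login by {f['user']} from untrusted {f['admin_ip']}")
        elif ev.kind == "antivirus" and f.get("status") in ("INFECTED", "WORM"):
            alerts.append(f"{ev.timestamp} {f['status']} {f.get('virusname', '?')} "
                          f"{f['src']}->{f['dst']} via {f['proto']}")
    return alerts


# Sample input: the example messages printed on this manual page.
SAMPLE_LINES = [
    '2002 Jun 19 15:35:09 src=192.168.2.1 dst=216.21.132.114 proto=80 msg="TCP, sport=3125, SYN, ACCEPT"',
    '2002 Jun 19 15:35:10 type=mgmt,msg="User admin login successful at 192.168.2.2 by admin"',
    '2002 Jun 21 20:35:09 type=mgmt,msg="Log&Report setting set successful at 192.168.100.111 by admin"',
    '2002 Jun 22 15:35:09 type=vpn,mgmt msg="VPN-ipsec_auto auto add successful at 192.168.100.111 by admin"',
    '2002 Jun 9 10:22:09 src=65.55.34.2 dst=192.168.100.105 proto=smtp msg="type=Anti-Virus status=BLOCKED filename=readme.txt.vbs"',
    '2002 Jun 11 12:35:09 src=65.55.34.2 dst=192.168.100.105 proto=http msg="type=Anti-Virus status=INFECTED filename=readme.exe virusname=W32/Klez.h"',
    '2002 Jun 13 15:35:09 src=65.55.34.2 dst=192.168.100.105 proto=http msg="type=Anti-Virus status=WORM virusname=CodeRed"',
]

if __name__ == "__main__":
    # Assumed trusted management host; 192.168.2.2 is deliberately left out.
    for alert in triage(SAMPLE_LINES, {"192.168.100.111"}):
        print(alert)
```

With 192.168.100.111 as the only trusted management host, the run reports the admin login from 192.168.2.2 plus the two INFECTED/WORM detections and stays silent on the BLOCKED file and the configuration changes. The type value is read from the header rather than from msg, which is what lets vpn,mgmt events be distinguished from plain mgmt ones when you want to audit VPN configuration changes separately.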
DFL-500 User Manual
105