Technical Documentation

Using NSM Logs

You use NSM to view logs related to IDP device status and IDP security events. This section includes the following topics:

  • NSM Logs Overview
  • Using NSM Log Viewer (NSM Procedure)
  • Using NSM Log Investigator (NSM Procedure)
  • Using NSM Audit Log Viewer (NSM Procedure)

NSM Logs Overview

NSM collects logs from managed IDP devices and stores them in a central log database. You can use NSM to view, manipulate, and export logs.

Table 1 provides a reference of log views.

Table 1: Log Viewing Options

Log Views

Description

NSM Log Viewer / Log Investigator

Logs based on notification options you set for security policy rules.

Logs related to device events, such as changes in the state of a traffic interface.

NSM Security Monitor

Logs produced by the Profiler feature.

NSM Audit Log Viewer

Logs generated by NSM related to the use of NSM to manage the IDP device.

Using NSM Log Viewer (NSM Procedure)

Purpose

You use the NSM Log Viewer to access logs generated when traffic matches a security policy rule.

Figure 1 shows the NSM log viewer. You can use NSM management features to flag logs for filtering or follow up. The bottom panes include summary information for the attack and the data that matched the rule.

Figure 1: NSM Log Viewer


Table 2 describes the columns in the NSM Log Viewer table display.

Table 2: NSM Log Viewer: Log Columns

Column

Description

Log ID

Unique ID for the log entry, derived from the combination of the date and log number.

Time Received

Date and time that the management system received the log entry.

Alert

Displays an icon if the log matches a rule for which the alert flag was selected.

User Flag

To set a flag, right-click the log row, select Flag, and then select one of the following flags:

  • High
  • Medium
  • Low
  • Closed
  • False Positive
  • Assigned
  • Investigate
  • Follow-up
  • Pending

Src Addr

Source IP address of the packet that generated the log entry.

Dst Addr

Destination IP address of the packet that generated the log entry.

Action

Action the security device performed on the packet/connection that generated this log entry:

  • Accepted—The device did not block the packet.
  • Closed Client—The device closed the connection and sent a RST packet to the client, but did neither to the server.
  • Closed Server—The device closed the connection and sent a RST packet to the server, but did neither to the client.
  • Closed—The device closed the connection and sent a RST packet to both the client and the server.
  • Dropped—The device dropped the connection without sending a RST packet to the sender, preventing the traffic from reaching its destination.
  • Dropped Packet—The device dropped a matching packet before it could reach its destination but did not close the connection.
  • Ignored—The device matched the attack, took no action, and ignored the remainder of the connection.

Note: IDP logs show the action that was set in the rule, not necessarily the actual action taken. For TCP events, these are the same. For UDP and ICMP events, the IDP logs show close client, close server, and close client and server actions, even when the actual action taken was a drop (close actions are not possible for UDP or ICMP packets).

Protocol

Protocol that the packet that generated the log entry used.

Dst Port

Destination port of the packet that generated the log entry.

Rule #

The rule in a policy rulebase (in a specific version of a domain) that generated the log entry.

Nat Src Addr

The NAT source address of the packet that generated the log entry.

Nat Dst Addr

The NAT destination address of the packet that generated the log entry.

Details

Miscellaneous string associated with the log entry.

Category

Type of log entry:

  • Alarm. The device generates event alarms for any security event that has a predefined severity level of emergency, critical, or alert. Additionally, the device generates traffic alarm log entries when it detects network traffic that exceeds the specified alarm threshold in a rule (the traffic alarm log entry describes the security event that triggered the alarm).
  • Config. A configuration change occurred on the device.
  • Custom. A match with a custom attack object was detected.
  • Implicit. An implicit rule was matched.
  • Info. General system information.
  • Profiler. Traffic matches a Profiler alert setting.
  • Screen. Not applicable for IDP devices. Screen alarms are generated by ScreenOS firewall devices.
  • Self. The device generated this log for a non-traffic related reason.
  • Signature. Traffic matches an attack object.
  • Traffic. Traffic matches a rule you have configured for harmless traffic.

Subcategory

Category-specific type of log entry (examples are "Reboot" or message ID).

Severity

Severity rating associated (if any) with this type of log entry:

  • Not Set (the device could not determine a severity for this log entry)
  • Info
  • Device_warning_log
  • Minor
  • Major
  • Device_critical_log
  • Emergency
  • Error
  • Notice
  • Informational
  • Debug

Device

Device that generated this log entry.

Comment

User-defined comment about the log entry.

Application Name

Application associated with the current log.

Bytes In

For sessions, specifies the number of inbound bytes.

Bytes Out

For sessions, specifies the number of outbound bytes.

Bytes Total

For sessions, specifies the combined number of inbound and outbound bytes.

Dev Domain Ver

Domain version that generated this log entry.

Device Domain

Domain for the device that generated this log entry.

Device family

Family of the device that generated this log entry.

Dst Intf

Name of the outbound interface of the packet that generated this log entry.

Tip: Use ACM to configure an alias for the interface if you want to be able to view or sort on the alias.

Dst Zone

Destination zone associated with a traffic log entry.

Elapsed Secs

For sessions, specifies how long the session lasted.

Has Packet Data

If a marker appears in this column, you can right-click the row and select Show > Packet Data or Show > Packet Data in External Viewer to view the packet capture.

NAT Dst Port

The NAT destination port of the packet that generated the log entry.

NAT Src Port

The NAT source port of the packet that generated the log entry.

Packets In

For sessions, specifies the number of inbound packets.

Packets Out

For sessions, specifies the number of outbound packets.

Packets Total

For sessions, specifies the combined number of inbound and outbound packets.

Policy

The security policy (in a specific version of a domain) whose rule generated the log entry.

Roles

Role group associated with this log entry.

Rule Domain

The domain of the rule that generated the log entry.

Rule Domain Ver

The domain version of the rule that generated the log entry.

Rulebase

The security policy rulebase (in a specific version of a domain) that generated the log entry.

Src Intf

Name of the inbound interface of the packet that generated this log entry.

Tip: Use ACM to configure an alias for the interface if you want to be able to view or sort on the alias.

Src Port

Source port of the packet that generated the log entry.

Src Zone

Source zone associated with a traffic log entry.

Time Generated

Date and time the device generated the log entry.

User

User associated with this log entry.

Note: Data is collected for all fields but not all columns are displayed by default. Select View > Choose Columns to select the columns you want to monitor.

You can drill down from a log to its packet capture by right-clicking a log that contains packet data and selecting the NSM packet viewer or an external packet viewer. Figure 2 shows the NSM packet viewer.

Figure 2: NSM Packet Viewer


Note: Packet captures are included in NSM log records only if you configure the packet logging notification option in your security policy rule.

Action

To display logs in NSM Log Viewer:

  1. In the NSM navigation tree, select Investigate > Log Viewer > Predefined.
  2. Click a predefined category to display a filtered view of logs. Table 3 describes the predefined views.

Table 3: NSM Log Viewer: Predefined Views

View

Description

Critical

Displays events that match security policy rules marked with severity of critical.

Alarm

Displays events that match security policy rules with notification options set to mark the event as an alarm event.

DI/IDP

Displays all log entries with signature, anomaly, or custom in the Subcategory column. IDP log entries provide information about an attack match against an IDP attack object. DI log entries provide information about an attack match against a deep inspection profile object.

Screen

Not applicable for IDP devices. Screen alarms are generated by ScreenOS firewall devices.

Traffic

Displays logs for traffic that matches a rule whose severity is low and whose notification option is set to log only.

Info

Displays info log entries. Info log entries provide general system information.

Config

Displays all configuration log entries. Configuration log entries provide information about a configuration or operational state change in Network and Security Manager.

Self

Displays all logs generated for non-traffic related reasons.

Profiler

Displays Profiler logs.

Backdoor

Displays log records generated by rules in the Backdoor rulebase.

Scans

Displays log records with a scan entry in the subcategory column, such as port scan.

Tip: For details on using NSM to create custom views, see the NSM online Help.
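The Action note in Table 2 and the DI/IDP and Scans views in Table 3 both describe rules that are easy to apply to an exported log table. The following Python is an added example, not part of the NSM documentation or the NSM product: it parses a constructed CSV export whose header uses the Table 2 column names, replaces a logged close action with the drop that actually occurs for UDP and ICMP traffic, and reproduces the two predefined view filters.

```python
# Added example (not from the NSM documentation): triage helper for NSM log
# records exported to CSV. Column names follow Table 2; the rows below are
# constructed sample data, not real NSM output.
import csv
import io

# Constructed sample export: header uses the Table 2 column names.
SAMPLE_EXPORT = """\
Log ID,Time Received,Src Addr,Dst Addr,Protocol,Dst Port,Action,Category,Subcategory,Severity
20100112-000001,2010-01-12 09:00:01,10.0.0.5,192.0.2.10,TCP,80,Closed Client,Signature,signature,Major
20100112-000002,2010-01-12 09:00:02,10.0.0.6,192.0.2.53,UDP,53,Closed,Signature,anomaly,Minor
20100112-000003,2010-01-12 09:00:03,10.0.0.7,192.0.2.10,ICMP,0,Closed Server,Custom,custom,Info
20100112-000004,2010-01-12 09:00:04,10.0.0.8,192.0.2.10,TCP,22,Dropped,Alarm,port scan,Major
20100112-000005,2010-01-12 09:00:05,10.0.0.9,192.0.2.10,TCP,443,Accepted,Traffic,traffic,Info
"""

CLOSE_ACTIONS = {"Closed Client", "Closed Server", "Closed"}

def effective_action(row):
    """Return the action the device could actually have taken.
    The Action column records the action configured in the rule; a close
    (RST) is impossible for UDP and ICMP, so the device dropped instead."""
    if row["Protocol"].upper() in ("UDP", "ICMP") and row["Action"] in CLOSE_ACTIONS:
        return "Dropped"
    return row["Action"]

def parse_export(text):
    """Parse the CSV export and annotate each row with its effective action."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Effective Action"] = effective_action(row)
    return rows

# Predefined-view filters reproduced from Table 3 (DI/IDP and Scans).
def di_idp_view(rows):
    return [r for r in rows if r["Subcategory"].lower() in ("signature", "anomaly", "custom")]

def scans_view(rows):
    return [r for r in rows if "scan" in r["Subcategory"].lower()]

def action_mismatches(rows):
    """Log IDs whose displayed Action differs from the effective action."""
    return [r["Log ID"] for r in rows if r["Action"] != r["Effective Action"]]

if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("DI/IDP view:", [r["Log ID"] for r in di_idp_view(rows)])
    print("Scans view:", [r["Log ID"] for r in scans_view(rows)])
    print("Logged as close, actually dropped:", action_mismatches(rows))
```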

Using NSM Log Investigator (NSM Procedure)

Purpose

You use the NSM Log Investigator to analyze aggregations of logs and drill down based on properties of interest.

Action

To display logs in NSM Log Investigator, in the NSM navigation tree, select Investigate > Log Investigator.

Tip: For details on using NSM to modify aggregation or display options, see the NSM online Help.

Using NSM Audit Log Viewer (NSM Procedure)

Purpose

You use the NSM Audit Log Viewer to view logs generated by NSM related to the use of NSM to manage the IDP device.

Action

To display the NSM Audit Log Viewer table, in the NSM navigation tree, select Investigate > Audit Log Viewer.

Table 4 describes the columns in the Audit Log Viewer table.

Table 4: NSM Audit Log Viewer Table

Column

Description

Time Generated

The time the object was changed. The Audit Log Viewer displays log entries in order of time generated, expressed in Greenwich Mean Time (GMT).

Admin Name

The name of the NSM administrator who changed the object.

Admin Login Domain

The name of the domain (global or subdomain) that contains the changed object.

Authorization Status

The final access-control status of the activity: either success or failure.

Command

The command applied to the object or system, for example, sys_logout or modify.

Targets

For changes made to a device configuration or object, the Audit Log Viewer displays the object type, object name, and object domain.

Devices

For changes made to a device, the Audit Log Viewer displays the device name, object type, and device domain.

For changes made to the management system, such as administrator login or logout, the Audit Log Viewer does not display target or device data.

Miscellaneous

Additional information that is not displayed in other audit log columns.

To display details of a configuration change, such as a changed IP address or renamed device, select the audit log entry for that change in the Audit Log table and view details in the Target View table, which appears below the Audit Log Viewer table.

Table 5 describes the Target View table.

Table 5: NSM Audit Log Viewer: Target View Table

Column

Description

Target Name

To see additional details for a target view entry, double-click the entry. NSM displays the configuration screen in which the change was made and marks the changed field with a solid green triangle.

Table

To set the table details for the target view entry, double-click the table. Enter or update the options.

Domain ID

Specifies the domain ID of the target view.

To display details of a nonconfiguration event, such as adding the device, auto-detecting a device, or rebooting a device, select the audit log entry for that change in the Audit Log table and view details in the Device View table, which is displayed below the Audit Log Viewer table.

Table 6 describes the Device View table.

Table 6: NSM Audit Log Viewer: Device View Table

Column

Description

Device Name

To see additional details for a device view entry, double-click the entry. NSM displays the Job Manager information window for the job task.

Table

To set the table details for the device view entry, double-click the table. Enter or update the options.

Domain ID

Specifies the domain ID of the device view.


Published: 2010-01-12