Using NSM Logs
You use NSM to view logs related to IDP Series device status and security events. This section includes the following topics:
NSM Logs Overview
NSM collects logs from managed IDP Series devices and stores them in a central log database. You can use NSM to view, manipulate, and export logs.
Table 1 provides a reference of log views.
Table 1: Log Viewing Options
Log Views | Description |
---|---|
NSM Log Viewer / Log Investigator | Logs based on notification options you set for security policy rules. Logs related to device events, such as changes in the state of a traffic interface. |
NSM Security Monitor | Logs produced by the Profiler feature. |
NSM Audit Log Viewer | Logs generated by NSM related to the use of NSM to manage the IDP Series device. |
Using NSM Log Viewer (NSM Procedure)
Purpose
You use the NSM Log Viewer to access logs generated when traffic matches a security policy rule.
Figure 1 shows the NSM Log Viewer. You can use NSM management features to flag logs for filtering or follow-up. The bottom panes include summary information for the attack and the data that matched the rule.
Figure 1: NSM Log Viewer

Table 2 describes the columns in the NSM Log Viewer table display.
Table 2: NSM Log Viewer: Log Columns
Column | Description |
---|---|
Log ID | Unique ID for the log entry, derived from the combination of the date and log number. |
Time Received | Date and time that the management system received the log entry. |
Alert | Displays an icon if the log matches a rule for which the alert flag was selected. |
User Flag | To set a flag, right-click the log row, select Flag, and then select one of the following flags: |
Src Addr | Source IP address of the packet that generated the log entry. |
Dst Addr | Destination IP address of the packet that generated the log entry. |
Action | Action the security device performed on the packet/connection that generated this log entry. Note: IDP logs show the action that was set in the rule, not necessarily the actual action taken. For TCP events, these are the same. For UDP and ICMP events, the IDP logs show close client, close server, and close client and server actions, even when the actual action taken was a drop (close actions are not possible for UDP or ICMP packets). |
Protocol | Protocol used by the packet that generated the log entry. |
Dst Port | Destination port of the packet that generated the log entry. |
Rule # | The rule in a policy rulebase (in a specific version of a domain) that generated the log entry. |
Nat Src Addr | The NAT source address of the packet that generated the log entry. |
Nat Dst Addr | The NAT destination address of the packet that generated the log entry. |
Details | Miscellaneous string associated with log entry. |
Category | Type of log entry: |
Subcategory | Category-specific type of log entry (examples are "Reboot" or message ID). |
Severity | Severity rating (if any) associated with this type of log entry: |
Device | Device that generated this log entry. |
Comment | User-defined comment about the log entry. |
Application Name | Application associated with the current log. |
Bytes In | For sessions, specifies the number of inbound bytes. |
Bytes Out | For sessions, specifies the number of outbound bytes. |
Bytes Total | For sessions, specifies the combined number of inbound and outbound bytes. |
Dev Domain Ver | Domain version that generated this log entry. |
Device Domain | Domain for the device that generated this log entry. |
Device family | Family of the device that generated this log entry. |
Dst Intf | Name of the outbound interface of the packet that generated this log entry. Tip: Use ACM to configure an alias for the interface if you want to be able to view or sort on the alias. |
Dst Zone | Destination zone associated with a traffic log entry. |
Elapsed Secs | For sessions, specifies how long the session lasted. |
Has Packet Data | If a marker appears in this column, you can right-click the row and select Show > Packet Data or Show > Packet Data in External Viewer to view the packet capture. |
NAT Dst Port | The NAT destination port of the packet that generated the log entry. |
NAT Src Port | The NAT source port of the packet that generated the log entry. |
Packets In | For sessions, specifies the number of inbound packets. |
Packets Out | For sessions, specifies the number of outbound packets. |
Packets Total | For sessions, specifies the combined number of inbound and outbound packets. |
Policy | The security policy (in a specific version of a domain) whose rule generated the log entry. |
Roles | Role group associated with this log entry. |
Rule Domain | The domain of the rule that generated the log entry. |
Rule Domain Ver | The domain version of the rule that generated the log entry. |
Rulebase | The security policy rulebase (in a specific version of a domain) that generated the log entry. |
Src Intf | Name of the inbound interface of the packet that generated this log entry. Tip: Use ACM to configure an alias for the interface if you want to be able to view or sort on the alias. |
Src Port | Source port of the packet that generated the log entry. |
Src Zone | Source zone associated with a traffic log entry. |
Time Generated | Date and time the device generated the log entry. |
User | User associated with this log entry. |
Note: Data is collected for all fields but not all columns are displayed by default. Select View > Choose Columns to select the columns you want to monitor.
You can drill down from a log to its packet capture by right-clicking a log that contains a packet capture and selecting the NSM packet viewer or an external packet viewer. Figure 2 shows the NSM packet viewer.
Figure 2: NSM Packet Viewer

Note: Packet captures are included in NSM log records only if you configure the packet logging notification option in your security policy rule.
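The note in the Action row of Table 2 matters when exported logs are used for triage or reporting: a close action logged for a UDP or ICMP event cannot have been a close. The following is an added example, not part of the NSM documentation; it assumes a CSV export whose headers match the Table 2 column names (the actual NSM export layout is not described on this page), and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Close actions named in the Table 2 note; not possible for UDP or ICMP.
CLOSE_ACTIONS = {"close client", "close server", "close client and server"}
CONNECTIONLESS = {"udp", "icmp"}

# Constructed sample rows. The CSV layout is an assumption: headers are
# taken from the Table 2 column names, not from a real NSM export.
SAMPLE_EXPORT = """\
Log ID,Src Addr,Dst Addr,Protocol,Dst Port,Action
20240101-1,192.0.2.10,198.51.100.5,TCP,80,close client and server
20240101-2,192.0.2.11,198.51.100.5,UDP,53,close server
20240101-3,192.0.2.12,198.51.100.7,ICMP,0,Close Client
20240101-4,192.0.2.13,198.51.100.9,UDP,161,drop
"""


def effective_action(protocol, logged_action):
    """Return the action that was possible for this protocol."""
    proto = protocol.strip().lower()
    action = logged_action.strip().lower()
    if proto in CONNECTIONLESS and action in CLOSE_ACTIONS:
        return "drop"  # per the note: close is not possible for UDP/ICMP
    return action


def annotate(export_text):
    """Parse the export and add effective-action fields to each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(export_text)):
        row["Effective Action"] = effective_action(row["Protocol"], row["Action"])
        row["Action Rewritten"] = row["Effective Action"] != row["Action"].strip().lower()
        rows.append(row)
    return rows


def summarize(rows):
    """Count rows per (protocol, logged action, effective action)."""
    return Counter(
        (r["Protocol"].upper(), r["Action"].lower(), r["Effective Action"]) for r in rows
    )


if __name__ == "__main__":
    for r in annotate(SAMPLE_EXPORT):
        mark = "*" if r["Action Rewritten"] else " "
        print(mark, r["Log ID"], r["Protocol"], r["Action"], "->", r["Effective Action"])
```

Rows marked with `*` are the ones where the logged action reflects the rule setting rather than what the device could have done to the packet.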
Action
To display logs in NSM Log Viewer:
- In the NSM navigation tree, select Investigate > Log Viewer > Predefined.
- Click a predefined category to display a filtered view of logs. Table 3 describes the predefined views.
Table 3: NSM Log Viewer: Predefined Views
View | Description |
---|---|
Critical | Displays events that match security policy rules marked with severity of critical. |
Alarm | Displays events that match security policy rules with notification options set to mark the event as an alarm event. |
DI/IDP | Displays all log entries with signature, anomaly, or custom in the sub category column. IDP log entries provide information about an attack match against an IDP attack object. DI log entries provide information about an attack match against a deep inspection profile object. |
Screen | Not applicable for IDP Series devices. Screen alarms are generated by ScreenOS firewall devices. |
Traffic | Displays logs for traffic that matches a rule where the severity is low and the notification option is log only. |
Info | Displays info log entries. Info log entries provide general system information. |
Config | Displays all configuration log entries. Configuration log entries provide information about a configuration or operational state change in Network and Security Manager. |
Self | Displays all logs generated for non-traffic related reasons. |
Profiler | Displays Profiler logs. |
Backdoor | Displays log records generated by rules in the Backdoor rulebase. |
Scans | Displays log records with a scan entry in the subcategory column, such as port scan. |
Tip: For details on using NSM to create custom views, see the NSM online Help.
Using NSM Log Investigator (NSM Procedure)
Purpose
You use the NSM Log Investigator to analyze aggregations of logs and drill down based on properties of interest.
Action
To display logs in NSM Log Investigator, in the NSM navigation tree, select Investigate > Log Investigator.
Tip: For details on using NSM to modify aggregation or display options, see the NSM online Help.
Using NSM Audit Log Viewer (NSM Procedure)
Purpose
You use the NSM Audit Log Viewer to view logs generated by NSM related to the use of NSM to manage the IDP Series device.
Action
To display the NSM Audit Log Viewer table, in the NSM navigation tree, select Investigate > Audit Log Viewer.
Table 4 describes the columns in the Audit Log Viewer table.
Table 4: NSM Audit Log Viewer Table
Column | Description |
---|---|
Time Generated | The time the object was changed. The Audit Log Viewer displays log entries in order of time generated, in Greenwich Mean Time (GMT). |
Admin Name | The name of the NSM administrator who changed the object. |
Admin Login Domain | The name of the domain (global or subdomain) that contains the changed object. |
Authorization Status | The final access-control status of activities is either success or failure. |
Command | The command applied to the object or system, for example, sys_logout or modify. |
Targets | For changes made to a device configuration or object, the Audit Log Viewer displays the object type, object name, and object domain. |
Devices | For changes made to a device, the Audit Log Viewer displays the device name, object type, and device domain. For changes made to the management system, such as administrator login or logout, the Audit Log Viewer does not display target or device data. |
Miscellaneous | Additional information that is not displayed in other audit log columns. |
To display details of a configuration change, such as a changed IP address or renamed device, select the audit log entry for that change in the Audit Log table and view details in the Target View table, which appears below the Audit Log Viewer table.
Table 5 describes the Target View table.
Table 5: NSM Audit Log Viewer: Target View Table
Column | Description |
---|---|
Target Name | To see additional details for a target view entry, double-click the entry. NSM displays the configuration screen in which the change was made and marks the changed field with a solid green triangle. |
Table | To set the table details for the target view entry, double-click the table. Enter or update the options. |
Domain ID | Specifies the domain ID of the target view. |
To display details of a nonconfiguration event, such as adding the device, auto-detecting a device, or rebooting a device, select the audit log entry for that change in the Audit Log table and view details in the Device View table, which is displayed below the Audit Log Viewer table.
Table 6 describes the Device View table.
Table 6: NSM Audit Log Viewer: Device View Table
Column | Description |
---|---|
Device Name | To see additional details for a device view entry, double-click the entry. NSM displays the Job Manager information window for the job task. |
Table | To set the table details for the device view entry, double-click the table. Enter or update the options. |
Domain ID | Specifies the domain ID of the device view. |