
    Using NSM Logs

    You use NSM to view logs related to IDP Series device status and security events. This section includes the following topics:

    • NSM Logs Overview
    • Using NSM Log Viewer (NSM Procedure)
    • Using NSM Log Investigator (NSM Procedure)
    • Using NSM Audit Log Viewer (NSM Procedure)

    NSM Logs Overview

    NSM collects logs from managed IDP Series devices and stores them in a central log database. You can use NSM to view, manipulate, and export logs.

    Table 1 provides a reference of log views.

    Table 1: Log Viewing Options

    Log Views

    Description

    NSM Log Viewer / Log Investigator

    Logs based on notification options you set for security policy rules.

    Logs related to device events, such as changes in the state of a traffic interface.

    NSM Security Monitor

    Logs produced by the Profiler feature.

    NSM Audit Log Viewer

    Logs generated by NSM related to the use of NSM to manage the IDP Series device.

    Using NSM Log Viewer (NSM Procedure)

    Purpose

    You use the NSM Log Viewer to access logs generated when traffic matches a security policy rule.

    Figure 1 shows the NSM log viewer. You can use NSM management features to flag logs for filtering or follow up. The bottom panes include summary information for the attack and the data that matched the rule.

    Figure 1: NSM Log Viewer


    Table 2 describes the columns in the NSM Log Viewer table display.

    Table 2: NSM Log Viewer: Log Columns

    Column

    Description

    Log ID

    Unique ID for the log entry, derived from the combination of the date and log number.

    Time Received

    Date and time that the management system received the log entry.

    Alert

    Displays an icon if the log matches a rule for which the alert flag was selected.

    User Flag

    To set a flag, right-click the log row, select Flag, and then select one of the following flags:

    • High
    • Medium
    • Low
    • Closed
    • False Positive
    • Assigned
    • Investigate
    • Follow-up
    • Pending

    Src Addr

    Source IP address of the packet that generated the log entry.

    Dst Addr

    Destination IP address of the packet that generated the log entry.

    Action

    Action the security device performed on the packet/connection that generated this log entry:

    • Accepted—The device did not block the packet.
    • Closed Client—The device closed the connection and sent a RST packet to the client, but did neither to the server.
    • Closed Server—The device closed the connection and sent a RST packet to the server, but did neither to the client.
    • Closed—The device closed the connection and sent a RST packet to both the client and the server.
    • Dropped—The device dropped the connection without sending a RST packet to the sender, preventing the traffic from reaching its destination.
    • Dropped Packet—The device dropped a matching packet before it could reach its destination but did not close the connection.
    • Ignored—The device matched the attack, took no action, and ignored the remainder of the connection.

    Note: IDP logs show the action that was set in the rule, not necessarily the actual action taken. For TCP events, these are the same. For UDP and ICMP events, the IDP logs show close client, close server, and close client and server actions, even when the actual action taken was a drop (close actions are not possible for UDP or ICMP packets).

    Protocol

    Protocol that the packet that generated the log entry used.

    Dst Port

    Destination port of the packet that generated the log entry.

    Rule #

    The rule in a policy rulebase (in a specific version of a domain) that generated the log entry.

    Nat Src Addr

    The NAT source address of the packet that generated the log entry.

    Nat Dst Addr

    The NAT destination address of the packet that generated the log entry.

    Details

    Miscellaneous string associated with the log entry.

    Category

    Type of log entry:

    • Alarm. The device generates event alarms for any security event that has a predefined severity level of emergency, critical, or alert. Additionally, the device generates traffic alarm log entries when it detects network traffic that exceeds the specified alarm threshold in a rule (the traffic alarm log entry describes the security event that triggered the alarm).
    • Config. A configuration change occurred on the device.
    • Custom. A match with a custom attack object was detected.
    • Implicit. An implicit rule was matched.
    • Info. General system information.
    • Profiler. Traffic matches a Profiler alert setting.
    • Screen. Not applicable for IDP Series devices. Screen alarms are generated by ScreenOS firewall devices.
    • Self. The device generated this log for a non-traffic related reason.
    • Signature. Traffic matches an attack object.
    • Traffic. Traffic matches a rule you have configured for harmless traffic.

    Subcategory

    Category-specific type of log entry (for example, "Reboot" or a message ID).

    Severity

    Severity rating associated (if any) with this type of log entry:

    • Not Set (the device could not determine a severity for this log entry)
    • Info
    • Device_warning_log
    • Minor
    • Major
    • Device_critical_log
    • Emergency
    • Error
    • Notice
    • Informational
    • Debug

    Device

    Device that generated this log entry.

    Comment

    User-defined comment about the log entry.

    Application Name

    Application associated with the current log.

    Bytes In

    For sessions, specifies the number of inbound bytes.

    Bytes Out

    For sessions, specifies the number of outbound bytes.

    Bytes Total

    For sessions, specifies the combined number of inbound and outbound bytes.

    Dev Domain Ver

    Domain version that generated this log entry.

    Device Domain

    Domain for the device that generated this log entry.

    Device family

    Family of the device that generated this log entry.

    Dst Intf

    Name of the outbound interface of the packet that generated this log entry.

    Tip: Use ACM to configure an alias for the interface if you want to be able to view or sort on the alias.

    Dst Zone

    Destination zone associated with a traffic log entry.

    Elapsed Secs

    For sessions, specifies how long the session lasted.

    Has Packet Data

    If a marker appears in this column, you can right-click the row and select Show > Packet Data or Show > Packet Data in External Viewer to view the packet capture.

    NAT Dst Port

    The NAT destination port of the packet that generated the log entry.

    NAT Src Port

    The NAT source port of the packet that generated the log entry.

    Packets In

    For sessions, specifies the number of inbound packets.

    Packets Out

    For sessions, specifies the number of outbound packets.

    Packets Total

    For sessions, specifies the combined number of inbound and outbound packets.

    Policy

    The security policy (in a specific version of a domain) whose rule generated the log entry.

    Roles

    Role group associated with this log entry.

    Rule Domain

    The domain of the rule that generated the log entry.

    Rule Domain Ver

    The domain version of the rule that generated the log entry.

    Rulebase

    The security policy rulebase (in a specific version of a domain) that generated the log entry.

    Src Intf

    Name of the inbound interface of the packet that generated this log entry.

    Tip: Use ACM to configure an alias for the interface if you want to be able to view or sort on the alias.

    Src Port

    Source port of the packet that generated the log entry.

    Src Zone

    Source zone associated with a traffic log entry.

    Time Generated

    Date and time the device generated the log entry.

    User

    User associated with this log entry.

    Note: Data is collected for all fields but not all columns are displayed by default. Select View > Choose Columns to select the columns you want to monitor.

    You can drill down from a log to its packet capture by right-clicking a log that contains the packet capture and selecting the NSM packet viewer or an external packet viewer. Figure 2 shows the NSM packet viewer.

    Figure 2: NSM Packet Viewer


    Note: Packet captures are included in NSM log records only if you configure the packet logging notification option in your security policy rule.

    Action

    To display logs in NSM Log Viewer:

    1. In the NSM navigation tree, select Investigate > Log Viewer > Predefined.
    2. Click a predefined category to display a filtered view of logs. Table 3 describes the predefined views.

    Table 3: NSM Log Viewer: Predefined Views

    View

    Description

    Critical

    Displays events that match security policy rules marked with severity of critical.

    Alarm

    Displays events that match security policy rules with notification options set to mark the event as an alarm event.

    DI/IDP

    Displays all log entries with signature, anomaly, or custom in the subcategory column. IDP log entries provide information about an attack match against an IDP attack object. DI log entries provide information about an attack match against a deep inspection profile object.

    Screen

    Not applicable for IDP Series devices. Screen alarms are generated by ScreenOS firewall devices.

    Traffic

    Displays logs for traffic that matches a rule whose severity is low and whose notification option is log only.

    Info

    Displays info log entries. Info log entries provide general system information.

    Config

    Displays all configuration log entries. Configuration log entries provide information about a configuration or operational state change in Network and Security Manager.

    Self

    Displays all logs generated for non-traffic related reasons.

    Profiler

    Displays Profiler logs.

    Backdoor

    Displays log records generated by rules in the Backdoor rulebase.

    Scans

    Displays log records with a scan entry in the subcategory column, such as port scan.

    Tip: For details on using NSM to create custom views, see the NSM online Help.
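    The note under the Action column in Table 2 (the logged action is the rule's configured action, so close actions on UDP or ICMP really mean a drop) and the predefined views in Table 3 both describe logic that is easy to get wrong when NSM logs are exported to a SIEM. The following Python is an added example, not code from the original page or from Juniper: it parses a small, constructed CSV export whose header uses the Table 2 column names (the CSV layout, the sample addresses and the subcategory strings are assumptions of this example), derives the action the device actually took, and reimplements the Table 3 views whose definitions map cleanly onto log columns as filter predicates. Because Table 3 says DI/IDP matches on the subcategory column while Table 2 lists Signature and Custom as categories, the DI/IDP predicate checks both columns.

```python
"""Normalize NSM Log Viewer exports (added example; not Juniper code)."""
import csv
import io
from dataclasses import dataclass
from typing import Callable, Dict, List

# Actions that close a connection with a RST (Table 2, "Action" column).
CLOSE_ACTIONS = {"Closed Client", "Closed Server", "Closed"}
# Close actions are not possible for connectionless protocols; per the Table 2
# note the log still shows the rule's close action for UDP and ICMP even though
# the device actually dropped the traffic.
CONNECTIONLESS = {"UDP", "ICMP"}


@dataclass
class NsmLog:
    log_id: str
    src_addr: str
    dst_addr: str
    action: str        # action configured in the rule, exactly as logged
    protocol: str
    category: str
    subcategory: str
    severity: str

    def effective_action(self) -> str:
        """Action the device really took, applying the Table 2 note."""
        if self.action in CLOSE_ACTIONS and self.protocol.upper() in CONNECTIONLESS:
            return "Dropped"
        return self.action


def parse_export(text: str) -> List[NsmLog]:
    """Parse a CSV export whose header uses the Table 2 column names.
    The CSV layout itself is an assumption of this example."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        NsmLog(
            log_id=row["Log ID"],
            src_addr=row["Src Addr"],
            dst_addr=row["Dst Addr"],
            action=row["Action"],
            protocol=row["Protocol"],
            category=row["Category"],
            subcategory=row["Subcategory"],
            severity=row["Severity"],
        )
        for row in reader
    ]


ATTACK_KINDS = {"signature", "anomaly", "custom"}

# Predefined views from Table 3 whose definitions map onto log columns.
PREDEFINED_VIEWS: Dict[str, Callable[[NsmLog], bool]] = {
    "Alarm": lambda r: r.category == "Alarm",
    # Table 3 names the subcategory column; Table 2 lists Signature and Custom
    # as categories, so both columns are checked.
    "DI/IDP": lambda r: r.category.lower() in ATTACK_KINDS
    or r.subcategory.lower() in ATTACK_KINDS,
    "Traffic": lambda r: r.category == "Traffic",
    "Info": lambda r: r.category == "Info",
    "Config": lambda r: r.category == "Config",
    "Self": lambda r: r.category == "Self",
    "Profiler": lambda r: r.category == "Profiler",
    "Scans": lambda r: "scan" in r.subcategory.lower(),
}


def apply_view(logs: List[NsmLog], view: str) -> List[NsmLog]:
    """Return the log entries a predefined view would display."""
    return [r for r in logs if PREDEFINED_VIEWS[view](r)]


def summarize_effective_actions(logs: List[NsmLog]) -> Dict[str, int]:
    """Count entries by the action actually taken, not the action logged."""
    counts: Dict[str, int] = {}
    for r in logs:
        counts[r.effective_action()] = counts.get(r.effective_action(), 0) + 1
    return counts


# Constructed sample export. Log IDs follow the Table 2 description (date plus
# log number); addresses and attack names are made up for this example.
SAMPLE_EXPORT = """Log ID,Src Addr,Dst Addr,Action,Protocol,Category,Subcategory,Severity
20110208-0001,10.0.0.5,192.0.2.10,Closed,TCP,Signature,HTTP:EXAMPLE-SIG,Major
20110208-0002,10.0.0.6,192.0.2.20,Closed Client,UDP,Signature,DNS:EXAMPLE-SIG,Minor
20110208-0003,10.0.0.7,192.0.2.30,Closed,ICMP,Custom,ICMP:EXAMPLE-CUSTOM,Minor
20110208-0004,10.0.0.8,192.0.2.40,Dropped Packet,TCP,Signature,TCP Port Scan,Major
20110208-0005,,,,,Info,Reboot,Info
20110208-0006,10.0.0.9,192.0.2.50,Accepted,TCP,Traffic,,Info
"""

if __name__ == "__main__":
    entries = parse_export(SAMPLE_EXPORT)
    for entry in entries:
        print(entry.log_id, entry.protocol, entry.action, "->", entry.effective_action())
    print(summarize_effective_actions(entries))
    print("Scans view:", [r.log_id for r in apply_view(entries, "Scans")])
```

The Critical view is deliberately left out: Table 3 defines it by a rule severity of critical, which does not appear as a value in the Table 2 Severity list, so there is no column value on this page to match against. Export the columns you need with View > Choose Columns before relying on any of these predicates.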

    Using NSM Log Investigator (NSM Procedure)

    Purpose

    You use the NSM Log Investigator to analyze aggregations of logs and drill down based on properties of interest.

    Action

    To display logs in NSM Log Investigator, in the NSM navigation tree, select Investigate > Log Investigator.

    Tip: For details on using NSM to modify aggregation or display options, see the NSM online Help.

    Using NSM Audit Log Viewer (NSM Procedure)

    Purpose

    You use the NSM Audit Log Viewer to view logs generated by NSM related to the use of NSM to manage the IDP Series device.

    Action

    To display the NSM Audit Log Viewer table, in the NSM navigation tree, select Investigate > Audit Log Viewer.

    Table 4 describes the columns in the Audit Log Viewer table.

    Table 4: NSM Audit Log Viewer Table

    Column

    Description

    Time Generated

    The time the object was changed. The Audit Log Viewer displays log entries in order of time generated, in Greenwich Mean Time (GMT).

    Admin Name

    The name of the NSM administrator who changed the object.

    Admin Login Domain

    The name of the domain (global or subdomain) that contains the changed object.

    Authorization Status

    The final access-control status of the activity: either success or failure.

    Command

    The command applied to the object or system, for example, sys_logout or modify.

    Targets

    For changes made to a device configuration or object, the Audit Log Viewer displays the object type, object name, and object domain.

    Devices

    For changes made to a device, the Audit Log Viewer displays the device name, object type, and device domain.

    For changes made to the management system, such as administrator login or logout, the Audit Log Viewer does not display target or device data.

    Miscellaneous

    Additional information that is not displayed in other audit log columns.

    To display details of a configuration change, such as a changed IP address or renamed device, select the audit log entry for that change in the Audit Log table and view details in the Target View table, which appears below the Audit Log Viewer table.

    Table 5 describes the Target View table.

    Table 5: NSM Audit Log Viewer: Target View Table

    Column

    Description

    Target Name

    To see additional details for a target view entry, double-click the entry. NSM displays the configuration screen in which the change was made and marks the changed field with a solid green triangle.

    Table

    To set the table details for the target view entry, double-click the table. Enter or update the options.

    Domain ID

    Specifies the domain ID of the target view.

    To display details of a nonconfiguration event, such as adding the device, auto-detecting a device, or rebooting a device, select the audit log entry for that change in the Audit Log table and view details in the Device View table, which is displayed below the Audit Log Viewer table.

    Table 6 describes the Device View table.

    Table 6: NSM Audit Log Viewer: Device View Table

    Column

    Description

    Device Name

    To see additional details for a device view entry, double-click the entry. NSM displays the Job Manager information window for the job task.

    Table

    To set the table details for the device view entry, double-click the table. Enter or update the options.

    Domain ID

    Specifies the domain ID of the device view.


    Published: 2011-02-08