![background image](/i/zyxel/144701/zyxel-zywall-2wg-ee/h/zyxel-zywall-2wg-ee-503.png)
Chapter 27 Logs Screens
ZyWALL 2WG User’s Guide
503
Syslog Logs
There are two types of syslog: event logs and traffic logs. The device generates an event log
when a system event occurs, for example, when a user logs in or the device is under attack.
The device generates a traffic log when a "session" is terminated. A traffic log summarizes the
session's type, when it started and stopped the amount of traffic that was sent and received and
so on. An external log analyzer can reconstruct and analyze the traffic flowing through the
device after collecting the traffic logs.
0
Time to live exceeded in transit
1
Fragment reassembly time exceeded
12
Parameter Problem
0
Pointer indicates the error
13
Timestamp
0
Timestamp request message
14
Timestamp Reply
0
Timestamp reply message
15
Information Request
0
Information request message
16
Information Reply
0
Information reply message
Table 179
ICMP Notes (continued)
TYPE
CODE
DESCRIPTION
Table 180
Syslog Logs
LOG MESSAGE
DESCRIPTION
Event Log: <Facility*8 +
Severity>Mon dd hr:mm:ss
hostname src="<srcIP:srcPort>"
dst="<dstIP:dstPort>"
msg="<msg>" note="<note>"
devID="<mac address>"
cat="<category>"
This message is sent by the system ("RAS" displays as the
system name if you haven’t configured one) when the
router generates a syslog. The facility is defined in the web
MAIN MENU
>
LOGS
>
Log Settings
page. The severity
is the log’s syslog class. The definition of messages and
notes are defined in the other log tables. The “devID” is the
MAC address of the router’s LAN port. The “cat” is the
same as the category in the router’s logs.
Traffic Log: <Facility*8 +
Severity>Mon dd hr:mm:ss
hostname src="<srcIP:srcPort>"
dst="<dstIP:dstPort>"
msg="Traffic Log"
note="Traffic Log" devID="<mac
address>" cat="Traffic Log"
duration=seconds
sent=sentBytes
rcvd=receiveBytes
dir="<from:to>"
protoID=IPProtocolID
proto="serviceName"
trans="IPSec/Normal"
This message is sent by the device when the connection
(session) is closed. The facility is defined in the Log
Settings screen. The severity is the traffic log type. The
message and note always display "Traffic Log". The "proto"
field lists the service name. The "dir" field lists the incoming
and outgoing interfaces ("LAN:LAN", "LAN:WAN",
"LAN:DMZ", "LAN:DEV" for example).