Viewing the Security Log

The Security Log displays security-related events, including the following:

Connections logged by firewall rules
Connections logged by VStream Antivirus
Connection logged by VStream Antispam
Security events logged by SmartDefense
Web sites blocked by Web rules or the centralized Web Filtering service

This information is useful for troubleshooting. You can export the logs to an *.xls (Microsoft Excel) file, and then store it for analysis purposes or send it to technical support.

Note: You can configure the UTM-1 appliance to send event and security logs to a Syslog server. For information, see Configuring Syslog Logging.

To view the security log

Click Logs in the main menu, and click the Security Log tab.
The Security Log page appears.

The log table contains the columns described in Security Log Columns. The log messages are color-coded as described in Security Log Color Coding.
To display information about a connection source or destination, click the relevant IP address.
The UTM-1 appliance queries the Internet WHOIS server, and a window displays the name of the entity to whom the IP address is registered and their contact information. This information is useful in tracking down hackers.
To view information about a destination port, click the port.
A window opens displaying information about the port.
To navigate the log table, do any of the following:
- To scroll through the displayed log page:
  - Use the scroll bars, or
  - Click on a log message and then press the UP and DOWN arrows on your keyboard.
- To view the next log page, click Next.
- To view the previous log page, click Back.
To specify the number of logs to display per page, in the drop-down list at the bottom of the log table, select the desired number.
To resize a column, drag the relevant column divider right or left.
To refresh the display, click Refresh.
To save the displayed events to an *.xls file:
1. Click Save.
  A standard File Download dialog box appears.
2. Click Save.
  The Save As dialog box appears.
3. Browse to a destination directory of your choice.
4. Type a name for the configuration file and click Save.
  The *.xls file is created and saved to the specified directory.
To copy log messages, do the following:
1. Select the desired logs, by clicking in the log table and dragging the cursor.
  The selected logs are highlighted in yellow.
2. Press CTRL+C.
  If you are using Internet Explorer, and this is the first time that you copy logs, a dialog box asks you whether you want to allow the UTM-1 Portal to access your clipboard. In this case, click Allow access.
  
  The selected logs are copied to your clipboard.
To clear all displayed events:
1. Click Clear.
  A confirmation message appears.
2. Click OK.
  All events are cleared.

See Also

Viewing Logs

Viewing the Event Log

Security Log Columns

This column...	Displays...
No	The log message number
Date	The date on which the action occurred, in the format DD:MM:YYYY, where: DD=date MM=month, in abbreviated form YYYY=year
Time	The time at which the action occurred, in the format hh:mm:ss, where: hh=hour mm=minutes ss=seconds
Dir	An icon indicating the direction of the connection on which the firewall acted. This can be one of the following: Incoming connection Outgoing connection Internal connection
Act	An icon indicating the action that the firewall performed on a connection. For a list of Actions icons, see Security Log Actions.
Source	The IP address of the connection's source.
Port	The source port used for the connection.
Destination	The IP address of the connection's destination.
Service	The protocol and destination port used for the connection.
Reason	The reason the action was logged.
Rule	The number of the firewall rule that was executed.
Net	The internal network where the action occurred.
Information	Additional information about the logged action.

Security Log Actions

Action	Icon	Description
Connection Accepted		The firewall accepted a connection.
Connection Decrypted		The firewall decrypted a connection.
Connection Dropped		The firewall dropped a connection.
Connection Encrypted		The firewall encrypted a connection.
Connection Rejected		The firewall rejected a connection.
Connection Monitored		A security event was monitored; however, it was not blocked, due to the current configuration.
URL Allowed		The firewall allowed a URL.
URL Filtered		The firewall blocked a URL.
Virus Detected		A virus was detected in an email.
Potential Spam Stamped		An email was marked as potential spam.
Potential Spam Detected		An email was rejected as potential spam.
Mail Allowed		A non-spam email was logged.
Blocked by VStream Antivirus		VStream Antivirus blocked a connection.

Security Log Color Coding

An event marked in this color…	Indicates…
Red	Connection attempts that were blocked by your firewall, by a security policy downloaded from your Service Center, or by user-defined rules.
Orange	Traffic detected as suspicious, but accepted by the firewall. For example, if a SmartDefense protection's Action field is set to "Track" instead of "Block", and a connection triggers this protection, the connection is accepted and logged in orange.
Green	Traffic accepted by the firewall. By default, accepted traffic is not logged. However, such traffic may be logged if specified by a security policy downloaded from your Service Center, or if specified in user-defined rules.

An event marked in this color…

Indicates…

Red

Connection attempts that were blocked by your firewall, by a security policy downloaded from your Service Center, or by user-defined rules.

Orange

Traffic detected as suspicious, but accepted by the firewall.

For example, if a SmartDefense protection's Action field is set to "Track" instead of "Block", and a connection triggers this protection, the connection is accepted and logged in orange.

Green

Traffic accepted by the firewall.

By default, accepted traffic is not logged. However, such traffic may be logged if specified by a security policy downloaded from your Service Center, or if specified in user-defined rules.