Logging
For each specific UTM feature, particular information will be generated in the log messages, as described below.
IPS Log Messages
IPS log messages have severity 'info' (6). The message part includes information in the following format:
<action> IPS: <alert-msg> [URL:<url>] <protocol> <source-ip>:<source-port> -> <dest-ip>:<dest-port>
Table 5: Elements in IPS log messages

Message element              Description
<action>                     The action applied; [ALERT] or [DROP].
<alert-msg>                  The rule-specific message.
<url>                        The requested URL, if the flow is HTTP.
<protocol>                   The protocol, e.g. SMTP, HTTP, TCP, ICMP.
<source-ip>:<source-port>    The source IP address and source port of the packet.
<dest-ip>:<dest-port>        The destination IP address and destination port of the packet.

Output 7: Example IPS log messages
2016 Nov 17 02:49:57 local5.info awplus IPS[2369]: [Alert] IPS: smtp-events SMTP no server welcome message [smtp] 172.16.92.2:25 -> 192.168.92.1:35992
2016 Nov 17 02:55:18 local5.info awplus IPS[2682]: [Alert] IPS: icmp-decoder-events ICMPv4 unknown type [icmp] 172.16.92.2 -> 192.168.92.1
2016 Nov 17 03:15:23 local5.info awplus IPS[2398]: [Alert] IPS: checksum UDPv4 invalid checksum [udp] 192.168.92.1:2718 -> 172.16.92.2:0
2016 Nov 17 03:08:01 local5.info awplus IPS[2064]: [Drop] IPS: icmp-decoder-events ICMPv4 unknown type [icmp] 192.168.92.1 -> 172.16.92.2
C613-22104-00 REV B
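The format above is what a SIEM collector has to pick apart, so here is an added parser for it (example code written for this page, not part of the Allied Telesis documentation or firmware). It follows the message layout from Table 5 and Output 7, treats the [URL:<url>] element and the ports as optional (ICMP alerts carry no ports), and runs over constructed sample lines; the HTTP line with a URL is constructed, as Output 7 shows none.

```python
import re
from typing import Optional

# Message layout from Table 5:
#   <action> IPS: <alert-msg> [URL:<url>] <protocol> <src-ip>:<src-port> -> <dst-ip>:<dst-port>
# Output 7 shows the action as [Alert]/[Drop] while the table writes [ALERT]/[DROP],
# so the action is matched case-insensitively. URL and ports are optional.
IPS_RE = re.compile(
    r"""^(?P<ts>\d{4}\s\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+
        (?P<facility>\S+)\s+(?P<host>\S+)\s+IPS\[(?P<pid>\d+)\]:\s+
        \[(?P<action>Alert|Drop)\]\sIPS:\s
        (?P<msg>.+?)\s
        (?:\[URL:(?P<url>[^\]]*)\]\s)?
        \[(?P<proto>[^\]]+)\]\s
        (?P<sip>[0-9.]+)(?::(?P<sport>\d+))?\s->\s
        (?P<dip>[0-9.]+)(?::(?P<dport>\d+))?\s*$""",
    re.VERBOSE | re.IGNORECASE,
)

# Constructed sample lines in the shape of Output 7 (the HTTP line is invented for the URL case).
SAMPLE_LOG = """\
2016 Nov 17 02:49:57 local5.info awplus IPS[2369]: [Alert] IPS: smtp-events SMTP no server welcome message [smtp] 172.16.92.2:25 -> 192.168.92.1:35992
2016 Nov 17 02:55:18 local5.info awplus IPS[2682]: [Alert] IPS: icmp-decoder-events ICMPv4 unknown type [icmp] 172.16.92.2 -> 192.168.92.1
2016 Nov 17 03:08:01 local5.info awplus IPS[2064]: [Drop] IPS: icmp-decoder-events ICMPv4 unknown type [icmp] 192.168.92.1 -> 172.16.92.2
2016 Nov 17 03:20:00 local5.info awplus IPS[2100]: [Alert] IPS: http-events example rule [URL:/index.html] [http] 192.168.92.1:40000 -> 172.16.92.2:80
"""


def parse_ips_line(line: str) -> Optional[dict]:
    """Return the message elements as a dict, or None if the line is not an IPS message."""
    m = IPS_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in ("pid", "sport", "dport"):  # ports stay None for ICMP
        if ev[key] is not None:
            ev[key] = int(ev[key])
    return ev


def parse_ips_log(text: str) -> list:
    """Parse every IPS line in a syslog extract, silently skipping non-IPS lines."""
    return [ev for ev in map(parse_ips_line, text.splitlines()) if ev]


def count_by_action(events: list) -> dict:
    """Tally Alert vs Drop, a quick check of how much the IPS is blocking rather than only reporting."""
    counts: dict = {}
    for ev in events:
        counts[ev["action"]] = counts.get(ev["action"], 0) + 1
    return counts
```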
Advanced Network Protection | IPS Log Messages | Page 67