The meaning of various computer and security logs
Page 1 of 39
A collection of various computer and security logs
The logs contained in this document are divided into four categories: router, firewall, Intrusion Detection Systems (IDS) and miscellaneous. They are meant to be used as a reference to identify the type of software that generated a given log sample and, where necessary, how the fields of that sample can be interpreted.
Copyright Guy Bruneau, 2000-2001. All rights reserved.
Router
• Ascend
• Cisco
• Cisco ACL
Firewall
• Gauntlet
• Raptor
• IPFilter (FreeBSD, OpenBSD)
• IPChains (Linux)
• ConSeal Firewall (Windows)
• ZoneAlarm (Windows)
• Cisco PIX
• SonicWall SOHO
• Cyberguard
• EnterNet
• Check Point FireWall-1
• Protolog UDP
• Protolog ICMP
• Windows NT 4 Security log
• Sniffer Pro
• Samba NMB
• Samba SMB
• Solaris snoop
• TCPDump
• TCPDump and DNS
• TCPDump ICMP and TCP stimulus response
• IP and TCP
• IP and UDP
• IP and ICMP
Revision history:
Guy Bruneau, version 0.5 – 14 February 2001
Router Logs
Ascend router
Oct 24 01:03:13 192.168.101.20 ASCEND: wan4 tcp 192.168.101.2;9704 <- dsl.subscr.6.105;9704 40 syn fin !pass (totcp-1)
Oct 24 01:03:13 192.168.101.20 ASCEND: wan4 tcp 255.255.255.255;9704 <- dsl.subscr.6.105;9704 40 syn fin !pass (totcp-1)
Oct 24 01:04:23 192.168.101.20 ASCEND: wan4 tcp 192.168.101.208;9704 <- dsl.subscr.6.105;9704 40 syn fin !pass (totcp-1)
denied tcp 10.90.24.12(2533) -> 192.168.1.1(16), 1 packet
Oct 15 22:21:54 [192.168.50.32] 508476: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2590) -> 192.168.1.1(101), 1 packet
Oct 15 22:21:57 [192.168.50.32] 508477: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2603) -> 192.168.1.1(111), 1 packet
Oct 15 22:22:05 [192.168.50.32] 508481: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2533) -> 192.168.1.1(16), 1 packet
Oct 15 22:22:06 [192.168.50.32] 508482: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2590) -> 192.168.1.1(101), 1 packet
More information available at:
Cisco ACL
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
access-list 101 permit ip any any
(implicit deny all)
interface ethernet 0
ip access-group 101 out
Access-list Command    Description
101                    Access list number, indicates extended IP access list
deny                   Traffic that matches the selected parameters will not be forwarded
tcp                    Transport-layer protocol
Access List Type       Number Range/Identifier
IP    Standard         1 - 99
      Extended         100 - 199
      Named            Name (Cisco IOS 11.2 and later)
IPX   Standard         800 - 899
      Extended         900 - 999
      SAP filters      1000 - 1099
      Named            Name (Cisco IOS 11.2.F and later)
More information available at:
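Added example, not part of the original document: a Python parser for the %SEC-6-IPACCESSLOGP lines shown under the Cisco router log above, which also classifies the access-list number using the ranges in the table. The sample lines are the four complete entries from this page re-joined onto single lines; the "three or more distinct destination ports" threshold used to single out a probing source is an arbitrary value chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the four complete %SEC-6-IPACCESSLOGP entries shown on this
# page, re-joined onto single lines as the router emits them.
SAMPLE_LOG = [
    "Oct 15 22:21:54 [192.168.50.32] 508476: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2590) -> 192.168.1.1(101), 1 packet",
    "Oct 15 22:21:57 [192.168.50.32] 508477: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2603) -> 192.168.1.1(111), 1 packet",
    "Oct 15 22:22:05 [192.168.50.32] 508481: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2533) -> 192.168.1.1(16), 1 packet",
    "Oct 15 22:22:06 [192.168.50.32] 508482: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2590) -> 192.168.1.1(101), 1 packet",
]

IPACCESSLOGP = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"\[(?P<router>[\d.]+)\]\s+(?P<seq>\d+):\s+"
    r"%SEC-6-IPACCESSLOGP:\s+list\s+(?P<acl>\S+)\s+"
    r"(?P<action>denied|permitted)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)\s+->\s+(?P<dst>[\d.]+)\((?P<dport>\d+)\),\s+"
    r"(?P<count>\d+)\s+packets?$"
)

def acl_type(acl):
    """Classify an access-list identifier with the number ranges from the table above."""
    if not acl.isdigit():
        return "named"
    n = int(acl)
    ranges = [
        (1, 99, "IP standard"),
        (100, 199, "IP extended"),
        (800, 899, "IPX standard"),
        (900, 999, "IPX extended"),
        (1000, 1099, "IPX SAP filter"),
    ]
    for lo, hi, name in ranges:
        if lo <= n <= hi:
            return name
    return "unknown"

def parse_line(line):
    """Return a dict of the fields of one IPACCESSLOGP line, or None if it is not one."""
    m = IPACCESSLOGP.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("seq", "sport", "dport", "count"):
        rec[k] = int(rec[k])
    rec["acl_type"] = acl_type(rec["acl"])
    return rec

def summarize(lines):
    """Per (acl, source): total denied packets and the set of distinct destination ports."""
    summary = defaultdict(lambda: {"packets": 0, "ports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        key = (rec["acl"], rec["src"])
        summary[key]["packets"] += rec["count"]
        summary[key]["ports"].add(rec["dport"])
    return dict(summary)

def flag_multiport(summary, min_ports=3):
    """Sources denied on at least min_ports distinct ports: probing rather than one misconfigured client."""
    return sorted(k for k, v in summary.items() if len(v["ports"]) >= min_ports)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (acl, src), v in s.items():
        print(f"list {acl} ({acl_type(acl)}): {src} denied {v['packets']} packets on ports {sorted(v['ports'])}")
    print("multi-port sources:", flag_multiport(s))
```

On the page's four entries the single source 10.90.24.12 is denied on ports 16, 101 and 111 within twelve seconds, which is why the aggregation is keyed on the source rather than on the individual line.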
Firewall Logs
Gauntlet Firewall
Oct 24 08:47:16 server kernel: securityalert: tcp if=ef0 from 10.60.255.46:1720 to 10.4.12.99 on unserved port 27374
Field                                                                       Meaning of field
Sep 2 15:53:27.755                                                          Timestamp
Kernel                                                                      Device name
120                                                                         ICMP Service error
Info: Not sending ICMP Unreachable in response to non-information ICMP      Informational field
Above.sea.above.net[192.168.175.105]                                        Source name, IP address
10.253.5.12                                                                 Destination IP address
Protocol=ICMP                                                               Protocol
More information available at:
IPfilter firewall
This firewall is used with OpenBSD and FreeBSD Unix systems.
Aug 15 10:11:49 quasi-evil ipmon[28775]: 10:11:49.129790 rl0 @0:1 p 10.245.45.90 -> my-fw PR icmp len 20 29 icmp 13/0 IN
Aug 15 10:11:49 quasi-evil ipmon[28775]: 10:11:49.129826 rl0 @0:1 p 10.46.101.79 -> my-fw PR icmp len 20 29 icmp 14/0 IN
Aug 15 10:11:49 quasi-evil ipmon[28775]: 10:11:49.129861 rl0 @0:1 p 10.208.1.4 -> my-fw PR icmp len 20 29 icmp 15/0 IN
Aug 15 10:11:49 quasi-evil ipmon[28775]: 10:11:49.129897 rl0 @0:1 p 10.129.70.57 -> my-fw PR
Facility           kernel: Packet log:    The syslog level at which the syslog event occurred. Should always be ‘kernel’. ‘Packet log:’ is appended for clarity’s sake and can be used when searching the logs.
Chain Name         Input                  The chain to which the rule is attached. Possible values are: input, output and forward.
Action Taken       REJECT                 How the packet was handled. Possible values are: ACCEPT, REJECT, DENY, MASQ, REDIRECT and RETURN.
Interface          eth0                   The network interface on which the packet was detected.
Protocol #         PROTO=17               The protocol of the packet. Common values are: 1 (ICMP), 6 (TCP), and 17 (UDP). ICMP traffic is also displayed with the ICMP code.
Source             10.100.1.228:57048     The source IP address and port number of the packet.
Destination        192.168.1.211:137      The destination IP address and port number of the packet.
Length             L=78                   The total length of the packet.
TOS                S=0x00                 The ‘Type of Service’ value from the packet.
ID                 I=53412                Either the packet ID or the segment that the TCP fragment belongs to.
Fragment Offset    F=0x0000               If the packet is part of a fragment, this field contains the fragment offset.
TTL                T=108                  The time-to-live value from the packet.
Rule #             (#3)                   The rule number that logged this entry.
More information is available at:
ConSeal firewall
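Added example, not part of the original document: a Python parser for the ipchains "Packet log:" line laid out in the table above. The sample lines are constructed (the first from the table's own example values, the other two invented to exercise the ICMP and DENY cases). Two decoding choices are assumptions rather than something this page states: that for PROTO=1 the two port positions carry the ICMP type and code, and that F= is the raw 16-bit fragment word of the IP header (DF bit 0x4000, MF bit 0x2000, offset in the low 13 bits).

```python
import re
from collections import Counter

# Constructed sample lines in the ipchains "Packet log:" layout of the table above.
# Line 1 is assembled from the table's example values; lines 2 and 3 are invented.
SAMPLE_LOG = [
    "Oct 24 08:47:16 gw kernel: Packet log: input REJECT eth0 PROTO=17 10.100.1.228:57048 192.168.1.211:137 L=78 S=0x00 I=53412 F=0x0000 T=108 (#3)",
    "Oct 24 08:47:20 gw kernel: Packet log: input DENY eth0 PROTO=1 10.100.1.228:8 192.168.1.211:0 L=84 S=0x00 I=2211 F=0x0000 T=108 (#5)",
    "Oct 24 08:47:21 gw kernel: Packet log: input DENY eth0 PROTO=6 10.100.1.228:3344 192.168.1.211:139 L=60 S=0x00 I=2212 F=0x4000 T=108 SYN (#4)",
]

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

PACKET_LOG = re.compile(
    r"kernel:\s+Packet log:\s+(?P<chain>\w+)\s+(?P<action>[A-Z]+)\s+(?P<iface>\S+)\s+"
    r"PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"L=(?P<length>\d+)\s+S=(?P<tos>0x[0-9A-Fa-f]+)\s+I=(?P<id>\d+)\s+"
    r"F=(?P<frag>0x[0-9A-Fa-f]+)\s+T=(?P<ttl>\d+)"
    r"(?P<extra>(?:\s+\S+)*?)\s+\(#(?P<rule>\d+)\)\s*$"   # optional tokens such as SYN before the rule number
)

def parse_ipchains(line):
    """Decode one ipchains packet-log line into typed fields; None if the line is not one."""
    m = PACKET_LOG.search(line)
    if not m:
        return None
    g = m.groupdict()
    proto = int(g["proto"])
    raw_frag = int(g["frag"], 16)          # assumption: raw IP fragment word (flags + offset)
    rec = {
        "chain": g["chain"].lower(),
        "action": g["action"],
        "iface": g["iface"],
        "proto": proto,
        "proto_name": PROTO_NAMES.get(proto, str(proto)),
        "src": g["src"],
        "dst": g["dst"],
        "length": int(g["length"]),
        "tos": int(g["tos"], 16),
        "id": int(g["id"]),
        "dont_fragment": bool(raw_frag & 0x4000),
        "more_fragments": bool(raw_frag & 0x2000),
        "frag_offset": raw_frag & 0x1FFF,
        "ttl": int(g["ttl"]),
        "flags": g["extra"].split(),
        "rule": int(g["rule"]),
    }
    if proto == 1:
        # assumption: for ICMP the "port" positions hold the ICMP type and code
        rec["icmp_type"], rec["icmp_code"] = int(g["sport"]), int(g["dport"])
    else:
        rec["sport"], rec["dport"] = int(g["sport"]), int(g["dport"])
    return rec

def blocked_by_service(lines):
    """Count REJECT/DENY hits per protocol/port (or ICMP type) so the noisiest blocked service stands out."""
    counts = Counter()
    for line in lines:
        rec = parse_ipchains(line)
        if rec and rec["action"] in ("REJECT", "DENY"):
            target = rec["dport"] if "dport" in rec else rec["icmp_type"]
            counts[f"{rec['proto_name']}/{target}"] += 1
    return counts

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_ipchains(line))
    print(blocked_by_service(SAMPLE_LOG))
```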
PE 2000/04/28 11:04:58 -5:00 GMT Telnet Program 10.0.0.120:10023
FWIN 2000/04/28 11:05:24 -5:00 GMT 192.168.120.24:0 192.168.209.246:0 ICMP
PE 2000/04/28 11:05:29 -5:00 GMT Telnet Program 10.0.0.120:10023
PE 2000/04/28 11:06:23 -5:00 GMT Telnet Program 10.0.0.120:10023
FWIN 2000/04/28 11:12:32 -5:00 GMT 192.168.1.151:0 192.168.209.246:0 ICMP
FWIN 2000/04/28 11:37:50 -5:00 GMT 192.168.1.150:0 192.168.209.246:0 ICMP
Meaning                                     Firewall information
Type (Firewall Input)                       FWIN
Date (yyyy/mm/dd)                           2000/04/28
Time (GMT-00:00)                            09:48:24 -5:00 GMT
Source IP                                   192.168.120.24
Source Port                                 1364
Destination IP                              192.168.209.246
Destination Port                            161
Transport Protocol (ICMP/TCP/UDP/IGMP)      UDP
More information available at:
Cisco PIX Firewall
Cyberguard
2000/07/06 00:14:55: http: 10.250.1.30 --- 192.168.1.138 :14055: connection established
2000/07/06 00:14:55: http: 10.125.10.100 --> 192.168.78.173 :14080: GET / HTTP/1.0
2000/07/06 00:14:55: http: 10.125.10.100 --- 192.168.78.173 :14080: access to web site 192.168.78.173 denied
2000/07/06 00:14:56: http: 10.125.10.100 <-- 192.168.1.138 :14055: Content-type: text/html, Content-length:
2000/07/06 00:14:56: http: 10.125.10.100 --- 192.168.1.138 :14055: connection closed
2000/07/06 00:14:57: http: 10.125.10.100 --> 192.168.1.57 :14075: GET /image.ng/Params.richmedia=yes&uniqueID=unique_id&size=468x60&site=cbcca&zone=news&sector=1&pageloc=1 HTTP/1.0
2000/07/06 00:14:57: http: 10.125.10.100 --- 192.168.1.57 :14075: connection established
2000/07/06 00:14:57: http: 10.125.10.100 <-- 192.168.1.57 :14075: Content-type: text/html, Content-length: 305
2000/07/06 00:14:57: http: 10.125.10.100 --- 192.168.1.57 :14075: connection closed
2000/07/06 00:14:57: http: 10.125.10.100 --> 192.168.1.57 :14077: GET /image.ng/Params.richmedia=yes&uniqueID=unique_id&size=468x60&site=cbcca&zone=news&sector=1&pageloc=1 HTTP/1.0
2000/07/06 00:14:58: http: 10.125.10.100 --- 192.168.1.57 :14077: connection established
2000/07/06 00:14:58: http: 10.125.10.100 <-- 192.168.1.57 :14077: Content-type: text/html, Content-length: 305
2000/07/06 00:14:58: http: 10.125.10.100 --- 192.168.1.57 :14077: connection closed
Meaning                                            Firewall information
Date/Time                                          2000/07/06 00:14:55:
Destination Port                                   http:
Firewall Address                                   10.250.1.30
Direction of the connection                        --- (initial or closure), --> (out) or <-- (in)
11:11:22 Firewall-1 reject 9200 192.168.59.9 172.15.100.5 Tcp 1111
More information available at:
3Com OfficeConnect Internet Firewall 25
Note: because of NAT on the Internet side of the firewall, the attacked host's IP is shown as 192.168.99.12. Times are shown as UTC. The numbers following the source and destination IPs are the port numbers.
UTC 11/22/2000 04:04:13.128 - TCP connection dropped - Source:192.168.143.189, 2980, WAN - Destination:192.168.99.12, 27374, LAN - - Rule 7
UTC 11/22/2000 04:04:14.000 - TCP connection dropped - Source:192.168.143.189, 2980, WAN - Destination:192.168.99.12, 27374, LAN - - Rule 7
The same events are reported by the firewall to syslog in the following format; here the leading timestamp is the syslog server's local time, while the time= field carries the firewall's UTC clock:
11-21-2000 23:04:13 Local0.Notice wall.blilly.com id=firewall sn=00D096BF23C5 time="2000-11-22 04:04:13 UTC" fw=192.168.99.12 pri=5 c=64 m=36 msg="TCP connection dropped" src=192.168.143.189:2980:WAN dst=192.168.99.12:27374:LAN rule=7
11-21-2000 23:04:14 Local0.Notice wall.blilly.com id=firewall sn=00D096BF23C5 time="2000-11-22 04:04:14 UTC" fw=192.168.99.12 pri=5 c=64 m=36 msg="TCP connection dropped" src=192.168.143.189:2980:WAN dst=192.168.99.12:27374:LAN rule=7
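Added example, not part of the original document: a Python parser for the key=value syslog records above. It splits the receiving syslog server's prefix from the firewall's own fields, honours the double quotes around time= and msg=, breaks src/dst into (ip, port, zone), and works out the offset between the server's local clock and the firewall's UTC stamp, which is the reconciliation an analyst has to do before correlating these records with the UTC-stamped event log shown earlier. The sample records are the two lines from this page re-joined onto single lines.

```python
import re
import shlex
from datetime import datetime, timezone

# Constructed sample: the two syslog records shown above, re-joined onto single lines.
# The leading date/time is the syslog server's local stamp; time="..." is the firewall's UTC clock.
SAMPLE_LOG = [
    '11-21-2000 23:04:13 Local0.Notice wall.blilly.com id=firewall sn=00D096BF23C5 '
    'time="2000-11-22 04:04:13 UTC" fw=192.168.99.12 pri=5 c=64 m=36 '
    'msg="TCP connection dropped" src=192.168.143.189:2980:WAN dst=192.168.99.12:27374:LAN rule=7',
    '11-21-2000 23:04:14 Local0.Notice wall.blilly.com id=firewall sn=00D096BF23C5 '
    'time="2000-11-22 04:04:14 UTC" fw=192.168.99.12 pri=5 c=64 m=36 '
    'msg="TCP connection dropped" src=192.168.143.189:2980:WAN dst=192.168.99.12:27374:LAN rule=7',
]

PREFIX = re.compile(
    r"^(?P<recv_date>\d{2}-\d{2}-\d{4})\s+(?P<recv_time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<facsev>\S+)\s+(?P<host>\S+)\s+(?P<kv>.*)$"
)
INT_FIELDS = {"pri", "c", "m", "rule"}

def split_endpoint(value):
    """'ip:port:zone' -> (ip, port, zone); the zone may be absent."""
    parts = value.split(":")
    ip, port = parts[0], int(parts[1])
    zone = parts[2] if len(parts) > 2 and parts[2] else None
    return ip, port, zone

def parse_record(line):
    """Return a dict with the syslog prefix and every key=value field, typed; None if unparseable."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    rec = {
        "received": datetime.strptime(m["recv_date"] + " " + m["recv_time"], "%m-%d-%Y %H:%M:%S"),
        "facility_severity": m["facsev"],
        "host": m["host"],
    }
    # shlex keeps a quoted value such as msg="TCP connection dropped" as one token
    for token in shlex.split(m["kv"]):
        key, _, value = token.partition("=")
        if key in INT_FIELDS:
            value = int(value)
        elif key in ("src", "dst"):
            value = split_endpoint(value)
        elif key == "time":
            value = datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
        rec[key] = value
    return rec

def receiver_offset_hours(rec):
    """Whole-hour offset of the syslog server's local clock from the firewall's UTC stamp."""
    delta = rec["received"] - rec["time"].replace(tzinfo=None)
    return round(delta.total_seconds() / 3600)

def dropped_by_target(lines):
    """Count 'TCP connection dropped' events per destination (ip, port)."""
    counts = {}
    for line in lines:
        rec = parse_record(line)
        if rec and rec.get("msg") == "TCP connection dropped":
            ip, port, _zone = rec["dst"]
            counts[(ip, port)] = counts.get((ip, port), 0) + 1
    return counts

if __name__ == "__main__":
    first = parse_record(SAMPLE_LOG[0])
    print(first["src"], "->", first["dst"], "rule", first["rule"])
    print("syslog server runs at UTC", receiver_offset_hours(first))
    print(dropped_by_target(SAMPLE_LOG))
```

With the page's own records the offset comes out as -5 hours, matching the "11-21-2000 23:04:13" local stamp against "2000-11-22 04:04:13 UTC".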
05/01/2001 15:51:10 Allowed User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90) sent to ad.html?group=basics&count=1
System Event Log
Info 04/01/2001 21:23:31 NAM Service NISServ started as Windows Service.
Info 04/01/2001 21:15:16 NAM Service NISServ stopped as Windows Service.
Info 04/01/2001 21:15:15 NAM Service NISServ stopped as Windows Service.
Info 04/01/2001 17:22:01 NAM Service NISServ started as Windows Service.
Web History Event Log
05/01/2001 15:46:06 auth.pl?file=/48/55.html&lm=978455234
05/01/2001 15:42:41 auth.pl?file=/48/53.html&lm=978717822
05/01/2001 15:17:33 auth.pl?file=/48/55.htl&lm=978455234
This firewall provides Internet protection for the family with a complete, integrated
security and privacy suite.
More information available at:
Intrusion Detection Systems Logs
Type of Service (TOS)        TOS:0x0
Packet ID in binary          ID:39426
TCP flags set                **SF****
Sequence # in Hex            Seq: 0x76F7894
Acknowledgement # in Hex     Ack: 0x59E55EAE
Window size in Hex           Win: 0x404
Syslog format
Sep 23 08:00:37 seeker snort[18701]: IDS212 - MISC - DNS Zone Transfer: 192.168.30.1:4175 -> 10.207.90.9:53
Sep 23 08:01:44 seeker snort[18701]: IDS277 - NAMED Iquery Probe: 192.168.30.1:53 -> 10.2.0.27:53
Sep 23 08:01:51 seeker snort[18701]: PING-ICMP Destination Unreachable: 10.32.29.18 -> 192.168.30.1
Snort Portscan file