The following list describes the contents of each column in the table below.
ID #: the event item number.
Event Name: the value of the event field (7.x) or of the status field (6.2 and 6.1); N/A where neither field is present.
Agile Reports: whether the Sidewinder event is available through the LogLogic Agile Report Engine (Agile) or only through the search capabilities (Search Filter). Events available through the Agile Report Engine can be analysed and displayed with LogLogic's Real-Time Reports and Summary Reports; all other supported events captured by the LogLogic appliance are viewed by searching the log data.
Title/Comments: the Sidewinder version number, plus a comment (format 1, format 2, ...) where a version emits more than one format for the same event type.
Event Category: Audit or Operational.
Event Type: the value of the type field, such as t_ipftraffic or t_attack.
Reports Appears In: the LogLogic-provided reports in which the event appears.
Sample Log Message: a sample Sidewinder log message converted to text (.txt) format; samples that are cut short in this guide are marked [...]. The Collector captures log data that tracks actions such as file modifications, account changes and machine access, which can indicate fraudulent activity, and the LogLogic appliance can be configured to alert administrators in real time when data integrity or confidentiality is compromised. The Agile Reports and search capabilities can then be used to analyse the captured data. Note that the admin user database change events (items 8 and 9) carry the new administrator's crypt_password hash inside the information field, so the audit stream itself is sensitive and should be transported and stored as such.
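The audit record format described above (syslog PRI, timestamp, optional relay host, the auditd: tag, then comma-separated key=value pairs with bare or double-quoted values, and event= in 7.x versus status= in 6.x) can be parsed and triaged with a few dozen lines of code. The following is an added example written for this page; it is not LogLogic's or McAfee's code. The type-to-report grouping, the alert policy and the credential-material check are this example's own choices based on the table, and the last two sample lines (including their fac=, pid= and event= values) are constructed rather than copied from the guide.

```python
"""Parse McAfee Sidewinder auditd records: <PRI>Mon dd hh:mm:ss [host] auditd: k=v,k="v",...

Bare values may contain spaces (event=IP Filter session close); double-quoted
values may contain commas. 7.x names the event in event=, 6.1/6.2 in status=.
"""
import re

# Reports-Appears-In column of the table on this page, keyed by audit type
# (keying purely on type is this example's own simplification).
REPORT_BY_TYPE = {
    "t_aclallow": "Accepted Connections", "t_ipftraffic": "Accepted Connections",
    "t_nettraffic": "Accepted Connections", "t_servtraffic": "Accepted Connections",
    "t_proxyauth": "Denied Connections", "t_attack": "Denied Connections",
    "t_auth_attempt": "User Authentication", "t_auth_lockout": "User Last Activity",
    "t_cfg_change": "User Created/Deleted",
}
# Alert policy chosen for this example: attack/lockout/flood types, plus the
# t_error events the table files under "Invalid TCP packets".
ALERT_TYPES = {"t_attack", "t_auth_lockout", "t_proxy_flooded", "t_syn_attack"}
ALERT_TCP_EVENTS = {"TCP old duplicate", "TCP data/closed conn", "TCP RESET sequence error"}

HEADER_RE = re.compile(
    r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\s+(?:(\S+)\s+)?auditd:\s*(.*)$", re.S)


def parse_kv(body):
    """Split the comma-separated key=value body, honouring double quotes."""
    fields, i, n = {}, 0, len(body)
    while i < n:
        eq = body.find("=", i)
        if eq < 0:
            break
        key, i = body[i:eq].strip(), eq + 1
        if i < n and body[i] == '"':        # quoted value: run to the closing quote
            end = body.find('"', i + 1)
            end = n if end < 0 else end
            value, i = body[i + 1:end], end + 1
        else:                               # bare value: run to the next comma
            end = body.find(",", i)
            end = n if end < 0 else end
            value, i = body[i:end], end
        fields[key] = value
        if i < n and body[i] == ",":        # consume the separator
            i += 1
    return fields


def parse_record(line):
    """Return a dict for a Sidewinder audit line, or None for anything else."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    pri, fields = int(m.group(1)), parse_kv(m.group(4))
    return {
        "facility": pri // 8, "severity": pri % 8,   # syslog PRI = facility*8 + severity
        "relay_host": m.group(3),                    # set for "... sidewinder1 auditd:" lines
        "type": fields.get("type", ""),
        "event": fields.get("event") or fields.get("status") or "N/A",
        "fields": fields,
    }


def report_for(rec):
    """Agile report the record lands in, or 'search' for search-only events."""
    if rec["type"] == "t_attack" and rec["event"] == "auth deny":
        return "User Authentication"
    return REPORT_BY_TYPE.get(rec["type"], "search")


def should_alert(rec):
    return rec["type"] in ALERT_TYPES or (
        rec["type"] == "t_error" and rec["event"] in ALERT_TCP_EVENTS)


def carries_credential_material(rec):
    """Admin-database changes (items 8 and 9 above) embed password hashes in information=."""
    info = rec["fields"].get("information", "")
    return "crypt_password=" in info or "crypt=" in info


def triage(lines):
    """Parse every line and return one summary dict per recognised record."""
    out = []
    for rec in filter(None, map(parse_record, lines)):
        out.append({"event": rec["event"], "type": rec["type"], "report": report_for(rec),
                    "alert": should_alert(rec), "has_hash": carries_credential_material(rec)})
    return out


# Sample input: lines 1-3 are complete samples from the table on this page (items 5, 14
# and 72); lines 4-5 are constructed for this example in the same format (their fac=,
# pid= and event= values are assumptions, not taken from the page).
SAMPLE_LINES = [
    '<179>Jun 6 18:32:37 auditd: date="Aug 25 22:29:34 2008 PDT",fac=f_acld,area=a_server,type=t_auth_lockout,pri=p_major,pid=2012,ruid=0,euid=0,pgid=2012,logid=0,cmd=acld,domain=Acld,edomain=Acld,hostname=sidewinder1.loglabs.com,event=authentication failure lockout,user_name=spippari,reason="Authentication failure limit exceeded."',
    '<131>Jan 15 14:51:23 auditd: date="Mar 5 01:18:07 2007 EST",fac=f_kernel_ipfilter,area=a_general_area,type=t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=,edomain=,hostname=xxxxxxx.xxxx.com,event=IP Filter session close,rule_name=scobra_out_filter,srcip=10.10.10.10,srcport=1662,dstip=10.10.10.10,dstport=9003,bytes_written_to_client=800,bytes_written_to_server=80,protocol=6,netsessid=45eba8ff00060315',
    '<179>Jun 6 18:32:37 auditd: date="Jul 9 23:51:00 2008 UTC",fac=f_daemond,area=a_server,type=t_error,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=Dmnd,edomain=Dmnd,hostname=sidewinder1.loglabs.com,event=TCP old duplicate,reason="The Sidewinder received packet that contains a timestamp from before this connection was established. It may be an old duplicate packet from a previous connection, or it may indicate a timestamp attack."',
    '<135>Jan 1 00:00:03 sidewinder1 auditd: date="Apr 19 12:25:42 2002 CDT",fac=f_http_proxy,area=a_server,type=t_nettraffic,pri=p_major,pid=1,ruid=0,euid=0,pgid=1,logid=0,cmd=httpp,domain=htpp,edomain=htpp,reason="proxy traffic end",status=conn_close,auth_method=password,user_name=a,request_status=1,start_time="Fri Apr 19 12:25:42 2002",netsessid=3cc053160004222f',
    '<139>Sep 10 07:54:25 auditd: date="Sep 10 14:54:25 2008 PDT",fac=f_cf,area=a_server,type=t_cfg_change,pri=p_major,pid=1,ruid=0,euid=0,pgid=1,logid=0,cmd=cf,domain=Admn,edomain=Admn,hostname=sidewinder1.loglabs.com,event=config modify,user_name=spippari,config_area="admin user database",config_item=admins:cwee,information="Added Firewall administrator cwee: crypt_password=\'_v...03/FZ4a0ycYz/YU\', directory=\'/home/cwee\', roles=[], shell=\'nologin\'"',
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print(row)
```

Running the script prints one summary per line: the lockout (item 5) and the TCP timestamp error (item 72) are flagged for alerting, the 6.2-style line is named from its status field, and the constructed admin-database change is marked as carrying a password hash. The tokenizer deliberately reads bare values up to the next comma rather than the next space, because the guide's own samples carry spaces inside unquoted event names.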
Table 1 Sidewinder Events
Each entry lists: ID | Event Name | Agile Reports | Title | Event Category | Event Type | Reports Appears In, followed on the next line by the Sample Log Message.
1  ACL allow | Agile | 7.x | Audit | t_aclallow | Accepted Connections
   <131>Jan 15 14:51:23 auditd: date="Mar 15 15:55:21 2007 [...]hod=Password,acl_id="Secure Shell Server",cache_hit=0,reason="Traffic allowed by policy."
2  ACL deny | Agile | 7.x | Audit | t_attack | Denied Connections
   <131>Jan 15 14:48:01 auditd: date="Jan 15 22:48:01 2008 [...]acl_id="Deny All",cache_hit=0,reason="Traffic denied by policy."
3  auth deny | Agile | 7.x | Audit | t_attack | User Last Activity / User Authentication
   <179>Jun 24 05:07:27 auditd: date="Aug 11 12:51:09 2008 [...]son="Authentication failed.",information="cobra login authentication failed for user `admin', method Password, from 10.60.0.7"
4  auth allow | Agile | 7.x | Audit | t_auth_attempt | User Last Activity / User Authentication
   <179>Jun 24 05:07:27 auditd: date="Aug 11 08:25:23 2008 [...]succeeded.",information="authentication Accepted for user `spippari', method Password from 10.60.0.7 port 1037"
5  authentication failure lockout | Agile | 7.x | Audit | t_auth_lockout | User Last Activity
   <179>Jun 6 18:32:37 auditd: date="Aug 25 22:29:34 2008 PDT",fac=f_acld,area=a_server,type=t_auth_lockout,pri=p_major,pid=2012,ruid=0,euid=0,pgid=2012,logid=0,cmd=acld,domain=Acld,edomain=Acld,hostname=sidewinder1.loglabs.com,event=authentication failure lockout,user_name=spippari,reason="Authentication failure limit exceeded."
McAfee Firewall Enterprise (Sidewinder) Log Configuration Guide 23
6  authentication failure clear | Agile | 7.x | Audit | t_auth_lockout | User Last Activity
   <179>Jun 6 18:32:37 auditd: date="Aug 25 22:25:28 2008 PDT",fac=f_acld,area=a_server,type=t_auth_lockout,pri=p_major,pid=2012,ruid=0,euid=0,pgid=2012,logid=0,cmd=acld,domain=Acld,edomain=Acld,hostname=sidewinder1.loglabs.com,event=authentication failure clear,user_name=rathna,admin=Rathna
7  config Modify | Agile | 7.x / format 1 | Audit | t_cfg_change | User Last Activity
   <139>Sep 10 07:54:25 auditd: date="Sep 10 21:52:12 2008 [...]modify,user_name=Rathna,config_area="admin user database",config_item=admins:testuser,information="Changed Firewall administrator testuser: office='Wipro Technologies'"
8  config Modify | Agile | 7.x / format 2 | Audit | t_cfg_change | User Last Activity, User Created/Deleted
   <139>Sep 10 07:54:25 auditd: date="Sep 10 14:54:25 2008 [...]modify,user_name=spippari,config_area="admin user database",config_item=admins:cwee,information="Added Firewall administrator cwee: crypt_password='_v...03/FZ4a0ycYz/YU', directory='/home/cwee', full_name='Chris Wee', home_phone='510-576-4891', office='Home', office_phone='510-781-9671', roles=[], shell='nologin'"
9  config Modify | Agile | 7.x / format 3 | Audit | t_cfg_change | User Last Activity, User Created/Deleted
   <139>Sep 10 07:54:25 auditd: date="Sep 10 21:48:11 2008 [...]ed User testuser: crypt='_x...mUCBgLf3lH4uf7Q', placeholder='not used', swede_crypt_last_mod_time=1221108484.4916401, swede_expire_last_mod_time=0.0"
10 config Modify | Agile | 7.x / format 4 | Audit | t_cfg_change | User Last Activity, User Created/Deleted
   <139>Sep 10 07:54:25 auditd: date="Sep 10 21:54:35 2008 [...]modify,user_name=Rathna,config_area="admin user database",config_item=admins:testuser,information="Deleted Firewall administrator testuser"
11 config Modify | Agile | 7.x / format 5 | Audit | t_cfg_change | User Last Activity, User Created/Deleted
   <139>Sep 10 07:54:25 auditd: date="Sep 10 21:54:35 2008 [...]eted User testuser"
12 IP Filter session open | Agile | 7.x | Audit | t_ipftraffic | Accepted Connections
   <131>Jan 15 14:51:23 auditd: date="Mar 5 01:18:07 2007 EST",fac=f_kernel_ipfilter,area=a_general_area,type=t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=,edomain=,hostname=xxxxxxx.xxxx.com,event=IP Filter session open,rule_name=scobra_out_filter,srcip=80.80.80.80,[...]
13 IP Filter session timeout | Agile | 7.x | Audit | t_ipftraffic | Accepted Connections (entry header reconstructed from the sample's event and type fields)
   <131>Jan 15 14:51:23 auditd: date="Mar 5 01:18:07 2007 EST",fac=f_kernel_ipfilter,area=a_general_area,type=t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=,edomain=,hostname=xxxxxxx.xxxx.com,event=IP Filter session timeout,rule_name=scobra_out_filter,srcip=70.70.70.70,srcport=1662,dstip=80.80.80.80,dstport=9003,bytes_written_to_client=1446281,bytes_written_to_server=122272,protocol=6,netsessid=45eba8ff00060315
14 IP Filter session close | Agile | 7.x | Audit | t_ipftraffic | Accepted Connections
   <131>Jan 15 14:51:23 auditd: date="Mar 5 01:18:07 2007 EST",fac=f_kernel_ipfilter,area=a_general_area,type=t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=,edomain=,hostname=xxxxxxx.xxxx.com,event=IP Filter session close,rule_name=scobra_out_filter,srcip=10.10.10.10,srcport=1662,dstip=10.10.10.10,dstport=9003,bytes_written_to_client=800,bytes_written_to_server=80,protocol=6,netsessid=45eba8ff00060315
15 proxy traffic begin | Agile | 7.x | Audit | t_nettraffic | Accepted Connections
   <131>Jan 15 14:51:23 auditd: date="Mar 15 02:00:01 2007 EDT",fac=f_http_proxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=32152,ruid=0,euid=0,pgid=32152,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=xxxxxxx.xxxx.com,event=proxy traffic begin,service_name=http-all,netsessid=45f8e0e1000ea505,srcip=60.60.60.60,srcport=57961,srcburb=internal,protocol=6,dstip=50.50.50.50,dstport=80,dstburb=external,acl_id=nt_http_out-nt_http_servicesproxy-auth-internal,cache_hit=0,request_status=0,start_time="Thu Mar 15 02:00:01 2007"
16 proxy traffic continue | Agile | 7.x | Audit | t_nettraffic | Accepted Connections
   <131>Jan 15 14:51:23 auditd: date="Mar 15 02:00:02 2007 EDT",fac=f_http_proxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=32152,ruid=0,euid=0,pgid=32152,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=xxxxxxx.xxxx.com,event=proxy traffic continue,service_name=http-all,netsessid=45f8e0e10[...]time="Thu Mar 15 02:00:01 2007"
17 proxy traffic end | Agile | 7.x | Audit | t_nettraffic | Accepted Connections
   <131>Jan 15 14:51:23 auditd: date="Mar 15 02:00:02 2007 EDT",fac=f_http_proxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=32152,ruid=0,euid=0,pgid=32152,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=xxxxxxx.xxxx.com,event=proxy traffic end,service_name=http-all,netsessid=45f8e0e1000ea[...]"Thu Mar 15 02:00:01 2007"
18 proxy authentication failure | Agile | 7.x | Audit | t_proxyauth | Denied Connections
   <131>Jan 15 14:51:23 auditd: date="Mar 16 16:33:55 2007 [...]mail determined that this session is not allowed."
19 remote server authentication failure | Agile | 7.x | Audit | t_proxyauth | Denied Connections
   <131>Jan 15 14:51:23 auditd: date="Mar 16 16:33:55 2007 CDT",fac=f_sendmail_daemon,area=a_server,type=t_proxyauth,pri=p_major,pid=2076,ruid=0,euid=0,pgid=2071,logid=0,cmd=sendmail,domain=mta1,edomain=mta1,hostname=carp.b.com,event=remote server authentication failure,srcip=10.10.10.10,srcport=3578,srcburb=external,protocol=6,dstip=10.10.10.10,dstport=456,dstburb=dmz,interface=eth3,acl_id=acl_rul_1,reason="Sendmail determined that this session is not allowed."
20 server traffic begin | Agile | 7.x | Audit | t_servtraffic | Accepted Connections
   <131>Jan 15 14:51:23 auditd: date="Mar 15 02:00:01 2007 [...]Thu Mar 15 02:00:01 2007"
21 server traffic continue | Agile | 7.x | Audit | t_servtraffic | Accepted Connections
   <131>Jan 15 14:51:23 auditd: date="Mar 15 02:00:02 2007 [...]time="Thu Mar 15 02:00:01 2007"
22 server traffic end | Agile | 7.x | Audit | t_servtraffic | Accepted Connections
   <131>Jan 15 14:51:23 auditd: date="Mar 15 02:00:02 2007 [...]"Thu Mar 15 02:00:01 2007"
23 N/A | Agile | 6.2 | Audit | t_aclallow | Accepted Connections
   <179>May 22 17:16:52 auditd: date="May 22 17:16:52 2007 GMT",fac=f_wwwproxy,area=a_server,type=t_aclallo[...]
24 [entry header missing from the source; Reports Appears In: ... Connections]
   <131>Jan 15 14:51:23 auditd: date="May 14 17:02:56 2001 [...]
25 [entry header missing from the source; Reports Appears In: User Last Activity / User Authentication]
   <179>Jun 24 05:07:27 auditd: date="May 16 13:18:51 2001 CDT",fac=f_ftpproxy,area=a_server,type=t_auth_attempt,pri=p_major,pid=464,ruid=0,euid=0,pgid=464,logid=0,cmd=pftp,domain=PFTx,edomain=PFTx,user_auth_name=a,auth_method=password,result=1,info="authentication Accepted for user `a:password', method password"
26 ipf_open | Agile | 6.2 | Audit | t_ipftraffic | Accepted Connections
   <131>Jan 15 14:51:23 auditd: date="Oct 30 11:17:49 2006 [...]
27 ipf_close | Agile | 6.2 | Audit | t_ipftraffic | Accepted Connections
   <131>Jan 15 14:51:23 auditd: date="Mar 5 01:18:07 2007 [...]otocol=6,netsessid=45eba8ff00060315
28 conn_open | Agile | 6.2 | Audit | t_nettraffic | Accepted Connections
   <179>Jan 1 00:00:00 auditd: date="Apr 19 12:25:42 2002 [...]
29 [entry header missing from the source; Reports Appears In: ... Connections]
   <179>Jan 1 00:00:00 auditd: date="Apr 19 12:25:42 2002 [...]e="Fri Apr 19 12:25:42 2002",netsessid=3cc053160004222f
30 conn_close | Agile | 6.2 | Audit | t_nettraffic | Accepted Connections
   <179>Jan 1 00:00:00 auditd: date="Apr 19 12:25:42 2002 [...]eason="proxy traffic end",status=conn_close,auth_method=password,user_name=a,request_status=1,start_time="Fri Apr 19 12:25:42 2002",netsessid=3cc053160004222f
31 N/A | Agile | 6.2 | Audit | t_proxyauth | Denied Connections
   <135>Jan 1 00:00:03 sidewinder1 auditd: date="Jan 1 00:00:03 2008 [...]
32 [entry header missing from the source; Reports Appears In: User Last Activity, User Created/Deleted]
   <179>Jun 6 18:32:37 auditd: date="May 14 17:27:29 2001 [...]
33 N/A | Agile | 6.2 / [...] | [remaining columns missing from the source]
   <179>Jun 6 18:32:37 auditd: date="May 14 17:27:29 2001 [...]
34 [entry header missing from the source; Reports Appears In: ... Connections]
   <179>May 22 17:16:52 auditd: date="May 22 17:16:52 2007 GMT",fac=f_wwwproxy,area=a_server,type=t_aclallo[...]
35 [entry header missing from the source; Reports Appears In: ... Connections]
   <179>Jun 24 05:15:57 auditd: date="Jun 24 05:15:57 2008 [...]
36 [entry header missing from the source; Reports Appears In: User Last Activity / User Authentication]
   <179>Jun 24 05:07:57 auditd: date="Jun 24 05:07:57 2008 EDT",fac=f_login,area=a_general_area,type=t_auth_attempt,pri=p_major,pid=1880,ruid=0,euid=0,pgid=1880,fid=0,logid=0,cmd=login,domain=Logn,edomain=Logn,hostname=xxx,user_name=abc,auth_method=-password,result=1,information="cobra login authentication Accepted for user `abc, method -password, from 20.20.20.02"
37 ipf_open | Agile | 6.1 | Audit | t_ipftraffic | Accepted Connections
   <179>Aug 13 14:49:19 auditd: date="Aug 13 14:49:19 2008 [...]
38 [entry header missing from the source; Reports Appears In: ... Connections]
   <179>Aug 13 14:50:47 auditd: date="Aug 13 14:50:47 2008 [...]
39 conn_open | Agile | 6.1 | Audit | t_nettraffic | Accepted Connections
   <179>Jan 1 00:00:00 auditd: date="Jan 1 00:00:00 2008 [...]
40 [entry header missing from the source; Reports Appears In: ... Connections]
   <179>Aug 13 14:16:09 auditd: date="Aug 13 14:16:09 2008 [...]
41 conn_close | Agile | 6.1 / format 1 | Audit | t_nettraffic | Accepted Connections
   <179>May 22 17:16:52 auditd: date="May 22 17:16:52 2007 GMT",fac=f_wwwproxy,area=a_libproxycommon,type[...]
42 conn_close | Agile | 6.1 / format 2 | Audit | t_nettraffic | Accepted Connections
   <179>Aug 13 14:28:31 auditd: date="Aug 13 14:28:31 2008 [...]delivery of message m7D5SP6Z020754",status=conn_close,acl_id=smtp_all,cache_hit=0,queueid=m7D5SP6Z020754,mail_sen [email protected],[email protected],start_time="Wed Aug 13 14:28:31 2008",netsessid=48a270ff00019957
43 conn_close | Agile | 6.1 / format 3 | Audit | t_nettraffic | Accepted Connections
   <179>Aug 13 14:16:09 auditd: date="Aug 13 14:16:09 2008 [...]delivery of message m7D5G4Pe020434",status=conn_close,acl_id=smtp_all,cache_hit=0,queueid=m7D5G4Pe020434,mail_se [email protected],[email protected],subject="FW: THANK YOU NOTE ON BEHALF OF COMMODORE KEARNS",start_time="Wed Aug 13 14:16:10 2008",netsessid=48a26e190009ff25
44 conn_open | Agile | 6.1 | Audit | t_servtraffic | Accepted Connections
   <179>Jul 28 09:06:25 auditd: date="Jul 28 09:06:25 2008 [...]
45 conn_close | Agile | 6.1 | Audit | t_servtraffic | Accepted Connections
   <179>Jul 28 09:12:33 auditd: date="Jul 28 09:12:33 2008 [...]
46 [entry header missing from the source; Reports Appears In: User Last Activity, User Created/Deleted]
   <179>Jun 6 18:32:37 auditd: date="Jun 6 18:32:37 2008 [...]
47 [entry header missing from the source; Reports Appears In: User Last Activity]
   <179>Jun 6 18:32:37 auditd: date="Jun 6 18:32:37 2008 [...]
48 N/A | Search Filter | 6.2 | Operational | t_acl_change | Sidewinder 6.2: ACL Modification
   <179>Jun 6 18:32:37 auditd: date="May 11 10:17:01 2001 CDT",fac=f_cf,area=a_acladm,type=t_acl_change,pri=p_major,pid=1958,ruid=0,euid=0,pgid=1958,logid=100,cmd=COBRAD,domain=Admn,edomain=Admn,acl_admin=a,acl_op=add,acl_table=acl,acl_data="{'action': 'allow', 'ignore': 0, 'nat_addr':('host', 'localhost'), 'name': 'ping', 'agents':['proxy'], 'table': 'acl', 'services': [('service','ping')], 'last_changed_by': 'a on 05/09/01 10:17:31','alert': None, 'pos': 18, 'auth_needed': 0,'external_groups': None}"
49 N/A | Search Filter | 6.2 | Operational | t_proxy_flooded | Sidewinder 6.2: Proxy Flooded
   <179>Jun 6 18:32:37 auditd: date="Oct 30 12:41:25 2002 CST",fac=f_nss,area=a_server,type=t_proxy_flooded,pri=p_major,pid=179,ruid=0,euid=0,pgid=179,logid=0,cmd='nss',domain=nss2,edomain=nss2,srcburb=2,srcip=192.168.181.3,srcport=51210,dstip=192.168.180.87,dstport=80,information="55|No buffer space available Could not connect to the http proxy, probably flooded, temporarily suspended network fd 9 for 1 second"
50 N/A | Search Filter | 6.2 | Operational | t_snmp_coldtrap | Sidewinder 6.2: SNMP Coldstart Trap
   <179>Jun 6 18:32:37 auditd: date="May 30 13:46:10 2001 [...]
51 [event name missing from the source] | Search Filter | 6.2 | Operational | t_syn_attack | Sidewinder 6.2: SYN Attack
   <179>Jun 6 18:32:37 auditd: date="May 30 13:46:10 2001 [...]
52 [event name missing from the source] | Search Filter | 6.2 | Operational | t_tacrad_acct | Sidewinder 6.2: TACACS/RADIUS Accounting
   <179>Jun 6 18:32:37 auditd: date="May 4 06:02:42 2000 [...]
53 [event name missing from the source] | Search Filter | 6.2 | Operational | t_protocol_error | Sidewinder 6.2: Protocol Error
   <179>Jun 6 18:32:37 auditd: date="Oct 30 12:41:25 2002 [...]
54 [event name missing from the source] | Search Filter | 6.2 | Operational | t_ddtviolation | Sidewinder 6.2: Type Enforcement
   <179>Jun 6 18:32:37 auditd: date="May 4 06:13:18 2000 [...]000041 perm wanted: 0x40<destroy> permgranted:0x1<read>"
55 N/A | Search Filter | 6.2 | Operational | t_ditviolation | Sidewinder 6.2: Type Enforcement
   <179>Jun 6 18:32:37 auditd: date="May 4 06:13:18 2000 [...]000041 perm wanted: 0x40<destroy> permgranted:0x1<read>"
56 N/A | Search Filter | 6.2 | Operational | t_dmnprivdenied | Sidewinder 6.2: Type Enforcement
   <179>Jun 6 18:32:37 auditd: date="May 4 06:13:18 2000 [...]:0x2000041 perm wanted: 0x40<destroy> permgranted:0x1<read>"
57 N/A | Search Filter | 6.2 | Operational | t_chtype | Sidewinder 6.2: Type Enforcement
   <179>Jun 6 18:32:37 auditd: date="May 4 06:13:18 2000 [...]0041 perm wanted: 0x40<destroy> permgranted:0x1<read>"
58 N/A | Search Filter | 6.2 | Operational | t_udb_sysac | Sidewinder 6.2: User Database Modification
   <179>Jun 6 18:32:37 auditd: date="May 14 17:27:29 2001 [...]
59 [event name missing from the source] | Search Filter | 6.2 | Operational | t_udb_useract | Sidewinder 6.2: User Database Modification
   <179>Jun 6 18:32:37 auditd: date="May 14 17:27:29 2001 [...]
60 [event name, Agile Reports and Title missing from the source] | Operational | t_attack | Sidewinder 7.x: Application Defense Violation
   No sample log available
61 N/A | Search Filter | [Title missing from the source] | Operational | t_attack | Sidewinder 7.x: Buffer Overflow Attack
   No sample log available
62 N/A | Search Filter | [remaining columns missing from the source]
   No sample log available
63 [event name, Agile Reports and Title missing from the source] | Operational | t_attack | Sidewinder 7.x: General Attack
   No sample log available
64 N/A | Search Filter | [Title missing from the source] | Operational | t_attack | Sidewinder 7.x: Policy Violation
   No sample log available
65 N/A | Search Filter | [Title missing from the source] | Operational | t_attack | Sidewinder 7.x: Protocol Violation
   <179>Jun 6 18:32:37 auditd: date="Mar 15 02:28:54 2007 [...]e=em1,reason="The Sidewinder received a RESET after the remote system connected, but no data was transferred. This could indicate a stealth connection attack."
66 [event name, Agile Reports and Title missing from the source] | Operational | t_attack | Sidewinder 7.x: Signature-based IPS Intrusion Attempt
   No sample log available
67 N/A | Search Filter | 7.x / category is spam | Operational | t_attack | Sidewinder 7.x: Spam
   <179>Jun 6 18:32:37 auditd: date="Mar 16 16:33:55 2007 [...]76,reason="Sendmail determined that this session is not allowed.",information="550 5.7.1 TrustedSource determined this IP address is untrusted. Reputation value: xxx.x.x.xx"
68 N/A | Search Filter | 7.x / category is virus | Operational | t_attack | Sidewinder 7.x: Virus
   No sample log available
69 N/A | Search Filter | 7.x | Operational | t_auth_lockout | Sidewinder 7.x: Authentication Lockout
   <179>Jun 6 18:32:37 auditd: date="Mar 15 22:50:02 2007 CDT",fac=f_acld,area=a_server,type=t_auth_lockout,pri=p_major,pid=12227,ruid=0,euid=0,pgid=12227,logid=0,cmd=acld,domain=Acld,edomain=Acld,hostname=xxxx.x.com,event=authentication failure lockout,user_name=x,reason="Authentication failure limit exceeded."
70 connect failed | Search Filter | 7.x | Operational | t_info | Sidewinder 7.x: Connection Failed
   <179>Jun 6 18:32:37 auditd: date="Jul 9 23:51:00 2008 UTC",fac=f_daemond,area=a_server,type=t_info,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=Dmnd,edomain=Dmnd,hostname=sidewinder1.loglabs.com,event=connect failed,reason="Connection to server failed."
71 failed connection | Search Filter | 7.x | Operational | t_error | Sidewinder 7.x: Connection Failed
   <179>Jun 6 18:32:37 auditd: date="Jul 9 23:51:00 2008 UTC",fac=f_daemond,area=a_server,type=t_error,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=Dmnd,edomain=Dmnd,hostname=sidewinder1.loglabs.com,event=failed connection,reason="Could not connect to server. The session was terminated."
72 TCP old duplicate | Search Filter | 7.x | Operational | t_error | Sidewinder 7.x: Invalid TCP packets
   <179>Jun 6 18:32:37 auditd: date="Jul 9 23:51:00 2008 UTC",fac=f_daemond,area=a_server,type=t_error,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=Dmnd,edomain=Dmnd,hostname=sidewinder1.loglabs.com,event=TCP old duplicate,reason="The Sidewinder received packet that contains a timestamp from before this connection was established. It may be an old duplicate packet from a previous connection, or it may indicate a timestamp attack."
73 TCP data/closed conn | Search Filter | 7.x | Operational | t_error | Sidewinder 7.x: Invalid TCP packets
   <179>Jun 6 18:32:37 auditd: date="Jul 9 23:51:00 2008 UTC",fac=f_daemond,area=a_server,type=t_error,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=Dmnd,edomain=Dmnd,hostname=sidewinder1.loglabs.com,event=TCP data/closed conn,reason="The Sidewinder received data for a connection that has been closed. This may indicate an attack."
74 TCP RESET sequence error | Search Filter | 7.x | Operational | t_error | Sidewinder 7.x: Invalid TCP packets (entry header reconstructed from the sample and the neighbouring entries; only "Sidewinder 7.x: Invalid TCP packets" survives in the source)
   <179>Jun 6 18:32:37 auditd: date="Jul 9 23:51:00 2008 UTC",fac=f_daemond,area=a_server,type=t_error,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=Dmnd,edomain=Dmnd,hostname=sidewinder1.loglabs.com,event=TCP RESET sequence error,reason="The Sidewinder received a RESET packet with an invalid sequence number. This may be a reset for an earlier connection, or it may indicate an attack."
75 license expire | Search Filter | 7.x | Operational | t_license_expire | Sidewinder 7.x: License Expiration
   <179>Jun 6 18:32:37 auditd: date="Mar 15 21:59:33 2007 CDT",fac=f_license,area=a_server,type=t_lic_expire,pri=p_major,pid=12227,ruid=0,euid=0,pgid=12227,logid=0,cmd=acld,domain=Acld,edomain=Acld,hostname=xxxx.x.com,event=license expire,reason="",information=""
76 passport addition | Search Filter | 7.x | Operational | t_passport_chng | Sidewinder 7.x: Passport
   <179>Jun 6 18:32:37 auditd: date="Mar 15 22:42:42 2007 [...]Mar 15 22:42:42 2007",access_time="Thu Mar 15 22:42:42 2007"
77 passport deletion | Search Filter | 7.x | Operational | t_passport_chng | Sidewinder 7.x: Passport
   <179>Jun 6 18:32:37 auditd: date="Mar 15 22:42:42 2007 [...]Mar 15 22:42:42 2007",access_time="Thu Mar 15 22:42:42 2007"
78 passport updated | Search Filter | 7.x | Operational | t_passport_chng | Sidewinder 7.x: Passport
   <179>Jun 6 18:32:37 auditd: date="Mar 15 22:42:42 2007 [...]Mar 15 22:42:42 2007",access_time="Thu Mar 15 22:42:42 2007"
79 all passports revoked | Search Filter | 7.x | Operational | t_passport_chng | Sidewinder 7.x: Passport
   <179>Jun 6 18:32:37 auditd: date="Mar 15 22:42:42 2007 CDT",fac=f_acld,area=a_passport,type=t_passport_chng,pri=p_major,pid=12227,ruid=0,euid=0,pgid=12227,logid=0,cmd=acld,domain=Acld,edomain=Acld,hostname=xxxx.x.com,event=all passports revoked,srcip=xx.xx.xxx.xx,user_name=x,external_group=(null),auth_method=Password,cache_time="Thu Mar 15 22:42:42 2007",access_time="Thu Mar 15 22:42:42 2007"
80 passport expiration | Search Filter | 7.x | Operational | t_passport_chng | Sidewinder 7.x: Passport Expiration
   <179>Jun 6 18:32:37 auditd: date="Mar 15 22:42:49 2007 CDT",fac=f_acld,area=a_passport,type=t_passport_chng,pri=p_major,pid=12227,ruid=0,euid=0,pgid=12227,logid=0,cmd=acld,domain=Acld,edomain=Acld,hostname=xxxx.x.com,event=passport expiration,srcip=xx.xx.xxx.xx,access_time="Thu Mar 15 22:42:49 2007"
81 system backup success | Search Filter | 7.x | Operational | t_info | Sidewinder 7.x: System Backup (entry header reconstructed from the sample's event and type fields and from item 82)
   <179>Jun 6 18:32:37 auditd: date="Jul 9 23:51:00 2008 UTC",fac=f_daemond,area=a_server,type=t_info,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=Dmnd,edomain=Dmnd,hostname=sidewinder1.loglabs.com,event=system backup success,reason="System backup from Operational System (F%d) to Alternate System (F%d) succeeded."
82 system backup failure | Search Filter | 7.x | Operational | t_error | Sidewinder 7.x: System Backup
   <179>Jun 6 18:32:37 auditd: date="Jul 9 23:51:00 2008 UTC",fac=f_daemond,area=a_server,type=t_error,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=Dmnd,edomain=Dmnd,hostname=sidewinder1.loglabs.com,event=system backup failure,reason="System backup from Operational System (F%d) to Alternate System (F%d) failed."
83 license notice | Search Filter | 7.x | Operational | t_important | Sidewinder 7.x: License Notice
   <179>Jun 6 18:32:37 auditd: date="Jul 9 23:51:00 2008 UTC",fac=f_daemond,area=a_server,type=t_important,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=Dmnd,edomain=Dmnd,hostname=sidewinder1.loglabs.com,event=license notice,reason="Waiting to start '%s' because '%s' is %s."
84 N/A | Search Filter | 6.2 | Operational | t_cfg_change | Sidewinder: Configuration Change
   <179>Jun 6 18:32:37 auditd: date="Nov 7 00:00:06 2002 CST",fac=f_system,area=a_general_area,type=t_cfg_change,pri=p_major,pid=4517,ruid=0,euid=0,pgid=4483,logid=0,cmd='cf',domain=CARW,edomain=CARW,[...]