VII. Router Diagnostics

Syslog Messages - Interpreting Firewall and CSM logs

Products:
Vigor 2620Ln
Vigor 2760
Vigor 2762
Vigor 2765
Show all

Keywords:
Content Security Management
Filter set 13
Syslog
URL Content Filtering
Show all

Syslog is a method of logging router activity. When enabled, the router continuously outputs Syslog event messages; these can be captured by a Syslog daemon (a listening/capturing program) and displayed or logged to a file. The initial configuration of Syslog on DrayTek Vigor routers is explained in this article.

This guide will demonstrate how to interpret Syslog messages for the Firewall (IP Filter Rules), and CSM (Content Security Management) facilities of DrayTek Vigor routers that use DrayOS, in these sections:

 

DrayTek Syslog Introduction

In the DrayTek Syslog utility, the [Firewall] tab contains Syslog messages relating to the Fiirewall, which includes both IP Filter Rules and CSM. These Syslog messages can be used to troubleshoot the Firewall and log traffic passing through the router. Each message contains information on whether a session has been be passed or blocked by the router and which Firewall Filter Rule, CSM rule or Keyword Object has been matched to perform that action.

In the example below for instance, we can see that the [FILTER], which is the router's IP Filter, has blocked ICMP (Ping) packets from the local IP address "192.168.100.10" to the remote IP address "8.8.4.4":

The DrayTek Syslog utility displays each Syslog message with four columns:

System Time Timestamp according to the time configured on the computer receiving the Syslog message
Router Time Timestamp according to the router's time in [System Maintenance] > [Time and Date]
Host The name configured for the router in [System Maintenance] > [Management]
Message This is the Syslog Message

If using a Syslog daemon other than the DrayTek Syslog Utility, the messages are separated with different Facility / Category codes. The Firewall messages from DrayTek Vigor routers use Facility "local0".

Interpreting Firewall IP Filter Syslogs

The router's Firewall related messages are located in the [Firewall] > [IP Filter Log] of the DrayTek Syslog utility.

When Firewall Filter Rules are configured, there is a "Syslog" tickbox by the side of each Filter Rule Action; If this is ticked, the router will send a syslog message when a session matches that rule and the Firewall performs the configured Action of that Filter Rule.

These Syslog messages can simplify the process of troubleshooting the Firewall configuration; For instance when a service is blocked unexpectedly, if the Firewall has blocked that service, the router will send a Syslog message with details of the session that has been blocked and the Filter Rule that caused it to be blocked.

An Example of Syslog messages for the Firewall's IP Filter, along with details of what each segment of the message indicates, is shown below.

In this example, the router's Firewall has blocked a local IP address "192.168.1.10" from creating a UDP session on port 53 (DNS) to the remote IP of "8.8.4.4":

[FILTER][Block][LAN/RT/VPN->WAN, 0:53:53 ][@S:R=6:1, 192.168.1.10:60475->8.8.4.4:53][UDP][HLen=20, TLen=56]

This can be broken down into these segments:

Breaking this down into each segment with details of what each indicator signifies:

ExampleSyntaxDescription
[FILTER] [<Category>] Category indicates that the router's IP Filter has sent this Syslog message
[Block] [<Filter Rule Action>]

Action performed on this session
[Block] indicates that the Firewall has dropped the session
[Pass] indicates that the Firewall has allowed the session through the IP Filter. This applies any other Actions specified on the Filter Rule including CSM, which could then potentially block the session (indicated in a separate Syslog message)

[LAN/RT/VPN->WAN, [<Source>-><Destination>,

Direction of the Filter Rule applied to this session.
LAN/RT/VPN = LAN interface, Static Route, VPN interface
WAN = WAN interface
In this example, LAN/RT/VPN->WAN indicates the session is initiated by a LAN IP to access a WAN IP

LAN->WAN - Indicates outgoing traffic
WAN->LAN - Indicates incoming traffic from the Internet
LAN->LAN - Indicates traffic moving from one LAN/VLAN, Route or VPN to another, based on Source & Destination IPs

0:53:53] hh:mm:ss] Uptime of the router at the time of sending the Syslog message
[@S:R=6:1, [@S:R=a:b,

Matching Filter Rule
a = Filter Set number
b = Filter Rule number
In this example, the session matches the criteria of Filter Set 6, Filter Rule 1 and the IP Filter has applied the Action configured in that Filter Rule

Note - Filter Set 13 "[@S:R=13:1" indicates that the Actions set in [Firewall] > [General Setup] > [Default Rule] have been applied to this session

192.168.1.10 : 60475
<Src IP>:<Src Port> Source IP Address and Source Port
In this example, the Source IP is "192.168.1.10" with a random NAT port number of "60475". Some Protocols such as ICMP (Ping) will not display a port number
-> 8.8.4.4 : 53 ] -> <Dst IP>:<Dst Port>] Destination IP Address and Destination Port
In this example, the Destination IP is "8.8.4.4" to the Destination Port of "53"
[UDP] [<Protocol>] Protocol
The Protocol of the session that the IP Filter has been applied to. Further details in the Protocol & Packet Information table below
[HLen=20, TLen=56] [<Packet Information>] Packet Information
Details of the packet sent such as size and sequence. Full details shown in the Protocol & Packet Information table below

Protocol & Packet Information

[UDP][HLen=20, TLen=56] UDP Protocol
HLen = Header Length (bytes)
TLen = Payload Length (bytes)
[TCP][HLen=20, TLen=40, Flag=S, Seq=3643099039, Ack=0, Win=41548]

TCP Protocol
HLen = Header Length (bytes)
TLen = Payload Length (bytes)
Flag = Packet Type (S=SYN, A=ACK, F=FIN, R=RST, P=PUSH, AP=ACK+PUSH)
Seq = Sequence Number
Ack = Ack Number
Win = Window Size (bytes)

[ICMP][HLen=20, TLen=56, Type=8, Code=0] ICMP (Ping) Protocol
HLen = Header Length (bytes)
TLen = Payload Length (bytes)
Type = ICMP Type
Code = ICMP Code

Interpreting CSM Syslog Information

The Syslog messages sent for Content Security Management are each tagged with the type of CSM that has been applied to each session.

The Syslog messages for Content Security Management can be found in the [Firewall] > [CSM Log] section of the DrayTek Syslog utility.

Examples of the Syslog message structure for each type of CSM and detailed explanations of their meaning can be found in the sections below:

  • [CSM_UF] - URL Content Filtering
  • [CSM_WF] - Web Content Filtering
  • [CSM_DNSF] - DNS Filtering
  • [CSM_AE] - App Enforcement

Compared to the IP Filter Syslog messages, the structure of the message is similar but no Direction is specified - this is because Content Security Management (CSM) applies only to outgoing traffic from local clients accessing the Internet. Therefore it can be assumed that all CSM entries have a direction of "LAN/RT/VPN -> WAN".

In this example, we can see that the router's DNS Filter applying the keyword filtering of the URL Content Filter has blocked access to Facebook.

URL Content Filtering - [CSM_UF]

Each URL Content Filter profile that is applied by the Firewall can be configured to send Syslog messages when blocking sessions, passing sessions, or both.

This is an example of the URL Content Filter's Syslog output; it can be broken down into sections, which are explained in the table below:

ExampleSyntaxDescription
[CSM_UF] [<Category>] Category indicates that the router's URL Content Filter element of Content Security Management has sent this Syslog message
[Block] [<CSM Action>]

Action performed on this session
[Block] indicates that the URL Content Filter has dropped the session
[Pass] indicates that the URL Content Filter has allowed the session through the Firewall

[Type=KW(G:O=0:4)] [Type=a(G:O=b:c)]

Matched Keyword Object/Group
a = The type of match, "KW" indicates "Keyword"
b = Keyword Group number in [Objects Setting] > [Keyword Group]. If this is "0", the Keyword Object is not a member of a Keyword Group
c = Keyword Object number in [Objects Setting] > [Keyword Object]

[@S:R=6:1, [@S:R=a:b,

Matching Filter Rule
a = Filter Set number
b = Filter Rule number
In this example, the session matches the criteria of Filter Set 6, Filter Rule 1. The IP Filter has passed the session to the URL Content Filter profile specified in that Filter Rule.

Note - Filter Set 13 "[@S:R=13:1" indicates that the Actions set in [Firewall] > [General Setup] > [Default Rule] have been applied to this session

192.168.1.10 : 4379
<Src IP>:<Src Port> Source IP Address and Source Port
In this example, the Source IP is "192.168.1.10" with a random NAT port number of "4379"
-> https://www.facebook.com:443] <URL>:<Dst Port>] URL Accessed (with IP Address / Hostname) and Destination Port
In this example, the URL accessed was "https://www.facebook.com" to the Destination Port of "443".
[HTTPS] [<Protocol>] Protocol The type of traffic (HTTP or HTTPS) that the URL Content Filter is blocking
[HLen=20 ...] [<Packet Information>]

Packet Information
Details of the packet sent such as size and sequence. Full details shown in the Protocol & Packet Information table above

Web Content Filtering - [CSM_WF]

Each Web Content Filter profile that is applied by the Firewall can be configured to send Syslog messages when blocking sessions, passing sessions, or both.

This is an example of the Web Content Filter's Syslog output; it can be broken down into sections, which are explained in the table below:

ExampleSyntaxDescription
[CSM_WF] [<Category>] Category indicates that the router's Web Content Filter element of Content Security Management has sent this Syslog message
[Block] [<CSM Action>]

Action performed on this session
[Block] indicates that the Web Content Filter has dropped the session
[Pass] indicates that the Web Content Filter has allowed the session through the Firewall

[Service_Provider=CYREN]
[Service_Provider=CYREN]

Web Content Filter Service Provider
When the DrayTek Web Content Filter is used in the UK, it should display "CYREN" as the provider. If this text shows "BPjM" or  another provider, the Web Content Filter Service may not be configured correctly for the router

[Category=News] [Category=<WCF Category>]

Matched Web Content Filter Category
The Category specified in the Web Content Filter profile that has matched and been applied to this session

[@S:R=6:1, [@S:R=a:b,

Matching Filter Rule
a = Filter Set number
b = Filter Rule number
In this example, the session matches the criteria of Filter Set 6, Filter Rule 1. The IP Filter has passed the session to the Web Content Filter profile specified in that Filter Rule.

Note - Filter Set 13 "[@S:R=13:1" indicates that the Actions set in [Firewall] > [General Setup] > [Default Rule] have been applied to this session

192.168.1.10 : 4421
<Src IP>:<Src Port> Source IP Address and Source Port
In this example, the Source IP is "192.168.1.10" with a random NAT port number of "4421"
-> http://news.bbc.co.uk:80] <URL>:<Dst Port>] URL Accessed (with IP Address / Hostname) and Destination Port
In this example, the URL accessed was "http://news.bbc.co.uk" to the Destination Port of "80"
[HTTP] [<Protocol>] Protocol The type of traffic (HTTP or HTTPS) that the URL Content Filter is blocking
[HLen=20 ...] [<Packet Information>]

Packet Information
Details of the packet sent such as size and sequence. Full details shown in the Protocol & Packet Information table above

DNS Filtering - [CSM_DNSF]

DrayTek's Content Security Management can be applied easily to encrypted or otherwise unidentifiable traffic passing through the router. It does this by performing Web Content Filtering and/or URL Content Filtering at the DNS (Domain Name Server lookup) level; when clients on the network look up the hostname for a website to determine which IP Address to access it on, the router can block this lookup and redirect the client to the router's CSM block page.

The DNS Filter links in to the Web Content Filter and URL Content Filter, therefore the Syslog message output is the same as the URL Content Filter and Web Content Filter. There are three differences in the Syslog message content from the URL Content Filter and Web Content Filter:

  1. Tagged with a Category of [CSM_DNSF]
  2. Protocol is [DNS] because the DNS Filter affects DNS traffic only
  3. Destination records the Hostname only instead of the full URL, due to the encrypted nature of HTTPS, determining a full URL is not possible

The examples below show the output of the DNS Filter Syslog messages. For the definitions and syntax of the categories of these examples, refer to the URL Content Filtering - [CSM_UF] and Web Content Filtering - [CSM_WF] sections above with their respective tables.

Example 1 - URL Content Filtering applied by the DNS Filter

It's possible to determine that this DNS Filter Syslog message relates to the URL Content Filter because it shows "[Type=KW..." which indicates that the DNS Filter has blocked the session because of a Keyword match, which is an element of the URL Content Filter:

Example 2 - Web Content Filtering applied by the DNS Filter

It's possible to determine that this DNS Filter Syslog message is linked to the Web Content Filter because it shows "[Category=News]"; Category based filtering is a feature of the DrayTek Web Content Filter:

App Enforcement - [CSM_AE]

DrayTek's App Enforcement can block Protocols and is able to prevent Applications / Programs accessing the Internet through the router by detecting their packet signatures and blocking their respective sessions. When App Enforcement blocks an Application or Protocol, it will send a Syslog message to indicate that it has done so.

This is an example of App Enforcement's Syslog output; it can be broken down into sections, which are explained in the table below:

ExampleSyntaxDescription
[CSM_AE] [<Category>] Category indicates that the router's URL Content Filter element of Content Security Management has sent this Syslog message
[Block] [<CSM Action>]

Action performed on this session
[Block] indicates that App Enforcement has dropped the session

[LogMeIn Pro2]
[<Application Name>]

Application Detected
This will display the name of the Application that has been detected and blocked. These are the options selected in each App Enforcement Profile under the IM / P2P / Protocol / Others sections

[@S:R=6:1, [@S:R=a:b,

Matching Filter Rule
a = Filter Set number
b = Filter Rule number
In this example, the session matches the criteria of Filter Set 6, Filter Rule 1. The IP Filter has passed the session to the Web Content Filter profile specified in that Filter Rule.

Note - Filter Set 13 "[@S:R=13:1" indicates that the Actions set in [Firewall] > [General Setup] > [Default Rule] have been applied to this session

192.168.1.10 : 443
<Local IP>:<Local Port> Local IP Address and Local Port
In this example, the Source IP is "192.168.1.10" with a port number of "443"
-> 95.172.70.144:4467] <Remote IP>:<Remote Port>] Remote IP Address / Hostname and Remote Port
In this example, the remote IP address was "95.172.70.144" using port "4467"
[TCP] [<Protocol>] Protocol
The Protocol of the session that has been blocked by App Enforcement
[HLen=20 ...] [<Packet Information>]

Packet Information
Details of the packet sent such as size and sequence. Full details shown in the Protocol & Packet Information table above


How do you rate this article?

1 1 1 1 1 1 1 1 1 1