Viewing the Security Log

The Security Log records potentially threatening activity directed towards your computer, such as port scanning, or denial of service attacks. The Security Log is probably the most important log file in the Personal Firewall.

Viewing the Security Log

To view the Security Log on the Personal Firewall:

  1. Click the down-arrow near the Logs icon on the toolbar, and then choose Security Log...

    OR

    Click Tools|Logs|Security Log...

    OR

    Right-click the Tool Bar icon, and then click Logs|Security Log...

    You can also click the down-arrow next to the Logs icon to choose a different log. The most recently viewed log appears by default, but you can choose any of the logs to view.

  2. From the View list, select Local View (the default setting) or Source View. This selects how local and remote IP addresses or names are displayed.

  3. Click a different log name if you wish to view a different log.

  4. Click Refresh or press F5 to update the log that you are viewing.

Icons for the Security Log

When you open a Security Log, icons are displayed at the left side of the first column. These are graphical representations of the kind of attack logged on each line, and they provide an easy way to scan the Security Log for possible system errors.

Personal Firewall Security Log Icons

The icon images themselves are not reproduced in this text; each row of the table pairs one icon with its meaning:

  Icon          Description
  (icon)        Severe attack
  (icon)        Major attack
  (icon)        Minor attack
  (icon)        Information

Personal Firewall Security Log Parameters and Description

The log is a data sheet, where each row represents a logged event, and the columns display information regarding the event. The columns are:

  Name of Parameter    Description
  Time                 The exact date and time that the event was logged.
  Security Type        Type of security alert (for example: DoS attack, executable file, Ping of Death).
  Severity             The severity of the attack (Severe, Major, Minor, or Information).
  Direction            Direction that the traffic was traveling in (incoming, outgoing, or unknown).
                       Most attacks are incoming, that is, they originate on another computer.
                       Other attacks, like Trojan horses, are programs that have been downloaded to
                       your computer and therefore are already present; they are considered outgoing.
                       Still other attacks are unknown in direction; they include Active Response or
                       application executable changed.
  Protocol             Type of protocol: UDP, TCP, or ICMP.
  Remote Host          Name of the remote computer (only appears in Local View, the default).
  Remote MAC           MAC address of the remote computer (only appears in Local View, the default).
  Local Host           IP address of the local computer (only appears in Local View, the default).
  Local MAC            MAC address of the local computer (only appears in Local View, the default).
  Source Host          Name of the source computer (only appears in Source View).
  Source MAC           MAC address of the source computer (only appears in Source View).
  Destination Host     IP address of the destination computer (only appears in Source View).
  Destination MAC      MAC address of the destination computer (only appears in Source View).
  Application Name     Name of the application associated with the attack.
  User Name            The user or computer client that sent or received the traffic.
  Domain               Domain of the user.
  Location             The Location (Office, Home, VPN, etc.) that was in effect at the time of the attack.
  Occurrences          Number of occurrences of the attack method.
  Begin Time           The time the attack began.
  End Time             The time the attack ended.

Description and Data Fields for the Security Log

Below the rows of logged events are the Description and Data fields. When you click on an event row, the entire row is highlighted. A description of the event, such as "Somebody is scanning your computer, with 13 attempts", appears in the Description field.

Back Tracing Hack Attempts for the Security Log

  1. From the Traffic Log file, click on the event you want to back trace so that the entire row is highlighted.

  2. Either right-click the row and select Back Trace from the pop-up window, or click the Action menu and select Back Trace.

    The Personal Firewall traces the event information. The Back Trace Information window is displayed with a trace route log.

  3. To view detailed information on the original IP address, click the Whois>> button at the bottom of the Back Trace Information window. A drop panel appears, displaying detailed information about the owner of the IP address from which the security event originated.

  4. Click the Whois<< button again to hide the information.

Filtering the Log Events by Severity in the Security Log

In the Security Log, you can filter the events that you are viewing by the severity level of the attack.

  1. In the Log Viewer, open the Filter menu.

  2. Select Severity.

    The Severity window appears.

  3. Place check marks in each box next to the severity level(s) that you want to view.
    You have the following options:

You can view more than one type of event at once. The Log Viewer is automatically reloaded.

Filtering the Log Events by Date in the Security Log

To filter the log events by date:

  1. Click the Filter menu in the Log Viewer window.

  2. Select which events you want to view from the list:

    Viewing Personal Firewall Security Log Events by Date

      Events for...      Displays...
      1 Day Logs         the events recorded on the current day
      2 Day Logs         the events recorded over the past 2 days
      3 Day Logs         the events recorded over the last 3 days, including the current day
      1 Week Logs        the events recorded over the past 7 days
      2 Week Logs        the events recorded over the past 14 days
      1 Month Logs       the events recorded over the last 30 days
      Show All Logs      all Security Log events

  3. The log displays the requested events.
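The severity and date filters above are applied inside the Log Viewer, but an analyst who has exported the log often wants to apply the same filters (and count events per Security Type) outside the tool. The following Python script is an added example, not part of the Personal Firewall or its documentation. It assumes the log has been exported as tab-separated text whose header uses the column names from the parameters table (the real export format is not described on this page, so that layout and the timestamp format are assumptions), and the log rows it processes are constructed sample data. The date windows follow the "Events for..." table: "1 Day Logs" is the current day only, and "N Day Logs" covers the last N days including the current day.

```python
"""Filter Personal Firewall Security Log rows by severity and by date window.

Added example; the tab-separated export layout, the timestamp format and the
sample rows below are all assumptions/constructed data, not real firewall output.
"""
from datetime import date, datetime, timedelta

# Severity levels as listed in the parameters table.
SEVERITIES = ("Severe", "Major", "Minor", "Information")

# "Events for..." options mapped to the number of days each covers;
# None means "Show All Logs".
DATE_FILTERS = {
    "1 Day Logs": 1,
    "2 Day Logs": 2,
    "3 Day Logs": 3,
    "1 Week Logs": 7,
    "2 Week Logs": 14,
    "1 Month Logs": 30,
    "Show All Logs": None,
}

# Constructed sample export (assumed TSV layout; addresses are documentation ranges).
SAMPLE_LOG = """\
Time\tSecurity Type\tSeverity\tDirection\tProtocol\tRemote Host\tLocal Host\tApplication Name\tOccurrences
2004-03-10 09:15:02\tPort Scan\tMajor\tIncoming\tTCP\t192.0.2.10\t192.0.2.55\t\t13
2004-03-10 11:40:17\tPing of Death\tSevere\tIncoming\tICMP\t198.51.100.7\t192.0.2.55\t\t1
2004-03-09 22:05:44\tExecutable file changed\tInformation\tUnknown\t\t\t192.0.2.55\tnotepad.exe\t1
2004-03-04 08:00:00\tDoS attack\tSevere\tIncoming\tUDP\t203.0.113.9\t192.0.2.55\t\t52
2004-02-01 13:30:00\tPort Scan\tMinor\tIncoming\tTCP\t192.0.2.77\t192.0.2.55\t\t3
"""

# "Current day" used with the constructed sample so results are reproducible.
SAMPLE_TODAY = date(2004, 3, 10)


def parse_log(text):
    """Turn the TSV export into a list of dicts keyed by column name."""
    lines = text.strip().splitlines()
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split("\t")))
        row["Time"] = datetime.strptime(row["Time"], "%Y-%m-%d %H:%M:%S")
        row["Occurrences"] = int(row["Occurrences"] or 0)
        rows.append(row)
    return rows


def filter_by_severity(rows, wanted):
    """Keep rows whose Severity is in `wanted`; more than one level may be chosen."""
    unknown = set(wanted) - set(SEVERITIES)
    if unknown:
        raise ValueError(f"unknown severity level(s): {sorted(unknown)}")
    return [r for r in rows if r["Severity"] in wanted]


def filter_by_date(rows, option, today):
    """Apply one of the "Events for..." options relative to `today` (a date)."""
    days = DATE_FILTERS[option]
    if days is None:
        return list(rows)
    # Window starts at midnight `days - 1` days ago, so "1 Day Logs" is today only.
    start = datetime.combine(today, datetime.min.time()) - timedelta(days=days - 1)
    return [r for r in rows if r["Time"] >= start]


def summarize(rows):
    """Count events and total Occurrences per Security Type."""
    summary = {}
    for r in rows:
        entry = summary.setdefault(r["Security Type"], {"events": 0, "occurrences": 0})
        entry["events"] += 1
        entry["occurrences"] += r["Occurrences"]
    return summary


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    recent = filter_by_date(rows, "1 Week Logs", SAMPLE_TODAY)
    serious = filter_by_severity(recent, {"Severe", "Major"})
    for r in serious:
        print(r["Time"], r["Severity"], r["Security Type"], r["Remote Host"], r["Occurrences"])
    print(summarize(rows))
```

Running the script with the sample data lists the three Severe/Major events from the past week and prints a per-type summary; swapping `SAMPLE_LOG` for the contents of a real export (after adjusting the header and timestamp format to match) applies the same Log Viewer filters in batch.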