Logs
Whenever GeSWall restricts an access, it records the event to the log. The log can be viewed in the 'Logs' folder of the GeSWall Console as shown in the picture below.
By default, it shows the records for the current day. You may adjust the view by Action\Log Properties... context menu to choose the required time period.
An event record has the following fields:
| Date |
Local zone date in format YYYY.MM.DD |
| Time |
Local zone time in format HH:MM:SS |
| Application file name |
The name of application executable (not a full path) |
| Access restriction type |
- READONLY access - access was restricted to read only
- REDIRECT access - access was redirected to a local copy
- DENY access - access was denied
- DENY message - window message sending was denied
|
| Resource name |
Full name of resource, e.g. file name, registry name. |
| Resource type |
| Native name of resource in terms of operation system: | |
- Debug
- Desktop
- Device
- Directory
- Event
- File
- IO completion port
- Job
|
- Registry
- Keyed event
- Mutant
- LPC port
- Process
- Profile
- Section
- Semaphore
|
- Symbolic link
- Thread
- Token
- Timer
- Waitable port
- Windows station
|
|
Usually you will find dozens of event records for running isolated applications because those applications are restricted in access according to
the Access Restriction Policy.
The event records do not necessarily indicate intrusion attempts but in most cases are restrictions of optional application functionality, which could be mal-ware or intrusion damage activity. This is similar to firewall logs which frequently show large numbers of blocked connection attempts.
Analyzing logged events for attack traces requires specialized expertise in computer security and GeSWall is not intended to be an intrusion detection product.
The log is particularly useful for debugging application problems while authoring specific rules for new applications.
|
