Menu

Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Sign In Register

Audit log messages

ChrisLaneChrisLane Newbie ✭
in Mid Range Firewalls

I often see messages in the format "Download file xyz Failed", e.g.

49 38 07:13:03 May 10 2024 Download file mw.exe Failed 84.252.92.18 (59993) xxxx (80) X1
48 37 07:13:00 May 10 2024 Download file db.exe Failed 84.252.92.18 (59587) xxxx (80) X1

In this case I know this is a scheduled external test. Today I have seen messages as follows, which are speculative requests from a Russian ASN:

188 117 06:59:07 Jul 16 2024 Export to file user_data.csv Failed 91.92.244.227 (45204) xxxx (80) X1
187 116 06:59:07 Jul 16 2024 Download file wallet_backup.zip Failed 91.92.244.227 (47880) xxxx (80) X1
186 115 06:59:07 Jul 16 2024 Export to file event_log.csv Failed 91.92.244.227 (46846) xxxx (80) X1

But I haven't seen "Export to file" before, how is the remote user triggering that behaviour?

Category: Mid Range Firewalls
Reply

Answers

  • ArkwrightArkwright All-Knowing Sage ✭✭✭✭

    They are presumably fetching the required URL to do that. You can test this yourself with Web Developer tools in a browser and see what URL is access when you export the logs, for example.

    I assume they are denied because they're not logged in.

    But….you really shouldn't be listening on port 80!

  • ChrisLaneChrisLane Newbie ✭

    I think it's just set to redirect 80 > 443 so will still get a response. I'll turn that off in any case.

    I can't see anything via the browser tools as the Export button just posts server side (I'm no dev so unsure of the terminology).

    Thanks.

Sign In or Register to comment.