[Dshield] ZoneAlarm 3

Wayne Larmon wlarmon at dshield.org
Sun Mar 10 00:31:36 GMT 2002


> Does anyone know how ZA Pro 3 (Just released, about 3 days ago) stores
> its logs?  Zalog.txt no longer is updated, and VisualZone isn't pulling
> it in anymore.  I updated (probably unwisely - new software, new bugs)
> and I really like the new style (Although the loss of the toolbar really
> bugs me, I liked that sat on my menu showing things were working...) but
> I can't seem to send any reports!

I forwarded this post to Rob Vandenberg, the author of VisualZone.   He sent
several replies, as he is investigating the issue right now, but we want to
get the information out as soon as possible:

---------------------------------------------------------------------------
VisualZone is compatible with ZoneAlarm 3.0 and I'm almost certain CVTWIN is
too (depending on how it handles the field delimiter character). The only
thing that ZoneLabs has changed in the log file format is the default field
delimiter character (TAB vs. comma). However, there are more logging
configuration options now. To get the same logging behavior as with the pre
3.0 versions, do this:

Open the ZoneAlarm 3.0 window
Select "Alerts & Logs"
* Make sure that "Event Logging" is turned ON (=default)
* Make sure that "Program Logging" is set to HIGH
   - also click on the "Custom" button, click "Check All" to enable all
options and click OK.
* Click on the "Advanced" button, click "Check All" to enable all options and
click OK.

These settings will log *everything* (which may be too much for some users).

There is just 1 catch, which may be the cause of the problem of the poster:
By default ZoneAlarm 3.0 has the following option enabled:  "Archive log
text files every 1 days".
(ZoneAlarm Pro 2.6 also had this feature but it was turned off by default).

The archive option is located here:
* Open the ZoneAlarm 3.0 window and select "Alerts & Logs"
* Click on the "Advanced" button
* Select the "Log Control" tab
* Disable the option "Archive log text files every xx days"

It is best to disable this option, at least for VisualZone (not sure if it
would also help CVTWIN users but I think it will because otherwise log
entries may be missed by CVTWIN and won't get sent to DShield).
----------------------------------------------------------------------

Then, after I asked his permission to repost to our list, he sent additional
information.

-----------------------------------------------------------------------
It looks like, if you disable the archive function, it does indeed disable
logging to a file (it keeps the log entries in memory instead).  Best
solution I can come up with at this moment is to increase the log archive
interval to maximum (= 30 days). Unfortunately it isn't possible to leave
the option enabled and reduce the interval to 0 (in an attempt to disable it
that way).
-----------------------------------------------------------------------

So it looks like the archiving is causing problems with saving the log to a
file that either VisualZone or CVTWIN can read.  But it can be dealt with.

Rob promised to report again after he does more investigating.

Wayne Larmon
wlarmon at dshield.org
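
The two issues described in this post (the TAB vs. comma delimiter change and log entries being missed when the file is archived) can be handled on the reading side. The following is an added example, not part of the original post and not code from VisualZone or CVTWIN; `split_fields`, `LogFollower` and the sample log lines are hypothetical, and the field layout is assumed for illustration.

```python
import os
import tempfile

def split_fields(line):
    """Split a log line on TAB (3.0 default) or, if no TAB is present, on comma (pre-3.0)."""
    line = line.rstrip("\r\n")
    delim = "\t" if "\t" in line else ","
    return [field.strip() for field in line.split(delim)]

class LogFollower:
    """Return only new, complete lines on each poll, surviving log archiving."""

    def __init__(self, path):
        self.path = path
        self.offset = 0      # bytes already consumed
        self.first = None    # first line seen, used to spot a replaced file

    def poll(self):
        try:
            with open(self.path, "rb") as fh:
                data = fh.read()
        except FileNotFoundError:
            self.offset, self.first = 0, None   # archived, not yet recreated
            return []
        first = data.split(b"\n", 1)[0] if b"\n" in data else None
        if len(data) < self.offset or (self.first is not None and first != self.first):
            self.offset = 0                     # file was archived and restarted
        self.first = first
        end = data.rfind(b"\n") + 1             # ignore a half-written last line
        new, self.offset = data[self.offset:end], end
        return [split_fields(l) for l in new.decode("latin-1").splitlines() if l.strip()]

# Constructed sample lines; the field layout is assumed for illustration.
OLD = b"FWIN,2002/03/09,19:31:36,192.0.2.10:1025,198.51.100.7:80,TCP\r\n"
NEW = b"FWIN\t2002/03/10\t00:05:12\t192.0.2.44:3301\t198.51.100.7:137\tUDP\r\n"

def demo():
    path = os.path.join(tempfile.mkdtemp(), "Zalog.txt")
    follower = LogFollower(path)
    with open(path, "wb") as fh:
        fh.write(OLD * 2)
    before = follower.poll()                    # two comma-delimited records
    with open(path, "wb") as fh:                # simulate archive + fresh log
        fh.write(NEW)
    after = follower.poll()                     # one TAB-delimited record
    return before, after

if __name__ == "__main__":
    print(demo())
```

Entries written between the last poll and the moment the file is archived are still lost with this approach, so the poll interval should be short relative to the logging rate.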



