SANS ISC: ZoneAlarm Pro Version 3 Firewall Setup

Right-click the ZoneAlarm icon in your task bar. Select Restore ZoneAlarm Pro Control Center. You should see:

Screenshot of ZoneAlarm 3 log configuration

Click on Alerts and Logs.

Screenshot of ZoneAlarm 3 Alerts and Logs configuration

  • Make sure that "Event Logging" is turned ON (the default).
  • Make sure that "Program Logging" is set to HIGH.
    • Also click on the "Custom" button, click "Check All" to enable all options and click OK.

Then click on Advanced.

Screenshot of ZoneAlarm 3 log configuration

Check all the "Log" events, because we want everything logged. But because you probably don't want to see pop-up alerts for all this stuff, only check the "Alert" events for the events that you want to be alerted to. Then click OK.

Then select the Log Control tab.

Screenshot of ZoneAlarm 3 log configuration

Make sure that "Archive log files every 1 days" is checked. Change the "days" spin control from "1" to "30".

This is currently problematic. Archiving renames ZALog.txt to a date-stamped filename that CVTWIN (and VisualZone) won't know about. But if you don't enable archiving, ZoneAlarm won't write any ZALog.txt log file at all. So the best compromise is to enable archiving but set it to the maximum interval possible, which is 30 days. You can minimize data loss when ZoneAlarm "archives" if you can determine the time of day at which ZoneAlarm archives the log and then set the time that the Task Manager will run CVTWIN to be just before that time.
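To act on the timing advice above, here is an added Python example (not from the ISC page, ZoneAlarm or CVTWIN) that estimates the time of day at which the date-stamped archives are written from their modification times and suggests a Task Manager run time shortly before it. It assumes the archives are kept next to ZALog.txt with a "ZALog" name prefix; the sample timestamps are constructed.

```python
# Added example (not from the ISC page, ZoneAlarm or CVTWIN): estimate when
# ZoneAlarm archives ZALog.txt so a CVTWIN run can be scheduled just before it.
import os
import statistics
from datetime import datetime, time
from pathlib import Path

# Assumption: archived logs sit beside ZALog.txt and keep the "ZALog" prefix
# with a date stamp in the name; the exact pattern is not documented on the page.
LOG_DIR = Path(r"C:\WINDOWS\Internet Logs")
LIVE_LOG = "ZALog.txt"

# Constructed sample: three archives written shortly after 02:00 plus one outlier.
SAMPLE_MTIMES = [
    datetime(2004, 1, 1, 2, 3), datetime(2004, 1, 31, 2, 4),
    datetime(2004, 3, 2, 2, 2), datetime(2004, 4, 1, 14, 30),
]


def archive_mtimes(log_dir: Path = LOG_DIR) -> list[datetime]:
    """Modification times of every archived (date-stamped) log in log_dir."""
    times = []
    for entry in os.scandir(log_dir):
        if entry.is_file() and entry.name.lower().startswith("zalog") and entry.name != LIVE_LOG:
            times.append(datetime.fromtimestamp(entry.stat().st_mtime))
    return times


def infer_archive_minute(mtimes: list[datetime]) -> int:
    """Typical time of day (minutes after midnight) at which archives are written.

    The median is used so a single odd archive (e.g. after a reboot) does not skew it.
    """
    if not mtimes:
        raise ValueError("no archived logs found; archiving may be disabled")
    return int(statistics.median(t.hour * 60 + t.minute for t in mtimes))


def suggested_run_time(archive_minute: int, lead_minutes: int = 10) -> time:
    """Clock time to schedule CVTWIN: lead_minutes before the archive, wrapping at midnight."""
    run_minute = (archive_minute - lead_minutes) % (24 * 60)
    return time(hour=run_minute // 60, minute=run_minute % 60)


if __name__ == "__main__":
    archive_at = infer_archive_minute(SAMPLE_MTIMES)
    print("archives at about %02d:%02d" % divmod(archive_at, 60))
    print("schedule CVTWIN at", suggested_run_time(archive_at).strftime("%H:%M"))
```

Replace SAMPLE_MTIMES with archive_mtimes() once a few real archives have accumulated in the log directory.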

Log Archive Location defines where ZoneAlarm saves the log file that CVTWIN needs to read in order to convert it to DShield format. The default location is "C:\WINDOWS\Internet Logs\ZALogs.txt". This is what you enter in CVTWIN's Configuration dialog for the log location.

You can choose any of the Tab, Comma, or Semicolon options under Log Archive Appearance. CVTWIN will work with any of these.

Click on OK.

Thanks to Rob Vandenberg of VisualizeSoftware for helping with this. Thanks to Peter Stendahl-Juvonen for some much needed corrections, after I mangled some of the information that Rob told me.