Firewall Log Format
Applicable Version: 10.00 onwards
Overview
Cyberoam provides extensive logging capabilities for traffic, system and network protection functions.
Detailed log information and reports provide historical as well as current analysis of network activity to
help identify security issues and reduce network misuse and abuse.
Once Cyberoam has been configured to send logs to an external syslog server, it forwards firewall logs to
that server in the format given below.
For instructions on configuring Cyberoam to send logs to an external syslog server, refer to the article
How To Configure Syslog Server.
For instructions on configuring Cyberoam to forward logs, refer to the article How To Enable Logging and
Forward Logs to Syslog.
Log Structure
Log ID
The Log ID is a unique 12-character code (c1c2c3c4c5c6c7c8c9c10c11c12), e.g. 0101011, 0102011, where:
c1c2 - Log Type ID
c3c4 - Log Component ID
c5c6 - Log Sub Type ID
c7 - Priority
c8c9c10c11c12 - Message ID
The sample logs below show complete values, e.g. log_id=010101600001 (type 01, component 01, subtype 01,
priority 6, message 00001).
Log Type

Log Type ID  Log Type
01           Firewall
02           IPS
03           Anti Virus
04           Anti Spam
05           Content Filtering
06           Event
07           WAF

Log Component

Log Component ID  Log Component
01                Firewall Rule
02                Invalid Traffic
03                Appliance Access
04                DoS Attack
05                ICMP Redirection
06                Source Routed
07                Anomaly
08                Signatures
09                HTTP
10                FTP
11                SMTP
12                POP3
13                IMAP4
14                Fragmented Traffic
15                Invalid Fragmented Traffic
16                HA
17                Foreign Host
18                IPMAC Filter
19                IP Spoof
20                GUI
21                CLI
22                LCD
23                CCC
24                IM
25                IPSec
26                L2TP
27                PPTP
28                SSLVPN
29                Firewall Authentication
30                VPN Authentication
31                SSL VPN Authentication
32                My Account Authentication
33                Appliance
34                DHCP server
35                Interface
36                Gateway
37                DDNS
38                WebCat
39                IPS
40                AV
41                Dial-In Authentication
42                Dial-In
43                Quarantine
44                Application filter
45                Landing Page
46                WLAN
47                ARP Flood
48                HTTPS
49                Guest User
50                WAF
51                Virtual Host
52                CTA
53                NTLM

Log Subtype

Log Subtype ID  Sub Type
01              Allowed
02              Denied
03              Detect
04              Drop
05              Clean
06              Virus
07              Spam
08              Probable Spam
09              Admin
10              Authentication
11              System

Priority

Priority  Description
0         Emergency
1         Alert
2         Critical
3         Error
4         Warning
5         Notification
6         Information
7         Debug

Message ID

Message ID  Message                                                                                      Log Component
00001       Firewall Traffic Allowed                                                                     Firewall Rule
00002       Firewall Traffic Denied                                                                      Firewall Rule
01001       Invalid traffic dropped                                                                      Invalid Traffic
01301       Fragmented traffic denied                                                                    Fragmented Traffic
01601       Invalid fragmented traffic denied                                                            Invalid Fragmented Traffic
02001       Local ACL traffic allowed                                                                    Local ACL
02002       Local ACL traffic denied                                                                     Local ACL
03001       DoS attack dropped                                                                           DoS Attack
04001       ICMP Redirected packet dropped                                                               ICMP Redirection
05001       Source Routed packet dropped                                                                 Source Routed
05051       Foreign Host denied                                                                          Foreign Host
05101       IPMAC pair denied                                                                            IPMAC Filter
05151       IP Spoof denied                                                                              IP Spoof
05201       SSL VPN Resource Access Denied                                                               SSL VPN
05301       ARP Flood traffic denied                                                                     ARP Flood
05401       Traffic for Virtual Host is denied, No Internal server is available to process the traffic.  Virtual Host
Sample Logs
Event: Firewall Traffic Allowed
Component: Firewall Rule
Sample Log:
date=2013-08-07 time=15:00:38 timezone="IST" device_name="CR500ia" device_id=C070123456-ABCDEF log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=4 user_name="john.smith" user_gp="Cyberoam General Department_grp" iap=7 ips_policy_id=0 appfilter_policy_id=16 application="Skype Services" in_interface="PortG.5" out_interface="PortB" src_mac=00: 0:00: 0:00: 0 src_ip=172.16.16.79 src_country_code= dst_ip=192.168.2.4 dst_country_code=USA protocol="UDP" src_port=20796 dst_port=40025 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=203.88.165.23 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" dstzonetype="" dir_disp="" connevent="Start" connid="2254113600" vconnid=""

Event: Firewall Traffic Denied
Component: Firewall Rule
Sample Log:
date=2013-08-07 time=13:25:27 timezone="IST" device_name="CR500ia" device_id=C070123456-ABCDEF log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=3 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" in_interface="PortG.16" out_interface="PortB" src_mac=00:0d:48:0a:05:45 src_ip=172.16.16.95 src_country_code= dst_ip=192.168.5.2 dst_country_code= protocol="UDP" src_port=42288 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" dstzonetype="" dir_disp="" connid="" vconnid=""

Event: Local ACL traffic allowed
Component: Local ACL
Sample Log:
date=2013-08-07 time=13:24:57 timezone="IST" device_name="CR500ia" device_id=C070123456-ABCDEF log_id=010301602001 log_type="Firewall" log_component="Appliance Access" log_subtype="Allowed" status="Allow" priority=Information duration=30 fw_rule_id=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" in_interface="PortG.2" out_interface="" src_mac=00: 0:00: 0:00: 0 src_ip=172.16.16.54 src_country_code= dst_ip=192.168.52.31 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=1 recv_pkts=1 sent_bytes=212 recv_bytes=212 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" dstzonetype="" dir_disp="" connevent="Stop" connid="3153155488" vconnid=""

Event: Local ACL traffic denied
Component: Local ACL
Sample Log:
date=2013-08-07 time=13:25:27 timezone="IST" device_name="CR500ia" device_id=C070100126-VW717U log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" in_interface="PortG.4" out_interface="" src_mac=d0:27:88:d6:4c:b0 src_ip=10.104.1.150 src_country_code= dst_ip=255.255.255.255 dst_country_code= protocol="UDP" src_port=47779 dst_port=8167 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" dstzonetype="" dir_disp="" connid="" vconnid=""

Event: IP Spoof denied
Component: IP Spoof
Sample Log:
date=2013-08-07 time=13:25:27 timezone="IST" device_name="CR500ia" device_id=C070100126-VW717U log_id=011902605151 log_type="Firewall" log_component="IP Spoof" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" in_interface="" out_interface="" src_mac= src_ip=172.17.16.254 src_country_code= dst_ip=172.17.16.30 dst_country_code= protocol="ICMP" icmp_type=0 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" dstzonetype="" dir_disp="" connid="" vconnid=""
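The sample logs above are space-separated key=value pairs in which a value is either double-quoted or bare, and a bare value may be empty (src_country_code=) or, as src_mac shows, contain spaces. The following parser is an added example written for this page, not code from Cyberoam or from the original article. It splits a line into fields, decodes log_id using the positional layout from the Log ID section, cross-checks the decoded values against the textual log_type, log_component, log_subtype and priority fields, and counts denied events per source IP from the log_id subtype rather than from free text. The lookup tables are transcribed from this document (LOG_COMPONENT and MESSAGE hold only the entries the samples need); the sample lines are constructed in the document's format from values in its sample logs, with fields trimmed.

```python
"""Parse Cyberoam firewall syslog lines and decode the 12-character log_id."""
import re
from collections import Counter

# Lookup tables transcribed from this document. LOG_COMPONENT and MESSAGE hold
# only the entries the sample lines below need; the document lists the rest.
LOG_TYPE = {"01": "Firewall", "02": "IPS", "03": "Anti Virus", "04": "Anti Spam",
            "05": "Content Filtering", "06": "Event", "07": "WAF"}
LOG_COMPONENT = {"01": "Firewall Rule", "02": "Invalid Traffic", "03": "Appliance Access",
                 "04": "DoS Attack", "17": "Foreign Host", "18": "IPMAC Filter",
                 "19": "IP Spoof", "47": "ARP Flood", "51": "Virtual Host"}
LOG_SUBTYPE = {"01": "Allowed", "02": "Denied", "03": "Detect", "04": "Drop",
               "05": "Clean", "06": "Virus", "07": "Spam", "08": "Probable Spam",
               "09": "Admin", "10": "Authentication", "11": "System"}
PRIORITY = {"0": "Emergency", "1": "Alert", "2": "Critical", "3": "Error",
            "4": "Warning", "5": "Notification", "6": "Information", "7": "Debug"}
MESSAGE = {"00001": "Firewall Traffic Allowed", "00002": "Firewall Traffic Denied",
           "02001": "Local ACL traffic allowed", "02002": "Local ACL traffic denied",
           "05151": "IP Spoof denied"}

# Constructed sample lines in the document's format (values taken from its sample
# logs, fields trimmed). Note the space-containing unquoted src_mac and the empty
# unquoted src_country_code, both of which a naive str.split() would mishandle.
SAMPLE_LOGS = [
    'date=2013-08-07 time=15:00:38 timezone="IST" device_name="CR500ia" '
    'device_id=C070123456-ABCDEF log_id=010101600001 log_type="Firewall" '
    'log_component="Firewall Rule" log_subtype="Allowed" status="Allow" '
    'priority=Information fw_rule_id=4 user_name="john.smith" '
    'src_mac=00: 0:00: 0:00: 0 src_ip=172.16.16.79 src_country_code= '
    'dst_ip=192.168.2.4 protocol="UDP" src_port=20796 dst_port=40025 vconnid=""',
    'date=2013-08-07 time=13:25:27 timezone="IST" device_name="CR500ia" '
    'device_id=C070123456-ABCDEF log_id=010102600002 log_type="Firewall" '
    'log_component="Firewall Rule" log_subtype="Denied" status="Deny" '
    'priority=Information fw_rule_id=3 user_name="" src_mac=00:0d:48:0a:05:45 '
    'src_ip=172.16.16.95 src_country_code= dst_ip=192.168.5.2 protocol="UDP" '
    'src_port=42288 dst_port=53 vconnid=""',
    'date=2013-08-07 time=13:24:57 timezone="IST" device_name="CR500ia" '
    'device_id=C070123456-ABCDEF log_id=010301602001 log_type="Firewall" '
    'log_component="Appliance Access" log_subtype="Allowed" status="Allow" '
    'priority=Information fw_rule_id=0 src_ip=172.16.16.54 dst_ip=192.168.52.31 '
    'protocol="ICMP" icmp_type=8 icmp_code=0 vconnid=""',
    'date=2013-08-07 time=13:25:27 timezone="IST" device_name="CR500ia" '
    'device_id=C070100126-VW717U log_id=011902605151 log_type="Firewall" '
    'log_component="IP Spoof" log_subtype="Denied" status="Deny" '
    'priority=Information fw_rule_id=0 src_mac= src_ip=172.17.16.254 '
    'dst_ip=172.17.16.30 protocol="ICMP" icmp_type=0 icmp_code=0 vconnid=""',
]

# key=value pairs: a value is either "quoted" or a bare run that extends lazily to
# the next ' key=' boundary or the end of the line, so bare values may be empty or
# contain spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(.*?))(?=\s+\w+=|$)')


def parse_line(line):
    """Return one log line as a dict of field name -> string value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line.strip())}


def decode_log_id(log_id):
    """Split a 12-digit log_id by the positional layout c1c2/c3c4/c5c6/c7/c8-c12."""
    if not re.fullmatch(r"\d{12}", log_id):
        raise ValueError("log_id must be exactly 12 digits: %r" % log_id)
    return {
        "log_type": LOG_TYPE.get(log_id[0:2], "unknown"),
        "log_component": LOG_COMPONENT.get(log_id[2:4], "unknown"),
        "log_subtype": LOG_SUBTYPE.get(log_id[4:6], "unknown"),
        "priority": PRIORITY.get(log_id[6], "unknown"),
        "message": MESSAGE.get(log_id[7:12], "unknown"),
    }


def inconsistencies(rec):
    """Names of textual fields that disagree with what the record's log_id encodes."""
    decoded = decode_log_id(rec["log_id"])
    return [f for f in ("log_type", "log_component", "log_subtype", "priority")
            if rec.get(f) != decoded[f]]


def denied_by_source(lines):
    """Count denied events per source IP, keyed on the log_id subtype code."""
    counts = Counter()
    for rec in map(parse_line, lines):
        if decode_log_id(rec["log_id"])["log_subtype"] == "Denied":
            counts[rec["src_ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rec = parse_line(line)
        print(rec["log_id"], decode_log_id(rec["log_id"]), inconsistencies(rec))
    print(denied_by_source(SAMPLE_LOGS))
```

Decoding log_id instead of matching on log_subtype or status text keeps a collector independent of wording changes between appliance versions; the inconsistencies check is worth running on real feeds to confirm the transcribed tables match what the appliance emits.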
Log Fields and Description
Note that the sample logs above emit several of these fields under shorter keys: fw_rule_id, user_gp, recv_pkts, tran_src_ip, tran_src_port, tran_dst_ip, tran_dst_port, connevent, connid and vconnid. The samples also show protocol as a quoted name (e.g. "UDP") rather than a number, and empty values appear either as "" or as a bare key with nothing after the equals sign.

Field                Type     Description
date                 date     Date (yyyy-mm-dd) when the event occurred
time                 time     Time (hh:mm:ss) when the event occurred
timezone             string   Time zone set on the appliance, e.g. IST
device_name          string   Model number of the appliance
device_id            string   Unique identifier of the appliance
log_id               string   Unique 12-character code (c1c2c3c4c5c6c7c8c9c10c11c12), e.g. 0101011, 0102011
                              c1c2 - Log Type, e.g. 01 for firewall log
                              c3c4 - Log Component, i.e. firewall / local ACL / DoS Attack etc.
                              c5c6 - Log Sub Type, i.e. allow / violation
                              c7 - Priority, e.g. 0 for Emergency
                              c8c9c10c11c12 - Message ID, e.g. 00001 for traffic allowed by firewall
log_type             string   Type of event, e.g. firewall event
log_component        string   Component responsible for logging, e.g. Firewall rule
log_subtype          string   Sub type of event
status               string   Ultimate status of traffic: allowed or denied
priority             string   Severity level of traffic
duration             integer  Duration of the traffic (seconds)
firewall_rule_id     integer  Firewall rule ID, i.e. the firewall rule applied to the traffic
user_name            string   User name
user_group           string   Group ID of the user
iap                  integer  Internet Access Policy ID applied to the traffic
ips_policy_id        integer  IPS policy ID applied to the traffic
appfilter_policy_id  integer  Application Filter Policy applied to the traffic
application          string   Application name
in_interface         string   Interface for incoming traffic, e.g. Port A. Blank for outgoing traffic
out_interface        string   Interface for outgoing traffic, e.g. Port B. Blank for incoming traffic
src_ip               string   Original source IP address of traffic
src_mac              string   Original source MAC address of traffic
src_country_code     string   Code of the country to which the source IP belongs
dst_ip               string   Original destination IP address of traffic
dst_country_code     string   Code of the country to which the destination IP belongs
protocol             integer  Protocol number of traffic
src_port             integer  Original source port of TCP and UDP traffic
dst_port             integer  Original destination port of TCP and UDP traffic
icmp_type            integer  ICMP type of ICMP traffic
icmp_code            integer  ICMP code of ICMP traffic
sent_pkts            integer  Total number of packets sent
received_pkts        integer  Total number of packets received
sent_bytes           integer  Total number of bytes sent
recv_bytes           integer  Total number of bytes received
trans_src_ip         integer  Translated source IP address for outgoing traffic. Applicable only in route mode.
                              Possible values:
                              ""          When the appliance is deployed in Bridge mode or source IP address translation is not done
                              IP Address  IP address with which the original source IP address is translated
trans_src_port       integer  Translated source port for outgoing traffic. Applicable only in route mode.
                              Possible values:
                              ""          When the appliance is deployed in Bridge mode or source port translation is not done
                              Port        Port with which the original port is translated
trans_dst_ip         integer  Translated destination IP address for outgoing traffic. Applicable only in route mode.
                              Possible values:
                              ""          When the appliance is deployed in Bridge mode or destination IP address translation is not done
                              IP Address  IP address with which the original destination IP address is translated
trans_dst_port       integer  Translated destination port for outgoing traffic. Applicable only in route mode.
                              Possible values:
                              "N/A"       When the appliance is deployed in Bridge mode or destination port translation is not done
                              Port        Port with which the original port is translated
srczonetype          string   Type of source zone, e.g. LAN
dstzonetype          string   Type of destination zone, e.g. WAN
dir_disp             string   Packet direction. Possible values: org, reply,
connection_event              Event on which this log is generated
conn_id              integer  Unique identifier of the connection
vconn_id             integer  Connection ID of the master connection
Document Version: 1.0 16/08/2013