Firewall Log Format. Log ID is a Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11c12) e.g ,

Transcription

1 Firewall Log Format Applicable Version: onwards Overview Cyberoam provides extensive logging capabilities for traffic, system and network protection functions. Detailed log information and reports provide historical as well as current analysis of network activity to help identify security issues and reduce network misuse and abuse. Once you have configured Cyberoam to send logs to external syslog server, Cyberoam forwards Firewall logs to syslog server in the below given format. To know how to configure Cyberoam to send logs to external syslog server, refer to the article How To Configure Syslog Server. To know how to configure Cyberoam to forward logs, refer to the article How To Enable Logging and Forward Logs to Syslog. Log Structure Log ID Log ID is a Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11c12) e.g , Where: c1c2 - Log Type ID c3c4 - Log Component ID c5c6 - Log Sub Type ID c7 - Priority c8c9c10c11c12 - Message ID Log Type Log Component Log Type ID Log Type 01 Firewall 02 IPS 03 Anti Virus 04 Anti Spam 05 Content Filtering 06 Event 07 WAF Log Component ID Log Component 01 Firewall Rule 02 Invalid Traffic 03 Appliance Access

2 04 DoS Attack 05 ICMP Redirection 06 Source Routed 07 Anomaly 08 Signatures 09 HTTP 10 FTP 11 SMTP 12 POP3 13 IMAP4 14 Fragmented Traffic 15 Invalid Fragmented Traffic 16 HA 17 Foreign Host 18 IPMAC Filter 19 IP Spoof 20 GUI 21 CLI 22 LCD 23 CCC 24 IM 25 IPSec 26 L2TP 27 PPTP 28 SSLVPN 29 Firewall Authentication 30 VPN Authentication 31 SSL VPN Authentication 32 My AccountAuthentication 33 Appliance 34 DHCP server 35 Interface 36 Gateway 37 DDNS 38 WebCat 39 IPS 40 AV 41 Dial-In Authentication 42 Dial-In 43 Quarantine 44 Application filter 45 Landing Page 46 WLAN 47 ARP Flood 48 HTTPS 49 Guest User 50 WAF 51 Virtual Host Firewall Log Format

3 52 CTA 53 NTLM Log Subtype Log Subtype ID Sub Type 01 Allowed 02 Denied 03 Detect 04 Drop 05 Clean 06 Virus 07 Spam 08 Probable Spam 09 Admin 10 Authentication 11 System Priority Priority Description 0 Emergency 1 Alert 2 Critical 3 Error 4 Warning 5 Notification 6 Information 7 Debug Message ID Message ID Message Log Component Firewall Traffic Allowed Firewall Rule Firewall Traffic Denied Firewall Rule Invalid traffic dropped Invalid Traffic Fragmented traffic denied Fragmented Traffic Invalid fragmented traffic denied Invalid Fragmented Traffic Local ACL traffic allowed Local ACL Local ACL traffic denied Local ACL DoS attack dropped DoS Attack ICMP Redirected packet dropped ICMP Redirection Source Routed packet dropped Source Routed Foreign Host denied Foreign Host IPMAC pair denied IPMAC Filter

4 05151 IP Spoof denied IP Spoof SSL VPN Resource Access Denied SSL VPN ARP Flood traffic denied ARP Flood Traffic for Virtual Host <virtualhostname> is denied, No Internal server is available to process the traffic. Virtual Host Sample Logs Event: Firewall Traffic Allowed Component: Firewall Rule date= time=15:00:38 timezone="ist" device_name="cr500ia" device_id=c abcdef log_id= log_type="firewall" log_component="firewall Rule" log_subtype="allowed" status="allow" priority=information duration=0 fw_rule_id=4 user_name="john.smith" user_gp="cyberoam General Department_grp" iap=7 ips_policy_id=0 appfilter_policy_id=16 application="skype Services" in_interface="portg.5" out_interface="portb" src_mac=00: 0:00: 0:00: 0 src_ip= src_country_code= dst_ip= dst_country_code=usa protocol="udp" src_port=20796 dst_port=40025 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" dstzonetype="" dir_disp="" connevent="start" connid=" " vconnid="" Event: Firewall Traffic Denied Component: Firewall Rule date= time=13:25:27 timezone="ist" device_name="cr500ia" device_id= C ABCDEF log_id= log_type="firewall" log_component="firewall Rule" log_subtype="denied" status="deny" priority=information duration=0 fw_rule_id=3 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" in_interface="portg.16" out_interface="portb" src_mac=00:0d:48:0a:05:45 src_ip= src_country_code= dst_ip= dst_country_code= protocol="udp" src_port=42288 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" dstzonetype="" dir_disp="" connid="" vconnid="" Event: Local ACL traffic allowed Component: Local ACL date= time=13:24:57 timezone="ist" device_name="cr500ia" device_id= C ABCDEF log_id= log_type="firewall" log_component="appliance Access" log_subtype="allowed" status="allow" priority=information duration=30 fw_rule_id=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" in_interface="portg.2" out_interface="" src_mac=00: 0:00: 0:00: 0 src_ip= src_country_code= dst_ip= dst_country_code= protocol="icmp" icmp_type=8 icmp_code=0 sent_pkts=1 recv_pkts=1 sent_bytes=212 recv_bytes=212 tran_src_ip=

5 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" dstzonetype="" dir_disp="" connevent="stop" connid=" " vconnid="" Event: Local ACL traffic denied Component: Local ACL date= time=13:25:27 timezone="ist" device_name="cr500ia" device_id=c vw717u log_id= log_type="firewall" log_component="appliance Access" log_subtype="denied" status="deny" priority=information duration=0 fw_rule_id=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" in_interface="portg.4" out_interface="" src_mac=d0:27:88:d6:4c:b0 src_ip= src_country_code= dst_ip= dst_country_code= protocol="udp" src_port=47779 dst_port=8167 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" dstzonetype="" dir_disp="" connid="" vconnid="" Event: IP Spoof denied Component: IP Spoof date= time=13:25:27 timezone="ist" device_name="cr500ia" device_id=c vw717u log_id= log_type="firewall" log_component="ip Spoof" log_subtype="denied" status="deny" priority=information duration=0 fw_rule_id=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" in_interface="" out_interface="" src_mac= src_ip= src_country_code= dst_ip= dst_country_code= protocol="icmp" icmp_type=0 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" dstzonetype="" dir_disp="" connid="" vconnid="" Log Fields and Description DATA FIELDS TYPE DESCRIPTION date date Date (yyyy-mm-dd) when the event occurred time time Time (hh:mm:ss) when the event occurred timezone string Time zone set on the appliance e.g. IST device_name string Model Number of the Appliance device_id string Unique Identifier of the Appliance log_id string Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11) e.g , c1c2 - Log Type e.g. 01 for firewall log c3c4 - Log Component i.e. firewall/local ACL/ DoS Attack etc. c5c6 - Log Sub Type i.e. allow/violation c7 - Priority e.g. 0 for Emergency c8c9c10c11 - Message ID e.g for traffic allowed by firewall log_type string Type of event e.g. firewall event log_component string Component responsible for logging e.g. Firewall rule log_subtype string Sub type of event status string Ultimate status of traffic allowed or denied

6 priority string Severity level of traffic duration integer Durability of traffic (seconds) firewall_rule_id integer Firewall rule id i.e. firewall rule id which is applied on the traffic user_name string User name user_group string Group Id of user iap integer Internet Access policy Id applied on the traffic ips_policy_id integer IPS policy ID applied on the traffic appfilter_policy_id Integer Application Filter Policy applied on the traffic application string Application name in_interface string Interface for incoming traffic e.g. Port A Blank for outgoing traffic out_interface string Interface for outgoing traffic e.g. Port B Blank for incoming traffic src_ip string Original Source IP address of traffic src_mac string Original source MAC address of traffic src_country_code string Code of the country to which the source IP belongs dst_ip string Original Destination IP address of traffic dst_country_code string Code of the country to which the destination IP belongs protocol integer Protocol number of traffic src_port integer Original Source Port of TCP and UDP traffic dst_port integer Original Destination Port of TCP and UDP traffic icmp_type integer ICMP type of ICMP traffic icmp_code integer ICMP code of ICMP traffic sent_pkts integer Total number of packets sent received_pkts integer Total number of packets received sent_bytes integer Total number of bytes sent recv_bytes integer Total number of bytes received trans_src_ ip integer Translated source IP address for outgoing traffic. It is applicable only in route mode. "" When appliance is deployed in Bridge mode or source IP address translation is not done IP Address IP Address with which the original source IP address is translated trans_src_port integer Translated source port for outgoing traffic. It is applicable only in route mode. "" When appliance is deployed in Bridge mode or source port translation is not done Port Port with which the original port is translated trans_dst_ip integer Translated Destination IP address for outgoing traffic. It is applicable only in route mode. "" When appliance is deployed in Bridge mode or destination IP address translation is not done IP Address IP Address with which the original destination IP address is translated trans_dst_port integer Translated Destination port for outgoing traffic. It is applicable only in route mode.

7 "N/A" When appliance is deployed in Bridge mode or destination port translation is not done Port Port with which the original port is translated srczonetype string Type of source zone e.g. LAN dstzonetype string Type of destination zone e.g. WAN dir_disp string Packet direction org, reply, connection_event Event on which this log is generated conn_id integer Unique identifier of connection vconn_id integer Connection ID of the master connection Document Version: /08/2013