Logs are written in the file relating to the type of log.
Audit logs are text files in UTF-8 format and follow the WELF standard. The WELF format is a sequence of elements, written in the form of field=value and separated by spaces. Values may be framed by double quotes.
A log corresponds to a line ending with a return carriage (CRLF).
id=firewall time="2011-01-27 13:24:28" fw="V50XXA0G0000002" tz=+0000 startime="2011-01-27 13:24:28" pri=4 srcif="Ethernet0" srcifname="out" ipproto=tcp proto=ssh src=192.168.0.1 srcport=54937 srcportname=ephemeral_fw dst=192.168.1.1 dstport=22 dstportname=ssh dstname=Firewall_out action=pass msg="Interactive connection detected" class=protocol classification=0 alarmid=85
In the next two sections, the description of logs will be presented as follows:
Description of the field
Format of the field. Example: “raw value”
Position in the Audit logs menu in the web administration interface in the following form: (menu > module ) column /sub-column
Value if different from the raw value.
The logs “l_server”, “l_auth”, “l_vpn” and “l_system” contain fields that are specific to the Stormshield Network firewalls. These particular fields, which do not belong to the WELF format, will be described in the section Specific fields.
Some log files, such as “l_filterstat” and “l_count”, which are used for the calculation of statistics, contain a very large number of specific fields.
They therefore correspond to a snapshot of the state of the Firewall. They are calculated and written at regular intervals.
Changing the time
When the time on the Firewall is changed, a specific line will be written in all the logs.
This line will contain in particular the fields “datechange” and “duration”. The “datechange” value in this case will be “1” to reflect the time change. As for the “duration” field, it will indicate the difference (in seconds) between the time on the Firewall before and after this change.
The other fields of this particular log are common to all logs (described in the following section).
id=firewall time="2012-01-01 01:00:00" fw="U800SXXXXXXXXXX" tz=+0100 startime="2012-01-01 01:00:17" datechange=1 duration=-18
In the Audit logs menu in the web administration interface, this log will appear in all modules highlighted in yellow.