Structure

Contents of log files

Each log is written to the file corresponding to its log type.

Audit logs are UTF-8 text files that follow the WELF standard. A WELF record is a sequence of elements written in the form field=value and separated by spaces. Values may be framed by double quotes (which is how a value containing spaces is carried).

One log corresponds to one line, ending with a carriage return and line feed (CRLF).

Example

id=firewall time="2011-01-27 13:24:28" fw="V50XXA0G0000002" tz=+0000 startime="2011-01-27 13:24:28" pri=4 srcif="Ethernet0" srcifname="out" ipproto=tcp proto=ssh src=192.168.0.1 srcport=54937 srcportname=ephemeral_fw dst=192.168.1.1 dstport=22 dstportname=ssh dstname=Firewall_out action=pass msg="Interactive connection detected" class=protocol classification=0 alarmid=85


In the next two sections, the description of logs will be presented as follows:

Field name

Description of the field

Format of the field. Example: "raw value"

Position in the Audit logs menu of the web administration interface, in the following form: (menu > module) column / sub-column

Value if different from the raw value.

The logs “l_server”, “l_auth”, “l_vpn” and “l_system” contain fields that are specific to the Stormshield Network firewalls. These particular fields, which do not belong to the WELF format, will be described in the section Specific fields.

Some log files, such as "l_filterstat" and "l_count", which are used for the calculation of statistics, contain a very large number of specific fields.

These files correspond to a snapshot of the state of the Firewall: their records are calculated and written at regular intervals rather than on each event.

Changing the time

When the time on the Firewall is changed, a specific line will be written in all the logs.

This line will contain in particular the fields “datechange” and “duration”. The “datechange” value in this case will be “1” to reflect the time change. As for the “duration” field, it will indicate the difference (in seconds) between the time on the Firewall before and after this change.

The other fields of this particular log are common to all logs (described in the following section).

Example

id=firewall time="2012-01-01 01:00:00" fw="U800SXXXXXXXXXX" tz=+0100 startime="2012-01-01 01:00:17" datechange=1 duration=-18

In the Audit logs menu of the web administration interface, this log appears in every module, highlighted in yellow.
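The following Python example is added here to illustrate the two points above: how a WELF line (field=value elements, space-separated, values optionally double-quoted, CRLF-terminated) is split into fields, and how the time-change record is recognised through its "datechange" and "duration" fields. It is not part of the original documentation or of any Stormshield tool; the two sample lines are constructed from the examples on this page, and the page does not define an escaping convention inside quoted values, so none is assumed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data in the WELF layout described on this page: one
# connection log and one time-change log, each terminated by CRLF.
SAMPLE_LOG = (
    'id=firewall time="2011-01-27 13:24:28" fw="V50XXA0G0000002" tz=+0000 '
    'startime="2011-01-27 13:24:28" pri=4 srcif="Ethernet0" srcifname="out" '
    'ipproto=tcp proto=ssh src=192.168.0.1 srcport=54937 srcportname=ephemeral_fw '
    'dst=192.168.1.1 dstport=22 dstportname=ssh dstname=Firewall_out action=pass '
    'msg="Interactive connection detected" class=protocol classification=0 alarmid=85\r\n'
    'id=firewall time="2012-01-01 01:00:00" fw="U800SXXXXXXXXXX" tz=+0100 '
    'startime="2012-01-01 01:00:17" datechange=1 duration=-18\r\n'
)

# One WELF element: a key, "=", then either a double-quoted value (may contain
# spaces) or a bare value running up to the next space. Quotes are stripped.
_ELEMENT = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def split_records(data: str) -> List[str]:
    """Split raw file content into one string per log.

    The page states that each log ends with CRLF; a bare LF is tolerated and
    blank lines are ignored so a partially written tail does not break parsing.
    """
    return [ln for ln in data.replace("\r\n", "\n").split("\n") if ln.strip()]


def parse_welf_line(line: str) -> Dict[str, str]:
    """Parse one WELF record into an ordered field -> value mapping."""
    record: Dict[str, str] = {}
    for match in _ELEMENT.finditer(line.rstrip("\r\n")):
        key, quoted, bare = match.group(1), match.group(2), match.group(3)
        record[key] = quoted if quoted is not None else bare
    return record


def is_time_change(record: Dict[str, str]) -> bool:
    """A time-change log carries datechange=1 (see the section above)."""
    return record.get("datechange") == "1"


def time_change_seconds(record: Dict[str, str]) -> int:
    """Difference in seconds between the old and new Firewall time."""
    return int(record["duration"])


def time_change_events(data: str) -> List[Tuple[str, int]]:
    """Return (time, duration) for every time-change record in the data.

    Useful when correlating logs: a clock shift of |duration| seconds means
    timestamps on either side of this record are not directly comparable.
    """
    events = []
    for line in split_records(data):
        rec = parse_welf_line(line)
        if is_time_change(rec):
            events.append((rec.get("time", ""), time_change_seconds(rec)))
    return events


if __name__ == "__main__":
    for line in split_records(SAMPLE_LOG):
        rec = parse_welf_line(line)
        kind = "TIME CHANGE" if is_time_change(rec) else "log"
        print(f"{kind}: {len(rec)} fields, time={rec.get('time')}")
    print("time-change events:", time_change_events(SAMPLE_LOG))
```

The parser keeps every value as a string, which is deliberate: the raw value is what the documentation tables list, and any conversion (ports to integers, "duration" to seconds) is done only where the meaning of the field is known.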