Fields specific to the “l_alarm” log

The fields described below appear in the web administration interface of the firewall under the Monitoring > Logs - Audit logs module, in the views: All logs, Alarms, Filtering and System events.

action

Behavior associated with the filter rule.

Value: “pass” or “block

Action

msg

Text message explaining the alarm.

String of characters in UTF-8 format. Example: “Port probe

Message

class

Information about the alarm’s category.

String of characters in UTF-8 format. Example: “protocol”, “system”, “filter”…

Context

classification

Code number indicating alarm category.

Example: "0"

Classification

Example: "Application"

pktlen

Size of the network packet that activated the alarm (in bytes).

Example: "133"

Packet size

pktdumplen

Size of the packet captured for deeper analysis by a third-party tool. This value may differ from the value of the “pktlen” field.

Example: "133"

Size of the packet captured

pktdump

Network packet captured and encoded in hexadecimal for deeper analysis by a third-party tool.

Example: “450000321fd240008011c2f50a00007b0a3c033d0035c

Captured packet

alarmid

Stormshield Network alarm ID

Decimal format. Example: "85"

Alarm ID

repeat

Number of occurrences of the alarm over a given period.

Decimal format. Example: "4"

Available from: SNS v1.0.0.

Repeat

icmpcode

Code number of the icmp message.

Example: “1” (meaning “Destination host unreachable”).

Available from: SNS v1.0.0.

ICMP code

icmptype

Number of the type of icmp message.

Example: “3” (meaning “Destination unreachable”).

Available from: SNS v1.0.0.

ICMP type
domain

Authentication method used or LDAP directory of the user authenticated by the firewall.

String of characters in UTF-8 format.

Example: domain="documentation.stormshield.eu"

Available from: SNS v3.0.0.

Method or directory
risk

Risk relating to the connection. This value contributes to the reputation score of the connection's source host.

Value: between 1 (low risk) and 100 (very high risk).

Example: risk=20

Available from: SNS v3.0.0.

Risk
target

Shows whether the src or dst fields correspond to the target of the packet that had raised the alarm.

Values: "src" or "dst"

Available from: SNS v3.0.0.