Fields specific to the “l_alarm” log
The fields described below appear in the web administration interface of the firewall under the Monitoring > Logs - Audit logs module, in the views: All logs, Alarms, Filtering and System events.
| Field | Description | Name in the web interface |
|---|---|---|
| action | Behavior associated with the filter rule. Value: "pass" or "block". | Action |
| msg | Text message explaining the alarm. String of characters in UTF-8 format. Example: "Port probe" | Message |
| class | Information about the alarm's category. String of characters in UTF-8 format. Examples: "protocol", "system", "filter"... | Context |
| classification | Code number indicating the alarm category. Example: "0" | Classification. Example: "Application" |
| pktlen | Size of the network packet that activated the alarm (in bytes). Example: "133" | Packet size |
| pktdumplen | Size of the packet captured for deeper analysis by a third-party tool. This value may differ from the value of the "pktlen" field. Example: "133" | Size of the packet captured |
| pktdump | Network packet captured and encoded in hexadecimal for deeper analysis by a third-party tool. Example: "450000321fd240008011c2f50a00007b0a3c033d0035c" | Captured packet |
| alarmid | Stormshield Network alarm ID. Decimal format. Example: "85" | Alarm ID |
| repeat | Number of occurrences of the alarm over a given period. Decimal format. Example: "4". Available from: SNS v1.0.0. | Repeat |
| icmpcode | Code number of the ICMP message. Example: "1" (meaning "Destination host unreachable"). Available from: SNS v1.0.0. | ICMP code |
| icmptype | Number of the type of ICMP message. Example: "3" (meaning "Destination unreachable"). Available from: SNS v1.0.0. | ICMP type |
| domain | Authentication method used or LDAP directory of the user authenticated by the firewall. String of characters in UTF-8 format. Example: domain="documentation.stormshield.eu". Available from: SNS v3.0.0. | Method or directory |
| risk | Risk relating to the connection. This value contributes to the reputation score of the connection's source host. Value: between 1 (low risk) and 100 (very high risk). Example: risk=20. Available from: SNS v3.0.0. | Risk |
| target | Shows whether the src or dst field corresponds to the target of the packet that raised the alarm. Values: "src" or "dst". Available from: SNS v3.0.0. | Target |
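The following is an added example, not Stormshield code, showing how a SIEM-side parser might consume these fields. It assumes that l_alarm records are written as space-separated key=value pairs with double-quoted string values (the `domain="..."` and `risk=20` examples above use that form); the two sample records are constructed from the example values in the table, and the ICMP type/code meanings come from RFC 792. The `pktdump` example on the page has an odd number of hex digits, so the decoder treats it as a truncated capture, which also shows why `pktdumplen` is worth comparing against the bytes actually received.

```python
"""Parse Stormshield SNS l_alarm records into typed dicts and decode pktdump."""
import ipaddress
import re
import struct

# Constructed sample records (assumption: SNS writes logs as space-separated
# key=value pairs with double-quoted strings; only l_alarm fields are used).
SAMPLE_FILTER_ALARM = (
    'action=block msg="Port probe" class=protocol classification=0 '
    'pktlen=133 pktdumplen=133 '
    'pktdump=450000321fd240008011c2f50a00007b0a3c033d0035c '
    'alarmid=85 repeat=4 domain="documentation.stormshield.eu" '
    'risk=20 target=src'
)
SAMPLE_ICMP_ALARM = (
    'action=pass msg="ICMP unreachable" class=protocol classification=0 '
    'alarmid=85 repeat=1 icmptype=3 icmpcode=1 risk=5 target=dst'
)

# Fields the table documents as numbers ("decimal format", sizes, codes).
INT_FIELDS = {"classification", "pktlen", "pktdumplen", "alarmid",
              "repeat", "icmpcode", "icmptype", "risk"}
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# RFC 792 meanings for the ICMP type/code pairs most often seen in alarms.
ICMP_NAMES = {
    (0, 0): "Echo reply",
    (3, 0): "Destination network unreachable",
    (3, 1): "Destination host unreachable",
    (3, 3): "Destination port unreachable",
    (8, 0): "Echo request",
    (11, 0): "TTL exceeded in transit",
}


def parse_l_alarm(line):
    """Split a key=value line; unquote strings and convert numeric fields."""
    rec = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        rec[key] = int(raw) if key in INT_FIELDS else raw
    return rec


def decode_pktdump(hex_dump):
    """Decode the IPv4 header of a pktdump; tolerate a truncated (odd) dump."""
    truncated = len(hex_dump) % 2 == 1
    data = bytes.fromhex(hex_dump[:-1] if truncated else hex_dump)
    info = {"captured_bytes": len(data), "truncated": truncated}
    if len(data) < 20 or data[0] >> 4 != 4:
        return info  # not enough bytes for an IPv4 header, or not IPv4
    ver_ihl, _tos, total_len, ident, frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    info.update(
        ihl=(ver_ihl & 0x0F) * 4, total_length=total_len, ip_id=ident,
        dont_fragment=bool(frag & 0x4000), ttl=ttl, protocol=proto,
        src=str(ipaddress.IPv4Address(src)),
        dst=str(ipaddress.IPv4Address(dst)),
    )
    l4 = data[(ver_ihl & 0x0F) * 4:]
    if proto in (6, 17) and len(l4) >= 4:  # TCP/UDP ports need 4 bytes
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


def check_l_alarm(rec):
    """Annotate a parsed record and return a list of consistency findings."""
    findings = []
    if rec.get("action") not in ("pass", "block"):
        findings.append("action must be pass or block")
    if rec.get("target") not in (None, "src", "dst"):
        findings.append("target must be src or dst")
    if "risk" in rec and not 1 <= rec["risk"] <= 100:
        findings.append("risk outside 1..100")
    if "icmptype" in rec:
        rec["icmp_meaning"] = ICMP_NAMES.get(
            (rec["icmptype"], rec.get("icmpcode", 0)), "unknown")
    if "pktdump" in rec:
        dump = decode_pktdump(rec["pktdump"])
        rec["pkt"] = dump
        if dump["truncated"] or dump["captured_bytes"] != rec.get("pktdumplen"):
            findings.append("pktdump length does not match pktdumplen")
    return findings


if __name__ == "__main__":
    for line in (SAMPLE_FILTER_ALARM, SAMPLE_ICMP_ALARM):
        record = parse_l_alarm(line)
        print(check_l_alarm(record), record)
```

Decoding the page's own `pktdump` example yields an IPv4 header from 10.0.0.123 to 10.60.3.61, protocol 17 (UDP), TTL 128 and a total length of 50, which is useful for correlating an alarm with packet captures from another tool; the 22 bytes recovered do not match the declared `pktdumplen` of 133, so the checker reports the mismatch instead of silently trusting the declared size.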