Understanding audit logs

Audit logs are WELF-compatible UTF-8 text files. The WELF format is a sequence of items, each written as field=value and separated by spaces. Values may be enclosed in double quotes.

A single log entry corresponds to one line terminated by a carriage return and line feed (CRLF).

Example

id=firewall time="2019-01-27 13:24:28" fw="V50XXA0G0000002" tz=+0000 startime="2011-01-27 13:24:28" pri=4 srcif="Ethernet0" srcifname="out" ipproto=tcp proto=ssh src=192.168.0.1 srcport=54937 srcportname=ephemeral_fw dst=192.168.1.1 dstport=22 dstportname=ssh dstname=Firewall_out action=pass msg="Interactive connection detected" class=protocol classification=0 alarmid=85
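Parsing a line in this format (one field=value item per space-separated token, quoted values allowed to contain spaces, CRLF terminator) as an added example that is not part of the original documentation. It assumes that a backslash inside a quoted value escapes the next character and that field names are limited to letters, digits, `_`, `.` and `-`; neither rule is stated on this page.

```python
import re
from typing import Dict, List

# Constructed sample: the example line above, with its CRLF terminator.
SAMPLE_LINE = ('id=firewall time="2019-01-27 13:24:28" fw="V50XXA0G0000002" tz=+0000 '
               'startime="2011-01-27 13:24:28" pri=4 srcif="Ethernet0" srcifname="out" '
               'ipproto=tcp proto=ssh src=192.168.0.1 srcport=54937 srcportname=ephemeral_fw '
               'dst=192.168.1.1 dstport=22 dstportname=ssh dstname=Firewall_out action=pass '
               'msg="Interactive connection detected" class=protocol classification=0 '
               'alarmid=85\r\n')

# One item: field name, '=', then either a double-quoted value (spaces allowed;
# backslash escapes the next character, which is an assumption) or a bare token.
_ITEM = re.compile(
    r'(?P<key>[A-Za-z0-9_.-]+)=(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>\S+))'
)

def parse_welf_line(line: str) -> Dict[str, str]:
    """Parse one WELF log line into a field -> value mapping.

    Raises ValueError on a token that is not a field=value item (for instance
    a quoted value whose closing quote is missing), rather than silently
    dropping part of the entry.
    """
    line = line.rstrip("\r\n")
    fields: Dict[str, str] = {}
    pos = 0
    while pos < len(line):
        if line[pos] == " ":          # items are separated by spaces
            pos += 1
            continue
        m = _ITEM.match(line, pos)
        if not m:
            raise ValueError(f"malformed WELF item at offset {pos}: {line[pos:pos + 20]!r}")
        if m.group("quoted") is not None:
            value = re.sub(r"\\(.)", r"\1", m.group("quoted"))   # drop escape backslashes
        else:
            value = m.group("bare")
        fields[m.group("key")] = value
        pos = m.end()
    return fields

def parse_welf_log(text: str) -> List[Dict[str, str]]:
    """Parse a whole log file: one entry per CRLF-terminated line, blanks skipped."""
    return [parse_welf_line(ln) for ln in text.split("\r\n") if ln.strip()]
```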

Log fields are listed in alphabetical order in the following sections. Each field is described in this format:

Field name

Description of the field
Format of the field. Example: “raw value”.

Example.

SNS version number in which the field appeared.

Name of the field in the administration interface, if different from the name that appears in log files.

The logs “l_server”, “l_auth”, “l_vpn” and “l_system” contain fields that are specific to Stormshield Network firewalls. These special fields, which are not in WELF format, are described in the section Specific fields.

Some log files, such as l_filterstat, l_routerstat and l_count, which are used to calculate statistics, contain a very large number of specific fields.

They are therefore closer to snapshots of the firewall's state than to event records: they are computed and written at regular intervals.