Understanding audit logs
Logs are written to their corresponding log files.
Audit logs are WELF-compatible UTF-8 text files. The WELF format is a sequence of items, written as field=value and separated by spaces. Values may be framed by double quotes.
A single log corresponds to one line terminated by a carriage return and line feed (CRLF).
Example
id=firewall time="1/27/2019 13:24:28" fw="V50XXA0G0000002" tz=+0000 startime="2011-01-27 13:24:28" pri=4 srcif="Ethernet0" srcifname="out" ipproto=tcp proto=ssh src=192.168.0.1 srcport=54937 srcportname=ephemeral_fw dst=192.168.1.1 dstport=22 dstportname=ssh dstname=Firewall_out action=pass msg="Interactive connection detected" class=protocol classification=0 alarmid=85
In the sections Common fields in all logs and Specific fields, logs are described as follows:
Field name | Description of the field
           | Format of the field. Example: "raw value"
           | Value if different from the raw value
The logs l_server, l_auth, l_vpn and l_system contain fields that are specific to Stormshield Network firewalls. These particular fields, which do not belong to the WELF format, will be described in the section Specific fields.
Some log files, such as l_filterstat, l_routerstat and l_count, which are used to calculate statistics, contain many specific fields.
They are therefore similar to snapshots of the state of the firewall. They are calculated and written at regular intervals.
When the time on the firewall is changed, a specific line will be written in all the logs.
This line contains the fields datechange and duration. The datechange value is "1" to flag the time change, and the duration field gives the difference, in seconds, between the time on the firewall before and after the change (negative when the clock was moved backwards).
The other fields of this log are common to all logs (described in the following section).
Example
id=firewall time="1/1/2019 01:00:00" fw="U800SXXXXXXXXXX" tz=+0100 startime="1/1/2019 01:00:17" datechange=1 duration=-18
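The two example lines above can be parsed with the WELF rules stated earlier on this page: items are field=value pairs separated by spaces, values may be double-quoted (and only quoted values may contain spaces), and each record ends in CRLF. The parser below is an added example, not Stormshield code; the sample lines are copied from the page, and the tolerance for backslash-escaped quotes inside a quoted value is an assumption, not something the page specifies. It also shows how the time-change line is recognised from datechange=1 and how its duration is read.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the two example lines from this page.
CONNECTION_LOG = (
    'id=firewall time="1/27/2019 13:24:28" fw="V50XXA0G0000002" tz=+0000 '
    'startime="2011-01-27 13:24:28" pri=4 srcif="Ethernet0" srcifname="out" '
    'ipproto=tcp proto=ssh src=192.168.0.1 srcport=54937 srcportname=ephemeral_fw '
    'dst=192.168.1.1 dstport=22 dstportname=ssh dstname=Firewall_out action=pass '
    'msg="Interactive connection detected" class=protocol classification=0 alarmid=85'
)
TIME_CHANGE_LOG = (
    'id=firewall time="1/1/2019 01:00:00" fw="U800SXXXXXXXXXX" tz=+0100 '
    'startime="1/1/2019 01:00:17" datechange=1 duration=-18'
)

# One WELF item: a key, '=', then either a double-quoted value (may contain
# spaces; backslash-escaped characters are tolerated, which is an assumption)
# or a bare value with no spaces and no quotes.
_ITEM = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^"\s]*))')


def parse_welf(line: str) -> Dict[str, str]:
    """Parse one WELF record into a dict of field -> value (quotes stripped).

    The scan is strict: every item must be followed by a space or the end of
    the line, so an unterminated quote or a stray quote raises ValueError
    instead of silently producing a truncated record.
    """
    line = line.rstrip("\r\n")
    fields: Dict[str, str] = {}
    pos = 0
    while pos < len(line):
        if line[pos] == " ":
            pos += 1
            continue
        m = _ITEM.match(line, pos)
        if not m or (m.end() < len(line) and line[m.end()] != " "):
            raise ValueError(f"malformed WELF item at offset {pos}: {line[pos:pos + 20]!r}")
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
        pos = m.end()
    return fields


def parse_log_file(text: str) -> List[Dict[str, str]]:
    """Split CRLF-terminated audit log text into one record per line."""
    return [parse_welf(raw) for raw in text.split("\r\n") if raw]


def time_change(fields: Dict[str, str]) -> Optional[int]:
    """Return the clock shift in seconds for a time-change line, else None.

    The page defines such a line by datechange=1 plus a duration field that
    holds the before/after difference in seconds.
    """
    if fields.get("datechange") != "1":
        return None
    return int(fields["duration"])


if __name__ == "__main__":
    for record in parse_log_file(CONNECTION_LOG + "\r\n" + TIME_CHANGE_LOG + "\r\n"):
        shift = time_change(record)
        if shift is None:
            print(f'{record["time"]} {record["src"]}:{record["srcport"]} -> '
                  f'{record["dst"]}:{record["dstport"]} {record["action"]} "{record["msg"]}"')
        else:
            print(f'{record["time"]} firewall clock changed by {shift:+d} s')
```

When reconstructing a timeline from these files, treat the datechange line as a boundary: timestamps before and after it differ by the reported duration, so the two segments should be shifted relative to each other before they are compared with events from other devices.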
In the Audit logs menu in the web administration interface, this log will appear in all modules highlighted in yellow.