Understanding audit logs

Logs are written to their corresponding log files.

Audit logs are WELF-compatible UTF-8 text files. The WELF format is a sequence of items, written as field=value and separated by spaces. Values may be framed by double quotes.

A single log corresponds to one line terminated by a carriage return and line feed (CRLF).

Example

id=firewall time="1/27/2019 13:24:28" fw="V50XXA0G0000002" tz=+0000 startime="2011-01-27 13:24:28" pri=4 srcif="Ethernet0" srcifname="out" ipproto=tcp proto=ssh src=192.168.0.1 srcport=54937 srcportname=ephemeral_fw dst=192.168.1.1 dstport=22 dstportname=ssh dstname=Firewall_out action=pass msg="Interactive connection detected" class=protocol classification=0 alarmid=85

In the sections Common fields in all logs and Specific fields, logs are described as follows:

Field name    Description of the field
              Format of the field. Example: "raw value"
              Value if different from the raw value.

The logs l_server, l_auth, l_vpn and l_system contain fields that are specific to Stormshield Network firewalls. These particular fields, which do not belong to the WELF format, will be described in the section Specific fields.

Some log files, such as l_filterstat, l_routerstat and l_count, which are used to calculate statistics, contain many specific fields.

They are therefore similar to snapshots of the state of the firewall. They are calculated and written at regular intervals.