Firewall Log Format

Applicable Version: 10.00 onwards


Overview
Cyberoam provides extensive logging capabilities for traffic, system and network protection functions.
Detailed log information and reports provide historical as well as current analysis of network activity to
help identify security issues and reduce network misuse and abuse.
Once you have configured Cyberoam to send logs to an external syslog server, Cyberoam forwards
firewall logs to the syslog server in the format given below.
To learn how to configure Cyberoam to send logs to an external syslog server, refer to the article How
To Configure Syslog Server.
To learn how to configure Cyberoam to forward logs, refer to the article How To Enable Logging
and Forward Logs to Syslog.

Log Structure

Log ID
Log ID is a unique 12-character code (c1c2c3c4c5c6c7c8c9c10c11c12), e.g. 0101011, 0102011, where:
c1c2 - Log Type ID
c3c4 - Log Component ID
c5c6 - Log Sub Type ID
c7 - Priority
c8c9c10c11c12 - Message ID

Log Type

Log Type ID   Log Type
01            Firewall
02            IPS
03            Anti Virus
04            Anti Spam
05            Content Filtering
06            Event
07            WAF

Log Component

Log Component ID   Log Component
01                 Firewall Rule
02                 Invalid Traffic
03                 Appliance Access
04                 DoS Attack
05                 ICMP Redirection
06                 Source Routed
07                 Anomaly
08                 Signatures
09                 HTTP
10                 FTP
11                 SMTP
12                 POP3
13                 IMAP4
14                 Fragmented Traffic
15                 Invalid Fragmented Traffic
16                 HA
17                 Foreign Host
18                 IPMAC Filter
19                 IP Spoof
20                 GUI
21                 CLI
22                 LCD
23                 CCC
24                 IM
25                 IPSec
26                 L2TP
27                 PPTP
28                 SSLVPN
29                 Firewall Authentication
30                 VPN Authentication
31                 SSL VPN Authentication
32                 My Account Authentication
33                 Appliance
34                 DHCP server
35                 Interface
36                 Gateway
37                 DDNS
38                 WebCat
39                 IPS
40                 AV
41                 Dial-In Authentication
42                 Dial-In
43                 Quarantine
44                 Application filter
45                 Landing Page
46                 WLAN
47                 ARP Flood
48                 HTTPS
49                 Guest User
50                 WAF
51                 Virtual Host
52                 CTA
53                 NTLM

Log Subtype

Log Subtype ID   Sub Type
01               Allowed
02               Denied
03               Detect
04               Drop
05               Clean
06               Virus
07               Spam
08               Probable Spam
09               Admin
10               Authentication
11               System

Priority

Priority   Description
0          Emergency
1          Alert
2          Critical
3          Error
4          Warning
5          Notification
6          Information
7          Debug

Message ID

Message ID   Message                                                                  Log Component
00001        Firewall Traffic Allowed                                                 Firewall Rule
00002        Firewall Traffic Denied                                                  Firewall Rule
01001        Invalid traffic dropped                                                  Invalid Traffic
01301        Fragmented traffic denied                                                Fragmented Traffic
01601        Invalid fragmented traffic denied                                        Invalid Fragmented Traffic
02001        Local ACL traffic allowed                                                Local ACL
02002        Local ACL traffic denied                                                 Local ACL
03001        DoS attack dropped                                                       DoS Attack
04001        ICMP Redirected packet dropped                                           ICMP Redirection
05001        Source Routed packet dropped                                             Source Routed
05051        Foreign Host denied                                                      Foreign Host
05101        IPMAC pair denied                                                        IPMAC Filter
05151        IP Spoof denied                                                          IP Spoof
05201        SSL VPN Resource Access Denied                                           SSL VPN
05301        ARP Flood traffic denied                                                 ARP Flood
05401        Traffic for Virtual Host <virtualhostname> is denied, No Internal        Virtual Host
             server is available to process the traffic.

Sample Logs
Event: Firewall Traffic Allowed
Component: Firewall Rule
Sample Log:
date=2013-08-07 time=15:00:38 timezone="IST" device_name="CR500ia"
device_id=C070123456-ABCDEF log_id=010101600001 log_type="Firewall"
log_component="Firewall Rule" log_subtype="Allowed" status="Allow"
priority=Information duration=0 fw_rule_id=4 user_name="john.smith"
user_gp="Cyberoam General Department_grp" iap=7 ips_policy_id=0
appfilter_policy_id=16 application="Skype Services" in_interface="PortG.5"
out_interface="PortB" src_mac=00: 0:00: 0:00: 0 src_ip=172.16.16.79
src_country_code= dst_ip=192.168.2.4 dst_country_code=USA protocol="UDP"
src_port=20796 dst_port=40025 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0
tran_src_ip=203.88.165.23 tran_src_port=0 tran_dst_ip= tran_dst_port=0
srczonetype="" dstzonetype="" dir_disp="" connevent="Start" connid="2254113600"
vconnid=""
Event: Firewall Traffic Denied
Component: Firewall Rule
Sample Log:
date=2013-08-07 time=13:25:27 timezone="IST" device_name="CR500ia"
device_id=C070123456-ABCDEF log_id=010102600002 log_type="Firewall"
log_component="Firewall Rule" log_subtype="Denied" status="Deny"
priority=Information duration=0 fw_rule_id=3 user_name="" user_gp="" iap=2
ips_policy_id=0 appfilter_policy_id=0 application="" in_interface="PortG.16"
out_interface="PortB" src_mac=00:0d:48:0a:05:45 src_ip=172.16.16.95
src_country_code= dst_ip=192.168.5.2 dst_country_code= protocol="UDP"
src_port=42288 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0
tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=""
dstzonetype="" dir_disp="" connid="" vconnid=""
Event: Local ACL traffic allowed
Component: Local ACL
Sample Log:
date=2013-08-07 time=13:24:57 timezone="IST" device_name="CR500ia"
device_id=C070123456-ABCDEF log_id=010301602001 log_type="Firewall"
log_component="Appliance Access" log_subtype="Allowed" status="Allow"
priority=Information duration=30 fw_rule_id=0 user_name="" user_gp="" iap=0
ips_policy_id=0 appfilter_policy_id=0 application="" in_interface="PortG.2"
out_interface="" src_mac=00: 0:00: 0:00: 0 src_ip=172.16.16.54 src_country_code=
dst_ip=192.168.52.31 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0
sent_pkts=1 recv_pkts=1 sent_bytes=212 recv_bytes=212 tran_src_ip=
tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" dstzonetype=""
dir_disp="" connevent="Stop" connid="3153155488" vconnid=""
Event: Local ACL traffic denied
Component: Local ACL
Sample Log:
date=2013-08-07 time=13:25:27 timezone="IST" device_name="CR500ia"
device_id=C070100126-VW717U log_id=010302602002 log_type="Firewall"
log_component="Appliance Access" log_subtype="Denied" status="Deny"
priority=Information duration=0 fw_rule_id=0 user_name="" user_gp="" iap=0
ips_policy_id=0 appfilter_policy_id=0 application="" in_interface="PortG.4"
out_interface="" src_mac=d0:27:88:d6:4c:b0 src_ip=10.104.1.150 src_country_code=
dst_ip=255.255.255.255 dst_country_code= protocol="UDP" src_port=47779
dst_port=8167 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=
tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" dstzonetype=""
dir_disp="" connid="" vconnid=""
Event: IP Spoof denied
Component: IP Spoof
Sample Log:
date=2013-08-07 time=13:25:27 timezone="IST" device_name="CR500ia"
device_id=C070100126-VW717U log_id=011902605151 log_type="Firewall"
log_component="IP Spoof" log_subtype="Denied" status="Deny" priority=Information
duration=0 fw_rule_id=0 user_name="" user_gp="" iap=0 ips_policy_id=0
appfilter_policy_id=0 application="" in_interface="" out_interface="" src_mac=
src_ip=172.17.16.254 src_country_code= dst_ip=172.17.16.30 dst_country_code=
protocol="ICMP" icmp_type=0 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0
recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0
srczonetype="" dstzonetype="" dir_disp="" connid="" vconnid=""
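The following parser, added here as an illustration and not part of the Cyberoam documentation, splits a forwarded log line into its key=value fields (handling quoted, unquoted and empty values as they appear in the samples above), decodes log_id with the Log Type, Log Subtype, Priority and (a subset of the) Log Component tables from this document, and flags a line whose text fields disagree with what its log_id encodes. The sample line is the "Firewall Traffic Denied" log above, joined onto one line.

```python
import re
# Lookup tables transcribed from the page's Log Type, Log Subtype and Priority tables.
LOG_TYPES = {"01": "Firewall", "02": "IPS", "03": "Anti Virus", "04": "Anti Spam",
             "05": "Content Filtering", "06": "Event", "07": "WAF"}
LOG_SUBTYPES = {"01": "Allowed", "02": "Denied", "03": "Detect", "04": "Drop",
                "05": "Clean", "06": "Virus", "07": "Spam", "08": "Probable Spam",
                "09": "Admin", "10": "Authentication", "11": "System"}
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notification", "Information", "Debug"]
# Subset of the page's 53-entry Log Component table: the components the sample logs use.
LOG_COMPONENTS = {"01": "Firewall Rule", "02": "Invalid Traffic",
                  "03": "Appliance Access", "04": "DoS Attack", "19": "IP Spoof"}
# Fields the page's field table types as integer (everything else stays a string).
INT_FIELDS = {"duration", "fw_rule_id", "iap", "ips_policy_id", "appfilter_policy_id",
              "src_port", "dst_port", "icmp_type", "icmp_code", "sent_pkts", "recv_pkts",
              "sent_bytes", "recv_bytes", "tran_src_port", "tran_dst_port"}
# A value is double-quoted (may hold spaces or be empty) or an unquoted, possibly empty, run.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def parse_log_line(line):
    """Split a Cyberoam key=value syslog line into a dict, converting integer fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        fields[key] = int(value) if key in INT_FIELDS and value.isdigit() else value
    return fields

def decode_log_id(log_id):
    """Expand the 12-digit log_id into its c1c2 / c3c4 / c5c6 / c7 / c8-c12 parts."""
    if not (len(log_id) == 12 and log_id.isdigit()):
        raise ValueError("log_id must be a 12-digit code: %r" % log_id)
    return {"log_type": LOG_TYPES.get(log_id[0:2], "unknown"),
            "log_component": LOG_COMPONENTS.get(log_id[2:4], "unknown"),
            "log_subtype": LOG_SUBTYPES.get(log_id[4:6], "unknown"),
            "priority": PRIORITIES[int(log_id[6])],
            "message_id": log_id[7:12]}

def check_log_id_consistency(fields):
    """Names of the text fields that disagree with what log_id encodes (empty = consistent)."""
    decoded = decode_log_id(fields["log_id"])
    return [k for k in ("log_type", "log_component", "log_subtype", "priority")
            if decoded[k] != fields.get(k)]

# Constructed input: the page's "Firewall Traffic Denied" sample, joined onto one line.
SAMPLE_DENIED = ('date=2013-08-07 time=13:25:27 timezone="IST" device_name="CR500ia" '
                 'log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" '
                 'log_subtype="Denied" status="Deny" priority=Information fw_rule_id=3 '
                 'user_name="" src_ip=172.16.16.95 src_country_code= dst_ip=192.168.5.2 '
                 'src_port=42288 dst_port=53 tran_src_ip= tran_dst_port=0 connid=""')
```

A non-empty list from check_log_id_consistency on a real feed usually means a table entry is missing from the lookup dictionaries (the full 53-entry component table) or the line was truncated in transit.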

Log Fields and Description

Note that several names in this table differ from the field names that appear in the sample logs above: firewall_rule_id appears as fw_rule_id, user_group as user_gp, received_pkts as recv_pkts, trans_src_ip/trans_src_port/trans_dst_ip/trans_dst_port as tran_src_ip/tran_src_port/tran_dst_ip/tran_dst_port, connection_event as connevent, conn_id as connid and vconn_id as vconnid.

Field (type) - Description

date (date) - Date (yyyy-mm-dd) when the event occurred
time (time) - Time (hh:mm:ss) when the event occurred
timezone (string) - Time zone set on the appliance, e.g. IST
device_name (string) - Model number of the appliance
device_id (string) - Unique identifier of the appliance
log_id (string) - Unique 12-character code (c1c2c3c4c5c6c7c8c9c10c11c12), e.g. 0101011, 0102011
    c1c2 - Log Type, e.g. 01 for firewall log
    c3c4 - Log Component, i.e. firewall / local ACL / DoS Attack etc.
    c5c6 - Log Sub Type, i.e. allow / violation
    c7 - Priority, e.g. 0 for Emergency
    c8c9c10c11c12 - Message ID, e.g. 00001 for traffic allowed by firewall
log_type (string) - Type of event, e.g. firewall event
log_component (string) - Component responsible for logging, e.g. Firewall rule
log_subtype (string) - Sub type of event
status (string) - Ultimate status of traffic: allowed or denied
priority (string) - Severity level of traffic
duration (integer) - Duration of traffic (seconds)
firewall_rule_id (integer) - ID of the firewall rule applied to the traffic
user_name (string) - User name
user_group (string) - Group ID of user
iap (integer) - Internet Access Policy ID applied to the traffic
ips_policy_id (integer) - IPS policy ID applied to the traffic
appfilter_policy_id (integer) - Application Filter Policy applied to the traffic
application (string) - Application name
in_interface (string) - Interface for incoming traffic, e.g. Port A; blank for outgoing traffic
out_interface (string) - Interface for outgoing traffic, e.g. Port B; blank for incoming traffic
src_ip (string) - Original source IP address of traffic
src_mac (string) - Original source MAC address of traffic
src_country_code (string) - Code of the country to which the source IP belongs
dst_ip (string) - Original destination IP address of traffic
dst_country_code (string) - Code of the country to which the destination IP belongs
protocol (integer) - Protocol number of traffic
src_port (integer) - Original source port of TCP and UDP traffic
dst_port (integer) - Original destination port of TCP and UDP traffic
icmp_type (integer) - ICMP type of ICMP traffic
icmp_code (integer) - ICMP code of ICMP traffic
sent_pkts (integer) - Total number of packets sent
received_pkts (integer) - Total number of packets received
sent_bytes (integer) - Total number of bytes sent
recv_bytes (integer) - Total number of bytes received
trans_src_ip (integer) - Translated source IP address for outgoing traffic. Applicable only in route mode.
    Possible values:
    "" - when the appliance is deployed in Bridge mode or source IP address translation is not done
    IP address - IP address with which the original source IP address is translated
trans_src_port (integer) - Translated source port for outgoing traffic. Applicable only in route mode.
    Possible values:
    "" - when the appliance is deployed in Bridge mode or source port translation is not done
    Port - port with which the original port is translated
trans_dst_ip (integer) - Translated destination IP address for outgoing traffic. Applicable only in route mode.
    Possible values:
    "" - when the appliance is deployed in Bridge mode or destination IP address translation is not done
    IP address - IP address with which the original destination IP address is translated
trans_dst_port (integer) - Translated destination port for outgoing traffic. Applicable only in route mode.
    Possible values:
    "N/A" - when the appliance is deployed in Bridge mode or destination port translation is not done
    Port - port with which the original port is translated
srczonetype (string) - Type of source zone, e.g. LAN
dstzonetype (string) - Type of destination zone, e.g. WAN
dir_disp (string) - Packet direction. Possible values: org, reply
connection_event - Event on which this log is generated
conn_id (integer) - Unique identifier of the connection
vconn_id (integer) - Connection ID of the master connection

Document Version: 1.0 16/08/2013
