Syslog descriptions
Sophos Firewall generates event logs for traffic, system activity, and network protection to support monitoring, troubleshooting, and security investigations.
You can store the logs locally in the firewall and view them in the Log viewer, or forward them to Sophos Central and external syslog servers.
This guide covers the syslog configuration, syslog IDs, supported log types, and message formats to help with reporting, analyzing, and log archiving.
Common fields' values and format
log_id consists of the following components in the following order:
| log type | log component | log subtype | severity | message ID |
|---|---|---|---|---|
| 2 digits | 2 digits | 2 digits | 1 digit | 5 digits |
Severity/Priority: 0=Emergency 1=Alert 2=Critical 3=Error 4=Warning 5=Notice 6=Information 7=Debug
Status: 0="", 1="Allow", 2="Deny", 3="Allow Session", 4="Deny Session", 5="Successful", 6="Failed", 7="Established", 8="Terminated", 9="Renew", 10="Release", 11="Expire", 12="Would deny", 13="Connected", 14="Disconnected", 15="Interim"
In the syslog configuration, the following modules are configured under Antivirus; their logs have log_type="Anti-Virus".
In the Log viewer these logs appear under Malware. Several components within the firewall log virus events.
Web Filter:
HTTP
HTTPS
FTP
IMAP
IMAPS
POP3
POPS
SMTPS
Antivirus (HTTP / HTTPS)
Antivirus (Web) Central Reporting Format
Field descriptions
Log format name under crformatter.conf is CR_http_av_log_fmt.
| Syslog field name | Name | Log viewer name | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
| log_type | N/A | log_type | String | | | Anti-Virus | |
| log_component | N/A | log_component | String | | | HTTP, HTTPS | |
| log_subtype | Log Subtype | log_subtype | String | | | Virus, PUA, Clean | |
| severity | N/A | N/A | String | | | Critical | |
| fw_rule_id | N/A | fw_rule_id | Number | int32 | | | |
| user_name | Username | user | String | 384 | | | |
| web_policy_id | N/A | web_policy_id | Number | int16 | The web policy that applies to this HTTP transaction | | |
| malware | Detection | virus | String | 256 | The name of the malware identified by the scan engine. If the malware was detected by Sandstorm, this will say Sandstorm. | | |
| url | N/A | url | String | 1024 | URL from which the malware was downloaded | | |
| domain | N/A | domain | String | 512 | The FQDN part of the URL | | |
| src_ip | Source IP | src_ip | | | The IP address from which the connection originated (client side) | | |
| src_country | N/A | src_country | String | 64 | Source country code of the source IP address, based on GeoIP | | eg. "IND" |
| dst_ip | Destination IP | dst_ip | | | The IP address to which the connection is directed (server side) | | |
| dst_country | N/A | dst_country | String | 64 | Destination country code of the destination IP address, based on GeoIP | | eg. "USA" |
| src_port | N/A | src_port | | | The port from which the connection originated (client side) | | |
| dst_port | N/A | dst_port | | | The port to which the connection is directed (server side) | | |
| bytes_sent | N/A | bytes_sent | Number | int32 | The amount of data in bytes sent by the firewall to the destination | | |
| bytes_received | N/A | bytes_received | Number | int32 | The amount of data in bytes received | | |
| http_user_agent | N/A | user_agent | String | 256 | | | |
| log_id | N/A | | String | | | | eg. "010101600001" |
| device_name | N/A | | String | | | | eg. "SFW" |
| device_model | N/A | | String | | | | eg. "SF01V" |
| device_serial_id | N/A | | String | | | | eg. "SFDemo-ff94e90" |
| message | | message | String | | | | eg. "Malware 'EICAR-AV-Test' was detected and blocked in a download from www.eicar.org" |
| protocol | | protocol | String | | | | eg. "TCP" |
| src_zone_type | N/A | | String | | | | eg. "LAN" |
| src_zone | N/A | | String | | | | eg. "LAN" |
| dst_zone_type | N/A | | String | | | | eg. "WAN" |
| dst_zone | N/A | | String | | | | eg. "WAN" |
| user_group | N/A | | String | | | | eg. "student" |
Antivirus (Web) Device Standard Format (Legacy)
Field descriptions
Log format name under crformatter.conf is http_av_log_fmt.
| Syslog field name | Name | Log viewer name | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
| log_type | N/A | log_type | String | | | Anti-Virus | |
| log_component | N/A | log_component | String | | | HTTP, HTTPS | |
| log_subtype | Log Subtype | log_subtype | String | | | Virus, PUA, Clean | |
| priority | N/A | N/A | String | | | Critical | |
| fw_rule_id | N/A | fw_rule_id | Number | int32 | | | |
| user_name | Username | user | String | 384 | | | |
| iap | N/A | web_policy_id | Number | int16 | The web policy that applies to this HTTP transaction | | |
| virus | Detection | virus | String | 256 | The name of the malware identified by the scan engine. If the malware was detected by Sandstorm, this will say Sandstorm. | | |
| url | N/A | url | String | 1024 | URL from which the malware was downloaded | | |
| domainname | N/A | domain | String | 512 | The FQDN part of the URL | | |
| src_ip | Source IP | src_ip | | | The IP address from which the connection originated (client side) | | |
| src_country_code | N/A | src_country | String | 64 | Source country code of the source IP address, based on GeoIP | | eg. "IND" |
| dst_ip | Destination IP | dst_ip | | | The IP address to which the connection is directed (server side) | | |
| dst_country_code | N/A | dst_country | String | 64 | Destination country code of the destination IP address, based on GeoIP | | eg. "USA" |
| src_port | N/A | src_port | | | The port from which the connection originated (client side) | | |
| dst_port | N/A | dst_port | | | The port to which the connection is directed (server side) | | |
| sent_bytes | N/A | bytes_sent | Number | int32 | The amount of data in bytes sent by the firewall to the destination | | |
| recv_bytes | N/A | bytes_received | Number | int32 | The amount of data in bytes received | | |
| user_agent | N/A | user_agent | String | 256 | | | |
| log_id | N/A | | String | | | | eg. "010101600001" |
| device | N/A | | String | | | | eg. "SFW" |
| device_name | N/A | | String | | | | eg. "SF01V" |
| device_id | N/A | | String | | | | eg. "SFDemo-ff94e90" |
| message | | message | String | | | | eg. "Malware 'EICAR-AV-Test' was detected and blocked in a download from www.eicar.org" |
| protocol | | protocol | String | | | | eg. "TCP" |
Sample logs
| Message ID | Log |
|---|---|
| 8001 | |
| 8003 | Not currently logged in syslog |
Antivirus (FTP)
Antivirus (FTP) Device Standard Format (Legacy)
Field descriptions
Log format name under crformatter.conf is ftp_av_log_fmt.
| Syslog field name | Name | Log viewer name | Data type | Max length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
| log_type | N/A | log_type | String | | | Anti-Virus | |
| log_component | N/A | log_component | String | | | FTP | |
| log_subtype | Log Subtype | log_subtype | String | | | Virus, Clean | |
| priority | N/A | N/A | String | | | | |
| fw_rule_id | N/A | fw_rule_id | Number | int32 | | | |
| user_name | Username | user | String | 384 | | | |
| virus | Detection | virus | String | 256 | Name of the detected virus | | |
| FTP_url | N/A | url | String | 1024 | URL of the download/upload | | |
| FTP_direction | N/A | direction | | | Download/Upload | Download, Upload | |
| filename | N/A | file_name | String | 64 | Downloaded/uploaded filename | | |
| file_size | N/A | file_size | Number | 32 | Size of the downloaded/uploaded file | | |
| file_path | N/A | file_path | String | 1024 | Path the file was uploaded/downloaded to/from | | |
| ftpcommand | N/A | cmd | String | 64 | FTP command | RETR, STOR | |
| src_ip | Source IP | src_ip | | | Source IP address | | |
| src_country_code | N/A | src_country | String | 64 | Source country code of the source IP address | | eg. "IND", "USA" |
| dst_ip | Destination IP | dst_ip | | | Destination IP address | | |
| dst_country_code | N/A | dst_country | String | 64 | Destination country code of the destination IP address | | eg. "IND", "USA" |
| src_port | N/A | src_port | | | | | |
| dst_port | N/A | dst_port | | | | | |
| dstdomain | N/A | domain | String | 512 | | | |
| sent_bytes | N/A | bytes_sent | Number | int32 | | | |
| recv_bytes | N/A | bytes_received | Number | int32 | | | |
| log_id | N/A | | String | | | | eg. "010101600001" |
| device | N/A | | String | | | | eg. "SFW" |
| device_name | N/A | | String | | | | eg. "SF01V" |
| device_id | N/A | | String | | | | eg. "SFDemo-ff94e90" |
| message | | message | String | | | | eg. "Malware 'EICAR-AV-Test' was detected and blocked in a download from www.eicar.org" |
| protocol | | protocol | String | | | | eg. "TCP" |
Sample logs
| Message ID | Log |
|---|---|
| 9001 | |
| 9002 | |
Antivirus (FTP) Central Reporting Format
Field descriptions
Log format name under crformatter.conf is CR_ftp_av_log_fmt.
| Syslog field name | Name | Log viewer name | Data type | Max length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
| log_type | N/A | log_type | String | | | Anti-Virus | |
| log_component | N/A | log_component | String | | | FTP | |
| log_subtype | Log Subtype | log_subtype | String | | | Virus, Clean | |
| severity | N/A | | String | | | | |
| fw_rule_id | N/A | fw_rule_id | Number | int32 | | | |
| user_name | Username | user | String | 384 | | | |
| malware | Detection | virus | String | 256 | Name of the detected virus | | |
| url | N/A | url | String | 1024 | URL of the download/upload | | |
| con_direction | N/A | direction | | | Download/Upload | Download, Upload | |
| file_name | N/A | file_name | String | 64 | Downloaded/uploaded filename | | |
| file_size | N/A | file_size | Number | 32 | Size of the downloaded/uploaded file | | |
| file_path | N/A | file_path | String | 1024 | Path the file was uploaded/downloaded to/from | | |
| ftpcommand | N/A | cmd | String | 64 | FTP command | RETR, STOR | |
| src_ip | Source IP | src_ip | | | Source IP address | | |
| src_country | N/A | src_country | String | 64 | Source country code of the source IP address | | eg. "IND", "USA" |
| dst_ip | Destination IP | dst_ip | | | Destination IP address | | |
| dst_country | N/A | dst_country | String | 64 | Destination country code of the destination IP address | | eg. "IND", "USA" |
| src_port | N/A | src_port | | | | | |
| dst_port | N/A | dst_port | | | | | |
| dstdomain | N/A | domain | String | 512 | | | |
| sent_bytes | N/A | bytes_sent | Number | int32 | | | |
| recv_bytes | N/A | bytes_received | Number | int32 | | | |
| log_id | | | String | | | | eg. "010101600001" |
| device_name | | | String | | | | eg. "SFW" |
| device_model | | | String | | | | eg. "SF01V" |
| device_serial_id | | | String | | | | eg. "SFDemo-ff94e90" |
| message | | | String | | | | eg. "Malware 'EICAR-AV-Test' was detected and blocked in a download from www.eicar.org" |
| protocol | | | String | | | | eg. "TCP" |
| log_version | | | Number | | | 1 | eg. log_version=1 |
| src_zone_type | | | String | | | | eg. src_zone_type="LAN" |
| src_zone | | | String | | | | eg. src_zone="LAN" |
| dst_zone_type | | | String | | | | eg. dst_zone_type="WAN" |
| dst_zone | | | String | | | | eg. dst_zone="WAN" |
| user_group | | | String | | | | eg. user_group="student" |
Antivirus (Mail)
See section Email (antivirus)
Reporting
Reports under
Web Virus: Reports > Applications & Web > Blocked Web Attempts
FTP Clean: Reports > Applications & Web > FTP Usage
FTP Virus: Reports > Applications & Web > FTP Protection
Log identifier for reports
Web Virus: Log Component = (HTTP or HTTPS) & Log Subtype = Virus
FTP Clean: Log Component = FTP & Log Subtype = (Allowed or Clean)
FTP Virus: Log Component = FTP & Log Subtype = Virus
Appliance
Reporting
CFR Reports under
Log Viewer & Search
SF On Box Reports under
Appliance: Reports > Compliance > Events > System Events
Log identifier for reports
Appliance: Log Type = Event & Log Subtype = System & Log Component = Appliance
Central Reporting Format
Field descriptions
Log format name under crformatter.conf is CR_appliance_log_fmt.
| Syslog field name | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|
| timestamp | Timestamp | | ISO 8601 | | eg. 2018-12-07T10:03:48+0000 |
| device_name | String | | | | |
| device_model | String | | | | |
| device_serial_id | String | | | | |
| log_id | String | | | | |
| log_type | String | | | Event | |
| log_component | String | | | Appliance, Guest User, Appliance Access | |
| log_subtype | String | | | System | |
| log_version | | | | | |
| severity | String | | | Warning, Information, Notification | |
| message | String | 1024 | | | |
Sample logs
Message ID | Log |
|---|---|
17807 | |
17808 | |
17809 | |
17810 | |
17811 | |
17812 | |
17816 | |
17923 | |
17924 | |
17925 | |
17926 | |
17927 | |
17928 | |
17929 | |
17930 | |
17931 | |
17932 | |
17933 | |
17934 | |
17913 | |
17941 |
Device Standard Format (Legacy)
Field descriptions
Log format name under crformatter.conf is appliance_log_fmt.
| Syslog field name | Name | Log viewer name | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
| log_type | | log_type | String | | | Event | |
| log_component | | log_component | String | | | Appliance, Guest User, Appliance Access | |
| log_subtype | | log_subtype | String | | | System | |
| priority | | | String | | | Warning, Information, Notification | |
| message | | message | String | 1024 | | | |
Sample logs
Message ID | Log |
|---|---|
17807 | |
17808 | |
17809 | |
17810 | |
17811 | |
17812 | |
17816 | |
17923 | |
17924 | |
17925 | |
17926 | |
17927 | |
17928 | |
17929 | |
17930 | |
17931 | |
17932 | |
17933 | |
17934 | |
17913 | |
17941 |
Application filter
Reporting
CFR Reports under:
Bandwidth usage
Log viewer & search
SF on-box reports under:
Application denied: Reports > Application & Web > Blocked User Apps
Also use to report:
Synchronised Application (Where appresolvedby = EAC ) : Reports > Application & Web > Synchronised Application
Log identifier for reports:
Application denied: Log type = Content filtering & Log component = Application & Log subtype = denied
Central Reporting Format
Field descriptions
Log format name under crformatter.conf is CR_appflt_deny_log_fmt.
| Syslog field name | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|
| timestamp | Timestamp | | ISO 8601 | | eg. 2018-12-07T10:03:48+0000 |
| device_model | String | | | | eg. XG135 |
| device_name | String | | | | eg. SFW |
| device_serial_id | String | | | | eg. C44313350024-P29PUA |
| log_id | String | | | | eg. 010101600001 |
| log_type | String | | | Content Filtering | |
| log_component | String | | | Application | |
| log_subtype | String | | | Denied | |
| log_version | Number | | | | eg. log_version=1 |
| severity | String | | | Information | |
| fw_rule_id | Number | int32 | Firewall rule ID | | e.g. fw_rule_id=1 |
| user_name | String | 384 | | "" or "<username>" | |
| user_group | String | 1024 | | "" or "<groupname>" | |
| app_filter_policy_id | Number | int16 | ID of the application filter policy | | |
| category | String | 64 | Category in which the application is categorized | Categories present in the IPS signature set | |
| app_name | String | 64 | Application name | Applications present in the IPS signature set | |
| app_risk | Number | 8 | Risk level in which the application is categorized | Risk levels present in the IPS signature set | |
| app_technology | String | 32 | Technology in which the application is categorized | Technologies present in the IPS signature set | |
| app_category | String | 64 | Category in which the application is categorized | Categories present in the IPS signature set | |
| src_ip | | | <Src IP address> | | |
| src_country | String | 64 | ISO 3166 alpha-3 code | | |
| dst_ip | | | <Dst IP address> | | |
| dst_country | String | 64 | ISO 3166 alpha-3 code | | |
| src_port | | | | | |
| dst_port | | | | | |
| bytes_sent | Number | int32 | | | |
| bytes_received | Number | int32 | | | |
| message | String | 1024 | | | |
| app_is_cloud | Boolean | | | true, false | |
| parent_app | String | | | | eg. parent_app="Skype" |
| parent_app_category | String | | | | eg. parent_app_category="Instant Messaging" |
| parent_app_risk | Number | | | | eg. parent_app_risk=1 |
| classification | String | | | "", Sanctioned, Unsanctioned, New, Tolerated | eg. classification="Sanctioned" |
| app_resolved_by | String | | The module that identified the application (IPS, micro app, or SAC) | Signature, Proxy, EAC | |
| qualifier | String | | | | eg. qualifier="Mapped" |
| status | String | | | Deny | |
Sample logs
| Message ID | Logs |
|---|---|
| 17051 | |
Device Standard Format (Legacy)
Field descriptions
Log format name under crformatter.conf is appflt_deny_log_fmt.
| Syslog field name | Log viewer name | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|
| log_type | log_type | String | | | Content Filtering | |
| log_component | log_component | String | | | Application | |
| log_subtype | log_subtype | String | | | Denied | |
| priority | | String | | | Information | |
| fw_rule_id | fw_rule_id | Number | int32 | Firewall rule ID | | e.g. fw_rule_id=1 |
| user_name | user | String | 384 | | "" or "<username>" | |
| user_gp | user_group | String | 1024 | | "" or "<groupname>" | |
| application_filter_policy | appfilter_policy_id | Number | int16 | ID of the application filter policy | | |
| category | category | String | 64 | Category in which the application is categorized | Categories present in the IPS signature set | |
| application_name | app_name | String | 64 | Application name | Applications present in the IPS signature set | |
| application_risk | app_risk | Number | 8 | Risk level in which the application is categorized | Risk levels present in the IPS signature set | |
| application_technology | app_technology | String | 32 | Technology in which the application is categorized | Technologies present in the IPS signature set | |
| application_category | app_category | String | 64 | Category in which the application is categorized | Categories present in the IPS signature set | |
| src_ip | src_ip | | | <Src IP address> | | |
| src_country_code | src_country | String | 64 | | | |
| dst_ip | dst_ip | | | <Dst IP address> | | |
| dst_country_code | dst_country | String | 64 | | | |
| src_port | src_port | | | | | |
| dst_port | dst_port | | | | | |
| sent_bytes | bytes_sent | Number | int32 | | | |
| recv_bytes | bytes_received | Number | int32 | | | |
| status | status | String | | | Deny | |
| message | message | String | 1024 | | | |
| appresolvedby | appresolvedby | String | | Module that identified the application (IPS, micro app, or SAC) | Signature, Proxy, EAC | |
Sample logs
| Message ID | Logs |
|---|---|
| 17051 | |
ATP
Reporting
CFR Reports under
ATP
Log Viewer & Search
SF On Box Reports under
ATP: Reports > Network & Threats > Advanced Threat Protection
Log identifier for reports
ATP: Log Type = ATP & Log Component = ( Firewall or DNS or IPS or Web ) & Log Subtype = ( Alert or Drop )
Central Reporting Format
Field descriptions
Log format name under crformatter.conf is CR_atp_log_fmt.
| Syslog field name | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|
| timestamp | Timestamp | | ISO 8601 | | eg. timestamp="2018-12-07T10:03:48+0000" |
| device_name | String | | | | eg. device_name="SFW" |
| device_model | String | | | | eg. device_model="XG135" |
| device_serial_id | String | | | | eg. device_serial_id="C44313350024-P29PUA" |
| log_id | String | | | | eg. log_id="086320518009" |
| log_type | String | 8 | Log type | ATP | |
| log_component | String | 8 | Log component | Firewall, DNS, IPS, Web | |
| log_subtype | String | 8 | Status of the log | Alert, Drop | |
| log_version | Number | | | | eg. log_version=1 |
| severity | String | 8 | Severity of the log | Warning, Notification, Information | |
| user_name | String | 384 | Appliance user name | | e.g. user_name="gaurav" |
| user_group | String | | | | |
| src_port | Number | | Source port number | | |
| dst_port | Number | | Destination port number | | |
| src_ip | INET | | Client source IP address | | |
| dst_ip | INET | | Destination IP address | | |
| protocol | String | | | | eg. protocol="TCP" |
| src_country | String | | | | |
| dst_country | String | | | | |
| src_zone_type | String | | | | eg. src_zone_type="LAN" |
| src_zone | String | | | | eg. src_zone="LAN" |
| dst_zone_type | String | | | | eg. dst_zone_type="WAN" |
| dst_zone | String | | | | |
| url | String | 2048 | Destination IP address in string format, or domain, or URL | | |
| malware | String | 128 | Threat name | | eg. malware=C2/Generic-A |
| event_id | String | 64 | Event ID | | eg. event_id=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 |
| event_type | String | | Event type | Standard, Extended | |
| reported_user | String | 256 | Logged-in user of the host | | |
| proc_user | String | 256 | Host process user | | |
| reported_id | String | 40 | Endpoint ID | | |
| file_path | String | 16384 | Execution path | | |
| threatfeed | String | 64 | Threat feed name | "MDR threat feeds", "SophosLabs ML threat feeds" | eg. threatfeed="MDR threat feeds" |
Sample logs
Message ID | Log |
|---|---|
18009 | Oct 18 04:46:59 172.16.131.1 device_name="SFW" timestamp="2023-10-18T04:46:59-0400" device_model="SF01V" device_serial_id="SFDemo-c07-gl-vm-01" log_id=086320518009 log_type="ATP" log_component="Firewall" log_subtype="Alert" log_version=1 severity="Notice" protocol="ICMP" src_ip="172.16.131.3" dst_ip="100.0.80.3" url="100.0.80.3" malware="C2/MDR-A" threatfeed="MDR threat feeds" event_id="09B9517E-AE79-48C1-89CE-ABA7D799113B" event_type="Standard" src_country="R1" dst_country="USA" |
18010 | Oct 18 04:49:30 172.16.131.1 device_name="SFW" timestamp="2023-10-18T04:49:30-0400" device_model="SF01V" device_serial_id="SFDemo-c07-gl-vm-01" log_id=086304418010 log_type="ATP" log_component="Firewall" log_subtype="Drop" log_version=1 severity="Warning" protocol="ICMP" src_ip="172.16.131.3" dst_ip="100.0.80.3" url="100.0.80.3" malware="C2/MDR-A" threatfeed="MDR threat feeds" event_id="FF2E604F-D94C-4713-A7C6-8ACB65CEE293" event_type="Standard" src_country="R1" dst_country="USA" |
Device Standard Format (Legacy)
Field descriptions
Log format name under crformatter.conf is atp_log_fmt.
| Syslog field name | Name | Log viewer name | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
| log_type | | log_type | String | 8 | Log type | ATP | |
| log_component | | log_component | String | 8 | Log component | Firewall, DNS, IPS, Web | |
| log_subtype | | log_subtype | String | 8 | Status of the log | Alert, Drop | |
| priority | | | String | 8 | Priority of the log | Warning, Notification, Information | |
| user_name | | user | String | 384 | Appliance user name | | e.g. user_name="gaurav" |
| src_port | Source Port | src_port | Number | | Source port number | | |
| dst_port | Destination Port | dst_port | Number | | Destination port number | | |
| sourceip | Source IP | src_ip | ipaddr_t | | Client source IP address | | |
| destinationip | Destination IP | dst_ip | ipaddr_t | | Destination IP address | | |
| url | | url | String | 2048 | Destination IP address in string format, or domain, or URL | | |
| threatname | | threat | String | 128 | Threat name | | eg. threatname=C2/Generic-A |
| eventid | | event_id | String | 64 | Event ID | | eg. eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 |
| eventtype | | type | String | | Event type | Standard, Extended | |
| login_user | | host_login_user | String | 256 | Logged-in user of the host | | |
| process_user | | host_process_user | String | 256 | Host process user | | |
| ep_uuid | | endpoint_id | String | 40 | Endpoint ID | | |
| execution_path | | execution_path | String | 16384 | Execution path | | |
| threatfeed | threatfeed | threatfeed | String | 64 | Threat feed name | "MDR threat feeds", "SophosLabs ML threat feeds" | eg. threatfeed="MDR threat feeds" |
Sample logs
| Message ID | Log |
|---|---|
| 18009 | |
| 18010 | |
Authentication (access gateway)
Reporting
CFR Reports under:
Log Viewer & Search
SF On Box Reports under:
Access Gateway: Reports > Applications & Web > User Data Transfer Report
Also use to report:
Reports > Compliance > Events > Authentication Events
Log identifier for reports:
Access Gateway: Log Type = Event & Log Subtype = Authentication & Log Component = Firewall Authentication
Central Reporting Format
Field descriptions
Log format name under crformatter.conf is CR_internet_usage_log_fmt.
| Syslog field name | Data type | Max length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|
| timestamp | Timestamp | | ISO 8601 | | eg. timestamp="2018-12-07T10:03:48+0000" |
| device_name | String | | | | eg. device_name="SFW" |
| device_model | String | | | | eg. device_model="XG135" |
| device_serial_id | String | | | | eg. device_serial_id="C44313350024-P29PUA" |
| log_id | String | | | | eg. log_id="010101600001" |
| log_type | String | | | Event | |
| log_component | String | | | Firewall Authentication | |
| log_subtype | String | | | Authentication | |
| log_version | Number | | | | eg. log_version=1 |
| severity | String | | | Information | |
| status | String | | | | eg. status="Successful" |
| user_name | String | 384 | | | "JohnDoe" |
| user_group | String | 1024 | | | "Sales" |
| client_used | String | 32 | Refer to Authentication (events) | | |
| auth_mechanism | String | 128 | | | "N/A" |
| reason | String | 128 | | | "" |
| src_ip | | | | | "2.2.2.2" |
| src_mac | String | 32 | | | "44:85:00:81:8a:8f" |
| src_country | String | | ISO 3166 alpha-3 code | | eg. src_country="IND" |
| src_port | Number | | | | eg. src_port=59859 |
| protocol | String | | | | eg. protocol="TCP" |
| dst_ip | INET | | IPv4, IPv6 | | eg. dst_ip="20.20.20.20" |
| dst_country | String | | ISO 3166 alpha-3 code | | eg. dst_country="USA" |
| dst_port | Number | | | | eg. dst_port=53 |
| start | Timestamp | | ISO 8601 | | eg. start="2018-12-07T10:03:48+0000" |
| end | Timestamp | | ISO 8601 | | eg. end="2018-12-07T10:03:50+0000" |
| bytes_sent | Number | 64 | see below | | |
| bytes_received | Number | 64 | see below | | |
| message | String | 1024 | | | "User JohnDoe was logged out of firewall" |
| user_full_name | String | 384 | | | "Butter vom Brot" |
Sample logs
| Message ID | Log |
|---|---|
| 17703 | |
Device Standard Format (Legacy)
Field descriptions
Log format name under crformatter.conf is internet_usage_log_fmt.
| Syslog field name | Name | Log viewer name | Data type | Max length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
| log_type | | log_type | String | | | Event | |
| log_component | | log_component | String | | | Firewall Authentication | |
| log_subtype | | log_subtype | String | | | Authentication | |
| priority | | | String | | | Information | |
| user_name | | user | String | 384 | | | "JohnDoe" |
| usergroupname | | user_group | String | 1024 | | | "Sales" |
| auth_client | | client_used | String | 32 | Refer to Authentication (events) | | |
| auth_mechanism | | auth_mechanism | String | 128 | | | "N/A" |
| reason | | reason | String | 128 | | | "" |
| src_ip | | src_ip | | | | | "2.2.2.2" |
| src_mac | | src_mac | String | 32 | | | "44:85:00:81:8a:8f" |
| start_time | | start_time | | | see below | | eg. start_time="1715012699" (sample 17703 under Authentication (events)) |
| sent_bytes | | bytes_sent | Number | 64 | see below | | |
| recv_bytes | | bytes_received | Number | 64 | see below | | |
| message | | message | String | 1024 | | | "User JohnDoe was logged out of firewall" |
| name | | name | String | 384 | | | "Butter vom Brot" |
| timestamp | | event_timestamp | | | see below | | eg. event_timestamp="1715012800" (sample 17703 under Authentication (events)) |
Sample logs
| Message ID | Log |
|---|---|
| 17703 | |
Authentication (events)
Reporting
CFR Reports under:
Log Viewer & Search
SF On Box Reports under:
Authentication: Reports > Compliance > Events
Log identifier for reports:
Authentication: Log Type = Event & Log Subtype = Authentication
Central Reporting Format
Field descriptions
Log format name under crformatter.conf is CR_auth_log_fmt.
| Syslog field name | Data type | Max length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|
| timestamp | Timestamp | | ISO 8601 | | eg. timestamp="2018-12-07T10:03:48+0000" |
| device_name | String | | | | eg. device_name="SFW" |
| device_model | String | | | | eg. device_model="XG135" |
| device_serial_id | String | | | | eg. device_serial_id="C44313350024-P29PUA" |
| log_id | String | | | | eg. log_id="010101600001" |
| log_type | String | | | Event | Event |
| log_component | String | | | Firewall Authentication, My Account Authentication, Dial-In Authentication, VPN Authentication, SSL VPN Authentication, GUI, Web Application Firewall, CTA, Appliance, External Authentication, VPN Portal Authentication | Firewall Authentication |
| log_subtype | String | | | Authentication, Admin, System | Authentication |
| log_version | Number | | | | eg. log_version=1 |
| severity | String | | | Information, Notice | Information |
| status | String | | | | eg. status="Successful" |
| user_name | String | 384 | | | "JohnDoe" |
| user_group | String | 1024 | | | "Sales" |
| client_used | String | 32 | | "", Authentication Agent, Web Client, SSO, Clientless, L2TP, IPSec, PPTP, CTA, MyAccount, Thin Client, Admin Client, SSLVPN, NTLM Client, 24online, Android Client, iOS Client, iOS Web Client, SSLVPN Portal, Android Web Client, Radius SSO, API Client, WiFi SSO, API iOS Client, API Android Client, WAF, eDirectory SSO, Heartbeat | |
| auth_mechanism | String | 128 | | Local, "", LDAP, AD, RADIUS, TACACS+, EDIR, Azure AD SSO | |
| reason | String | 128 | | Login failed; wrong credentials; access not allowed; IP restriction; MAC restriction; max login limit reached; multiple login not allowed; Already login as clientless user; Maximum allowed users limit reached; LDAP account expired; Clientless user is not required to login; user validity expired; ip lease failed; no remote access VPN policy; no access rights | |
| src_ip | | | | | 1.1.1.1 |
| src_country | String | | ISO 3166 alpha-3 code | | eg. src_country="IND" |
| message | String | 1024 | | | "Clientless user Nyarlathotep from 1.1.1.1 failed to log in to Firewall" |
| user_full_name | String | 384 | | | "Nyarlathotep S. exited" |
| src_mac | String | 32 | | | "44:85:00:81:8a:8f" |
Sample logs
Message ID | Log |
|---|---|
17701 | messageid="17701" log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" user="test1" user_group="Open Group" client_used="Web Client" auth_mechanism="Local" reason="" src_ip="55.55.55.56" message="User test1 of group Open Group logged in successfully to Firewall through Local authentication mechanism from 55.55.55.56" name="test1" src_mac="" |
17702 | messageid="17702" log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Failed" user="test1" user_group="" client_used="Web Client" auth_mechanism="Local,LDAP,LDAP" reason="wrong credentials" src_ip="55.55.55.56" message="User test1 failed to login to Firewall through Local,LDAP,LDAP authentication mechanism from 55.55.55.56 because of wrong credentials" name="" src_mac="" |
17703 | messageid="17703" log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" user="test1" user_group="Open Group" client_used="Web Client" auth_mechanism="N/A" reason="" src_ip="55.55.55.56" src_mac="" start_time="1715012699" bytes_sent="7093" bytes_received="5829" message="User test1 was logged out of firewall" name="test1" event_timestamp="1715012800" |
17704 | messageid="17704" log_type="Event" log_component="My Account Authentication" log_subtype="Authentication" status="Successful" user="test1" user_group="" client_used="N/A" auth_mechanism="Local" reason="" src_ip="10.166.71.2" message="User test1 logged in successfully to MyAccount through Local authentication mechanism" name="" src_mac="" |
17705 | messageid="17705" log_type="Event" log_component="My Account Authentication" log_subtype="Authentication" status="Failed" user="chai" user_group="" client_used="N/A" auth_mechanism="Local,LDAP,LDAP" reason="wrong credentials" src_ip="10.166.71.2" message="User chai failed to login to MyAccount through Local,LDAP,LDAP authentication mechanism because of wrong credentials" name="" src_mac="" |
17706 | messageid="17706" log_type="Event" log_component="My Account Authentication" log_subtype="Authentication" status="Successful" user="test1" user_group="" client_used="" auth_mechanism="" reason="" src_ip="10.166.71.2" message="User test1 logged out from MyAccount" name="" src_mac="" |
17707 | messageid="17707" log_type="Event" log_component="VPN Authentication" log_subtype="Authentication" status="Successful" user="u1" user_group="" client_used="L2TP" auth_mechanism="Local" reason="" src_ip="10.171.81.64" message="User u1 logged in successfully to L2TP through Local authentication mechanism" name="" src_mac="" |
17708 | messageid="17708" log_type="Event" log_component="VPN Authentication" log_subtype="Authentication" status="Failed" user="u1" user_group="" client_used="L2TP" auth_mechanism="Local" reason="wrong credentials" src_ip="10.171.81.64" message="User u1 failed to login to L2TP through Local authentication mechanism because of wrong credentials" name="" src_mac="" |
17709 | |
17710 | messageid="17710" log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Successful" user="test1" user_group="" client_used="SSLVPN" auth_mechanism="Local" reason="" src_ip="55.55.55.56" message="User test1 authenticated successfully to login to SSLVPN through Local authentication mechanism" name="" src_mac="" |
17711 | messageid="17711" log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Failed" user="test1" user_group="" client_used="SSLVPN" auth_mechanism="Local,LDAP,LDAP" reason="wrong credentials" src_ip="55.55.55.56" message="User test1 failed to login to SSLVPN through Local,LDAP,LDAP authentication mechanism because of wrong credentials" name="" src_mac="" |
17712 | |
17713 | |
17714 | |
17715 | |
17718 | messageid="17718" log_type="Event" log_component="VPN Portal Authentication" log_subtype="Authentication" status="Successful" user="test1" user_group="" client_used="N/A" auth_mechanism="Local" reason="" src_ip="55.55.55.56" message="User test1 logged in successfully to VPN portal through Local authentication mechanism" name="" src_mac="" |
17720 | messageid="17720" log_type="Event" log_component="VPN Portal Authentication" log_subtype="Authentication" status="Successful" user="test1" user_group="" client_used="" auth_mechanism="" reason="" src_ip="55.55.55.56" message="User test1 logged out of VPN portal" name="" src_mac="" |
17824 | messageid="17824" log_type="Event" log_component="SSL VPN" log_subtype="System" access_type="Remote Access" session_id="" additional_information="" start_time="0" user="test1" src_ip="10.81.0.1" bytes_sent="0" bytes_received="0" status="Established" message="SSL VPN User 'test1' connected " event_timestamp="1715013334" con_name="" dst_ip="10.81.0.2" |
17825 | messageid="17825" log_type="Event" log_component="SSL VPN" log_subtype="System" access_type="Remote Access" session_id="" additional_information="Reason="Logout"" start_time="1715013332" user="test1" src_ip="10.81.0.1" bytes_sent="246793" bytes_received="102177" status="Terminated" message="SSL VPN User 'test1' disconnected" event_timestamp="1715014257" con_name="" dst_ip="10.81.0.2" |
17936 | messageid="17936" log_type="Event" log_component="SSL VPN" log_subtype="System" session_id="ICATE_NAME='test1_6AA0CA35AA2D'" additional_information="" start_time="1414677827" user="" src_ip="" bytes_sent="0" bytes_received="0" status="Successful" message="User Certificate 'test1_6AA0CA35AA2D' was created for user 'test1'" event_timestamp="1715013162" con_name="" dst_ip="" |
17945 | |
17946 | |
17947 | |
17968 | |
17719 | |
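As an added example (Python written for this page, not Sophos code), the parsing and triage a SIEM rule applies to the authentication samples above. It takes the 17703, 17705, 17707, 17708, 17711 and 17825 lines from the table verbatim; the two further SSL VPN failures, the spray thresholds and the function names are assumptions made here.

```python
import re
from collections import defaultdict

# One key="value" token. The lazy value match may only end at a quote that is
# followed by the next key (whitespace, key, '=') or by end of line, so a value
# that itself contains quotes, e.g. additional_information="Reason="Logout"",
# is returned intact instead of being cut at the inner quote.
TOKEN = re.compile(r'(\w+)="(.*?)"(?=\s+\w+="|\s*$)')


def parse_sfos_line(line):
    """Parse the key="value" body of one Sophos Firewall syslog message into a dict."""
    return dict(TOKEN.findall(line.strip()))


# Sample lines copied from the table above (table pipes removed).
SAMPLES = [
    'messageid="17703" log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" user="test1" user_group="Open Group" client_used="Web Client" auth_mechanism="N/A" reason="" src_ip="55.55.55.56" src_mac="" start_time="1715012699" bytes_sent="7093" bytes_received="5829" message="User test1 was logged out of firewall" name="test1" event_timestamp="1715012800"',
    'messageid="17705" log_type="Event" log_component="My Account Authentication" log_subtype="Authentication" status="Failed" user="chai" user_group="" client_used="N/A" auth_mechanism="Local,LDAP,LDAP" reason="wrong credentials" src_ip="10.166.71.2" message="User chai failed to login to MyAccount through Local,LDAP,LDAP authentication mechanism because of wrong credentials" name="" src_mac=""',
    'messageid="17707" log_type="Event" log_component="VPN Authentication" log_subtype="Authentication" status="Successful" user="u1" user_group="" client_used="L2TP" auth_mechanism="Local" reason="" src_ip="10.171.81.64" message="User u1 logged in successfully to L2TP through Local authentication mechanism" name="" src_mac=""',
    'messageid="17708" log_type="Event" log_component="VPN Authentication" log_subtype="Authentication" status="Failed" user="u1" user_group="" client_used="L2TP" auth_mechanism="Local" reason="wrong credentials" src_ip="10.171.81.64" message="User u1 failed to login to L2TP through Local authentication mechanism because of wrong credentials" name="" src_mac=""',
    'messageid="17711" log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Failed" user="test1" user_group="" client_used="SSLVPN" auth_mechanism="Local,LDAP,LDAP" reason="wrong credentials" src_ip="55.55.55.56" message="User test1 failed to login to SSLVPN through Local,LDAP,LDAP authentication mechanism because of wrong credentials" name="" src_mac=""',
    'messageid="17825" log_type="Event" log_component="SSL VPN" log_subtype="System" access_type="Remote Access" session_id="" additional_information="Reason="Logout"" start_time="1715013332" user="test1" src_ip="10.81.0.1" bytes_sent="246793" bytes_received="102177" status="Terminated" message="SSL VPN User \'test1\' disconnected" event_timestamp="1715014257" con_name="" dst_ip="10.81.0.2"',
]

# Constructed lines (not from the page): two more failed SSL VPN logins from the
# same source as the 17711 sample, each for a different username.
CONSTRUCTED_SPRAY = [
    'messageid="17711" log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Failed" user="admin" user_group="" client_used="SSLVPN" auth_mechanism="Local" reason="wrong credentials" src_ip="55.55.55.56" message="User admin failed to login to SSLVPN through Local authentication mechanism because of wrong credentials" name="" src_mac=""',
    'messageid="17711" log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Failed" user="jdoe" user_group="" client_used="SSLVPN" auth_mechanism="Local" reason="wrong credentials" src_ip="55.55.55.56" message="User jdoe failed to login to SSLVPN through Local authentication mechanism because of wrong credentials" name="" src_mac=""',
]


def failed_auth_by_source(lines):
    """Group failed authentication events: src_ip -> [(user, client_used, reason), ...]."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_sfos_line(line)
        if ev.get("log_subtype") == "Authentication" and ev.get("status") == "Failed":
            failures[ev["src_ip"]].append((ev["user"], ev["client_used"], ev["reason"]))
    return dict(failures)


def spray_candidates(lines, min_failures=3, min_users=2):
    """Sources with many failures spread over several usernames (password spraying).

    Thresholds are assumptions for this example, not values from the page."""
    hits = {}
    for src_ip, fails in failed_auth_by_source(lines).items():
        users = {user for user, _, _ in fails}
        if len(fails) >= min_failures and len(users) >= min_users:
            hits[src_ip] = sorted(users)
    return hits


def session_summary(line):
    """For a 17825-style Terminated SSL VPN record: (user, seconds, bytes_sent, bytes_received)."""
    ev = parse_sfos_line(line)
    seconds = int(ev["event_timestamp"]) - int(ev["start_time"])
    return ev["user"], seconds, int(ev["bytes_sent"]), int(ev["bytes_received"])


if __name__ == "__main__":
    print(failed_auth_by_source(SAMPLES))
    print(spray_candidates(SAMPLES + CONSTRUCTED_SPRAY))
    print(session_summary(SAMPLES[5]))
```

The lookahead in the token pattern matters for 17825: additional_information carries a quoted value inside a quoted value, and a naive `"([^"]*)"` match would stop at the inner quote and shift every following field by one.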
Device Standard Format (Legacy)
Field descriptions
Log format name under crformatter.conf is auth_log_fmt.
Syslog field name | Log viewer - | Data type | Max length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|
log_type | log_type | String | Event | Event | ||
log_component | log_component | String | Firewall Authentication My Account Authentication Dial-In Authentication VPN Authentication SSL VPN Authentication GUI Web Application Firewall CTA Appliance External Authentication VPN Portal Authentication | Firewall Authentication | ||
log_subtype | log_subtype | String | Authentication Admin System | Authentication | ||
priority | | String | | | Information Notice | Information |
user_name | user | String | 384 | "JohnDoe" | ||
usergroupname | user_group | String | 1024 | "Sales" | ||
auth_client | client_used | String | 32 | "" Authentication Agent Web Client SSO Clientless L2TP IPSec PPTP CTA MyAccount Thin Client Admin Client SSLVPN NTLM Client 24online Android Client iOS Client iOS Web Client SSLVPN Portal Android Web Client Radius SSO API Client WiFi SSO API iOS Client API Android Client WAF eDirectory SSO Heartbeat | ||
auth_mechanism | auth_mechanism | String | 128 | Local "" LDAP AD RADIUS TACACS+ EDIR | ||
reason | reason | String | 128 | Login failed wrong credentials access not allowed IP restriction MAC restriction max login limit reached multiple login not allowed Already login as clientless user Maximum allowed users limit reached LDAP account expired Clientless user is not required to login user validity expired ip lease failed no remote access VPN policy no access rights | ||
src_ip | src_ip | | | | | 1.1.1.1 |
message | message | String | 1024 | "Clientless user Nyarlathotep from 1.1.1.1 failed to log in to Firewall" | ||
name | name | String | 384 | "Nyarlathotep S. exited" | ||
src_mac | src_mac | String | 32 | | | "44:85:00:81:8a:8f" |
Sample logs
Message ID | Log |
|---|---|
17701 | |
17702 | |
17704 | |
17705 | |
17706 | |
17707 | |
17708 | |
17709 | |
17710 | |
17711 | |
17712 | |
17713 | |
17714 | |
17715 | |
17945 | |
17946 | |
17947 | |
17968 | |
17718 | |
17719 | |
17720 | |
DDNS
Reporting
CFR Reports under:
Log Viewer & Search
SF On Box Reports under:
DDNS: Reports > Compliance > Events > System Events
Log identifier for reports:
DDNS: Log Type = Event & Log Subtype = System & Log Component = DDNS
Central Reporting Format
Field descriptions
Log format name under crformatter.conf is CR_ddns_log_fmt.
Syslog field name | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|
Timestamp | Timestamp | ISO 8601 | eg. Timestamp="2018-12-07T10:03:48+0000" | ||
device_name | String | SFW | eg. device_name="SFW" | ||
device_model | String | eg. device_model="XG135" | |||
device_serial_id | String | eg. device_serial_id="C44313350024-P29PUA" | |||
log_id | String | eg. log_id="063711517815" | |||
log_component | String | component of log | DDNS | e.g. log_component=DDNS | |
log_type | String | Event | eg. log_type="Event" | ||
log_subtype | String | subtype of log | System | e.g. log_subtype=System | |
log_version | Number | 1 | eg. log_version=1 | ||
severity | String | severity of event | Notification | e.g. severity="Notification" | |
status | String | eg. status="Successful" | |||
src_host | String | 256 | hostname for ddns | e.g. src_host="xyz.firewall.co" | |
reported_ip | |||||
reason | String | 128 | reason of event failure | Invalid Response Invalid IP Invalid Configuration or bad authorization Unknown Error DNS Error Reported Abuse Connect Failed | |
message | String | 1024 | | | e.g. message="DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86." message="DDNS update for host test1.customtest.dyndns.org was Failed. Last Updated with IP:10.198.232.86" |
Sample logs
Message ID | Log |
|---|---|
17815 | |
Device Standard Format (Legacy)
Field descriptions
Log format name under crformatter.conf is ddns_log_fmt.
Syslog field name | Name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
log_type | log_type | log_type | u_int8_t | 8 | log type | Event | e.g. log_type=Event |
log_component | log_component | log_component | u_int8_t | 8 | component of log | DDNS | e.g. log_component=DDNS |
log_subtype | log_subtype | log_subtype | u_int8_t | 8 | subtype of log | System | e.g. log_subtype=System |
priority | | severity | u_int8_t | 8 | severity of event | Notification | e.g. severity="Notification" |
host | hostname | host | String | 256 | hostname for ddns | e.g. hostname="xyz.firewall.co" | |
updatedip | updated_ip | ||||||
reason | failure_reason | reason | String | 128 | reason of event failure | Invalid Response Invalid IP Invalid Configuration or bad authorization Unknown Error DNS Error Reported Abuse Connect Failed | |
message | message | message | String | 1024 | | | e.g. message="DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86." message="DDNS update for host test1.customtest.dyndns.org was Failed. Last Updated with IP:10.198.232.86" |
Sample logs
Message ID | Log |
|---|---|
17815 | |
DHCP server
Reporting
CFR Reports under:
Log Viewer & Search
SF On Box Reports under:
DHCP Server: Reports > Compliance > Events > System Events
Log identifier for reports:
DHCP Server: Log Type = Event & Log Subtype = System & Log Component = DHCP Server
Central Reporting Format
Field descriptions
Log format name under crformatter.conf is CR_dhcp_svr_log_fmt.
Syslog field name | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|
timestamp | Timestamp | ISO 8601 | eg. timestamp="2018-12-07T10:03:48+0000" | ||
device_name | String | SFW | eg. device_name="SFW" | ||
device_model | String | eg. device_model="XG135" | |||
device_serial_id | String | eg. device_serial_id="C44313350024-P29PUA" | |||
log_id | String | eg. log_id="010101600001" | |||
log_type | String | Log Type | Event | ||
log_component | String | Log Component | DHCP Server | e.g. log_component="DHCP Server" | |
log_subtype | String | Log subtype | System | e.g. log_subtype="System" | |
status | String | DHCP lease status | Renew Release Expire | e.g. status="Renew" | |
log_version | Number | 1 | eg. log_version=1 | ||
Severity | String | Severity of log | Information | ||
reported_ip | IPv4 or IPv6 address leased to DHCP client | e.g. reported_ip="55.1.1.2" | |||
src_mac | String | 32 | MAC address of the DHCP client | e.g. src_mac="1a:74:ed:3c:74:ce" | |
reported_host | String | 384 | Hostname of the DHCP client | e.g. reported_host="AH-MM-33445.green.sophos" | |
message | String | 1024 | Message about DHCP lease | e.g. message="Lease IP 55.1.1.2 renewed for MAC 1a:74:ed:3c:74:ce" | |
lease_time | Number | eg. lease_time=86400 |
Sample logs
Message ID | Log |
|---|---|
60020 | |
60021 | |
60022 | |
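An added example (not Sophos code) of what incident responders use DHCP Server events for: replaying Renew, Release and Expire records into a lease history, so that an address seen in a firewall or authentication log can be attributed to a MAC address and hostname at a given time. The records are constructed here by dhcp_line from the field table above, reusing the table's example MAC and hostname for one client; the second client, the timestamps, and the assumption that only Renew records carry lease_time are this example's own.

```python
import re
from datetime import datetime, timedelta

# key="value" or bare key=value: the field table shows log_version=1 and
# lease_time=86400 unquoted while every other field is quoted. A quoted value
# ends only at a quote followed by the next key or end of line.
TOKEN = re.compile(r'(\w+)=(?:"(.*?)"(?=\s+\w+=|\s*$)|(\S+))')

LEASE_VERB = {"Renew": "renewed", "Release": "released", "Expire": "expired"}


def parse_dhcp_line(line):
    """Parse one DHCP Server record into a dict; a bare value wins over an empty quoted match."""
    return {key: (bare or quoted) for key, quoted, bare in TOKEN.findall(line.strip())}


def parse_ts(value):
    """ISO 8601 with numeric offset, as in timestamp="2018-12-07T10:03:48+0000"."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")


def dhcp_line(timestamp, status, ip, mac, host, lease_time=86400):
    """Build a constructed Central-format DHCP Server record (not a captured log)."""
    fields = [
        f'timestamp="{timestamp}"', 'device_name="SFW"', 'device_model="XG135"',
        'device_serial_id="C44313350024-P29PUA"', 'log_type="Event"',
        'log_component="DHCP Server"', 'log_subtype="System"', f'status="{status}"',
        'log_version=1', 'severity="Information"', f'reported_ip="{ip}"',
        f'src_mac="{mac}"', f'reported_host="{host}"',
        f'message="Lease IP {ip} {LEASE_VERB[status]} for MAC {mac}"',
    ]
    if status == "Renew":  # assumption: only Renew records carry lease_time
        fields.append(f"lease_time={lease_time}")
    return " ".join(fields)


MAC_A, HOST_A = "1a:74:ed:3c:74:ce", "AH-MM-33445.green.sophos"  # examples from the field table
MAC_B, HOST_B = "00:16:3e:5a:11:22", "LAB-PC7"                    # constructed second client

CONSTRUCTED_EVENTS = [
    dhcp_line("2018-12-07T10:03:48+0000", "Renew", "55.1.1.2", MAC_A, HOST_A),
    dhcp_line("2018-12-07T11:00:00+0000", "Release", "55.1.1.2", MAC_A, HOST_A),
    dhcp_line("2018-12-07T11:05:00+0000", "Renew", "55.1.1.2", MAC_B, HOST_B),
    dhcp_line("2018-12-08T11:05:00+0000", "Expire", "55.1.1.2", MAC_B, HOST_B),
    dhcp_line("2018-12-08T12:00:00+0000", "Renew", "55.1.1.3", MAC_A, HOST_A),  # still open at end of log
]


def build_lease_history(lines):
    """Replay Renew/Release/Expire records into (ip, mac, host, start, end) intervals."""
    active, history = {}, []
    for line in lines:
        ev = parse_dhcp_line(line)
        if ev.get("log_component") != "DHCP Server":
            continue
        when, ip, mac = parse_ts(ev["timestamp"]), ev["reported_ip"], ev["src_mac"]
        cur = active.get(ip)
        if ev["status"] == "Renew":
            if cur and cur["mac"] != mac:
                # The IP moved to another MAC with no Release/Expire in between:
                # close the old interval here so intervals never overlap.
                history.append((ip, cur["mac"], cur["host"], cur["start"], when))
                cur = None
            if cur is None:
                cur = active[ip] = {"mac": mac, "host": ev["reported_host"], "start": when}
            cur["end"] = when + timedelta(seconds=int(ev["lease_time"]))
        elif ev["status"] in ("Release", "Expire") and cur:
            history.append((ip, cur["mac"], cur["host"], cur["start"], when))
            del active[ip]
    for ip, cur in active.items():  # leases still open end at their scheduled expiry
        history.append((ip, cur["mac"], cur["host"], cur["start"], cur["end"]))
    return sorted(history, key=lambda h: h[3])


def owner_at(history, ip, when):
    """Return the (mac, host) that held ip at instant `when`, or None if nobody did."""
    for lease_ip, mac, host, start, end in history:
        if lease_ip == ip and start <= when < end:
            return mac, host
    return None


if __name__ == "__main__":
    hist = build_lease_history(CONSTRUCTED_EVENTS)
    for interval in hist:
        print(interval)
    print(owner_at(hist, "55.1.1.2", parse_ts("2018-12-07T23:00:00+0000")))
```

Keep the raw records as well as the derived table: the history above only answers "who had this IP" for the window the log covers, and a gap between a Release and the next Renew is reported as no owner rather than guessed.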
Device Standard Format (Legacy)
Field descriptions
Log format name under crformatter.conf is dhcp_svr_log_fmt.
Syslog field name | Name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
log_type | log_type | String | Log Type | Event | |||
log_component | log_component | String | Log Component | DHCP Server | e.g. log_component="DHCP Server" | ||
log_subtype | log_subtype | String | Log subtype | System | e.g. log_subtype="System" | ||
status | status | String | DHCP lease status | Renew Release Expire | e.g. status="Renew" | ||
priority | String | Priority of log | INFORMATION | ||||
ipaddress | leased_ip | IPv4 or IPv6 address leased to DHCP client | e.g. leased_ip="55.1.1.2" | ||||
client_physical_address | src_mac | String | 32 | MAC address of the DHCP client | e.g. src_mac="1a:74:ed:3c:74:ce" | ||
client_host_name | client_host_name | String | 384 | Hostname of the DHCP client | e.g. client_host_name="AH-MM-33445.green.sophos" | ||
message | message | String | 1024 | Message about DHCP lease | e.g. message="Lease IP 55.1.1.2 renewed for MAC 1a:74:ed:3c:74:ce" | ||
raw_data | raw_data | | 8192 | DHCP lease details | | e.g. raw_data="55.1.1.2 Tue 05 Jun 00:51:06 2018 Wed 06 Jun 00:51:06 2018 1a:74:ed:3c:74:ce -" |
Sample logs
Message ID | Log |
|---|---|
60020 | |
60021 | |
60022 | |
Email (antispam)
Reporting
CFR Reports under:
Log Viewer & Search
SF On Box Reports under:
Email Usage: Reports > Email > Email Usage
Email Spam: Reports > Email > Email Protection
Log identifier for reports:
Email Usage: Log Component = (SMTP or POP3 or IMAP4 or SMTPS or POPS or IMAPS) & Log Subtype = (Allowed or Clean or Outbound Clean or DLP or SPX)
Email Spam: Log Component = (SMTP or POP3 or IMAP4 or SMTPS or POPS or IMAPS) & Log Subtype = (Spam or Probable Spam or Outbound Spam or Outbound Probable Spam)
Central Reporting Format
Field descriptions
Log format name under crformatter.conf is CR_mail_as_log_fmt.
Syslog field name | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|
timestamp | Timestamp | ISO 8601 | eg. timestamp="2018-12-07T10:03:48+0000" | ||
device_name | String | eg. device_name="SFW" | |||
device_model | String | eg. device_model="XG135" | |||
device_serial_id | String | eg. device_serial_id="C44313350024-P29PUA" | |||
log_id | String | eg. log_id="041107413001" | |||
log_type | Log type | Anti-Spam | |||
log_component | Component of log | SMTP SMTPS | |||
log_subtype | Type of spam | Spam Probable Spam Clean Outbound Spam Outbound Probable Spam Outbound Clean DLP SPX Dos Allowed Denied | |||
log_version | Number | 1 | eg. log_version=1 | ||
severity | Severity of mail spam | Information Warning Notification Error | |||
fw_rule_id | Number | int32 | |||
user_name | String | 384 | |||
user_group | String | eg. user_group="student" | |||
policy_name | String | 32 | Policy name | ||
sender | String | 1024 | Email address of sender | e.g. sender="test@test.local" | |
recipient | String | 1024 | Email address of recipient | eg. recipient="test1@test.local" | |
subject | String | 1024 | Subject of mail | eg. subject="test" | |
message_id | String | 64 | Message id | eg. message_id="10001" | |
email_size | u_int32_t | int32 | Message size | eg. email_size="1111" | |
action | String | 32 | Drop Quarantine Reject Tmpreject Accept | ||
reason | String | 256 | Mail detected as SPAM Mail detected as PROBABLE SPAM Mail is Clean Sender IP address is blacklisted Mail detected as OUTBOUND SPAM Mail detected as OUTBOUND PROBABLE SPAM Email containing confidential data detected. Relevant Data Protection Policy applied. SMTP DoS | ||
src_host | String | 64 | |||
dst_host | String | 64 | |||
src_ip | ipaddr_t | 32 | Source IP address | eg. src_ip="1.1.1.1" src_ip="345::12" | |
src_country | String | 64 | ISO 3166-1 alpha-3 code | eg. "IND" "USA" | |
dst_ip | ipaddr_t | 32 | Destination IP address | eg. dst_ip="1.1.1.2" dst_ip="345::11" | |
dst_country | String | 64 | ISO 3166-1 alpha-3 code | eg. "IND" "USA" | |
src_port | u_int16_t | 16 | Source port | eg. src_port="1234" | |
dst_port | u_int16_t | 16 | Destination port | eg. dst_port="12345" | |
protocol | String | eg. protocol="POP" | |||
src_zone_type | String | eg. src_zone_type="LAN" | |||
src_zone | String | eg. src_zone="LAN" | |||
dst_zone_type | String | eg. dst_zone_type="WAN" | |||
dst_zone | String | eg. dst_zone="WAN" | |||
bytes_sent | Number | int32 | |||
bytes_received | Number | int32 | |||
quarantine_reason | String | 32 | Reason for mail quarantine | eg. quarantine_reason="Infected" | |
app_name | String |
Sample logs
Message ID | Log |
|---|---|
13001 | |
13002 | |
13003 | |
13004 | |
13005 | |
13006 | |
13007 | obsolete |
13008 | obsolete |
13009 | |
13010 | |
13011 | |
13012 | |
13013 | |
13014 | |
14001 | |
14002 | |
14003 | |
15001 | |
15002 | |
15003 | |
18035 |
Device Standard Format (Legacy)
Field descriptions
Log format name under crformatter.conf is mail_as_log_fmt.
Syslog field name | Name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
log_type | log_type | log_type | u_int8_t | Log type | Anti-Spam | ||
log_component | log_component | log_component | u_int8_t | Component of log | SMTP SMTPS | ||
log_subtype | log_subtype | log_subtype | u_int8_t | Type of spam | Spam Probable Spam Clean Outbound Spam Outbound Probable Spam Outbound Clean DLP SPX Dos Allowed Denied | ||
priority | severity | u_int8_t | Severity of mail spam | Information Warning Notification Error | |||
fw_rule_id | fw_rule_id | Number | int32 | ||||
user_name | user | String | 384 | ||||
av_policy_name | avaspolicy | policy_name | String | 32 | Policy name | ||
from_email_address | sender | sender | String | 1024 | Email address of sender | e.g. sender="test@test.local" | |
to_email_address | rcpts | recipient | String | 1024 | Email address of recipient | eg. rcpts="test1@test.local" | |
email_subject | subject | subject | String | 1024 | Subject of mail | eg. subject="test" | |
mailid | messageid | message_id | String | 64 | Message id | eg. messageid="10001" | |
mailsize | mail_size | email_size | u_int32_t | int32 | Message size | eg. mail_size="1111" | |
spamaction | action | String | 32 | Drop Quarantine Reject Tmpreject Accept | |||
reason | reason | String | 256 | Mail detected as SPAM Mail detected as PROBABLE SPAM Mail is Clean Sender IP address is blacklisted Mail detected as OUTBOUND SPAM Mail detected as OUTBOUND PROBABLE SPAM Email containing confidential data detected. Relevant Data Protection Policy applied. SMTP DoS | |||
src_domainname | host | String | 64 | ||||
dst_domainname | domain | String | 64 | ||||
src_ip | src_ip | src_ip | ipaddr_t | 32 | Source IP address | eg. src_ip="1.1.1.1" src_ip="345::12" | |
src_country_code | src_country | String | 64 | Source country code | eg. "IND" "USA" | ||
dst_ip | dst_ip | dst_ip | ipaddr_t | 32 | Destination IP address | eg. dst_ip="1.1.1.2" dst_ip="345::11" | |
dst_country_code | dst_country | String | 64 | Destination country code | eg. "IND" "USA" | ||
src_port | src_port | src_port | u_int16_t | 16 | Source port | eg. src_port="1234" | |
dst_port | dst_port | dst_port | u_int16_t | 16 | Destination port | eg. dst_port="12345" | |
sent_bytes | bytes_sent | Number | int32 | ||||
recv_bytes | bytes_received | Number | int32 | ||||
quarantine_reason | reason | quarantine_reason | String | 32 | Reason for mail quarantine | eg. quarantine_reason="Infected" |
Sample logs
Message ID | Log |
|---|---|
13001 | |
13002 | |
13003 | |
13004 | |
13005 | |
13006 | |
13007 | obsolete |
13008 | obsolete |
13009 | |
13010 | |
13011 | |
13012 | |
13013 | |
13014 | |
14001 | |
14002 | |
14003 | |
15001 | |
15002 | |
15003 | |
18035 | |
Email (antivirus)
Log format name under crformatter.conf is mail_av_log_fmt.
Field descriptions
Syslog field name | Name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
log_type | log_type | log_type | u_int8_t | 8 | log type | Anti-virus | |
log_component | log_component | log_component | u_int8_t | 8 | component of log | SMTP SMTPS | |
log_subtype | log_subtype | log_subtype | u_int8_t | 8 | subtype of log | Virus | |
priority | severity | u_int8_t | severity of mail virus | Critical | |||
fw_rule_id | fw_rule_id | fw_rule_id | Number | int32 | |||
user_name | user | ||||||
av_policy_name | avaspolicy | policy_name | String | 32 | policy name | eg. avaspolicy="policy1" | |
from_email_address | sender | sender | String | 1024 | email address of sender | eg. sender="test@test.local" | |
to_email_address | rcpts | recipient | String | 1024 | email address of recipient | eg. rcpts="test1@test.local" | |
subject | subject | subject | String | 1024 | subject of mail | eg. subject="test" | |
mailid | messageid | message_id | String | 64 | message id | eg. messageid="10001" | |
mailsize | mail_size | email_size | u_int32_t | int32 | mail size | eg. mail_size="1111" | |
virus | virusname | virus | String | 32 | virus name | eg. virusname="eicar" | |
filename | qname | file_name | String | 64 | file name | eg. qname="QBin.2/1960x2000000c.eml_0_1524566566" | |
quarantine | qname | quarantine | String | 64 | quarantine file name | eg. qname="QBin.2/1960x2000000c.eml_0_1524566566" | |
src_domainname | host | ||||||
dst_domainname | domain | ||||||
src_ip | src_ip | src_ip | ipaddr_t | 32 | source ip address | eg. src_ip="1.1.1.1",src_ip="345::12" | |
src_country_code | src_country | ||||||
dst_ip | dst_ip | dst_ip | ipaddr_t | 32 | destination ip address | eg. dst_ip="1.1.1.2",dst_ip="345::11" | |
dst_country_code | dst_country | ||||||
src_port | src_port | src_port | u_int16_t | 16 | source port | eg. src_port="12345" | |
dst_port | dst_port | dst_port | u_int16_t | 16 | destination port | eg. dst_port="12345" | |
sent_bytes | bytes_sent | ||||||
recv_bytes | bytes_received | ||||||
quarantine_reason | reason | quarantine_reason | String | 32 | reason for mail quarantine | eg. quarantine_reason="Infected" quarantine_reason="Mail Unscannable" |
Reporting
Reports under:
Email Usage: Reports > Email > Email Usage
Email Virus: Reports > Email > Email Protection
Log identifier for reports:
Email Usage: Log Component = (SMTP or POP3 or IMAP4 or SMTPS or POPS or IMAPS) & Log Subtype = (Allowed or Clean or Outbound Clean or DLP or SPX)
Email Virus: Log Component = (SMTP or POP3 or IMAP4 or SMTPS or POPS or IMAPS) & Log Subtype = Virus
Sample logs
Message ID | Log |
|---|---|
10001 | Not found in the code. |
11001 | Not found in the code. |
12001 | Not found in the code. |
Email quarantine
Log format name under crformatter.conf is quarantine_log_fmt.
Field descriptions
Syslog field name | Name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
log_type | log_type | log_type | u_int8_t | 8 | Event | ||
log_component | log_component | u_int8_t | 8 | Quarantine | |||
log_subtype | log_subtype | u_int8_t | 8 | System | |||
priority | severity | u_int8_t | 8 | Severity of mail | |||
subject | subject | subject | String | 1024 | subject of mail | e.g. subject="test" | |
from | sender | sender | String | 1024 | email address of sender | e.g. sender="test@test.local" | |
to | rcpts | recipient | String | 1024 | email address of recipient | e.g. rcpts="test1@test.local" | |
message | message | String | 1024 |
Reporting
Reports under:
Quarantine Event: Reports > Compliance > Events > System Events
Log identifier for reports:
Quarantine Event: Log Type = Event & Log Subtype = System
Sample logs
Message ID | Log |
|---|---|
17823 | Obsolete |
Firewall
Log format name under crformatter.conf is firewall_log_fmt.
Field descriptions
Syslog field name | Log viewer - | Data type | Length | Format/Description | Possible values | Examples/Notes |
|---|---|---|---|---|---|---|
log_type | log_type | String | 8 | Log Type | Firewall | |
log_component | log_component | String | 8 | Log Component | Firewall Rule Heartbeat ICMP ERROR MESSAGE Invalid Traffic Fragmented Traffic Invalid Fragmented Traffic Local ACL DoS Attack ICMP Redirection Source Routed MAC Filter IPMAC Filter IP Spoof SSL VPN Virtual Host | |
log_subtype | log_subtype | String | 8 | Log sub type | Allowed Denied Drop | |
status | status | String | 8 | Status of log | Allow Deny | |
priority | String | 8 | Priority of log | Warning Notification Information | ||
duration | con_duration | Number | int32 | Time between the start and close of connection | ||
fw_rule_id | fw_rule_id | Number | int32 | Firewall rule ID used for particular request | ||
fw_rule_name | fw_rule_name | String | Firewall rule name used for particular request | |||
policy_type | policy_type | Number | int8 | Firewall template (network / user / business policy ) | ||
user_name | user | String | 384 | Client login username | ||
user_gp | user_group | String | 1024 | User group detail | ||
iap | web_policy_id | Number | int16 | Id of Web policy applied | ||
ips_policy_id | ips_policy_id | Number | int16 | Id of IPS policy applied | ||
appfilter_policy_id | appfilter_policy_id | Number | int16 | Id of application filter applied | ||
application | app_name | String | 64 | Application name at client machine | ||
application_risk | app_risk | Number | 8 | Defined risk level (1-5) | ||
application_technology | app_technology | String | 32 | Technology of application | eg. "Browser Based" "P2P" "Client Server" "Network Protocol" | |
application_category | app_category | String | 64 | Category in which application belong | eg. "Streaming Media" "Web Mail" "Social Networking" "File Transfer" "Network Services" | |
in_interface | in_interface | String | 64 | In interface name of traffic of firewall | eg. PortA | |
out_interface | out_interface | String | 64 | Out interface name of traffic of firewall | eg. PortB | |
src_mac | src_mac | String | 32 | Client source mac address | ||
dst_mac | dst_mac | String | 32 | Destination mac address | ||
vlan_id | vlan_id | Number | 16 | Vlan id | ||
src_ip | src_ip | ipaddr_t | Client source ip address | |||
src_country_code | src_country | String | 64 | Client source country code | eg. "IND","USA" etc | |
dst_ip | dst_ip | ipaddr_t | Destination IP address | |||
dst_country_code | dst_country | String | 64 | Destination country code | eg. "IND","USA" etc | |
src_port | src_port | Number | Source port number | |||
dst_port | dst_port | Number | Destination port number | |||
icmp_type | icmp_type | String | ICMP Type | Refer to ICMP protocol details for possible values | eg. 8 - Echo 0 - Echo Reply, etc | |
icmp_code | icmp_code | String | ICMP Code | Refer to ICMP protocol details for possible values | ||
sent_pkts | packets_sent | Number | int32 | Number of packets sent | ||
recv_pkts | packets_received | Number | int32 | Number of packets received | ||
sent_bytes | bytes_sent | Number | int32 | Number of bytes sent | ||
recv_bytes | bytes_received | Number | int32 | Number of bytes received | ||
tran_src_ip | src_trans_ip | ipaddr_t | Translated source IP (Nat source IP) | |||
tran_src_port | src_trans_port | Translated source port (Nat source port) | ||||
tran_dst_ip | dst_trans_ip | ipaddr_t | Translated destination IP (Nat destination IP) | |||
tran_dst_port | dst_trans_port | Translated destination Port (Nat destination Port) | ||||
srczonetype | src_zone_type | String | int32 | Type of custom zone (LAN or DMZ) | ||
srczone | src_zone | String | 64 bits | SFOS Source Zone | LAN WAN DMZ VPN WiFi Custom | |
dstzonetype | dst_zone_type | String | int32 | Type of custom zone (LAN or DMZ) | ||
dstzone | dst_zone | String | 64 bits | SFOS Destination Zone | ||
dir_disp | con_direction | String | Direction of connection | |||
connevent | con_event | String | Connection Event | Start Interim Stop | ||
connid | con_id | Number | int32 | Connection ID | ||
vconnid | virt_con_id | Number | int32 | Master connection ID (in case of related connections) | ||
hb_health | hb_status | Number | int16 | Endpoint Heartbeat status | No Heartbeat Green Yellow Red Missing | |
message | message | String | 1024 | Message about particular packet | eg. message="Invalid UDP destination." | |
appresolvedby | appresolvedby | String | Module via which client application name is resolved | Signature EAC Proxy | EAC = Enhanced App Control ( Synchronised Application ) | |
app_is_cloud | app_is_cloud | Number | int16 | Set if application is web/cloud based | 0 1 | |
ether_type | ether_type | Number | int16 | Specifies the ethernet frame type | {0x0000, "Unknown"}, | |
sdwan_profile_id_request | sdwan_profile_id_request | Number | uint16 | SD-WAN profile id for request direction | ||
sdwan_profile_name_request | sdwan_profile_name_request | String | SD-WAN profile name for request direction. | |||
sdwan_profile_id_reply | sdwan_profile_id_reply | Number | uint16 | SD-WAN profile id for reply direction | ||
sdwan_profile_name_reply | sdwan_profile_name_reply | String | SD-WAN profile name for reply direction | |||
gw_id_request | gw_id_request | Number | uint16 | ID of gateway used for request direction | ||
gw_name_request | gw_name_request | String | Name of gateway used for request direction | |||
gw_id_reply | gw_id_reply | Number | uint16 | ID of gateway used for reply direction | ||
gw_name_reply | gw_name_reply | String | Name of gateway used for reply direction | |||
sdwan_route_id_request | sdwan_route_id_request | Number | uint32 | SD-WAN route id used in request direction | ||
sdwan_route_name_request | sdwan_route_name_request | String | SD-WAN route name used in request direction | |||
sdwan_route_id_reply | sdwan_route_id_reply | Number | uint32 | SD-WAN route id used in reply direction | ||
sdwan_route_name_reply | sdwan_route_name_reply | String | SD-WAN route name used in reply direction | |||
nat_rule_id | nat_rule_id | Number | int32 | NAT rule ID used for particular request | ||
nat_rule_name | nat_rule_name | String | NAT rule name used for particular request |
Reporting
Reports under:
Application Allowed: Reports > Application & Web > User App Risks & Usage
Also use to report:
CASB (With combination of Web Logs ): Reports > Application & Web > Cloud Application Usage
Synchronised Application (Where appresolvedby = EAC) : Reports > Application & Web > Synchronized Application
Security Heartbeat ( When Log Component = Heartbeat ) : Reports > Network & Threats > Security Heartbeat
Log identifier for reports:
Application Allowed: Log Type = Firewall & Log Component = Firewall Rule & Log Subtype = Allowed
Sample logs
Message ID | Log |
|---|---|
00001 | |
00002 | |
00003 | |
00004 | |
00005 | |
00006 | |
| Not found in code. |
01001 | |
01301 | |
| Not found in code. |
| Not found in code. |
02002 | |
03001 | |
04001 | |
05001 | |
05051 | |
05101 | |
05151 | |
| Not found in code. |
| Not found in code. |
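An added example (not Sophos code) of two firewall-log analytics over the fields in the table above: a port-sweep heuristic over Denied records, and per-source byte accounting over Allowed records. No firewall samples survive on this page, so the records are constructed by fw_line from the syslog field names in the table; the addresses, rule name, thresholds and the assumption that the byte counters on the connevent="Stop" record are the final ones for that connection are this example's own.

```python
import re
from collections import defaultdict

# One key="value" token; the value ends only at a quote followed by the next key.
TOKEN = re.compile(r'(\w+)="(.*?)"(?=\s+\w+="|\s*$)')


def parse_fw_line(line):
    """Parse the key="value" body of one firewall record into a dict."""
    return dict(TOKEN.findall(line.strip()))


def fw_line(subtype, status, src_ip, dst_ip, dst_port, connevent="Stop", sent_bytes=0, recv_bytes=0):
    """Constructed firewall record using the syslog field names from the table (not a captured log)."""
    return (
        f'log_type="Firewall" log_component="Firewall Rule" log_subtype="{subtype}" status="{status}" '
        f'priority="Information" duration="0" fw_rule_id="2" fw_rule_name="WAN_to_DMZ" policy_type="1" '
        f'user_name="" user_gp="" in_interface="Port2" out_interface="Port1" '
        f'src_ip="{src_ip}" src_country_code="USA" dst_ip="{dst_ip}" dst_country_code="IND" '
        f'src_port="51234" dst_port="{dst_port}" sent_pkts="1" recv_pkts="0" '
        f'sent_bytes="{sent_bytes}" recv_bytes="{recv_bytes}" '
        f'srczonetype="WAN" srczone="WAN" dstzonetype="DMZ" dstzone="DMZ" '
        f'connevent="{connevent}" connid="1" vconnid="0"'
    )


SCANNER, TARGET, CLIENT = "203.0.113.9", "198.51.100.5", "10.0.0.25"  # constructed addresses

CONSTRUCTED_LOGS = (
    [fw_line("Denied", "Deny", SCANNER, TARGET, port) for port in range(20, 32)]  # one source, 12 ports
    + [fw_line("Denied", "Deny", "203.0.113.10", TARGET, 23)]                    # a lone denied probe
    + [fw_line("Allowed", "Allow", CLIENT, TARGET, 443, "Start")]
    + [fw_line("Allowed", "Allow", CLIENT, TARGET, 443, "Interim", 1500, 800)]
    + [fw_line("Allowed", "Allow", CLIENT, TARGET, 443, "Stop", 4096, 2048)]
    + [fw_line("Allowed", "Allow", CLIENT, TARGET, 22, "Stop", 300, 100)]
)


def scan_candidates(lines, min_ports=10):
    """(src_ip, dst_ip) pairs whose Denied records cover at least min_ports distinct destination ports.

    min_ports is an assumed threshold for this example."""
    ports = defaultdict(set)
    for line in lines:
        ev = parse_fw_line(line)
        if ev.get("log_type") == "Firewall" and ev.get("log_subtype") == "Denied":
            ports[(ev["src_ip"], ev["dst_ip"])].add(int(ev["dst_port"]))
    return {pair: sorted(seen) for pair, seen in ports.items() if len(seen) >= min_ports}


def egress_bytes(lines):
    """Bytes sent per source over Allowed connections.

    Counted once per connection at connevent="Stop" (assumed to carry the final
    counters) so that Start and Interim records for the same connection are not
    added again."""
    totals = defaultdict(int)
    for line in lines:
        ev = parse_fw_line(line)
        if ev.get("log_subtype") == "Allowed" and ev.get("connevent") == "Stop":
            totals[ev["src_ip"]] += int(ev["sent_bytes"])
    return dict(totals)


if __name__ == "__main__":
    print(scan_candidates(CONSTRUCTED_LOGS))
    print(egress_bytes(CONSTRUCTED_LOGS))
```

Keying the sweep heuristic on (src_ip, dst_ip) rather than src_ip alone keeps a host that legitimately talks to many services on many servers from tripping it; lower min_ports for a sweep spread across hosts, or key on src_ip and count (dst_ip, dst_port) pairs instead.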
Gateway
Log format name under crformatter.conf is gateway_log_fmt.
Field descriptions
Syslog Field Name | LogViewer Detail-View Field Name | Data Type | Length | Format/Description | Possible Values | Examples/Notes |
|---|---|---|---|---|---|---|
log_type | log_type | String | Log Type | Event | ||
log_component | log_component | String | Log Component | Gateway | ||
log_subtype | log_subtype | String | Log sub type | System | ||
priority | String | Priority of log | Notice | |||
gatewayname | gw_name | 8192 | Gateway Name | e.g. gw_name="DHCP_Port2_GW" | ||
message | message | String | 1024 | Event Message | e.g. message="Gateway DHCP_Port2_GW is Up" |
Reporting
Reports under:
Gateway: Reports > Compliance > Events > System Events
Log identifier for reports:
Gateway: Log Type = Event & Log Subtype = System & Log Component = Gateway
Sample logs
Message ID | Log |
|---|---|
17814 | |
HA - High availability
Field descriptions
Syslog field name | Name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
device | N/A | N/A | | | | SFW | Not exposed in log viewer |
date | Time | date and time are | YYYY-MM-DD The system-local date/time at | ||||
time | Time | | | | hh:mm:ss, 24-hour format | | "09:48:48" |
timezone | N/A | N/A | | | | | e.g. timezone="CET" Not exposed in log viewer |
device_name | N/A | N/A | String | 16 | Appliance model name | | e.g. device_name="XG125w" Not exposed in log viewer |
device_id | N/A | N/A | String | 32 | Appliance's serial ID | | e.g. device_id=C44313350024-P29PUA Not exposed in log viewer |
log_type | log_type | log_type | String | | | Event | |
log_component | | log_component | String | | | HA | |
log_subtype | | log_subtype | String | | | System | |
priority | | | String | | | Notice | |
status | N/A | status | String | | | | |
Reporting
Reports under:
HA: Reports > Compliance > Events > System Events
Log identifier for reports:
HA: Log Type = Event & Log Subtype = System & Log Component = HA
HA message logs
Message ID | Log | Log Type | Log Component | Log Subtype | Severity |
|---|---|---|---|---|---|
60012 | Appliance becomes standalone | Event | HA | System | Notification |
60013 | Appliance goes in fault | Event | HA | System | Notification |
60014 | Appliance becomes auxiliary | Event | HA | System | Notification |
60015 | Appliance becomes primary | Event | HA | System | Notification |
60016 | Appliance becomes standalone at appliance start up | Event | HA | System | Notification |
60017 | Appliance goes in fault at appliance start up | Event | HA | System | Notification |
60018 | Appliance becomes auxiliary at appliance start up | Event | HA | System | Notification |
60019 | Appliance becomes primary at appliance start up | Event | HA | System | Notification |
60023 | HA System: Dedicated interface is unplugged, please check your HA System | Event | HA | System | Warning |
60024 | HA System: Monitor interface/s is/are unplugged, please check your HA System | Event | HA | System | Warning |
17838 | HA was disabled | Event | HA | System | Notification |
Sample logs
Message ID | Log message |
|---|---|
60012 | |
60013 | |
60014 | |
60015 | |
60016 | |
60017 | |
60018 | |
60019 | |
60023 | |
60024 | |
17838 | |
Heartbeat
Log format name under crformatter.conf is hb_log_fmt.
Field descriptions
Syslog field name | Name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
log_type | log_type | log_type | String | | | Heartbeat | |
log_component | | log_component | String | | | Heartbeat | |
log_subtype | | log_subtype | String | | | Information | |
priority | | | String | | | Information | |
RED | | red | Number | int32 | Total number of endpoints in state RED | | 2 |
YELLOW | | yellow | Number | int32 | Total number of endpoints in state YELLOW | | 3 |
GREEN | | green | Number | int32 | Total number of endpoints in state GREEN | | 4 |
TOTAL | | total | Number | int32 | Total number of endpoints | | 500 |
Reporting
Not captured for reporting
Log identifier for reports:
Heartbeat Endpoint: Log Type = Heartbeat & Log Component = Heartbeat
Sample logs
Message ID | Log |
|---|---|
18012 | |
Heartbeat endpoint
Log format name under crformatter.conf is ep_log_fmt.
Field descriptions
Syslog field name | Name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
log_type | log_type | log_type | String | | | Heartbeat | Heartbeat |
log_component | | log_component | String | | | Endpoint | Endpoint |
log_subtype | | log_subtype | String | | | Information | Information |
priority | | | String | | | Notice | Notice |
ep_name | Endpoint Name | Endpoint Name | String | 1028 | NetBIOS name of the endpoint | Whatever Microsoft allows | e.g. FIM-WIN7-PC3 |
ep_uuid | endpoint_id | endpoint_id | String | 40 | UUID of this endpoint, created on Sophos Central | | |
ep_ip | endpoint_ip | endpoint_ip | String | 15 | IP address of the endpoint | | 172.16.10.33 |
ep_health | Endpoint Health | Endpoint Health | String | 12 | Health state of the endpoint | | |
ep_event_time | | ep_event_time | Unix timestamp | | Time when this event was triggered from the endpoint | | |
Reporting
Reports under:
Heartbeat Endpoint: Reports > Network & Threats > Security Heartbeat
Log identifier for reports:
Heartbeat Endpoint: Log Type = Heartbeat & Log Component = Endpoint
Sample logs
Message ID | Log |
|---|---|
18013 | |
Interface
Log format name under crformatter.conf is interface_log_fmt.
Field descriptions
Syslog Field Name | Name | LogViewer Detail-View Field Name | Data Type | Length | Format/Description | Possible Values | Examples/Notes |
|---|---|---|---|---|---|---|---|
log_type | | log_type | String | | Log Type | Event | |
log_component | | log_component | String | | Log Component | Interface | |
log_subtype | | log_subtype | String | | Log sub type | System | |
priority | | | String | | Log priority | Information, Notice | |
interface | | interface | String | 32 | Interface Name | | e.g. interface="PortA" |
message | | message | String | 1024 | Event message | | e.g. message="Interface Port1 is Up" message="Interface Port1 is Down" |
Reporting
Reports under:
Interface: Reports > Compliance > Events > System Events
Log identifier for reports:
Interface: Log Type = Event & Log Subtype = System & Log Component = Interface
Sample logs
Message ID | Log |
|---|---|
17813 | |
17820 | |
19030 | messageid="19030" log_type="Event" log_component="Interface" log_subtype="System" interface="" display_interface="" message="IPv6 prefix 2a01:db8:3::/56 delegated by ISP to Port2." messageid="19030" log_type="Event" log_component="Interface" log_subtype="System" interface="" display_interface="" message="Lease expired for delegated IPv6 prefix 2a01:db8:3::/56 assigned to Port2." |
17502 | messageid="17502" log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" user="admin" src_ip="10.198.39.254" additional_information="" message="PortF13 set to no breakout by 'admin' from '10.198.39.254' using 'GUI'" messageid="17502" log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" user="admin" src_ip="10.198.39.254" additional_information="" message="PortF13 set to 2-port breakout by 'admin' from '10.198.39.254' using 'GUI'" messageid="17502" log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" user="admin" src_ip="10.198.39.254" additional_information="" message="PortF13 set to 4-port breakout by 'admin' from '10.198.39.254' using 'GUI'" |
17504 | messageid="17504" log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" user="admin" src_ip="10.166.71.1" additional_information="" message="Interface 'Port4' was turned on by 'admin' from '10.166.71.1' using 'GUI'" messageid="17504" log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" user="admin" src_ip="10.166.71.1" additional_information="" message="Interface 'Port4' was turned off by 'admin' from '10.166.71.1' using 'GUI'" |
IPS
Log format name under crformatter.conf is idp_log_fmt.
Field descriptions
Syslog field name | Name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
log_type | | log_type | String | | | IDP | |
log_component | | log_component | String | | | Anomaly Signatures | |
log_subtype | | log_subtype | String | | | Detect Drop | |
priority | | | String | | | Warning | |
idp_policy_id | | ips_policy_id | Number | int16 | ID of the IPS policy configured | | |
fw_rule_id | | fw_rule_id | Number | int32 | Firewall rule ID | | |
user_name | | user | String | 384 | | | |
signature_id | | sig_id | Number | int32 | SID of the IPS signature triggered | | |
signature_msg | | message | String | 128 | msg of the IPS signature triggered | | |
classification | | classification | String | 64 | Classification based on the classtype of the IPS signature triggered | | |
rule_priority | | rule_priority | Number | int8 | Priority of the rule within the policy | | |
src_ip | | src_ip | | | | | |
src_country_code | | src_country | String | 64 | Source country code | | e.g. "IND", "USA" |
dst_ip | | dst_ip | | | | | |
dst_country_code | | dst_country | String | 64 | Destination country code | | e.g. "IND", "USA" |
src_port | | src_port | | | | | |
dst_port | | dst_port | | | | | |
icmp_type | | icmp_type | | | | | |
icmp_code | | icmp_code | | | | | |
platform | | OS | String | 512 | Platform in which the signature is classified | Platforms present in the IPS signature set | |
category | | category | String | 1024 | Category in which the signature is classified | Categories present in the IPS signature set | |
target | | victim | String | 128 | Target in which the signature is classified | Targets present in the IPS signature set | |
Reporting
Reports under:
IPS : Reports > Network & Threats > Intrusion Attacks
Log identifier for reports:
IPS : Log Type = IDP & Log Component = ( Anomaly or Signatures )
Sample logs
Message ID | Log |
|---|---|
6001 | |
6002 | |
7001 | |
7002 | |
IPsec
Log format name under crformatter.conf is ipsec_log_fmt.
Field descriptions
Syslog field name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|
log_type | log_type | String | | | Event | |
log_component | log_component | String | | | IPSec | |
log_subtype | log_subtype | String | | | System | |
priority | priority | String | | | Alert Critical Error Warning Notice Information Debug | "Alert" |
user_name | user_name | String | 384 | XAUTH username | | |
connectionname | connectionname | String | 32 | If the connection name is longer, it is truncated to 32 characters. | | |
connectiontype | connectiontype | Number | int8 | Unused | 0 | |
localinterfaceip | localinterfaceip | | | | | "153.25.15.25" |
localgateway | gw_ip | | | Next hop of the localinterfaceip | | |
localnetwork | local_network | String | 32 | | | "10.8.48.0/24" |
remoteinterfaceip | dst_ip | | | | | "153.25.15.25" |
remotenetwork | remote_network | String | 32 | | | "10.8.49.0/24" |
message | message | String | 1024 | | | |
Reporting
Reports under:
IPsec: Reports > VPN > VPN
Also used to report:
Reports > Compliance > Events > System Events
Log identifier for reports:
IPsec: Log Type = Event & Log Subtype = System & Log Component = IPSec
Sample logs
Message ID | Log |
|---|---|
17801 | |
17802 | |
18044 | |
18045 | |
18046 | |
18047 | |
18048 | |
18049 | |
18050 | |
18051 | |
18052 | |
18053 | severity is DEBUG so it will not be seen in the garner |
18054 | severity is DEBUG so it will not be seen in the garner |
18055 | |
18056 | GARNER doesn't handle this ALERT |
18057 | |
18058 | |
18059 | |
18060 | |
18061 | GARNER doesn't handle this ALERT |
18062 | |
18063 | |
18064 | |
18065 | |
18066 | GARNER doesn't handle this ALERT |
18067 | |
18068 | |
18069 | |
18070 | |
18071 | GARNER doesn't handle this ALERT |
18072 | |
18073 | GARNER doesn't handle this ALERT |
18074 | GARNER doesn't handle this ALERT |
18075 | GARNER doesn't handle this ALERT |
18076 | These are not ALERTS. These are submodules |
18077 | These are not ALERTS. These are submodules |
18078 | These are not ALERTS. These are submodules |
18079 | These are not ALERTS. These are submodules |
18080 | These are not ALERTS. These are submodules |
18081 | These are not ALERTS. These are submodules |
18082 | These are not ALERTS. These are submodules |
18083 | These are not ALERTS. These are submodules |
18084 | These are not ALERTS. These are submodules |
18085 | These are not ALERTS. These are submodules |
18086 | These are not ALERTS. These are submodules |
18087 | These are not ALERTS. These are submodules |
18088 | These are not ALERTS. These are submodules |
18089 | These are not ALERTS. These are submodules |
18090 | These are not ALERTS. These are submodules |
18091 | These are not ALERTS. These are submodules |
18092 | These are not ALERTS. These are submodules |
18093 | These are not ALERTS. These are submodules |
18094 | These are not ALERTS. These are submodules |
IPsec failover
Log format name under crformatter.conf is ipsec_failover_log_fmt.
Field descriptions
Syslog field name | Name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
log_type | | log_type | String | | | Event | |
log_component | | log_component | String | | | IPSec | |
log_subtype | | log_subtype | String | | | System | |
priority | | | String | | | | |
message | | message | String | 1024 | | | |
Reporting
Reports under:
IPSec: Reports > VPN > VPN
Also used to report:
Reports > Compliance > Events > System Events
Log identifier for reports:
IPSec: Log Type = Event & Log Subtype = System & Log Component = IPSec
Sample logs
Message ID | Log |
|---|---|
17832 | |
17833 | |
17834 | |
17835 | |
17836 | |
17837 | |
L2TP PPTP VPN
Log format name under crformatter.conf is l2tp_pptp_log_fmt (this is used by OPCODE updown_vpn_event).
Field descriptions
Syslog field name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|
log_type | log_type | String | | | Event | |
log_component | log_component | String | | | L2TP PPTP | |
log_subtype | log_subtype | String | | | System | |
priority | | String | | | Notice Information | see below |
user_name | user | String | 384 | | | see below |
localip | src_ip | | | | | see below |
remotepeer | dst_ip | | | | | see below |
ipleased | leased_ip | | | | | see below |
reason | reason | String | 64 | | "" | see below |
bytes_sent | bytes_sent | Number | int32 | | | see below |
bytes_recv | bytes_received | Number | int32 | | | see below |
message | message | String | 1024 | "User $username was $state successfully through $vpncomp using leased IP $leasediphb" ($state: terminated, established; $vpncomp: pptp, l2tp) | | see below |
Reporting
Reports under:
L2TP PPTP VPN: Reports > VPN > VPN
Also used to report:
Reports > Compliance > Events > System Events
Log identifier for reports:
Access Gateway: Log Type = Event & Log Subtype = System & Log Component = ( L2TP or PPTP )
Sample logs
Message ID | Log |
|---|---|
17803 | |
17804 | |
17805 | |
17806 | |
RED
Reporting
Reports under:
RED: Reports > VPN > VPN
Log identifier for reports:
RED: Log Type = Event & Log Component = RED & Log Subtype = System
Central Reporting Format
Field descriptions
Log format name under crformatter.conf is CR_red_log_fmt.
Syslog field name | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|
timestamp | Timestamp | | ISO 8601 | | eg. timestamp="2018-12-07T10:03:48+0000" |
device_name | String | | | | eg. device_name="SFW" |
device_model | String | | | | eg. device_model="XG135" |
device_serial_id | String | | | | eg. device_serial_id="C44313350024-P29PUA" |
log_id | String | | | | eg. log_id="086320518009" |
log_type | String | 8 | Log Type | Event | |
log_component | String | 8 | Log Component | RED | |
log_subtype | String | 8 | Status of log | System | |
log_version | Number | | log version | 1 | |
severity | String | 8 | severity of log | Information | |
reported_id | String | | The ID of the RED. The first 3 characters describe the type of the RED and the remaining 12 are alphanumeric. For a RED server there are 15 alphanumeric characters. | RED10: A32XXXXXXXXXXXX RED15: A35XXXXXXXXXXXX RED15W: A36XXXXXXXXXXXX RED50: A34XXXXXXXXXXXX Server: XXXXXXXXXXXXXXX | |
con_name | String | | Branch name of the RED device in the redconfig. | | |
bytes_received | Number | int32 | Received bytes | | Bytes received by the device |
duration | Number | int32 | The time in ms between a disconnect and a reconnect of the machine. Only for connect messages, else zero. | | |
bytes_sent | Number | int32 | Sent bytes | | Bytes sent from the device |
start | Timestamp | | | | |
message | String | | Message from the device with either the RX/TX or a connect/disconnect message | | |
Sample logs
Message ID | Log |
|---|---|
18106 | 'device_name="SFW" timestamp="2023-12-15T15:46:29+0530" device_model="XGS126w" device_serial_id="X12206492TP4V78" log_id=066811618016 log_type="Event" log_component="RED" log_subtype="System" log_version=1 severity="Information" reported_id="R60002B3H4M3V8E" status="Interim" start="2023-12-15T15:46:29+0530" con_name="R60002B3H4M3V8E" bytes_received=67248 bytes_sent=74828 message="R60002B3H4M3V8E/R60002B3H4M3V8E transfered bytes TX: 67248 RX: 74828"' |
18107 | 'device_name="SFW" timestamp="2023-12-15T14:51:18+0530" device_model="XGS126w" device_serial_id="X12206492TP4V78" log_id=066811618016 log_type="Event" log_component="RED" log_subtype="System" log_version=1 severity="Information" reported_id="R60002B3H4M3V8E" status="Interim" start="2023-12-15T14:51:18+0530" con_name="R60002B3H4M3V8E" bytes_received=10256 bytes_sent=10724 message="R60002B3H4M3V8E/R60002B3H4M3V8E transfered bytes TX: 10256 RX: 10724"' |
Log format name under crformatter.conf is CR_red_status_log_fmt.
Syslog field name | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|
timestamp | Timestamp | | ISO 8601 | | eg. timestamp="2018-12-07T10:03:48+0000" |
device_name | String | | | | eg. device_name="SFW" |
device_model | String | | | | eg. device_model="XG135" |
device_serial_id | String | | | | eg. device_serial_id="C44313350024-P29PUA" |
log_id | String | | | | eg. log_id="086320518009" |
log_type | String | 8 | Log Type | Event | |
log_component | String | 8 | Log Component | RED | |
log_subtype | String | 8 | Status of log | System | |
log_version | Number | | log version | 1 | |
severity | String | 8 | severity of log | Information | |
disable_count | Number | | Number of REDs disabled | | |
enable_count | Number | | Number of REDs enabled | | |
disconnect_count | Number | | Number of REDs disconnected | | |
con_count | Number | | Number of REDs connected | | |
Sample logs
Message ID | Log |
|---|---|
18032 | 'device_name="SFW" timestamp="2023-12-15T16:36:39+0530" device_model="XGS126w" device_serial_id="X12206492TP4V78" log_id=066811618032 log_type="Event" log_component="RED" log_subtype="System" log_version=1 severity="Information" disable_count=1 disconnect_count=1' |
18032 | 'device_name="SFW" timestamp="2023-12-15T16:16:35+0530" device_model="XGS126w" device_serial_id="X12206492TP4V78" log_id=066811618032 log_type="Event" log_component="RED" log_subtype="System" log_version=1 severity="Information" enable_count=1 con_count=1' |
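The sample rows in the Interface table above (17502, 17504, 19030) and the RED rows here (18106, 18107, 18032) are all key=value syslog records, and the Interface samples run several records together on one line. The parser below is an added example, not code from Sophos or from this page: it splits a line into records every time the line's first key recurs (messageid in the Device Standard Format samples, device_name in the Central Reporting Format samples), unquotes the values, and then totals bytes_received and bytes_sent per con_name across the RED interim records. The two sample strings are copied from this page (the outer single quotes around the RED rows dropped); the function names are this example's own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# One key=value pair: a key, then either a double-quoted value (backslash
# escapes allowed) or a bare token such as log_id=066811618016.
PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]+)')

# Sample 17502 from the Interface table on this page: three records on one line.
INTERFACE_SAMPLE_17502 = (
    'messageid="17502" log_type="Event" log_component="GUI" log_subtype="Admin" '
    'status="Successful" user="admin" src_ip="10.198.39.254" additional_information="" '
    "message=\"PortF13 set to no breakout by 'admin' from '10.198.39.254' using 'GUI'\" "
    'messageid="17502" log_type="Event" log_component="GUI" log_subtype="Admin" '
    'status="Successful" user="admin" src_ip="10.198.39.254" additional_information="" '
    "message=\"PortF13 set to 2-port breakout by 'admin' from '10.198.39.254' using 'GUI'\" "
    'messageid="17502" log_type="Event" log_component="GUI" log_subtype="Admin" '
    'status="Successful" user="admin" src_ip="10.198.39.254" additional_information="" '
    "message=\"PortF13 set to 4-port breakout by 'admin' from '10.198.39.254' using 'GUI'\""
)

# Samples 18106 and 18107 from the RED Central Reporting Format table on this page.
RED_SAMPLES = [
    'device_name="SFW" timestamp="2023-12-15T15:46:29+0530" device_model="XGS126w" '
    'device_serial_id="X12206492TP4V78" log_id=066811618016 log_type="Event" '
    'log_component="RED" log_subtype="System" log_version=1 severity="Information" '
    'reported_id="R60002B3H4M3V8E" status="Interim" start="2023-12-15T15:46:29+0530" '
    'con_name="R60002B3H4M3V8E" bytes_received=67248 bytes_sent=74828 '
    'message="R60002B3H4M3V8E/R60002B3H4M3V8E transfered bytes TX: 67248 RX: 74828"',
    'device_name="SFW" timestamp="2023-12-15T14:51:18+0530" device_model="XGS126w" '
    'device_serial_id="X12206492TP4V78" log_id=066811618016 log_type="Event" '
    'log_component="RED" log_subtype="System" log_version=1 severity="Information" '
    'reported_id="R60002B3H4M3V8E" status="Interim" start="2023-12-15T14:51:18+0530" '
    'con_name="R60002B3H4M3V8E" bytes_received=10256 bytes_sent=10724 '
    'message="R60002B3H4M3V8E/R60002B3H4M3V8E transfered bytes TX: 10256 RX: 10724"',
]


def unquote(raw: str) -> str:
    """Strip the double quotes around a quoted value and undo backslash escapes."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    return raw


def parse_records(line: str) -> List[Dict[str, str]]:
    """Split one syslog line into records.

    A new record starts whenever the line's first key (messageid or device_name
    in this page's formats) appears again; that is how the run-together
    Interface samples are recovered as separate events.
    """
    pairs = PAIR_RE.findall(line.strip())
    if not pairs:
        return []
    start_key = pairs[0][0]
    records: List[Dict[str, str]] = []
    for key, raw in pairs:
        if key == start_key:
            records.append({})
        records[-1][key] = unquote(raw)
    return records


def red_counters_from_message(record: Dict[str, str]) -> Tuple[int, int]:
    """Return (TX, RX) as printed in a RED 'transfered bytes' message."""
    m = re.search(r"TX: (\d+) RX: (\d+)", record.get("message", ""))
    if not m:
        raise ValueError("not a RED byte-counter message")
    return int(m.group(1)), int(m.group(2))


def red_totals(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Sum bytes_received and bytes_sent per con_name over RED interim records."""
    totals: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"bytes_received": 0, "bytes_sent": 0}
    )
    for line in lines:
        for rec in parse_records(line):
            if rec.get("log_component") != "RED" or "con_name" not in rec:
                continue
            totals[rec["con_name"]]["bytes_received"] += int(rec["bytes_received"])
            totals[rec["con_name"]]["bytes_sent"] += int(rec["bytes_sent"])
    return dict(totals)


if __name__ == "__main__":
    for rec in parse_records(INTERFACE_SAMPLE_17502):
        print(rec["messageid"], rec["user"], rec["src_ip"], "->", rec["message"])
    print(red_totals(RED_SAMPLES))
```

In both RED samples the TX figure inside message equals bytes_received and RX equals bytes_sent; red_counters_from_message lets a consumer confirm the two stay consistent before charting either counter. Splitting on the first key rather than on "messageid" keeps the same parser usable for both the Device Standard Format and the Central Reporting Format rows.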
Log format name under crformatter.conf is red_log_fmt.
Field descriptions
Syslog field name | Name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
log_type | | log_type | String | | Log type | Event | log_type="Event" |
log_component | | log_component | String | | Log component | RED | log_component="RED" |
log_subtype | | log_subtype | String | | Log subtype | System | log_subtype="System" |
priority | | | String | | | | |
red_id | | red_id | String | 64 | The ID of the RED. The first 3 characters describe the type of the RED and the remaining 12 are alphanumeric. For a RED server there are 15 alphanumeric characters. | RED10: A32XXXXXXXXXXXX RED15: A35XXXXXXXXXXXX RED15W: A36XXXXXXXXXXXX RED50: A34XXXXXXXXXXXX Server: XXXXXXXXXXXXXXX | |
status | | status | String | | | Connected Disconnected Interim | |
eventtime | Event Time | event_time | | | | | |
duration | | duration | Number | int32 | The time in ms between a disconnect and a reconnect of the machine. Only for connect messages, else zero. | | |
branch_name | | branch_name | String | 64 | Name of the RED device in the redconfig. | | |
recv_bytes | | bytes_received | Number | int32 | Bytes received by the device | | |
sent_bytes | | bytes_sent | Number | int32 | Bytes sent from the device | | |
message | | message | String | 1024 | Message from the device with either the RX/TX or a connect/disconnect message | | <RED_ID>/<branch name> message |
Sample logs
Message ID | Log |
|---|---|
18014 | |
18015 | |
18016 | |
Zero Day Protection events
Central Reporting Format
Field descriptions
Log format name under crformatter.conf is CR_sandbox_log_fmt.
Syslog field name | Name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
log_type | N/A | log_type | String | | | Sandbox | |
log_component | Log Comp | log_component | String | | | Web | |
log_subtype | N/A | log_subtype | String | | | Allowed Denied Pending | |
severity | N/A | N/A | String | | | | |
user_name | Username | user | String | 384 | The end-user associated with the item being analysed | Web: End-user associated with the item being analysed Email: Recipient email address | |
src_ip | N/A | src_ip | |||||
filename | File Name | file_name | String | 1024 | The original filename of the item being analysed | Web: This is the filename reported by the server in the Email: This is the file attachment with email (extracted from email MIME) | |
filetype | File Type | file_type | String | 32 | The MIME type of the file being analysed | Web: (? this is as reported by the source server in the Email: File type of file attachment | |
filesize | N/A | file_size | Number | int32 | The size in bytes of the file being analysed | Web: This will usually differ from the bytes transferred in the corresponding HTTP transaction because it excludes HTTP headers and any compression used in transit. | |
file_hash | File Hash / Checksum | file_hash | String | 64 | In 17.5 and earlier the sha1sum contained the sha1 checksum of the file being analyzed. In 18.0 and later the sha1sum contains the sha256 checksum of the file. In Central Reporting format this is called file_hash. The checksum is used to identify individual files and as the key when caching results. Although the checksum is not considered secure for data encryption purposes due to the risk of collision, it is sufficiently hard to deliberately generate files with checksum collisions that its use here is considered safe. | ||
source | Source | host | String | 256 | The origin of the item being analysed | Web: FQDN part of the URL (e.g. for content downloaded from http://fs1.cdn.example.com/files/example.exe, this will say "fs1.cdn.example.com") Email: Sender email address | |
reason | Reason | reason | String | 256 | A text description of the reason or event that triggered the log line | eligible pending cached clean cached malicious cloud clean cloud malicious error | |
virus | virus | virus | String | | Name of the virus | | |
destination | domain | domain | String | 256 | The destination domain of the email | | Only applies to emails scanned by Sandstorm. |
subject | subject | subject | String | 64 | The subject of the email | | Only applies to emails scanned by Sandstorm. |
log_id | N/A | | String | | | | eg. "010101600001" |
device_name | N/A | | String | | | | eg. "SFW" |
device_model | N/A | | String | | | | eg. "SF01V" |
device_serial_id | N/A | | String | | | | eg. "SFDemo-ff94e90" |
user_group | N/A | | String | | | | eg. "student" |
src_country | N/A | | String | | ISO 3166 alpha-3 code | | eg. "IND" |
dst_country | N/A | | String | | ISO 3166 alpha-3 code | | eg. "USA" |
src_port | N/A | | Number | | | | eg. 57067 |
dst_port | N/A | | Number | | | | eg. 20480 |
dst_ip | N/A | | INET | | IPv4, IPv6 | | eg. "20.20.20.20" |
application | | app_name | String | | Application name | | |
Device Standard Format (Legacy)
Field descriptions
Log format name under crformatter.conf is sandbox_log_fmt.
Syslog field name | Name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
log_type | N/A | log_type | String | | | Sandbox | |
log_component | Log Comp | log_component | String | | | Web | |
log_subtype | N/A | log_subtype | String | | | Allowed Denied Pending | |
priority | N/A | N/A | String | | | | |
user_name | Username | user | String | 384 | The end-user associated with the item being analysed | Web: End-user associated with the item being analysed Email: Recipient email address | |
src_ip | N/A | src_ip | |||||
filename | File Name | file_name | String | 1024 | The original filename of the item being analysed | Web: This is the filename reported by the server in the Email: This is the file attachment with email (extracted from email MIME) | |
filetype | File Type | file_type | String | 32 | The MIME type of the file being analysed | Web: (? this is as reported by the source server in the Email: File type of file attachment | |
filesize | N/A | file_size | Number | int32 | The size in bytes of the file being analysed | Web: This will usually differ from the bytes transferred in the corresponding HTTP transaction because it excludes HTTP headers and any compression used in transit. | |
sha1sum | File Hash / Checksum | sha1sum | String | 64 | In 17.5 and earlier the sha1sum contained the sha1 checksum of the file being analyzed. In 18.0 and later the sha1sum contains the sha256 checksum of the file. The checksum is used to identify individual files and as the key when caching results. Although the checksum is not considered secure for data encryption purposes due to the risk of collision, it is sufficiently hard to deliberately generate files with checksum collisions that its use here is considered safe. | ||
source | Source | host | String | 256 | The origin of the item being analysed | Web: FQDN part of the URL (e.g. for content downloaded from http://fs1.cdn.example.com/files/example.exe, this will say "fs1.cdn.example.com") Email: Sender email address | |
reason | Reason | reason | String | 256 | A text description of the reason or event that triggered the log line | eligible pending cached clean cached malicious cloud clean cloud malicious error | |
destination | domain | domain | String | 256 | The destination domain of the email | | Only applies to emails scanned by Sandstorm. |
subject | subject | subject | String | 64 | The subject of the email | | Only applies to emails scanned by Sandstorm. |
log_id | N/A | | String | | | | eg. "010101600001" |
device | N/A | | String | | | | eg. "SFW" |
device_name | N/A | | String | | | | eg. "SF01V" |
device_id | N/A | | String | | | | eg. "SFDemo-ff94e90" |
Sample logs
Message ID | Log |
|---|---|
18041 | |
18042 | |
18043 | |
Reporting
Reports under:
Zero Day Protection: Reports > Network & Threats > Zero Day Protection
Log identifier for reports:
Zero Day Protection: Log Type = Zero Day Protection & Log Component = ( Web or Mail ) & Log Subtype = ( Allowed or Denied or Pending )
SD-WAN
Central Reporting Format
Field descriptions
Log format name under crformatter.conf is CR_sdwan_GWnRT_log_fmt.
Syslog Field Name | Log Viewer | Data Type | Length | Format/Description | Possible Values | Notes / Example |
|---|---|---|---|---|---|---|
timestamp | N/A | Timestamp | | ISO 8601 | | eg. timestamp="2018-12-07T10:03:48+0000" |
device_name | N/A | String | | | | SFW |
device_model | N/A | String | | | | SF01V |
device_serial_id | N/A | String | | | | SFDemo-ff87495 |
log_id | N/A | String | | | | eg. log_id="010101600001" |
log_type | log_type | String | | | SD-WAN | eg. log_type="SD-WAN" |
log_component | log_component | String | | | Profile | eg. log_component="Profile" |
log_subtype | log_subtype | String | | | Health check Route change | eg. log_subtype="Health check" |
log_version | N/A | Number | | | 1 | eg. log_version=1 |
severity | severity | String | | | Notice | eg. severity="Notice" |
status | status | String | | | Available Unavailable | eg. status="Available" |
profile_id | profile_id | Number | | | | eg. profile_id=123 |
profile_name | profile_name | String | | | | eg. profile_name="test_profile" |
gw_id | gw_id | Number | | | | eg. gw_id=2 |
gw_name | gw_name | String | | | | eg. gw_name="gw1" |
message | message | String | | | | eg. message="Gateway gw1 (10.20.30.40) available. probe protocol TCP probe to 10.20.30.50 successful." |
probe_target | probe_target | String | | | <IP Address> | probe_target="1.2.3.4, 5.6.7.8" |
protocol | protocol | String | | | PING/TCP | protocol="PING" |
Sample logs
Message ID | Logs |
|---|---|
19021 | |
19022 | |
19026 | |
Log format name under crformatter.conf is CR_sdwan_SLA_met_log_fmt.
Syslog Field Name | Log Viewer | Data Type | Length | Format/Description | Possible Values | Notes / Example |
|---|---|---|---|---|---|---|
timestamp | N/A | Timestamp | | ISO 8601 | | eg. timestamp="2018-12-07T10:03:48+0000" |
device_name | N/A | String | | | | SFW |
device_model | N/A | String | | | | SF01V |
device_serial_id | N/A | String | | | | SFDemo-ff87495 |
log_id | N/A | String | | | | eg. log_id="010101600001" |
log_type | log_type | String | | | SD-WAN | eg. log_type="SD-WAN" |
log_component | log_component | String | | | Profile | eg. log_component="Profile" |
log_subtype | log_subtype | String | | | Health check | eg. log_subtype="Health check" |
log_version | N/A | Number | | | 1 | eg. log_version=1 |
severity | severity | String | | | Notice | eg. severity="Notice" |
status | status | String | | | SLA met SLA not met | eg. status="SLA met" |
profile_id | profile_id | Number | | | | eg. profile_id=123 |
profile_name | profile_name | String | | | | eg. profile_name="test_profile" |
gw_id | gw_id | Number | | | | eg. gw_id=2 |
gw_name | gw_name | String | | | | eg. gw_name="gw1" |
latency | latency | Number | | -1 if packet_loss is 100% | | eg. latency=123 |
jitter | jitter | Number | | -1 if packet_loss is 100% | | eg. jitter=123 |
packet_loss | packet_loss | Number | | | | eg. packet_loss=123 |
message | message | String | | | | eg. message="SLA met for gateway gw1 (10.20.30.40) using probe target 10.20.30.50" |
probe_target | probe_target | String | | | <IP Address> | probe_target="1.2.3.4, 5.6.7.8" |
protocol | protocol | String | | | PING/TCP | protocol="PING" |
Sample logs
Message ID | Logs |
|---|---|
19023 | |
19024 | |
Log format name under crformatter.conf is CR_sdwan_SLA_data_log_fmt.
Syslog Field Name | Data Type | Length | Format/Description | Possible Values | Notes / Example |
|---|---|---|---|---|---|
timestamp | Timestamp | | ISO 8601 | | eg. timestamp="2018-12-07T10:03:48+0000" |
device_name | String | | | | SFW |
device_model | String | | | | SF01V |
device_serial_id | String | | | | SFDemo-ff87495 |
log_id | String | | | | eg. log_id="010101600001" |
log_type | String | | | SD-WAN | eg. log_type="SD-WAN" |
log_component | String | | | SLA | eg. log_component="SLA" |
log_subtype | String | | | Information | eg. log_subtype="Information" |
log_version | Number | | | 1 | eg. log_version=1 |
severity | String | | | Information | eg. severity="Information" |
profile_id | Number | | | | eg. profile_id=123 |
profile_name | String | | | | eg. profile_name="test_profile" |
gw_id | Number | | | | eg. gw_id=2 |
gw_name | String | | | | eg. gw_name="gw1" |
latency | Number | | -1 if packet_loss is 100% | | eg. latency=123 |
jitter | Number | | -1 if packet_loss is 100% | | eg. jitter=123 |
packet_loss | Number | | | | eg. packet_loss=123 |
start | Timestamp | | ISO 8601 | | eg. start="2018-12-07T10:03:48+0000" |
end | Timestamp | | ISO 8601 | | eg. end="2018-12-07T10:03:48+0000" |
gw_status | String | | | up/down | eg. gw_status="up" |
sla_status | String | | | "SLA met"/"SLA not met" | eg. sla_status="SLA met" |
Sample logs
Message ID | Logs |
|---|---|
19025 | |
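The SLA data records above carry latency=-1 and jitter=-1 whenever packet_loss is 100%, so a consumer that averages the raw fields pulls a gateway's latency down during exactly the intervals in which it was unreachable. The summariser below is an added example, not Sophos code: it reads records using the CR_sdwan_SLA_data_log_fmt field names listed above, treats -1 as "not measured", and reports per gateway the number of unreachable intervals, averages over measured intervals only, and the share of intervals with sla_status="SLA met"; naive_avg_latency shows the value a careless average would produce. The four log lines, the gateway names gw1/gw2 and the timestamps are constructed for this example, and the function names are this example's own.

```python
import re
from typing import Dict, List, Optional

# One key=value pair; values in this format are either double-quoted strings
# or bare numbers (latency=-1, packet_loss=100).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed CR_sdwan_SLA_data_log_fmt records (not captured from a firewall):
# three intervals for gw1, the last one with 100% loss, and one interval for gw2.
SLA_SAMPLES = [
    'timestamp="2024-01-10T08:00:00+0000" device_name="SFW" log_id="010101600001" '
    'log_type="SD-WAN" log_component="SLA" log_subtype="Information" log_version=1 '
    'severity="Information" profile_id=123 profile_name="test_profile" gw_id=2 '
    'gw_name="gw1" latency=20 jitter=3 packet_loss=0 '
    'start="2024-01-10T07:55:00+0000" end="2024-01-10T08:00:00+0000" '
    'gw_status="up" sla_status="SLA met"',
    'timestamp="2024-01-10T08:05:00+0000" device_name="SFW" log_id="010101600001" '
    'log_type="SD-WAN" log_component="SLA" log_subtype="Information" log_version=1 '
    'severity="Information" profile_id=123 profile_name="test_profile" gw_id=2 '
    'gw_name="gw1" latency=45 jitter=9 packet_loss=2 '
    'start="2024-01-10T08:00:00+0000" end="2024-01-10T08:05:00+0000" '
    'gw_status="up" sla_status="SLA met"',
    'timestamp="2024-01-10T08:10:00+0000" device_name="SFW" log_id="010101600001" '
    'log_type="SD-WAN" log_component="SLA" log_subtype="Information" log_version=1 '
    'severity="Information" profile_id=123 profile_name="test_profile" gw_id=2 '
    'gw_name="gw1" latency=-1 jitter=-1 packet_loss=100 '
    'start="2024-01-10T08:05:00+0000" end="2024-01-10T08:10:00+0000" '
    'gw_status="down" sla_status="SLA not met"',
    'timestamp="2024-01-10T08:10:00+0000" device_name="SFW" log_id="010101600001" '
    'log_type="SD-WAN" log_component="SLA" log_subtype="Information" log_version=1 '
    'severity="Information" profile_id=123 profile_name="test_profile" gw_id=3 '
    'gw_name="gw2" latency=120 jitter=30 packet_loss=5 '
    'start="2024-01-10T08:05:00+0000" end="2024-01-10T08:10:00+0000" '
    'gw_status="up" sla_status="SLA not met"',
]


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one record into a dict; quoted values lose their quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def measured(record: Dict[str, str], field: str) -> Optional[int]:
    """latency/jitter as an int, or None when the firewall logged the -1 sentinel."""
    value = int(record[field])
    return None if value < 0 else value


def summarize_sla(lines: List[str]) -> Dict[str, Dict[str, Optional[float]]]:
    """Per-gateway SLA summary that keeps unreachable intervals out of the averages."""
    acc: Dict[str, Dict] = {}
    for line in lines:
        rec = parse_kv(line)
        if rec.get("log_type") != "SD-WAN" or rec.get("log_component") != "SLA":
            continue
        gw = acc.setdefault(
            rec["gw_name"], {"n": 0, "unreachable": 0, "met": 0, "lat": [], "jit": []}
        )
        gw["n"] += 1
        if int(rec["packet_loss"]) == 100:
            gw["unreachable"] += 1
        if rec["sla_status"] == "SLA met":
            gw["met"] += 1
        for field, bucket in (("latency", "lat"), ("jitter", "jit")):
            value = measured(rec, field)
            if value is not None:
                gw[bucket].append(value)
    summary: Dict[str, Dict[str, Optional[float]]] = {}
    for name, gw in acc.items():
        summary[name] = {
            "intervals": gw["n"],
            "unreachable": gw["unreachable"],
            "sla_met_ratio": gw["met"] / gw["n"],
            "avg_latency": sum(gw["lat"]) / len(gw["lat"]) if gw["lat"] else None,
            "avg_jitter": sum(gw["jit"]) / len(gw["jit"]) if gw["jit"] else None,
        }
    return summary


def naive_avg_latency(lines: List[str], gw_name: str) -> float:
    """The wrong way: averaging the raw field lets the -1 sentinel lower the result."""
    values = [int(parse_kv(line)["latency"]) for line in lines
              if parse_kv(line).get("gw_name") == gw_name]
    return sum(values) / len(values)


if __name__ == "__main__":
    for name, stats in summarize_sla(SLA_SAMPLES).items():
        print(name, stats)
    print("naive gw1 latency:", naive_avg_latency(SLA_SAMPLES, "gw1"))
```

For gw1 the careful average is 32.5 ms over the two measured intervals, while the naive average over all three is about 21.3 ms, so the outage makes the link look faster than it was; the unreachable count is what a dashboard should surface for that interval instead.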
Device Standard Format (Legacy)
Field descriptions
Log format name under crformatter.conf is sdwan_GWnRT_log_fmt.
Syslog Field Name | Log Viewer | Data Type | Length | Format/Description | Possible Values | Notes / Example |
|---|---|---|---|---|---|---|
device | N/A | String | | | | SFW |
device_name | N/A | String | | | | SF01V |
device_id | N/A | String | | | | SFDemo-ff87495 |
log_id | N/A | String | | | | eg. log_id="010101600001" |
log_type | log_type | String | | | SD-WAN | eg. log_type="SD-WAN" |
log_component | log_component | String | | | Profile | eg. log_component="Profile" |
log_subtype | log_subtype | String | | | Health check Route change | eg. log_subtype="Health check" |
priority | priority | String | | | Notice | eg. priority="Notice" |
status | status | String | | | Available Unavailable | eg. status="Available" |
profile_id | profile_id | Number | | | | eg. profile_id=123 |
profile_name | profile_name | String | | | | eg. profile_name="test_profile" |
gw_id | gw_id | Number | | | | eg. gw_id=2 |
gw_name | gw_name | String | | | | eg. gw_name="gw1" |
message | message | String | | | | eg. message="Gateway gw1 (10.20.30.40) available. probe protocol TCP probe to 10.20.30.50 successful." |
probe_target | probe_target | String | | | <IP Address> | probe_target="1.2.3.4, 5.6.7.8" |
protocol | protocol | String | | | PING/TCP | protocol="PING" |
Sample logs
Message ID | Logs |
|---|---|
19021 | |
19022 | |
19026 | |
Log format name under crformatter.conf is sdwan_SLA_met_log_fmt.
Syslog Field Name | Log Viewer | Data Type | Length | Format/Description | Possible Values | Notes / Example |
|---|---|---|---|---|---|---|
device | N/A | String | | | | SFW |
device_name | N/A | String | | | | SF01V |
device_id | N/A | String | | | | SFDemo-ff87495 |
log_id | N/A | String | | | | eg. log_id="010101600001" |
log_type | log_type | String | | | SD-WAN | eg. log_type="SD-WAN" |
log_component | log_component | String | | | Profile | eg. log_component="Profile" |
log_subtype | log_subtype | String | | | Health check | eg. log_subtype="Health check" |
priority | priority | String | | | Notice | eg. priority="Notice" |
status | status | String | | | SLA met SLA not met | eg. status="SLA met" |
profile_id | profile_id | Number | | | | eg. profile_id=123 |
profile_name | profile_name | String | | | | eg. profile_name="test_profile" |
gw_id | gw_id | Number | | | | eg. gw_id=2 |
gw_name | gw_name | String | | | | eg. gw_name="gw1" |
latency | latency | Number | | -1 if packet_loss is 100% | | eg. latency=123 |
jitter | jitter | Number | | -1 if packet_loss is 100% | | eg. jitter=123 |
packet_loss | packet_loss | Number | | | | eg. packet_loss=123 |
message | message | String | | | | eg. message="SLA met for gateway gw1 (10.20.30.40) using probe target 10.20.30.50" |
probe_target | probe_target | String | | | <IP Address> | probe_target="1.2.3.4, 5.6.7.8" |
protocol | protocol | String | | | PING/TCP | protocol="PING" |
Sample logs
Message ID | Logs |
|---|---|
19023 | |
19024 | |
Log format name under crformatter.conf is sdwan_SLA_data_log_fmt.
Syslog Field Name | Data Type | Length | Format/Description | Possible Values | Notes / Example |
|---|---|---|---|---|---|
device | String | SFW | |||
device_name | String | SF01V | |||
device_id | String | SFDemo-ff87495 | |||
log_id | String | eg. log_id="010101600001" | |||
log_type | String | SD-WAN | eg. log_type="SD-WAN" | ||
log_component | String | SLA | eg. log_component="SLA" | ||
log_subtype | String | Information | eg. log_subtype="Information" | ||
priority | String | Information | eg. priority="Information" | ||
profile_id | Number | eg. profile_id=123 | |||
profile_name | String | eg. profile_name="test_profile" | |||
gw_id | Number | eg. gw_id=2 | |||
gw_name | String | eg. gw_name="gw1" | |||
latency | Number | -1 if packet_loss is 100% | eg. latency=123 | ||
jitter | Number | -1 if packet_loss is 100% | eg. jitter=123 | ||
packet_loss | Number | eg. packet_loss=123 | |||
starttime | Timestamp | eg. starttime=12345 | |||
timestamp | Timestamp | eg. timestamp=1234567 | |||
gw_status | String | up/down | eg. gw_status="up" | ||
sla_status | String | "SLA met"/"SLA not met" | eg. sla_status="SLA met" |
Sample logs
Message ID | Logs |
|---|---|
19025 | |
SSL/TLS Filter (Inspection)
Reporting
CFR Reports under:
Log Viewer & Search
SF On Box Reports under:
N/A
Control Center:
SSL/TLS
Log identifier for reports:
Log Type = SSL
Central Reporting Format
Field descriptions
Log format name under crformatter.conf is CR_tls_log_fmt.
Syslog Field Name | Log Viewer | Data Type | Length | Format/Description | Possible Values | Notes / Example |
|---|---|---|---|---|---|---|
timestamp | N/A | Timestamp | ISO 8601 | eg. timestamp="2018-12-07T10:03:48+0000" | ||
device_name | N/A | String | SFW | |||
device_model | N/A | String | SF01V | |||
device_serial_id | N/A | String | SFDemo-ff87495 | |||
log_id | N/A | String | eg. log_id="010101600001" | |||
log_type | log_type | String | SSL | eg. log_type="SSL" | ||
log_component | log_component | String | SSL | eg. log_component="SSL" | ||
log_subtype | log_subtype | String | Decrypt Reject Reject and notify Do not decrypt Error | eg. log_subtype="Decrypt" | ||
log_version | N/A | Number | 1 | eg. log_version=1 | ||
severity | severity | String | Information | eg. severity="Information" | ||
user_name | user | String | eg. user_name="gaurav" | |||
user_group | user_group | String | eg. user_group="student" | |||
src_ip | src_ip | INET | IPv4,IPv6 | eg. src_ip="10.10.10.10" | ||
src_country | src_country | String | ISO 3166 (A 3) Code | eg. src_country="IND" | ||
src_port | src_port | Number | eg. src_port=514 | |||
dst_ip | dst_ip | INET | IPv4,IPv6 | eg. dst_ip="20.20.20.20" | ||
dst_country | dst_country | String | ISO 3166 (A 3) Code | eg. dst_country="USA" | ||
dst_port | dst_port | Number | eg. dst_port=514 | |||
src_zone_type | N/A | String | eg. src_zone_type="LAN" | |||
src_zone | N/A | String | eg. src_zone="LAN" | |||
dst_zone_type | N/A | String | eg. dst_zone_type="WAN" | |||
dst_zone | N/A | String | eg. dst_zone="WAN" | |||
app_name | app_name | String | eg. app_name="Skype" | |||
con_id | con_id | String | eg. con_id=1084482152 | |||
rule_id | rule_id | Number | eg. rule_id=11 | |||
profile_id | profile_id | Number | eg. profile_id=8448215 | |||
bitmask | bitmask | String | Server certificate validity bit-mask | eg. bitmask="xxx" | ||
key_type | key_type | String | eg. key_type="RSA" | |||
resumed | resumed | Number | Flag indicating whether the TLS session was resumed | |||
cert_chain_served | cert_chain_served | String | eg. cert_chain_served="xxx" | |||
key_param | key_param | String | eg. key_param="xxx" | |||
fingerprint | fingerprint | String | eg. fingerprint="d4:1d:8c:d9:8f:00:b2:04:e9:80:09:98:ec:f8:42:7e" | |||
cipher_suite | cipher_suite | String | eg. cipher_suite="TLS" | |||
sni | sni | String | eg. sni="HTTPS" | |||
rule_name | rule_name | String | eg. rule_name="Network" | |||
profile_name | profile_name | String | eg. profile_name="xxx" | |||
tls_version | tls_version | String | eg. tls_version="xxx" | |||
reason | reason | String | eg. reason="eligible" | |||
exceptions | exception | String | eg. exceptions="av" | |||
category | category | String | e.g. "Information Technology" | |||
con_name | con_name | String | connection name | |||
message | message | String |
Sample logs
Message ID | Logs |
|---|---|
19004 | |
19005 | |
19006 | |
19007 | |
19008 | |
19009 | |
19011 | |
19012 | |
19013 | |
19014 | |
19015 | |
19016 | |
19017 | |
19018 | |
19019 | |
19020 | |
Device Standard Format (Legacy)
Field descriptions
Log format name under crformatter.conf is tls_log_fmt.
Syslog Field Name | Log Viewer | Data Type | Length | Format/Description | Possible Values | Notes / Example |
|---|---|---|---|---|---|---|
timestamp | N/A | Timestamp | ISO 8601 | eg. timestamp="2018-12-07T10:03:48+0000" | ||
device | N/A | String | SFW | |||
device_name | N/A | String | SF01V | |||
device_id | N/A | String | SFDemo-ff87495 | |||
log_id | N/A | String | eg. log_id="010101600001" | |||
log_type | log_type | String | SSL | eg. log_type="SSL" | ||
log_component | log_component | String | SSL | eg. log_component="SSL" | ||
log_subtype | log_subtype | String | Decrypt Reject Reject and notify Do not decrypt Error | eg. log_subtype="Decrypt" | ||
severity | severity | String | Information | eg. severity="Information" | ||
user_name | user | String | eg. user_name="gaurav" | |||
user_gp | user_group | String | eg. user_gp="student" | |||
src_ip | src_ip | INET | IPv4,IPv6 | eg. src_ip="10.10.10.10" | ||
src_country | src_country | String | ISO 3166 (A 3) Code | eg. src_country="IND" | ||
src_port | src_port | Number | eg. src_port=514 | |||
dst_ip | dst_ip | INET | IPv4,IPv6 | eg. dst_ip="20.20.20.20" | ||
dst_country | dst_country | String | ISO 3166 (A 3) Code | eg. dst_country="USA" | ||
dst_port | dst_port | Number | eg. dst_port=514 | |||
app_name | app_name | String | eg. app_name="Skype" | |||
con_id | con_id | String | eg. con_id=1084482152 | |||
rule_id | rule_id | Number | eg. rule_id=11 | |||
profile_id | profile_id | Number | eg. profile_id=8448215 | |||
bitmask | bitmask | String | Server certificate validity bit-mask | eg. bitmask="xxx" | ||
key_type | key_type | String | eg. key_type="RSA" | |||
resumed | resumed | Number | Flag indicating whether the TLS session was resumed | |||
cert_chain_served | cert_chain_served | String | eg. cert_chain_served="xxx" | |||
key_param | key_param | String | eg. key_param="xxx" | |||
fingerprint | fingerprint | String | eg. fingerprint="d4:1d:8c:d9:8f:00:b2:04:e9:80:09:98:ec:f8:42:7e" | |||
cipher_suite | cipher_suite | String | eg. cipher_suite="TLS" | |||
sni | sni | String | eg. sni="HTTPS" | |||
rule_name | rule_name | String | eg. rule_name="Network" | |||
profile_name | profile_name | String | eg. profile_name="xxx" | |||
tls_version | tls_version | String | eg. tls_version="xxx" | |||
reason | reason | String | eg. reason="eligible" | |||
exceptions | exception | String | eg. exceptions="av" | |||
category | category | String | e.g. "Information Technology" | |||
con_name | con_name | String | connection name | |||
message | message | String |
SSL VPN
Log format name under crformatter.conf is sslvpn_log_fmt.
Field descriptions
Syslog field name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|
log_type | log_type | String | Event | |||
log_component | log_component | String | SSL VPN | |||
log_subtype | log_subtype | String | System | |||
priority | String | Information | ||||
mode | access_type | String | The type of connection. | "Site to Site" "Remote Access" | ||
starttime | start_time | Time of the beginning of the connection | 1489578289 | |||
user_name | user | String | 384 | "-" in case of mode "Site to Site" "someusername" else | ||
ipaddress | src_ip | IP address of the firewall's (local) side of the connection | e.g. "10.81.234.5" | |||
sent_bytes | bytes_sent | Number | int32 | Number of bytes sent | ||
recv_bytes | bytes_received | Number | int32 | Number of bytes received | ||
status | status | String | "Established" "Terminated" | |||
message | message | String | 1024 | Message describing the current event | "SSL VPN Site to site connection '%s' established" "SSL VPN User '%s' connected" "SSL VPN Site to site connection '%s' disconnected" "SSL VPN User '%s' disconnected" | |
timestamp | event_timestamp | |||||
connectionname | con_name | String | 384 | |||
remote_ip | dst_ip | IP address of the remote (peer) side of the connection | e.g. "10.81.234.5" |
Reporting
Reports under:
SSL VPN: Reports > VPN > SSL VPN
Also use to report:
Reports > Compliance > Events > System Events
Log identifier for reports:
SSL VPN: Log Type = Event & Log Subtype = System & Log Component = SSL VPN
Sample logs
Message ID | Log |
|---|---|
17824 | |
17825 | |
SSL VPN (resource)
Log format name under crformatter.conf is sslvpn_tr_log_fmt.
Field descriptions
Syslog field name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|
log_type | log_type | String | Event | |||
log_component | log_component | String | SSL VPN | |||
log_subtype | log_subtype | String | System | |||
priority | String | |||||
Mode | access_type | String | ||||
sessionid | session_id | String | 64 | |||
resource_type | protocol | String | ||||
resource | url | String | 256 | |||
user_name | user | String | 384 | |||
ipaddress | src_ip | |||||
message | message | String | 1024 |
Reporting
Reports under:
SSL VPN: Reports > VPN > SSL VPN
Also use to report:
Reports > Compliance > Events > System Events
Log identifier for reports:
SSL VPN: Log Type = Event & Log Subtype = System & Log Component = SSL VPN
Sample logs
Message ID | Log |
|---|---|
17830 | |
17831 | |
System health (events)
Log format name under crformatter.conf is sysh_log_fmt.
Field descriptions
Syslog field name | Name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
log_type | log_type | String | System Health | ||||
log_component | log_component | String | CPU Memory Disk Live User Interface | ||||
log_subtype | log_subtype | String | Usage | ||||
priority | String | ||||||
raw_data | This is not a single field but a combination of multiple fields. |
Reporting
Not captured for reporting (these logs are used to report SF resource usage on Sophos iView)
Log identifier for reports:
System Health (Events): Log Type = System Health & Log Component = ( CPU or Memory or Disk or Live User or Interface ) & Log Subtype = Usage
Sample logs
Message ID | Log |
|---|---|
18031 | |
Version upgrade (events)
Log format name under crformatter.conf is ver_update_log_fmt.
Field descriptions
Syslog field name | Name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
log_type | log_type | String | Event | ||||
log_component | log_component | String | eDial-In Anti-Virus IPS WEBCAT HA ATP SSLVPN clients IPSEC clients Authentication clients RED Firmware AP Firmware Up2Date Web Application Firewall | ||||
log_subtype | log_subtype | String | System | ||||
priority | String | Notice Information | |||||
message | message | String | 1024 |
Reporting
Reports under:
Version Upgrade Event: Reports > Compliance > Events > System Events
Log identifier for reports:
Version Upgrade Event: Log Type = Event & Log Subtype = System
Sample logs
Message ID | Log |
|---|---|
17821 | |
17822 | |
17819 | |
17818 | |
17817 | |
17920 | |
17921 | |
17922 | |
17923 | |
60012 | |
60013 | |
60014 | |
60015 | |
60016 | |
60017 | |
60018 | |
60019 | |
17838 | |
18017 | |
18018 | |
18019 | |
18020 | |
18021 | |
18022 | |
18023 | |
18024 | |
18025 | |
18026 | |
18027 | |
18028 | |
18029 | |
18030 | |
18033 | |
18034 | |
WAF
Log format name under crformatter.conf is waf_fmt.
Field descriptions
Syslog field name | Name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
log_type | log_type | log_type | String | Log type | WAF | ||
log_component | log_component | log_component | String | Log component | Web Application Firewall | ||
priority | priority | String | Message priority | ||||
user_name | user_name | user | String | 384 | the userid of the person requesting the document as determined by HTTP authentication. | If the status code for the request (see below) is 401, then this value should not be trusted because the user is not yet authenticated. If the document is not password protected, this part will be "-" | |
server | server | server | String | 256 | first domain name of the virtual server serving the request | ||
sourceip | Source IP | src_ip | IP address of client (or proxy) that initiates the request | ||||
localip | Local IP | local_ip | IP address of used backend server. Might be "-" in case the request didn't cause a backend connection. | ||||
ws_protocol | Websocket Protocol | protocol | String | 16 | marks the usage of Websocket protocol. | ||
url | url | url | String | 1024 | URL path requested, not including any query string | ||
queryString | Query String | query_string | String | 1024 | the query string (prepended with a ? if a query string exists, otherwise an empty string) | ||
cookie | cookie | cookie | String | 4096 | contents of Cookie: header line in the request sent by the reverse proxy to the server | ||
referer | referer | referer | String | 1024 | contents of Referer: header line in the request sent to the server | ||
method | method | method | String | 16 | the request method | GET, POST, etc. any request method allowed by the standard | |
httpstatus | HTTP status code | Status Code | Number | int16 | HTTP status code | standard HTTP status codes | |
reason | reason | Reason | String | 32 | reverse proxy feature that intercepted a request. | "waf" "cookie" "url hardening" "av" "geoip" "dnsrbl" "-" | If the request was intercepted this field will contain the WAF feature that intercepted the request. reason="waf" reason="cookie" reason="url hardening" reason="form hardening" reason="av" reason="geoip" or reason="dnsrbl" The reason="geoip" indicates that this request was blocked due to the client's IP address being listed in the GeoIP database. The reason="dnsrbl" indicates that this request was blocked due to the client's IP address being listed in a DNS realtime blocking list (RBL). In case the request was not intercepted, this field contains the value "-". |
extra | extra | Message | String | 256 | additional information on why a request was intercepted. | In case the request was not intercepted, this field contains the value "-". | |
contenttype | Content type | content_type | String | 64 | contents of Content-type: header line in the request sent to the server | ||
useragent | User agent | user_agent | String | 256 | contents of User-Agent: header line in the request sent to the server | ||
responsetime | Response time | response_time | Number | int32 | time taken to serve the request, in microseconds | ||
bytessent | Bytes sent | bytes_sent | Number | int32 | amount of bytes sent while serving the request | ||
bytesrcv | Bytes received | bytes_received | Number | int32 | amount of bytes received while serving the request | ||
fw_rule_id | Firewall rule ID | fw_rule_id | Number | int32 | The firewall ruleid the WAF rule is connected to. |
Reporting
Reports under:
WAF Allowed: Reports > Applications & Web > Web Server Usage
WAF Denied: Reports > Applications & Web > Web Server Protection
Log identifier for reports:
WAF Allowed: Log Type = WAF & Log Component = Web Application Firewall & Log Subtype = Allowed
WAF Denied: Log Type = WAF & Log Component = Web Application Firewall & Log Subtype = Denied
Sample logs
Message ID | Log |
|---|---|
17071 | |
Web (System HTTPS Deny events)
There are two log messages that can be triggered by the web proxy that appear in syslog under "System events" and in Log viewer under "System". In DPI mode the equivalent logs are part of SSL/TLS filter.
Central Reporting Format
Log format name under crformatter.conf is CR_https_deny_log_fmt.
Field descriptions
Syslog field name | Name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
log_type | N/A | log_type | String | Event | |||
log_component | Log Comp | log_component | String | HTTPS | |||
log_subtype | N/A | log_subtype | String | System | |||
priority | N/A | N/A | String | ||||
destination | N/A | dst_ip | |||||
message | Message | message | String | 1024 | | ||
user_agent | N/A | user_agent | String | 256 | |||
http_status | N/A | status_code | Number | int16 | |||
log_id | N/A | String | eg. "010101600001" | ||||
device_name | N/A | String | eg "SFW" | ||||
device_model | N/A | String | eg "SF01V" | ||||
device_serial_id | N/A | String | eg "SFDemo-ff94e90" | ||||
log_version | N/A | Number | 1 | eg. log_version=1 | |||
protocol | N/A | N/A | String | IP protocol used for the connection | "TCP" | ||
src_ip | Source IP | N/A | The IP address from which the HTTP/HTTPS connection originated | ||||
src_port | N/A | N/A | The port from which the HTTP/HTTPS connection originated | ||||
src_country | source country | N/A | 64 | ISO 3166 (A 3) Code | e.g. "IND" "CAN" "USA" "GBR" | ||
src_zone_type | N/A | String | eg. src_zone_type="LAN" | ||||
src_zone | N/A | String | eg. src_zone="LAN" | ||||
dst_port | N/A | N/A | The port to which the HTTP/HTTPS connection was made | ||||
dst_country | destination country | N/A | 64 | ISO 3166 (A 3) Code | e.g. "IND" "CAN" "USA" "GBR" | ||
dst_zone_type | N/A | String | eg. dst_zone_type="WAN" | ||||
dst_zone | N/A | String | eg. dst_zone="WAN" | ||||
app_name | String | application name | |||||
bytes_received | Int64 | bytes received (content length) |
Device Standard Format
Log format name under crformatter.conf is https_deny_log_fmt.
Field descriptions
Syslog field name | Name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
log_type | N/A | log_type | String | Event | |||
log_component | Log Comp | log_component | String | HTTPS | |||
log_subtype | N/A | log_subtype | String | System | |||
priority | N/A | N/A | String | ||||
destination | N/A | dst_ip | |||||
message | Message | message | String | 1024 | | ||
user_agent | N/A | user_agent | String | 256 | |||
status_code | N/A | status_code | Number | int16 | |||
log_id | N/A | String | eg. "010101600001" | ||||
device | N/A | String | eg "SFW" | ||||
device_name | N/A | String | eg "SF01V" | ||||
device_id | N/A | String | eg "SFDemo-ff94e90" |
Sample logs
Message ID | Log |
|---|---|
17916 | |
17917 | |
Reporting
Reports under:
HTTPS Deny Events: Reports > Compliance > Events > System Events
Log identifier for reports:
HTTPS Deny Events: Log Type = Event & Log Subtype = System & Log Component = HTTPS
Web content policy
Web content policy transactions are generally logged with log_type="Content Filtering" and log_component="Web Content Policy" and appear in the "Web content policy" module of the Log viewer.
The transactions that appear in this Log have either been blocked or logged due to content that matches a content filter in the corresponding rule. If the content has been scanned but doesn't match any content filter, it does not appear in this log and only appears in the Web Filter Logs.
Central Reporting Format
Log format name under crformatter.conf is CR_wcp_log_fmt.
Field descriptions
Syslog field name | Name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
log_type | N/A | log_type | String | Content Filtering | |||
log_component | N/A | log_component | String | Web Content Policy | |||
log_subtype | N/A | log_subtype | String | The action taken for the logged transaction | Alert | ||
severity | N/A | N/A | String | ||||
user_name | Username | user | String | 384 | The end-user associated with the item being scanned | ||
userid | String | ||||||
user_group | User group | String | |||||
src_ip | N/A | src_ip | The IP address of the user trying to download/upload content | ||||
transaction_id | Transaction ID | transaction_id | String | 64 | Indicates the transaction_id of the AV scan. The same transaction_id appears in the Web Filter logs allowing the admin to view the Web policy decision associated with a particular transaction | eg. transaction_id="e4a127f7-a850-477c-920e-a471b38727c1" | |
content_filter_key | Content Filter | content_filter_key | String | 128 | The name of the custom/ predefined content filter matched during content scanning | eg. EthnicitytermsCA | |
http_category | Site Category | site_category | String | 64 | The web category of the website accessed | ||
domain | Website | website | String | 512 | The domain name of the location the content is being downloaded from or uploaded to | ||
con_direction | Direction | direction | String | 64 | The direction of the content being scanned | in out | |
action | Action | action | String | 64 | The web policy action taken on the content, based on the web policy rule | Deny Log | |
file_name | Filename | file_name | String | 1024 | name of the file being downloaded or uploaded | ||
context_match | Context | context_match | String | 128 | The string (context) of the file that matches the exact word/words defined in the content filter | eg. context_match="far" | |
context_prefix | Context | context_prefix | String | 64 | The string (context) of the file that precedes the matched content | eg. context_prefix="This place is " | |
context_suffix | Context | context_suffix | String | 64 | The string (context) of the file that succeeds the matched content | eg. context_suffix=" from home! " | |
app_name | Application name | app_name | String | ||||
log_id | N/A | String | eg. "010101600001" | ||||
device_name | N/A | String | eg "SFW" | ||||
device_model | N/A | String | eg "SF01V" | ||||
device_serial_id | N/A | String | eg "SFDemo-ff94e90" | ||||
log_version | N/A | Number | 1 | eg. log_version=1 | |||
user_group | N/A | ||||||
dst_country | destination country | N/A | string | 64 | ISO 3166 (A 3) Code | e.g. "IND" "CAN" "USA" "GBR" | |
dst_zone | destination zone | N/A | destination zone | e.g. "WAN" | |||
dst_zone_type | destination zone type | N/A | string | destination zone type (for custom zones) | e.g. "WAN" | ||
src_country | source country | N/A | string | 64 | ISO 3166 (A 3) Code | e.g. "IND" "CAN" "USA" "GBR" | |
src_zone | source zone | N/A | source zone | e.g. "LAN" | |||
src_zone_type | source zone type | N/A | source zone type (for custom zones) | e.g. "LAN" | |||
dst_ip | Destination IP | N/A | The IP address to which the HTTP/HTTPS connection was made | ||||
src_port | N/A | N/A | The port from which the HTTP/HTTPS connection originated | ||||
dst_port | N/A | N/A | The port to which the HTTP/HTTPS connection was made |
Device Standard Format (legacy)
Log format name under crformatter.conf is wcp_log_fmt.
Field descriptions
Syslog field name | Name | Log viewer - | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
log_type | N/A | log_type | String | Content Filtering | |||
log_component | N/A | log_component | String | Web Content Policy | |||
log_subtype | N/A | log_subtype | String | The action taken for the logged transaction | Alert | ||
priority | N/A | N/A | String | ||||
user_name | Username | user | String | 384 | The end-user associated with the item being scanned | ||
userid | String | ||||||
src_ip | N/A | src_ip | The IP address of the user trying to download/upload content | ||||
transactionid | Transaction ID | transaction_id | String | 64 | Indicates the transaction_id of the AV scan. The same transaction_id appears in the Web Filter logs allowing the admin to view the Web policy decision associated with a particular transaction | eg. transaction_id="e4a127f7-a850-477c-920e-a471b38727c1" | |
dictionaryname | Content Filter | content_filter_key | String | 128 | The name of the custom/ predefined content filter matched during content scanning | eg. EthnicitytermsCA | |
sitecategory | Site Category | site_category | String | 64 | The web category of the website accessed | ||
website | Website | website | String | 512 | The domain name of the location the content is being downloaded from or uploaded to | ||
direction | Direction | direction | String | 64 | The direction of the content being scanned | in out | |
action | Action | action | String | 64 | The web policy action taken on the content, based on the web policy rule | Deny Log | |
filename | Filename | file_name | String | 1024 | name of the file being downloaded or uploaded | ||
contextmatch | Context | context_match | String | 128 | The string (context) of the file that matches the exact word/words defined in the content filter | eg. context_match="far" | |
contextprefix | Context | context_prefix | String | 64 | The string (context) of the file that precedes the matched content | eg. context_prefix="This place is " | |
contextsuffix | Context | context_suffix | String | 64 | The string (context) of the file that succeeds the matched content | eg. context_suffix=" from home! " | |
log_id | N/A | String | eg. "010101600001" | ||||
device | N/A | String | eg "SFW" | ||||
device_name | N/A | String | eg "SF01V" | ||||
device_id | N/A | String | eg "SFDemo-ff94e90" |
Sample logs
Message ID | Log |
|---|---|
16010 | |
Reporting
Reports under:
Web Content: Reports > Applications & Web > Web Content
Log identifier for reports:
Web Content: Log Type = Content Filtering & Log Component = Web Content Policy
Web filter
Web transactions are generally logged with log_type="Content Filtering" and appear in the "Web filter" log viewer.
The exception to this is when a transaction is blocked because it contains malware. These transactions are logged using log_type="Anti-Virus" and log_subtype="Virus".
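The "Log identifier for reports" rules given for WAF, SSL VPN, HTTPS deny events and Web content policy above, together with the Web filter rule just stated and the log_id layout from "Common fields' values and format", can be exercised with a small parser. The following Python is an added example written for this guide, not Sophos code: it tokenises key="value" syslog lines, splits the 12-digit log_id into its type, component, subtype, severity and message ID, and routes each entry to a report. The sample lines are constructed from field names in this guide and are not real firewall output (the user "jdoe", www.example.com, the ROUTES table and the report labels are this example's own; log_id reuses the guide's generic example value).

```python
"""Added example (not Sophos code): parse Sophos Firewall syslog key=value
lines, decode the 12-digit log_id, and route each entry to a report using
the "Log identifier for reports" rules from this guide."""
import re
from collections import Counter

# Severity digit of log_id, per "Common fields' values and format".
SEVERITY = {
    "0": "Emergency", "1": "Alert", "2": "Critical", "3": "Error",
    "4": "Warning", "5": "Notice", "6": "Information", "7": "Debug",
}

# One key=value token: quoted values may contain spaces and '=' signs,
# bare values run to the next whitespace.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# (log_type, log_component, log_subtype) -> report name. None matches any
# value; the first matching row wins, so the specific Web Content Policy row
# precedes the general Web filter row. Report names are this example's own.
ROUTES = [
    (("WAF", "Web Application Firewall", "Allowed"), "WAF Allowed"),
    (("WAF", "Web Application Firewall", "Denied"), "WAF Denied"),
    (("Content Filtering", "Web Content Policy", None), "Web Content"),
    (("Content Filtering", "HTTP", None), "Web Filter"),
    (("Anti-Virus", None, "Virus"), "Web Filter (malware blocked)"),
    (("Event", "HTTPS", "System"), "HTTPS Deny Events"),
    (("Event", "SSL VPN", "System"), "SSL VPN"),
    (("Event", None, "System"), "System Events"),
]

# Constructed sample lines built from field names in this guide; not real
# firewall output. "jdoe" and www.example.com are made up; log_id reuses the
# guide's generic example value, so its decoded type digits are illustrative.
SAMPLE_LINES = [
    'device="SFW" device_name="SF01V" device_id="SFDemo-ff87495" '
    'log_id="010101600001" log_type="WAF" log_component="Web Application Firewall" '
    'log_subtype="Denied" user_name="-" server="www.example.com" method="GET" '
    'url="/login" reason="waf" httpstatus=403',
    'log_type="Content Filtering" log_component="Web Content Policy" '
    'log_subtype="Alert" user_name="jdoe" src_ip="10.10.10.10" '
    'content_filter_key="EthnicitytermsCA" action="Deny" con_direction="out"',
    'log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" '
    'user_name="jdoe" url="https://www.google.com/search?q=firewall" '
    'http_category="Information Technology" http_status=200',
    'log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" '
    'severity="Critical" user_name="jdoe" src_ip="10.10.10.10"',
    'log_type="Event" log_component="HTTPS" log_subtype="System" '
    'priority="Notice" user_agent="Mozilla/5.0" http_status=403',
    'log_type="Event" log_component="SSL VPN" log_subtype="System" '
    'priority="Information" mode="Remote Access" user_name="jdoe" '
    'status="Established" message="SSL VPN User \'jdoe\' connected"',
]


def parse_line(line):
    """Return the key/value pairs of one syslog line as a dict of strings."""
    fields = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def decode_log_id(log_id):
    """Split a 12-digit log_id into type/component/subtype/severity/message ID."""
    if not re.fullmatch(r"\d{12}", log_id):
        raise ValueError(f"log_id must be 12 digits, got {log_id!r}")
    return {
        "log_type": log_id[0:2],
        "log_component": log_id[2:4],
        "log_subtype": log_id[4:6],
        "severity": SEVERITY[log_id[6]],
        "message_id": log_id[7:12],
    }


def classify(fields):
    """Map parsed fields to a report name using ROUTES (first match wins)."""
    key = (fields.get("log_type"), fields.get("log_component"),
           fields.get("log_subtype"))
    for pattern, report in ROUTES:
        if all(p is None or p == v for p, v in zip(pattern, key)):
            return report
    return "Unclassified"


def summarize(lines):
    """Count how many of the given lines fall into each report."""
    counts = Counter()
    for line in lines:
        counts[classify(parse_line(line))] += 1
    return counts


if __name__ == "__main__":
    for report, n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{report:30s} {n}")
```

The quoted-value alternative in the regular expression is what keeps a URL such as `/search?q=firewall` from being split at its own `=`; a naive `split("=")` would mis-parse exactly the web filter entries this section describes. The ROUTES table is ordered from most to least specific so that Web Content Policy entries are not swallowed by the general Content Filtering rule.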
Central Reporting Format
Field descriptions
Log format name under crformatter.conf is CR_contflt_log_fmt.
Syslog field name | Name | Log viewer - | Data type | Max length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
log_type | N/A | log_type | String | Content Filtering | |||
log_component | N/A | log_component | String | HTTP | |||
log_subtype | Action | log_subtype | String | The action taken for the logged HTTP/HTTPS transaction | Allowed Denied Override Warned Quota | ||
log_id | N/A | N/A | String | see "Common fields' values and format" | |||
severity | Severity | N/A | String | Severity of the event | Information | ||
fw_rule_id | Firewall rule ID | fw_rule_id | Number | int32 | Indicates the ID number of the Firewall policy rule that applies to this transaction | ||
fw_rule_name | Firewall rule name | fw_rule_name | String | Indicates the name of the Firewall policy rule that applies to this transaction | |||
fw_rule_section | Firewall rule section name | fw_rule_section | String | Indicates the section of the Firewall policy rule that applies to this transaction | |||
user_name | User name | user | String | 384 | The end-user associated with the item being scanned | ||
user_group | User group | user_group | String | 1024 | The group to which the user belongs | ||
web_policy_id | Web policy ID | web_policy_id | Number | int16 | The numerical ID of the Web Policy applied to this transaction | ||
Web policy | web_policy | String | 1024 | The name of the Web Policy applied to this transaction. | |||
http_category | Web category | category | String | 64 | The category of the URL being requested | e.g. "Information Technology" | |
http_category_type | Web category type | category_type | String | 64 | The classification associated with the category | e.g. "Acceptable", "Unproductive", "Objectionable" | |
url | URL | url | String | 1024 | The URL being requested | ||
content_type | Content type | content_type | String | 64 | The MIME-type of the downloaded content | e.g. "text/plain" | |
override_token | Override token | override_token | String | 64 | The token generated for an override session: <user ID>-<connecting IP address>_<override session ID> | This field existed before 17.5 but will only get populated starting with 17.5 | |
override_name | Override name | override_name | String | 100 | Name of the override session | ||
override_authorizer | Override authorizer | override_authorizer | String | 256 | Authorizer (creator) of the override session | ||
src_ip | Source IP | src_ip | The IP address from which the HTTP/HTTPS connection originated | ||||
dst_ip | Destination IP | dst_ip | The IP address to which the HTTP/HTTPS connection was made | ||||
protocol | N/A | protocol | String | IP protocol used for the connection | "TCP" | ||
src_port | N/A | src_port | The port from which the HTTP/HTTPS connection originated | ||||
dst_port | N/A | dst_port | The port to which the HTTP/HTTPS connection was made | ||||
bytes_sent | Bytes sent | bytes_sent | Number | int32 | Bytes sent upstream to the web server by the firewall | ||
bytes_received | N/A | bytes_received | Number | int32 | Bytes received from the upstream web server by the firewall | This will not necessarily be identical to the bytes sent to the client by the firewall, especially if the content was retrieved from the local web cache. | |
domain | N/A | domain | String | 512 | The FQDN part of the URL, representing the hostname/domain of the web site | e.g. "www.google.com" | |
exceptions | Web exceptions | exception | String | | Comma separated list of the checks excluded by Web Exceptions | ||
activity_name | N/A | activity_name | String | 64 | The name of a Web policy Activity that matched and caused the policy result | If the transaction matches multiple activities then only the first one that causes the policy decision will be recorded | |
reason | N/A | reason | String | 256 | For transactions that require Sandstorm analysis, records the Sandstorm status | Note that for all items sent to the Sandstorm cloud for analysis, there will be two entries in the "Content Filter" log, one with | |
http_user_agent | N/A | user_agent | String | 256 | The user-agent string for the client. | e.g. "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0" | |
http_status | N/A | status_code | Number | int16 | The numeric HTTP response code | e.g. "200" | |
transaction_id | Transaction ID | transaction_id | String | 64 | Indicates the AV scan's transaction_id. This will only appear when malware/ content scanning has been performed in that transaction | Corresponds to the av_transaction_id in the awarrenhttp_access logs | |
http_referer | Referrer | referer | String | 512 | The HTTP referer header value | ||
download_file_name | N/A | download_file_name | String | 256 | The name of the file that was downloaded. | e.g. "foo.js" | |
download_file_type | N/A | download_file_type | String | 128 | The filetype of the file that was downloaded. | e.g. "text/javascript" | |
upload_file_name | N/A | upload_file_name | String | 256 | The name of the file that was uploaded. | e.g. "rem.exe" | |
upload_file_type | N/A | upload_file_type | String | 128 | The filetype of the file that was uploaded. | e.g. "application/x-msdos-program" | |
con_id | N/A | con_id | Number | int32 | Connection identifier. Used to tie firewall log entries to web filter log entries. | ||
app_name | N/A | app_name | String | 64 | Name of application | e.g. "Youtube Website" | |
app_is_cloud | N/A | app_is_cloud | Number | int16 | |||
used_quota | N/A | used_quota | Number | int16 | Used quota time in minutes. | ||
device_name | device_name | N/A | String | e.g. "SFW" | |||
device_model | device_model | N/A | String | e.g. "SF01V" | |||
device_serial_id | N/A | String | e.g. "S4000806149EE49" | ||||
log_version | log version | N/A | Number | int16 | e.g. log_version=1 | ||
timestamp | timestamp | N/A | Timestamp | ISO 8601 | eg. timestamp=2018-12-07T10:03:48+0000 | ||
dst_country | destination country | N/A | string | 64 | ISO 3166 (A 3) Code | e.g. "IND" "CAN" "USA" "GBR" | |
dst_zone | destination zone | N/A | destination zone | e.g. "WAN" | |||
dst_zone_type | destination zone type | N/A | string | destination zone type (for custom zones) | e.g. "WAN" | ||
src_country | source country | N/A | string | 64 | ISO 3166 (A 3) Code | e.g. "IND" "CAN" "USA" "GBR" | |
src_zone | source zone | N/A | source zone | e.g. "LAN" | |||
src_zone_type | source zone type | N/A | source zone type (for custom zones) | e.g. "LAN" | |||
app_risk | Application risk | String | |||||
app_category | Application category | String | |||||
parent_app | Parent application | String | |||||
parent_app_category | Parent application category | String | |||||
parent_app_risk | Parent application risk | String | |||||
Device Standard Format
Field descriptions
Log format name under crformatter.conf is CR_contflt_log_fmt.
Syslog field name | Name | Log viewer | Data type | Max length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|---|
log_type | N/A | log_type | String | | | Content Filtering | |
log_component | N/A | log_component | String | | | HTTP | |
log_subtype | Action | log_subtype | String | | The action taken for the logged HTTP/HTTPS transaction | Allowed Denied Override Warned Quota | |
log_id | N/A | | String | | See "Common fields' values and format" | | |
priority | Priority | N/A | String | | | Information | |
fw_rule_id | Firewall rule ID | fw_rule_id | Number | int32 | Indicates the ID number of the Firewall policy rule that applies to this transaction | | |
fw_rule_name | Firewall rule name | fw_rule_name | String | | Indicates the name of the Firewall policy rule that applies to this transaction | | |
fw_rule_section | Firewall rule section name | fw_rule_section | String | | Indicates the section of the Firewall policy rule that applies to this transaction | | |
user_name | User name | user | String | 384 | The end-user associated with the item being scanned | | |
user_gp | User group | user_group | String | 1024 | The group to which the user belongs | | |
iap | Web policy ID | web_policy_id | Number | int16 | The numerical ID of the Web Policy applied to this transaction | | |
| | Web policy name | web_policy | String | | The name of the Web Policy applied to this transaction | | |
category | Web category | category | String | 64 | The category of the URL being requested | | e.g. "Information Technology" |
category_type | Web category type | category_type | String | 64 | The classification associated with the category | | e.g. "Acceptable", "Unproductive", "Objectionable" |
url | URL | url | String | 1024 | The URL being requested | | |
contenttype | Content type | content_type | String | 64 | The MIME type of the downloaded content | | e.g. "text/plain" |
override_token | Override token | override_token | String | 64 | The token generated for an override session: <user ID>-<connecting IP address>_<override session ID> | | This field existed before 17.5 but is only populated starting with 17.5 |
override_name | Override name | override_name | String | 100 | Name of the override session | | |
override_authorizer | Override authorizer | override_authorizer | String | 256 | Authorizer (creator) of the override session | | |
src_ip | Source IP | src_ip | | | The IP address from which the HTTP/HTTPS connection originated | | |
dst_ip | Destination IP | dst_ip | | | The IP address to which the HTTP/HTTPS connection was made | | |
protocol | N/A | protocol | String | | IP protocol used for the connection | "TCP" | |
src_port | N/A | src_port | | | The port from which the HTTP/HTTPS connection originated | | |
dst_port | N/A | dst_port | | | The port to which the HTTP/HTTPS connection was made | | |
sent_bytes | Bytes sent | bytes_sent | Number | int32 | Bytes sent upstream to the web server by the firewall | | |
recv_bytes | N/A | bytes_received | Number | int32 | Bytes received from the upstream web server by the firewall | | This will not necessarily be identical to the bytes sent to the client by the firewall, especially if the content was retrieved from the local web cache. |
domain | N/A | domain | String | 512 | The FQDN part of the URL, representing the hostname/domain of the web site | | e.g. "www.google.com" |
exceptions | Web exceptions | exception | String | 64 | Comma-separated list of the checks excluded by Web Exceptions | | |
activityname | N/A | activity_name | String | 64 | The name of a Web policy Activity that matched and caused the policy result | | If the transaction matches multiple activities then only the first one that causes the policy decision will be recorded |
reason | N/A | reason | String | 256 | For transactions that require Sandstorm analysis, records the Sandstorm status | | Note that for all items sent to the Sandstorm cloud for analysis, there will be two entries in the "Content Filter" log: one with |
user_agent | N/A | user_agent | String | 256 | The user-agent string for the client. | | e.g. "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0" |
status_code | N/A | status_code | Number | int16 | The numeric HTTP response code | | e.g. "200" |
transactionid | Transaction ID | transaction_id | String | 64 | Indicates the AV scan's transaction_id. This will only appear when malware/content scanning has been performed in that transaction | | Corresponds to the av_transaction_id in the awarrenhttp_access logs |
referer | Referrer | referer | String | 512 | The HTTP referer header value | | |
download_file_name | N/A | download_file_name | String | 256 | The name of the file that was downloaded. | | e.g. "foo.js" |
download_file_type | N/A | download_file_type | String | 128 | The file type of the file that was downloaded. | | e.g. "text/javascript" |
upload_file_name | N/A | upload_file_name | String | 256 | The name of the file that was uploaded. | | e.g. "rem.exe" |
upload_file_type | N/A | upload_file_type | String | 128 | The file type of the file that was uploaded. | | e.g. "application/x-msdos-program" |
con_id | N/A | con_id | Number | int32 | Connection identifier. Used to tie firewall log entries to web filter log entries. | | |
application | N/A | app_name | String | 64 | Name of application | | e.g. "Youtube Website" |
app_is_cloud | N/A | app_is_cloud | Number | int16 | | | |
used_quota | N/A | used_quota | Number | int16 | Used quota time in minutes. | | |
device | N/A | | String | | | | e.g. "SFW" |
device_name | N/A | | String | | | | e.g. "SF01V" |
device_id | N/A | | String | | | | e.g. "S4000806149EE49" |
Sample logs
Message ID | Logs |
|---|---|
16001 | |
16002 | |
16003 | |
16005 | |
16006 | |
Reporting
Reports under:
Web Allowed: Reports > Application & Web > Web Risks & Usage
Web Denied: Reports > Application & Web > Blocked Web Attempts
Also used to report:
CASB (in combination with Application logs): Reports > Application & Web > Cloud Application Usage
Search Engine (where the URL has a search pattern): Reports > Application & Web > Search Engine
Log identifier for reports:
Web Allowed: Log Component = HTTP & (Log Subtype = Allowed or Clean or Warned)
Web Denied: Log Component = HTTP & Log Subtype = Denied
Wireless
Reporting
Reports under:
Wireless: Reports > Network & Threats > Wireless
Log identifier for reports:
Wireless: Log Type = Wireless Protection & Log Component = Wireless Protection
Central Reporting Format
Field descriptions
Log format name under crformatter.conf is CR_wc_log_fmt.
Syslog field name | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|
timestamp | Timestamp | | ISO 8601 | | e.g. timestamp="2018-12-07T10:03:48+0000" |
device_name | String | | | | e.g. device_name="SFW" |
device_model | String | | | | e.g. device_model="XG135" |
device_serial_id | String | | | | e.g. device_serial_id="C44313350024-P29PUA" |
log_id | String | | | | e.g. log_id="086320518009" |
log_type | String | 8 | Log type | Wireless Protection | |
log_component | String | 8 | Log component | Wireless Protection | |
log_subtype | String | 8 | Status of log | Information | |
log_version | Number | | | | e.g. log_version=1 |
severity | String | 8 | Severity of log | Information | |
reported_id | String | | Access Point serial ID or LocalWifi0 or LocalWifi1 | Access Point Serial ID or LocalWifi0 or LocalWifi1 | |
ssid | String | | SSID name | Configured SSID name | |
con_count | Number | | Number of clients connected to that SSID | | con_count=<number of connected clients> |
Sample logs
Message ID | Log |
|---|---|
18011 | device_name="SFW" timestamp="2023-12-12T00:16:21+0530" device_model="XGS126w" device_serial_id="X12206492TP4V78" log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" log_version=1 severity="Information" reported_id="P3300128BX87392" ssid="SophosGuest202" con_count=2 |
18012 | device_name="SFW" timestamp="2023-12-12T00:14:08+0530" device_model="XGS126w" device_serial_id="X12206492TP4V78" log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" log_version=1 severity="Information" reported_id="P3300128BX87392" ssid="SophosGuest202" con_count=1 |
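The two sample lines above, and the "Log identifier for reports" rules given for the Web and Wireless reports, are enough to build a small parser that turns a Sophos Firewall syslog line into fields and names the report it feeds. The following is an added example, not Sophos code; `CONSTRUCTED_WEB_DENY` is a made-up Content Filtering line using field names from the Device Standard Format table, and `split_log_id` follows the log_id component layout given at the top of this guide.

```python
import re
from typing import Dict, Optional

# Added example (not Sophos code): parse Sophos Firewall key=value syslog
# lines and apply the "Log identifier for reports" rules from this guide.
# String values are double-quoted; numbers and log_id are bare tokens.
_PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Message ID 18011 sample quoted in this guide's wireless sample-log table.
WIRELESS_SAMPLE = (
    'device_name="SFW" timestamp="2023-12-12T00:16:21+0530" device_model="XGS126w" '
    'device_serial_id="X12206492TP4V78" log_id=106025618011 log_type="Wireless Protection" '
    'log_component="Wireless Protection" log_subtype="Information" log_version=1 '
    'severity="Information" reported_id="P3300128BX87392" ssid="SophosGuest202" con_count=2'
)
# Constructed Content Filtering entry: field names from the Device Standard
# Format table, values invented for illustration.
CONSTRUCTED_WEB_DENY = (
    'device="SFW" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" '
    'priority=Information fw_rule_id=3 user_name="example.user" category="Malware" '
    'url="http://example.invalid/payload.exe" src_ip=10.0.0.5 dst_ip=192.0.2.10 protocol="TCP"'
)

def parse_sophos_log(line: str) -> Dict[str, str]:
    """Split one syslog line into a field dict; every value is kept as a string."""
    return {key: quoted or bare for key, quoted, bare in _PAIR_RE.findall(line)}

def split_log_id(log_id: str) -> Dict[str, str]:
    """Split the 12-digit log_id into the components the guide documents:
    2-digit log type, component and subtype, 1-digit severity, 5-digit message ID."""
    if not (len(log_id) == 12 and log_id.isdigit()):
        raise ValueError(f"unexpected log_id: {log_id!r}")
    return {"log_type": log_id[0:2], "log_component": log_id[2:4],
            "log_subtype": log_id[4:6], "severity": log_id[6], "message_id": log_id[7:]}

def report_bucket(fields: Dict[str, str]) -> Optional[str]:
    """Name the report an entry feeds, per the "Log identifier for reports" rules."""
    comp, sub = fields.get("log_component"), fields.get("log_subtype")
    if fields.get("log_type") == "Wireless Protection" and comp == "Wireless Protection":
        return "Wireless"
    if comp == "HTTP" and sub in ("Allowed", "Clean", "Warned"):
        return "Web Allowed"
    if comp == "HTTP" and sub == "Denied":
        return "Web Denied"
    return None  # not covered by the rules quoted in this guide

if __name__ == "__main__":
    for line in (WIRELESS_SAMPLE, CONSTRUCTED_WEB_DENY):
        f = parse_sophos_log(line)
        print(report_bucket(f), split_log_id(f["log_id"]) if "log_id" in f else "-")
```

For the wireless sample, the message ID recovered from log_id (18011) matches the Message ID column of the table it was taken from, which is a quick consistency check when validating a syslog feed.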
Device Standard Format (Legacy)
Log format name under crformatter.conf is wc_log_fmt.
Field descriptions
Syslog field name | Log viewer | Data type | Length | Format/Description | Possible values | Notes/Examples |
|---|---|---|---|---|---|---|
log_type | log_type | String | | Log type | Wireless Protection | |
log_component | log_component | String | | Log component | Wireless Protection | |
log_subtype | log_subtype | String | | Log subtype | Information | |
priority | | String | | Priority of the message content | Information | |
ap | AP_SN | String | 64 | Access Point serial ID or LocalWifi0 or LocalWifi1 | Access Point Serial ID or LocalWifi0 or LocalWifi1 | |
ssid | SSID | String | 64 | SSID name | Configured SSID name | |
clients_conn_SSID | connected_client_count | Number | int32 | Number of clients connected to that SSID | | clients_conn_SSID=<number of connected clients> |
Sample logs
Message ID | Log |
|---|---|
18011 | |