Activity log entries are written to the file /phion0/logs/box_Firewall_Activity.log. The firewall writes output about its activity to the firewall activity log file, e.g.:
2018 01 30 13:12:21 Security +01:00 Block: type=FWD|proto=UDP|srcIF=eth0|srcIP=10.17.34.12|srcPort=54915|srcMAC=18:db:f2:13:ca:9c|dstIP=10.17.34.255|dstPort=54915|dstService=|dstIF=|rule=BLOCKALL|info=Block by Rule|srcNAT=0.0.0.0|dstNAT=0.0.0.0|duration=0|count=1|receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=|protocol=|application=|target=|content=|urlcat=
Structure of Log Entry Components
A log entry of the firewall's activity log consists of a fixed prefix followed by several key=value pairs that are separated by a '|' character. The prefix contains the timestamp (date and time), the Type of the entry, the timezone offset, and the Action followed by a colon; the key=value pairs listed below follow in the order shown. As seen in the example above, every key is present in every entry, but a value may be empty (e.g. dstService=) when the firewall did not process that piece of information for the session:
Key | Sub-key | Description
---|---|---
Type | | The type of log entry, e.g. Security or Info (Security in the example above).
Action | | The action taken according to the firewall ruleset configuration (Block in the example above).
type | | The origin type of the traffic and the ruleset used. Any of the sub-key values in the following rows can apply.
type | LIN | Local In. Incoming traffic on the host firewall.
type | LOUT | Local Out. Outgoing traffic from the host firewall.
type | LB | Loopback. Traffic via the loopback interface.
type | FWD | Forwarding. Outbound traffic via the forwarding firewall.
type | IFWD | Inbound Forwarding. Inbound traffic to the firewall.
type | PRX | Proxy. Outbound traffic via the proxy.
type | IPRX | Inbound Proxy. Inbound traffic via the proxy.
type | TAP | Transparent Application Proxying. Traffic via stream forwarding.
type | LRD | Local Redirect. Redirected traffic configured in the forwarding ruleset.
proto | | The protocol that was used, for example TCP, UDP, or ICMP.
srcIF | | The source network interface of the session.
srcIP | | The source IP address of the session.
srcPort | | The source port of the session.
srcMAC | | The MAC address of the session's source network interface.
dstIP | | The destination IP address of the session.
dstPort | | The destination port of the session.
dstService | | The destination service of the session.
dstIF | | The destination network interface of the session.
rule | | The name of the firewall rule processing the session.
info | | Operational information for the session, e.g. Block by Rule.
srcNAT | | Source NAT address of the session.
dstNAT | | Destination NAT address of the session.
duration | | Duration of the session.
count | | Number of sessions processed. One log entry can stand for more than one session.
receivedBytes | | Received traffic of a session in bytes.
sentBytes | | Sent traffic of a session in bytes.
receivedPackets | | Received traffic of a session in packets.
sentPackets | | Sent traffic of a session in packets.
user | | The name of the user, if the session was handled by a firewall rule that requires authentication.
protocol | | The application-layer protocol of a session, for example HTTP.
application | | The application context of a session.
target | | The application target.
content | | The application content.
urlcat | | The URL category the session belongs to.
Data Types with Data Examples
The following tables show each Field identifier followed by its Format and a data Example. The Format row indicates the low-level data type used for processing the information. Note that in the final log entry, not all of the following keys have data assigned to them; cells without an example are left empty here for the same reason:

Field | type | proto | srcIF | srcIP | srcPort | srcMAC | dstIP
---|---|---|---|---|---|---|---
Format | String | String | String | IPv4/IPv6 address | Number | : separated bytes | IPv4/IPv6 address
Example | FWD | UDP | eth0 | | | |

Field (cont.) | dstPort | dstService | dstIF | rule | info | srcNAT | dstNAT
---|---|---|---|---|---|---|---
Format | Number | String | String | String | String | IPv4/IPv6 address | IPv4/IPv6 address
Example | | netbios-dgm | eth2 | | | |

Field (cont.) | duration | count | receivedBytes | sentBytes | receivedPackets | sentPackets
---|---|---|---|---|---|---
Format | Number | Number | Number | Number | Number | Number
Example | 0 | 0 | 0 | 0 | 0 | 0

Field (cont.) | user | protocol | application | target | content | urlcat
---|---|---|---|---|---|---
Format | String | String | String | String | String | String
Example | user1234 | HTTP | Web Browsing | 10.17.18.19 | String | Uncategorized
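The following parser is an added example, not part of this page or of the firewall's own tooling. It turns the entry structure described above (prefix, then '|'-separated key=value pairs) into a typed dictionary using the data types from the tables in this section, treats empty values as absent, and then sums the count field of Block entries per source address, because one line can represent several sessions. The first sample line is the one from the top of this page; the other two lines, the action name "Allow", the rule name "LAN-2-INTERNET", the user name and the addresses in them are constructed for the example and are not taken from any real log.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Fixed prefix: "YYYY MM DD HH:MM:SS <Type> <+HH:MM> <Action>: " followed by the key=value body.
HEADER_RE = re.compile(
    r"^(?P<date>\d{4} \d{2} \d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<log_type>\S+) (?P<tz>[+-]\d{2}:\d{2}) (?P<action>[^:]+): (?P<body>.*)$"
)

# Keys typed as Number / IPv4-IPv6 address in the "Data Types" tables above.
NUMERIC_KEYS = {"srcPort", "dstPort", "duration", "count",
                "receivedBytes", "sentBytes", "receivedPackets", "sentPackets"}
ADDRESS_KEYS = {"srcIP", "dstIP", "srcNAT", "dstNAT"}
# Sub-key values documented for "type".
TRAFFIC_TYPES = {"LIN", "LOUT", "LB", "FWD", "IFWD", "PRX", "IPRX", "TAP", "LRD"}

# Constructed sample input. Line 1 is the page's own example; lines 2 and 3 are made up
# for this example (the "Allow" action, the rule name and the addresses are assumptions).
SAMPLE_LINES = [
    "2018 01 30 13:12:21 Security +01:00 Block: type=FWD|proto=UDP|srcIF=eth0|srcIP=10.17.34.12|srcPort=54915|srcMAC=18:db:f2:13:ca:9c|dstIP=10.17.34.255|dstPort=54915|dstService=|dstIF=|rule=BLOCKALL|info=Block by Rule|srcNAT=0.0.0.0|dstNAT=0.0.0.0|duration=0|count=1|receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=|protocol=|application=|target=|content=|urlcat=",
    "2018 01 30 13:12:25 Security +01:00 Block: type=FWD|proto=UDP|srcIF=eth0|srcIP=10.17.34.12|srcPort=54915|srcMAC=18:db:f2:13:ca:9c|dstIP=10.17.34.255|dstPort=54915|dstService=|dstIF=|rule=BLOCKALL|info=Block by Rule|srcNAT=0.0.0.0|dstNAT=0.0.0.0|duration=0|count=3|receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=|protocol=|application=|target=|content=|urlcat=",
    "2018 01 30 13:13:02 Security +01:00 Allow: type=FWD|proto=TCP|srcIF=eth0|srcIP=10.17.34.50|srcPort=51234|srcMAC=00:11:22:33:44:55|dstIP=198.51.100.20|dstPort=80|dstService=http|dstIF=eth2|rule=LAN-2-INTERNET|info=|srcNAT=203.0.113.7|dstNAT=0.0.0.0|duration=1530|count=1|receivedBytes=48213|sentBytes=1920|receivedPackets=44|sentPackets=21|user=user1234|protocol=HTTP|application=Web Browsing|target=198.51.100.20|content=|urlcat=Uncategorized",
]


def parse_entry(line):
    """Parse one activity log line into a dict with typed values; empty values become None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("line does not start with the expected timestamp/Type/Action prefix")

    # Timezone offset like "+01:00" -> aware datetime.
    tz = m["tz"]
    sign = 1 if tz[0] == "+" else -1
    hours, minutes = (int(part) for part in tz[1:].split(":"))
    offset = timezone(sign * timedelta(hours=hours, minutes=minutes))
    timestamp = datetime.strptime(f"{m['date']} {m['time']}", "%Y %m %d %H:%M:%S").replace(tzinfo=offset)

    entry = {"timestamp": timestamp, "log_type": m["log_type"], "action": m["action"]}
    for field in m["body"].split("|"):
        # partition() splits at the first '=' only, so a value containing '=' stays intact.
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"field without '=': {field!r}")
        if value == "":
            entry[key] = None
        elif key in NUMERIC_KEYS:
            entry[key] = int(value)
        elif key in ADDRESS_KEYS:
            entry[key] = ipaddress.ip_address(value)
        else:
            entry[key] = value

    if entry.get("type") not in TRAFFIC_TYPES:
        raise ValueError(f"unknown traffic type: {entry.get('type')!r}")
    return entry


def blocked_sessions_by_source(lines):
    """Sum the count field of Block entries per source IP.

    count is the number of sessions an entry stands for, so counting lines would undercount.
    """
    totals = {}
    for line in lines:
        entry = parse_entry(line)
        if entry["action"] != "Block":
            continue
        src = str(entry["srcIP"])
        totals[src] = totals.get(src, 0) + (entry["count"] or 0)
    return totals


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        e = parse_entry(line)
        print(e["timestamp"].isoformat(), e["action"], e["type"], e["proto"],
              e["srcIP"], e["dstIP"], e["dstPort"], e["rule"], e["user"])
    print(blocked_sessions_by_source(SAMPLE_LINES))
```

The srcNAT/dstNAT values are kept as addresses as written; the page's example shows 0.0.0.0 for a blocked session, which this code does not reinterpret (whether 0.0.0.0 always means "no NAT applied" is not stated on the page).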