Describes the Syslog message format for Firewall logs with an example.
IETF Syslog Message Format (RFC 3164)
<%PRI%>%timegenerated% %HOSTNAME% %syslogtag%%msg%
The following is a sample syslog message.
<158>Dec 17 07:21:16 b1-edge1 velocloud.sdwan: ACTION=VCF Open FW_POLICY_NAME=test SID=0000012278 SEGMENT_NAME=Global Segment IN="IFNAME" PROTO=ICMP SRC=x.x.x.x DST=x.x.x.x DEST_NAME=Internet-via-gateway-3
The message has the following parts:
- Priority (PRI) - Facility * 8 + Severity: local3 (19) * 8 + info (6) = 158
- Date - Dec 17
- Time - 07:21:16
- Host Name - b1-edge1
- Syslog Tag - velocloud.sdwan
- Message - ACTION=VCF Open FW_POLICY_NAME=test SID=0000012278 SEGMENT_NAME=Global Segment IN="IFNAME" PROTO=ICMP SRC=x.x.x.x DST=x.x.x.x DEST_NAME=Internet-via-gateway-3
VMware supports the following Firewall log messages:
- With Stateful Firewall enabled:
  - Open - The traffic flow session has started.
  - Close - The traffic flow session has ended, either because the session timed out or because it was flushed through the Orchestrator.
  - Deny - The session matched a Deny rule; the Deny log message is emitted and the packet is dropped. For TCP, a Reset (RST) is sent to the source.
  - Update - For every ongoing session, an Update log message is emitted when the matching firewall rule is added or modified through the Orchestrator.
- With Stateful Firewall deactivated:
| Field | Description |
|---|---|
| FW_POLICY_NAME | The name of the firewall policy applied to the session. |
| SID | The unique identification number assigned to each session. |
| SVLAN | The VLAN ID of the source device. |
| DVLAN | The VLAN ID of the destination device. |
| SEGMENT_NAME | The name of the segment to which the session belongs. |
| IN | The name of the interface on which the first packet of the session was received. For packets received over the overlay, this field contains VPN. For any other packets (received through the underlay), it contains the name of the Edge interface. |
| PROTO | The IP protocol used by the session. The possible values are TCP, UDP, GRE, ESP, and ICMP. |
| SRC | The source IP address of the session in dotted decimal notation. |
| DST | The destination IP address of the session in dotted decimal notation. |
| SPT | The source port number of the session. This field is present only if the underlying transport is TCP or UDP. |
| DPT | The destination port number of the session. This field is present only if the underlying transport is TCP or UDP. |
| DEST_NAME | The name of the remote-end device of the session. The possible values are: |
| NAT_SRC | The source IP address used for source NAT (SNAT) of direct Internet traffic. |
| NAT_SPT | The source port used for port address translation (PAT) of direct Internet traffic. |
| APPLICATION | The application name assigned to the session by the DPI engine. This field is available only in Close log messages. |
| BYTES_SENT | The amount of data sent in the session, in bytes. This field is available only in Close log messages. |
| BYTES_RECEIVED | The amount of data received in the session, in bytes. This field is available only in Close log messages. |
| DURATION_SECS | The duration, in seconds, for which the session was active. This field is available only in Close log messages. |
| REASON | The reason for closure or denial of the session. The possible values are: |
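The following Python parser is an added example and is not part of VMware's documentation or product. It splits the RFC 3164 header into the parts listed above (deriving facility and severity from PRI), then parses the key=value body described in the field table, keeping multi-word values such as SEGMENT_NAME=Global Segment intact and stripping the quotes around IN="IFNAME". A second function checks the field rules the table states: the Close-only fields must appear only on Close messages, and SPT/DPT only when PROTO is TCP or UDP. The sample lines are constructed, not captured from a deployment; the addresses are placeholders, and the "VCF Close" ACTION text and the APPLICATION value in the second line are assumptions built from the page's field descriptions.

```python
"""Parse VMware SD-WAN firewall syslog lines: RFC 3164 header plus key=value body."""
import re
from datetime import datetime

# Constructed sample lines (not from a real deployment). The first mirrors the page's
# example with RFC 5737 placeholder addresses; the second is an assumed Close message
# assembled from the Close-only fields the page documents. The ACTION text "VCF Close"
# and the APPLICATION value are assumptions.
SAMPLE_LINES = [
    '<158>Dec 17 07:21:16 b1-edge1 velocloud.sdwan: ACTION=VCF Open FW_POLICY_NAME=test '
    'SID=0000012278 SEGMENT_NAME=Global Segment IN="IFNAME" PROTO=ICMP '
    'SRC=192.0.2.5 DST=198.51.100.9 DEST_NAME=Internet-via-gateway-3',
    '<158>Dec 17 07:23:40 b1-edge1 velocloud.sdwan: ACTION=VCF Close FW_POLICY_NAME=test '
    'SID=0000012279 SEGMENT_NAME=Global Segment IN=VPN PROTO=TCP '
    'SRC=192.0.2.7 DST=198.51.100.20 SPT=51514 DPT=443 DEST_NAME=b2-edge1 '
    'APPLICATION=HTTPS BYTES_SENT=5120 BYTES_RECEIVED=20480 DURATION_SECS=144',
]

# Facility codes 0-23 and severity codes 0-7 as defined in RFC 3164.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                            # PRI = facility * 8 + severity
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "  # BSD timestamp: no year, no zone
    r"(?P<host>\S+) "                                 # HOSTNAME
    r"(?P<tag>[^\s:]+):?\s"                           # syslog tag, trailing colon optional
    r"(?P<msg>.*)$"                                   # key=value body
)

# A new field starts at whitespace followed by an UPPER_CASE_KEY=; splitting only there
# keeps unquoted multi-word values such as SEGMENT_NAME=Global Segment in one piece.
FIELD_SPLIT_RE = re.compile(r"\s+(?=[A-Z][A-Z0-9_]*=)")

# Fields the page documents as available only in Close log messages.
CLOSE_ONLY = ("APPLICATION", "BYTES_SENT", "BYTES_RECEIVED", "DURATION_SECS")


def parse_kv(msg):
    """Turn the message body into a dict, dropping quotes around values like "IFNAME"."""
    fields = {}
    for piece in FIELD_SPLIT_RE.split(msg.strip()):
        key, _, value = piece.partition("=")
        fields[key] = value.strip('"')
    return fields


def parse_line(line, year=None):
    """Parse one syslog line into header parts plus the parsed key=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    # RFC 3164 timestamps carry no year; the caller must supply one (default: current year).
    year = year if year is not None else datetime.now().year
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "pri": pri,
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": ts,
        "host": m["host"],
        "tag": m["tag"],
        "fields": parse_kv(m["msg"]),
    }


def check_fields(fields):
    """Return a list of inconsistencies with the field rules stated in the documentation."""
    issues = []
    is_close = fields.get("ACTION", "").endswith("Close")
    for key in CLOSE_ONLY:
        if key in fields and not is_close:
            issues.append(f"{key} present on non-Close message")
        if key not in fields and is_close:
            issues.append(f"{key} missing on Close message")
    if fields.get("PROTO") not in ("TCP", "UDP"):
        for key in ("SPT", "DPT"):
            if key in fields:
                issues.append(f"{key} present but PROTO={fields.get('PROTO')} carries no ports")
    return issues


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line, year=2024)
        print(rec["facility"], rec["severity"], rec["host"], rec["fields"]["ACTION"],
              rec["fields"]["SRC"], "->", rec["fields"]["DST"], check_fields(rec["fields"]) or "ok")
```

Two caveats for anyone feeding these lines into a SIEM: the BSD timestamp has neither year nor time zone, so the collector must supply both (the `year` argument here), and the splitting rule assumes no value contains a token shaped like `UPPER_CASE=`; a DEST_NAME or FW_POLICY_NAME that did would be split into a bogus field, so policy and destination names are best kept free of `=`.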