Syslog Message Format for Firewall Logs

Describes the Syslog message format for Firewall logs with an example.

IETF Syslog Message Format (RFC 3164)

<%PRI%>%timegenerated% %HOSTNAME% %syslogtag%%msg

The following is a sample syslog message.

<158>Dec 17 07:21:16 b1-edge1 velocloud.sdwan: VCF Open xR6FveSQT220kZiTmoYJHA SID=12278 SEGMENT=0 IN="IFNAME" PROTO=ICMP SRC=x.x.x.x DST=x.x.x.x DEST_NAME=Internet-via-gateway-3

The message has the following parts:

Priority - Facility * 8 + Severity (local3 & info) - 158
Date - Dec 17
Time - 07:21:16
Host Name - b1-edge1
Syslog Tag - velocloud.sdwan
Message - VCF Open xR6FveSQT220kZiTmoYJHA SID=12278 SEGMENT=0 IN="IFNAME" PROTO=ICMP SRC=x.x.x.x DST=x.x.x.x DEST_NAME=Internet-via-gateway-3

VMware supports the following Firewall log messages:

With Stateful Firewall enabled:
- Open - The traffic flow session has started.
- Close - The traffic flow session has ended due to session timeout or the session is flushed through the Orchestrator.
- Deny - If the session matches the Deny rule, the Deny log message will appear and the packet will be dropped. In the case TCP, Reset will be sent to the Source.
- Update - For all the ongoing sessions, the Update log message will appear if the firewall rule is either added or modified through Orchestrator.
With Stateful Firewall disabled:
- Allow
- Deny

Table 1. Firewall Log Message Fields
Field	Description
SID	The unique identification number applied to each session.
SVLAN	The VLAN ID of the Source device.
DVLAN	The VLAN ID of the Destination device.
SEGMENT	The segment to which the session belongs to. The allowable range is from 0 through 255.
IN	The name of the interface on which the first packet of the session was received. In the case of overlay received packets, this field will contain VPN. For any other packets (received through underlay), this field will display the name of the interface in the edge.
PROTO	The type of IP protocol used by the session. The possible values are TCP, UDP, GRE, ESP, and ICMP.
SRC	The source IP address of the session in dotted decimal notation.
DST	The destination IP address of the session in dotted decimal notation.
SPT	The source port number of the session. This field is applicable only if the underlaying transport is UDP/TCP.
DPT	The destination port number of the session. This field is applicable only if the underlaying transport is UDP/TCP.
DEST_NAME	The name of the remote-end device of the session. The possible values are: CSS-Backhaul - For traffic which is destined to Cloud Security Service from edge. Internet-via-<`egress-iface-name`> - For Cloud traffic going directly from edge using business policy. Internet-BH-via-<`backhaul hub name`> - For Cloud-bound traffic going to Internet through Backhaul hub using business policy. <`Remote edge name`>-via-Hub - For VPN traffic flowing through Hub. <`Remote edge name`>-via-DE2E - For VPN traffic flowing between the edges through direct VCMP tunnel. <`Remote edge name`>-via-Gateway - For VPN traffic flowing through Cloud gateway. NVS-via-<`gateway name`> - For Non VMware SD-WAN Site traffic flowing through Cloud gateway. Internet-via-<`gateway name`> - For Internet traffic flowing through Cloud gateway.
NAT_SRC	The source IP address used for source natting the direct Internet traffic.
NAT_SPT	The source port used for patting the direct Internet traffic.
APPLICATION	The Application name to which the session was classified by DPI Engine. This field is available only for Close log messages.
BYTES_SENT	The amount of data sent in bytes in the session. This field is available only for Close log messages.
BYTES_RECEIVED	The amount of data received in bytes in the session. This field is available only for Close log messages.
DURATION_SECS	The duration for which the session has been active. This field is available only for Close log messages.
REASON	The reason for closure or denial of the session. The possible values are: State Violation Reset Purged Aged-out Fin-Received RST-Received Error This field is available for Close and Deny log messages.