This section describes the meanings of the fields in the various types of logs, based on FW patterns.
IPv4 session logs in syslog format
A syslog consists of two parts: the syslog header and the syslog content. The syslog header format can be { default [ timestamp { utc | local | none } ] | host-name | none }; the syslog content format can be default or mtn. Different combinations of header format and content format produce different syslogs. The length of a session log in syslog format is not fixed.

| Syslog header format | Syslog content format | Corresponding syslog |
|---|---|---|
| default timestamp local | Default | `<190>2016-01-08 10:21:48 USG6000E %%01SECLOG/6/SESSION_BUILT(l):IPVer=4,Protocol=udp,SourceIP=10.1.1.1, DestinationIP=10.1.1.2,SourcePort=1,DestinationPort=1,BeginTime=1452219708,SourceVpnID=0,DestinationVpnID=0.` |
| default timestamp utc | mtn | `<190> 2016-01-08 01:18:58 USG6000E %%01SECLOG/6/SESSION_BUILT(l): Built an udp session, 10.1.1.1:1 (trust) to 10.1.1.2:1 (trust).` |
| default timestamp utc | Default | `<190> 2016-01-08 02:23:46 USG6000E0 %%01SECLOG/6/SESSION_BUILT(l):IPVer=4,Protocol=udp,SourceIP=10.1.1.1, DestinationIP=10.1.1.2,SourcePort=1,DestinationPort=1,BeginTime=1452219827,SourceVpnID=0,DestinationVpnID=0.` |
| default timestamp none | Default | `<190>USG6000E %%01SECLOG/6/SESSION_BUILT(l):IPVer=4,Protocol=udp,SourceIP=10.1.1.1, DestinationIP=10.1.1.2,SourcePort=1,DestinationPort=1,BeginTime=1452219771,SourceVpnID=0,DestinationVpnID=0.` |
| host-name | Default | `<190>USG6000E %%: %%01SECLOG/6/SESSION_BUILT(l):IPVer=4,Protocol=udp,SourceIP=10.1.1.1, DestinationIP=10.1.1.2,SourcePort=1,DestinationPort=1,BeginTime=1452219583,SourceVpnID=0,DestinationVpnID=0.` |
| host-name | mtn | `<190>USG6000E %%: Built an udp session, 10.1.1.1:1 (trust) to 10.1.1.2:1 (trust).` |
| none | Default | `<190>%%: %%01SECLOG/6/SESSION_BUILT(l):IPVer=4,Protocol=udp,SourceIP=10.1.1.1, DestinationIP=10.1.1.2,SourcePort=1,DestinationPort=1,BeginTime=1452219482,SourceVpnID=0,DestinationVpnID=0.` |
| none | mtn | `<190>%%: Built an udp session, 10.1.1.1:1 (trust) to 10.1.1.2:1 (trust).` |

| Syslog header format | Syslog content format | Corresponding syslog |
|---|---|---|
| default timestamp local | Default | `<190>2016-01-08 10:21:57 USG6000E %%01SECLOG/6/SESSION_TEARDOWN(l):IPVer=4,Protocol=udp,SourceIP=10.1.1.1, DestinationIP=10.1.1.2,SourcePort=1,DestinationPort=1,BeginTime=1452219708,EndTime=1452219717,SendPkts=20, SendBytes=1720,RcvPkts=0,RcvBytes=0,SourceVpnID=0,DestinationVpnID=0.` |
| default timestamp utc | Default | `<190>2016-01-08 02:23:59 USG6000E %%01SECLOG/6/SESSION_TEARDOWN(l):IPVer=4,Protocol=udp,SourceIP=10.1.1.1, DestinationIP=10.1.1.2,SourcePort=1,DestinationPort=1,BeginTime=1452219827,EndTime=1452219840,SendPkts=20, SendBytes=1720,RcvPkts=0,RcvBytes=0,SourceVpnID=0,DestinationVpnID=0.` |
| default timestamp utc | mtn | `<190>2016-01-08 01:11:22 USG6000E %%01SECLOG/6/SESSION_TEARDOWN(l): Teardown an udp session,192.168.20.254:138 (trust) to 192.168.20.255:138 (trust), duration 100, rcv 0 bytes via 0 packets, send 1 bytes via 239 packets.` |
| default timestamp none | Default | `<190>USG6000E %%01SECLOG/6/SESSION_TEARDOWN(l):IPVer=4,Protocol=udp,SourceIP=10.1.1.1,DestinationIP=10.1.1.2, SourcePort=1,DestinationPort=1,BeginTime=1452219771,EndTime=1452219782,SendPkts=20, SendBytes=1720,RcvPkts=0,RcvBytes=0,SourceVpnID=0,DestinationVpnID=0.` |
| host-name | Default | `<190>USG6000E %%: %%01SECLOG/6/SESSION_TEARDOWN(l):IPVer=4,Protocol=udp,SourceIP=10.1.1.1, DestinationIP=10.1.1.2,SourcePort=1, DestinationPort=1,BeginTime=1452219583,EndTime=1452219595,SendPkts=20, SendBytes=1720,RcvPkts=0,RcvBytes=0,SourceVpnID=0,DestinationVpnID=0.` |
| host-name | mtn | `<190>USG6000E %%: Teardown an udp session, 10.1.1.1:1 (trust) to 10.1.1.2:1 (trust), duration 10, rcv 0 bytes via 0 packets, send 20 bytes via 1720 packets.` |
| none | Default | `<190>%%: %%01SECLOG/6/SESSION_TEARDOWN(l):IPVer=4,Protocol=udp,SourceIP=10.1.1.1,DestinationIP=10.1.1.2, SourcePort=1,DestinationPort=1,BeginTime=1452219482,EndTime=1452219497,SendPkts=20, SendBytes=1720,RcvPkts=0,RcvBytes=0,SourceVpnID=0,DestinationVpnID=0.` |
| none | mtn | `<190>%%: Teardown an udp session, 10.1.1.1:1 (trust) to 10.1.1.2:1 (trust), duration 15, rcv 0 bytes via 0 packets, send 20 bytes via 1720 packets.` |

In addition to the default format and MTN format, the template format is also supported. The template format is customized and not fixed.
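
A log collector has to accept every header and content combination shown above. The following Python parser is an added example, not code from the product documentation: it decodes the PRI value, treats the timestamp and host name as optional, and handles both default and mtn content. The function name `parse_session_log` and the output keys are assumptions, and BeginTime is read as Unix epoch seconds, which matches the header times in the samples.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address

# <PRI>, optional "YYYY-MM-DD hh:mm:ss", optional host name, then the "%%" marker.
HEADER = re.compile(r"^<(\d{1,3})>\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)?\s*([^%\s]*)\s*%%")
EVENT = re.compile(r"SECLOG/\d/(SESSION_\w+)\(l\):")
MTN = re.compile(
    r"(Built|Teardown) an (\w+) session,\s*(\S+):(\d+) \((\w+)\) to (\S+):(\d+) \((\w+)\)"
    r"(?:, duration (\d+),)?")

def parse_session_log(line):
    """Normalize one session syslog line into a dict; ValueError if malformed."""
    head = HEADER.match(line)
    if not head:
        raise ValueError("no syslog header")
    pri = int(head.group(1))
    rec = {"facility": pri >> 3, "severity": pri & 7,
           "header_time": head.group(2), "host": head.group(3) or None}
    body = line[head.end():]
    try:
        if "IPVer=" in body:                      # default content: key=value list
            pairs = body[body.index("IPVer="):].rstrip(". ").split(",")
            kv = dict(p.strip().split("=", 1) for p in pairs)
            rec.update(event=EVENT.search(body).group(1), proto=kv["Protocol"],
                       src=kv["SourceIP"], sport=int(kv["SourcePort"]),
                       dst=kv["DestinationIP"], dport=int(kv["DestinationPort"]),
                       begin_utc=datetime.fromtimestamp(int(kv["BeginTime"]), timezone.utc))
        else:                                     # mtn content: fixed sentence
            m = MTN.search(body)
            rec.update(event="SESSION_" + ("BUILT" if m.group(1) == "Built" else "TEARDOWN"),
                       proto=m.group(2), src=m.group(3), sport=int(m.group(4)),
                       src_zone=m.group(5), dst=m.group(6), dport=int(m.group(7)),
                       dst_zone=m.group(8), duration=m.group(9) and int(m.group(9)))
    except (KeyError, AttributeError) as exc:     # missing field or no pattern match
        raise ValueError("unrecognized session log content") from exc
    for key in ("src", "dst"):
        ip_address(rec[key])                      # raises ValueError on a bad address
    return rec

# Sample lines copied from the tables above.
BUILT_DEFAULT = ("<190>2016-01-08 10:21:48 USG6000E %%01SECLOG/6/SESSION_BUILT(l):IPVer=4,"
                 "Protocol=udp,SourceIP=10.1.1.1, DestinationIP=10.1.1.2,SourcePort=1,"
                 "DestinationPort=1,BeginTime=1452219708,SourceVpnID=0,DestinationVpnID=0.")
BUILT_MTN = "<190>%%: Built an udp session, 10.1.1.1:1 (trust) to 10.1.1.2:1 (trust)."
TEARDOWN_MTN = ("<190>2016-01-08 01:11:22 USG6000E %%01SECLOG/6/SESSION_TEARDOWN(l): Teardown an "
                "udp session,192.168.20.254:138 (trust) to 192.168.20.255:138 (trust), duration 100, "
                "rcv 0 bytes via 0 packets, send 1 bytes via 239 packets.")
```

Because the header timestamp may be local time, UTC, or absent depending on the configured header format, `begin_utc` is the safer value to correlate on when the default content format is in use.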
Port range logs in syslog format
When outputting port range logs, firewalls support the France Telecom format, China Telecom format, and China Unicom format. By default, log content is in France Telecom format. You can run the nat port-block syslog descriptive format { cn | unicom } command to change the format to China Telecom or China Unicom. Currently, the eLog can parse logs only in France Telecom format.
The following figure shows log information in France Telecom format. You can parse log content using packet capture tools such as Wireshark and learn meanings of the fields.

The following figure shows log information in China Telecom format. You can parse log content using packet capture tools such as Wireshark and learn meanings of the fields.

The following figure shows log information in China Unicom format. You can parse log content using packet capture tools such as Wireshark and learn meanings of the fields.

IPv4 netflow session logs
The following figure shows the IPv4 netflow session logs.

The following table describes meanings of the fields.

| Field | Length | Meaning | Description |
|---|---|---|---|
| Log Header | | | |
| 00 09 | 2 bytes | Version number of the netflow log packet | 0x09 |
| 00 02 | 2 bytes | Number of FlowSets in the packet | 1-20 |
| 00 98 1f 9c | 4 bytes | Packet generation time, that is, number of milliseconds since the system starts | 0-0xFFFFFFFF (host byte order) |
| 56 76 01 6f | 4 bytes | UTC time | 0-0xFFFFFFFF (host byte order) |
| 00 00 00 09 | 4 bytes | Sequence number of the output packet | 0-0xFFFFFFFF (host byte order) |
| 01 | 1 byte | Log packet type | 0x01 for netflow IPv4 session logs |
| 00 | 1 byte | Number of logs | 0 |
| 00 | 1 byte | Device type | 0 |
| 0b | 1 byte | Slot ID | Current CPU ID |
| Log Template | | | |
| 00 00 | 2 bytes | Template FlowSet ID | - |
| 00 58 | 2 bytes | Template FlowSet total length | - |
| 05 23 | 2 bytes | Template ID | - |
| 00 14 | 2 bytes | Number of record fields | - |
| 00 08 | 2 bytes | Field type: source IP address | 0x08 |
| 00 04 | 2 bytes | Source IP address length | - |
| 00 e1 | 2 bytes | Field type: source NAT IP address | 0xE1 |
| 00 04 | 2 bytes | Source NAT IP address length | - |
| 00 07 | 2 bytes | Field type: source port | 0x07 |
| 00 02 | 2 bytes | Source port length | - |
| 00 e3 | 2 bytes | Field type: source NAT port | 0xE7 |
| 00 02 | 2 bytes | Source NAT port length | - |
| 00 0c | 2 bytes | Field type: destination IP address | 0x0C |
| 00 04 | 2 bytes | Destination IP address length | - |
| 00 e2 | 2 bytes | Field type: destination NAT IP address | 0xE2 |
| 00 04 | 2 bytes | Destination NAT IP address length | - |
| 00 0b | 2 bytes | Field type: destination port | 0x0B |
| 00 02 | 2 bytes | Destination port length | - |
| 00 e4 | 2 bytes | Field type: destination NAT port | 0xE4 |
| 00 02 | 2 bytes | Destination NAT port length | - |
| 00 04 | 2 bytes | Field type: protocol number | 0x04 |
| 00 01 | 2 bytes | Protocol number length | - |
| 00 3d | 2 bytes | Field type: flow direction | 0x3D |
| 00 01 | 2 bytes | Flow direction length | - |
| 00 e6 | 2 bytes | Operation event | 0xE6 |
| 00 01 | 2 bytes | Operation event length | - |
| 00 e5 | 2 bytes | Session flow initiator | 0xE5 |
| 00 01 | 2 bytes | Session flow initiator length | - |
| 00 eb | 2 bytes | Source VRF index | 0xEB |
| 00 04 | 2 bytes | Source VRF index length | - |
| 00 ea | 2 bytes | Destination VRF index | 0xEA |
| 00 04 | 2 bytes | Destination VRF index length | - |
| 00 96 | 2 bytes | Flow creation time | 0x96 |
| 00 04 | 2 bytes | Flow creation time length | - |
| 00 97 | 2 bytes | Flow termination time | 0x97 |
| 00 04 | 2 bytes | Flow termination time length | - |
| 00 18 | 2 bytes | Number of sent packets | 0x18 |
| 00 04 | 2 bytes | Length of the number of sent packets | - |
| 00 17 | 2 bytes | Number of sent bytes | 0x17 |
| 00 04 | 2 bytes | Length of the number of sent bytes | - |
| 00 02 | 2 bytes | Number of received packets | 0x02 |
| 00 04 | 2 bytes | Length of the number of received packets | - |
| 00 01 | 2 bytes | Number of received bytes | 0x01 |
| 00 04 | 2 bytes | Length of the number of received bytes | - |
| 05 23 | 2 bytes | DataFlowSet ID | 0x0523 |
| 00 40 | 2 bytes | DataFlowSet total length | - |
| Log Content | | | |
| c0 a8 14 fe | 4 bytes | Source IP address | 0-0xFFFFFFFF (network byte order) |
| 00 00 00 00 | 4 bytes | Post-NAT source IP address | 0-0xFFFFFFFF (network byte order) |
| 00 8a | 2 bytes | Source port | The source port and post-NAT source port form a fixed combination and are displayed as "packet type" on the page. The value ranges from 0 to 0xFF (network byte order). |
| 00 00 | 2 bytes | Post-NAT source port | 0-0xFF (network byte order) |
| c0 a8 14 ff | 4 bytes | Destination IP address | 0-0xFFFFFFFF (network byte order) |
| 00 00 00 00 | 4 bytes | Post-NAT destination IP address | 0-0xFFFFFFFF (network byte order) |
| 00 8a | 2 bytes | Destination port | 0-0xFF (network byte order) |
| 00 00 | 2 bytes | Post-NAT destination port | 0-0xFF (network byte order) |
| 11 | 1 byte | Protocol ID | |
| 01 | 1 byte | Session flow direction | |
| 01 | 1 byte | Operation event | |
| 02 | 1 byte | Session flow initiator | |
| 00 00 00 00 | 4 bytes | Source VRF index ID | 0-0xFFFFFFFF (network byte order) |
| 00 00 00 00 | 4 bytes | Destination VRF index ID | 0-0xFFFFFFFF (network byte order) |
| 56 76 01 6f | 4 bytes | Start time | When a log is created, the value is set to the duration of the session. The actual session start time is the packet sending start time. |
| 00 00 00 00 | 4 bytes | End time | When a log is created, the end time is set to 0. The actual session end time is the packet sending start time plus ulStartTime. |
| 00 00 00 00 | 4 bytes | (Source IP address) Number of sent packets | 0-0xFFFFFFFF (network byte order) |
| 00 00 00 00 | 4 bytes | (Source IP address) Number of sent bytes | 0-0xFFFFFFFF (network byte order) |
| 00 00 00 00 | 4 bytes | (Source IP address) Number of received packets | 0-0xFFFFFFFF (network byte order) |
| 00 00 00 00 | 4 bytes | (Source IP address) Number of received bytes | 0-0xFFFFFFFF (network byte order) |

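
The layout above is template-driven: the Log Template lists (field type, length) pairs, and each record in the DataFlowSet is sliced by those lengths. The following Python decoder is an added example, not vendor code; it bounds-checks every declared length before use, since a collector should not trust the lengths a packet declares. It assumes big-endian byte order throughout (as the sample bytes show), one template per template FlowSet, and hypothetical output names; the sample packet is assembled from the Field column with the 20 template fields that "Number of record fields" (00 14) declares.

```python
import struct
from ipaddress import IPv4Address

# Field type -> name, from the Log Template rows (0xE3 is the "00 e3" field bytes).
NAMES = {0x08: "src_ip", 0xE1: "nat_src_ip", 0x07: "src_port", 0xE3: "nat_src_port",
         0x0C: "dst_ip", 0xE2: "nat_dst_ip", 0x0B: "dst_port", 0xE4: "nat_dst_port",
         0x04: "protocol", 0x3D: "direction", 0xE6: "event", 0xE5: "initiator",
         0xEB: "src_vrf", 0xEA: "dst_vrf", 0x96: "start", 0x97: "end",
         0x18: "sent_pkts", 0x17: "sent_bytes", 0x02: "rcv_pkts", 0x01: "rcv_bytes"}
IP_FIELDS = {0x08, 0xE1, 0x0C, 0xE2}

def decode(packet):
    """Return (header, records); raise ValueError on truncated or inconsistent input."""
    if len(packet) < 20:
        raise ValueError("truncated log header")
    keys = ("version", "flowsets", "uptime_ms", "utc", "sequence",
            "packet_type", "log_count", "device_type", "slot")
    header = dict(zip(keys, struct.unpack_from("!HHIIIBBBB", packet)))
    if header["version"] != 9:
        raise ValueError("not a version 9 packet")
    templates, records, off = {}, [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 8 or off + fs_len > len(packet):   # 4-byte header + 4 bytes of content
            raise ValueError("FlowSet length out of bounds")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                            # template FlowSet (one template assumed)
            tid, nfields = struct.unpack_from("!HH", body)
            if 4 + 4 * nfields > len(body):
                raise ValueError("template longer than its FlowSet")
            templates[tid] = [struct.unpack_from("!HH", body, 4 + 4 * i) for i in range(nfields)]
        elif fs_id in templates:                  # data FlowSet described by a known template
            size = sum(flen for _, flen in templates[fs_id])
            if size == 0:
                raise ValueError("zero-length record template")
            for pos in range(0, len(body) - size + 1, size):
                rec = {}
                for ftype, flen in templates[fs_id]:
                    raw, pos = body[pos:pos + flen], pos + flen
                    rec[NAMES.get(ftype, hex(ftype))] = (
                        str(IPv4Address(raw)) if ftype in IP_FIELDS else int.from_bytes(raw, "big"))
                records.append(rec)
        off += fs_len
    return header, records

# Sample packet assembled from the Field column of the table above.
HEADER_HEX = "0009 0002 00981f9c 5676016f 00000009 0100000b"
TEMPLATE_HEX = ("0000 0058 0523 0014 0008 0004 00e1 0004 0007 0002 00e3 0002 000c 0004 "
                "00e2 0004 000b 0002 00e4 0002 0004 0001 003d 0001 00e6 0001 00e5 0001 "
                "00eb 0004 00ea 0004 0096 0004 0097 0004 0018 0004 0017 0004 0002 0004 0001 0004")
DATA_HEX = ("0523 0040 c0a814fe 00000000 008a 0000 c0a814ff 00000000 008a 0000 "
            "11 01 01 02 00000000 00000000 5676016f 00000000" + " 00000000" * 4)
SAMPLE = bytes.fromhex(HEADER_HEX + TEMPLATE_HEX + DATA_HEX)
```

A data FlowSet whose ID has no template yet is skipped rather than guessed at, and field types missing from `NAMES` are reported under their hex type number.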
IPv6 NAT64 netflow session logs
The following figure shows IPv6 NAT64 & DS-Lite netflow session logs.

The following table describes meanings of the fields.

| Field | Length | Meaning | Description |
|---|---|---|---|
| Log Header | | | |
| 00 09 | 2 bytes | Version number of the netflow log packet | 0x09 |
| 00 02 | 2 bytes | Number of FlowSets in the packet | 1-20 |
| 0e 73 16 4d | 4 bytes | Packet generation time, that is, number of milliseconds since the system starts | 0-0xFFFFFFFF (host byte order) |
| 56 7d d9 68 | 4 bytes | UTC time | 0-0xFFFFFFFF (host byte order) |
| 00 00 02 40 | 4 bytes | Sequence number of the output packet | 0-0xFFFFFFFF (host byte order) |
| 02 | 1 byte | Log packet type | 0x01 for netflow IPv4 session logs |
| 00 | 1 byte | Number of logs | 0 |
| 00 | 1 byte | Device type | 0 |
| 0b | 1 byte | Slot ID | Current CPU ID |
| Log Template | | | |
| 00 00 | 2 bytes | Template FlowSet ID | - |
| 00 68 | 2 bytes | Template FlowSet total length | - |
| 05 24 | 2 bytes | Template ID | - |
| 00 18 | 2 bytes | Number of record fields | - |
| 00 08 | 2 bytes | Field type: source IP address | 0x08 |
| 00 04 | 2 bytes | Source IP address length | - |
| 00 e1 | 2 bytes | Field type: source NAT IP address | 0xE1 |
| 00 04 | 2 bytes | Source NAT IP address length | - |
| 00 07 | 2 bytes | Field type: source port | 0x07 |
| 00 02 | 2 bytes | Source port length | - |
| 00 e3 | 2 bytes | Field type: source NAT port | 0xE7 |
| 00 02 | 2 bytes | Source NAT port length | - |
| 00 0c | 2 bytes | Field type: destination IP address | 0x0C |
| 00 04 | 2 bytes | Destination IP address length | - |
| 00 e2 | 2 bytes | Field type: destination NAT IP address | 0xE2 |
| 00 04 | 2 bytes | Destination NAT IP address length | - |
| 00 0b | 2 bytes | Field type: destination port | 0x0B |
| 00 02 | 2 bytes | Destination port length | - |
| 00 e4 | 2 bytes | Field type: destination NAT port | 0xE4 |
| 00 02 | 2 bytes | Destination NAT port length | - |
| 00 04 | 2 bytes | Field type: protocol number | 0x04 |
| 00 01 | 2 bytes | Protocol number length | - |
| 00 3d | 2 bytes | Field type: flow direction | 0x3D |
| 00 01 | 2 bytes | Flow direction length | - |
| 00 e6 | 2 bytes | Operation event | 0xE6 |
| 00 01 | 2 bytes | Operation event length | - |
| 00 e5 | 2 bytes | Session flow initiator | 0xE5 |
| 00 01 | 2 bytes | Session flow initiator length | - |
| 00 eb | 2 bytes | Source VRF index | 0xEB |
| 00 04 | 2 bytes | Source VRF index length | - |
| 00 ea | 2 bytes | Destination VRF index | 0xEA |
| 00 04 | 2 bytes | Destination VRF index length | - |
| 00 1b | 2 bytes | Source IPv6 address | 0x1B |
| 00 10 | 2 bytes | Source IPv6 address length | - |
| 01 19 | 2 bytes | Source NAT IP address | 0x0119 |
| 00 10 | 2 bytes | Source NAT IP address length | - |
| 00 1c | 2 bytes | Destination IPv6 address | 0x1C |
| 00 10 | 2 bytes | Destination IPv6 address length | - |
| 01 1a | 2 bytes | Destination NAT IP address | 0x011A |
| 00 10 | 2 bytes | Destination NAT IP address length | - |
| 00 96 | 2 bytes | Flow creation time | 0x96 |
| 00 04 | 2 bytes | Flow creation time length | - |
| 00 97 | 2 bytes | Flow termination time | 0x97 |
| 00 04 | 2 bytes | Flow termination time length | - |
| 00 18 | 2 bytes | Number of sent packets | 0x18 |
| 00 04 | 2 bytes | Length of the number of sent packets | - |
| 00 17 | 2 bytes | Number of sent bytes | 0x17 |
| 00 04 | 2 bytes | Length of the number of sent bytes | - |
| 00 02 | 2 bytes | Number of received packets | 0x02 |
| 00 04 | 2 bytes | Length of the number of received packets | - |
| 00 01 | 2 bytes | Number of received bytes | 0x01 |
| 00 04 | 2 bytes | Length of the number of received bytes | - |
| 05 24 | 2 bytes | DataFlowSet ID | |
| 00 80 | 2 bytes | DataFlowSet total length | - |
| Log Content | | | |
| 00 00 00 00 | 4 bytes | Source IP address | 0-0xFFFFFFFF (network byte order) |
| c0 a8 00 05 | 4 bytes | Post-NAT source IP address | 0-0xFFFFFFFF (network byte order) |
| 00 01 | 2 bytes | Source port | The source port and post-NAT source port form a fixed combination and are displayed as "packet type" on the page. The value ranges from 0 to 0xFF (network byte order). |
| 00 01 | 2 bytes | Post-NAT source port | 0-0xFF (network byte order) |
| 00 00 00 00 | 4 bytes | Destination IP address | 0-0xFFFFFFFF (network byte order) |
| c0 a8 00 02 | 4 bytes | Post-NAT destination IP address | 0-0xFFFFFFFF (network byte order) |
| 00 01 | 2 bytes | Destination port | 0-0xFF (network byte order) |
| 00 01 | 2 bytes | Post-NAT destination port | 0-0xFF (network byte order) |
| 11 | 1 byte | Protocol ID | |
| 01 | 1 byte | Session flow direction | |
| 02 | 1 byte | Operation event | |
| 01 | 1 byte | Session flow initiator | |
| 00 00 00 00 | 4 bytes | Source VRF index ID | 0-0xFFFFFFFF (network byte order) |
| 00 00 00 00 | 4 bytes | Destination VRF index ID | 0-0xFFFFFFFF (network byte order) |
| 30 11 00 00 00 00 00 00 00 00 00 00 00 00 00 13 | 16 bytes | Source IPv6 address | - |
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 16 bytes | Post-NAT source IPv6 address | - |
| 80 00 00 00 00 00 00 00 00 c0 a8 00 02 00 00 00 | 16 bytes | Destination IPv6 address | - |
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 16 bytes | Post-NAT destination IPv6 address | - |
| 56 7d d9 1e | 4 bytes | Start time | When a log is created, the value is set to the duration of the session. The actual session start time is the packet sending start time. |
| 56 7d d9 68 | 4 bytes | End time | When a log is created, the end time is set to 0. The actual session end time is the packet sending start time plus the ulStartTime value. |
| 00 01 47 3e | 4 bytes | (Source IP address) Number of sent packets | 0-0xFFFFFFFF (network byte order) |
| 00 6d ee d4 | 4 bytes | (Source IP address) Number of sent bytes | 0-0xFFFFFFFF (network byte order) |
| 00 00 00 c8 | 4 bytes | (Source IP address) Number of received packets | 0-0xFFFFFFFF (network byte order) |
| 00 00 4b 00 | 4 bytes | (Source IP address) Number of received bytes | 0-0xFFFFFFFF (network byte order) |