
expression message

Function

The expression message command configures a content expression for session logs or URL session logs in the syslog format.

The undo expression message command cancels the configuration.

Format

expression message [ ipv6 ] content

undo expression message [ ipv6 ]

Parameters

Parameter: ipv6

Description: Defines the expression for IPv6 session logs in the syslog format.

  • If the IPv4 and IPv6 session logs share the same expression, you can run the command without ipv6 once.
  • If the IPv4 and IPv6 session logs use different expressions, you need to run the command without ipv6 to configure an expression for the IPv4 session logs and run the command with ipv6 for the IPv6 session logs.
  • When configuring an expression for a URL session log, ensure that the URL session log has the $httptype and $url fields.

Value: -

Parameter: content

Description: Specifies the content expression of session logs in the syslog format.

Value: The name is a string of case-sensitive characters and cannot contain question marks (?) or hyphens (-). If the name does not contain any space, the length ranges from 1 to 480 characters. If the name contains spaces, the length ranges from 3 to 482 characters, and you must use double quotation marks ("") to enclose it.

Views

Session log template view

Default Level

2: Configuration level

Usage Guidelines

Prerequisite

The expression message command is run in the session log template view. Therefore, before running the command, run the session-log template command to create a session log template and access the view of the template.

Usage Scenario

You can use the expression message command to define log contents. Based on the user-defined content expression in the template, the FW sends the contents of session logs in the syslog format or URL session logs to a log server.

The following table lists user-defined fields.
Table 1 User-defined fields

| Field Name | Description |
|---|---|
| $systime | System time |
| $hostname | Host name |
| $ipversion | IP version |
| $protocol | Protocol |
| $srcip | Source IP address |
| $srcport | Source port |
| $dstip | Destination IP address |
| $dstport | Destination port |
| $srcnatip | Source NAT IP address |
| $srcnatport | Source NAT port |
| $dstnatip | Destination NAT IP address |
| $dstnatport | Destination NAT port |
| $begintime | Start time |
| $endtime | End time. NOTE: Only session aging logs support the field. |
| $sendpackets | Number of sent packets |
| $sendbytes | Number of sent bytes |
| $rcvpackets | Number of received packets |
| $rcvbytes | Number of received bytes |
| $srcvpnID | Source VPN ID |
| $dstvpnID | Destination VPN ID |
| $secpolicy | Security policy |
| $user | User name. NOTE: Only session packets carrying a user name support the field. |
| $usrgroup | User group. NOTE: Only session packets carrying a user name support the field. |
| $srczone | Source zone |
| $dstzone | Destination zone |
| $vsys | Virtual system name |
| $closereason | Reason why a session is closed |
| $logtype | Log type. Session creation log: C; aged session log: D; periodic session log: P; URL session log: H |
| $duringtime | Duration, in milliseconds. Aged session logs and periodic session logs have the field. |
| $servicetype | User service type |
| $httptype | POST or GET type. NOTE: Only URL session logs have the field. |
| $application | Application name (configured in a security policy) that the session matches |
| $url | URL address. NOTE: Only URL session logs have the field. |

For example, if the expression message "$logtype ipver=$ipversion pro:$protocol source=$srcip:$srcport destination=$dstip:$dstport id1=$id1" command is run, the FW will automatically fill in the contents of a configurable field (such as $logtype) based on session information before sending a session log in the syslog format. The FW will send a session creation log based on the following contents:
c ipver=4 pro:udp source=4.4.4.1:10009 destination=4.4.4.2:20009

ipver= and pro: are configurable.

Because the content after expression message contains spaces, it must be enclosed in double quotation marks ("").
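On the log server, the same expression can drive the parser. The following Python code is an added example, not Huawei code: it checks an expression against the constraints stated on this page and compiles it into a regular expression that recovers the fields from a received message. The function names, the constructed IPv6 sample line, the reading that the 3 to 482 limit counts the two quotation marks, and the premise that field values contain no spaces are assumptions.

```python
import re

# Field names from Table 1 on this page.
FIELDS = set("""systime hostname ipversion protocol srcip srcport dstip dstport
srcnatip srcnatport dstnatip dstnatport begintime endtime sendpackets sendbytes
rcvpackets rcvbytes srcvpnID dstvpnID secpolicy user usrgroup srczone dstzone
vsys closereason logtype duringtime servicetype httptype application url""".split())
TOKEN = re.compile(r"\$(\w+)")

# Expression and creation-log line from this page (without the id1 part).
EXPR = ("$logtype ipver=$ipversion pro:$protocol "
        "source=$srcip:$srcport destination=$dstip:$dstport")
SAMPLE_V4 = "c ipver=4 pro:udp source=4.4.4.1:10009 destination=4.4.4.2:20009"
# Constructed IPv6 line: the address itself contains the ':' separator.
SAMPLE_V6 = "c ipver=6 pro:udp source=2001:db8::1:10009 destination=2001:db8::2:20009"

def lint_expression(expr, url_log=False):
    """Return the problems found in an unquoted content expression."""
    problems = []
    if re.search(r"[?-]", expr):
        problems.append("contains '?' or '-'")
    # Assumption: the 3 to 482 limit for quoted content counts the two quotes.
    if not 1 <= len(expr) <= 480:
        problems.append("length outside 1..480")
    names = TOKEN.findall(expr)
    problems += [f"unknown field ${n}" for n in names if n not in FIELDS]
    problems += [f"duplicate field ${n}" for n in sorted(set(names)) if names.count(n) > 1]
    if url_log:
        problems += [f"URL log lacks ${n}" for n in ("httptype", "url") if n not in names]
    return problems

def build_parser(expr):
    """Compile a regex that recovers the fields from a rendered log message."""
    problems = lint_expression(expr)
    if problems:
        raise ValueError(problems)
    parts = TOKEN.split(expr)  # literal, name, literal, name, ..., literal
    # Greedy \S+ makes "$srcip:$srcport" split at the last ':' (IPv6 safe).
    pattern = "".join(
        re.escape(p) if i % 2 == 0 else f"(?P<{p}>\\S+)"
        for i, p in enumerate(parts))
    return re.compile(pattern + r"\Z")

def parse(expr, message):
    """Return the field dict for a message, or None if it does not match."""
    m = build_parser(expr).match(message)
    return m.groupdict() if m else None

if __name__ == "__main__":
    print(parse(EXPR, SAMPLE_V6))
```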

Follow-up Procedure

Run the firewall log syslog content format template or firewall log session url-log template command to reference the configured template.

Example

# Configure a content expression for session logs in the syslog format in the session log template view.

<sysname> system-view
[sysname] session-log template test type syslog
[sysname-syslog-template-test] expression message "$logtype ipver=$ipversion pro:$protocol source=$srcip:$srcport "
Copyright © Huawei Technologies Co., Ltd.