Exportable Firewall and Layer 2 Firewall log entry fields
Firewall and Layer 2 Firewall log entry fields are described in the following table. Because the fields are exportable, the table includes the syslog export field.
| Field | Syslog export field | Description |
|---|---|---|
| Acknowledged | ACK | Acknowledged alert. |
| Action | ACTION | Action of the rule that triggered the log event. The action values are Allow, Discard, Refuse, Terminate, Wait for further actions, and Wait for authentication. |
| Alert Type | ALERT | Type of alert. |
| Auth. Rule Tag | AUTH_RULE_ID | Rule number of the rule that triggered the log event. |
| Auth. User | AUTH_NAME | User name of the authorized user related to this event. |
| Bytes Rcvd | ACC_RX_BYTES | Number of bytes received during the connection. |
| Bytes Sent | ACC_TX_BYTES | Number of bytes sent during the connection. The number of bytes sent is counted when accounting entries are created. |
| Component ID | COMP_ID | The identifier of the creator of the log entry. |
| Creation Time | TIMESTAMP | Log entry creation time. |
| C-tag | VLAN_C_TAG | Customer tag in double-tagged VLAN traffic. |
| Data Identifier | LOG_ID | Data Identifier of the log entry. |
| DSCP Mark | DSCP_MARK | The DSCP Mark associated with the traffic that triggered the log event. |
| Dst Addr | DST | Packet destination IP address. |
| Dst Port | Dport | TCP or UDP destination port in the packet header. |
| Elapsed Time | ACC_ELAPSED | Elapsed time of the connection in seconds. The elapsed time is recorded when accounting entries are created at the time of connection closing. |
| Event | EVENT | The event that triggered the log creation, for example, New connection, Connection closed, Connection discarded. |
| Event ID | EVENT_ID | Event identifier, unique within one sender. |
| Facility | FACILITY | Firewall subsystem that generated the log event. |
| FP situation | FP_SITUATION | Situation identifier of a matching fingerprint. |
| ICMP code | ICMP_CODE | ICMP code field. ICMP code provides further information about message type (for example, network unreachable). For more information, see RFC 792 and RFC 950. |
| ICMP ID | ICMP_ID | The ICMP identifier recorded by the engine when ICMP packets pass through the firewall. The ICMP identifier can be used by the echo sender to aid in matching the replies with the echo requests. For example, the identifier might be used like a port in TCP or UDP to identify a session. For more information about ICMP ID and the ICMP protocol, see RFC 792 and RFC 950. |
| ICMP Type | ICMP_TYPE | The ICMP type attribute ecorded by the engine when ICMP packets pass through the firewall. |
| IKE Cookie | IKE_COOKIE | IKE Cookie used in the VPN negotiation. |
| Information message | INFO_MSG | A description of the log event that further explains the entry. |
| IPsec SPI | IPSEC_SSPI | The IPsec Security Parameter Index (SPI) is the connection identifier of the IPsec connection. The IPsec SPI value is displayed as a hexadecimal number. |
| NAT Dst | NAT_DST | Translated packet destination IP address. |
| NAT Dst Port | NAT_DPORT | Translated packet destination protocol port. |
| Nat Rule Tag | NAT_RULE_ID | The rule number of the NAT rule that triggered the log event. |
| NAT Src | NAT_SRC | Translated packet source IP address. |
| NAT Src Port | NAT_SPORT | Translated packet source protocol port. |
| Priority | QOS_PRIORITY | The priority assigned to the traffic according to the QoS policy. |
| Protocol | PROTOCOL | Connection IP protocol. |
| Protocol Agent | SRVHELPER_ID | Protocol Agent numeric ID code. |
| QoS Class | QOS_CLASS | The Quality of Service class assigned to the traffic according to the QoS policy. |
| Reception time | RECEPTION_TIME | Time when the Log Server received the entry. |
| Round trip | RTT | Round-trip time for outbound Multi-Link link testing. Time indicated is from sending queries to the first reply. The unit is 0.01 seconds. |
| Rule Tag | RULE_ID | Rule tag of the rule that triggered the log event. |
| Sender | NODE_ID | IP address of the engine or server that sent the log entry. |
| Sender type | SENDER_TYPE | The type of engine or server that sent the log entry. |
| Service | SERVICE | Special field for filtering logs using the defined services. Does not appear in the log entry table. |
| Severity | ALERT_SEVERITY | Severity of the situation related to the log event. |
| Situation | SITUATION | The identifier of the situation that triggered the log event. |
| Src Addr | SRC | Packet source IP address. |
| Src IF | Srcif | Defined source interface number for the firewall cluster. |
| Src Port | Sport | TCP or UDP source port in the packet header. |
| Src VLAN | SRC_VLAN | The source VLAN ID number (up to 4095). |
| S-tag | VLAN_S_TAG | Service provider tag in double-tagged VLAN traffic. |
| Syslog | SYSLOG_TYPE | Syslog is a system service used in some operating systems, for example, UNIX, and software packages. For more information about syslog and syslog types, see RFC 3164. |
| Type | TYPE | Log entry severity type. |