
Is there an official UTM logfile schema description?

Hello community,

I am looking for a log file description for SG (and XG) firewalls. A lot of logs do have an id="xxxs" field, for example:

<30>2021:03:11-22:26:42 gateway ulogd[7988]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="24" initf="eth1" outitf="tun0" srcmac="de:22:b1:44:81:ef" dstmac="ee:3b:61:f4:3f:41" srcip="192.168.22.97" dstip="10.238.2.4" proto="1" length="84" tos="0x00" prec="0x00" ttl="62" type="8" code="0"

Can anybody refer me to a KB or document that describes the log files, especially the meaning of the "id" field?

Regards,

Daniel

 



  • FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    The "id=" field in a log event indicates the message ID for a specific log component.

    Refer to the article below for more information on "Firewall Log Format".

    support.sophos.com/.../KB-000037366

  • Hi Yash,

    thank you for your response. I've seen that KB, but I thought this was only valid for CR / XG (it starts with the statement "Log ID is a Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11c12) e.g. 0101011, 0102011" - that's not true for SG logs). But I've realized that the table "Message ID" might be what I am looking for.

    But that only matches the packetfilter.log. The Proxy Log has IDs like this one:

    <142>2021:03:12-07:28:08 gateway httpd: id="0299" srcip="xxxxxxxxxxxxx" localip="xxxxxxxxxxxx" size="55886" user="-" host="xxxxxxxxxxxxxxxx" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="114159" url="/" server="xxxxxxxxx" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="xxxxxxxxxxxxxxxxxx"

    I could not find ID 0299 in the KB doc. Can you help me on this, too?

    Regards,

    Daniel

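To make the two line shapes quoted in this thread (the ulogd packet-filter line in the opening question and the httpd line above) concrete, here is an added Python example. It is my own code, not Sophos code and not taken from the KB article: it splits the syslog PRI, the UTM timestamp, the host and the `daemon[pid]:` prefix, then parses the `key="value"` body, mapping the "-" placeholder to `None` while keeping an empty value such as `query=""` distinct. It also builds a per-daemon inventory of the `id` values seen, which is how you can assemble your own message-ID table when no official schema covers a given log. The sample lines are constructed from the two quoted in the thread, with the masked addresses replaced by RFC 5737 documentation addresses and a made-up `uid`.

```python
"""Parser for Sophos UTM (SG) syslog lines in key="value" form.

Added example, not Sophos code.  Handles the two shapes quoted in the thread:
ulogd packet-filter lines (daemon name followed by [pid]) and httpd lines
(daemon name without a pid).
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input modelled on the thread's two lines.  The masked
# values from the post are replaced with documentation addresses / a fake uid.
SAMPLE_LINES = [
    '<30>2021:03:11-22:26:42 gateway ulogd[7988]: id="2002" severity="info" '
    'sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" '
    'fwrule="24" initf="eth1" outitf="tun0" srcmac="de:22:b1:44:81:ef" '
    'dstmac="ee:3b:61:f4:3f:41" srcip="192.168.22.97" dstip="10.238.2.4" '
    'proto="1" length="84" tos="0x00" prec="0x00" ttl="62" type="8" code="0"',
    '<142>2021:03:12-07:28:08 gateway httpd: id="0299" srcip="198.51.100.7" '
    'localip="203.0.113.10" size="55886" user="-" host="www.example.com" '
    'method="GET" statuscode="200" reason="-" extra="-" exceptions="-" '
    'time="114159" url="/" server="www.example.com" port="443" query="" '
    'referer="-" cookie="-" set-cookie="-" websocket_scheme="-" '
    'websocket_protocol="-" websocket_key="-" websocket_version="-" '
    'uid="0123456789abcdef"',
]

HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'                              # syslog PRI (<30>, <142>)
    r'(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) '      # UTM timestamp YYYY:MM:DD-HH:MM:SS
    r'(?P<host>\S+) '                                   # hostname
    r'(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: '        # daemon or daemon[pid], then ": "
    r'(?P<body>.*)$'
)
# Keys may contain "-" (set-cookie) and "_" (websocket_scheme); values may
# contain spaces (name="Packet accepted") but no embedded double quotes.
KV_RE = re.compile(r'(?P<key>[A-Za-z0-9_-]+)="(?P<val>[^"]*)"')


def parse_utm_line(line):
    """Parse one UTM syslog line into a dict; raise ValueError if the
    header does not have the expected shape."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a UTM syslog line: {line[:40]!r}")
    pri = int(m.group("pri"))
    body = m.group("body")
    fields = {}
    for kv in KV_RE.finditer(body):
        val = kv.group("val")
        # UTM writes "-" for "not applicable"; keep "" (query="") distinct.
        fields[kv.group("key")] = None if val == "-" else val
    return {
        "facility": pri >> 3,        # 30 -> 3 (daemon), 142 -> 17 (local1)
        "severity": pri & 7,         # 6 == informational for both samples
        "timestamp": datetime.strptime(m.group("ts"), "%Y:%m:%d-%H:%M:%S"),
        "host": m.group("host"),
        "program": m.group("prog"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "fields": fields,
        # Anything in the body that did not fit key="value" is kept so a
        # parser change in a future firmware does not silently drop data.
        "unparsed": KV_RE.sub("", body).strip(),
    }


def parse_many(lines):
    """Parse a batch of lines; malformed ones are returned separately."""
    records, rejected = [], []
    for line in lines:
        try:
            records.append(parse_utm_line(line))
        except ValueError:
            rejected.append(line)
    return records, rejected


def inventory_ids(records):
    """Group records by (program, id).  The 'name' field, when a daemon emits
    one, is that daemon's own description of the id; httpd does not emit it,
    so its ids have to be described from the other fields."""
    inv = defaultdict(lambda: {"count": 0, "names": set()})
    for rec in records:
        msg_id = rec["fields"].get("id")
        if msg_id is None:
            continue
        entry = inv[(rec["program"], msg_id)]
        entry["count"] += 1
        name = rec["fields"].get("name")
        if name:
            entry["names"].add(name)
    return dict(inv)


if __name__ == "__main__":
    recs, bad = parse_many(SAMPLE_LINES + ["not a utm line"])
    for (prog, msg_id), entry in sorted(inventory_ids(recs).items()):
        print(f"{prog:6} id={msg_id} count={entry['count']} "
              f"names={sorted(entry['names'])}")
    print("rejected lines:", len(bad))
```

Run it as a script to see the id inventory for the two sample lines; to use it on a real packetfilter.log or http.log, pass the file's lines to `parse_many` and check `rejected` and each record's `unparsed` field before trusting the counts.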

  • Hello Daniel,

    Yeah, that Cyberoam documentation isn't very helpful for UTM.  The line you're showing isn't from Web Filtering, it's from the HTTP daemon log and I don't think I've ever seen a guide for that log.  I couldn't find a link to this old 2012 guide.  Here it is, but it doesn't cover the HTTP daemon.
    Logfile_Guide-2012-09.pdf

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA