Log Export File Format

The Ingate Firewall® and SIParator® can currently export logs in three formats: WELF, commaseparated and tabseparated. The WELF format is documented at Webtrends.

The commaseparated and tabseparated formats are basically the same. Only the separator character differs.

This document specifies the export formats used by Ingate Firewall/SIParator® 2.4.0-3.0.2. It is exptected that future versions of Ingate products will log new types of events. The new events will be given a new event code.

Ingate Systems will try to avoid changing the format of logged events, but we may do so, for instance to allow more information to be logged. If that happens, the new format of the event will be given a new event code, so that log parsing utilities can distinguish between the old and the new log format.

Log file structure

Each event in the log is stored as a single line of text. Each line is terminated by a single linefeed (0x0A). The charset is ISO 8859-1 (also known as Latin1).

Each event contains several fields, separated by the separator (tab (0x09) or comma (",", 0x2C)). The first field is an event code that determines the type of the event, such as "an IP packet was received" or "the clock was set by the operator". All event codes are documented below, together with information about the fields that accompanies them.

The backslash character ("\", 0x5C) is used to quote the separator if it occurs inside a field. It is also used to quote a backslash.

The following example illustrates the syntax of the log files when comma is used as the separator:

DEMO,2000-03-03 18:13:27,Testing\, testing,y\\x

This event is logged with four fields:

  • DEMO is the event code.
  • 2000-03-03 18:13:29 is the second field. Most events store the time in the second field, but see CLKSET for an exception.
  • The third field has the value Testing, testing. Note the embedded comma.
  • The fourth and final field has the value y\x. Note that the backslash is quoted.

The fields never contain control characters.

Timestamps

All timestamps are logged in a common format: YYYY-mm-dd HH:MM:SS. Example: one minute past 3 PM, December 24, 1997 would be logged as 1997-12-24 15:01:00.

YYYY The year, with four digits.
mm The month, with two digits. January is 01, and December is 12.
dd The day of month, with two digits. 01-31.
HH The hour, with two digits. 00-23.
MM The minute, with two digits. 00-59.
SS The seconds, with two digits. Normally 00-59, but leap seconds may extend the range to 00-60.

The IP event type

The IP event type is used for logged IP packets. It has several fields:

event code
The code field is set to IP.
timestamp
The timestamp (see above).
protocol
The IP protocol. This can be one of the strings TCP, UDP, ICMP, IGMP, IPIP, GRE, ESP, AH, SKIP, or a decimal number.
source interface
The name of the source interface, such as eth0 or ipsec1. May be empty.
source IP address
The source IP number, such as 10.0.3.4.
source port
The source port number, such as 53. Only used for TCP and UDP packets; blank otherwise.
destination interface
The name of the destination interface, such as eth0 or ipsec1. May be empty.
destination IP address
The destination IP number, such as 10.0.3.4.
destination port
The destination port number, such as 53. Only used for TCP and UDP packets; blank otherwise.
icmp_type
The ICMP type field, such as 8. Only used for ICMP and IGMP packets; blank otherwise.
icmp_code
The ICMP code field, such as 0. Only used for ICMP and IGMP packets; blank otherwise.
tcp_flags
The TCP flags, as a string. This string consists of one character for each TCP flag that is set:
character TCP flag
S SYN
A ACK
U URG
P PUSH
F FIN
R RST

If no flags was set, or if the packet was not a TCP packet, the field is blank.

action
The action that was taken for this packet. The content of this field is language-dependent.
Blacklisted (discarded) Svartlistat (kastat)
Discarded Kastat
Blacklisted (rejected) Svartlistat (spärrat)
Rejected Spärrat
Accepted Framsläppta
NATed NATat

More actions may be added in the future.

Text message
There may be an additional text message in some rare cases.

The VPN event type

When the status of a VPN tunnel changes, a message of this type is logged.

event code
The code field is set to VPN.
timestamp
The timestamp (see above).
event type
The event type, which is language-dependent:
ISAKMP SA established ISAKMP SA etablerad
ISAKMP SA replaced ISAKMP SA utbytt
ISAKMP SA expired ISAKMP SA uttjänt
ISAKMP SA failed ISAKMP SA misslyckades
Peer uknown Okänd motpart
IPsec SA established IPsec SA etablerad
IPsec SA replaced IPsec SA utbytt
IPsec SA expired IPsec SA expired
IPsec SA failed IPsec SA misslyckades
Unknown connection Okänd uppkoppling

More event types may be added in the future.

Local security gateway
The IP number of the local security gateway (that is, one of the IP numbers of the Ingate Firewall/SIParator® that generates this log).
Local identity
This may be an IP address or a string, depending on how the tunnel is configured.
Local network
The local network that is tunneled through this tunnel, as an network address and a netmask. Example: 10.41.0.0/16. This field is blank for ISAKMP SA events.
Remote security gateway
The IP number of the remote security gateway.
Remote identity
The remote identity, if known.
Remote network
The remote network that is tunneled through this tunnel, as an network address and a netmask. This field is blank for ISAKMP SA events.

The TXT event type

The TXT event is a catch-all for various events that log a text message.

event code
The code field is set to TXT.
timestamp
The timestamp (see above).
category
The category is a string that categorizes the message. The current categories are:
CFG/AUTH Messages regarding authentication of accesses to the configuration server.
DHCP/CLIENT Messages from the built-in DHCP client about leases.
HARDWARE/FAN/CPU Messages regarding the CPU fan.
HARDWARE/FAN/FRONT Messages regarding the front (or chassis) fan.
HARDWARE/FAN/PS Messages regarding the power-supply fan.
MAIL/ALERT Messages regarding mail delivery problems.
RADIUS/ERROR Messages regarding problems with RADIUS servers, such as no or broken responses (but not broken passwords or wrong Service-Type attribute).
SIP/ERRORS Error messages regarding the SIP functions.
SIP/MESSAGE SIP messages (the entire contents).
SIP/SIGNALING The first line of a SIP message or the first packet of a media stream.
SIP/VERBOSE Messages regarding the SIP functionality (debug messages, etc).
SNMP/AGENT Messages from the SNMP agent of the firewall/SIParator®.
VPN/BLACKLIST A VPN client was blacklisted, or is no longer blacklisted.
VPN/PLUTO Messages from the Pluto subsystem, which handles IKE key negotiations.
VPN/USERAUTH Messages generated when a road warrior VPN user authenticates himself (currently with the aid of a RADIUS server).

More categories may be added in the future.

facility
The syslog facility. This is only useful for some categories.
priority
The syslog priority of the message.
progname
The name of the program that logged this message.
message
The message itself.

The TXT- event type

The TXT- event is an extension to the TXT event type. TXT- indicates that the next line is part of the same log message as the current one. In all other respects, it is the same as the TXT event type.

The CLKSET event type

The CLKSET event is generated when the time is changed.

event code
The code field is set to CLKSET.
old timestamp
The timestamp before the clock change.
new timestamp
The timestamp after the clock change.

The CFGSET event type

event code
The code field is set to CFGSET.
timestamp
The timestamp.
reason
The reason for the configuration change. This field is language-dependent:
Restart Omstart
Effectuate (trialrun) Drifttagning (provdrift)
Effectuate (finalize) Drifttagning (permanent)
Effectuate (timecontrol) Drifttagning (tidskontroll)
Effectuate (cancellation) Drifttagning (återgång)
Effectuate (reload) Drifttagning (omladdning)
Effectuate (VPN update) Drifttagning (VPN-uppdatering)

More reasons may be added in the future.

 Support?  |  Helpdesk!  
 Rissneleden 45 SE-174 44 Sundbyberg Sweden  |  info@ingate.com  |  Contact us  |  Home  
  How Ingate uses cookies