Stormshield Network Security
Description
Constructor: Stormshield
Product: Network Security
Log type(s): web
Log sample
id=firewall time="2017-02-03 12:02:22" fw="THSDC1IN" tz=+0000 startime="2017-02-03 12:02:22" pri=5 confid=00 slotlevel=2 ruleid=17 srcif="Ethernet4" srcifname="eth2" ipproto=tcp dstif="Ethernet6" dstifname="eth4" proto=https src=1.1.242.2 srcport=30178 srcportname=ephemeral_fw_tcp srcname=H_1.1.242.2 dst=1.1.197.105 dstport=443 dstportname=https ipv=4 action=pass logtype="filter"
id=firewall time="2017-02-03 12:21:51" fw="THS" tz=+0000 startime="2017-02-03 12:21:50" pri=4 confid=00 srcif="Ethernet6" srcifname="eth4" ipproto=icmp icmptype=3 icmpcode=10 proto=icmp src=1.1.4.12 srcmac=00:00:00:19:77:c0 dst=1.1.144.229 dstname=Firewall_eth4 ipv=4 action=block msg="Message ICMP invalide (out of TCP sequence)" class=protocol classification=0 alarmid=67 logtype="alarm"
Parsing explanation
Parsing process abstract
- The kv() operator is applied to the line.
- Each tmp:[kv][field_name] is bound to a normalized field.
Note: for [logtype] fields, there is a direct normalization with the type field:
- ,
- ,
- ,
- ,
- ,
- .
Normalization | Key in log
---|---
[alarm][id] | tmp:[kv][alarmid]
[alarm][sev] |
[init][host][ip] |
[init][host][mac] |
[init][usr][name] |
[target][host][ip] |
[target][host][port] |
[target][host][if] |
[action] |
[app][name] |
[app][return][code] |
[app][name] |
[app][method] |
[rule][id] |

Other key in log: tmp:[kv][srcifname].
[alcatel]: tuple that is used to save any other data specific to: [msg], [pri], [fw], [src], [user], [dst], [dstport], [dstportname], [error], [service], [method].
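A worked version of the kv() step and the tmp:[kv] binding described above, added here as an example and not the parser from this page or from Stormshield. It keeps quoted values containing spaces and parentheses intact, binds logtype to type and alarmid to [alarm][id] as the page states, and the remaining bindings (src, srcmac, dst, dstport, action, ruleid) are assumptions matched to the normalized names in the table.

```python
import re
from typing import Dict

# Constructed copies of the two sample lines on this page (one "filter" log, one "alarm" log).
FILTER_LINE = ('id=firewall time="2017-02-03 12:02:22" fw="THSDC1IN" tz=+0000 startime="2017-02-03 12:02:22" '
               'pri=5 confid=00 slotlevel=2 ruleid=17 srcif="Ethernet4" srcifname="eth2" ipproto=tcp '
               'dstif="Ethernet6" dstifname="eth4" proto=https src=1.1.242.2 srcport=30178 '
               'srcportname=ephemeral_fw_tcp srcname=H_1.1.242.2 dst=1.1.197.105 dstport=443 '
               'dstportname=https ipv=4 action=pass logtype="filter"')
ALARM_LINE = ('id=firewall time="2017-02-03 12:21:51" fw="THS" tz=+0000 startime="2017-02-03 12:21:50" pri=4 '
              'confid=00 srcif="Ethernet6" srcifname="eth4" ipproto=icmp icmptype=3 icmpcode=10 proto=icmp '
              'src=1.1.4.12 srcmac=00:00:00:19:77:c0 dst=1.1.144.229 dstname=Firewall_eth4 ipv=4 action=block '
              'msg="Message ICMP invalide (out of TCP sequence)" class=protocol classification=0 alarmid=67 '
              'logtype="alarm"')

# One key=value token: a quoted value may contain spaces, parentheses and \" escapes;
# an unquoted value runs to the next whitespace (so "+0000" and a MAC address stay whole).
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def kv(line: str) -> Dict[str, str]:
    """The kv() step: split a Stormshield line into its raw key/value pairs."""
    fields = {}
    for key, value in _TOKEN.findall(line):
        if value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value  # a repeated key keeps its last value
    return fields

# tmp:[kv][key] -> normalized field path. logtype and alarmid follow the page;
# the other rows are assumptions chosen to match the listed normalized names.
BINDINGS = {
    ("type",): "logtype",
    ("alarm", "id"): "alarmid",
    ("init", "host", "ip"): "src",          # assumed
    ("init", "host", "mac"): "srcmac",      # assumed
    ("target", "host", "ip"): "dst",        # assumed
    ("target", "host", "port"): "dstport",  # assumed
    ("action",): "action",                  # assumed
    ("rule", "id"): "ruleid",               # assumed
}

def normalize(line: str) -> dict:
    """Parse one line and bind the raw keys that are present to normalized fields."""
    raw = kv(line)
    out: dict = {}
    for path, key in BINDINGS.items():
        if key not in raw:
            continue  # keys absent from this log type (e.g. ruleid on an alarm) are not emitted
        node = out
        for part in path[:-1]:
            node = node.setdefault(part, {})
        node[path[-1]] = raw[key]
    return out
```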