
Constructor: Arkoon

Product: Firewall

Log type(s): FW, IDS

Theoretical injector performance

14318 EPS

Log sample

IP-Logs: AKLOG - id=firewall time="2017-04-24 13:50:01" gmtime=1493034601 fw=AA-BB-C-1.corp pri=6 aktype=IP ip_log_type=ENDCONN src= dst= proto="domain" protocol=17 port_src=57551 port_dest=53 intf_in= intf_out= nat=NO snat_addr=0 snat_port=0 dnat_addr=0 dnat_port=0 sent=143 rcvd=40 end_reason="End of connection"
IP-Logs: AKLOG - id=firewall time="2015-11-17 10:43:29" gmtime=1447753409 pri=6 aktype=IP ip_log_type=ENDCONN src= dst= proto="https" protocol=6 port_src=42 port_dest=43 intf_in= intf_out= nat=HIDE snat_addr= snat_port=31 dnat_addr=0 dnat_port=0 sent=534 rcvd=4299 end_reason="Closed by Client"
Alerts: AKLOG - id=firewall time="2015-11-17 10:46:02" gmtime=1447753562 pri=2 aktype=ALERT alert_type="Blocked by filter" user="" alert_level="Medium" alert_desc="PROTO:112 from to [Default deny on input]"
Alerts: AKLOG - id=firewall time="2015-11-17 10:45:58" gmtime=1447753558 pri=2 aktype=ALERT alert_type="Unsequenced packet" user="" alert_level="Medium" alert_desc="Unsequenced TCP packet from to"

Parsing strategy

  1. Check and remove the log type (e.g. 'IP-Logs: ')
  2. Check and remove the header 'AKLOG - '
  3. Apply the key-value operator to the main log payload
  4. Remove useless KV fields (such as empty ones or containing the value )
  5. Do the binding to normalized fields
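The five steps above, carried out over the page's own sample lines as an added example (this is not the parser's code; the `arkoon.*` namespace, the ECS-style target names in `FIELD_BINDINGS`, and the choice of which fields are cast to integers are assumptions made for the example). The key-value regex accepts double-quoted values containing spaces, such as `alert_desc="PROTO:112 from to [...]"`, as well as unquoted and empty values, so that step 4 can drop the empty `src=`/`dst=`/`user=""` fields instead of producing empty strings.

```python
import re
from datetime import datetime, timezone

# Constructed input: two of the sample lines shown on this page
SAMPLE_LOGS = [
    'IP-Logs: AKLOG - id=firewall time="2017-04-24 13:50:01" gmtime=1493034601 '
    'fw=AA-BB-C-1.corp pri=6 aktype=IP ip_log_type=ENDCONN src= dst= proto="domain" '
    'protocol=17 port_src=57551 port_dest=53 intf_in= intf_out= nat=NO snat_addr=0 '
    'snat_port=0 dnat_addr=0 dnat_port=0 sent=143 rcvd=40 end_reason="End of connection"',
    'Alerts: AKLOG - id=firewall time="2015-11-17 10:46:02" gmtime=1447753562 pri=2 '
    'aktype=ALERT alert_type="Blocked by filter" user="" alert_level="Medium" '
    'alert_desc="PROTO:112 from to [Default deny on input]"',
]

# Step 1: the log-type prefixes seen in the samples
LOG_TYPES = ("IP-Logs: ", "Alerts: ")
# Step 2: fixed header that follows the log type
HEADER = "AKLOG - "
# Step 3: key=value pairs; a value is either double-quoted (may contain spaces)
# or an unquoted run of non-blank characters, which may be empty (src=)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
# Step 4: values that make a field useless. The page drops empty values and one
# further sentinel value that is not readable in this copy; extend the set if known.
USELESS_VALUES = {""}
# Step 5: assumed ECS-style bindings (the page does not list the real ones);
# anything not bound is kept under the assumed arkoon.* namespace
FIELD_BINDINGS = {
    "fw": "observer.hostname",
    "src": "source.ip",
    "dst": "destination.ip",
    "port_src": "source.port",
    "port_dest": "destination.port",
    "protocol": "network.iana_number",
    "proto": "network.protocol",
    "sent": "source.bytes",
    "rcvd": "destination.bytes",
    "alert_level": "event.severity_label",
}
INT_FIELDS = {"port_src", "port_dest", "protocol", "sent", "rcvd", "pri", "gmtime"}


def parse_arkoon(line: str) -> dict:
    """Parse one Arkoon line following the page's five-step strategy."""
    # Step 1: identify and strip the log type
    log_type = next((lt for lt in LOG_TYPES if line.startswith(lt)), None)
    if log_type is None:
        raise ValueError(f"unknown log type: {line[:20]!r}")
    payload = line[len(log_type):]

    # Step 2: strip the fixed header
    if not payload.startswith(HEADER):
        raise ValueError("missing 'AKLOG - ' header")
    payload = payload[len(HEADER):]

    # Step 3: key-value extraction; quotes are removed from quoted values
    fields = {key: value.strip('"') for key, value in KV_RE.findall(payload)}

    # Step 4: drop useless fields
    fields = {k: v for k, v in fields.items() if v not in USELESS_VALUES}

    # Step 5: cast and bind to normalized field names
    normalized = {"arkoon.log_type": log_type.rstrip(": ")}
    for key, value in fields.items():
        if key in INT_FIELDS:
            value = int(value)
        if key == "gmtime":
            # gmtime is the UTC epoch; time= is local wall-clock time
            normalized["@timestamp"] = datetime.fromtimestamp(
                value, tz=timezone.utc
            ).isoformat()
            continue
        normalized[FIELD_BINDINGS.get(key, f"arkoon.{key}")] = value
    return normalized


if __name__ == "__main__":
    for sample in SAMPLE_LOGS:
        print(parse_arkoon(sample))
```

Running the block prints the two normalized events; note that `@timestamp` comes out two hours earlier than the `time=` value in the first sample, which is the expected local-to-UTC difference and a useful sanity check when validating the binding.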