Stormshield Network Security


Vendor: Stormshield

Product: Network Security

Log type(s): web

Log sample

id=firewall time="2017-02-03 12:02:22" fw="THSDC1IN" tz=+0000 startime="2017-02-03 12:02:22" pri=5 confid=00 slotlevel=2 ruleid=17 srcif="Ethernet4" srcifname="eth2" ipproto=tcp dstif="Ethernet6" dstifname="eth4" proto=https src= srcport=30178 srcportname=ephemeral_fw_tcp srcname=H_1.1.242.2 dst= dstport=443 dstportname=https ipv=4 action=pass logtype="filter"
id=firewall time="2017-02-03 12:21:51" fw="THS" tz=+0000 startime="2017-02-03 12:21:50" pri=4 confid=00 srcif="Ethernet6" srcifname="eth4" ipproto=icmp icmptype=3 icmpcode=10 proto=icmp src= srcmac=00:00:00:19:77:c0 dst= dstname=Firewall_eth4 ipv=4 action=block msg="Message ICMP invalide (out of TCP sequence)" class=protocol classification=0 alarmid=67 logtype="alarm"

Parsing explanation

Parsing process abstract

  1. The kv() operator is applied to the raw log line, splitting it into key=value fields.
  2. The resulting tmp:[kv][field_name] values are bound to the normalized fields.

Note: the [logtype] key is normalized directly: its value becomes the normalized type field.
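The two-step process above (kv() split, then binding to normalized fields), as an added example that is not part of the original page or of the Stormshield product. The two sample lines are copied from the log sample on this page, including the redacted empty src= and dst= values, which a kv parser must tolerate rather than choke on. The logtype -> type binding is the one the page states; every other binding in ASSUMED_BINDINGS is an assumption made for this illustration, not the product's published schema.

```python
import re
from typing import Dict, List

# Constructed sample input: the two lines from the page's log sample, reproduced
# verbatim (the empty src= / dst= values are the page's own redaction).
SAMPLE_LINES: List[str] = [
    'id=firewall time="2017-02-03 12:02:22" fw="THSDC1IN" tz=+0000 startime="2017-02-03 12:02:22" pri=5 confid=00 slotlevel=2 ruleid=17 srcif="Ethernet4" srcifname="eth2" ipproto=tcp dstif="Ethernet6" dstifname="eth4" proto=https src= srcport=30178 srcportname=ephemeral_fw_tcp srcname=H_1.1.242.2 dst= dstport=443 dstportname=https ipv=4 action=pass logtype="filter"',
    'id=firewall time="2017-02-03 12:21:51" fw="THS" tz=+0000 startime="2017-02-03 12:21:50" pri=4 confid=00 srcif="Ethernet6" srcifname="eth4" ipproto=icmp icmptype=3 icmpcode=10 proto=icmp src= srcmac=00:00:00:19:77:c0 dst= dstname=Firewall_eth4 ipv=4 action=block msg="Message ICMP invalide (out of TCP sequence)" class=protocol classification=0 alarmid=67 logtype="alarm"',
]

# One key=value pair: a key at line start or after whitespace, then either a
# double-quoted value (may contain spaces and parentheses, e.g. msg="...")
# or a run of non-space characters, which may be empty (src= and dst=).
KV_RE = re.compile(r'(?:^|\s)(\w+)=(?:"([^"]*)"|(\S*))')


def kv(line: str) -> Dict[str, str]:
    """Step 1: split a Stormshield log line into its raw key=value fields."""
    fields: Dict[str, str] = {}
    for match in KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


# Step 2: bindings from tmp:[kv][field] to normalized field names. Only the
# logtype -> type binding (handled in normalize()) is stated on the page; the
# entries below are ASSUMED for this example and use dotted names for the
# page's [a][b] notation (alarm.id stands for [alarm][id]).
ASSUMED_BINDINGS: Dict[str, str] = {
    "alarmid": "alarm.id",
    "pri": "pri",
    "fw": "fw",
    "src": "src",
    "dst": "dst",
    "dstport": "dstport",
    "dstportname": "dstportname",
    "msg": "msg",
    "action": "action",
}


def normalize(fields: Dict[str, str]) -> Dict[str, str]:
    """Bind raw kv fields to normalized fields; empty (redacted/absent) values are dropped."""
    normalized: Dict[str, str] = {}
    if "logtype" in fields:
        # Direct normalization noted on the page: logtype value becomes the type field.
        normalized["type"] = fields["logtype"]
    for raw_key, norm_key in ASSUMED_BINDINGS.items():
        value = fields.get(raw_key, "")
        if value != "":
            normalized[norm_key] = value
    return normalized


def parse(line: str) -> Dict[str, str]:
    """Full pipeline: kv() split followed by binding to normalized fields."""
    return normalize(kv(line))


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse(sample))
```

Keeping empty values out of the normalized record matters for detection content: a rule that matches on src being absent behaves differently from one that sees an empty string, so the parser should make that choice explicitly rather than leave it to whatever kv() happens to emit.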

Normalization table (flattened during extraction; the original columns were "Normalization" and "Key in log", and the row pairing could not be recovered). Entries in the order they appear:

  Normalized fields: [alcatel], [alarm][id], [alarm][sev], [msg], [pri], [fw], [src], [init][host][ip], [init][host][mac], [user], [dst], [dstport], [dstportname], [error], [service], [method], [action], [app][name]
  Keys in log: tmp:[kv][alarmid], tmp:[kv][srcifname]
  Description fragment: "Tuple that is used to save any other data specific to"