
Stormshield Network Security

Description

Vendor: Stormshield

Product: Network Security

Log type(s): web

Log sample

id=firewall time="2017-02-03 12:02:22" fw="THSDC1IN" tz=+0000 startime="2017-02-03 12:02:22" pri=5 confid=00 slotlevel=2 ruleid=17 srcif="Ethernet4" srcifname="eth2" ipproto=tcp dstif="Ethernet6" dstifname="eth4" proto=https src=1.1.242.2 srcport=30178 srcportname=ephemeral_fw_tcp srcname=H_1.1.242.2 dst=1.1.197.105 dstport=443 dstportname=https ipv=4 action=pass logtype="filter"

id=firewall time="2017-02-03 12:21:51" fw="THS" tz=+0000 startime="2017-02-03 12:21:50" pri=4 confid=00 srcif="Ethernet6" srcifname="eth4" ipproto=icmp icmptype=3 icmpcode=10 proto=icmp src=1.1.4.12 srcmac=00:00:00:19:77:c0 dst=1.1.144.229 dstname=Firewall_eth4 ipv=4 action=block msg="Message ICMP invalide (out of TCP sequence)" class=protocol classification=0 alarmid=67 logtype="alarm"

Parsing explanation

Parsing process abstract

  1. The kv() operator is applied to the raw line, splitting it into key=value pairs (quoted values, such as msg="...", may contain spaces).
  2. Each extracted key tmp:[kv][field_name] is bound to its normalized field.

Note: the [logtype] field (for example "filter" or "alarm" in the samples above) is normalized directly into the type field.
Normalization (fields produced by the parser):

  • [alcatel]: Tuple that is used to save any other data specific to
  • [alarm][id]
  • [alarm][sev]
  • [init][host][ip]
  • [init][host][mac]
  • [init][usr][name]
  • [target][host][ip]
  • [target][host][port]
  • [target][host][if]
  • [action]
  • [app][return][code]
  • [app][name]
  • [app][method]
  • [rule][id]

Key in log (read from the kv() output):

  • tmp:[kv][alarmid]
  • tmp:[kv][srcifname]
  • [msg]
  • [pri]
  • [fw]
  • [src]
  • [user]
  • [dst]
  • [dstport]
  • [dstportname]
  • [error]
  • [service]
  • [method]
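As an added example, not the page's own parser nor Stormshield's, here is a minimal Python version of the two-step process: a kv() pass that handles both bare and double-quoted values (the alarm sample's msg contains spaces and parentheses, so splitting on whitespace would break it), followed by a binding of a few raw keys to nested normalized fields and the direct logtype to type copy from the note above. The key-to-field mapping (_FIELD_MAP) and the "stormshield" catch-all tuple are assumptions chosen to match the two samples, not the page's table; the two sample lines are embedded as constructed input so the script runs offline.

```python
import re
from typing import Any, Dict

# Constructed samples: the two log lines shown on this page.
FILTER_LINE = (
    'id=firewall time="2017-02-03 12:02:22" fw="THSDC1IN" tz=+0000 '
    'startime="2017-02-03 12:02:22" pri=5 confid=00 slotlevel=2 ruleid=17 '
    'srcif="Ethernet4" srcifname="eth2" ipproto=tcp dstif="Ethernet6" '
    'dstifname="eth4" proto=https src=1.1.242.2 srcport=30178 '
    'srcportname=ephemeral_fw_tcp srcname=H_1.1.242.2 dst=1.1.197.105 '
    'dstport=443 dstportname=https ipv=4 action=pass logtype="filter"'
)
ALARM_LINE = (
    'id=firewall time="2017-02-03 12:21:51" fw="THS" tz=+0000 '
    'startime="2017-02-03 12:21:50" pri=4 confid=00 srcif="Ethernet6" '
    'srcifname="eth4" ipproto=icmp icmptype=3 icmpcode=10 proto=icmp '
    'src=1.1.4.12 srcmac=00:00:00:19:77:c0 dst=1.1.144.229 '
    'dstname=Firewall_eth4 ipv=4 action=block '
    'msg="Message ICMP invalide (out of TCP sequence)" class=protocol '
    'classification=0 alarmid=67 logtype="alarm"'
)

# key=value where the value is either a double-quoted string (may contain
# spaces, parentheses and '=') or a bare run of non-space characters.
_KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')


def kv(line: str) -> Dict[str, str]:
    """Step 1: the kv() pass. Returns the raw tmp:[kv][...] keys."""
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


# Step 2: binding of raw keys to normalized fields. ASSUMED mapping chosen to
# match the two samples above; it is not the page's normalization table.
_FIELD_MAP = {
    "alarmid": "alarm.id",
    "src": "init.host.ip",
    "srcmac": "init.host.mac",
    "user": "init.usr.name",
    "dst": "target.host.ip",
    "dstport": "target.host.port",
    "dstif": "target.host.if",
    "action": "action",
    "ruleid": "rule.id",
}
_INT_FIELDS = {"dstport"}  # ports are compared numerically downstream


def _set_nested(event: Dict[str, Any], dotted: str, value: Any) -> None:
    """Write value at a dotted path, creating intermediate dicts."""
    *parents, leaf = dotted.split(".")
    node = event
    for p in parents:
        node = node.setdefault(p, {})
    node[leaf] = value


def normalize(line: str) -> Dict[str, Any]:
    raw = kv(line)
    event: Dict[str, Any] = {}
    for key, dest in _FIELD_MAP.items():
        if key in raw:  # alarm lines carry no dstport/ruleid: skip, do not fail
            value = int(raw[key]) if key in _INT_FIELDS else raw[key]
            _set_nested(event, dest, value)
    # [logtype] is copied directly into the type field, as the page notes.
    if "logtype" in raw:
        event["type"] = raw["logtype"]
    # Every unmapped key is kept in a vendor tuple (assumed name) so no data
    # from the original line is dropped during normalization.
    event["stormshield"] = {
        k: v for k, v in raw.items() if k not in _FIELD_MAP and k != "logtype"
    }
    return event


if __name__ == "__main__":
    import json
    for line in (FILTER_LINE, ALARM_LINE):
        print(json.dumps(normalize(line), indent=2))
```

Keeping the unmapped keys in a vendor tuple matters for investigation: the alarm sample's class, classification and icmptype/icmpcode have no normalized home in the mapping above but are exactly what an analyst needs when the alarm is "Message ICMP invalide".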