How do I read the log on my DFL-200/DFL-700/DFL-1100?

How to Read the Logs

Although the exact format of each log entry depends on how your syslog recipient works, most are very much alike. The way in which logs are read is also dependent on how your syslog recipient works. Syslog daemons on UNIX servers usually log to text files, line by line.

Most syslog recipients preface each log entry with a timestamp and the IP address (or hostname) of the machine that sent the log data:

Oct 20 2003 09:45:23 gateway

This is followed by the text the sender has chosen to send. All log entries from the firewall are prefaced with "EFW:" and a category, e.g. "DROP:"

Oct 20 2003 09:45:23 gateway EFW: DROP:

Subsequent text is dependent on the event that has occurred.


USAGE Events

These events are sent periodically and provide statistical information regarding connections and amount of traffic.

Example:

Oct 20 2003 09:45:23 gateway EFW: USAGE: conns=1174 if0=core ip0=127.0.0.1 tp0=0.00 if1=wan ip1=192.168.10.2 tp1=11.93 if2=lan ip2=192.168.0.1 tp2=13.27 if3=dmz ip3=192.168.1.1 tp3=0.99

The value after conns is the number of open connections through the firewall when the usage log was sent. Each interface is reported as a numbered group: the value after ifN is the interface name, ipN its address, and tpN the throughput on that interface at the time the usage log was logged.


DROP Events

These events may be generated by a number of different functions in the firewall. The most common source is probably the policies.

Example:

Oct 20 2003 09:42:25 gateway EFW: DROP: prio=1 rule=Rule_1 action=drop recvif=wan srcip=192.168.10.2 destip=192.168.0.1 ipproto=TCP ipdatalen=28 srcport=3572 destport=135 tcphdrlen=28 syn=1

In this line, traffic from 192.168.10.2 arriving on the WAN side of the firewall and attempting to connect to 192.168.0.1 on TCP port 135 (the Microsoft RPC endpoint mapper) is dropped by Rule_1. syn=1 shows that this was the initial connection attempt.


CONN Events

These events are generated if auditing has been enabled.

One event will be generated when a connection is established. This event will include information about protocol, receiving interface, source IP address, source port, destination interface, destination IP address and destination port.

Open Example:

Oct 20 2003 09:47:56 gateway EFW: CONN: prio=1 rule=Rule_8 conn=open connipproto=TCP connrecvif=lan connsrcip=192.168.0.10 connsrcport=3179 conndestif=wan conndestip=64.7.210.132 conndestport=80

In this line, traffic from 192.168.0.10 on the LAN interface is connecting to 64.7.210.132 on port 80 on the WAN side of the firewall (Internet).

Another event is generated when the connection is closed. The information included in the event is the same as in the event sent when the connection was opened, except that statistics regarding sent and received traffic are also included.

Close Example:

Oct 20 2003 09:48:05 gateway EFW: CONN: prio=1 rule=Rule_8 conn=close connipproto=TCP connrecvif=lan connsrcip=192.168.0.10 connsrcport=3179 conndestif=wan conndestip=64.7.210.132 conndestport=80 origsent=62 termsent=60

In this line, the connection opened in the previous example is closed. origsent and termsent are the traffic counters for the originating side (192.168.0.10) and the terminating side (64.7.210.132) of the connection respectively.
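The following is an added example, not code from D-Link or from this FAQ. It parses the "EFW:" line format described above and shows what a practitioner usually wants from these three categories: the per-interface throughput table from a USAGE line, a count of DROP events per receiving interface, source and destination port (so a host probing many times stands out), and CONN open/close pairs matched on the 5-tuple so that duration and the origsent/termsent byte counts can be read together. The sample log is constructed from the examples in this FAQ; the two extra DROP lines, the unmatched close and the non-firewall line are invented for illustration, and the hostname "gateway" and a single space between fields are assumed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log, built from the examples in this FAQ.  The second and
# third DROP lines, the close for 192.168.0.11 (which has no matching open) and
# the last non-firewall line are invented to exercise the helpers below.
SAMPLE_LOG = """\
Oct 20 2003 09:42:25 gateway EFW: DROP: prio=1 rule=Rule_1 action=drop recvif=wan srcip=192.168.10.2 destip=192.168.0.1 ipproto=TCP ipdatalen=28 srcport=3572 destport=135 tcphdrlen=28 syn=1
Oct 20 2003 09:42:26 gateway EFW: DROP: prio=1 rule=Rule_1 action=drop recvif=wan srcip=192.168.10.2 destip=192.168.0.1 ipproto=TCP ipdatalen=28 srcport=3573 destport=135 tcphdrlen=28 syn=1
Oct 20 2003 09:42:27 gateway EFW: DROP: prio=1 rule=Rule_1 action=drop recvif=wan srcip=192.168.10.2 destip=192.168.0.1 ipproto=TCP ipdatalen=28 srcport=3574 destport=445 tcphdrlen=28 syn=1
Oct 20 2003 09:45:23 gateway EFW: USAGE: conns=1174 if0=core ip0=127.0.0.1 tp0=0.00 if1=wan ip1=192.168.10.2 tp1=11.93 if2=lan ip2=192.168.0.1 tp2=13.27 if3=dmz ip3=192.168.1.1 tp3=0.99
Oct 20 2003 09:47:56 gateway EFW: CONN: prio=1 rule=Rule_8 conn=open connipproto=TCP connrecvif=lan connsrcip=192.168.0.10 connsrcport=3179 conndestif=wan conndestip=64.7.210.132 conndestport=80
Oct 20 2003 09:48:05 gateway EFW: CONN: prio=1 rule=Rule_8 conn=close connipproto=TCP connrecvif=lan connsrcip=192.168.0.10 connsrcport=3179 conndestif=wan conndestip=64.7.210.132 conndestport=80 origsent=62 termsent=60
Oct 20 2003 09:48:06 gateway EFW: CONN: prio=1 rule=Rule_8 conn=close connipproto=TCP connrecvif=lan connsrcip=192.168.0.11 connsrcport=3180 conndestif=wan conndestip=64.7.210.132 conndestport=80 origsent=10 termsent=20
Oct 20 2003 09:48:07 gateway some other daemon: not a firewall event
"""

# Syslog prefix (timestamp and sender), the EFW marker, the category, then the
# key=value tail.  The timestamp layout is the one used in the FAQ examples.
EFW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"EFW: (?P<category>[A-Z]+): (?P<fields>.*)$"
)


def parse_ts(ts):
    """Turn the 'Oct 20 2003 09:47:56' prefix into a datetime."""
    return datetime.strptime(ts, "%b %d %Y %H:%M:%S")


def parse_line(line):
    """Return {ts, host, category, fields} for an EFW line, or None for anything else."""
    m = EFW_RE.match(line.strip())
    if m is None:
        return None
    fields = {}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:  # ignore stray tokens that are not key=value
            fields[key] = value
    return {"ts": m.group("ts"), "host": m.group("host"),
            "category": m.group("category"), "fields": fields}


def parse_log(text):
    """Parse every line of a syslog file, silently skipping non-firewall lines."""
    entries = (parse_line(l) for l in text.splitlines())
    return [e for e in entries if e is not None]


def usage_throughput(entry):
    """Map interface name -> throughput from the ifN/tpN groups of a USAGE entry."""
    f = entry["fields"]
    table, i = {}, 0
    while f"if{i}" in f:
        table[f[f"if{i}"]] = float(f[f"tp{i}"])
        i += 1
    return table


def drop_summary(entries):
    """Count DROP events per (recvif, srcip, destport); noisy sources float to the top."""
    counts = Counter()
    for e in entries:
        if e["category"] == "DROP":
            f = e["fields"]
            counts[(f.get("recvif"), f.get("srcip"), f.get("destport"))] += 1
    return counts


def pair_connections(entries):
    """Match CONN open/close events on the 5-tuple.

    Returns (closed, still_open, orphan_closes): closed connections carry their
    duration in seconds and the origsent/termsent counters; a close with no
    prior open is reported rather than dropped, since that usually means the
    log was rotated or auditing was enabled mid-connection.
    """
    key_fields = ("connipproto", "connsrcip", "connsrcport", "conndestip", "conndestport")
    open_conns, closed, orphans = {}, [], []
    for e in entries:
        if e["category"] != "CONN":
            continue
        f = e["fields"]
        key = tuple(f.get(k) for k in key_fields)
        if f.get("conn") == "open":
            open_conns[key] = e
        elif f.get("conn") == "close":
            opened = open_conns.pop(key, None)
            if opened is None:
                orphans.append(e)
                continue
            closed.append({
                "key": key,
                "rule": f.get("rule"),
                "seconds": (parse_ts(e["ts"]) - parse_ts(opened["ts"])).total_seconds(),
                "origsent": int(f.get("origsent", 0)),
                "termsent": int(f.get("termsent", 0)),
            })
    return closed, list(open_conns.values()), orphans


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        if e["category"] == "USAGE":
            print("throughput:", usage_throughput(e))
    print("top drops:", drop_summary(entries).most_common(3))
    closed, still_open, orphans = pair_connections(entries)
    print("closed:", closed, "open:", len(still_open), "orphan closes:", len(orphans))
```

Feed it a real file with parse_log(open(path).read()); since parse_line returns None for lines that do not carry "EFW:", other daemons sharing the same syslog file are ignored rather than mis-parsed.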
