Log Export File Format

The Ingate Firewall® and SIParator® can currently export logs in three formats: WELF, commaseparated and tabseparated. The WELF format is documented at Webtrends.

The commaseparated and tabseparated formats are basically the same. Only the separator character differs.

This document specifies the export formats used by Ingate Firewall/SIParator® 2.4.0-3.0.2. It is exptected that future versions of Ingate products will log new types of events. The new events will be given a new event code.

Ingate Systems will try to avoid changing the format of logged events, but we may do so, for instance to allow more information to be logged. If that happens, the new format of the event will be given a new event code, so that log parsing utilities can distinguish between the old and the new log format.

Log file structure

Each event in the log is stored as a single line of text. Each line is terminated by a single linefeed (0x0A). The charset is ISO 8859-1 (also known as Latin1).

Each event contains several fields, separated by the separator (tab (0x09) or comma (",", 0x2C)). The first field is an event code that determines the type of the event, such as "an IP packet was received" or "the clock was set by the operator". All event codes are documented below, together with information about the fields that accompanies them.

The backslash character ("\", 0x5C) is used to quote the separator if it occurs inside a field. It is also used to quote a backslash.

The following example illustrates the syntax of the log files when comma is used as the separator:

DEMO,2000-03-03 18:13:27,Testing\, testing,y\\x

This event is logged with four fields:

• DEMO is the event code.
• 2000-03-03 18:13:29 is the second field. Most events store the time in the second field, but see CLKSET for an exception.
• The third field has the value Testing, testing. Note the embedded comma.
• The fourth and final field has the value y\x. Note that the backslash is quoted.

The fields never contain control characters.

Timestamps

All timestamps are logged in a common format: YYYY-mm-dd HH:MM:SS. Example: one minute past 3 PM, December 24, 1997 would be logged as 1997-12-24 15:01:00.

The IP event type

The IP event type is used for logged IP packets. It has several fields:

event code

The code field is set to IP.

timestamp

The timestamp (see above).

protocol

The IP protocol. This can be one of the strings TCP, UDP, ICMP, IGMP, IPIP, GRE, ESP, AH, SKIP, or a decimal number.

source interface

The name of the source interface, such as eth0 or ipsec1. May be empty.

source IP address

The source IP number, such as 10.0.3.4.

source port

The source port number, such as 53. Only used for TCP and UDP packets; blank otherwise.

destination interface

The name of the destination interface, such as eth0 or ipsec1. May be empty.

destination IP address

The destination IP number, such as 10.0.3.4.

destination port

The destination port number, such as 53. Only used for TCP and UDP packets; blank otherwise.

icmp_type

The ICMP type field, such as 8. Only used for ICMP and IGMP packets; blank otherwise.

icmp_code

The ICMP code field, such as 0. Only used for ICMP and IGMP packets; blank otherwise.

tcp_flags

The TCP flags, as a string. This string consists of one character for each TCP flag that is set:

character	TCP flag
S	SYN
A	ACK
U	URG
P	PUSH
F	FIN
R	RST

If no flags was set, or if the packet was not a TCP packet, the field is blank.

action

The action that was taken for this packet. The content of this field is language-dependent.

Blacklisted (discarded)	Svartlistat (kastat)
Discarded	Kastat
Blacklisted (rejected)	Svartlistat (spärrat)
Rejected	Spärrat
Accepted	Framsläppta
NATed	NATat

More actions may be added in the future.

Text message

There may be an additional text message in some rare cases.

The VPN event type

When the status of a VPN tunnel changes, a message of this type is logged.

event code

The code field is set to VPN.

timestamp

The timestamp (see above).

event type

The event type, which is language-dependent:

ISAKMP SA established	ISAKMP SA etablerad
ISAKMP SA replaced	ISAKMP SA utbytt
ISAKMP SA expired	ISAKMP SA uttjänt
ISAKMP SA failed	ISAKMP SA misslyckades
Peer uknown	Okänd motpart
IPsec SA established	IPsec SA etablerad
IPsec SA replaced	IPsec SA utbytt
IPsec SA expired	IPsec SA expired
IPsec SA failed	IPsec SA misslyckades
Unknown connection	Okänd uppkoppling

More event types may be added in the future.

Local security gateway

The IP number of the local security gateway (that is, one of the IP numbers of the Ingate Firewall/SIParator® that generates this log).

Local identity

This may be an IP address or a string, depending on how the tunnel is configured.

Local network

The local network that is tunneled through this tunnel, as an network address and a netmask. Example: 10.41.0.0/16. This field is blank for ISAKMP SA events.

Remote security gateway

The IP number of the remote security gateway.

Remote identity

The remote identity, if known.

Remote network

The remote network that is tunneled through this tunnel, as an network address and a netmask. This field is blank for ISAKMP SA events.

The TXT event type

The TXT event is a catch-all for various events that log a text message.

event code

The code field is set to TXT.

timestamp

The timestamp (see above).

category

The category is a string that categorizes the message. The current categories are:

CFG/AUTH	Messages regarding authentication of accesses to the configuration server.
DHCP/CLIENT	Messages from the built-in DHCP client about leases.
HARDWARE/FAN/CPU	Messages regarding the CPU fan.
HARDWARE/FAN/FRONT	Messages regarding the front (or chassis) fan.
HARDWARE/FAN/PS	Messages regarding the power-supply fan.
MAIL/ALERT	Messages regarding mail delivery problems.
RADIUS/ERROR	Messages regarding problems with RADIUS servers, such as no or broken responses (but not broken passwords or wrong Service-Type attribute).
SIP/ERRORS	Error messages regarding the SIP functions.
SIP/MESSAGE	SIP messages (the entire contents).
SIP/SIGNALING	The first line of a SIP message or the first packet of a media stream.
SIP/VERBOSE	Messages regarding the SIP functionality (debug messages, etc).
SNMP/AGENT	Messages from the SNMP agent of the firewall/SIParator®.
VPN/BLACKLIST	A VPN client was blacklisted, or is no longer blacklisted.
VPN/PLUTO	Messages from the Pluto subsystem, which handles IKE key negotiations.
VPN/USERAUTH	Messages generated when a road warrior VPN user authenticates himself (currently with the aid of a RADIUS server).

More categories may be added in the future.

facility

The syslog facility. This is only useful for some categories.

priority

The syslog priority of the message.

progname

The name of the program that logged this message.

message

The message itself.

The TXT- event type

The TXT- event is an extension to the TXT event type. TXT- indicates that the next line is part of the same log message as the current one. In all other respects, it is the same as the TXT event type.

The CLKSET event type

The CLKSET event is generated when the time is changed.

event code

The code field is set to CLKSET.

old timestamp

The timestamp before the clock change.

new timestamp

The timestamp after the clock change.

The CFGSET event type