1.3. Context Parameters

Home Prev	cOS Core 15.00.01 Log Reference Guide	Next

In many cases, information regarding a certain object is featured in the log message. This can be information about, for example, a connection. In this case, the log message should, besides all the normal log message attributes, also include information about which protocol is used, source and destination IP addresses and ports (if applicable) and so on.

As the same information will be included in many log messages, these are referenced as a Context Parameter. So whenever a log message includes information about a connection, it will feature the CONN parameter in the Context Parameter list. This means that additional information about the connection will also be included in the log message.

A description of all available context parameters follows with an explanation of all the additional parameters. The names of the additional parameters are specified using the Syslog format.

	Note
	The additional parameters are formatted differently in the EFWLog format, giving them a more user friendly presentation.

ALG Module Name

The type of ALG related to an event. An ALG is always of a certain type, for example FTP, H323 or HTTP. This parameter specifies the name of the ALG sub-module, in order to quickly distinguish which type of ALG this is.

algmod: The name of the ALG sub-module.

ALG Session ID

The ALG session ID related to an event. Each ALG session has its own session ID, which uniquely identifies an ALG session. This is useful, for example, when matching the opening of an ALG session with the closure of the same ALG session.

algsesid: The session ID of an ALG session.

Packet Buffer

Information about the packet buffer related to an event. This can contain a large number of additional objects. Certain parameters may or may not be included, depending on the type of packet buffer. For example, the TCP flags are only included if the buffer contains the TCP protocol. The ICMP-specific parameters are only included if the buffer contains the ICMP protocol.

recvif: The name of the receiving interface.
recvzone: The zone assigned to the receiving interface.
[hwsender]: The sender hardware address. Valid if the protocol is ARP.
[hwdest]: The destination hardware address. Valid if the protocol is ARP.
[arp]: The ARP state. Valid if the protocol is ARP. Possible values: request|reply.
[srcip]: The source IP Address. Valid if the protocol is not ARP.
[destip]: The destination IP Address. Valid if the protocol is not ARP.
iphdrlen: The IP header length.
[fragoffs]: Fragmentation offset. Valid if the IP packet is fragmented.
[fragid]: Fragmentation ID. Valid if the IP packet is fragmented.
ipproto: The IP Protocol.
ipdatalen: The IP data length.
[srcport]: The source port. Valid if the protocol is TCP or UDP.
[destport]: The destination port. Valid if the protocol is TCP or UDP.
[tcphdrlen]: The TCP header length. Valid if the protocol is TCP.
[udptotlen]: The total UDP data length. Valid if the protocol is UDP.
[[tcpflag]=1]: The specific TCP flag is set. Valid if the protocol is TCP. Possible values for tcpflag: syn, rst, ack, psh, fin, urg, ece, cwr and ns.
[icmptype]: The ICMP sub-protocol name. Valid if the protocol is ICMP.
[echoid]: The ICMP echo ID. Valid if the protocol is ICMP and sub-protocol is echo.
[echoseq]: The ICMP echo sequence number. Valid if the protocol is ICMP and sub-protocol is echo.
[unreach]: The ICMP destination unreachable code. Valid if the protocol is ICMP and sub-protocol is destination unreachable.
[redirect]: The ICMP redirect code. Valid if the protocol is ICMP and sub-protocol is redirect.
[icmpcode]: The ICMP sub-protocol code. Valid if the protocol is ICMP and sub-protocol is not echo, destination unreachable or redirect.
[ipmf]: The "More Fragment" flag in the IP Packet 0 means "Last Fragment" and 1 means "More Fragments"
[ipdf]: The "Don't Fragment" flag in the IP packet 0 means "May Fragment" and 1 means "Don't Fragment".
[iprf]: Reserved flag. Not used.
[ipff]: First fragment (IPv6). This entry indicates that this packet is the first fragmented packet.
[optionlen]: The length of extension headers (IPv6).

Connection

Additional information about a connection that generated the event. Certain parameters may or may not be included depending on the type and status of the connection. For example, the number of bytes sent by the originator and terminator is only included if the connection is closed.

conn: The status of the connection. Possible values: open, close, closing and unknown.
connipproto: The IP protocol used in this connection.
connrecvif: The name of the receive interface.
connrecvzone: The zone assigned to the receiving interface.
connsrcip: The source IP address.
connsrcmac: The source MAC address.
connsrcdevice: The source device type.
[connsrcport]: The source port. Valid if the protocol is TCP or UDP.
[connsrcidt]: The source ID. Valid if the protocol is not TCP or UDP.
conndestif: The name of the destination interface.
conndestzone: The zone assigned to the destination interface.
conndestip: The destination IP address.
conndestmac: The destination MAC address.
conndestdevice: The destination device type.
[conndestport]: The destination port. Valid if the protocol is TCP or UDP.
[conndestidt]: The destination ID. Valid if the protocol is not TCP or UDP.
[origsent]: The number of bytes sent by the originator in this connection. Valid if the connection is closing or closed.
[termsent]: The number of bytes sent by the terminator in this connection. Valid if the connection is closing or closed.

IDP

Specifies the name and a description of the signature that triggered this event.

	Note
	For IDP log messages an additional log receiver, an SMTP log receiver, can be configured. This information is only sent to log receives of that kind and not included in the Syslog or EFWLog format.

Dropped Fragments

Specifies detailed information about dropped fragments in a packet.

	Note
	This information is only sent in the EFWLog format

Rule Name

Specifies the name of the rule set entry that was triggered to generate this event.

rule: The name of the rule.

Rule Information

Additional information about the rule set entry that generated this event. Certain parameters may or may not be included, depending on the type of entry. For example, the name of an authenticated user is only included if this rule contains network objects that have user authentication information in them.

rule: The name of the rule.
[satsrcrule]: The name of the SAT source rule. Valid if the rule action is SAT.
[satdestrule]: The name of the SAT destination rule. Valid if the rule action is SAT.
[srcusername]: The name of the authenticated user in the source network object. Valid if the source network object has user authentication information.
[destusername]: The name of the authenticated user in the destination network object. Valid if the destination network object has user authentication information.

User Authentication

Additional information about a user authentication event.

authrule: The name of the user authentication rule.
authagent: The name of the user authentication agent.
authevent: The user authentication event that occurred. Possible values: login, logout, timedout, disallowed_login, accounting and unknown.
username: The name of the user that triggered this event.
srcip: The source IP address of the user that triggered this event.

OSPF

Additional information about an OSPF event.

logsection: The OSPF section Possible values: packet, hello, ddesc, exchange, lsa, spf, route and unknown.
loglevel: The log level value.

OSPF LSA

Additional information about OSPF LSA.

lsatype: The LSA type Possible values: Router, network, IP summary, ASBR summary and AS external.
lsaid: The LSA identifier.
lsaadvrtr: The originating router for the LSA.

Dynamic Route

Additional information about a dynamic route event.

event: The dynamic routing event that occurred. Possible values: add, remove, modify, export, unexport and unknown.
from: Originating router process.
to: Destination router process.

Route

Additional information about a route event.

route: Route network.
routeiface: Route destination interface.
routezone: The zone assigned to the destination interface.
routegw: Route gateway.
routemetric: Route metric (cost).

Deep Inspection

Additional information about a deep inspection event.

UINT64

Additional information about a UINT64 event.