Dropped Source Routed Packet Log Format

 

Applicable to version – 9.5.4 build 66 onwards

Once you have configured Cyberoam to send logs to an external syslog server, Cyberoam forwards the Dropped Source Routed Packet log to the syslog server in the format given below.

If you have not yet configured Cyberoam to forward logs, refer to How To – Enable logging and forward Logs to Syslog.

Log ID structure

Log ID – Unique 12-character code (c1c2c3c4c5c6c7c8c9c10c11c12), e.g. 010602605001
where:
c1c2 - Log Type ID
c3c4 - Log Component ID
c5c6 - Log Sub Type ID
c7 - Priority
c8c9c10c11c12 - Message ID

Reading the example against the tables below: 01 = Firewall (type), 06 = Source Routed (component), 02 = Denied (subtype), 6 = Information (priority), 05001 = Source routed traffic denied (message ID).

Log Type

Log Type ID   Log Type
01            Firewall
02            IDP
03            Anti Virus
04            Anti Spam
05            Content Filtering

Log Component

Log Component ID   Log Component
01                 Firewall Rule
02                 Invalid Traffic
03                 Local ACLs
04                 DoS Attack
05                 ICMP Redirection
06                 Source Routed
07                 Anomaly
08                 Signatures
09                 HTTP
10                 FTP
11                 SMTP
12                 POP3
13                 IMAP4
14                 Fragmented Traffic
15                 Invalid Fragmented Traffic

Log Subtype

Log Subtype ID   Sub Type
01               Allowed
02               Denied
03               Detect
04               Drop
05               Clean
06               Virus
07               Spam
08               Probable Spam

Priority

Priority   Description
0          Emergency
1          Alert
2          Critical
3          Error
4          Warning
5          Notice
6          Information
7          Debug

 

Each event has a unique message ID, which is included as part of the log ID (characters c8 to c12).

Log Component / Message ID / Event

Firewall rule
  00001  Traffic allowed according to the firewall rule
  00002  Traffic denied/dropped according to the firewall rule

Invalid traffic
  01001  Invalid traffic denied

Local ACLs
  02001  Traffic allowed according to the configured Local ACL
  02002  Traffic denied according to the configured Local ACL

DoS Attack
  03001  DoS attack denied according to the DoS settings

ICMP Redirection
  04001  ICMP redirection traffic denied

Source Routed
  05001  Source routed traffic denied

Fragmented traffic
  01301  Fragmented traffic denied

Invalid Fragmented traffic
  01601  Invalid Fragmented traffic denied

IDP
  06001  Detected attacks based on unknown or suspicious patterns (anomaly)
  06002  Dropped attacks based on unknown or suspicious patterns (anomaly)
  07001  Detected attacks based on attack signature
  07002  Dropped attacks based on attack signature

Antivirus
  08001  HTTP – Virus infected URL blocked
  09001  Virus infected FTP data transfer blocked
  09002  FTP data transfer completed successfully
  10001  Virus infected mail detected in SMTP traffic
  11001  Virus infected mail detected in POP3 traffic
  12001  Virus infected mail detected in IMAP4 traffic

Antispam
  13001  Mail detected as SPAM in SMTP traffic and rejected
  13004  Mail detected as SPAM in SMTP traffic and dropped
  13005  Mail detected as SPAM in SMTP traffic but accepted
  13006  Mail detected as SPAM in SMTP traffic but forwarded after changing the original recipient address
  13007  Mail detected as SPAM in SMTP traffic but forwarded after tagging the original subject, i.e. adding a prefix to the subject
  13002  Mail detected as PROBABLE SPAM in SMTP traffic and rejected
  13008  Mail detected as PROBABLE SPAM in SMTP traffic and dropped
  13009  Mail detected as PROBABLE SPAM in SMTP traffic but accepted
  13010  Mail detected as PROBABLE SPAM in SMTP traffic but forwarded after changing the original recipient address
  13011  Mail detected as PROBABLE SPAM in SMTP traffic but forwarded after tagging the original subject, i.e. adding a prefix to the subject
  13004  Clean mail in SMTP traffic (listed with the same ID as the dropped-SPAM event above)
  14001  Mail detected as SPAM in POP3 traffic but accepted
  14002  Mail detected as PROBABLE SPAM in POP3 traffic but accepted
  14003  Clean mail in POP3 traffic
         Mail detected as SPAM in POP3 traffic but forwarded after changing the original recipient address (no message ID listed)
  14005  Mail detected as PROBABLE SPAM in POP3 traffic but forwarded after tagging the original subject, i.e. adding a prefix to the subject
  15001  Mail detected as SPAM in IMAP4 traffic but accepted
  15002  Mail detected as PROBABLE SPAM in IMAP4 traffic but accepted
  15003  Clean mail in IMAP4 traffic
  15004  Mail detected as SPAM in IMAP4 traffic but forwarded after tagging the original subject, i.e. adding a prefix to the subject

Content Filter
  16001  Web site/file/application access allowed according to the Internet Access policy
  16002  Web site/file/application access blocked according to the Internet Access policy

 

Sample Log

Event: Source routed traffic denied

Log sample:

date=2007-12-12 time=14:10:53 timezone="IST" device_name="CR500i" device_id=C010600411-YFK5RL deployment_mode="Route" log_id=010602605001 log_type="Firewall" log_component="Source Routed" log_subtype="Denied" priority=Information duration=0 fw_rule_id="" user_name="" user_gp="" iap="" application="" application_id="" in_interface="" out_interface="" src_ip=192.168.1.76 dst_ip=192.168.13.25 protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=0.0.0.0 tran_src_port=0 tran_dst_ip=0.0.0.0 tran_dst_port=0 srczonetype="" dstzonetype="" dir_disp="" connevent="" connid="" vconnid=""
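As an added example (not part of this Cyberoam article), the following Python code splits a line in the format above into its fields, decodes log_id into type, component, subtype, priority and message ID using the tables from this page, checks that the numeric code agrees with the string fields carried on the same line, and counts "Source routed traffic denied" events per source IP. The first sample line is the article's own sample log (with straight quotes); the remaining lines and all function names are constructed here for illustration.

```python
"""Parse Cyberoam syslog lines and decode the 12-digit log_id (added example)."""
import re
from collections import Counter

# Lookup tables transcribed from the tables in this article.
LOG_TYPE = {"01": "Firewall", "02": "IDP", "03": "Anti Virus",
            "04": "Anti Spam", "05": "Content Filtering"}
LOG_COMPONENT = {
    "01": "Firewall Rule", "02": "Invalid Traffic", "03": "Local ACLs",
    "04": "DoS Attack", "05": "ICMP Redirection", "06": "Source Routed",
    "07": "Anomaly", "08": "Signatures", "09": "HTTP", "10": "FTP",
    "11": "SMTP", "12": "POP3", "13": "IMAP4",
    "14": "Fragmented Traffic", "15": "Invalid Fragmented Traffic",
}
LOG_SUBTYPE = {"01": "Allowed", "02": "Denied", "03": "Detect", "04": "Drop",
               "05": "Clean", "06": "Virus", "07": "Spam", "08": "Probable Spam"}
PRIORITY = {"0": "Emergency", "1": "Alert", "2": "Critical", "3": "Error",
            "4": "Warning", "5": "Notice", "6": "Information", "7": "Debug"}
SOURCE_ROUTED_DENIED = "05001"  # message ID of "Source routed traffic denied"

# One key=value pair: the value is either double-quoted (possibly empty) or a
# bare run of non-space characters.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_line(line: str) -> dict:
    """Split one Cyberoam syslog line into {field: value}; values stay strings."""
    # The article's sample line was rendered with curly quotes; normalise them.
    line = line.replace("\u201c", '"').replace("\u201d", '"')
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def decode_log_id(log_id: str) -> dict:
    """Decode c1c2 type, c3c4 component, c5c6 subtype, c7 priority, c8-c12 message ID."""
    if len(log_id) != 12 or not log_id.isdigit():
        raise ValueError(f"log_id must be 12 digits, got {log_id!r}")
    return {
        "log_type": LOG_TYPE.get(log_id[0:2], "unknown"),
        "log_component": LOG_COMPONENT.get(log_id[2:4], "unknown"),
        "log_subtype": LOG_SUBTYPE.get(log_id[4:6], "unknown"),
        "priority": PRIORITY.get(log_id[6], "unknown"),
        "message_id": log_id[7:12],
    }


def check_consistency(fields: dict) -> list:
    """Names of the string fields that disagree with what the log_id encodes.

    A mismatch points at a transcription error in the lookup tables or a line
    that was altered in transit, so it is worth surfacing before alerting on it.
    """
    decoded = decode_log_id(fields["log_id"])
    return [name for name in ("log_type", "log_component", "log_subtype", "priority")
            if fields.get(name) != decoded[name]]


def source_routed_drops(lines) -> Counter:
    """Count 'Source routed traffic denied' events per source IP.

    Source routing lets the sender dictate the path a packet takes, so repeated
    drops from one host are a useful indicator of probing or spoofing attempts.
    """
    counts = Counter()
    for line in lines:
        fields = parse_line(line)
        if decode_log_id(fields["log_id"])["message_id"] == SOURCE_ROUTED_DENIED:
            counts[fields["src_ip"]] += 1
    return counts


# Constructed sample input: the first line is the article's sample log (with
# straight quotes); the others are made up here to exercise the filter.
SAMPLE_LINES = [
    'date=2007-12-12 time=14:10:53 timezone="IST" device_name="CR500i" '
    'device_id=C010600411-YFK5RL deployment_mode="Route" log_id=010602605001 '
    'log_type="Firewall" log_component="Source Routed" log_subtype="Denied" '
    'priority=Information duration=0 fw_rule_id="" user_name="" user_gp="" iap="" '
    'application="" application_id="" in_interface="" out_interface="" '
    'src_ip=192.168.1.76 dst_ip=192.168.13.25 protocol="ICMP" icmp_type=8 icmp_code=0 '
    'sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=0.0.0.0 '
    'tran_src_port=0 tran_dst_ip=0.0.0.0 tran_dst_port=0 srczonetype="" '
    'dstzonetype="" dir_disp="" connevent="" connid="" vconnid=""',
    # constructed: a second source-routed drop from the same host
    'date=2007-12-12 time=14:11:02 timezone="IST" device_name="CR500i" '
    'device_id=C010600411-YFK5RL deployment_mode="Route" log_id=010602605001 '
    'log_type="Firewall" log_component="Source Routed" log_subtype="Denied" '
    'priority=Information src_ip=192.168.1.76 dst_ip=192.168.13.25 protocol="ICMP"',
    # constructed: a source-routed drop from a different host
    'date=2007-12-12 time=14:11:40 timezone="IST" device_name="CR500i" '
    'device_id=C010600411-YFK5RL deployment_mode="Route" log_id=010602605001 '
    'log_type="Firewall" log_component="Source Routed" log_subtype="Denied" '
    'priority=Information src_ip=10.0.0.5 dst_ip=192.168.13.25 protocol="ICMP"',
    # constructed: ordinary traffic allowed by a firewall rule (message ID 00001)
    'date=2007-12-12 time=14:12:00 timezone="IST" device_name="CR500i" '
    'device_id=C010600411-YFK5RL deployment_mode="Route" log_id=010101600001 '
    'log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" '
    'priority=Information fw_rule_id=2 src_ip=192.168.1.76 dst_ip=203.0.113.9 '
    'protocol="TCP"',
]

if __name__ == "__main__":
    first = parse_line(SAMPLE_LINES[0])
    print(decode_log_id(first["log_id"]))
    print("mismatched fields:", check_consistency(first))
    print("source-routed drops by src_ip:", dict(source_routed_drops(SAMPLE_LINES)))
```

The consistency check is the part worth keeping in a collector: the log_id is the compact, machine-oriented key, while log_type, log_component, log_subtype and priority repeat the same information as strings, so any disagreement between the two on a live feed means the parser's tables or the feed itself need attention.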

 

Log fields and description

The field names below are the descriptive names used in this article; where the sample log above emits a shorter key (for example fw_rule_id for firewall_rule_id), that key is given in parentheses.

1. date [date]: Date (yyyy-mm-dd) when the event occurred. For allowed traffic, the date on which the connection was started on Cyberoam; for dropped traffic, the date when the packet was dropped by Cyberoam.

2. time [time]: Time (hh:mm:ss) when the event occurred. For allowed traffic, the time when the connection was started on Cyberoam; for dropped traffic, the time when the packet was dropped by Cyberoam.

3. timezone [string]: Time zone set on the Cyberoam appliance, e.g. IST.

4. device_name [string]: Model number of the Cyberoam appliance.

5. device_id [string]: Unique identifier of the Cyberoam appliance.

6. deployment_mode [string]: Mode in which Cyberoam is deployed. Possible values: Route, Bridge.

7. log_id [string]: Unique 12-character code (c1c2c3c4c5c6c7c8c9c10c11c12): c1c2 - Log Type, e.g. 01 for a firewall log; c3c4 - Log Component, i.e. firewall rule, local ACL, DoS attack etc.; c5c6 - Log Sub Type, i.e. allow/violation; c7 - Priority, e.g. 0 for Emergency; c8c9c10c11c12 - Message ID, e.g. 00001 for traffic allowed by a firewall rule.

8. log_type [string]: Type of event that occurred in Cyberoam, e.g. firewall event.

9. log_component [string]: Component responsible for logging, e.g. Firewall rule.

10. log_subtype [string]: Decision taken on the traffic.

11. priority [string]: Severity level of the event.

12. duration [integer]: Duration of the connection in seconds (0 for a dropped packet, as in the sample log).

13. firewall_rule_id (fw_rule_id in the sample) [integer]: ID of the firewall rule applied to the traffic.

14. user_name [string]: User name.

15. user_group (user_gp in the sample) [string]: Group ID of the user.

16. iap [integer]: Internet Access Policy ID applied to the traffic.

17. application [string]: Application name.

18. application_id [string]: Application identifier.

19. in_interface [string]: Interface for incoming traffic, e.g. Port A. Blank for outgoing traffic.

20. out_interface [string]: Interface for outgoing traffic, e.g. Port B. Blank for incoming traffic.

21. source_ip (src_ip in the sample) [string]: Original source IP address of the traffic.

22. destination_ip (dst_ip in the sample) [string]: Original destination IP address of the traffic.

23. protocol [integer or string]: Protocol of the traffic. The table gives this as a protocol number, while the sample log carries the protocol name (protocol="ICMP").

24. source_port [integer]: Original source port of TCP and UDP traffic (absent for ICMP, as in the sample log).

25. destination_port [integer]: Original destination port of TCP and UDP traffic (absent for ICMP, as in the sample log).

26. icmp_type [integer]: ICMP type of ICMP traffic.

27. icmp_code [integer]: ICMP code of ICMP traffic.

28. sent_packets (sent_pkts in the sample) [integer]: Total number of packets sent.

29. received_packets (recv_pkts in the sample) [integer]: Total number of packets received.

30. sent_bytes [integer]: Total number of bytes sent.

31. received_bytes (recv_bytes in the sample) [integer]: Total number of bytes received.

32. translated_source_ip (tran_src_ip in the sample) [string]: Translated source IP address for outgoing traffic. Applicable only in Route mode. Possible values: "" when Cyberoam is deployed in Bridge mode or no source IP address translation is done; otherwise the IP address to which the original source IP address is translated. The sample log shows 0.0.0.0 for an untranslated address.

33. translated_source_port (tran_src_port in the sample) [integer]: Translated source port for outgoing traffic. Applicable only in Route mode. Possible values: "" when Cyberoam is deployed in Bridge mode or no source port translation is done; otherwise the port to which the original port is translated. The sample log shows 0 for an untranslated port.

34. translated_destination_ip (tran_dst_ip in the sample) [string]: Translated destination IP address for outgoing traffic. Applicable only in Route mode. Possible values: "" when Cyberoam is deployed in Bridge mode or no destination IP address translation is done; otherwise the IP address to which the original destination IP address is translated. The sample log shows 0.0.0.0 for an untranslated address.

35. translated_destination_port (tran_dst_port in the sample) [integer]: Translated destination port for outgoing traffic. Applicable only in Route mode. Possible values: "N/A" when Cyberoam is deployed in Bridge mode or no destination port translation is done; otherwise the port to which the original port is translated. The sample log shows 0 for an untranslated port.

36. sourcezonetype (srczonetype in the sample) [string]: Type of source zone, e.g. LAN.

37. destinationzonetype (dstzonetype in the sample) [string]: Type of destination zone, e.g. WAN.

38. direction_disposition (dir_disp in the sample) [string]: Packet direction. Possible values: "org", "reply", "".

39. connection_event (connevent in the sample) [string]: Event on which this log is generated.

40. connection_id (connid in the sample) [integer]: Unique identifier of the connection.

41. virtual_connection_id (vconnid in the sample) [integer]: Connection ID of the master connection.

 

Document version – 1.0-95466-26/06/2008

 


Article ID: 991