Content Filtering Log Format

 

Applicable to version – 9.5.4 build 66 onwards

Once you have configured Cyberoam to send logs to an external syslog server, Cyberoam forwards each content filtering log to that server in the format given below.
 
If you have not yet configured Cyberoam to forward logs, refer to How To – Enable logging and forward Logs to Syslog.

Log ID structure

Log ID – unique 12-character code (c1c2c3c4c5c6c7c8c9c10c11c12), e.g. 050901716001, where:
c1c2 - Log Type ID
c3c4 - Log Component ID
c5c6 - Log Sub Type ID
c7 - Priority
c8c9c10c11c12 - Message ID

Log Type

Log Type ID   Log Type
01            Firewall
02            IDP
03            Anti Virus
04            Anti Spam
05            Content Filtering

Log Component

Log Component ID   Log Component
01                 Firewall Rule
02                 Invalid Traffic
03                 Local ACLs
04                 DoS Attack
05                 ICMP Redirection
06                 Source Routed
07                 Anomaly
08                 Signatures
09                 HTTP
10                 FTP
11                 SMTP
12                 POP3
13                 IMAP4
14                 Fragmented Traffic
15                 Invalid Fragmented Traffic

Log Subtype

Log Subtype ID   Sub Type
01               Allowed
02               Denied
03               Detect
04               Drop
05               Clean
06               Virus
07               Spam
08               Probable Spam

Priority

Priority   Description
0          Emergency
1          Alert
2          Critical
3          Error
4          Warning
5          Notice
6          Information
7          Debug


Each event has a unique message ID, which forms the last five characters (c8c9c10c11c12) of the log ID. The IDs below are grouped by the log component that emits them.

Message ID   Event

Firewall rule
00001        Traffic allowed according to the firewall rule
00002        Traffic denied/dropped according to the firewall rule

Invalid traffic
01001        Invalid traffic denied

Local ACLs
02001        Traffic allowed according to the configured Local ACL
02002        Traffic denied according to the configured Local ACL

DoS Attack
03001        DoS attack denied according to the DoS settings

ICMP Redirection
04001        ICMP redirection traffic denied

Source Routed
05001        Source routed traffic denied

Fragmented traffic
01301        Fragmented traffic denied

Invalid Fragmented traffic
01601        Invalid fragmented traffic denied

IDP
06001        Detected attacks based on unknown or suspicious patterns (anomaly)
06002        Dropped attacks based on unknown or suspicious patterns (anomaly)
07001        Detected attacks based on attack signature
07002        Dropped attacks based on attack signature

Antivirus
08001        HTTP – Virus infected URL blocked
09001        Virus infected FTP data transfer blocked
09002        FTP data transfer completed successfully
10001        Virus infected mail detected in SMTP traffic
11001        Virus infected mail detected in POP3 traffic
12001        Virus infected mail detected in IMAP4 traffic

Antispam
13001        Mail detected as SPAM in SMTP traffic and rejected
13004        Mail detected as SPAM in SMTP traffic and dropped
13005        Mail detected as SPAM in SMTP traffic but accepted
13006        Mail detected as SPAM in SMTP traffic but forwarded after changing the original recipient address
13007        Mail detected as SPAM in SMTP traffic but forwarded after tagging the original subject, i.e. adding a prefix to the subject
13002        Mail detected as PROBABLE SPAM in SMTP traffic and rejected
13008        Mail detected as PROBABLE SPAM in SMTP traffic and dropped
13009        Mail detected as PROBABLE SPAM in SMTP traffic but accepted
13010        Mail detected as PROBABLE SPAM in SMTP traffic but forwarded after changing the original recipient address
13011        Mail detected as PROBABLE SPAM in SMTP traffic but forwarded after tagging the original subject, i.e. adding a prefix to the subject
13004        Clean mail in SMTP traffic
14001        Mail detected as SPAM in POP3 traffic but accepted
14002        Mail detected as PROBABLE SPAM in POP3 traffic but accepted
14003        Clean mail in POP3 traffic
(not given)  Mail detected as SPAM in POP3 traffic but forwarded after changing the original recipient address
14005        Mail detected as PROBABLE SPAM in POP3 traffic but forwarded after tagging the original subject, i.e. adding a prefix to the subject
15001        Mail detected as SPAM in IMAP4 traffic but accepted
15002        Mail detected as PROBABLE SPAM in IMAP4 traffic but accepted
15003        Clean mail in IMAP4 traffic
15004        Mail detected as SPAM in IMAP4 traffic but forwarded after tagging the original subject, i.e. adding a prefix to the subject

Content Filter
16001        Web site/file/application access allowed according to the Internet Access policy
16002        Web site/file/application access blocked according to the Internet Access policy


Sample Log

Event: Web site/file/application access allowed according to the Internet Access policy

date=2007-11-17 time=08:30:16 timezone="IST" device_name="CR500i" device_id=C010600401 log_id=050901716001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="Accept" priority="Information" fw_rule_id=75 user_name="" user_gp="" iap=16 iap_policy_name="General Corporate Policy" category="Search Engine" url="www.google.com" file="" application="" contenttype="text/html" httpresponsecode="200OK" src_ip=192.168.15.40 dst_ip=72.14.235.104 protocol="TCP" src_port=2458 dst_port=80 sent_bytes=162 recv_bytes=45

Event: Web site/file/application access blocked according to the Internet Access policy

date=2007-11-17 time=08:28:06 timezone="IST" device_name="CR250i" device_id=C010600011 log_id=050902716002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="Deny" priority="Information" fw_rule_id=85 user_name="ranch" user_gp=1 iap=12 iap_policy_name="Deny Mail Sites" category="WebBasedEmail" url="www.gmail.com" file="" application="" contenttype="text/html" httpresponsecode="" src_ip=192.168.15.40 dst_ip=66.249.89.18 protocol="TCP" src_port=2458 dst_port=80 sent_bytes=162 recv_bytes=45
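The following parser is an added example, not Cyberoam's own code or tooling; it shows how a collector would take the two sample lines above apart. It splits the key=value stream (quoted values may be empty or contain spaces, bare values run to the next space), decodes the 12-character log ID using the Log Type, Log Component, Log Subtype, Priority and Message ID tables as transcribed from this article, and cross-checks the decoded fields against the explicit log_type, log_component, log_subtype and priority fields. That cross-check is worth running on real feeds: in both samples the c7 digit is 7, which the Priority table maps to Debug, while the priority field reads Information, so the check reports exactly that disagreement and a pipeline should treat the explicit text field as authoritative. The two lines are the article's samples, reproduced with straight quotes; only the two content-filter message IDs are tabulated.

```python
import re

# Lookup tables transcribed from the article above. Priority digit c7 uses
# the syslog severity scale (0 = Emergency ... 7 = Debug).
LOG_TYPES = {"01": "Firewall", "02": "IDP", "03": "Anti Virus",
             "04": "Anti Spam", "05": "Content Filtering"}
LOG_COMPONENTS = {
    "01": "Firewall Rule", "02": "Invalid Traffic", "03": "Local ACLs",
    "04": "DoS Attack", "05": "ICMP Redirection", "06": "Source Routed",
    "07": "Anomaly", "08": "Signatures", "09": "HTTP", "10": "FTP",
    "11": "SMTP", "12": "POP3", "13": "IMAP4", "14": "Fragmented Traffic",
    "15": "Invalid Fragmented Traffic",
}
LOG_SUBTYPES = {"01": "Allowed", "02": "Denied", "03": "Detect", "04": "Drop",
                "05": "Clean", "06": "Virus", "07": "Spam", "08": "Probable Spam"}
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Information", "Debug"]
# Only the content-filter message IDs are needed for the samples here.
MESSAGE_IDS = {"16001": "access allowed by Internet Access policy",
               "16002": "access blocked by Internet Access policy"}

# The two sample lines from the article (straight quotes instead of the
# typographic ones the page renders).
SAMPLE_LINES = [
    'date=2007-11-17 time=08:30:16 timezone="IST" device_name="CR500i" '
    'device_id=C010600401 log_id=050901716001 log_type="Content Filtering" '
    'log_component="HTTP" log_subtype="Allowed" status="Accept" '
    'priority="Information" fw_rule_id=75 user_name="" user_gp="" iap=16 '
    'iap_policy_name="General Corporate Policy" category="Search Engine" '
    'url="www.google.com" file="" application="" contenttype="text/html" '
    'httpresponsecode="200OK" src_ip=192.168.15.40 dst_ip=72.14.235.104 '
    'protocol="TCP" src_port=2458 dst_port=80 sent_bytes=162 recv_bytes=45',
    'date=2007-11-17 time=08:28:06 timezone="IST" device_name="CR250i" '
    'device_id=C010600011 log_id=050902716002 log_type="Content Filtering" '
    'log_component="HTTP" log_subtype="Denied" status="Deny" '
    'priority="Information" fw_rule_id=85 user_name="ranch" user_gp=1 iap=12 '
    'iap_policy_name="Deny Mail Sites" category="WebBasedEmail" '
    'url="www.gmail.com" file="" application="" contenttype="text/html" '
    'httpresponsecode="" src_ip=192.168.15.40 dst_ip=66.249.89.18 '
    'protocol="TCP" src_port=2458 dst_port=80 sent_bytes=162 recv_bytes=45',
]

# key=value pairs: the value is either a "quoted string" (possibly empty,
# spaces allowed) or a bare token running up to the next whitespace.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def decode_log_id(log_id):
    """Split a 12-digit log ID into the positional fields c1..c12."""
    if not re.fullmatch(r"\d{12}", log_id):
        raise ValueError(f"log_id must be 12 digits, got {log_id!r}")
    return {
        "log_type": LOG_TYPES.get(log_id[0:2], "unknown"),            # c1c2
        "log_component": LOG_COMPONENTS.get(log_id[2:4], "unknown"),  # c3c4
        "log_subtype": LOG_SUBTYPES.get(log_id[4:6], "unknown"),      # c5c6
        "priority": PRIORITIES[int(log_id[6])],                       # c7
        "message_id": log_id[7:12],                                   # c8..c12
        "event": MESSAGE_IDS.get(log_id[7:12], "unknown"),
    }


def parse_line(line):
    """Parse one forwarded line into a dict; all values stay strings."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = bare if quoted is None else quoted
    if "log_id" not in fields:
        raise ValueError("line has no log_id field")
    return fields


def check_consistency(fields):
    """Compare what log_id encodes with the explicit text fields.

    Returns a list of (field, value_from_log_id, value_from_line) for every
    disagreement, so an ingestion pipeline can flag lines whose ID and
    text do not line up (firmware change, truncated line, bad transcription).
    """
    decoded = decode_log_id(fields["log_id"])
    return [(name, decoded[name], fields.get(name))
            for name in ("log_type", "log_component", "log_subtype", "priority")
            if fields.get(name) != decoded[name]]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = parse_line(line)
        print(f["log_id"], decode_log_id(f["log_id"])["event"],
              f["user_name"] or "<no user>", f["url"], check_consistency(f))
```

Values are deliberately left as strings: the same key can be a quoted name in one line and a bare number in another (user_gp is "" in the first sample and 1 in the second), so type coercion belongs in a later normalisation step, not in the tokenizer.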

Log fields and description

Note that the two samples above emit several fields under shorter key names than those listed here (fw_rule_id, user_gp, src_ip, dst_ip, src_port, dst_port, file, contenttype, httpresponsecode, recv_bytes), so a parser should key on the names the appliance actually sends rather than on this table alone.

No.  Field               Type     Description
1    date                date     Date (yyyy-mm-dd) when the event occurred. For allowed traffic, the date on which the connection was started on Cyberoam; for dropped traffic, the date when the packet was dropped by Cyberoam.
2    time                time     Time (hh:mm:ss) when the event occurred. For allowed traffic, the time when the connection was started on Cyberoam; for dropped traffic, the time when the packet was dropped by Cyberoam.
3    timezone            string   Time zone set on the Cyberoam appliance, e.g. IST
4    device_name         string   Model number of the Cyberoam appliance
5    device_id           string   Unique identifier of the Cyberoam appliance
6    deployment_mode     string   Mode in which Cyberoam is deployed. Possible values: Route, Bridge
7    log_id              string   Unique 12-character code (c1c2c3c4c5c6c7c8c9c10c11c12): c1c2 log type, e.g. 01 for firewall; c3c4 log component, i.e. firewall rule/local ACL/DoS attack etc.; c5c6 log subtype, i.e. allowed/denied (see the Log Subtype table); c7 priority, e.g. 0 for Emergency; c8c9c10c11c12 message ID, e.g. 00001 for traffic allowed by the firewall
8    log_type            string   Type of event that occurred on Cyberoam, e.g. firewall event
9    log_component       string   Component responsible for logging, e.g. Firewall rule
10   log_subtype         string   Decision taken on the traffic
11   status              string   Ultimate state of the traffic: accept/deny
12   priority            string   Severity level of the event
13   duration            integer  Duration of the connection (seconds)
14   firewall_rule_id    integer  ID of the firewall rule applied to the traffic
15   user_name           string   User name
16   user_group          string   Group ID of the user
17   iap                 integer  ID of the Internet Access policy applied to the traffic
18   iap_policy_name     string   Name of the Internet Access policy applied to the traffic
19   category            string   Name of the category under which the website/file/application falls
20   url                 string   URL of the web page accessed
21   filetype            string   Type of the file
22   application         string   Name of the application accessed
23   content_type        string   Type of the content (MIME type, e.g. text/html)
24   HTTP response code  string   HTTP response code, e.g. 200OK in the first sample above
25   source_ip           string   Original source IP address of the traffic
26   destination_ip      string   Original destination IP address of the traffic
27   protocol            integer  Protocol number of the traffic (the samples above carry the protocol name, e.g. "TCP")
28   source_port         integer  Original source port of TCP and UDP traffic
29   destination_port    integer  Original destination port of TCP and UDP traffic
30   icmp_type           integer  ICMP type of ICMP traffic
31   icmp_code           integer  ICMP code of ICMP traffic
32   sent_packets        integer  Total number of packets sent
33   received_packets    integer  Total number of packets received
34   sent_bytes          integer  Total number of bytes sent
35   received_bytes      integer  Total number of bytes received


Document version – 1.0-95466-26/06/2008

 

Article ID: 997