IPS Log Format

Applicable Version: 10.00 onwards

Overview

Cyberoam provides extensive logging capabilities for traffic, system and network protection functions. Detailed log information and reports provide historical as well as current analysis of network activity to help identify security issues and reduce network misuse and abuse.

Once you have configured Cyberoam to send logs to an external syslog server, Cyberoam forwards IPS logs to that syslog server in the format given below.

To know how to configure Cyberoam to send logs to external syslog server, refer to the article How To – Configure Syslog Server.

To know how to configure Cyberoam to forward logs, refer to the article How To – Enable Logging and Forward Logs to Syslog.

Log Structure

Log ID

Log ID is a unique 12-character code (c1c2c3c4c5c6c7c8c9c10c11c12), e.g. 0101011, 0102011
Where:
c1c2 - Log Type ID
c3c4 - Log Component ID
c5c6 - Log Sub Type ID
c7 - Priority
c8c9c10c11c12 - Message ID
 
Log Type

Log Type ID    Log Type
01             Firewall
02             IPS
03             Anti Virus
04             Anti Spam
05             Content Filtering
06             Event
07             WAF


Log Component

Log Component ID    Log Component
01                  Firewall Rule
02                  Invalid Traffic
03                  Appliance Access
04                  DoS Attack
05                  ICMP Redirection
06                  Source Routed
07                  Anomaly
08                  Signatures
09                  HTTP
10                  FTP
11                  SMTP
12                  POP3
13                  IMAP4
14                  Fragmented Traffic
15                  Invalid Fragmented Traffic
16                  HA
17                  Foreign Host
18                  IPMAC Filter
19                  IP Spoof
20                  GUI
21                  CLI
22                  LCD
23                  CCC
24                  IM
25                  IPSec
26                  L2TP
27                  PPTP
28                  SSLVPN
29                  Firewall Authentication
30                  VPN Authentication
31                  SSL VPN Authentication
32                  My Account Authentication
33                  Appliance
34                  DHCP server
35                  Interface
36                  Gateway
37                  DDNS
38                  WebCat
39                  IPS
40                  AV
41                  Dial-In Authentication
42                  Dial-In
43                  Quarantine
44                  Application filter
45                  Landing Page
46                  WLAN
47                  ARP Flood
48                  HTTPS
49                  Guest User
50                  WAF
51                  Virtual Host
52                  CTA
53                  NTLM
54                  Appliances Deactivated
55                  PPPoE
56                  External Authentication
57                  API


Log Subtype

Log Subtype ID    Sub Type
01                Allowed
02                Denied
03                Detect
04                Drop
05                Clean
06                Virus
07                Spam
08                Probable Spam
09                Admin
10                Authentication
11                System
12                OB Clean
13                OB Spam
14                OB Probable Spam

Priority

Priority    Description
0           Emergency
1           Alert
2           Critical
3           Error
4           Warning
5           Notification
6           Information
7           Debug

Message ID

Message ID    Message
17818         IPS Signatures upgraded from <old version> to <new version>
17921         IPS Signatures upgrade failed

Sample Log

Jan 29 11:47:39 10.4.105.1 date=2016-01-29 time=11:47:38 timezone="JST" device_name="CR25iNG" device_id=C06113445368-LPVO3Z log_id=020803407001 log_type="IDP" log_component="Signatures" log_subtype="Detect" status="" priority=Warning idp_policy_id=5 fw_rule_id=5 user_name="" signature_id=4000123 signature_msg="Microsoft Internet Explorer CVE-2015-1729 Information Disclosure Vulnerability" classification="Unknown" rule_priority=0 src_ip=211.14.21.34 src_country_code=JPN dst_ip=172.16.16.17 dst_country_code= protocol="TCP" src_port=80 dst_port=54992 platform="" category="" target=""
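The following is an added example, not part of this article or of Cyberoam's own tooling: it splits a forwarded line like the sample above into its key=value fields, decodes the 12-character log_id using the Log Type, Log Component, Log Subtype and Priority tables from the Log Structure section, and reports where the textual labels disagree with the numeric ID. The ID tables are a constructed subset of the article's tables; extend them as needed.

```python
import re
# Constructed subset of the ID tables in this article; only the values needed to
# decode the sample line are included, extend from the full tables as required.
LOG_TYPES = {"01": "Firewall", "02": "IPS", "03": "Anti Virus", "04": "Anti Spam",
             "05": "Content Filtering", "06": "Event", "07": "WAF"}
LOG_COMPONENTS = {"04": "DoS Attack", "07": "Anomaly", "08": "Signatures", "39": "IPS"}
LOG_SUBTYPES = {"01": "Allowed", "02": "Denied", "03": "Detect", "04": "Drop"}
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notification", "Information", "Debug"]

# Sample line copied from this article.
SAMPLE = ('Jan 29 11:47:39 10.4.105.1 date=2016-01-29 time=11:47:38 timezone="JST" '
          'device_name="CR25iNG" device_id=C06113445368-LPVO3Z log_id=020803407001 '
          'log_type="IDP" log_component="Signatures" log_subtype="Detect" status="" '
          'priority=Warning idp_policy_id=5 fw_rule_id=5 user_name="" signature_id=4000123 '
          'signature_msg="Microsoft Internet Explorer CVE-2015-1729 Information Disclosure '
          'Vulnerability" classification="Unknown" rule_priority=0 src_ip=211.14.21.34 '
          'src_country_code=JPN dst_ip=172.16.16.17 dst_country_code= protocol="TCP" '
          'src_port=80 dst_port=54992 platform="" category="" target=""')

# A value is either double-quoted (may contain spaces or be empty) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def parse_log_line(line):
    """Return the key=value payload of one syslog line as a dict."""
    start = line.find("date=")  # skip the syslog timestamp and relay address
    fields = {}
    for m in _KV.finditer(line[start:] if start >= 0 else line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields

def decode_log_id(log_id):
    """Split the 12-digit log_id: c1c2 type, c3c4 component, c5c6 subtype, c7 priority, c8-c12 message."""
    if not re.fullmatch(r"\d{12}", log_id):
        raise ValueError("log_id must be exactly 12 digits, got %r" % log_id)
    prio = int(log_id[6])
    return {
        "log_type": LOG_TYPES.get(log_id[0:2], "unknown:" + log_id[0:2]),
        "log_component": LOG_COMPONENTS.get(log_id[2:4], "unknown:" + log_id[2:4]),
        "log_subtype": LOG_SUBTYPES.get(log_id[4:6], "unknown:" + log_id[4:6]),
        "priority": PRIORITIES[prio] if prio < len(PRIORITIES) else "unknown:%d" % prio,
        "message_id": log_id[7:12],
    }

def check_consistency(fields):
    """Compare the decoded log_id with the textual fields; return the mismatches found."""
    decoded = decode_log_id(fields["log_id"])
    keys = ("log_type", "log_component", "log_subtype", "priority")
    return [(k, fields.get(k), decoded[k]) for k in keys if fields.get(k) != decoded[k]]
```

On the article's own sample, log_id 020803407001 decodes to IPS / Signatures / Detect / Warning / message 07001, while the textual log_type reads "IDP", so the check reports that one mismatch; when writing parsing or alerting rules, key on the numeric log_id rather than the label.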

Log Fields and Description

Data Field           Type      Description
status               string    Ultimate status of traffic: allowed or denied
ips_policy_id        integer   IPS policy ID, i.e. the IPS policy applied to the traffic
ips_policy_name      integer   IPS policy name, i.e. the IPS policy applied to the traffic
firewall_rule_id     integer   Firewall rule ID, i.e. the firewall rule applied to the traffic
user_name            string    User name
signature_id         string    Signature identifier
signature_message    string    Signature message
classification       string    Signature classification
rule_priority        string    Priority of IPS policy
source_ip            string    Original source IP address of traffic
destination_ip       string    Original destination IP address of traffic
protocol             integer   Protocol number of traffic
source_port          integer   Original source port of TCP and UDP traffic
destination_port     integer   Original destination port of TCP and UDP traffic
icmp_type            integer   ICMP type of ICMP traffic
icmp_code            integer   ICMP code of ICMP traffic
Document Version: 1.1 – 13 April, 2016
Article ID: 2883