Remote Syslog Log Format

The remote syslog format for the Alert, IPS Block, and the Firewall Block Logs is described in this section.

Note: For the System, Audit, VPN, and Firewall Session Logs, there is no specific remote syslog format. For these logs, the downloaded file is sent to the remote syslog server as a straight data dump, without any manipulation of the data.

The following is an example of packet data sent to a collector. Note that collectors may display the header portion of the stream differently.

<13>Jan 13 12:55:01 192.168.65.22 ALT,v4,20050113T125501+0360,"i robot"/192.168.65.22,1017,Alert,1,1,00000002-0002-0002-0002-000000000164,"0164: ICMP: EchoRequest (Ping)","0164: ICMP: Echo Request (Ping)",icmp,0,216.136.107.233:0,216.136.107.91:0,20050113T125205+0360,199," ",1,3:1

In this example, the header follows the standard syslog format. Using the previous log entry as the example, the message portion is as follows:

ALT,v4,20050113T125501+0360,"i robot"/192.168.65.22,1017,Permit,1,Low,00000002-0002-0002-0002-000000000164,"0164: ICMP: EchoRequest (Ping)","0164: ICMP: Echo Request(Ping)",icmp,0,216.136.107.233:0,216.136.107.91:0,20050113T125205+0360,199," ",1,3:1

The character located between each field is the configured delimiter. In this case, the delimiter is a comma. The following table details the fields and their descriptions.

Table C–7: Remote Syslog Field Descriptions

Field   Description
1       Log-type; ALT = alert, BLK = block, P2P = misuse and abuse
2       Version of this message format
3       ISO 8601 Date-Time-TZ when this alert was generated
4       Hostname/IP address that generated the alert; note that the quotes are required for this release because of a bug in the hostname validation (note the space in the name)
5       Sequence ID
6       (reserved)
7       Action performed (“Block” or “Permit”)
8       Severity (“Low”, “Minor”, “Major”, or “Critical”)
9       Policy UUID
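As an added example (not code from the X Family guide), the following Python parser splits the message on the configured delimiter while respecting quoted fields, maps fields 1 through 9 to the names in Table C–7, and separates the quoted hostname from the IP address in field 4. The sample line is the page's own example message with the line-wrap spaces removed; the facility/severity split of the syslog PRI value follows RFC 3164 and is not something this page states.

```python
import re

# Constructed sample: the page's example message with line-wrap spaces removed.
SAMPLE = ('<13>Jan 13 12:55:01 192.168.65.22 ALT,v4,20050113T125501+0360,'
          '"i robot"/192.168.65.22,1017,Alert,1,1,'
          '00000002-0002-0002-0002-000000000164,'
          '"0164: ICMP: EchoRequest (Ping)","0164: ICMP: Echo Request (Ping)",'
          'icmp,0,216.136.107.233:0,216.136.107.91:0,20050113T125205+0360,'
          '199," ",1,3:1')

# Fields 1-9 as listed in Table C-7; fields this page does not describe go to 'extra'.
FIELD_NAMES = ('log_type', 'version', 'timestamp', 'source', 'sequence_id',
               'reserved', 'action', 'severity', 'policy_uuid')

# <PRI>Mmm dd hh:mm:ss relay-host message  (the BSD-style header shown on the page)
HEADER_RE = re.compile(r'^<(\d{1,3})>(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$')


def split_fields(message, delimiter=','):
    """Split on the configured delimiter, ignoring delimiters inside double quotes.
    Quotes are kept in the raw field because field 4 mixes a quoted name with '/ip'."""
    fields, buf, in_quotes = [], [], False
    for ch in message:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == delimiter and not in_quotes:
            fields.append(''.join(buf))
            buf = []
            continue
        buf.append(ch)
    fields.append(''.join(buf))
    return fields


def parse_remote_syslog(line, delimiter=','):
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('line does not start with a <PRI> syslog header')
    pri, message = int(m.group(1)), m.group(4)
    fields = split_fields(message, delimiter)
    if len(fields) < len(FIELD_NAMES):
        raise ValueError(f'expected at least {len(FIELD_NAMES)} fields, got {len(fields)}')
    rec = dict(zip(FIELD_NAMES, fields))
    # Field 4 is "<hostname>"/<ip>; the quotes exist because of the
    # hostname-validation bug noted in Table C-7, so strip them from the name.
    name, _, ip = rec['source'].rpartition('/')
    rec['source_host'], rec['source_ip'] = name.strip('"'), ip
    rec['extra'] = fields[len(FIELD_NAMES):]
    # Facility/severity split of PRI per RFC 3164 (not stated on this page).
    rec['syslog_facility'], rec['syslog_severity'] = pri >> 3, pri & 7
    return rec
```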

X Family LSM User’s Guide V 2.5.1

301