Versa Networks

Flow Logs


You can configure Versa Operating SystemTM (VOSTM) devices to send logs for traffic flows (sessions). The flow logs consist of a flow identification log message followed immediately by log messages for the specific services that are part of the flow.

VOS devices can send flow logs for the following services:

  • Application delivery controller (ADC) services
  • Authentication using Lightweight Directory Access Protocol (LDAP) or Security Assertion Markup Language (SAML)
  • Cloud access security broker (CASB)
  • Carrier-grade NAT (CGNAT)
  • Data loss prevention (DLP)
  • Domain name system (DNS)
  • File filtering
  • Sandboxing
  • SASE web logging
  • SD-WAN SLA violations
  • SD-WAN traffic
  • Security features, including access, antivirus, IDP, and URL filtering

Flow Identification

For a single tenant on a VOS device, you can identify individual traffic flows by matching logs that have the same source IP address, destination IP address, source port number, destination port number, and protocol value. In all service-specific flow logs, you can locate this information in the following fields:

  • destinationIPv4Address or destinationIPv6Address
  • destinationTransportPort
  • protocolIdentifier
  • sourceIPv4Address or sourceIPv6Address
  • sourceTransportPort

You can use the values in these fields to correlate logs for a single flow. Note that the field names are not uniform across log types: the flow identification log and the ADC and CGNAT logs name the ports sourcePort and destinationPort rather than sourceTransportPort and destinationTransportPort, and the authentication event and authentication policy logs shown on this page carry no protocolIdentifier field, so a five-tuple match against those logs is one field short.

However, a second flow with identical values for these fields might begin after the initial flow terminates, in which case you would mistakenly correlate the logs of the two flows as a single flow. To provide an alternate way to correlate flow logs, VOS devices generate a flow identification number and a flow creation timestamp (called a flow cookie). The combination of these two fields uniquely identifies a flow for the tenant on the VOS device. All service-specific flow logs provide the flow identification and timestamp information in the following fields:

  • flowId
  • flowCookie

You can export logs from multiple VOS devices, tenants, and virtual service nodes (VSN) to the same third-party server. In this case, to determine which logs belong to a particular flow, you must also match the following fields that are included in all service-specific flow logs:

  • applianceName
  • tenantId
  • vsnId

You typically use the combination of flow ID, flow cookie, appliance name, tenant ID, and VSN ID to correlate flow logs on third-party servers. However, you can instead correlate the flow logs using the combination of the source port, source IP address, destination port, destination IP address, protocol identifier, VOS device name, tenant ID, and VSN ID.

Flow Metadata

VOS devices collect flow metadata, such as the flow's sending and receiving interfaces, but this information is not included in service-specific flow logs. Instead, VOS devices generate a flow identification log at the beginning of each flow, and this log includes the flow metadata. Flow identification logs also include the flow ID and flow cookie, and you can use the values in these two fields to correlate flow metadata with service-specific logs.
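The correlation described in Flow Identification and in this section, as an added example that is not part of the original page or of Versa's own tooling. It parses lines in the key=value layout shown on this page into dictionaries, groups every service log under the (applianceName, tenantId, vsnId, flowId, flowCookie) key with the flowIdLog as the flow's metadata record, and contrasts that with grouping by the five-tuple. The sample lines are constructed from the formats on this page: the second flow deliberately reuses the first flow's five-tuple and flowId with a different flowCookie (an assumption about identifier reuse, used only to show why both fields are needed), and the Branch2 line shows why applianceName must be part of the key. The difference in port field names (sourcePort versus sourceTransportPort) is handled in five_tuple_key.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the flowIdLog, casbLog and dlpLog formats on this
# page; they were not captured from a real device. Flow 2 reuses flow 1's five-tuple and
# flowId but has a different flowCookie; the Branch2 line repeats flow 1's flowId/flowCookie.
SAMPLE_LOGS = """\
2024-01-13T00:07:12+0000 flowIdLog, applianceName=Branch1, tenantName=Customer1, flowId=33568051, flowCookie=1705104892, sourceIPv4Address=100.72.0.7, destinationIPv4Address=74.112.186.128, sourcePort=53460, destinationPort=443, tenantId=1, vsnId=0, applianceId=1, ingressInterfaceName=vni-0/2.0, egressInterfaceName=ptvi-0/43, fromCountry=, toCountry=US, protocolIdentifier=6, fromZone=trust, fromUser=user123@example.com, toZone=ptvi, icmpTypeIPv4=0
2024-01-13T00:07:13+0000 casbLog, applianceName=Branch1, tenantName=Customer1, flowId=33568051, flowCookie=1705104892, vsnId=0, applianceId=1, tenantId=1, casbProfileName=CASB-Profile-1, casbRuleName=, casbAppName=box_net, casbAppActivity=download_file, casbAction=allow, casbEmailProfileName=, sourceIPv4Address=100.72.0.7, destinationIPv4Address=74.112.186.128, sourceTransportPort=53460, destinationTransportPort=443, protocolIdentifier=6, fromUser=user123@example.com, casbFromUser=, casbToUser=
2024-01-13T00:34:00+0000 flowIdLog, applianceName=Branch1, tenantName=Customer1, flowId=33568051, flowCookie=1705106500, sourceIPv4Address=100.72.0.7, destinationIPv4Address=74.112.186.128, sourcePort=53460, destinationPort=443, tenantId=1, vsnId=0, applianceId=1, ingressInterfaceName=vni-0/3.0, egressInterfaceName=ptvi-0/43, fromCountry=, toCountry=US, protocolIdentifier=6, fromZone=guest, fromUser=user123@example.com, toZone=ptvi, icmpTypeIPv4=0
2024-01-13T00:34:02+0000 dlpLog, applianceName=Branch1, tenantName=Customer1, flowId=33568051, flowCookie=1705106500, vsnId=0, applianceId=1, tenantId=1, profileName=DLP-Profile-1, appIdStr=http, fileName=PCI-DSS-Name_CC_CVV.docx, fileType=docx, fileSize=18621, fileTransDir=download, fileFoundIn=Payload, dlpMatchStr="Cache Hit, user-defined pattern", dlpRuleAction=block, dlpMatchType=ContentAnalysisMatch, fileRuleName=Rule-Userdef-Credit-Card, sourceIPv4Address=100.72.0.7, destinationIPv4Address=74.112.186.128, sourceTransportPort=53460, destinationTransportPort=443, protocolIdentifier=6, fromUser=user123@example.com, dlpRuleMatchCount=1
2024-01-13T00:07:12+0000 flowIdLog, applianceName=Branch2, tenantName=Customer1, flowId=33568051, flowCookie=1705104892, sourceIPv4Address=10.9.0.5, destinationIPv4Address=74.112.186.128, sourcePort=51020, destinationPort=443, tenantId=1, vsnId=0, applianceId=2, ingressInterfaceName=vni-0/1.0, egressInterfaceName=ptvi-0/44, fromCountry=, toCountry=US, protocolIdentifier=6, fromZone=trust, fromUser=unknown, toZone=ptvi, icmpTypeIPv4=0
"""

# One key=value token. A double-quoted value may itself contain commas (authStatusMessage,
# dlpMatchStr), so quoted values are matched as a unit before the unquoted [^,]* fallback.
TOKEN_RE = re.compile(r'\s*([A-Za-z0-9]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]*),?')

FLOW_KEY_FIELDS = ("applianceName", "tenantId", "vsnId", "flowId", "flowCookie")


def parse_log(line):
    """Split '<timestamp> <logType>, k=v, k=v, ...' into a dict; quotes are stripped."""
    timestamp, _, rest = line.partition(" ")
    log_type, _, body = rest.partition(",")
    fields = {"timestamp": timestamp, "logType": log_type.strip()}
    for match in TOKEN_RE.finditer(body):
        key, value = match.group(1), match.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def flow_key(fields):
    """The key the page recommends for correlation across devices, tenants and VSNs."""
    return tuple(fields[name] for name in FLOW_KEY_FIELDS)


def five_tuple_key(fields):
    """Fallback key: device/tenant/VSN plus addresses, ports and protocol. flowIdLog, ADC and
    CGNAT logs call the ports sourcePort/destinationPort, other service logs use the
    *TransportPort names, and the authentication logs on this page carry no protocolIdentifier,
    hence the .get() calls."""
    return (
        fields["applianceName"], fields["tenantId"], fields["vsnId"],
        fields.get("sourceIPv4Address") or fields.get("sourceIPv6Address"),
        fields.get("destinationIPv4Address") or fields.get("destinationIPv6Address"),
        fields.get("sourceTransportPort") or fields.get("sourcePort"),
        fields.get("destinationTransportPort") or fields.get("destinationPort"),
        fields.get("protocolIdentifier"),
    )


def correlate(lines, key_func=flow_key):
    """Group every log under its key. The flowIdLog becomes the bucket's metadata record;
    a second flowIdLog landing in the same bucket is counted as a collision, which is exactly
    the five-tuple reuse problem described on this page."""
    flows = defaultdict(lambda: {"meta": None, "events": [], "collisions": 0})
    for line in lines:
        if not line.strip():
            continue
        fields = parse_log(line)
        bucket = flows[key_func(fields)]
        if fields["logType"] == "flowIdLog":
            if bucket["meta"] is not None:
                bucket["collisions"] += 1
            bucket["meta"] = fields
        else:
            bucket["events"].append(fields)
    return dict(flows)


if __name__ == "__main__":
    by_flow = correlate(SAMPLE_LOGS.splitlines())
    by_tuple = correlate(SAMPLE_LOGS.splitlines(), key_func=five_tuple_key)
    print(f"{len(by_flow)} flows by flowId/flowCookie, {len(by_tuple)} by five-tuple")
    for key, flow in by_flow.items():
        meta = flow["meta"]
        print(key, "ingress", meta["ingressInterfaceName"], "zone", meta["fromZone"],
              "events", [event["logType"] for event in flow["events"]])
```

Grouping by flow key yields three flows, each with its own ingress interface and zone; grouping by five-tuple folds the two Branch1 flows into one bucket and reports a collision, so the DLP block on the second flow would be attributed to the metadata of the first.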

Flow Identification Logs

A flow identification log is generated at the start of each flow.

Flow Identification Log Message Format

2017-11-26T22:42:38+0000 flowIdLog, applianceName=Branch1, tenantName=Customer1, flowId=33655871, 
flowCookie=1511734794, sourceIPv4Address=172.21.1.2, destinationIPv4Address=172.21.2.2, 
sourcePort=44657, destinationPort=5001, tenantId=1, vsnId=0, applianceId=1, 
ingressInterfaceName=vni-0/2.0, egressInterfaceName=ptvi-0/43, fromCountry=, toCountry=, 
protocolIdentifier=6, fromZone=trust, fromUser=unknown, toZone=ptvi, icmpTypeIPv4=0

Flow Identification Log Message Fields

Field Description
applianceName Name of the VOS device. This is the name displayed in the output of the show system identification branch CLI command.
tenantName Name of the organization (tenant).
flowId Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identify the flow.
flowCookie Time when the flow was created, in UNIX epoch time format.

sourceIPv4Address or sourceIPv6Address Source IPv4 or IPv6 address.
destinationIPv4Address or destinationIPv6Address Destination IPv4 or IPv6 address.
sourcePort Layer 4 source port.
destinationPort Layer 4 destination port.
tenantId Tenant identifier. This value is allocated internally by the VOS device.
applianceId VOS device identifier. This field is not used.
vsnId Identifier of the virtual service node, or virtual machine (VM).
ingressInterfaceName Interface receiving the flow.
egressInterfaceName Interface sending the flow.
fromCountry If the source IP address is a public IP address, country to which the IP address belongs.
toCountry If the destination IP address is a public IP address, country to which the IP address belongs.
protocolIdentifier Layer 4 protocol identifier.
fromZone Zone of the interface on which the flow was received (ingressInterfaceName).
toZone Zone of the interface on which the flow is sent out (egressInterfaceName).
fromUser Username of the client initiating the traffic if an IP address-to-user mapping is available from Active Directory or Kerberos.
icmpTypeIPv4 For an ICMP flow, the ICMP message type.

ADC Logs

For Releases 21.1.1 and later.

VOS devices use ADC services to load-balance incoming TCP and UDP application traffic across ADC servers. The ADC service uses network address translation (NAT) to map each connection between the system that initiates the connection and the TCP or UDP port on an ADC server.

The ADC service relays data between the initiating system and the ADC server using two connections. The first connection is between the initiating system and the ADC service. For this connection, the initiating system is the source and the ADC service is the destination. The second connection is between the ADC service and the ADC server. For this connection, the ADC service is the source and the ADC server is the destination. Five values are required to identify each connection—the IP addresses for the source and destination, the TCP or UDP port numbers for the source and destination, and the protocol used for the connection. In logs, these values are stored in the fields listed below.

The following fields are for the connection between the initiating system (source) and the ADC service (destination):

  • destinationIPv4Address
  • destinationPort
  • protocolIdentifier
  • sourceIPv4Address
  • sourcePort

The following fields are for the connection between the ADC service (post-NAT source) and the ADC server (server):

  • postNATSourceIPv4Address
  • postNAPTsourceTransportPort
  • protocolIdentifier
  • serverIPv4Address
  • serverPort

ADC Log

ADC Log Message Format

2024-03-27T02:13:18+0000 adcL4Log, applianceName=SDWAN-Controller1, tenantName=provider-org, 
observationTimeMilliseconds=1711505613183, flowCookie=1711505613, flowId=33554478, flowStartMilliseconds=33180, 
flowEndMilliseconds=33180, sentOctets=0, sentPackets=0, recvdOctets=0, recvdPackets=0, sourceIPv4Address=169.254.0.3, 
destinationIPv4Address=172.16.0.0, postNATSourceIPv4Address=172.16.0.0, serverIPv4Address=192.168.95.2, 
sourcePort=4869, destinationPort=53764, postNAPTsourceTransportPort=10650, serverPort=1234, tenantId=1, vsnId=0, 
applianceId=0, protocolIdentifier=6, ingressInterfaceName=tvi-0/602.0, egressInterfaceName=, eventType=start

ADC Log Message Fields

Field Description
applianceName Name of the VOS device. This is the name displayed in the output of the show system identification branch CLI command.
tenantName Name of the organization (tenant).
observationTimeMilliseconds Time when the event occurred.
flowCookie Time when the flow was created, in UNIX epoch time format.
flowId Flow identifier. This value is allocated internally by the VOS device.
flowStartMilliseconds Time when the session started, in milliseconds. In the sample above this field and flowEndMilliseconds both carry the value 33180, which is not a UNIX epoch timestamp, so check how the value is based on your release before treating it as an absolute time; the syslog timestamp at the head of the line is the safe reference.
flowEndMilliseconds Time when the session was torn down, in milliseconds. For a start event (eventType=start) the session has not ended, so this value is not meaningful.
sentOctets Number of octets sent.
sentPackets Number of packets sent.
recvdOctets Number of octets received.
recvdPackets Number of packets received.
sourceIPv4Address IP address of the system that initiated the connection to the ADC service.
destinationIPv4Address IP address of the ADC service.
postNATSourceIPv4Address IP address used by the ADC service for the connection to the ADC server.
serverIPv4Address IP address of the ADC server.
sourcePort Port number of the initiating system.
destinationPort Port number of the ADC service.
postNAPTsourceTransportPort Port number used by the ADC service for the connection to the ADC server.
serverPort Port number of the ADC server.
tenantId Tenant identifier. This value is allocated internally by the VOS device.
vsnId Identifier of the virtual service node, or VM.
applianceId VOS device identifier. This field is not used.
protocolIdentifier Layer 4 protocol used for both connections.
ingressInterfaceName Interface receiving the flow from the initiating system.
egressInterfaceName Interface relaying the flow to the ADC server. The sample above shows an empty value for a start event.
eventType Type of event; that is, whether the log was generated at the start of the flow (start, as in the sample above) or at its end.

ATP Logs

For Releases 22.1.3 and later.

ATP Log Message Format

2024-01-12T23:10:12+0000 sandboxLog, applianceName=Bangalore-New-DC-Active, tenantName=Corp-Inline-Customer-1, 
flowId=2185922396, flowCookie=1705100975, vsnId=0, applianceId=1, tenantId=2, profileName=sb, appIdStr=http, 
fileName=, fileType=xml, fileSize=1420, fileTransDir=upload, atpVerdict=SandBoxMultiAVFileIsClean, 
sandboxAction=allow, fileHashType=SHA256, fileHashValue=e92455ccbf12f0c1c302b50e64fdffc3b8db3c4d1bf550c4de06d5057782942d, 
fileRuleName=r1, sourceIPv4Address=10.145.1.253, destinationIPv4Address=23.57.40.213, sourceTransportPort=52622, 
destinationTransportPort=80, protocolIdentifier=5, fromUser=Unknown, threatType=, threatSeverity=, sandboxNotifProfile=

ATP Log Message Fields

Field Description
applianceName Name of the VOS device. This is the name displayed in the output of the show system identification branch CLI command.
tenantName Name of the organization (tenant).
flowId Flow identifier. This value is allocated internally by the VOS device.
flowCookie Time when the flow was created, in UNIX epoch time format.
vsnId Identifier of the virtual service node, or VM.
applianceId VOS device identifier. This field is not used.
tenantId Tenant identifier. This value is allocated internally by the VOS device.
profileName Name of the sandbox profile that matched the flow.
appIdStr Application name.
fileName Filename. The sample above shows an empty value, so do not assume this field is always populated.
fileType File type.
fileSize File size, in bytes.
fileTransDir File transfer direction:
  • Both
  • Download
  • Upload
atpVerdict ATP verdict:
  • CloudLookUp
  • CloudLookUpFileIsClean
  • CloudLookUpFileIsMalicious
  • CloudLookUpFileIsSuspicious
  • CloudLookUpFileIsUnknown
  • DefaultAction
  • SandBoxAIMLAnalysisFileIsClean
  • SandBoxAIMLAnalysisFileIsMalicious
  • SandBoxAIMLAnalysisFileIsSuspicious
  • SandBoxAIMLAnalysisFileIsUnknown
  • SandBoxAllowAndScanFirstTime
  • SandBoxBlockAndScanFirstTime
  • SandBoxCacheHitMalicious
  • SandBoxDynamicAnalysisFileIsClean
  • SandBoxDynamicAnalysisFileIsMalicious
  • SandBoxDynamicAnalysisFileIsSuspicious
  • SandBoxDynamicAnalysisFileIsUnknown
  • SandBoxMultiAVFileIsClean
  • SandBoxMultiAVFileIsMalicious
  • SandBoxMultiAVFileIsSuspicious
  • SandBoxMultiAVFileIsUnknown
  • SandBoxStaticAnalysisFileIsClean
  • SandBoxStaticAnalysisFileIsMalicious
  • SandBoxStaticAnalysisFileIsSuspicious
  • SandBoxStaticAnalysisFileIsUnknown
  • SandBoxTimeout
sandboxAction Action taken:
  • Alert
  • Allow
  • Block
  • Reject
  • Send To Sandbox
fileHashType Algorithm used to compute fileHashValue (SHA256 in the sample above).
fileHashValue Hash of the file, computed with the algorithm named in fileHashType.
fileRuleName File rule name.
sourceIPv4Address or sourceIPv6Address Source IPv4 or IPv6 address.
destinationIPv4Address or destinationIPv6Address Destination IPv4 or IPv6 address.
sourceTransportPort Source transport port.
destinationTransportPort Destination transport port.
protocolIdentifier Layer 4 protocol identifier.
fromUser Username of the client that initiated the flow, if an IP address-to-user mapping is available.
threatType Threat type. This field is populated only if a threat is detected.
threatSeverity Severity of the threat, if one is detected.
sandboxNotifProfile Email notification profile used to send the notification.
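A retrospective check over sandboxLog lines, as an added example that is not part of the original page or of Versa's software. Several verdicts in the atpVerdict list (SandBoxAllowAndScanFirstTime, SandBoxTimeout, the *FileIsUnknown verdicts) mean the file reached the user before a final analysis result existed; when the same fileHashValue later draws a malicious verdict, the earlier allow events identify the hosts that need follow-up. Which verdicts count as provisional is this example's own judgement, not a Versa definition, and the sample lines, hashes, users and hosts are constructed.

```python
from collections import defaultdict

# Constructed 64-hex-character hashes and sandboxLog lines modelled on the sample above.
HASH_A = "f0e1d2c3b4a5968778695a4b3c2d1e0f" * 2
HASH_B = "0123456789abcdef" * 4
HASH_C = "deadbeefcafef00d" * 4

SAMPLE_ATP = f"""\
2024-01-12T23:10:12+0000 sandboxLog, applianceName=DC-Active, tenantName=Customer1, flowId=2185922396, flowCookie=1705100975, vsnId=0, applianceId=1, tenantId=2, profileName=sb, appIdStr=http, fileName=invoice.exe, fileType=exe, fileSize=204800, fileTransDir=download, atpVerdict=SandBoxAllowAndScanFirstTime, sandboxAction=allow, fileHashType=SHA256, fileHashValue={HASH_A}, fileRuleName=r1, sourceIPv4Address=10.145.1.253, destinationIPv4Address=23.57.40.213, sourceTransportPort=52622, destinationTransportPort=80, protocolIdentifier=6, fromUser=alice, threatType=, threatSeverity=, sandboxNotifProfile=
2024-01-12T23:12:40+0000 sandboxLog, applianceName=DC-Active, tenantName=Customer1, flowId=2185922410, flowCookie=1705101160, vsnId=0, applianceId=1, tenantId=2, profileName=sb, appIdStr=http, fileName=report.xml, fileType=xml, fileSize=1420, fileTransDir=upload, atpVerdict=SandBoxMultiAVFileIsClean, sandboxAction=allow, fileHashType=SHA256, fileHashValue={HASH_B}, fileRuleName=r1, sourceIPv4Address=10.145.1.17, destinationIPv4Address=23.57.40.213, sourceTransportPort=49152, destinationTransportPort=80, protocolIdentifier=6, fromUser=bob, threatType=, threatSeverity=, sandboxNotifProfile=
2024-01-12T23:20:05+0000 sandboxLog, applianceName=DC-Active, tenantName=Customer1, flowId=2185922477, flowCookie=1705101605, vsnId=0, applianceId=1, tenantId=2, profileName=sb, appIdStr=http, fileName=invoice.exe, fileType=exe, fileSize=204800, fileTransDir=download, atpVerdict=SandBoxCacheHitMalicious, sandboxAction=block, fileHashType=SHA256, fileHashValue={HASH_A}, fileRuleName=r1, sourceIPv4Address=10.145.2.40, destinationIPv4Address=23.57.40.213, sourceTransportPort=50210, destinationTransportPort=80, protocolIdentifier=6, fromUser=carol, threatType=Trojan, threatSeverity=high, sandboxNotifProfile=
2024-01-12T23:25:11+0000 sandboxLog, applianceName=DC-Active, tenantName=Customer1, flowId=2185922530, flowCookie=1705101911, vsnId=0, applianceId=1, tenantId=2, profileName=sb, appIdStr=http, fileName=setup.msi, fileType=msi, fileSize=9830400, fileTransDir=download, atpVerdict=SandBoxTimeout, sandboxAction=allow, fileHashType=SHA256, fileHashValue={HASH_C}, fileRuleName=r1, sourceIPv4Address=10.145.3.9, destinationIPv4Address=23.57.40.213, sourceTransportPort=51077, destinationTransportPort=80, protocolIdentifier=6, fromUser=dave, threatType=, threatSeverity=, sandboxNotifProfile=
"""

# Verdicts after which the file has already passed the user without a final analysis
# result. This classification is the example's judgement, not a Versa definition.
PROVISIONAL_VERDICTS = {
    "SandBoxAllowAndScanFirstTime", "SandBoxTimeout", "CloudLookUp",
    "CloudLookUpFileIsUnknown", "SandBoxMultiAVFileIsUnknown",
    "SandBoxStaticAnalysisFileIsUnknown", "SandBoxDynamicAnalysisFileIsUnknown",
    "SandBoxAIMLAnalysisFileIsUnknown",
}


def parse_sandbox_log(line):
    """sandboxLog values contain no commas or quotes, so a plain split is enough here."""
    timestamp, _, rest = line.partition(" ")
    _, _, body = rest.partition(",")                       # drop the 'sandboxLog' identifier
    fields = dict(item.strip().split("=", 1) for item in body.split(","))
    fields["timestamp"] = timestamp
    return fields


def retro_hunt(lines):
    """Single pass over sandboxLog lines. Returns (exposed, pending):
    exposed: {hash: [allow events]} for files allowed on a provisional verdict whose hash
             later received a verdict ending in 'Malicious';
    pending: {hash: [allow events]} allowed provisionally with no final verdict seen yet."""
    provisional = defaultdict(list)
    final = {}                                             # hash -> latest non-provisional verdict
    for line in lines:
        if not line.strip():
            continue
        f = parse_sandbox_log(line)
        digest = f["fileHashValue"]
        if f["sandboxAction"] == "allow" and f["atpVerdict"] in PROVISIONAL_VERDICTS:
            provisional[digest].append({
                "timestamp": f["timestamp"], "host": f["sourceIPv4Address"],
                "user": f["fromUser"], "file": f["fileName"], "verdict": f["atpVerdict"],
            })
        if f["atpVerdict"] not in PROVISIONAL_VERDICTS:
            final[digest] = f["atpVerdict"]
    exposed = {h: ev for h, ev in provisional.items() if final.get(h, "").endswith("Malicious")}
    pending = {h: ev for h, ev in provisional.items() if h not in final}
    return exposed, pending


if __name__ == "__main__":
    exposed, pending = retro_hunt(SAMPLE_ATP.splitlines())
    for digest, events in exposed.items():
        for event in events:
            print("FOLLOW UP", digest[:12], event["host"], event["user"], event["file"], event["verdict"])
    for digest in pending:
        print("NO VERDICT YET", digest[:12])
```

Running it reports alice's host for the first hash (allowed on SandBoxAllowAndScanFirstTime, later SandBoxCacheHitMalicious) and lists the SandBoxTimeout download as still unresolved; the clean upload is ignored.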

Authentication Logs

Authentication Event Logs

Authentication event logs are generated when a user is authenticated using LDAP or SAML.

Authentication Event Log Message Format

2021-05-12T18:27:38+0000 authEventLog, applianceName=HE-DC-Branch-1, tenantName=Corp-Inline-Customer-1, 
flowId=3255680146,flowCookie=1620844028, vsnId=0, applianceId=1, tenantId=1, authProfile=LDAPAuth-Profile, 
authMethod=LDAP, userName=user123@versa-networks.com, authStatus=success, 
authStatusMessage="VSA : LDAP : Authenticated successfully.", authTime=0, sourceIPv4Address=73.93.153.96, 
destinationIPv4Address=207.47.61.83, sourceTransportPort=45977, destinationTransportPort=443

Authentication Event Log Message Fields

Field

Description

applianceName

Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device.

tenantName

Name of the organization (tenant).

flowId

Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identify the flow.

flowCookie

Time when the flow was created, in UNIX epoch time format.

vsnId

Identifier of the virtual service node, or VM.

applianceId

VOS device identifier. This field is not used.

tenantId

Tenant identifier. This value is allocated internally by the VOS device.

authProfile

Authentication profile used for the user.

authMethod

Authentication method:

  • LDAP
  • SAML

userName

Name of the user trying to authenticate.

authStatus

Status of the authentication:

  • Failure
  • Success

authStatusMessage

Message describing details of authentication status.

authTime

Amount of time required to perform the authentication.

sourceIPv4Address or sourceIPv6Address

Source IPv4 or IPv6 address.

destinationIPv4Address or destinationIPv6Address

Destination IPv4 or IPv6 address.

sourceTransportPort

Source transport port.

destinationTransportPort

Destination transport port.

Authentication Policy Logs

Authentication policy logs are generated when user traffic is evaluated by an authentication policy and an action is taken.

Authentication Policy Log Message Format

2021-05-12T18:33:26+0000 authPolicyLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, flowId=3254914730, 
flowCookie=1620844509, vsnId=0, applianceId=1, tenantId=2,authPolicyRuleName=Default, 
authPolicyRuleAction=no-authenticate, sourceIPv4Address=172.16.11.103, destinationIPv4Address=172.16.31.10, 
sourceTransportPort=37944, destinationTransportPort=80

Authentication Policy Log Message Fields

Field

Description

applianceName

Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device.

tenantName

Name of the organization (tenant).

flowId

Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identify the flow.

flowCookie

Time when the flow was created, in UNIX epoch time format.

vsnId

Identifier of the virtual service node, or VM.

applianceId

VOS device identifier. This field is not used.

tenantId

Tenant identifier. This value is allocated internally by the VOS device.

authPolicyRuleName

Name of the authentication policy rule that matched the traffic.

authPolicyRuleAction

Authentication action taken based on rule match.

sourceIPv4Address or sourceIPv6Address

Source IPv4 or IPv6 address.

destinationIPv4Address or destinationIPv6Address

Destination IPv4 or IPv6 address.

sourceTransportPort

Source transport port.

destinationTransportPort

Destination transport port.

CASB Logs

For Releases 22.1.3 and later.

CASB Message Format

2024-01-13T00:07:13+0000 casbLog, applianceName=AMS-Hub-02, tenantName=Prospective-Customer, flowId=33568051, 
flowCookie=1705104892, vsnId=0, applianceId=1, tenantId=25, casbProfileName=CASB-Profile-1, casbRuleName=, 
casbAppName=box_net, casbAppActivity=download_file, casbAction=allow, casbEmailProfileName=, 
sourceIPv4Address=100.72.0.0, destinationIPv4Address=74.112.186.128, sourceTransportPort=53460, 
destinationTransportPort=443, protocolIdentifier=6, fromUser=user123@versa-networks.com, 
casbFromUser=, casbToUser= 

CASB Log Message Fields

Field Description

applianceName

Appliance name. This is the name displayed in the output of the show system identification CLI command on the VOS device.

tenantName

Name of the organization (tenant).

flowId

Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identify the flow.

flowCookie

Time when the flow was created, in UNIX epoch time format.

vsnId

Identifier of the virtual service node, or VM.

applianceId

VOS device identifier. This field is not used.

tenantId

Tenant identifier. This value is allocated internally by the VOS device.

casbProfileName

Name of the CASB profile that matched the traffic.

casbRuleName

Name of the CASB rule that matched the traffic.

casbAppName

Application that was detected.

casbAppActivity

Application activity.

casbAction

Action taken by CASB.

casbEmailProfileName

Email profile name used for the event.

sourceIPv4Address or sourceIPv6Address

Source IPv4 or IPv6 address.

destinationIPv4Address or destinationIPv6Address

Destination IPv4 or IPv6 address.

sourceTransportPort

Source transport port.

destinationTransportPort

Destination transport port.

protocolIdentifier

Layer 4 protocol identifier.

fromUser

Username.

CGNAT Logs

NAT44 Session Creation and Deletion Logs

NAT44 Session Creation and Deletion Log Message Format

2017-11-26T22:36:31+0000 cgnatLog, applianceName=DC1Branch1, tenantName=Customer1, 
observationTimeMilliseconds=2337165310, flowCookie=1511736417, flowId=33889107, 
sourceIPv4Address=172.18.101.10, destinationIPv4Address=8.8.8.8, 
postNATSourceIPv4Address=70.70.5.2, postNATDestinationIPv4Address=8.8.8.8, 
sourcePort=37190, destinationPort=53, postNAPTsourceTransportPort=45643, 
postNAPTdestinationTransportPort=53, tenantId=1, vsnId=0, applianceId=0, 
protocolIdentifier=17, sourceNatPoolName=DIA-Pool-ISPA-Network, destNatPoolName=-, 
natRuleName=DIA-Rule-Customer1-LAN1-VR-ISPA-Network, natEvent=nat44-sess-create
2017-11-26T22:37:22+0000 cgnatLog, applianceName=DC1Branch1, tenantName=Customer1, 
observationTimeMilliseconds=2337165310, flowCookie=1511736417, flowId=33889107, 
sourceIPv4Address=172.18.101.10, destinationIPv4Address=8.8.8.8, postNATSourceIPv4Address=70.70.5.2, 
postNATDestinationIPv4Address=8.8.8.8, sourcePort=37190, destinationPort=53, 
postNAPTsourceTransportPort=45643, postNAPTdestinationTransportPort=53,tenantId=1, vsnId=0, 
applianceId=0, protocolIdentifier=17, sourceNatPoolName=DIA-Pool-ISPA-Network, destNatPoolName=-, 
natRuleName=DIA-Rule-Customer1-LAN1-VR-ISPA-Network, natEvent=nat44-sess-delete 

NAT44 Session Creation and Deletion Log Message Fields

Field Description
applianceName Name of the VOS device. This is the name displayed in the output of the show system identification branch CLI command.
tenantName Name of the organization (tenant).
observationTimeMilliseconds Time when the event occurred.
flowId Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow.
flowCookie Time when the flow was created, in UNIX epoch time format.
sourceIPv4Address Source IPv4 address before translation.
destinationIPv4Address Destination IPv4 address before translation.
postNATSourceIPv4Address Translated (post-NAT) source IPv4 address.
postNATDestinationIPv4Address Translated (post-NAT) destination IPv4 address.
sourcePort Layer 4 source port before translation.
destinationPort Layer 4 destination port before translation.
postNAPTsourceTransportPort Translated (post-NAPT) Layer 4 source port.
postNAPTdestinationTransportPort Translated (post-NAPT) Layer 4 destination port.
tenantId Tenant identifier. This value is allocated internally by the VOS device.
vsnId Identifier of the virtual service node, or VM.
applianceId VOS device identifier. This field is not used.
protocolIdentifier Layer 4 protocol identifier.
sourceNatPoolName NAT pool from which the translated source address was allocated.
destNatPoolName NAT pool from which the translated destination address was allocated, or - when no destination NAT was applied (as in the sample above).
natRuleName Name of the NAT rule that matched the session.
natEvent NAT44 session creation (nat44-sess-create) or deletion (nat44-sess-delete).
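Attribution of a public address and port back to the internal host, as an added example that is not part of this page or of Versa's software. It replays nat44-sess-create and nat44-sess-delete events into a session table keyed by the flow key and answers the question an abuse report raises: which internal host held public socket X at time T. The sample lines are constructed from the NAT44 sample above; the second and fourth sessions are invented to show a public port being reused by another host after the first session ended, and a delete event whose create log is missing. The lookup uses the syslog timestamp at the head of each line rather than observationTimeMilliseconds, whose base the page does not define.

```python
from datetime import datetime

# Constructed cgnatLog lines modelled on the NAT44 sample above. Session 1 (172.18.101.10)
# is created and deleted; session 2 (172.18.101.77) then reuses public port 45643/UDP; the
# last line is a delete for a TCP session whose create event is not in the window.
SAMPLE_CGNAT = """\
2017-11-26T22:36:31+0000 cgnatLog, applianceName=DC1Branch1, tenantName=Customer1, observationTimeMilliseconds=2337165310, flowCookie=1511736417, flowId=33889107, sourceIPv4Address=172.18.101.10, destinationIPv4Address=8.8.8.8, postNATSourceIPv4Address=70.70.5.2, postNATDestinationIPv4Address=8.8.8.8, sourcePort=37190, destinationPort=53, postNAPTsourceTransportPort=45643, postNAPTdestinationTransportPort=53, tenantId=1, vsnId=0, applianceId=0, protocolIdentifier=17, sourceNatPoolName=DIA-Pool-ISPA-Network, destNatPoolName=-, natRuleName=DIA-Rule-Customer1-LAN1-VR-ISPA-Network, natEvent=nat44-sess-create
2017-11-26T22:37:22+0000 cgnatLog, applianceName=DC1Branch1, tenantName=Customer1, observationTimeMilliseconds=2337165310, flowCookie=1511736417, flowId=33889107, sourceIPv4Address=172.18.101.10, destinationIPv4Address=8.8.8.8, postNATSourceIPv4Address=70.70.5.2, postNATDestinationIPv4Address=8.8.8.8, sourcePort=37190, destinationPort=53, postNAPTsourceTransportPort=45643, postNAPTdestinationTransportPort=53, tenantId=1, vsnId=0, applianceId=0, protocolIdentifier=17, sourceNatPoolName=DIA-Pool-ISPA-Network, destNatPoolName=-, natRuleName=DIA-Rule-Customer1-LAN1-VR-ISPA-Network, natEvent=nat44-sess-delete
2017-11-26T22:38:05+0000 cgnatLog, applianceName=DC1Branch1, tenantName=Customer1, observationTimeMilliseconds=2337259310, flowCookie=1511736485, flowId=33889230, sourceIPv4Address=172.18.101.77, destinationIPv4Address=8.8.8.8, postNATSourceIPv4Address=70.70.5.2, postNATDestinationIPv4Address=8.8.8.8, sourcePort=40011, destinationPort=53, postNAPTsourceTransportPort=45643, postNAPTdestinationTransportPort=53, tenantId=1, vsnId=0, applianceId=0, protocolIdentifier=17, sourceNatPoolName=DIA-Pool-ISPA-Network, destNatPoolName=-, natRuleName=DIA-Rule-Customer1-LAN1-VR-ISPA-Network, natEvent=nat44-sess-create
2017-11-26T22:40:00+0000 cgnatLog, applianceName=DC1Branch1, tenantName=Customer1, observationTimeMilliseconds=2337374310, flowCookie=1511736000, flowId=33889001, sourceIPv4Address=172.18.101.5, destinationIPv4Address=1.1.1.1, postNATSourceIPv4Address=70.70.5.2, postNATDestinationIPv4Address=1.1.1.1, sourcePort=50000, destinationPort=443, postNAPTsourceTransportPort=45643, postNAPTdestinationTransportPort=443, tenantId=1, vsnId=0, applianceId=0, protocolIdentifier=6, sourceNatPoolName=DIA-Pool-ISPA-Network, destNatPoolName=-, natRuleName=DIA-Rule-Customer1-LAN1-VR-ISPA-Network, natEvent=nat44-sess-delete
"""


def at(ts_str):
    """Parse the syslog timestamp that leads every line, e.g. 2017-11-26T22:36:31+0000."""
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S%z")


def parse_cgnat_log(line):
    """cgnatLog values contain no commas or quotes, so a plain split is enough here."""
    ts_str, _, rest = line.partition(" ")
    _, _, body = rest.partition(",")                       # drop the 'cgnatLog' identifier
    fields = dict(item.strip().split("=", 1) for item in body.split(","))
    return at(ts_str), fields


def build_nat_sessions(lines):
    """Replay create/delete events into a session table keyed by the page's flow key."""
    sessions = {}
    for line in lines:
        if not line.strip():
            continue
        ts, f = parse_cgnat_log(line)
        key = (f["applianceName"], f["tenantId"], f["vsnId"], f["flowId"], f["flowCookie"])
        record = sessions.get(key)
        if record is None:
            record = sessions[key] = {
                "start": None, "end": None,
                "internal": (f["sourceIPv4Address"], int(f["sourcePort"])),
                "external": (f["postNATSourceIPv4Address"], int(f["postNAPTsourceTransportPort"])),
                "remote": (f["postNATDestinationIPv4Address"], int(f["postNAPTdestinationTransportPort"])),
                "proto": int(f["protocolIdentifier"]),
                "rule": f["natRuleName"],
            }
        if f["natEvent"].endswith("-sess-create"):
            record["start"] = ts
        elif f["natEvent"].endswith("-sess-delete"):
            # A delete with no create leaves start=None: the create log was lost or predates
            # the window, so the session is treated as open from the beginning of the window.
            record["end"] = ts
    return sessions


def attribute(sessions, ext_ip, ext_port, proto, when, remote=None):
    """Return the sessions that owned public socket ext_ip:ext_port/proto at time `when`.
    An empty list means no log covers that moment; more than one hit means the logs alone
    are ambiguous and the remote endpoint from the report is needed to narrow them down."""
    hits = []
    for record in sessions.values():
        if record["external"] != (ext_ip, ext_port) or record["proto"] != proto:
            continue
        if remote is not None and record["remote"] != remote:
            continue
        started = record["start"] is None or record["start"] <= when
        not_ended = record["end"] is None or when <= record["end"]
        if started and not_ended:
            hits.append(record)
    return hits


SESSIONS = build_nat_sessions(SAMPLE_CGNAT.splitlines())

if __name__ == "__main__":
    for probe in ("2017-11-26T22:37:00+0000", "2017-11-26T22:37:40+0000", "2017-11-26T22:39:00+0000"):
        hits = attribute(SESSIONS, "70.70.5.2", 45643, 17, at(probe))
        print(probe, [hit["internal"] for hit in hits])
```

Note that the protocol is part of the match: the same public port 45643 is held concurrently by a UDP session and a TCP session, and a report that omits the protocol cannot be attributed from these logs alone.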

NAT64 Session Creation and Deletion Logs

NAT64 Session Creation and Deletion Log Message Format

The sample below was captured from an IPv6 prefix-translation (NAT66) rule rather than from a NAT64 rule: the natEvent values are nat66-sess-create and nat66-sess-delete, both the pre-NAT and post-NAT addresses are IPv6, and protocolIdentifier=58 is ICMPv6. The fields are described in the table that follows.

2020-05-07T23:14:33+0000 cgnatLog, applianceName=versa, tenantName=Tenant1, 
observationTimeMilliseconds=21034388, flowCookie=1588893277, flowId=33589149, 
sourceIPv6Address=2001:172:16:31::10, destinationIPv6Address=2001:192:168:5::10, 
postNATSourceIPv6Address=2001:172:16:91:ff9f::10, postNATDestinationIPv6Address=2001:192:168:5::10,
sourcePort=6000, destinationPort=6000, postNAPTsourceTransportPort=6000, 
postNAPTdestinationTransportPort=6000, tenantId=1, vsnId=0, applianceId=1, protocolIdentifier=58, 
sourceNatPoolName=NPT_POOL_66, natRuleName=NPT_RULE_66, natEvent=nat66-sess-create
2020-05-07T23:14:44+0000 cgnatLog, applianceName=versa, tenantName=Tenant1, 
observationTimeMilliseconds=21034388, flowCookie=1588893277, flowId=33589149, 
sourceIPv6Address=2001:172:16:31::10, destinationIPv6Address=2001:192:168:5::10, 
postNATSourceIPv6Address=2001:172:16:91:ff9f::10, postNATDestinationIPv6Address=2001:192:168:5::10, 
sourcePort=6000, destinationPort=6000, postNAPTsourceTransportPort=6000, 
postNAPTdestinationTransportPort=6000, tenantId=1, vsnId=0, applianceId=1, protocolIdentifier=58, 
sourceNatPoolName=NPT_POOL_66, natRuleName=NPT_RULE_66, natEvent=nat66-sess-delete

NAT64 Session Creation and Deletion Log Message Fields

Field Description
applianceName Name of the VOS device. This is the name displayed in the output of the show system identification branch CLI command.
tenantName Name of the organization (tenant).
observationTimeMilliseconds Time when the event occurred.
flowId Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow.
flowCookie Time when the flow was created, in UNIX epoch time format.
sourceIPv6Address Source IPv6 address before translation.
destinationIPv6Address Destination IPv6 address before translation.
postNATSourceIPv6Address Translated (post-NAT) source IPv6 address.
postNATDestinationIPv6Address Translated (post-NAT) destination IPv6 address.
sourcePort Layer 4 source port before translation.
destinationPort Layer 4 destination port before translation.
postNAPTsourceTransportPort Translated (post-NAPT) Layer 4 source port.
postNAPTdestinationTransportPort Translated (post-NAPT) Layer 4 destination port.
tenantId Tenant identifier. This value is allocated internally by the VOS device.
vsnId Identifier of the virtual service node, or VM.
applianceId VOS device identifier. This field is not used.
protocolIdentifier Layer 4 protocol identifier (58 is ICMPv6 in the sample above).
sourceNatPoolName NAT pool from which the translated source address was allocated.
destNatPoolName NAT pool from which the translated destination address was allocated. This field is absent from the sample above, which applies source translation only.
natRuleName Name of the NAT rule that matched the session.
natEvent Session creation or deletion event. The sample above shows nat66-sess-create and nat66-sess-delete.

NAT Address Pool Exhausted Logs

NAT Address Pool Exhausted Log Message Format

2020-05-07T23:44:43+0000 alarmLog, applianceName=versa, tenantName=Tenant1, alarmType=cgnat-pool-utilization,
alarmKey=Tenant1_NAPT_POOL1, generateTime=1588895083, applianceId=1, vsnId=0, tenantId=1,
alarmCause=resourceAtOrNearingCapacity, alarmClearable=yes, alarmClass=changed, alarmKind=symptom,
alarmEventType=equipmentAlarm, alarmSeverity=critical, alarmOwner=tenant, alarmSeqNo=6, 
alarmText="CGNAT pool Tenant1_NAPT_POOL1 addresses near exhaustion (utilization: 93%)", siteName=,
serialNum=br103.versa

NAT Address Pool Exhausted Log Fields

Field Description
applianceName Name of the VOS device. This is the name displayed in the output of the show system identification branch CLI command.
tenantName Name of the organization (tenant).
alarmType Type of alarm. For more information, see Supported Alarm Types in Configure VOS Device Alarms.
alarmKey String generated by the VOS device that uniquely identifies the alarm.
generateTime Time when the log was generated, in UNIX epoch time format.
applianceId VOS device identifier. This field is not used.
vsnId Identifier of the virtual service node, or VM.
alarmCause Cause of the alarm.
alarmClearable Whether the alarm has an associated clear notification.
alarmClass Alarm class:
  • Changed
  • Cleared
  • New
alarmKind Type of alarm:
  • Root cause
  • Symptom
  • Unknown
alarmEventType Alarm event type. Examples are communicationsAlarm and qualityOfServiceAlarm.
alarmSeverity Severity of the alarm:
  • Cleared
  • Critical
  • Indeterminate
  • Major
  • Minor
  • Warning
alarmOwner Alarm owner:
  • Customer tenant
  • Provider tenant
alarmSeqNo Unique alarm sequence number generated for a tenant and VOS device.
alarmText Text description of the alarm.
siteName Name of the SD-WAN site that generated the alarm.
serialNum Serial number of the VOS device.

DLP Logs

For Releases 22.1.3 and later.

DLP Log Message Format

2024-01-13T01:44:48+0000 dlpLog, applianceName=AMS-Hub-02, tenantName=Prospective-Customer, flowId=33609083,
flowCookie=1705110716, vsnId=0, applianceId=1, tenantId=25, profileName=DLP-Profile-1, appIdStr=http,
fileName=PCI-DSS-Name_CC_CVV.docx, fileType=docx, fileSize=18621, fileTransDir=download, fileFoundIn=Payload,
dlpMatchStr="Cache Hit", dlpRuleAction=block, dlpMatchType=ContentAnalysisMatch, fileRuleName=Rule-Userdef-Credit-Card,
dlpPatternName="CREDIT_CARD_NUMBER", dlpDataProfileName="CREDIT_CARD_NUMBER", dlpMatchComponent="ContentAnalysisMatch", 
sourceIPv4Address=100.72.0.0, destinationIPv4Address=74.112.186.128, sourceTransportPort=54290, 
destinationTransportPort=443, protocolIdentifier=6, fromUser=user123@versa-networks.com, 
dlpRuleMatchCount=1, fileHashValue=5269d43557251538e3add083fd1389695176cd8d847cf27c42464fbbfa0b27ff, fileLabelOp=""

DLP Log Message Fields

Field

Description

applianceName

Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device.

tenantName

Name of organization (tenant).

flowId

Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identify the flow.

flowCookie

Time when the flow was created, in UNIX epoch time format.

vsnId

Identifier of the virtual service node, or VM.

applianceId

Appliance identifier. This field is not used.

tenantId

Tenant identifier. This value is allocated internally by the VOS device.

profileName

Name of the DLP profile that matched the user’s session.

appIdStr

Application identifier string.

fileName

Filename.

fileType

File type.

fileSize

File size, in bytes.

fileTransDir

File transfer direction.

fileFoundIn

Location where file was found.

dlpMatchStr

DLP match string.

dlpRuleAction

DLP rule action.

dlpMatchType

DLP match type.

fileRuleName

Rule name.

dlpPatternName

DLP pattern.

dlpDataProfileName

DLP data profile name.

dlpMatchComponent

DLP match component.

sourceIPv4Address or sourceIPv6Address

Source IPv4 or IPv6 address.

destinationIPv4Address or destinationIPv6Address

Destination IPv4 or IPv6 address.

sourceTransportPort

Source transport port.

destinationTransportPort

Destination transport port.

protocolIdentifier

Protocol identifier.

fromUser

Username.

dlpRuleMatchCount

Number of DLP rules matched.

fileHashValue

File hash value.

fileLabelOp

File label operation.

DNS-Filtering Logs

For Releases 21.1.1 and later, except as noted.

DNS-filtering logs use the syslog identifier dnsfLog. Releases 22.1.3 and later add support for the syslog identifier dnsfTunnelLog.

DNS-Filtering Log Message Format

2021-02-15T18:05:50+0000 dnsfLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, flowId=34423394, 
flowCookie=1644948381, tenantId=1, vsnId=0, applianceId=1, dnsfProfileName=User-defined-DNS-Filtering-1, 
dnsfMsgType=response, dnsfEvType=ip-filter, dnsfAction=reject, dnsfDomain="ofFICe.com", 
dnsfRuleName=, dnsfBadResolvedV4Addr=, dnsfBadResolvedV6Addr=2001:501:b1f9::30, dnsfBadCname=ofFICe.com, 
dnsfDomainReputation=, dnsfDomainCategory=, dnsfIpReputation=Phishing, dnsfIpGeoLocation=US, 
sourceIPv4Address=10.100.226.56, destinationIPv4Address=202.12.27.33, sourceTransportPort=50081, 
destinationTransportPort=53, protocolIdentifier=6, fromUser=user123@versanetworks.com

DNS-Filtering Log Message Format for a Deny-List Event Type with a Drop Packet Action

2024-01-23T14:05:48+0000 dnsfLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, 
flowId=33554458, flowCookie=1706018747, tenantId=2, vsnId=0, applianceId=1, 
dnsfProfileName=dnsfilter_profile, dnsfMsgType=request, dnsfEvType=blacklist, dnsfAction=drop-packet, 
dnsfDomain="www.facebook.com", dnsfRuleName=, dnsfBadResolvedV4Addr=, dnsfBadResolvedV6Addr=, 
dnsfBadCname=, dnsfDomainReputation=, dnsfDomainCategory=, dnsfIpReputation=, dnsfIpGeoLocation=, 
sourceIPv4Address=172.16.11.10, destinationIPv4Address=10.48.0.99, sourceTransportPort=55524, 
destinationTransportPort=53, protocolIdentifier=17, fromUser=Unknown, threatSeverity="informational", 
threatType="", dnsfSinkHoleIp=""

DNS-Filtering Log Message Format for an Accept-List Event Type with an Allow Action

2024-01-23T14:25:21+0000 dnsfLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, 
flowId=33554475, flowCookie=1706019920, tenantId=2, vsnId=0, applianceId=1, 
dnsfProfileName=dnsfilter_profile, dnsfMsgType=request, dnsfEvType=whitelist, dnsfAction=allow, 
dnsfDomain="www.facebook.com", dnsfRuleName=, dnsfBadResolvedV4Addr=, dnsfBadResolvedV6Addr=, 
dnsfBadCname=, dnsfDomainReputation=, dnsfDomainCategory=, dnsfIpReputation=, dnsfIpGeoLocation=, 
sourceIPv4Address=172.16.11.10, destinationIPv4Address=10.48.0.99, sourceTransportPort=54303, 
destinationTransportPort=53, protocolIdentifier=17, fromUser=Unknown, threatSeverity="informational", 
threatType="", dnsfSinkHoleIp=""

DNS-Filtering Log Message Format for a Query-Based Action with a Reject Action

2024-01-23T16:08:36+0000 dnsfLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, flowId=33554619, 
flowCookie=1706026115, tenantId=2, vsnId=0, applianceId=1, dnsfProfileName=dnsfilter_profile, 
dnsfMsgType=request, dnsfEvType=query-action-rule, dnsfAction=reject, dnsfDomain="www.facebook.com", 
dnsfRuleName=query, dnsfBadResolvedV4Addr=, dnsfBadResolvedV6Addr=, dnsfBadCname=, dnsfDomainReputation=, 
dnsfDomainCategory=, dnsfIpReputation=, dnsfIpGeoLocation=, sourceIPv4Address=172.16.11.10, 
destinationIPv4Address=10.48.0.99, sourceTransportPort=57927, destinationTransportPort=53, 
protocolIdentifier=17, fromUser=Unknown, threatSeverity="informational", threatType="", dnsfSinkHoleIp=""

DNS-Filtering Log Message Format for an IP-Filtering Reputation-Based Action

2024-01-23T16:38:29+0000 dnsfLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, flowId=33554649, 
flowCookie=1706027908, tenantId=2, vsnId=0, applianceId=1, dnsfProfileName=dnsfilter_profile, 
dnsfMsgType=response, dnsfEvType=ip-filter, dnsfAction=reject, dnsfDomain="interestingfurniture.com", 
dnsfRuleName=, dnsfBadResolvedV4Addr=3.64.163.50, dnsfBadResolvedV6Addr=, 
dnsfBadCname=interestingfurniture.com, dnsfDomainReputation=, dnsfDomainCategory=, 
dnsfIpReputation=Windows Exploits | BotNets | Phishing | Proxy, dnsfIpGeoLocation=DE, 
sourceIPv4Address=172.16.11.10, destinationIPv4Address=10.48.0.99, sourceTransportPort=53200, 
destinationTransportPort=53, protocolIdentifier=17, fromUser=Unknown, threatSeverity="undefined", 
threatType="", dnsfSinkHoleIp=""

DNS-Filtering Log Message Format for a URL-Filtering Reputation-Based Action

2024-01-23T17:55:35+0000 dnsfLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, flowId=33554840, 
flowCookie=1706032534, tenantId=2, vsnId=0, applianceId=1, dnsfProfileName=dnsfilter_profile, 
dnsfMsgType=request, dnsfEvType=url-filter, dnsfAction=drop-packet, dnsfDomain="www.facebook.com", 
dnsfRuleName=, dnsfBadResolvedV4Addr=, dnsfBadResolvedV6Addr=, dnsfBadCname=, dnsfDomainReputation=trustworthy, 
dnsfDomainCategory=social_network, dnsfIpReputation=, dnsfIpGeoLocation=, sourceIPv4Address=172.16.11.10, 
destinationIPv4Address=10.48.0.99, sourceTransportPort=56553, destinationTransportPort=53, 
protocolIdentifier=17, fromUser=Unknown, threatSeverity="informational", threatType="", dnsfSinkHoleIp=""

DNS-Filtering Log Message Fields

Field

Description

applianceName

Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device.

tenantName

Name of the organization (tenant).

flowId

Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow.

flowCookie

Time when the flow was created, in UNIX epoch time format.

vsnId

Virtual service node identifier, or VM.

applianceId

Appliance identifier. This field is not used.

tenantId

Tenant identifier. This value is allocated internally by the VOS device.

dnsfProfileName

DNS-filtering profile name matched for the event.

dnsfMsgType

Type of DNS message.

dnsfEvType

Type of DNS-filtering event.

dnsfAction

DNS-filtering action taken.

dnsfDomain

DNS domain.

dnsfRuleName

DNS-filtering rule name.

dnsfBadResolvedV4Addr

DNS could not resolve an IPv4 address.

dnsfBadResolvedV6Addr

DNS could not resolve an IPv6 address.

dnsfBadCname

DNS could not resolve a domain name.

dnsfDomainReputation

DNS domain reputation.

dnsfDomainCategory

DNS domain category.

dnsfIpReputation

DNS IP reputation.

dnsfIpGeoLocation

DNS IP geographic location.

sourceIPv4Address or sourceIPv6Address

Source IPv4 or IPv6 address.

destinationIPv4Address or destinationIPv6Address

Destination IPv4 or IPv6 address.

sourceTransportPort

Source transport port.

destinationTransportPort

Destination transport port.

protocolIdentifier

(For Releases 22.1.1 and later.) Protocol identifier.

fromUser

(For Releases 22.1.1 and later.) Username.

threatSeverity

(Releases 22.1.3 and later.) Severity of the threat.

threatType

(Releases 22.1.3 and later.) Type of threat.

dnsfSinkHoleIp

(For Releases 22.1.3 and later.) IP address of the DNS sinkhole that is spoofing DNS servers to prevent the resolution of the hostnames associated with URLs.

DNS-Tunneling Log Message Format

For Releases 22.1.3 and later.

2024-01-23T18:27:20+0000 dnsfTunnelLog, applianceName=SDWAN-Branch1, tenantName=Tenant1,
flowId=33554877, flowCookie=1706034438, tenantId=2, vsnId=0, applianceId=1, dnsfProfileName=dnsfilter_profile,
dnsfAction=sink-hole, dnsfDetectedDomain="www.twitter.com", dnsfDetectionType=EXCESSIVE_REQ_FOR_SAME_FQDN,
dnsfDetectionReason="Too many requests(2) for same FQDN", dnsfDetectionTime=2024-01-23 18:27:19,
dnsfTunnelClientIp=172.16.11.10, sourceIPv4Address=172.16.11.10, destinationIPv4Address=10.48.0.99,
sourceTransportPort=60570, destinationTransportPort=53, protocolIdentifier=17, fromUser=Unknown,
threatSeverity="informational", threatType="", dnsfSinkHoleIp="207.47.61.60"

DNS-Tunneling Log Message Fields

For Releases 22.1.3 and later.

Field

Description

applianceName

Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device.

tenantName

Name of the organization (tenant).

flowId

Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow.

flowCookie

Time when the flow was created, in UNIX epoch time format.

vsnId

Virtual service node identifier, or VM.

applianceId

Appliance identifier. This field is not used.

tenantId

Tenant identifier. This value is allocated internally by the VOS device.

dnsfProfileName

DNS-filtering profile name matched for the event.

dnsfAction

DNS-filtering action taken:

  • Accept
  • Drop packet
  • Reject

dnsfDetectedDomain

Detected domain name of DNS tunnel.

dnsfDetectionType

Type of the detected DNS tunnel.

dnsfDetectionReason

DNS behavior that allowed the tunnel of the given detection type to be detected.

dnsfDetectionTime

Amount of time taken for the DNS tunnel to be detected.

dnsfTunnelClientIp

If the DNS tunnel is detected through an IP address (known as global tracking), the IP address is included in this field.

sourceIPv4Address or sourceIPv6Address

Source IPv4 or IPv6 address.

destinationIPv4Address or destinationIPv6Address

Destination IPv4 or IPv6 address.

sourceTransportPort

Source transport port.

destinationTransportPort

Destination transport port.

protocolIdentifier

Protocol identifier.

fromUser

Username.

threatSeverity

Severity of the threat.

threatType

Type of threat.

dnsfSinkHoleIp

IP address of the DNS sinkhole that is spoofing DNS servers to prevent the resolution of the hostnames associated with URLs.

DNS Metadata Logs

You can configure traffic monitoring rules to send DNS metadata, which provides detailed DNS information about a traffic flow.

Log Message Format

2024-01-11T16:26:13+0000 flowMonDnsLog, applianceName=HE-DC-Branch-1, tenantName=Corp-Inline-Customer-1, 
flowId=2181548554, flowCookie=1704990373, transactionId=62383, vsnId=0, applianceId=1, dnsResponseCode=No error, 
dnsQueryType=A, dnsEipInfo="", dnsDomainCategory=computer_and_internet_info, 
dnsDomain="browser.pipe.aria.microsoft.com", dnsOpcode=QUERY, dnsIpAddrs="52.168.117.168",
dnsCnames="browser.events.data.trafficmanager.net|onedscolprdeus07.eastus.cloudapp.azure.com", 
dnsDnsfProfile=, dnsfAction=, sourceIPv4Address=10.42.144.130, destinationIPv4Address=10.48.0.99, 
sourceTransportPort=45271, destinationTransportPort=53, protocolIdentifier=17, fromUser=Unknown 

DNS Flow Log Message Fields

Field

Description

applianceName

Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device.

tenantName

Tenant or organization name.

flowId

Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow.

flowCookie

Time when the flow was created, in UNIX epoch time format.

transactionId

Transaction identifier.

applianceId

Appliance identifier. This field is not used.

vsnId

Virtual service node identifier, or VM.

dnsResponseCode

DNS response code.

dnsQueryType

DNS query type.

dnsEipInfo

DNS endpoint information.

dnsDomainCategory

DNS domain category.

dnsDomain

DNS domain.

dnsOpcode

DNS opcode.

dnsIpAddrs

DNS IP addresses.

dnsCnames

DNS domain names.

dnsDnsfProfile

DNS-filtering profile if matching this traffic flow.

dnsfAction

DNS-filtering action that was taken if traffic flow matched a profile.

sourceIPv4Address or sourceIPv6Address

Source IPv4 or IPv6 address.

destinationIPv4Address or destinationIPv6Address

Destination IPv4 or IPv6 address.

sourceTransportPort

Source transport port.

destinationTransportPort

Destination transport port.

protocolIdentifier

(For Releases 22.1.1 and later.) Protocol identifier.

fromUser

(For Releases 22.1.1 and later.) Username.
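
The dnsfLog, dnsfTunnelLog, and flowMonDnsLog formats above share one key=value layout, and flowId plus flowCookie is what ties the service-specific logs for one session together. The following Python is an added example, not Versa code: a parser for that layout (quoted values may contain commas and parentheses; unquoted values such as dnsfIpReputation may contain spaces), grouping by flowId+flowCookie versus by 5-tuple, and a triage of DNS events whose action was not allow. Two sample lines are copied from the samples above; the flowMonDnsLog and the second dnsfLog are constructed, as are the function names and the transactionId and flowCookie values they carry.

```python
import re
from collections import defaultdict

# One key=value pair: a double-quoted value (may contain commas, spaces, parentheses)
# or an unquoted value that runs up to the next ", key=" boundary or the end of line.
_PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|.*?)(?=,\s*\w+=|\s*$)')


def parse_flow_log(line):
    """Parse '<timestamp> <logType>, key=value, key="quoted, value"' into a dict."""
    head, _, body = line.strip().partition(", ")
    # rpartition: idpLog writes its timestamp as 'YYYY-MM-DD HH:MM:SS' with a space.
    timestamp, _, log_type = head.rpartition(" ")
    fields = {"timestamp": timestamp, "logType": log_type}
    for key, value in _PAIR_RE.findall(body):
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # drop the surrounding quotes, keep the inner text
        fields[key] = value      # empty values such as 'dnsfRuleName=' stay ""
    return fields


def flow_key(rec):
    """Identity the device guarantees unique per tenant: flowId plus flowCookie."""
    return (rec["applianceName"], rec["tenantName"], rec["flowId"], rec["flowCookie"])


def five_tuple(rec):
    """Classic 5-tuple, which a later flow can reuse once the first one ends."""
    src = rec.get("sourceIPv4Address") or rec.get("sourceIPv6Address")
    dst = rec.get("destinationIPv4Address") or rec.get("destinationIPv6Address")
    return (src, rec.get("sourceTransportPort"), dst,
            rec.get("destinationTransportPort"), rec.get("protocolIdentifier"))


def group_flows(lines, key_fn):
    """Group parsed records by key_fn (flow_key or five_tuple)."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_flow_log(line)
        flows[key_fn(rec)].append(rec)
    return dict(flows)


def dns_findings(flows):
    """Flows where DNS filtering or tunnel detection did not simply allow the query."""
    findings = []
    for key, recs in flows.items():
        for r in recs:
            action = r.get("dnsfAction", "")
            # Only the dnsf logs count, so a flowMonDnsLog echoing the same
            # dnsfAction for the flow does not produce a duplicate finding.
            if r["logType"] in ("dnsfLog", "dnsfTunnelLog") and action not in ("", "allow"):
                findings.append({
                    "flow": key, "action": action,
                    "domain": r.get("dnsfDomain") or r.get("dnsfDetectedDomain"),
                    "reason": r.get("dnsfEvType") or r.get("dnsfDetectionType"),
                    "bad_ip": r.get("dnsfBadResolvedV4Addr", ""),
                    "sinkhole": r.get("dnsfSinkHoleIp", ""),
                })
    return findings


# Constructed sample. Lines 1 and 4 are the IP-reputation dnsfLog and the dnsfTunnelLog
# samples from this page; line 2 is a constructed flowMonDnsLog for the same flow as line 1,
# and line 3 a constructed later flow reusing line 1's 5-tuple with a new flowId/flowCookie.
SAMPLE_LINES = [
    '2024-01-23T16:38:29+0000 dnsfLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, flowId=33554649, '
    'flowCookie=1706027908, tenantId=2, vsnId=0, applianceId=1, dnsfProfileName=dnsfilter_profile, '
    'dnsfMsgType=response, dnsfEvType=ip-filter, dnsfAction=reject, dnsfDomain="interestingfurniture.com", '
    'dnsfRuleName=, dnsfBadResolvedV4Addr=3.64.163.50, dnsfBadResolvedV6Addr=, dnsfBadCname=interestingfurniture.com, '
    'dnsfDomainReputation=, dnsfDomainCategory=, dnsfIpReputation=Windows Exploits | BotNets | Phishing | Proxy, '
    'dnsfIpGeoLocation=DE, sourceIPv4Address=172.16.11.10, destinationIPv4Address=10.48.0.99, sourceTransportPort=53200, '
    'destinationTransportPort=53, protocolIdentifier=17, fromUser=Unknown, threatSeverity="undefined", threatType="", '
    'dnsfSinkHoleIp=""',
    '2024-01-23T16:38:29+0000 flowMonDnsLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, flowId=33554649, '
    'flowCookie=1706027908, transactionId=4711, vsnId=0, applianceId=1, dnsResponseCode=No error, dnsQueryType=A, '
    'dnsEipInfo="", dnsDomainCategory=, dnsDomain="interestingfurniture.com", dnsOpcode=QUERY, dnsIpAddrs="3.64.163.50", '
    'dnsCnames="", dnsDnsfProfile=dnsfilter_profile, dnsfAction=reject, sourceIPv4Address=172.16.11.10, '
    'destinationIPv4Address=10.48.0.99, sourceTransportPort=53200, destinationTransportPort=53, protocolIdentifier=17, '
    'fromUser=Unknown',
    '2024-01-23T16:52:11+0000 dnsfLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, flowId=33554702, '
    'flowCookie=1706028730, tenantId=2, vsnId=0, applianceId=1, dnsfProfileName=dnsfilter_profile, dnsfMsgType=request, '
    'dnsfEvType=whitelist, dnsfAction=allow, dnsfDomain="www.facebook.com", dnsfRuleName=, dnsfBadResolvedV4Addr=, '
    'dnsfBadResolvedV6Addr=, dnsfBadCname=, dnsfDomainReputation=, dnsfDomainCategory=, dnsfIpReputation=, '
    'dnsfIpGeoLocation=, sourceIPv4Address=172.16.11.10, destinationIPv4Address=10.48.0.99, sourceTransportPort=53200, '
    'destinationTransportPort=53, protocolIdentifier=17, fromUser=Unknown, threatSeverity="informational", threatType="", '
    'dnsfSinkHoleIp=""',
    '2024-01-23T18:27:20+0000 dnsfTunnelLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, flowId=33554877, '
    'flowCookie=1706034438, tenantId=2, vsnId=0, applianceId=1, dnsfProfileName=dnsfilter_profile, dnsfAction=sink-hole, '
    'dnsfDetectedDomain="www.twitter.com", dnsfDetectionType=EXCESSIVE_REQ_FOR_SAME_FQDN, '
    'dnsfDetectionReason="Too many requests(2) for same FQDN", dnsfDetectionTime=2024-01-23 18:27:19, '
    'dnsfTunnelClientIp=172.16.11.10, sourceIPv4Address=172.16.11.10, destinationIPv4Address=10.48.0.99, '
    'sourceTransportPort=60570, destinationTransportPort=53, protocolIdentifier=17, fromUser=Unknown, '
    'threatSeverity="informational", threatType="", dnsfSinkHoleIp="207.47.61.60"',
]

if __name__ == "__main__":
    by_flow = group_flows(SAMPLE_LINES, flow_key)
    by_tuple = group_flows(SAMPLE_LINES, five_tuple)
    print(f"{len(by_flow)} flows by flowId+flowCookie, {len(by_tuple)} by 5-tuple only")
    for finding in dns_findings(by_flow):
        print(finding)
```

Grouping by 5-tuple alone folds the later www.facebook.com flow into the rejected interestingfurniture.com flow because both used source port 53200; grouping by flowId+flowCookie keeps them apart.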

File-Filtering Logs

File-Filtering Log Message Format

2022-02-15T18:44:39+0000 fileFilterLog, applianceName= SDWAN-Branch1, tenantName= Tenant1, flowId=1107299034, 
flowCookie=1637457178, vsnId=0, applianceId=1, tenantId=1, profileName=Versa_Corporate_Profile, appIdStr=http, 
fileName=v2/computes, fileType=text file, fileSize=2, fileTransDir=upload, fileFoundIn=DefaultAction, 
fileSizeExceed=false, fileFilterAction=alert, fileHashType=, fileHashValue=, fileRuleName=, 
sourceIPv4Address=172.30.57.68, destinationIPv4Address=10.48.245.14, sourceTransportPort=50470, 
destinationTransportPort=3080, protocolIdentifier=6, fromUser=user123@versa-networks.com

File-Filtering Log Message Fields

Field

Description

applianceName

Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device.

tenantName

Name of the organization (tenant).

flowId

Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow.

flowCookie

Time when the flow was created, in UNIX epoch time format.

vsnId

Virtual service node identifier, or VM.

applianceId

VOS device identifier. This field is not used.

tenantId

Tenant or organization identifier.

profileName

File-filtering profile name matched for this event.

appIdStr

Application of the traffic that triggered the event.

fileName

Filename that was accessed.

fileType

File type.

fileSize

File size.

fileTransDir

File transfer direction. It can be either download or upload.

fileFoundIn

Location where file was found.

fileSizeExceed

Whether the file size exceeded the limit (true or false).

fileFilterAction

File-filtering action.

fileHashType

File hash type.

fileHashValue

File hash value.

fileRuleName

File rule name.

sourceIPv4Address or sourceIPv6Address

Source IPv4 or IPv6 address.

destinationIPv4Address or destinationIPv6Address

Destination IPv4 or IPv6 address.

sourceTransportPort

Source transport port.

destinationTransportPort

Destination transport port.

protocolIdentifier

(For Releases 22.1.1 and later.) Protocol identifier.

fromUser

(For Releases 22.1.1 and later.) Username.

HTTP Metadata Logs

HTTP Metadata Log Message Format

2024-01-11T18:01:49+0000 flowMonHttpLog, applianceName=Colovore-DCBranch-1, 
tenantName=Corp-Inline-Customer-1, flowId=2181338631, flowCookie=1704996134, transactionId=0, vsnId=0, 
applianceId=1, urlCategory=private_ip_addresses, appIdStr=http, httpHost=10.40.251.5, 
httpMimeType=application/json, httpUrl=/wp-json/wp/v2/blockpatterns/categories?_locale=user, httpMethod=GET, 
httpUserAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0, 
os=Windows, browser=Firefox, sourceIPv4Address=172.30.60.226, 
destinationIPv4Address=10.40.251.5, sourceTransportPort=64552, destinationTransportPort=80, 
protocolIdentifier=6, fromUser=user123@versanetworks.com 

HTTP Metadata Log Message Fields

Field

Description

applianceName

Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device.

tenantName

Name of the organization (tenant).

flowId

Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow.

flowCookie

Time when the flow was created, in UNIX epoch time format.

transactionId

Transaction identifier.

vsnId

Virtual service node identifier, or VM.

applianceId

VOS device identifier. This field is not used.

urlCategory

URL Category.

appIdStr

Application name.

httpHost

HTTP header host.

httpMimeType

HTTP mime type.

httpUrl

HTTP URL.

httpMethod

HTTP method.

httpUserAgent

HTTP user agent.

os

Operating system of the user session.

browser

Browser of the user session.

sourceIPv4Address or sourceIPv6Address

Source IPv4 or IPv6 address.

destinationIPv4Address or destinationIPv6Address

Destination IPv4 or IPv6 address.

sourceTransportPort

Source transport port. 

destinationTransportPort

Destination transport port.

protocolIdentifier

(For Releases 22.1.1 and later.) Protocol identifier.

fromUser

(For Releases 22.1.1 and later.) Username.

SASE Web Logs

For Releases 22.1.1 and later

SASE web logs are sent for web traffic for cloud-hosted SASE services. They include firewall and UTM policy information for a user's traffic session in a single log message.

SASE Web Log Message Format

2024-01-10T14:15:21+0000 saseWebLog, applianceName=Bangalore-ECT-DCActive, tenantName=Corp-Inline-Customer-1, 
flowId=34034049, flowCookie=1704896094, vsnId=0, applianceId=1, httpHost="10.192.165.250:5001", 
httpUrl="/update_note", httpMethod="POST", httpReferrer="", httpUserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0", 
urlCategory=private_ip_addresses, httpProtocol=http, appIdStr=http, appSubFamily=web, sslSNI="", 
PolicyRuleName=Allow-RAC-Users, policyActionName=allow, policyActionModule=policy, traffScope=none, 
sentOctets=2124, recvdOctets=1032, flowDurationMsecs=337, sslDecrypted=no, sourceIPv4Address=172.30.58.18, 
destinationIPv4Address=10.192.165.250, sourceTransportPort=60077, destinationTransportPort=5001, protocolIdentifier=6, 
fromUser=user123@versa-networks.com 

SASE Web Log Message Fields

Field

Description

applianceName

Name of the VOS device. This is the name displayed in the output of the show system identification branch CLI command.

tenantName

Name of the organization (tenant).

flowId

Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow.

flowCookie

Time when the flow was created, in UNIX epoch time format.

vsnId

Virtual service node identifier, or VM.

applianceId

VOS device identifier. This field is not used.

httpHost

HTTP header host.

httpUrl

HTTP URL.

httpMethod

HTTP method.

httpReferrer

HTTP referrer.

httpUserAgent

HTTP user agent.

urlCategory

URL category.

httpProtocol

HTTP protocol (for example, HTTP).

appIdStr

Application name.

appSubFamily

Application family.

policyRuleName

Policy rule that was matched.

policyActionName

Policy action that was taken.

policyActionModule

Policy module that took the action.

traffScope

Whether traffic is sent to private applications or to the internet.

sentOctets

Number of octets sent.

sentPackets

Number of packets sent.

flowDurationMsecs

Duration of flow, in milliseconds.

sslDecrypted

Whether the SSL traffic was decrypted (yes or no).

sourceIPv4Address or sourceIPv6Address

Source IPv4 or IPv6 address.

destinationIPv4Address or destinationIPv6Address

Destination IPv4 or IPv6 address.

sourceTransportPort

Source transport port.

destinationTransportPort

Destination transport port.

protocolIdentifier

Protocol identifier.

fromUser

Username.

SD-WAN SLA Violation Logs

When you enable log export functionality (LEF) in an SD-WAN policy rule, SD-WAN SLA violation log messages are sent when traffic steering, or redirection, occurs.

Log Message Format

2017-11-28T23:12:43+0000 sdwanSlaPathViolLog, applianceName=Site1Branch1, tenantName=Customer1, flowId=34076716, 
flowCookie=1511911224, applianceId=1, tenantId=1, vsnId=0, rule=Rule_Http, localSiteName=Site1Branch1, 
fromRemoteSiteName=, fromLocalAccCktName=, fromRemoteAccCktName=, toRemoteSiteName=Site3Branch1, 
toLocalAccCktName=ISPA-Network, toRemoteAccCktName=ISPA-Network, forwardingClass=fc_be, fromPriority=P-0, toPriority=SLA Vio, 
reason="Violating metrics [Current value(Configured Threshold)]: latency-714(250) loss percentage-12.50(5) "
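
The reason field above packs the violated SLA metrics into free text as name-current(threshold) pairs, where a metric name can itself contain a space (loss percentage). The Python below is an added example, not Versa code: it pulls the steering context and each violated metric out of one sdwanSlaPathViolLog line and checks every current value against its configured threshold. The function names are assumptions; the sample line is the one shown above, joined onto a single line.

```python
import re

# Each violating metric is written "<name>-<current>(<threshold>)"; the name may contain
# a space ("loss percentage"), so it is matched lazily up to the hyphen before the value.
_METRIC_RE = re.compile(r'([a-z][a-z ]*?)-(\d+(?:\.\d+)?)\((\d+(?:\.\d+)?)\)')
# Steering context fields; their values never contain commas, so [^,]* is enough.
_FIELD_RE = re.compile(
    r'\b(rule|localSiteName|toRemoteSiteName|toRemoteAccCktName|toPriority)=([^,]*)')


def parse_violation_metrics(reason):
    """Turn the free-text 'reason' value into a list of structured metric violations."""
    metrics = []
    for name, current, threshold in _METRIC_RE.findall(reason):
        cur, thr = float(current), float(threshold)
        metrics.append({"metric": name.strip(), "current": cur,
                        "threshold": thr, "exceeded": cur > thr})
    return metrics


def parse_sla_violation(line):
    """Extract where traffic was steered and which SLA metrics drove the steering."""
    if " sdwanSlaPathViolLog," not in line:
        raise ValueError("not an sdwanSlaPathViolLog record")
    fields = {key: value.strip() for key, value in _FIELD_RE.findall(line)}
    match = re.search(r'reason="([^"]*)"', line)   # reason is always double-quoted
    fields["metrics"] = parse_violation_metrics(match.group(1)) if match else []
    return fields


# Constructed sample: the sdwanSlaPathViolLog line shown above, joined onto one line.
SAMPLE_LINE = (
    '2017-11-28T23:12:43+0000 sdwanSlaPathViolLog, applianceName=Site1Branch1, tenantName=Customer1, '
    'flowId=34076716, flowCookie=1511911224, applianceId=1, tenantId=1, vsnId=0, rule=Rule_Http, '
    'localSiteName=Site1Branch1, fromRemoteSiteName=, fromLocalAccCktName=, fromRemoteAccCktName=, '
    'toRemoteSiteName=Site3Branch1, toLocalAccCktName=ISPA-Network, toRemoteAccCktName=ISPA-Network, '
    'forwardingClass=fc_be, fromPriority=P-0, toPriority=SLA Vio, '
    'reason="Violating metrics [Current value(Configured Threshold)]: latency-714(250) loss percentage-12.50(5) "'
)

if __name__ == "__main__":
    violation = parse_sla_violation(SAMPLE_LINE)
    print(violation["rule"], "steered to", violation["toRemoteSiteName"],
          "via", violation["toRemoteAccCktName"])
    for m in violation["metrics"]:
        print(f'  {m["metric"]}: {m["current"]} (threshold {m["threshold"]}) exceeded={m["exceeded"]}')
```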

SD-WAN Traffic Logs

SD-WAN traffic log messages are enabled as part of SD-WAN traffic flow monitoring. These log messages record flow information at the beginning or end of a flow, or both at the beginning and end of a flow. If the traffic monitoring policy rule is set to enable the sending of external application metadata (send-ext-app-metadata), the SD-WAN traffic log messages include application metadata, such as application risk, productivity, family, and subfamily.

SD-WAN Traffic Log Message Format

2017-11-26T22:42:38+0000 flowMonLog, applianceName=Branch1, tenantName=Customer1, flowId=33655871, 
flowCookie=1511734794, flowStartMilliseconds=361020099, flowEndMilliseconds=361865221, 
sentOctets=15000, sentPackets=34, recvdOctets=360, recvdPackets=6, vsnId=0, applianceId=1, 
tenantId=1, appRisk=1, appProductivity=3, appIdStr=iperf, appFamily=, appSubFamily=, urlCategory=, 
rule=catchall, localSiteName=Branch1, fwdEgrSiteName=Branch2, fwdEgrAccCktName=MPLS:MPLS, 
revIngAccCktName=MPLS, revIngSiteName=, fwdIngSiteName=, fwdIngAccCktName=vni-0/2.0, 
revEgrSiteName=, revEgrAccCktName=vni-0/2.0, deviceKey=, 
forwardForwardingClass=fc_be, reverseForwardingClass=fc_be

2017-11-26T22:42:38+0000 flowMonLog, applianceName=Branch1, tenantName=Customer1, flowId=33655871, 
flowCookie=1511734794, flowStartMilliseconds=361020099, flowEndMilliseconds=361865221, sentOctets=15000, 
sentPackets=34, recvdOctets=360, recvdPackets=6, vsnId=0, applianceId=1, tenantId=1, appRisk=1, 
appProductivity=3, appIdStr=iperf, appFamily=, appSubFamily=, urlCategory=, rule=catchall, 
localSiteName=Branch1, fwdEgrSiteName=Branch2, fwdEgrAccCktName=MPLS:MPLS, revIngAccCktName=MPLS, 
revIngSiteName=, fwdIngSiteName=, fwdIngAccCktName=vni-0/2.0, revEgrSiteName=, revEgrAccCktName=vni-0/2.0, 
deviceKey=, forwardForwardingClass=fc_be, reverseForwardingClass=fc_be, sourceIPv4Address=172.16.41.106, 
destinationIPv4Address=172.16.21.10, sourceTransportPort=38528, destinationTransportPort=80, 
protocolIdentifier=17, fromUser=Unknown 

SD-WAN Traffic Log Message Fields

Field Description
applianceName Name of the VOS device. This is the name displayed in the output of the show system identification branch CLI command.
tenantName Name of the organization (tenant).
flowId Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow.
flowCookie Time when the flow was created, in UNIX epoch time format.
flowStartMilliseconds Time when the session started, in UNIX epoch time format.
flowEndMilliseconds Time when the session was torn down, in UNIX epoch time format.
sentOctets Number of octets sent.
sentPackets Number of packets sent.
recvdOctets Number of octets received.
recvdPackets Number of packets received.
tenantId Tenant identifier. This value is allocated internally by the VOS device.
applianceId VOS device identifier. This field is not used.
vsnId Identifier of the virtual service node, or VM.
appIdStr Application identifier.
appRisk Application risk value.
appProductivity Application productivity value.
appFamily Application family.
appSubFamily Application subfamily.
urlCategory URL category for web traffic.
rule Traffic monitoring rule that evaluated the flow.
localSiteName Name of the local SD-WAN site that generated the traffic log.
fwdEgrSiteName Name of the destination SD-WAN site towards which traffic is sent from the local site. This forward-direction traffic flows from the local source to its destination.
fwdEgrAccCktName Name of the circuit or interface used to send forward-direction traffic. For traffic forwarded to an SD-WAN site, this field shows the names of the local and remote SD-WAN links on which the traffic was sent. For traffic sent directly to the internet, this field shows the name of the local SD-WAN link or the interface on which the traffic was sent.
revIngSiteName Name of the SD-WAN remote site from which traffic is received by the local site. This reverse-direction traffic flows from its destination to the local source.
revIngAccCktName Name of the circuit or interface used to receive reverse-direction traffic. For traffic received from an SD-WAN site, this field shows the names of the local and remote SD-WAN links on which the traffic was received. For traffic sent directly to the internet, this field shows the name of the local SD-WAN link or the interface on which the traffic was received.
fwdIngSiteName Name of the SD-WAN remote site from which reverse-direction traffic was received by the local site.
fwdIngAccCktName Name of the circuit or interface used to receive forward-direction traffic. For traffic received from an SD-WAN site, this field shows the names of the local and remote SD-WAN links on which the traffic was received. For traffic received directly from the internet, this field shows the name of the local SD-WAN link or the interface on which the traffic was received.
revEgrSiteName Name of the SD-WAN site to which reverse-direction traffic was sent by the local site.
revEgrAccCktName Name of the circuit or interface used to send reverse-direction traffic. For traffic sent from an SD-WAN site, this field shows the names of the local and remote SD-WAN links on which the traffic was sent. For traffic sent directly to the internet, this field shows the name of the local SD-WAN link or the interface on which the traffic was sent.
deviceKey Device key, which is shown when device identification is enabled.
forwardForwardingClass Forwarding class for the traffic flow in the forward direction.
reverseForwardingClass Forwarding class for the traffic flow in the reverse direction.
sourceIPv4Address or sourceIPv6Address Source IPv4 or IPv6 address.
destinationIPv4Address or destinationIPv6Address Destination IPv4 or IPv6 address.
sourceTransportPort Source transport port.
destinationTransportPort Destination transport port.
protocolIdentifier (For Releases 22.1.1 and later.) Layer 4 protocol identifier.
fromUser (For Releases 22.1.1 and later.) Username.

Threat Logs

Access Logs

Access Log Message Format

2021-03-18T16:00:17+0000 accessLog, applianceName=SDWAN-Branch4, tenantName=Tenant1, 
flowId=2181092523, flowCookie=1616083363, flowStartMilliseconds=121604466, flowEndMilliseconds=121604514, 
sentOctets=565, sentPackets=6, recvdOctets=1074, recvdPackets=4, appId=370, eventType=end, 
tenantId=2, urlCategory=entertainment_and_arts, action=allow, vsnId=0, applianceId=1, appRisk=3, 
appProductivity=1, appIdStr=netflix, appFamily=media, appSubFamily=audio_video, rule=Allow_From_Trust, 
forwardForwardingClass=fc_be, reverseForwardingClass=fc_be, host=www.netflix.com, deviceKey=Unknown, 
deviceName=Unknown, sourceIPv4Address=172.16.41.106, destinationIPv4Address=172.16.21.10, 
sourceTransportPort=38528, destinationTransportPort=80, protocolIdentifier=17, fromUser=Unknown, 
eipProfileName=, traffScope=none, srcSGT=, destSGT= 

Access Log Message Fields

Field Description
applianceName Name of the VOS device. This is the name displayed in the output of the show system identification branch CLI command.
tenantName Name of the organization (tenant).
flowId Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow.
flowCookie Time when the flow was created, in UNIX epoch time format.
flowStartMilliseconds Time when the session was created, in UNIX epoch time format.
flowEndMilliseconds Time when the session was ended (destroyed), in UNIX epoch time format.
sentOctets Number of octets sent.
sentPackets Number of packets sent.
recvdOctets Number of octets received.
recvdPackets Number of packets received.
appId Application identifier.
eventType Type of event; that is, whether the log was generated at the start or end of the flow.
tenantId Tenant identifier. This value is allocated internally by the VOS device.
urlCategory URL category for web traffic.
action Firewall action taken:
  • Allow
  • Deny
  • Reject
vsnId Identifier of the virtual service node, or VM.
applianceId VOS device identifier. This field is not used.
appRisk Risk level of the application.
appProductivity Application productivity.
appIdStr Application identifier string.
appFamily Application family.
appSubFamily Application subfamily.
rule Firewall rule that matches the traffic.
forwardForwardingClass Traffic-forwarding class in the forward direction.
reverseForwardingClass Traffic-forwarding class in the reverse direction.
host Header host for HTTP traffic. This is useful when the application is unknown-http or unknown-ssl.
deviceKey Device key. This field is populated if the device identification feature is enabled.
deviceName Device name. This field is populated if the device identification feature is enabled.
sourceIPv4Address or sourceIPv6Address Source IPv4 or IPv6 address.
destinationIPv4Address or destinationIPv6Address Destination IPv4 or IPv6 address.
sourceTransportPort Source transport port.
destinationTransportPort Destination transport port.
protocolIdentifier (For Releases 22.1.1 and later.) Protocol identifier.
fromUser (For Releases 22.1.1 and later.) Username.
eipProfileName (For Releases 22.1.1 and later.) Endpoint information profile name.
traffScope Whether traffic is sent to private applications or to the internet.
srcSGT Source secure group tag.
destSGT Destination secure group tag.

Antivirus Logs

Antivirus Log Message Format

21-02-20T07:45:41Z avLog, tenant=Tenant3, applianceName=SDWAN-Branch1, srcAddr=172.53.2.3, 
destAddr=89.238.73.97, srcPort=51523, destPort=443, ingIf=vni-0/0.0, egrIf=vni-0/0.0, 
fromCountry=United States, toCountry=Germany, protocolId=6, fromZone=remote-client, 
fromUser=user1, toZone=RTI-WAN1-Zone, toLatLon=49.47,7.17, fromLatLon=40.71,-74.01, 
fromGeoHash=dr5reg, toGeoHash=u0v17j, profileName=Scan Web and Email Traffic, appId=http, 
fileName=eicarcom2.zip, fileType=zip, fileTransDir=download, avMalwareType=AV_DETECTION_TYPE_NONE, 
avMalwareName=EICAR_Test_File, avAccuracy=AV_DETECTION_ACCURACY_NONE, avAction=deny, 
threatType=virus_event, threatSeverity=critical, traffScope=public, 
fileHashValue=e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397

Antivirus Log Message Fields

Field Description
applianceName Name of the VOS device. This is the name displayed in the output of the show system identification branch CLI command.
tenantName Name of the organization (tenant).
flowId Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow.
flowCookie Time when the flow was created, in UNIX epoch time format.
vsnId Identifier of the virtual service node, or VM.
applianceId VOS device identifier. This field is not used.
tenantId Tenant identifier. This value is allocated internally by the VOS device.
profileName Name of the antivirus profile that triggered the event.
appIdStr Application name.
fileName Name of the file in which malware was detected.
fileTransDir File transfer direction:
  • Download
  • Upload
avMalwareType Type of malware threat.
avMalwareName Name of the malware.
avAccuracy Accuracy of malware detection.
avAction Action taken for the event.
sourceIPv4Address or sourceIPv6Address Source IPv4 or IPv6 address.
destinationIPv4Address or destinationIPv6Address Destination IPv4 or IPv6 address.
sourceTransportPort Source transport port.
destinationTransportPort Destination transport port.
protocolIdentifier (For Releases 22.1.1 and later.) Protocol identifier.
fromUser (For Releases 22.1.1 and later.) Username.
threatType (For Releases 22.1.1 and later.) Type of threat.
threatSeverity (For Releases 22.1.1 and later.) Severity of the threat.
traffScope (For Releases 22.1.1 and later.) Whether traffic is sent to private applications or to the internet.
fileHashValue (For Releases 22.1.1 and later.) SHA-256 hash of the file.

IDP Logs

IDP Log Message Format

2024-07-11 02:11:06 idpLog, applianceName=Branch1, 
tenantName=USA, flowId=41532610, flowCookie=1720663865, signatureId=1061212062, 
groupId=1, signatureRev=0, vsnId=0,  applianceId=1,  tenantId=2,  moduleId=10,  
signaturePriority=critical, idpAction=alert, 
signatureMsg="Microsoft Windows SNMP Service Memory Corruption", classMsg="Attempted User Privilege Gain", 
threatType=attempted-user, packetTime=07/11/2024-02:11:05.256264, HitCount=1, 
ipsProfile=Versa Recommended Profile-Exception-IPS-Override, 
ipsProfileRule=Attack Severity Rule Filter for older than 10 years, ipsDirection=ToServer, 
ipsProtocol=UDP, ipsApplication=snmp, sourceIPv4Address=10.205.167.170, 
destinationIPv4Address=10.191.64.21, sourceTransportPort=44924, 
destinationTransportPort=161, protocolIdentifier=17, fromUser=Unknown, traffScope=public

2017-11-26T22:37:11+0000 idpLog, applianceName=Branch1, tenantName=Customer1, flowId=33655871, flowCookie=1511734794, 
signatureId=1000000530, groupId=1, signatureRev=0, vsnId=0, applianceId=1, tenantId=1, moduleId=12, signaturePriority=2, 
idpAction=alert, signatureMsg="Microsoft DNS Server Denial of Service", classMsg="Attempted Denial of Service", 
threatType=attempted-dos, packetTime=11/26/2017-14:37:11.000000, HitCount=1, ipsProfile=Vulnerablity_Profile, 
ipsProfileRule=Rule1, ipsDirection=ToClient, ipsProtocol=UDP, ipsApplication=dns

2021-03-08T23:53:54+0000 idpLog, applianceName=HE-DC-Branch-1, tenantName=Corp-Inline-Customer-1, 
flowId=1107414882, flowCookie=1615086843, signatureId=1140408011, groupId=1, signatureRev=0, vsnId=0, 
applianceId=1, tenantId=1, moduleId=10, signaturePriority=high, idpAction=reject, 
signatureMsg="OpenSSL TLS DTLS Heartbeat Information Disclosure", 
classMsg="information disclosure was detected", threatType=information-disclosure, 
packetTime=03/08/2021-15:59:01.982516, HitCount=1, ipsProfile=Versa Recommended Profile, 
ipsProfileRule=Attack Severity Rule Filter, ipsDirection=ToServer, ipsProtocol=TCP, ipsApplication=https, 
sourceIPv4Address=172.30.57.19, destinationIPv4Address=10.100.253.12, sourceTransportPort=62397, 
destinationTransportPort=443, protocolIdentifier=6, fromUser=abc@versa-networks.com 

IDP Log Message Fields

Field Description
applianceName Name of the VOS device. This is the name displayed in the output of the show system identification branch CLI command.
tenantName Name of the organization (tenant).
flowId Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow.
flowCookie Time when the flow was created, in UNIX epoch time format.
signatureId Identifier of the signature that matched the traffic.
groupId Group identifier.
signatureRev Version of the signature.
vsnId Identifier of the virtual service node, or VM.
applianceId VOS device identifier. This field is not used.
tenantId Tenant identifier. This value is allocated internally by the VOS device.
moduleId IPS module identifier.
signaturePriority Priority of the signature.
idpAction Action taken by IDP, such as allow, alert, drop-session, or reject.
signatureMsg Message describing the signature.
classMsg Class message.
threatType Type of intrusion threat. Values correspond to the classtypes defined in Snort.
packetTime Time when the event occurred.
HitCount Number of signature matches for the traffic flow.
ipsProfile IPS profile name matching the traffic flow.
ipsProfileRule IPS profile rule matching the traffic flow.
ipsDirection Direction of the traffic flow.
ipsProtocol Protocol of the traffic flow.
ipsApplication Application of the traffic flow.
sourceIPv4Address or sourceIPv6Address Source IPv4 or IPv6 address.
destinationIPv4Address or destinationIPv6Address Destination IPv4 or IPv6 address.
sourceTransportPort Source transport port.
destinationTransportPort Destination transport port.
protocolIdentifier (For Releases 22.1.1 and later.) Protocol identifier.
fromUser (For Releases 22.1.1 and later.) Username.
traffScope Scope of traffic, such as public or unknown.

URL-Filtering Logs

URL-filtering logs display entries for traffic that matches the URL-filtering profile associated with a security policy rule.

URL-Filtering Log Message Format

2017-11-26T24:42:38+0000 urlfLog, applianceName=DC1Branch1, tenantName=Customer1, flowId=33655871, flowCookie=1511734794, 
vsnId=0, applianceId=1, tenantId=1, urlReputation=trustworthy, urlCategory=business_and_economy, 
httpUrl=apt.puppetlabs.com/dists/trusty/Release.gpg, urlfProfile=url_profile1, urlfAction=ask, 
urlfActionMessage=

2021-02-18T18:50:15+0000 urlfLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, flowId=3254966030, 
flowCookie=1613674373, vsnId=0, applianceId=1, tenantId=2, urlReputation=trustworthy, 
urlCategory=streaming_media, httpUrl=www.youtube.com/index.html, urlfProfile=YoutubeRule, urlfAction=alert, 
urlfActionMessage=, sourceIPv4Address=172.16.11.103, destinationIPv4Address=172.16.31.10, 
sourceTransportPort=55333, destinationTransportPort=80, protocolIdentifier=6, fromUser=abc@versa-networks.com 
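The two sample messages above share one shape: a timestamp, the syslog identifier (urlfLog), then comma-separated key=value pairs. The following Python is an added example, not code from the Versa documentation or from VOS, that parses lines in this format and correlates them by the (applianceName, tenantName, flowId, flowCookie) combination the Flow Identification section describes, rather than by the 5-tuple alone. Its input is the two sample lines shown above (joined into single lines) plus one constructed line that reuses the second sample's 5-tuple with a new flowId and flowCookie; the value urlReputation=high_risk on that constructed line is an assumed spelling of the "High risk" reputation listed in the field table, and www.example.com is a placeholder host.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The two urlfLog samples from this page, joined into single lines.
PAGE_SAMPLES = [
    ("2017-11-26T24:42:38+0000 urlfLog, applianceName=DC1Branch1, tenantName=Customer1, "
     "flowId=33655871, flowCookie=1511734794, vsnId=0, applianceId=1, tenantId=1, "
     "urlReputation=trustworthy, urlCategory=business_and_economy, "
     "httpUrl=apt.puppetlabs.com/dists/trusty/Release.gpg, urlfProfile=url_profile1, "
     "urlfAction=ask, urlfActionMessage="),
    ("2021-02-18T18:50:15+0000 urlfLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, "
     "flowId=3254966030, flowCookie=1613674373, vsnId=0, applianceId=1, tenantId=2, "
     "urlReputation=trustworthy, urlCategory=streaming_media, httpUrl=www.youtube.com/index.html, "
     "urlfProfile=YoutubeRule, urlfAction=alert, urlfActionMessage=, "
     "sourceIPv4Address=172.16.11.103, destinationIPv4Address=172.16.31.10, "
     "sourceTransportPort=55333, destinationTransportPort=80, protocolIdentifier=6, "
     "fromUser=abc@versa-networks.com "),
]

# Constructed line (not from the page): same device, tenant and 5-tuple as the
# second sample but a later flow (new flowId/flowCookie). 'high_risk' is an
# assumed spelling of the "High risk" reputation; www.example.com is a placeholder.
CONSTRUCTED_SAMPLE = (
    "2021-02-18T19:05:02+0000 urlfLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, "
    "flowId=3254970001, flowCookie=1613675102, vsnId=0, applianceId=1, tenantId=2, "
    "urlReputation=high_risk, urlCategory=streaming_media, httpUrl=www.example.com/watch?v=1&x=2, "
    "urlfProfile=YoutubeRule, urlfAction=alert, urlfActionMessage=, "
    "sourceIPv4Address=172.16.11.103, destinationIPv4Address=172.16.31.10, "
    "sourceTransportPort=55333, destinationTransportPort=80, protocolIdentifier=6, "
    "fromUser=abc@versa-networks.com"
)

# '<timestamp> <syslogIdentifier>, <key=value pairs>'
HEADER_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ident>\w+),\s*(?P<body>.*)$")


@dataclass
class FlowLogRecord:
    timestamp: str
    identifier: str          # syslog identifier, e.g. urlfLog
    fields: Dict[str, str]


def parse_flow_log(line: str) -> FlowLogRecord:
    """Parse one flow-log line. Values split on the first '=' only, so URLs
    with query strings survive; an empty value (urlfActionMessage=) becomes ''."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a VOS flow-log line: {line!r}")
    fields: Dict[str, str] = {}
    for item in m.group("body").split(", "):
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed key=value item: {item!r}")
        fields[key.strip()] = value.strip()
    return FlowLogRecord(m.group("ts"), m.group("ident"), fields)


FlowKey = Tuple[str, str, str, str]


def flow_key(rec: FlowLogRecord) -> FlowKey:
    """Flow identity per the page: device + tenant + flowId + flowCookie."""
    f = rec.fields
    return (f["applianceName"], f["tenantName"], f["flowId"], f["flowCookie"])


def five_tuple(rec: FlowLogRecord) -> Optional[Tuple[str, str, int, int, int]]:
    """Classic 5-tuple, or None when the log lacks the address/port fields
    (they were added in Release 22.1.1, so older messages do not carry them)."""
    f = rec.fields
    src = f.get("sourceIPv4Address") or f.get("sourceIPv6Address")
    dst = f.get("destinationIPv4Address") or f.get("destinationIPv6Address")
    if not src or not dst:
        return None
    try:
        return (src, dst, int(f["sourceTransportPort"]),
                int(f["destinationTransportPort"]), int(f["protocolIdentifier"]))
    except KeyError:
        return None


def group_by_flow(records: List[FlowLogRecord]) -> Dict[FlowKey, List[FlowLogRecord]]:
    groups: Dict[FlowKey, List[FlowLogRecord]] = defaultdict(list)
    for rec in records:
        groups[flow_key(rec)].append(rec)
    return dict(groups)


def group_by_five_tuple(records: List[FlowLogRecord]) -> Dict[tuple, List[FlowLogRecord]]:
    """Naive correlation: merges distinct flows that reuse the same 5-tuple."""
    groups: Dict[tuple, List[FlowLogRecord]] = defaultdict(list)
    for rec in records:
        key = five_tuple(rec)
        if key is not None:
            groups[key].append(rec)
    return dict(groups)


def risky_urlf_records(records: List[FlowLogRecord],
                       reputations=frozenset({"high_risk"})) -> List[FlowLogRecord]:
    """Triage helper: urlfLog entries whose reputation is in the watch set."""
    return [r for r in records
            if r.identifier == "urlfLog" and r.fields.get("urlReputation") in reputations]


if __name__ == "__main__":
    recs = [parse_flow_log(l) for l in PAGE_SAMPLES + [CONSTRUCTED_SAMPLE]]
    print("distinct flows by flowId+flowCookie:", len(group_by_flow(recs)))
    print("distinct flows by 5-tuple only:", len(group_by_five_tuple(recs)))
    for r in risky_urlf_records(recs):
        print("review:", r.fields["fromUser"], r.fields["httpUrl"], flow_key(r))
```

Grouping by 5-tuple collapses the second sample and the constructed line into one flow, while the flowId/flowCookie key keeps them apart, which is the correlation pitfall the Flow Identification section describes. The same parser applies to the other syslog identifiers on this page (idpLog, avLog, dnsfLog) because they share the timestamp, identifier, key=value layout.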

URL-Filtering Log Message Fields

Field Description
applianceName Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device.
tenantName Name of the organization (tenant).

flowId Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identify the flow.
flowCookie Time when the flow was created, in UNIX epoch time format.
vsnId Identifier of the virtual service node, or VM.
applianceId VOS device identifier. This field is not used.
tenantId Tenant identifier. This value is allocated internally by the VOS device.
urlReputation Reputation score of the URL:

  • High risk
  • Low risk
  • Trustworthy
urlCategory Name of URL category for web traffic.
httpUrl URL that triggered the traffic event.
urlfProfile Name of the URL-filtering profile that matched the traffic.
urlfAction URL-filtering action taken for the event.
urlfActionMessage Description of the action taken for the event.
sourceIPv4Address or sourceIPv6Address Source IPv4 or IPv6 address.
destinationIPv4Address or destinationIPv6Address Destination IPv4 or IPv6 address.
sourceTransportPort Source transport port.
destinationTransportPort Destination transport port.
protocolIdentifier (For Releases 22.1.1 and later.) Protocol identifier.
fromUser (For Releases 22.1.1 and later.) Username.

Supported Software Information

Releases 20.2 and later support all content described in this article except:

  • Release 21.1.1 adds support for ADC and DNS-filtering logs.
  • Release 21.2.1 adds support for the hostname field in the DHCP flow log message.
  • Release 22.1.1 adds support for SASE web logs; adds support for the protocolIdentifier and fromUser fields in DNS-filtering, DNS metadata, and file-filtering logs; for the protocolIdentifier, fromUser, threatType, threatSeverity, traffScope, and fileHashValue fields for the syslog identifier avLog.
  • Release 22.1.3 adds support for ATP sandbox, CASB, and DLP logs; for the syslog identifier dnsfTunnelLog; for the threatSeverity, threatType, and dnsfSinkHoleIp fields for the syslog identifier dnsfLog.