Flow Logs
You can configure Versa Operating System™ (VOS™) devices to send logs for traffic flows (sessions). The flow logs consist of a flow identification log message followed immediately by log messages for the specific services that are part of the flow.
VOS devices can send flow logs for the following services:
- Application delivery controller (ADC) services
- Authentication using Lightweight Directory Access Protocol (LDAP) or Security Assertion Markup Language (SAML)
- Cloud access security broker (CASB)
- Carrier-grade NAT (CGNAT)
- Data loss prevention (DLP)
- Domain name system (DNS)
- File filtering
- Sandboxing
- SASE web logging
- SD-WAN SLA violations
- SD-WAN traffic
- Security features, including access, antivirus, IDP, and URL filtering
Flow Identification
For a single tenant on a VOS device, you can identify individual traffic flows by matching logs that have the same source IP address, destination IP address, source port number, destination port number, and protocol value. In all service-specific flow logs, you can locate this information in the following fields:
- destinationIPv4Address or destinationIPv6Address
- destinationTransportPort
- protocolIdentifier
- sourceIPv4Address or sourceIPv6Address
- sourceTransportPort
You can use the values in these fields to correlate logs for a single flow.
However, it is possible that a second flow with identical values for these fields might begin after the initial flow terminates. In this case, you might mistakenly correlate the logs of the two flows as a single flow. To provide an alternate way to correlate flow logs, VOS devices generate a flow identification number and a timestamp (called a flow cookie). The combination of these two fields uniquely identifies a flow for the tenant on the VOS device. All service-specific flow logs provide the flow identification and timestamp information in the following fields:
- flowId
- flowCookie
You can export logs from multiple VOS devices, tenants, and virtual service nodes (VSN) to the same third-party server. In this case, to determine which logs belong to a particular flow, you must also match the following fields that are included in all service-specific flow logs:
- applianceName
- tenantId
- vsnId
You typically use the combination of flow ID, flow cookie, appliance name, tenant ID, and VSN ID to correlate flow logs on third-party servers. However, you can instead correlate the flow logs using the combination of the source port, source IP address, destination port, destination IP address, protocol identifier, VOS device name, tenant ID, and VSN ID.
Flow Metadata
VOS devices collect flow metadata, such as the flow's sending and receiving interfaces, but this information is not included in service-specific flow logs. Instead, VOS devices generate a flow identification log at the beginning of each flow, and this log includes the flow metadata. Flow identification logs also include the flow ID and flow cookie, and you can use the values in these two fields to correlate flow metadata with service-specific logs.
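The correlation rule above, as an added example that is not part of the Versa documentation or VOS software: a small Python parser for the key=value log format shown on this page, with two grouping keys. The first groups by appliance name, tenant ID, VSN ID, flow ID and flow cookie, the second by the 5-tuple fallback. The sample log lines are constructed (flow B deliberately reuses flow A's 5-tuple after A has ended); all function names are my own. Note that the flow identification log names its ports sourcePort/destinationPort while service logs use sourceTransportPort/destinationTransportPort, so the 5-tuple key accepts either name.

```python
import re
from collections import defaultdict

# One key=value pair of a VOS flow log. Values may be quoted, and quoted values
# may contain commas (for example alarmText="... (utilization: 93%)").
_PAIR_RE = re.compile(r'\s*([A-Za-z0-9_]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]*)')


def parse_log(line):
    """Split '<timestamp> <logType>, k=v, k=v, ...' into (timestamp, log_type, fields)."""
    head, _, rest = line.partition(",")
    timestamp, log_type = head.split(None, 1)
    fields = {k: v.strip().strip('"') for k, v in _PAIR_RE.findall(rest)}
    return timestamp, log_type.strip(), fields


def _first(fields, *names):
    """Return the first non-empty value among alternative field names."""
    for name in names:
        if fields.get(name):
            return fields[name]
    return ""


def flow_key(fields):
    """Unambiguous key: appliance + tenant + VSN + flowId + flowCookie."""
    return (fields["applianceName"], fields["tenantId"], fields["vsnId"],
            fields["flowId"], fields["flowCookie"])


def five_tuple_key(fields):
    """Fallback key: appliance + tenant + VSN + 5-tuple. flowIdLog names the ports
    sourcePort/destinationPort, service logs use *TransportPort; accept both."""
    return (fields["applianceName"], fields["tenantId"], fields["vsnId"],
            _first(fields, "sourceIPv4Address", "sourceIPv6Address"),
            _first(fields, "destinationIPv4Address", "destinationIPv6Address"),
            _first(fields, "sourceTransportPort", "sourcePort"),
            _first(fields, "destinationTransportPort", "destinationPort"),
            fields.get("protocolIdentifier", ""))


def correlate(lines, key_fn=flow_key):
    """Group log lines by key_fn. The flowIdLog of each group supplies the flow
    metadata (interfaces, zones) that the service-specific logs do not carry."""
    groups = defaultdict(lambda: {"metadata": None, "events": []})
    for line in lines:
        timestamp, log_type, fields = parse_log(line)
        group = groups[key_fn(fields)]
        if log_type == "flowIdLog":
            group["metadata"] = {k: fields.get(k, "") for k in
                                 ("ingressInterfaceName", "egressInterfaceName", "fromZone", "toZone")}
        else:
            group["events"].append((timestamp, log_type, fields))
    return dict(groups)


# Constructed sample (not real device output): flow A, then flow B, which reuses
# A's exact 5-tuple after A ended, with a different flowId/flowCookie.
SAMPLE_LOGS = [
    "2017-11-26T22:42:38+0000 flowIdLog, applianceName=Branch1, tenantName=Customer1, flowId=33655871, flowCookie=1511734794, sourceIPv4Address=172.21.1.2, destinationIPv4Address=172.21.2.2, sourcePort=44657, destinationPort=5001, tenantId=1, vsnId=0, applianceId=1, ingressInterfaceName=vni-0/2.0, egressInterfaceName=ptvi-0/43, fromCountry=, toCountry=, protocolIdentifier=6, fromZone=trust, fromUser=unknown, toZone=ptvi, icmpTypeIPv4=0",
    "2017-11-26T22:42:39+0000 casbLog, applianceName=Branch1, tenantName=Customer1, flowId=33655871, flowCookie=1511734794, vsnId=0, applianceId=1, tenantId=1, casbProfileName=CASB-Profile-1, casbRuleName=, casbAppName=box_net, casbAppActivity=login, casbAction=allow, casbEmailProfileName=, sourceIPv4Address=172.21.1.2, destinationIPv4Address=172.21.2.2, sourceTransportPort=44657, destinationTransportPort=5001, protocolIdentifier=6, fromUser=alice, casbFromUser=, casbToUser=",
    "2017-11-26T22:42:45+0000 casbLog, applianceName=Branch1, tenantName=Customer1, flowId=33655871, flowCookie=1511734794, vsnId=0, applianceId=1, tenantId=1, casbProfileName=CASB-Profile-1, casbRuleName=, casbAppName=box_net, casbAppActivity=download_file, casbAction=allow, casbEmailProfileName=, sourceIPv4Address=172.21.1.2, destinationIPv4Address=172.21.2.2, sourceTransportPort=44657, destinationTransportPort=5001, protocolIdentifier=6, fromUser=alice, casbFromUser=, casbToUser=",
    "2017-11-26T22:58:10+0000 flowIdLog, applianceName=Branch1, tenantName=Customer1, flowId=33655902, flowCookie=1511735890, sourceIPv4Address=172.21.1.2, destinationIPv4Address=172.21.2.2, sourcePort=44657, destinationPort=5001, tenantId=1, vsnId=0, applianceId=1, ingressInterfaceName=vni-0/3.0, egressInterfaceName=ptvi-0/43, fromCountry=, toCountry=, protocolIdentifier=6, fromZone=guest, fromUser=unknown, toZone=ptvi, icmpTypeIPv4=0",
    "2017-11-26T22:58:11+0000 casbLog, applianceName=Branch1, tenantName=Customer1, flowId=33655902, flowCookie=1511735890, vsnId=0, applianceId=1, tenantId=1, casbProfileName=CASB-Profile-1, casbRuleName=, casbAppName=box_net, casbAppActivity=upload_file, casbAction=block, casbEmailProfileName=, sourceIPv4Address=172.21.1.2, destinationIPv4Address=172.21.2.2, sourceTransportPort=44657, destinationTransportPort=5001, protocolIdentifier=6, fromUser=bob, casbFromUser=, casbToUser=",
]

if __name__ == "__main__":
    for key, group in correlate(SAMPLE_LOGS).items():
        print(key, group["metadata"], [e[1] for e in group["events"]])
    print("groups by 5-tuple:", len(correlate(SAMPLE_LOGS, five_tuple_key)))
```

Grouping by flow ID and flow cookie yields two flows, each with its own interface and zone metadata; grouping by 5-tuple collapses them into one group whose metadata is silently overwritten by the second flow identification log, which is exactly the mis-correlation the text warns about.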
Flow Identification Logs
A flow identification log is generated at the start of each flow.
Flow Identification Log Message Format
2017-11-26T22:42:38+0000 flowIdLog, applianceName=Branch1, tenantName=Customer1, flowId=33655871, flowCookie=1511734794, sourceIPv4Address=172.21.1.2, destinationIPv4Address=172.21.2.2, sourcePort=44657, destinationPort=5001, tenantId=1, vsnId=0, applianceId=1, ingressInterfaceName=vni-0/2.0, egressInterfaceName=ptvi-0/43, fromCountry=, toCountry=, protocolIdentifier=6, fromZone=trust, fromUser=unknown, toZone=ptvi, icmpTypeIPv4=0
Flow Identification Log Message Fields
Field | Description |
---|---|
applianceName | Name of the VOS device. This is the name displayed in the output of the show system identification branch CLI command. |
tenantName | Name of the organization (tenant). |
flowId | Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow. |
flowCookie | Time when the flow was created, in UNIX epoch time format. |
sourceIPv4Address or sourceIPv6Address | Source IPv4 or IPv6 address. |
destinationIPv4Address or destinationIPv6Address | Destination IPv4 or IPv6 address. |
sourcePort | Layer 4 source port. |
destinationPort | Layer 4 destination port. |
tenantId | Tenant identifier. This value is allocated internally by the VOS device. |
applianceId | VOS device identifier. This field is not used. |
vsnId | Identifier of the virtual service node, or virtual machine (VM). |
ingressInterfaceName | Interface receiving the flow. |
egressInterfaceName | Interface sending the flow. |
fromCountry | If the source IP address is a public IP address, country to which the IP address belongs. |
toCountry | If the destination IP address is a public IP address, country to which the IP address belongs. |
protocolIdentifier | Layer 4 protocol identifier. |
fromZone | Zone configured on the device receiving the flow. |
toZone | Zone configured on the device sending the flow. |
fromUser | Username of the client initiating the traffic, if an IP address-to-user mapping is available from Active Directory or Kerberos. |
icmpTypeIPv4 | For an ICMP flow, the ICMP message type. |
ADC Logs
For Releases 21.1.1 and later.
VOS devices use ADC services to load-balance incoming application traffic on TCP and UDP port connections. The ADC service uses network address translation (NAT) to map each connection between the system that initiates the connection and the TCP or UDP port on an ADC server.
The ADC service relays data between the initiating system and the ADC server using two connections. The first connection is between the initiating system and the ADC service. For this connection, the initiating system is the source and the ADC service is the destination. The second connection is between the ADC service and the ADC server. For this connection, the ADC service is the source and the ADC server is the destination. Five values are required to identify each connection: the IP addresses of the source and destination, the TCP or UDP port numbers of the source and destination, and the protocol used for the connection. In logs, these values are stored in the fields listed below.
The following fields are for the connection between the initiating system (source) and the ADC service (destination):
- destinationIPv4Address
- destinationPort
- protocolIdentifier
- sourceIPv4Address
- sourcePort
The following fields are for the connection between the ADC service (post-NAT source) and the ADC server (server):
- postNATSourceIPv4Address
- postNAPTsourceTransportPort
- protocolIdentifier
- serverIPv4Address
- serverPort
ADC Log
ADC Log Message Format
2024-03-27T02:13:18+0000 adcL4Log, applianceName=SDWAN-Controller1, tenantName=provider-org, observationTimeMilliseconds=1711505613183, flowCookie=1711505613, flowId=33554478, flowStartMilliseconds=33180, flowEndMilliseconds=33180, sentOctets=0, sentPackets=0, recvdOctets=0, recvdPackets=0, sourceIPv4Address=169.254.0.3, destinationIPv4Address=172.16.0.0, postNATSourceIPv4Address=172.16.0.0, serverIPv4Address=192.168.95.2, sourcePort=4869, destinationPort=53764, postNAPTsourceTransportPort=10650, serverPort=1234, tenantId=1, vsnId=0, applianceId=0, protocolIdentifier=6, ingressInterfaceName=tvi-0/602.0, egressInterfaceName=, eventType=start
ADC Log Message Fields
Field | Description |
---|---|
applianceName | Name of the VOS device. This is the name displayed in the output of the show system identification branch CLI command. |
tenantName | Name of the organization (tenant). |
observationTimeMilliseconds | Time when the event occurred. |
flowCookie | Time when the flow was created, in UNIX epoch time format. |
flowId | Flow identifier. This value is allocated internally by the VOS device. |
flowStartMilliseconds | Time when the session started, in UNIX epoch time format. |
flowEndMilliseconds | Time when the session was torn down, in UNIX epoch time format. |
sentOctets | Number of octets sent. |
sentPackets | Number of packets sent. |
recvdOctets | Number of octets received. |
recvdPackets | Number of packets received. |
sourceIPv4Address | IP address of the system that initiated the connection to the ADC service. |
destinationIPv4Address | IP address of the ADC service. |
postNATSourceIPv4Address | IP address used by the ADC service for the connection to the ADC server. |
serverIPv4Address | IP address of the ADC server. |
sourcePort | Port number of the system that initiated the connection to the ADC service. |
destinationPort | Port number of the ADC service. |
postNAPTsourceTransportPort | Port number used by the ADC service for the connection to the ADC server. |
serverPort | Port number of the ADC server. |
tenantId | Tenant identifier. This value is allocated internally by the VOS device. |
vsnId | Identifier of the virtual service node, or VM. |
applianceId | VOS device identifier. This field is not used. |
protocolIdentifier | Protocol used for the connections. |
ingressInterfaceName | Interface receiving the flow from the initiating system. |
egressInterfaceName | Interface relaying the flow to the ADC server. |
eventType | Type of event; that is, whether the log was generated at the start or at the end of the flow. |
ATP Logs
For Releases 22.1.3 and later.
ATP Log Message Format
2024-01-12T23:10:12+0000 sandboxLog, applianceName=Bangalore-New-DC-Active, tenantName=Corp-Inline-Customer-1, flowId=2185922396, flowCookie=1705100975, vsnId=0, applianceId=1, tenantId=2, profileName=sb, appIdStr=http, fileName=, fileType=xml, fileSize=1420, fileTransDir=upload, atpVerdict=SandBoxMultiAVFileIsClean, sandboxAction=allow, fileHashType=SHA256, fileHashValue=e92455ccbf12f0c1c302b50e64fdffc3b8db3c4d1bf550c4de06d5057782942d, fileRuleName=r1, sourceIPv4Address=10.145.1.253, destinationIPv4Address=23.57.40.213, sourceTransportPort=52622, destinationTransportPort=80, protocolIdentifier=5, fromUser=Unknown, threatType=, threatSeverity=, sandboxNotifProfile=
ATP Log Message Fields
Field | Description |
---|---|
applianceName | Name of the VOS device. This is the name displayed in the output of the show system identification branch CLI command. |
tenantName | Name of the organization (tenant). |
flowId | Flow identifier. This value is allocated internally by the VOS device. |
flowCookie | Time when the flow was created, in UNIX epoch time format. |
vsnId | Identifier of the virtual service node, or VM. |
applianceId | VOS device identifier. This field is not used. |
tenantId | Unique ID number for the tenant. This value is allocated internally by the VOS device. |
profileName | Sandbox profile. |
appIdStr | Application name. |
fileName | Filename. |
fileType | File type. |
fileSize | File size, in bytes. |
fileTransDir | File transfer direction. |
atpVerdict | ATP verdict. |
sandboxAction | Action taken. |
fileHashType | Hash algorithm used to compute fileHashValue. |
fileHashValue | Hash of the file. |
fileRuleName | File rule name. |
sourceIPv4Address or sourceIPv6Address | Source IPv4 or IPv6 address. |
destinationIPv4Address or destinationIPv6Address | Destination IPv4 or IPv6 address. |
sourceTransportPort | Source transport port. |
destinationTransportPort | Destination transport port. |
protocolIdentifier | Layer 4 protocol identifier. |
fromUser | Username of the client initiating the threat. |
threatType | Threat type. This field is populated if a threat is detected. |
threatSeverity | Severity of the threat. |
sandboxNotifProfile | Email notification profile that is used to send email. |
Authentication Logs
Authentication Event Logs
Authentication event logs are generated when a user is authenticated using LDAP or SAML.
Authentication Event Log Message Format
2021-05-12T18:27:38+0000 authEventLog, applianceName=HE-DC-Branch-1, tenantName=Corp-Inline-Customer-1, flowId=3255680146,flowCookie=1620844028, vsnId=0, applianceId=1, tenantId=1, authProfile=LDAPAuth-Profile, authMethod=LDAP, userName=user123@versa-networks.com, authStatus=success, authStatusMessage="VSA : LDAP : Authenticated successfully.", authTime=0, sourceIPv4Address=73.93.153.96, destinationIPv4Address=207.47.61.83, sourceTransportPort=45977, destinationTransportPort=443
Authentication Event Log Message Fields
Field | Description |
---|---|
applianceName | Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device. |
tenantName | Name of the organization (tenant). |
flowId | Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow. |
flowCookie | Time when the flow was created, in UNIX epoch time format. |
vsnId | Identifier of the virtual service node, or VM. |
applianceId | VOS device identifier. This field is not used. |
tenantId | Tenant identifier. This value is allocated internally by the VOS device. |
authProfile | Authentication profile used for the user. |
authMethod | Authentication method. |
userName | Name of the user trying to authenticate. |
authStatus | Status of the authentication. |
authStatusMessage | Message describing the details of the authentication status. |
authTime | Amount of time required to perform the authentication. |
sourceIPv4Address or sourceIPv6Address | Source IPv4 or IPv6 address. |
destinationIPv4Address or destinationIPv6Address | Destination IPv4 or IPv6 address. |
sourceTransportPort | Source transport port. |
destinationTransportPort | Destination transport port. |
Authentication Policy Logs
Authentication policy logs are generated when user traffic is evaluated by an authentication policy and an action is taken.
Authentication Policy Log Message Format
2021-05-12T18:33:26+0000 authPolicyLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, flowId=3254914730, flowCookie=1620844509, vsnId=0, applianceId=1, tenantId=2,authPolicyRuleName=Default, authPolicyRuleAction=no-authenticate, sourceIPv4Address=172.16.11.103, destinationIPv4Address=172.16.31.10, sourceTransportPort=37944, destinationTransportPort=80
Authentication Policy Log Message Fields
Field | Description |
---|---|
applianceName | Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device. |
tenantName | Name of the organization (tenant). |
flowId | Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow. |
flowCookie | Time when the flow was created, in UNIX epoch time format. |
vsnId | Identifier of the virtual service node, or VM. |
applianceId | VOS device identifier. This field is not used. |
tenantId | Tenant identifier. This value is allocated internally by the VOS device. |
authPolicyRuleName | Name of the authentication policy rule that matched the traffic. |
authPolicyRuleAction | Authentication action taken based on the rule match. |
sourceIPv4Address or sourceIPv6Address | Source IPv4 or IPv6 address. |
destinationIPv4Address or destinationIPv6Address | Destination IPv4 or IPv6 address. |
sourceTransportPort | Source transport port. |
destinationTransportPort | Destination transport port. |
CASB Logs
For Releases 22.1.3 and later.
CASB Message Format
2024-01-13T00:07:13+0000 casbLog, applianceName=AMS-Hub-02, tenantName=Prospective-Customer, flowId=33568051, flowCookie=1705104892, vsnId=0, applianceId=1, tenantId=25, casbProfileName=CASB-Profile-1, casbRuleName=, casbAppName=box_net, casbAppActivity=download_file, casbAction=allow, casbEmailProfileName=, sourceIPv4Address=100.72.0.0, destinationIPv4Address=74.112.186.128, sourceTransportPort=53460, destinationTransportPort=443, protocolIdentifier=6, fromUser=user123@versa-networks.com, casbFromUser=, casbToUser=
CASB Log Message Fields
Field | Description |
---|---|
applianceName | Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device. |
tenantName | Name of the organization (tenant). |
flowId | Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow. |
flowCookie | Time when the flow was created, in UNIX epoch time format. |
vsnId | Identifier of the virtual service node, or VM. |
applianceId | VOS device identifier. This field is not used. |
tenantId | Tenant identifier. This value is allocated internally by the VOS device. |
casbProfileName | Name of the CASB profile that matched the traffic. |
casbRuleName | Name of the CASB rule that matched the traffic. |
casbAppName | Application that was detected. |
casbAppActivity | Application activity. |
casbAction | Action taken by CASB. |
casbEmailProfileName | Email profile name used for the event. |
sourceIPv4Address or sourceIPv6Address | Source IPv4 or IPv6 address. |
destinationIPv4Address or destinationIPv6Address | Destination IPv4 or IPv6 address. |
sourceTransportPort | Source transport port. |
destinationTransportPort | Destination transport port. |
protocolIdentifier | Layer 4 protocol identifier. |
fromUser | Username. |
CGNAT Logs
NAT44 Session Creation and Deletion Logs
NAT44 Session Creation and Deletion Log Message Format
2017-11-26T22:36:31+0000 cgnatLog, applianceName=DC1Branch1, tenantName=Customer1, observationTimeMilliseconds=2337165310, flowCookie=1511736417, flowId=33889107, sourceIPv4Address=172.18.101.10, destinationIPv4Address=8.8.8.8, postNATSourceIPv4Address=70.70.5.2, postNATDestinationIPv4Address=8.8.8.8, sourcePort=37190, destinationPort=53, postNAPTsourceTransportPort=45643, postNAPTdestinationTransportPort=53, tenantId=1, vsnId=0, applianceId=0, protocolIdentifier=17, sourceNatPoolName=DIA-Pool-ISPA-Network, destNatPoolName=-, natRuleName=DIA-Rule-Customer1-LAN1-VR-ISPA-Network, natEvent=nat44-sess-create
2017-11-26T22:37:22+0000 cgnatLog, applianceName=DC1Branch1, tenantName=Customer1, observationTimeMilliseconds=2337165310, flowCookie=1511736417, flowId=33889107, sourceIPv4Address=172.18.101.10, destinationIPv4Address=8.8.8.8, postNATSourceIPv4Address=70.70.5.2, postNATDestinationIPv4Address=8.8.8.8, sourcePort=37190, destinationPort=53, postNAPTsourceTransportPort=45643, postNAPTdestinationTransportPort=53,tenantId=1, vsnId=0, applianceId=0, protocolIdentifier=17, sourceNatPoolName=DIA-Pool-ISPA-Network, destNatPoolName=-, natRuleName=DIA-Rule-Customer1-LAN1-VR-ISPA-Network, natEvent=nat44-sess-delete
NAT44 Session Creation and Deletion Log Message Fields
Field | Description |
---|---|
applianceName | Name of the VOS device. This is the name displayed in the output of the show system identification branch CLI command. |
tenantName | Name of the organization (tenant). |
observationTimeMilliseconds | Time when the event occurred. |
flowId | Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow. |
flowCookie | Time when the flow was created, in UNIX epoch time format. |
sourceIPv4Address | Source IPv4 address. |
destinationIPv4Address | Destination IPv4 address. |
postNATSourceIPv4Address | Translated IPv4 source address. |
postNATDestinationIPv4Address | Translated IPv4 destination address. |
sourcePort | Layer 4 source port. |
destinationPort | Layer 4 destination port. |
postNAPTsourceTransportPort | Translated source port. |
postNAPTdestinationTransportPort | Translated destination port. |
tenantId | Tenant identifier. This value is allocated internally by the VOS device. |
vsnId | Identifier of the virtual service node, or VM. |
applianceId | VOS device identifier. This field is not used. |
protocolIdentifier | Layer 4 protocol identifier. |
sourceNatPoolName | DHCP pool from which the source NAT IP address was allocated. |
destNatPoolName | DHCP pool from which the destination NAT IP address was allocated. |
natRuleName | Name of the NAT rule for which traffic usage in the last measurement interval is being reported. |
natEvent | NAT44 session creation or deletion. |
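The session creation and deletion records above give a defender what is needed to answer an abuse report: which internal host held a given translated address and port at a given time. The following Python is an added example, not part of the Versa documentation or VOS software. It pairs nat44-sess-create and nat44-sess-delete records by appliance, tenant, VSN, flow ID and flow cookie, takes the session start from flowCookie and the end from the delete record's timestamp, and answers lookups by translated address, port, protocol and time. The sample records are constructed (session B reuses session A's translated port after A closed; session C is still open); function names are my own.

```python
import re
from datetime import datetime

# One key=value pair of a VOS log; quoted values may contain commas.
_PAIR_RE = re.compile(r'\s*([A-Za-z0-9_]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]*)')


def parse_log(line):
    """Split '<timestamp> <logType>, k=v, k=v, ...' into (timestamp, log_type, fields)."""
    head, _, rest = line.partition(",")
    timestamp, log_type = head.split(None, 1)
    fields = {k: v.strip().strip('"') for k, v in _PAIR_RE.findall(rest)}
    return timestamp, log_type.strip(), fields


def _epoch(ts):
    """'2017-11-26T22:36:31+0000' -> UNIX seconds."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z").timestamp())


def build_nat_sessions(lines):
    """Pair create/delete cgnatLog records into one session entry per flow key."""
    sessions = {}
    for line in lines:
        ts, log_type, f = parse_log(line)
        if log_type != "cgnatLog":
            continue
        key = (f["applianceName"], f["tenantId"], f["vsnId"], f["flowId"], f["flowCookie"])
        s = sessions.setdefault(key, {
            "flowId": f["flowId"],
            "internal": (f["sourceIPv4Address"], f["sourcePort"]),
            "external": (f["postNATSourceIPv4Address"], f["postNAPTsourceTransportPort"]),
            "destination": (f["postNATDestinationIPv4Address"], f["postNAPTdestinationTransportPort"]),
            "protocol": f["protocolIdentifier"],
            "rule": f["natRuleName"],
            "start": int(f["flowCookie"]),   # creation time carried by every record
            "end": None,                     # stays None while the session is open
        })
        if f["natEvent"] == "nat44-sess-delete":
            s["end"] = _epoch(ts)
    return sessions


def lookup_internal(sessions, public_ip, public_port, protocol, at_epoch):
    """Return (internal_ip, internal_port) bound to public_ip:public_port/protocol
    at at_epoch, or None. An open session (end is None) matches any later time."""
    for s in sessions.values():
        if s["external"] != (public_ip, str(public_port)) or s["protocol"] != str(protocol):
            continue
        if s["start"] <= at_epoch and (s["end"] is None or at_epoch <= s["end"]):
            return s["internal"]
    return None


def session_durations(sessions):
    """Seconds each session lasted, keyed by flowId; None for sessions not yet deleted."""
    return {s["flowId"]: (None if s["end"] is None else s["end"] - s["start"])
            for s in sessions.values()}


# Constructed sample records modelled on the NAT44 format above (not real device output).
_COMMON = ("applianceName=DC1Branch1, tenantName=Customer1, observationTimeMilliseconds=2337165310, "
           "tenantId=1, vsnId=0, applianceId=0, sourceNatPoolName=DIA-Pool-ISPA-Network, destNatPoolName=-, "
           "natRuleName=DIA-Rule-Customer1-LAN1-VR-ISPA-Network")
_A = ("flowCookie=1511735791, flowId=33889107, sourceIPv4Address=172.18.101.10, destinationIPv4Address=8.8.8.8, "
      "postNATSourceIPv4Address=70.70.5.2, postNATDestinationIPv4Address=8.8.8.8, sourcePort=37190, destinationPort=53, "
      "postNAPTsourceTransportPort=45643, postNAPTdestinationTransportPort=53, protocolIdentifier=17")
_B = ("flowCookie=1511736000, flowId=33889250, sourceIPv4Address=172.18.101.11, destinationIPv4Address=8.8.8.8, "
      "postNATSourceIPv4Address=70.70.5.2, postNATDestinationIPv4Address=8.8.8.8, sourcePort=50123, destinationPort=53, "
      "postNAPTsourceTransportPort=45643, postNAPTdestinationTransportPort=53, protocolIdentifier=17")
_C = ("flowCookie=1511736120, flowId=33889301, sourceIPv4Address=172.18.101.12, destinationIPv4Address=203.0.113.7, "
      "postNATSourceIPv4Address=70.70.5.2, postNATDestinationIPv4Address=203.0.113.7, sourcePort=41000, destinationPort=443, "
      "postNAPTsourceTransportPort=45700, postNAPTdestinationTransportPort=443, protocolIdentifier=6")
SAMPLE_CGNAT_LOGS = [
    f"2017-11-26T22:36:31+0000 cgnatLog, {_COMMON}, {_A}, natEvent=nat44-sess-create",
    f"2017-11-26T22:37:22+0000 cgnatLog, {_COMMON}, {_A}, natEvent=nat44-sess-delete",
    f"2017-11-26T22:40:00+0000 cgnatLog, {_COMMON}, {_B}, natEvent=nat44-sess-create",
    f"2017-11-26T22:41:00+0000 cgnatLog, {_COMMON}, {_B}, natEvent=nat44-sess-delete",
    f"2017-11-26T22:42:00+0000 cgnatLog, {_COMMON}, {_C}, natEvent=nat44-sess-create",
]

if __name__ == "__main__":
    sessions = build_nat_sessions(SAMPLE_CGNAT_LOGS)
    print(session_durations(sessions))
    print(lookup_internal(sessions, "70.70.5.2", 45643, 17, 1511735800))
    print(lookup_internal(sessions, "70.70.5.2", 45643, 17, 1511736030))
```

The time bound matters: the same translated port 45643 belongs to 172.18.101.10 at 22:36:40 and to 172.18.101.11 at 22:40:30, so a lookup that ignores the create and delete times would attribute activity to the wrong host. Keying on flow ID and flow cookie rather than on the translated address also keeps a long-lived session separate from a later one that reuses the same port.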
NAT64 Session Creation and Deletion Logs
NAT64 Session Creation and Deletion Log Message Format
2020-05-07T23:14:33+0000 cgnatLog, applianceName=versa, tenantName=Tenant1, observationTimeMilliseconds=21034388, flowCookie=1588893277, flowId=33589149, sourceIPv6Address=2001:172:16:31::10, destinationIPv6Address=2001:192:168:5::10, postNATSourceIPv6Address=2001:172:16:91:ff9f::10, postNATDestinationIPv6Address=2001:192:168:5::10, sourcePort=6000, destinationPort=6000, postNAPTsourceTransportPort=6000, postNAPTdestinationTransportPort=6000, tenantId=1, vsnId=0, applianceId=1, protocolIdentifier=58, sourceNatPoolName=NPT_POOL_66, natRuleName=NPT_RULE_66, natEvent=nat66-sess-create
2020-05-07T23:14:44+0000 cgnatLog, applianceName=versa, tenantName=Tenant1, observationTimeMilliseconds=21034388, flowCookie=1588893277, flowId=33589149, sourceIPv6Address=2001:172:16:31::10, destinationIPv6Address=2001:192:168:5::10, postNATSourceIPv6Address=2001:172:16:91:ff9f::10, postNATDestinationIPv6Address=2001:192:168:5::10, sourcePort=6000, destinationPort=6000, postNAPTsourceTransportPort=6000, postNAPTdestinationTransportPort=6000, tenantId=1, vsnId=0, applianceId=1, protocolIdentifier=58, sourceNatPoolName=NPT_POOL_66, natRuleName=NPT_RULE_66, natEvent=nat66-sess-delete
NAT64 Session Creation and Deletion Log Message Fields
Field | Description |
---|---|
applianceName | Name of the VOS device. This is the name displayed in the output of the show system identification branch CLI command. |
tenantName | Name of the organization (tenant). |
observationTimeMilliseconds | Time when the event occurred. |
flowId | Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow. |
flowCookie | Time when the flow was created, in UNIX epoch time format. |
sourceIPv6Address | Source IPv6 address. |
destinationIPv6Address | Destination IPv6 address. |
postNATSourceIPv6Address | Translated IPv6 source address. |
postNATDestinationIPv6Address | Translated IPv6 destination address. |
sourcePort | Layer 4 source port. |
destinationPort | Layer 4 destination port. |
postNAPTsourceTransportPort | Translated source port. |
postNAPTdestinationTransportPort | Translated destination port. |
tenantId | Tenant identifier. This value is allocated internally by the VOS device. |
vsnId | Identifier of the virtual service node, or VM. |
applianceId | VOS device identifier. This field is not used. |
protocolIdentifier | Layer 4 protocol identifier. |
sourceNatPoolName | DHCP pool from which the source NAT IP address was allocated. |
destNatPoolName | DHCP pool from which the destination NAT IP address was allocated. |
natRuleName | Name of the NAT rule for which traffic usage in the last measurement interval is being reported. |
natEvent | NAT64 session creation or deletion. |
NAT Address Pool Exhausted Logs
NAT Address Pool Exhausted Log Message Format
2020-05-07T23:44:43+0000 alarmLog, applianceName=versa, tenantName=Tenant1, alarmType=cgnat-pool-utilization, alarmKey=Tenant1_NAPT_POOL1, generateTime=1588895083, applianceId=1, vsnId=0, tenantId=1, alarmCause=resourceAtOrNearingCapacity, alarmClearable=yes, alarmClass=changed, alarmKind=symptom, alarmEventType=equipmentAlarm, alarmSeverity=critical, alarmOwner=tenant, alarmSeqNo=6, alarmText="CGNAT pool Tenant1_NAPT_POOL1 addresses near exhaustion (utilization: 93%)", siteName=, serialNum=br103.versa
NAT Address Pool Exhausted Log Fields
Field | Description |
---|---|
applianceName | Name of the VOS device. This is the name displayed in the output of the show system identification branch CLI command. |
tenantName | Name of the organization (tenant). |
alarmType | Type of alarm. For more information, see Supported Alarm Types in Configure VOS Device Alarms. |
alarmKey | String generated by the VOS device that uniquely identifies the alarm. |
generateTime | Time when the log was generated, in UNIX epoch time format. |
applianceId | VOS device identifier. This field is not used. |
vsnId | Identifier of the virtual service node, or VM. |
tenantId | Tenant identifier. This value is allocated internally by the VOS device. |
alarmCause | Cause of the alarm. |
alarmClearable | Whether the alarm has an associated clear notification. |
alarmClass | Alarm class. |
alarmKind | Type of alarm. |
alarmEventType | Alarm event type. Examples are communicationsAlarm and qualityOfServiceAlarm. |
alarmSeverity | Severity of the alarm. |
alarmOwner | Alarm owner. |
alarmSeqNo | Unique alarm sequence number generated for a tenant and VOS device. |
alarmText | Text description of the alarm. |
siteName | Name of the SD-WAN site that generated the alarm. |
serialNum | Serial number of the VOS device. |
DLP Logs
For Releases 22.1.3 and later.
DLP Log Message Format
2024-01-13T01:44:48+0000 dlpLog, applianceName=AMS-Hub-02, tenantName=Prospective-Customer, flowId=33609083, flowCookie=1705110716, vsnId=0, applianceId=1, tenantId=25, profileName=DLP-Profile-1, appIdStr=http, fileName=PCI-DSS-Name_CC_CVV.docx, fileType=docx, fileSize=18621, fileTransDir=download, fileFoundIn=Payload, dlpMatchStr="Cache Hit", dlpRuleAction=block, dlpMatchType=ContentAnalysisMatch, fileRuleName=Rule-Userdef-Credit-Card, dlpPatternName="CREDIT_CARD_NUMBER", dlpDataProfileName="CREDIT_CARD_NUMBER", dlpMatchComponent="ContentAnalysisMatch", sourceIPv4Address=100.72.0.0, destinationIPv4Address=74.112.186.128, sourceTransportPort=54290, destinationTransportPort=443, protocolIdentifier=6, fromUser=user123@versa-networks.com, dlpRuleMatchCount=1, fileHashValue=5269d43557251538e3add083fd1389695176cd8d847cf27c42464fbbfa0b27ff, fileLabelOp=""
DLP Log Message Fields
Field | Description |
---|---|
applianceName | Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device. |
tenantName | Name of the organization (tenant). |
flowId | Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow. |
flowCookie | Time when the flow was created, in UNIX epoch time format. |
vsnId | Identifier of the virtual service node, or VM. |
applianceId | VOS device identifier. This field is not used. |
tenantId | Tenant identifier. This value is allocated internally by the VOS device. |
profileName | Name of the DLP profile that matched the user's session. |
appIdStr | Application identifier string. |
fileName | Filename. |
fileType | File type. |
fileSize | File size, in bytes. |
fileTransDir | File transfer direction. |
fileFoundIn | Location where the file was found. |
dlpMatchStr | DLP match string. |
dlpRuleAction | DLP rule action. |
dlpMatchType | DLP match type. |
fileRuleName | Rule name. |
dlpPatternName | DLP pattern. |
dlpDataProfileName | DLP data profile name. |
dlpMatchComponent | DLP match component. |
sourceIPv4Address or sourceIPv6Address | Source IPv4 or IPv6 address. |
destinationIPv4Address or destinationIPv6Address | Destination IPv4 or IPv6 address. |
sourceTransportPort | Source transport port. |
destinationTransportPort | Destination transport port. |
protocolIdentifier | Protocol identifier. |
fromUser | Username. |
dlpRuleMatchCount | Number of DLP rules matched. |
fileHashValue | File hash value. |
fileLabelOp | File label operation. |
DNS-Filtering Logs
For Releases 21.1.1 and later, except as noted.
DNS-filtering logs use the syslog identifier dnsfLog. Releases 22.1.3 and later add support for the syslog identifier dnsfTunnelLog.
DNS-Filtering Log Message Format
2021-02-15T18:05:50+0000 dnsfLog, applianceName= SDWAN-Branch1, tenantName= Tenant1, flowId=34423394, flowCookie=1644948381, tenantId=1, vsnId=0, applianceId=1, dnsfProfileName=User-defined-DNS-Filtering-1, dnsfMsgType=response, dnsfEvType=ip-filter, dnsfAction=reject, dnsfDomain="ofFICe.com", dnsfRuleName=, dnsfBadResolvedV4Addr=, dnsfBadResolvedV6Addr =2001:501:b1f9::30, dnsfBadCname=ofFICe.com, dnsfDomainReputation=, dnsfDomainCategory=, dnsfIpReputation=Phishing , dnsfIpGeoLocation=US, sourceIPv4Address=10.100.226.56, destinationIPv4Address=202.12.27.33, sourceTransportPort=50081, destinationTransportPort=53, protocolIdentifier=6, fromUser=user123@versanetworks.com
DNS-Filtering Log Message Format for a Deny-List Event Type with a Drop Packet Action
2024-01-23T14:05:48+0000 dnsfLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, flowId=33554458, flowCookie=1706018747, tenantId=2, vsnId=0, applianceId=1, dnsfProfileName=dnsfilter_profile, dnsfMsgType=request, dnsfEvType=blacklist, dnsfAction=drop-packet, dnsfDomain="www.facebook.com", dnsfRuleName=, dnsfBadResolvedV4Addr=, dnsfBadResolvedV6Addr=, dnsfBadCname=, dnsfDomainReputation=, dnsfDomainCategory=, dnsfIpReputation=, dnsfIpGeoLocation=, sourceIPv4Address=172.16.11.10, destinationIPv4Address=10.48.0.99, sourceTransportPort=55524, destinationTransportPort=53, protocolIdentifier=17, fromUser=Unknown, threatSeverity="informational", threatType="", dnsfSinkHoleIp=""
DNS-Filtering Log Message Format for an Accept-List Event Type with an Allow Action
2024-01-23T14:25:21+0000 dnsfLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, flowId=33554475, flowCookie=1706019920, tenantId=2, vsnId=0, applianceId=1, dnsfProfileName=dnsfilter_profile, dnsfMsgType=request, dnsfEvType=whitelist, dnsfAction=allow, dnsfDomain="www.facebook.com", dnsfRuleName=, dnsfBadResolvedV4Addr=, dnsfBadResolvedV6Addr=, dnsfBadCname=, dnsfDomainReputation=, dnsfDomainCategory=, dnsfIpReputation=, dnsfIpGeoLocation=, sourceIPv4Address=172.16.11.10, destinationIPv4Address=10.48.0.99, sourceTransportPort=54303, destinationTransportPort=53, protocolIdentifier=17, fromUser=Unknown, threatSeverity="informational", threatType="", dnsfSinkHoleIp=""
DNS-Filtering Log Message Format for a Query-Based Action with a Reject Action
2024-01-23T16:08:36+0000 dnsfLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, flowId=33554619, flowCookie=1706026115, tenantId=2, vsnId=0, applianceId=1, dnsfProfileName=dnsfilter_profile, dnsfMsgType=request, dnsfEvType=query-action-rule, dnsfAction=reject, dnsfDomain="www.facebook.com", dnsfRuleName=query, dnsfBadResolvedV4Addr=, dnsfBadResolvedV6Addr=, dnsfBadCname=, dnsfDomainReputation=, dnsfDomainCategory=, dnsfIpReputation=, dnsfIpGeoLocation=, sourceIPv4Address=172.16.11.10, destinationIPv4Address=10.48.0.99, sourceTransportPort=57927, destinationTransportPort=53, protocolIdentifier=17, fromUser=Unknown, threatSeverity="informational", threatType="", dnsfSinkHoleIp=""
DNS-Filtering Log Message Format for an IP-Filtering Reputation-Based Action
2024-01-23T16:38:29+0000 dnsfLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, flowId=33554649, flowCookie=1706027908, tenantId=2, vsnId=0, applianceId=1, dnsfProfileName=dnsfilter_profile, dnsfMsgType=response, dnsfEvType=ip-filter, dnsfAction=reject, dnsfDomain="interestingfurniture.com", dnsfRuleName=, dnsfBadResolvedV4Addr=3.64.163.50, dnsfBadResolvedV6Addr=, dnsfBadCname=interestingfurniture.com, dnsfDomainReputation=, dnsfDomainCategory=, dnsfIpReputation=Windows Exploits | BotNets | Phishing | Proxy, dnsfIpGeoLocation=DE, sourceIPv4Address=172.16.11.10, destinationIPv4Address=10.48.0.99, sourceTransportPort=53200, destinationTransportPort=53, protocolIdentifier=17, fromUser=Unknown, threatSeverity="undefined", threatType="", dnsfSinkHoleIp=""
DNS-Filtering Log Message Format for a URL-Filtering Reputation-Based Action
2024-01-23T17:55:35+0000 dnsfLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, flowId=33554840, flowCookie=1706032534, tenantId=2, vsnId=0, applianceId=1, dnsfProfileName=dnsfilter_profile, dnsfMsgType=request, dnsfEvType=url-filter, dnsfAction=drop-packet, dnsfDomain="www.facebook.com", dnsfRuleName=, dnsfBadResolvedV4Addr=, dnsfBadResolvedV6Addr=, dnsfBadCname=, dnsfDomainReputation=trustworthy, dnsfDomainCategory=social_network, dnsfIpReputation=, dnsfIpGeoLocation=, sourceIPv4Address=172.16.11.10, destinationIPv4Address=10.48.0.99, sourceTransportPort=56553, destinationTransportPort=53, protocolIdentifier=17, fromUser=Unknown, threatSeverity="informational", threatType="", dnsfSinkHoleIp=""
DNS-Filtering Log Message Fields
Field | Description |
---|---|
applianceName | Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device. |
tenantName | Name of the organization (tenant). |
flowId | Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow. |
flowCookie | Time when the flow was created, in UNIX epoch time format. |
vsnId | Virtual service node identifier, or VM. |
applianceId | Appliance identifier. This field is not used. |
tenantId | Tenant identifier. This value is allocated internally by the VOS device. |
dnsfProfileName | DNS-filtering profile name matched for the event. |
dnsfMsgType | Type of DNS message: request or response. |
dnsfEvType | Type of DNS-filtering event, for example query-action-rule, ip-filter, or url-filter (as in the three samples above). |
dnsfAction | DNS-filtering action taken, for example reject, drop-packet, or sink-hole. |
dnsfDomain | Domain name that was queried. |
dnsfRuleName | Name of the DNS-filtering rule that matched. Populated for query-action-rule events. |
dnsfBadResolvedV4Addr | IPv4 address in the DNS response that triggered the action (populated for response-side events such as ip-filter; see the second sample above). |
dnsfBadResolvedV6Addr | IPv6 address in the DNS response that triggered the action. |
dnsfBadCname | Canonical name (CNAME) in the DNS response that is associated with the flagged address. |
dnsfDomainReputation | Reputation of the queried domain. |
dnsfDomainCategory | Category of the queried domain. |
dnsfIpReputation | Reputation tags for the resolved IP address. When several tags apply, they are separated by a vertical bar character, as in the ip-filter sample above. |
dnsfIpGeoLocation | Geographic location (country code) of the resolved IP address. |
sourceIPv4Address or sourceIPv6Address | Source IPv4 or IPv6 address. |
destinationIPv4Address or destinationIPv6Address | Destination IPv4 or IPv6 address. |
sourceTransportPort | Source transport port. |
destinationTransportPort | Destination transport port. |
protocolIdentifier | (For Releases 22.1.1 and later.) Protocol identifier. |
fromUser | (For Releases 22.1.1 and later.) Username. |
threatSeverity | (For Releases 22.1.3 and later.) Severity of the threat. |
threatType | (For Releases 22.1.3 and later.) Type of threat. |
dnsfSinkHoleIp | (For Releases 22.1.3 and later.) IP address of the DNS sinkhole. When the action is sink-hole, the device answers the query with this address instead of the real resolution, so the client connects to the sinkhole rather than to the hostname it asked for. |
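Every log on this page shares the same wire format: a timestamp, the log type, and then comma-separated key=value pairs in which some values are double-quoted (and may then contain commas), while others are unquoted and may contain spaces or vertical bars. The parser below is an added example, not Versa code; it tokenizes that format generically, coerces the numeric fields the tables document, converts flowCookie to a UTC timestamp, and pulls the DNS-filtering indicators out of a dnsfLog record. The three sample lines are copied from this page; the field names in the returned indicator dict (event, bad_ip, ip_tags, and so on) are this example's own choice.

```python
import re
from datetime import datetime, timezone

# Added example, not Versa code. The three dnsfLog lines are copied from this page.
SAMPLE_DNS_LINES = [
    '2024-01-23T16:08:36+0000 dnsfLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, flowId=33554619, flowCookie=1706026115, tenantId=2, vsnId=0, applianceId=1, dnsfProfileName=dnsfilter_profile, dnsfMsgType=request, dnsfEvType=query-action-rule, dnsfAction=reject, dnsfDomain="www.facebook.com", dnsfRuleName=query, dnsfBadResolvedV4Addr=, dnsfBadResolvedV6Addr=, dnsfBadCname=, dnsfDomainReputation=, dnsfDomainCategory=, dnsfIpReputation=, dnsfIpGeoLocation=, sourceIPv4Address=172.16.11.10, destinationIPv4Address=10.48.0.99, sourceTransportPort=57927, destinationTransportPort=53, protocolIdentifier=17, fromUser=Unknown, threatSeverity="informational", threatType="", dnsfSinkHoleIp=""',
    '2024-01-23T16:38:29+0000 dnsfLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, flowId=33554649, flowCookie=1706027908, tenantId=2, vsnId=0, applianceId=1, dnsfProfileName=dnsfilter_profile, dnsfMsgType=response, dnsfEvType=ip-filter, dnsfAction=reject, dnsfDomain="interestingfurniture.com", dnsfRuleName=, dnsfBadResolvedV4Addr=3.64.163.50, dnsfBadResolvedV6Addr=, dnsfBadCname=interestingfurniture.com, dnsfDomainReputation=, dnsfDomainCategory=, dnsfIpReputation=Windows Exploits | BotNets | Phishing | Proxy, dnsfIpGeoLocation=DE, sourceIPv4Address=172.16.11.10, destinationIPv4Address=10.48.0.99, sourceTransportPort=53200, destinationTransportPort=53, protocolIdentifier=17, fromUser=Unknown, threatSeverity="undefined", threatType="", dnsfSinkHoleIp=""',
    '2024-01-23T17:55:35+0000 dnsfLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, flowId=33554840, flowCookie=1706032534, tenantId=2, vsnId=0, applianceId=1, dnsfProfileName=dnsfilter_profile, dnsfMsgType=request, dnsfEvType=url-filter, dnsfAction=drop-packet, dnsfDomain="www.facebook.com", dnsfRuleName=, dnsfBadResolvedV4Addr=, dnsfBadResolvedV6Addr=, dnsfBadCname=, dnsfDomainReputation=trustworthy, dnsfDomainCategory=social_network, dnsfIpReputation=, dnsfIpGeoLocation=, sourceIPv4Address=172.16.11.10, destinationIPv4Address=10.48.0.99, sourceTransportPort=56553, destinationTransportPort=53, protocolIdentifier=17, fromUser=Unknown, threatSeverity="informational", threatType="", dnsfSinkHoleIp=""',
]

# "<timestamp> <logType>, <body>". The timestamp can itself contain a space (the
# idpLog sample on this page uses "2024-07-11 02:11:06"), so match lazily up to
# the first " <name>Log, ".
_PREFIX = re.compile(r"^(?P<ts>.+?) (?P<type>[A-Za-z]+Log), (?P<body>.*)$")

# One key=value pair. A quoted value may contain commas (httpUserAgent in the
# saseWebLog sample). An unquoted value runs up to the ", " that starts the next
# key, so it may contain spaces, vertical bars and even a bare comma
# (toLatLon=49.47,7.17 in the avLog sample).
_PAIR = re.compile(
    r"(?P<key>[A-Za-z][A-Za-z0-9]*)="
    r'(?:"(?P<quoted>[^"]*)"|(?P<bare>(?:[^,]|,(?! [A-Za-z][A-Za-z0-9]*=))*))'
)

# Fields the tables on this page document as numbers; everything else stays a string.
_INT_FIELDS = {
    "flowId", "flowCookie", "tenantId", "vsnId", "applianceId", "transactionId",
    "sourceTransportPort", "destinationTransportPort", "protocolIdentifier",
    "sentOctets", "sentPackets", "recvdOctets", "recvdPackets",
    "flowStartMilliseconds", "flowEndMilliseconds", "flowDurationMsecs",
    "appId", "signatureId", "groupId", "signatureRev", "HitCount",
}


def parse_vos_log(line: str) -> dict:
    """Parse one VOS flow-log line into a dict.

    The timestamp and log type are stored under '_timestamp' and '_logType';
    every key=value pair becomes an entry, with empty values kept as "".
    """
    m = _PREFIX.match(line.strip())
    if not m:
        raise ValueError(f"not a VOS flow log line: {line[:40]!r}")
    rec = {"_timestamp": m.group("ts"), "_logType": m.group("type")}
    for pair in _PAIR.finditer(m.group("body")):
        key = pair.group("key")
        quoted = pair.group("quoted")
        value = (quoted if quoted is not None else pair.group("bare")).strip()
        if key in _INT_FIELDS and value.lstrip("-").isdigit():
            value = int(value)
        rec[key] = value
    return rec


def split_tags(value: str) -> list:
    """Split a vertical-bar-separated value (dnsfIpReputation, dnsCnames) into a list."""
    return [t.strip() for t in value.split("|") if t.strip()]


def flow_cookie_utc(rec: dict) -> datetime:
    """flowCookie is the flow creation time in UNIX epoch seconds; return it as aware UTC."""
    return datetime.fromtimestamp(int(rec["flowCookie"]), tz=timezone.utc)


def dns_indicators(rec: dict) -> dict:
    """Flatten the DNS-filtering indicators of a dnsfLog record for enrichment or blocking.

    The output key names are this example's own, not Versa field names.
    """
    if rec.get("_logType") != "dnsfLog":
        raise ValueError("expected a dnsfLog record")
    return {
        "event": rec.get("dnsfEvType", ""),
        "action": rec.get("dnsfAction", ""),
        "domain": rec.get("dnsfDomain", ""),
        "rule": rec.get("dnsfRuleName", ""),
        "bad_ip": rec.get("dnsfBadResolvedV4Addr") or rec.get("dnsfBadResolvedV6Addr") or "",
        "cname": rec.get("dnsfBadCname", ""),
        "ip_tags": split_tags(rec.get("dnsfIpReputation", "")),
        "geo": rec.get("dnsfIpGeoLocation", ""),
        "domain_reputation": rec.get("dnsfDomainReputation", ""),
        "domain_category": rec.get("dnsfDomainCategory", ""),
        "client": rec.get("sourceIPv4Address") or rec.get("sourceIPv6Address") or "",
    }


if __name__ == "__main__":
    for line in SAMPLE_DNS_LINES:
        rec = parse_vos_log(line)
        print(flow_cookie_utc(rec).isoformat(), dns_indicators(rec))
```

The raw timestamp is kept as a string because its format differs between samples on this page (ISO with +0000, with Z, and with a space separator); flowCookie, which is always epoch seconds, is the safer value to index on.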
DNS-Tunneling Log Message Format
For Releases 22.1.3 and later.
2024-01-23T18:27:20+0000 dnsfTunnelLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, flowId=33554877, flowCookie=1706034438, tenantId=2, vsnId=0, applianceId=1, dnsfProfileName=dnsfilter_profile, dnsfAction=sink-hole, dnsfDetectedDomain="www.twitter.com", dnsfDetectionType=EXCESSIVE_REQ_FOR_SAME_FQDN, dnsfDetectionReason="Too many requests(2) for same FQDN", dnsfDetectionTime=2024-01-23 18:27:19, dnsfTunnelClientIp=172.16.11.10, sourceIPv4Address=172.16.11.10, destinationIPv4Address=10.48.0.99, sourceTransportPort=60570, destinationTransportPort=53, protocolIdentifier=17, fromUser=Unknown, threatSeverity="informational", threatType="", dnsfSinkHoleIp="207.47.61.60"
DNS-Tunneling Log Message Fields
For Releases 22.1.3 and later.
Field | Description |
---|---|
applianceName | Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device. |
tenantName | Name of the organization (tenant). |
flowId | Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow. |
flowCookie | Time when the flow was created, in UNIX epoch time format. |
vsnId | Virtual service node identifier, or VM. |
applianceId | Appliance identifier. This field is not used. |
tenantId | Tenant identifier. This value is allocated internally by the VOS device. |
dnsfProfileName | DNS-filtering profile name matched for the event. |
dnsfAction | DNS-filtering action taken (sink-hole in the sample above). |
dnsfDetectedDomain | Domain name detected as a DNS tunnel. |
dnsfDetectionType | Type of DNS-tunnel detection, for example EXCESSIVE_REQ_FOR_SAME_FQDN. |
dnsfDetectionReason | DNS behavior that caused the tunnel of the given detection type to be detected, for example the number of requests seen for the same FQDN. |
dnsfDetectionTime | Time at which the DNS tunnel was detected. |
dnsfTunnelClientIp | IP address of the client, populated when the tunnel is detected by tracking a client IP address across its queries (known as global tracking). |
sourceIPv4Address or sourceIPv6Address | Source IPv4 or IPv6 address. |
destinationIPv4Address or destinationIPv6Address | Destination IPv4 or IPv6 address. |
sourceTransportPort | Source transport port. |
destinationTransportPort | Destination transport port. |
protocolIdentifier | Protocol identifier. |
fromUser | Username. |
threatSeverity | Severity of the threat. |
threatType | Type of threat. |
dnsfSinkHoleIp | IP address of the DNS sinkhole. When the action is sink-hole, the device answers the query with this address instead of the real resolution, so the client connects to the sinkhole rather than to the hostname it asked for. |
DNS Metadata Logs
You can configure traffic monitoring rules to send DNS metadata, which provides detailed DNS information about a traffic flow.
Log Message Format
2024-01-11T16:26:13+0000 flowMonDnsLog, applianceName=HE-DC-Branch-1, tenantName=Corp-Inline-Customer-1, flowId=2181548554, flowCookie=1704990373, transactionId=62383, vsnId=0, applianceId=1, dnsResponseCode=No error, dnsQueryType=A, dnsEipInfo="", dnsDomainCategory=computer_and_internet_info, dnsDomain="browser.pipe.aria.microsoft.com", dnsOpcode=QUERY, dnsIpAddrs="52.168.117.168", dnsCnames="browser.events.data.trafficmanager.net|onedscolprdeus07.eastus.cloudapp.azure.com", dnsDnsfProfile=, dnsfAction=, sourceIPv4Address=10.42.144.130, destinationIPv4Address=10.48.0.99, sourceTransportPort=45271, destinationTransportPort=53, protocolIdentifier=17, fromUser=Unknown
DNS Metadata Log Message Fields
Field | Description |
---|---|
applianceName | Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device. |
tenantName | Tenant or organization name. |
flowId | Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow. |
flowCookie | Time when the flow was created, in UNIX epoch time format. |
transactionId | Transaction identifier. |
applianceId | Appliance identifier. This field is not used. |
vsnId | Virtual service node identifier, or VM. |
dnsResponseCode | DNS response code (for example, No error). |
dnsQueryType | DNS query type (for example, A). |
dnsEipInfo | DNS endpoint information. |
dnsDomainCategory | Category of the queried domain. |
dnsDomain | Domain name that was queried. |
dnsOpcode | DNS opcode (for example, QUERY). |
dnsIpAddrs | IP addresses returned in the DNS response. |
dnsCnames | CNAME records returned in the DNS response. Multiple names are separated by a vertical bar character, as in the sample above. |
dnsDnsfProfile | DNS-filtering profile that matched this traffic flow, if any. |
dnsfAction | DNS-filtering action that was taken if the traffic flow matched a profile. |
sourceIPv4Address or sourceIPv6Address | Source IPv4 or IPv6 address. |
destinationIPv4Address or destinationIPv6Address | Destination IPv4 or IPv6 address. |
sourceTransportPort | Source transport port. |
destinationTransportPort | Destination transport port. |
protocolIdentifier | (For Releases 22.1.1 and later.) Protocol identifier. |
fromUser | (For Releases 22.1.1 and later.) Username. |
File-Filtering Logs
File-Filtering Log Message Format
2022-02-15T18:44:39+0000 fileFilterLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, flowId=1107299034, flowCookie=1637457178, vsnId=0, applianceId=1, tenantId=1, profileName=Versa_Corporate_Profile, appIdStr=http, fileName=v2/computes, fileType=text file, fileSize=2, fileTransDir=upload, fileFoundIn=DefaultAction, fileSizeExceed=false, fileFilterAction=alert, fileHashType=, fileHashValue=, fileRuleName=, sourceIPv4Address=172.30.57.68, destinationIPv4Address=10.48.245.14, sourceTransportPort=50470, destinationTransportPort=3080, protocolIdentifier=6, fromUser=user123@versa-networks.com
File-Filtering Log Message Fields
Field | Description |
---|---|
applianceName | Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device. |
tenantName | Name of the organization (tenant). |
flowId | Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow. |
flowCookie | Time when the flow was created, in UNIX epoch time format. |
vsnId | Virtual service node identifier, or VM. |
applianceId | VOS device identifier. This field is not used. |
tenantId | Tenant or organization identifier. |
profileName | File-filtering profile name matched for this event. |
appIdStr | Application of the traffic that triggered the event. |
fileName | Name of the file that was accessed. |
fileType | File type. |
fileSize | File size. |
fileTransDir | File transfer direction: download or upload. |
fileFoundIn | Location in the profile where the file was matched (DefaultAction in the sample above, where no rule name is set). |
fileSizeExceed | Whether the file size exceeded the configured limit (true or false). |
fileFilterAction | File-filtering action taken. |
fileHashType | Hash algorithm used for fileHashValue. |
fileHashValue | Hash of the file. |
fileRuleName | Name of the file-filtering rule that matched. |
sourceIPv4Address or sourceIPv6Address | Source IPv4 or IPv6 address. |
destinationIPv4Address or destinationIPv6Address | Destination IPv4 or IPv6 address. |
sourceTransportPort | Source transport port. |
destinationTransportPort | Destination transport port. |
protocolIdentifier | (For Releases 22.1.1 and later.) Protocol identifier. |
fromUser | (For Releases 22.1.1 and later.) Username. |
HTTP Metadata Logs
HTTP Metadata Log Message Format
2024-01-11T18:01:49+0000 flowMonHttpLog, applianceName=Colovore-DCBranch-1, tenantName=Corp-Inline-Customer-1, flowId=2181338631, flowCookie=1704996134, transactionId=0, vsnId=0, applianceId=1, urlCategory=private_ip_addresses, appIdStr=http, httpHost=10.40.251.5, httpMimeType=application/json, httpUrl=/wp-json/wp/v2/blockpatterns/categories?_locale=user, httpMethod=GET, httpUserAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0, os=Windows, browser=Firefox, sourceIPv4Address=172.30.60.226, destinationIPv4Address=10.40.251.5, sourceTransportPort=64552, destinationTransportPort=80, protocolIdentifier=6, fromUser=user123@versanetworks.com
HTTP Metadata Log Message Fields
Field | Description |
---|---|
applianceName | Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device. |
tenantName | Name of the organization (tenant). |
flowId | Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow. |
flowCookie | Time when the flow was created, in UNIX epoch time format. |
transactionId | Transaction identifier. |
vsnId | Virtual service node identifier, or VM. |
applianceId | VOS device identifier. This field is not used. |
urlCategory | URL category. |
appIdStr | Application name. |
httpHost | Value of the HTTP Host header. |
httpMimeType | HTTP MIME type. |
httpUrl | HTTP URL (path and query string). |
httpMethod | HTTP method. |
httpUserAgent | Value of the HTTP User-Agent header. |
os | Operating system of the user session. |
browser | Browser of the user session. |
sourceIPv4Address or sourceIPv6Address | Source IPv4 or IPv6 address. |
destinationIPv4Address or destinationIPv6Address | Destination IPv4 or IPv6 address. |
sourceTransportPort | Source transport port. |
destinationTransportPort | Destination transport port. |
protocolIdentifier | (For Releases 22.1.1 and later.) Protocol identifier. |
fromUser | (For Releases 22.1.1 and later.) Username. |
SASE Web Logs
For Releases 22.1.1 and later
SASE web logs are sent for web traffic that passes through cloud-hosted SASE services. Each log message combines the firewall and UTM policy information for a user's traffic session in a single record.
SASE Web Log Message Format
2024-01-10T14:15:21+0000 saseWebLog, applianceName=Bangalore-ECT-DCActive, tenantName=Corp-Inline-Customer-1, flowId=34034049, flowCookie=1704896094, vsnId=0, applianceId=1, httpHost="10.192.165.250:5001", httpUrl="/update_note", httpMethod="POST", httpReferrer="", httpUserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0", urlCategory=private_ip_addresses, httpProtocol=http, appIdStr=http, appSubFamily=web, sslSNI="", PolicyRuleName=Allow-RAC-Users, policyActionName=allow, policyActionModule=policy, traffScope=none, sentOctets=2124, recvdOctets=1032, flowDurationMsecs=337, sslDecrypted=no, sourceIPv4Address=172.30.58.18, destinationIPv4Address=10.192.165.250, sourceTransportPort=60077, destinationTransportPort=5001, protocolIdentifier=6, fromUser=user123@versa-networks.com
SASE Web Log Message Fields
Field | Description |
---|---|
applianceName | Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device. |
tenantName | Name of the organization (tenant). |
flowId | Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow. |
flowCookie | Time when the flow was created, in UNIX epoch time format. |
vsnId | Virtual service node identifier, or VM. |
applianceId | VOS device identifier. This field is not used. |
httpHost | Value of the HTTP Host header. |
httpUrl | HTTP URL (path and query string). |
httpMethod | HTTP method. |
httpReferrer | Value of the HTTP Referer header. |
httpUserAgent | Value of the HTTP User-Agent header. |
urlCategory | URL category. |
httpProtocol | Application-layer protocol (for example, http). |
appIdStr | Application name. |
appSubFamily | Application subfamily. |
sslSNI | Server Name Indication (SNI) from the TLS client hello, if the session is TLS. Empty in the sample above because the session is plain HTTP. |
policyRuleName | Policy rule that was matched. |
policyActionName | Policy action that was taken. |
policyActionModule | Policy module that took the action. |
traffScope | Whether traffic is sent to private applications or to the internet. |
sentOctets | Number of octets sent. |
recvdOctets | Number of octets received. |
flowDurationMsecs | Duration of the flow, in milliseconds. |
sslDecrypted | Whether the TLS/SSL session was decrypted by the device (yes or no). |
sourceIPv4Address or sourceIPv6Address | Source IPv4 or IPv6 address. |
destinationIPv4Address or destinationIPv6Address | Destination IPv4 or IPv6 address. |
sourceTransportPort | Source transport port. |
destinationTransportPort | Destination transport port. |
protocolIdentifier | Protocol identifier. |
fromUser | Username. |
SD-WAN SLA Violation Logs
When you enable log export functionality (LEF) in an SD-WAN policy rule, SD-WAN SLA violation log messages are sent when traffic steering, or redirection, occurs.
Log Message Format
2017-11-28T23:12:43+0000 sdwanSlaPathViolLog, applianceName=Site1Branch1, tenantName=Customer1, flowId=34076716, flowCookie=1511911224, applianceId=1, tenantId=1, vsnId=0, rule=Rule_Http, localSiteName=Site1Branch1, fromRemoteSiteName=, fromLocalAccCktName=, fromRemoteAccCktName=, toRemoteSiteName=Site3Branch1, toLocalAccCktName=ISPA-Network, toRemoteAccCktName=ISPA-Network, forwardingClass=fc_be, fromPriority=P-0, toPriority=SLA Vio, reason="Violating metrics [Current value(Configured Threshold)]: latency-714(250) loss percentage-12.50(5) "
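The only unstructured part of the SLA violation log is the reason field, which packs every violating metric into one quoted string as name-current(threshold). The code below is an added example, not Versa code, that turns that string into numbers a SIEM can threshold on, pairs it with the rule and destination path fields, and ranks the metrics by how far each overshoots its threshold. The sample line is the one shown above; the metric naming in the output dict and the overshoot ratio are this example's own conventions.

```python
import re

# Added example, not Versa code. The sample line is this page's sdwanSlaPathViolLog.
SAMPLE_SLA_LINE = (
    "2017-11-28T23:12:43+0000 sdwanSlaPathViolLog, applianceName=Site1Branch1, tenantName=Customer1, "
    "flowId=34076716, flowCookie=1511911224, applianceId=1, tenantId=1, vsnId=0, rule=Rule_Http, "
    "localSiteName=Site1Branch1, fromRemoteSiteName=, fromLocalAccCktName=, fromRemoteAccCktName=, "
    "toRemoteSiteName=Site3Branch1, toLocalAccCktName=ISPA-Network, toRemoteAccCktName=ISPA-Network, "
    "forwardingClass=fc_be, fromPriority=P-0, toPriority=SLA Vio, "
    'reason="Violating metrics [Current value(Configured Threshold)]: latency-714(250) loss percentage-12.50(5) "'
)

# Each violating metric is written as "<name>-<current>(<threshold>)". Names are
# lowercase and may contain spaces ("loss percentage"); the lazy quantifier keeps
# the name from swallowing the preceding text.
_METRIC = re.compile(
    r"(?P<name>[a-z][a-z ]*?)-(?P<current>\d+(?:\.\d+)?)\((?P<threshold>\d+(?:\.\d+)?)\)"
)
_REASON = re.compile(r'reason="(?P<reason>[^"]*)"')


def field(line: str, name: str) -> str:
    """Return the value of an unquoted key=value field, or "" if it is absent or empty."""
    m = re.search(rf"(?:^|, ){re.escape(name)}=([^,]*)", line)
    return m.group(1) if m else ""


def parse_sla_violation(line: str) -> dict:
    """Structure one sdwanSlaPathViolLog line.

    Returns the matched rule, where the flow was steered to, and a dict that maps
    each violating metric to (current value, configured threshold).
    """
    metrics = {}
    m = _REASON.search(line)
    if m:
        for mm in _METRIC.finditer(m.group("reason")):
            metrics[mm.group("name").strip()] = (
                float(mm.group("current")),
                float(mm.group("threshold")),
            )
    return {
        "rule": field(line, "rule"),
        "local_site": field(line, "localSiteName"),
        "to_site": field(line, "toRemoteSiteName"),
        "to_circuit": field(line, "toLocalAccCktName"),
        "from_priority": field(line, "fromPriority"),
        "to_priority": field(line, "toPriority"),
        "metrics": metrics,
    }


def worst_metric(violation: dict):
    """Return (metric, current/threshold) for the metric that overshoots its threshold the most.

    Returns None when the record carries no parsable metrics, so callers must
    not assume every violation log names a metric.
    """
    ratios = {
        name: cur / thr
        for name, (cur, thr) in violation["metrics"].items()
        if thr  # a zero threshold would be a config error; never divide by it
    }
    if not ratios:
        return None
    name = max(ratios, key=ratios.get)
    return name, ratios[name]


if __name__ == "__main__":
    v = parse_sla_violation(SAMPLE_SLA_LINE)
    print(v["rule"], "->", v["to_site"], "via", v["to_circuit"], v["metrics"])
    print("worst:", worst_metric(v))
```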
SD-WAN Traffic Logs
SD-WAN traffic log messages are enabled as part of SD-WAN traffic flow monitoring. These log messages record flow information at the beginning or end of a flow, or both at the beginning and end of a flow. If the traffic monitoring policy rule is set to enable the sending of external application metadata (send-ext-app-metadata), the SD-WAN traffic log messages include application metadata, such as application risk, productivity, family, and subfamily.
SD-WAN Traffic Log Message Format
2017-11-26T22:42:38+0000 flowMonLog, applianceName=Branch1, tenantName=Customer1, flowId=33655871, flowCookie=1511734794, flowStartMilliseconds=361020099, flowEndMilliseconds=361865221, sentOctets=15000, sentPackets=34, recvdOctets=360, recvdPackets=6, vsnId=0, applianceId=1, tenantId=1, appRisk=1, appProductivity=3, appIdStr=iperf, appFamily=, appSubFamily=, urlCategory=, rule=catchall, localSiteName=Branch1, fwdEgrSiteName=Branch2, fwdEgrAccCktName=MPLS:MPLS, revIngAccCktName=MPLS, revIngSiteName=, fwdIngSiteName=, fwdIngAccCktName=vni-0/2.0, revEgrSiteName=, revEgrAccCktName=vni-0/2.0, deviceKey=, forwardForwardingClass=fc_be, reverseForwardingClass=fc_be, sourceIPv4Address=172.16.41.106, destinationIPv4Address=172.16.21.10, sourceTransportPort=38528, destinationTransportPort=80, protocolIdentifier=17, fromUser=Unknown
SD-WAN Traffic Log Message Fields
Field | Description |
---|---|
applianceName | Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device. |
tenantName | Name of the organization (tenant). |
flowId | Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow. |
flowCookie | Time when the flow was created, in UNIX epoch time format. |
flowStartMilliseconds | Time when the session started, in milliseconds. Note that in the sample above this value is not a UNIX epoch timestamp; use flowCookie for the wall-clock creation time. |
flowEndMilliseconds | Time when the session was torn down, in milliseconds, on the same clock as flowStartMilliseconds. |
sentOctets | Number of octets sent. |
sentPackets | Number of packets sent. |
recvdOctets | Number of octets received. |
recvdPackets | Number of packets received. |
tenantId | Tenant identifier. This value is allocated internally by the VOS device. |
applianceId | VOS device identifier. This field is not used. |
vsnId | Identifier of the virtual service node, or VM. |
appIdStr | Application identifier. |
appRisk | Application risk value. |
appProductivity | Application productivity value. |
appFamily | Application family. |
appSubFamily | Application subfamily. |
urlCategory | URL category for web traffic. |
rule | Traffic monitoring rule that evaluated the flow. |
localSiteName | Name of the local SD-WAN site that generated the traffic log. |
fwdEgrSiteName | Name of the destination SD-WAN site towards which traffic is sent from the local site. Forward-direction traffic flows from the local source to its destination. |
fwdEgrAccCktName | Name of the circuit or interface used to send forward-direction traffic. For traffic forwarded to an SD-WAN site, this field shows the names of the local and remote SD-WAN links on which the traffic was sent. For traffic sent directly to the internet, this field shows the name of the local SD-WAN link or the interface on which the traffic was sent. |
revIngSiteName | Name of the remote SD-WAN site from which reverse-direction traffic is received by the local site. Reverse-direction traffic flows from the destination back to the local source. |
revIngAccCktName | Name of the circuit or interface used to receive reverse-direction traffic. For traffic received from an SD-WAN site, this field shows the names of the local and remote SD-WAN links on which the traffic was received. For traffic received directly from the internet, this field shows the name of the local SD-WAN link or the interface on which the traffic was received. |
fwdIngSiteName | Name of the remote SD-WAN site from which forward-direction traffic was received by the local site. |
fwdIngAccCktName | Name of the circuit or interface used to receive forward-direction traffic. For traffic received from an SD-WAN site, this field shows the names of the local and remote SD-WAN links on which the traffic was received. For traffic received directly from the internet, this field shows the name of the local SD-WAN link or the interface on which the traffic was received. |
revEgrSiteName | Name of the SD-WAN site to which reverse-direction traffic was sent by the local site. |
revEgrAccCktName | Name of the circuit or interface used to send reverse-direction traffic. For traffic sent to an SD-WAN site, this field shows the names of the local and remote SD-WAN links on which the traffic was sent. For traffic sent directly to the internet, this field shows the name of the local SD-WAN link or the interface on which the traffic was sent. |
deviceKey | Device key. This field is populated when device identification is enabled. |
forwardForwardingClass | Forwarding class for the traffic flow in the forward direction. |
reverseForwardingClass | Forwarding class for the traffic flow in the reverse direction. |
sourceIPv4Address or sourceIPv6Address | Source IPv4 or IPv6 address. |
destinationIPv4Address or destinationIPv6Address | Destination IPv4 or IPv6 address. |
sourceTransportPort | Source transport port. |
destinationTransportPort | Destination transport port. |
protocolIdentifier | (For Releases 22.1.1 and later.) Layer 4 protocol identifier. |
fromUser | (For Releases 22.1.1 and later.) Username. |
Threat Logs
Access Logs
Access Log Message Format
2021-03-18T16:00:17+0000 accessLog, applianceName=SDWAN-Branch4, tenantName=Tenant1, flowId=2181092523, flowCookie=1616083363, flowStartMilliseconds=121604466, flowEndMilliseconds=121604514, sentOctets=565, sentPackets=6, recvdOctets=1074, recvdPackets=4, appId=370, eventType=end, tenantId=2, urlCategory=entertainment_and_arts, action=allow, vsnId=0, applianceId=1, appRisk=3, appProductivity=1, appIdStr=netflix, appFamily=media, appSubFamily=audio_video, rule=Allow_From_Trust, forwardForwardingClass=fc_be, reverseForwardingClass=fc_be, host=www.netflix.com, deviceKey=Unknown, deviceName=Unknown, sourceIPv4Address=172.16.41.106, destinationIPv4Address=172.16.21.10, sourceTransportPort=38528, destinationTransportPort=80, protocolIdentifier=17, fromUser=Unknown, eipProfileName=, traffScope=none, srcSGT=, destSGT=
Access Log Message Fields
Field | Description |
---|---|
applianceName | Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device. |
tenantName | Name of the organization (tenant). |
flowId | Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow. |
flowCookie | Time when the flow was created, in UNIX epoch time format. |
flowStartMilliseconds | Time when the session was created, in milliseconds. |
flowEndMilliseconds | Time when the session ended (was destroyed), in milliseconds. |
sentOctets | Number of octets sent. |
sentPackets | Number of packets sent. |
recvdOctets | Number of octets received. |
recvdPackets | Number of packets received. |
appId | Application identifier. |
eventType | Type of event; that is, whether the log was generated at the start or the end of the flow. |
tenantId | Tenant identifier. This value is allocated internally by the VOS device. |
urlCategory | URL category for web traffic. |
action | Firewall action taken (allow in the sample above). |
vsnId | Identifier of the virtual service node, or VM. |
applianceId | VOS device identifier. This field is not used. |
appRisk | Risk level of the application. |
appProductivity | Application productivity. |
appIdStr | Application identifier string. |
appFamily | Application family. |
appSubFamily | Application subfamily. |
rule | Firewall rule that matched the traffic. |
forwardForwardingClass | Traffic-forwarding class in the forward direction. |
reverseForwardingClass | Traffic-forwarding class in the reverse direction. |
host | Value of the Host header for HTTP traffic. This is useful when the application is unknown-http or unknown-ssl. |
deviceKey | Device key. This field is populated if the device identification feature is enabled. |
deviceName | Device name. This field is populated if the device identification feature is enabled. |
sourceIPv4Address or sourceIPv6Address | Source IPv4 or IPv6 address. |
destinationIPv4Address or destinationIPv6Address | Destination IPv4 or IPv6 address. |
sourceTransportPort | Source transport port. |
destinationTransportPort | Destination transport port. |
protocolIdentifier | (For Releases 22.1.1 and later.) Protocol identifier. |
fromUser | (For Releases 22.1.1 and later.) Username. |
eipProfileName | (For Releases 22.1.1 and later.) Endpoint information profile name. |
traffScope | Whether traffic is sent to private applications or to the internet. |
srcSGT | Source security group tag. |
destSGT | Destination security group tag. |
Antivirus Logs
Antivirus Log Message Format
21-02-20T07:45:41Z avLog, tenant=Tenant3, applianceName=SDWAN-Branch1, srcAddr=172.53.2.3, destAddr=89.238.73.97, srcPort=51523, destPort=443, ingIf=vni-0/0.0, egrIf=vni-0/0.0, fromCountry=United States, toCountry=Germany, protocolId=6, fromZone=remote-client, fromUser=user1, toZone=RTI-WAN1-Zone, toLatLon=49.47,7.17, fromLatLon=40.71,-74.01, fromGeoHash=dr5reg, toGeoHash=u0v17j, profileName=Scan Web and Email Traffic, appId=http, fileName=eicarcom2.zip, fileType=zip, fileTransDir=download, avMalwareType=AV_DETECTION_TYPE_NONE, avMalwareName=EICAR_Test_File, avAccuracy=AV_DETECTION_ACCURACY_NONE, avAction=deny, threatType=virus_event, threatSeverity=critical, traffScope=public, fileHashValue=e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397
Note that the sample above uses field names (for example, tenant, srcAddr, destAddr, srcPort, destPort, and protocolId) that differ from those listed in the table below (tenantName, sourceIPv4Address, destinationIPv4Address, sourceTransportPort, destinationTransportPort, and protocolIdentifier). When you build parsers or correlation rules, match on the field names that your export actually produces.
Antivirus Log Message Fields
Field | Description |
---|---|
applianceName | Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device. |
tenantName | Name of the organization (tenant). |
flowId | Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow. |
flowCookie | Time when the flow was created, in UNIX epoch time format. |
vsnId | Identifier of the virtual service node, or VM. |
applianceId | VOS device identifier. This field is not used. |
tenantId | Tenant identifier. This value is allocated internally by the VOS device. |
profileName | Name of the antivirus profile that triggered the event. |
appIdStr | Application name. |
fileName | Name of the file in which malware was detected. |
fileTransDir | File transfer direction: download or upload. |
avMalwareType | Type of malware threat. |
avMalwareName | Name of the malware. |
avAccuracy | Accuracy of malware detection. |
avAction | Action taken for the event. |
sourceIPv4Address or sourceIPv6Address |
Source IPv4 or IPv6 address. |
destinationIPv4Address or destinationIPv6Address |
Destination IPv4 or IPv6 address. |
sourceTransportPort |
Source transport port. |
destinationTransportPort |
Destination transport port. |
protocolIdentifier |
(For Releases 22.1.1 and later.) Protocol identifier. |
fromUser |
(For Releases 22.1.1 and later.) Username. |
threatType | (For Releases 22.1.1 and later.) Type of threat. |
threatSeverity | (For Releases 22.1.1 and later.) Severity of the threat. |
traffScope | (For Releases 22.1.1 and later.) Whether traffic is sent to private applications or to the internet. |
fileHashValue | (For Releases 22.1.1 and later.) The hash sum of the file, using the SHA-256 hash algorithm. |
IDP Logs
IDP Log Message Format
2024-07-11 02:11:06 idpLog, applianceName=Branch1, tenantName=USA, flowId=41532610, flowCookie=1720663865, signatureId=1061212062, groupId=1, signatureRev=0, vsnId=0, applianceId=1, tenantId=2, moduleId=10, signaturePriority=critical, idpAction=alert, signatureMsg="Microsoft Windows SNMP Service Memory Corruption", classMsg="Attempted User Privilege Gain", threatType=attempted-user, packetTime=07/11/2024-02:11:05.256264, HitCount=1, ipsProfile=Versa Recommended Profile-Exception-IPS-Override, ipsProfileRule=Attack Severity Rule Filter for older than 10 years, ipsDirection=ToServer, ipsProtocol=UDP, ipsApplication=snmp, sourceIPv4Address=10.205.167.170, destinationIPv4Address=10.191.64.21, sourceTransportPort=44924, destinationTransportPort=161, protocolIdentifier=17, fromUser=Unknown, traffScope=public
2017-11-26T22:37:11+0000 idpLog, applianceName=Branch1, tenantName=Customer1, flowId=33655871, flowCookie=1511734794, signatureId=1000000530, groupId=1, signatureRev=0, vsnId=0, applianceId=1, tenantId=1, moduleId=12, signaturePriority=2, idpAction=alert, signatureMsg="Microsoft DNS Server Denial of Service", classMsg="Attempted Denial of Service", threatType=attempted-dos, packetTime=11/26/2017-14:37:11.000000, HitCount=1, ipsProfile=Vulnerablity_Profile, ipsProfileRule=Rule1, ipsDirection=ToClient, ipsProtocol=UDP, ipsApplication=dns
2021-03-08T23:53:54+0000 idpLog, applianceName=HE-DC-Branch-1, tenantName=Corp-Inline-Customer-1, flowId=1107414882, flowCookie=1615086843, signatureId=1140408011, groupId=1, signatureRev=0, vsnId=0, applianceId=1, tenantId=1, moduleId=10, signaturePriority=high, idpAction=reject, signatureMsg="OpenSSL TLS DTLS Heartbeat Information Disclosure", classMsg="information disclosure was detected", threatType=information-disclosure, packetTime=03/08/2021-15:59:01.982516, HitCount=1, ipsProfile=Versa Recommended Profile, ipsProfileRule=Attack Severity Rule Filter, ipsDirection=ToServer, ipsProtocol=TCP, ipsApplication=https, sourceIPv4Address=172.30.57.19, destinationIPv4Address=10.100.253.12, sourceTransportPort=62397, destinationTransportPort=443, protocolIdentifier=6, fromUser=abc@versa-networks.com
IDP Log Message Fields
Field | Description |
---|---|
applianceName | Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device. |
tenantName | Name of the organization (tenant). |
flowId | Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow. |
flowCookie | Time when the flow was created, in UNIX epoch time format. |
signatureId | Identifier of the signature that matched the traffic. |
groupId | Group identifier. |
signatureRev | Revision of the signature. |
vsnId | Identifier of the virtual service node, or VM. |
applianceId | VOS device identifier. This field is not used. |
tenantId | Tenant identifier. This value is allocated internally by the VOS device. |
moduleId | IPS module identifier. |
signaturePriority | Priority of the signature. |
idpAction | Action taken by IDP, such as allow, alert, drop-session, or reject. |
signatureMsg | Message text of the signature. |
classMsg | Class message. |
threatType | Type of intrusion threat. Values correspond to the classtypes defined in Snort. |
packetTime | Time when the event occurred. |
HitCount | Number of signature matches for the traffic flow. |
ipsProfile | IPS profile name matching the traffic flow. |
ipsProfileRule | IPS profile rule matching the traffic flow. |
ipsDirection | Direction of the traffic flow (ToServer or ToClient). |
ipsProtocol | Protocol of the traffic flow. |
ipsApplication | Application of the traffic flow. |
sourceIPv4Address or sourceIPv6Address | Source IPv4 or IPv6 address. |
destinationIPv4Address or destinationIPv6Address | Destination IPv4 or IPv6 address. |
sourceTransportPort | Source transport port. |
destinationTransportPort | Destination transport port. |
protocolIdentifier | (For Releases 22.1.1 and later.) Protocol identifier. |
fromUser | (For Releases 22.1.1 and later.) Username. |
traffScope | Scope of the traffic, such as public or unknown. |
URL-Filtering Logs
URL-filtering logs display entries for traffic that matches the URL-filtering profile associated with a security policy rule.
URL-Filtering Log Message Format
2017-11-26T24:42:38+0000 urlfLog, applianceName=DC1Branch1, tenantName=Customer1, flowId=33655871, flowCookie=1511734794, vsnId=0, applianceId=1, tenantId=1, urlReputation=trustworthy, urlCategory=business_and_economy, httpUrl=apt.puppetlabs.com/dists/trusty/Release.gpg, urlfProfile=url_profile1, urlfAction=ask, urlfActionMessage=
2021-02-18T18:50:15+0000 urlfLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, flowId=3254966030, flowCookie=1613674373, vsnId=0, applianceId=1, tenantId=2, urlReputation=trustworthy, urlCategory=streaming_media, httpUrl=www.youtube.com/index.html, urlfProfile=YoutubeRule, urlfAction=alert, urlfActionMessage=, sourceIPv4Address=172.16.11.103, destinationIPv4Address=172.16.31.10, sourceTransportPort=55333, destinationTransportPort=80, protocolIdentifier=6, fromUser=abc@versa-networks.com
URL-Filtering Log Message Fields
Field | Description |
---|---|
applianceName | Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device. |
tenantName | Name of the organization (tenant). |
flowId | Flow identifier. This value is allocated internally by the VOS device. The combination of the flow identifier and the flow cookie uniquely identifies the flow. |
flowCookie | Time when the flow was created, in UNIX epoch time format. |
vsnId | Identifier of the virtual service node, or VM. |
applianceId | VOS device identifier. This field is not used. |
tenantId | Tenant identifier. This value is allocated internally by the VOS device. |
urlReputation | Reputation score of the URL. |
urlCategory | Name of URL category for web traffic. |
httpUrl | URL that triggered the traffic event. |
urlfProfile | Name of the URL-filtering profile that matched the traffic. |
urlfAction | URL-filtering action taken for the event. |
urlfActionMessage | Description of the action taken for the event. This field is empty when no message is configured, as in the sample messages above. |
sourceIPv4Address or sourceIPv6Address | Source IPv4 or IPv6 address. |
destinationIPv4Address or destinationIPv6Address | Destination IPv4 or IPv6 address. |
sourceTransportPort | Source transport port. |
destinationTransportPort | Destination transport port. |
protocolIdentifier | (For Releases 22.1.1 and later.) Protocol identifier. |
fromUser | (For Releases 22.1.1 and later.) Username. |
Supported Software Information
Releases 20.2 and later support all content described in this article except:
- Release 21.1.1 adds support for ADC and DNS-filtering logs.
- Release 21.2.1 adds support for the hostname field in the DHCP flow log message.
- Release 22.1.1 adds support for SASE web logs; adds support for the protocolIdentifier and fromUser fields in DNS-filtering, DNS metadata, and file-filtering logs; and adds support for the protocolIdentifier, fromUser, threatType, threatSeverity, traffScope, and fileHashValue fields for the syslog identifier avLog.
- Release 22.1.3 adds support for ATP sandbox, CASB, and DLP logs; adds support for the syslog identifier dnsfTunnelLog; and adds support for the threatSeverity, threatType, and dnsfSinkHoleIp fields for the syslog identifier dnsfLog.
Additional Information
Analytics Log Collector Log Types Overview
Configure the Exporting of Session Log Records