Default Log Format / ensure using a parameter="value" format eveywhere


I'm "playing" a lot with my Firebox Logs actually and i'm very upset by the Log format provided by my firewalls, it's so inconsistent ;-((

It's so difficult to integrate into a SIEM (Splunk for example) because field extraction is not easy when name of the important field is not provided when using a remote syslog server.

Why don't you provide a way to send logs using a parameter="value" format for each field ? This can be enabled (not by default) in the Traffic monitor + ensure any string containing space character is sent between quotes also (example : if you use an interface name with space into it...i know, it's bad, but sometime you didn't choose it initially...)

Please add it to your roadmap to help us win some time during integration and analysis of our logs.




  • Options

    example of something that could be useful in terms of log format :
    Apr 27 13:04:59 Apr 27 13:04:59 host="myfirewall.mycorp.lan" process="firewall:" msg_id="3000-0148" disposition="Deny" src_int="MY-SUPER-INTERNAL-INTERFACE-NAME" dst_int="MY STUPID EXTERNAL INTERFACE NAME" 52 pr="tcp" 20 127 src_ip="" dst_ip="" src_port="63404" dst_port="4116" offset 8 S 3679024395 win 61690 src_user="username@mycompany.lan" rule_name="Any from Internal By Default.deny"

  • Options

    another new issue since beginning of May, some fields are nos separated by multiple "space" instead of only 1.
    Don't know if it's due to the new month or due to our recent upgrade to the latest version :

    May 3 16:35:02 May 3 16:35:02 MYFIREWALL.mycorp.lan firewall: msg_id="3000-0148"

    2 spaces after the 2 "May" word now; only 1 previously ;-((

Sign In to comment.