syslog
I can't find anything that says if the firewall is using UDP or TCP port 514. Can anyone confirm which one it is?
Also, are the logs space-separated or comma-separated?
Thanks.
Comments
Hi @itCOdtQ
They're sent via UDP.
-Each log message is a new message -- multiple messages aren't sent in the same syslog packet.
-Fields in the log line are space separated.
Here's a copy/paste from my firewall's syslog traffic pulled via tcpdump:
[truncated]Syslog message: LOCAL1.WARNING: Apr 4 10:43:28 M400 firewall: msg_id="3000-0148" Deny External Firebox 40 tcp 20 238 src ip dest ip 48887 993 offset 5 S 2990431059 win 65535 geo_src="NLD" geo_dst="USA" (Unhan
1000 1... = Facility: LOCAL1 - reserved for local use (17)
.... .100 = Level: WARNING - warning conditions (4)
Message: Apr 4 10:43:28 M400 firewall: msg_id="3000-0148" Deny External Firebox 40 tcp 20 src ip.dest ip 48887 993 offset 5 S 2990431059 win 65535 geo_src="NLD" geo_dst="USA" (Unhandled External Packet-00)
Syslog timestamp (RFC3164): Apr 4 10:43:28
Syslog hostname: M400
Syslog process id: firewall
Syslog message id: : msg_id="3000-0148" Deny External Firebox 40 tcp 20 src ip.dest ip 48887 993 offset 5 S 2990431059 win 65535 geo_src="NLD" geo_dst="USA" (Unhandled External Packet-00)
(I've removed the source and destination IPs from this message, but this is just to give you an idea.)
-James Carson
WatchGuard Customer Support
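A parser for the format described in the answer above, added here as an example; it is not WatchGuard's code and not part of the original thread. It decodes the `<PRI>` byte into facility/severity (the decode above shows LOCAL1 = 17 and WARNING = 4, so PRI = 17*8+4 = 140), the RFC 3164 timestamp, the hostname and the `firewall:` tag, then splits the space-separated body into `key="value"` pairs (`msg_id`, `geo_src`, `geo_dst`), bare positional tokens and the trailing parenthesised text. The `SAMPLE` datagram is constructed to mirror the redacted message in the answer, with RFC 5737 documentation addresses in place of the removed IPs; the meaning of the bare numeric tokens is not assumed, they are only kept in order. The function and class names are my own.

```python
import re
import socket
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example: parses the RFC 3164-style UDP syslog line format shown in the
# answer above. Not WatchGuard code; field semantics beyond the header are not assumed.

# Standard syslog facility / severity codes (RFC 3164, section 4.1.1).
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample datagram modelled on the (redacted) message in the answer.
# PRI 140 = local1 (17) * 8 + warning (4). IPs are RFC 5737 documentation addresses.
SAMPLE = ('<140>Apr  4 10:43:28 M400 firewall: msg_id="3000-0148" Deny External Firebox '
          '40 tcp 20 238 192.0.2.10 198.51.100.7 48887 993 offset 5 S 2990431059 '
          'win 65535 geo_src="NLD" geo_dst="USA" (Unhandled External Packet-00)')

HEADER_RE = re.compile(
    r'^(?:<(?P<pri>\d{1,3})>)?'                               # optional <PRI>
    r'(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '  # RFC 3164 timestamp
    r'(?P<host>\S+) '                                          # hostname (M400)
    r'(?P<tag>[^:\s]+): ?'                                     # process tag (firewall)
    r'(?P<body>.*)$', re.DOTALL)

# One body token: key="value", a (parenthesised trailer), or a bare word.
TOKEN_RE = re.compile(r'(\w+)="([^"]*)"|\(([^)]*)\)|(\S+)')


@dataclass
class FirewallEvent:
    facility: Optional[int]
    severity: Optional[int]
    timestamp: str
    hostname: str
    tag: str
    msg_id: Optional[str]
    fields: Dict[str, str] = field(default_factory=dict)   # key="value" pairs
    positional: List[str] = field(default_factory=list)    # bare tokens, in order
    trailer: Optional[str] = None                          # text inside trailing (...)

    @property
    def facility_name(self) -> Optional[str]:
        if self.facility is None:
            return None
        return FACILITIES.get(self.facility, f"facility{self.facility}")

    @property
    def severity_name(self) -> Optional[str]:
        return None if self.severity is None else SEVERITIES[self.severity]


def parse_firewall_syslog(line: str) -> FirewallEvent:
    """Parse one syslog line (one UDP datagram carries one message) into a FirewallEvent."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an RFC 3164-style syslog line: {line!r}")
    facility = severity = None
    if m.group("pri") is not None:
        pri = int(m.group("pri"))
        if pri > 191:                       # max facility 23 * 8 + severity 7
            raise ValueError(f"PRI out of range: {pri}")
        facility, severity = pri >> 3, pri & 0x7   # PRI = facility*8 + severity
    fields: Dict[str, str] = {}
    positional: List[str] = []
    trailer = None
    for mo in TOKEN_RE.finditer(m.group("body")):
        if mo.group(1) is not None:
            fields[mo.group(1)] = mo.group(2)
        elif mo.group(3) is not None:
            trailer = mo.group(3)
        else:
            positional.append(mo.group(4))
    return FirewallEvent(facility, severity, " ".join(m.group("ts").split()),
                         m.group("host"), m.group("tag"), fields.get("msg_id"),
                         fields, positional, trailer)


def receive_datagrams(bind_addr: str = "0.0.0.0", port: int = 514):
    """Yield (source_ip, line) per UDP datagram; binding 514 needs root on Unix."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (src, _) = sock.recvfrom(65535)
            # One datagram = one message, so no framing is needed. The source
            # address is unauthenticated and trivially spoofable over UDP.
            yield src, data.decode("utf-8", errors="replace")


if __name__ == "__main__":
    ev = parse_firewall_syslog(SAMPLE)
    print(ev.facility_name, ev.severity_name, ev.hostname, ev.msg_id, ev.positional[:3])
```

`receive_datagrams` is the only piece that touches the network and is shown for completeness of the one-message-per-datagram point; because plain UDP syslog is neither authenticated nor encrypted, anything built on these events should treat the sender address and content as untrusted input and, where the firewall supports it, prefer a TLS-protected transport or at least restrict which sources the collector accepts.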