Default Log Format / ensure using a parameter="value" format everywhere
Hello,
I'm "playing" a lot with my Firebox Logs actually and I'm very upset by the Log format provided by my firewalls, it's so inconsistent ;-((
It's so difficult to integrate into a SIEM (Splunk for example) because field extraction is not easy when the name of the important field is not provided when using a remote syslog server.
Why don't you provide a way to send logs using a parameter="value" format for each field? This can be enabled (not by default) in the Traffic monitor + ensure any string containing a space character is sent between quotes also (example: if you use an interface name with a space in it... I know, it's bad, but sometimes you didn't choose it initially...)
Please add it to your roadmap to help us win some time during integration and analysis of our logs.
Thanks
Florent
Comments
Example of something that could be useful in terms of log format:
Apr 27 13:04:59 172.21.70.254 Apr 27 13:04:59 host="myfirewall.mycorp.lan" process="firewall:" msg_id="3000-0148" disposition="Deny" src_int="MY-SUPER-INTERNAL-INTERFACE-NAME" dst_int="MY STUPID EXTERNAL INTERFACE NAME" 52 pr="tcp" 20 127 src_ip="10.10.10.10" dst_ip="10.0.0.244" src_port="63404" dst_port="4116" offset 8 S 3679024395 win 61690 src_user="username@mycompany.lan" rule_name="Any from Internal By Default.deny"
Another new issue since the beginning of May: some fields are now separated by multiple spaces instead of only one.
Don't know if it's due to the new month or due to our recent upgrade to the latest version :
May 3 16:35:02 10.40.1.254 May 3 16:35:02 MYFIREWALL.mycorp.lan firewall: msg_id="3000-0148"
2 spaces after the 2 "May" word now; only 1 previously ;-((
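As an added example (not part of the original post, and not WatchGuard's own tooling), here is a small Python parser for lines in the mixed format quoted in this thread. It strips the relay's syslog header and the firewall's own timestamp header, extracts every `key="value"` pair (quoted values may contain spaces, so an interface name like `MY STUPID EXTERNAL INTERFACE NAME` survives intact), tolerates runs of multiple spaces between tokens, and reports the bare positional tokens that carry no field name, which is exactly what makes SIEM extraction fragile. It also shows the fully quoted `key="value"` serialisation the post asks for. The two sample lines are constructed from the ones quoted above; the hostnames, addresses and interface names are the poster's placeholders, not real assets.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines, modelled on the two lines quoted in the thread.
# The second one reproduces the "two spaces after the month" change the poster noticed.
SAMPLE_LINES = [
    'Apr 27 13:04:59 172.21.70.254 Apr 27 13:04:59 host="myfirewall.mycorp.lan" '
    'process="firewall:" msg_id="3000-0148" disposition="Deny" '
    'src_int="MY-SUPER-INTERNAL-INTERFACE-NAME" dst_int="MY STUPID EXTERNAL INTERFACE NAME" '
    '52 pr="tcp" 20 127 src_ip="10.10.10.10" dst_ip="10.0.0.244" src_port="63404" '
    'dst_port="4116" offset 8 S 3679024395 win 61690 src_user="username@mycompany.lan" '
    'rule_name="Any from Internal By Default.deny"',
    'May 3 16:35:02 10.40.1.254 May  3 16:35:02 MYFIREWALL.mycorp.lan firewall: msg_id="3000-0148"',
]

# Syslog-style header: "Mon D HH:MM:SS [origin]". The origin is optional because the
# firewall's own header in the first sample is followed directly by host="..." rather
# than by a bare hostname; an origin therefore must not contain "=". Runs of spaces
# between the parts are accepted (\s+), which absorbs the double-space issue.
SYSLOG_HDR_RE = re.compile(
    r'^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+'
    r'(?:(?P<origin>[^\s=]+)\s+)?'
)

# One token is key="quoted value" (spaces allowed inside the quotes), key=bare, or a
# bare word. Escaped quotes inside a value are not handled; the firewall does not emit them.
TOKEN_RE = re.compile(
    r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?:"(?P<qval>[^"]*)"|(?P<bval>\S+))|(?P<bare>\S+)'
)


def strip_syslog_headers(line: str, max_headers: int = 2) -> Tuple[List[Dict[str, Optional[str]]], str]:
    """Peel up to max_headers leading syslog headers (relay + firewall) off the line."""
    headers: List[Dict[str, Optional[str]]] = []
    rest = line
    for _ in range(max_headers):
        m = SYSLOG_HDR_RE.match(rest)
        if not m:
            break
        headers.append(m.groupdict())
        rest = rest[m.end():]
    return headers, rest


def parse_kv_tokens(body: str) -> Tuple[Dict[str, str], List[str]]:
    """Split the message body into named fields and the unnamed positional leftovers."""
    fields: Dict[str, str] = {}
    leftovers: List[str] = []
    for m in TOKEN_RE.finditer(body):
        if m.group("key") is not None:
            value = m.group("qval") if m.group("qval") is not None else m.group("bval")
            fields[m.group("key")] = value
        else:
            leftovers.append(m.group("bare"))
    return fields, leftovers


def parse_firebox_line(line: str) -> Dict[str, object]:
    """Full parse: headers, named fields, and the bare tokens a SIEM cannot name reliably."""
    headers, body = strip_syslog_headers(line)
    fields, leftovers = parse_kv_tokens(body)
    return {"headers": headers, "fields": fields, "leftovers": leftovers}


def to_kv_line(fields: Dict[str, str]) -> str:
    """Serialise fields the way the post asks for: every value quoted, quotes escaped."""
    return " ".join(f'{k}="{v.replace(chr(34), chr(92) + chr(34))}"' for k, v in fields.items())


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        result = parse_firebox_line(line)
        print("fields   :", result["fields"])
        print("unnamed  :", result["leftovers"])   # these are the values you cannot extract by name
        print("rewritten:", to_kv_line(result["fields"]))
        print()
```

Running the block prints, for the first line, thirteen named fields and nine unnamed tokens (`52`, `20`, `127`, `offset`, `8`, `S`, ... `win`, `61690`); the leftover list is the quickest way to measure how much of a given log format a field-name extraction rule will miss.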