firewallLogsFormatSchema

Source for the firewall logs document

JSON Example

{
    "@timestamp": "string",
    "logType": "string",
    "enterpriseLogicalId": "string",
    "edgeName": "string",
    "ruleId": "string",
    "edgeLogicalId": "string",
    "actionTaken": "string",
    "sessionId": "number",
    "segmentLogicalId": "string",
    "inputInterface": "string",
    "protocol": "number",
    "sourceIp": "string",
    "destinationIp": "string",
    "sourcePort": "number",
    "destinationPort": "number",
    "destination": "string",
    "domainName": "string",
    "firewallPolicyName": "string",
    "segmentName": "string",
    "extensionHeader": "string",
    "application": "string",
    "sessionDurationSecs": "number",
    "bytesSent": "number",
    "bytesReceived": "number",
    "closeReason": "string",
    "signatureId": "number",
    "verdict": "string",
    "signature": "string",
    "category": "string",
    "ruleVersion": "number",
    "attackSource": "string",
    "attackTarget": "string",
    "severity": "number",
    "idsAlert": "number",
    "ipsAlert": "number"
}

string

@timestamp

Required

Firewall logs event timestamp

string

logType

Required

Type of the requested logs

string

enterpriseLogicalId

Required

Unique identifier of the customer for which logs are being requested

string

edgeName

Required

Name of the edge that generated the log

string

ruleId

Required

Unique identifier that identifies a firewall rule

string

edgeLogicalId

Required

Unique identifier for the edge

string

actionTaken

Optional

Action that was performed on the packets when the condition of the rule met (applies to the flow the packet is part of)

number As float As float

sessionId

Optional

Unique session or flow ID

string

segmentLogicalId

Optional

Unique identifier of the segment which the flow is part of

string

inputInterface

Optional

Interface name through which the packets of the flow entered the edge (applies only to the flows which was initiated from the LAN side. Empty string in case of overlay inbound flows)

number As float As float

protocol

Optional

L4 protocol of the flow

string

sourceIp

Optional

Source IP of the packets

string

destinationIp

Optional

Destination IP for the packets

number As float As float

sourcePort

Optional

Source port number of the session

number As float As float

destinationPort

Optional

Destination port number of the session

string

destination

Optional

Name of the remote-end device of the session

string

domainName

Optional

Domain name of the destination IP address

string

firewallPolicyName

Optional

Name of the firewall policy applied to the session

string

segmentName

Optional

Name of the segment to which the session belongs to

string

extensionHeader

Optional

Includes the extension header details in case of IPv6 session

string

application

Optional

Application the firewall rule was applied. It could be of "Any" or an application that was selected with Differentiated Services Code Point (DSCP) flag to apply a specific firewall rule

number As float As float

sessionDurationSecs

Optional

Duration for which the session has been active

number As float As float

bytesSent

Optional

Amount of data sent in bytes in the session

number As float As float

bytesReceived

Optional

Amount of data received in bytes in the session

string

closeReason

Optional

Reason for the session closureseReason

number As float As float

signatureId

Optional

Suricata signature ID

string

verdict

Optional

Tells allowed or blocked in case of IDPS rules

string

signature

Optional

Signature name/title

string