FireFlow syslog messages

FireFlow automatically sends syslog messages for all history items, including changes made to change requests, comments, and replies, as well as for each status update in a FireFlow change request.

No additional configuration is required to save FireFlow syslog messages locally.

FireFlow syslog message syntax

FireFlow writes these messages to the local syslog daemon using the local0 facility.

With the default syslog configuration, the daemon stores them in the file /var/log/messages, which requires root permissions to read.

All FireFlow syslog messages start with a standard syslog prefix, including the event date and time (without a year) and the FireFlow machine name.

This prefix is followed by a pipe-delimited message in the Common Event Format (CEF), using the following syntax:

CEF:0|DeviceVendor|DeviceProduct|DeviceVersion|ID|Name|Severity|Extension

where:

  • DeviceVendor is always set to AlgoSec.

  • DeviceProduct is always set to FireFlow.

  • DeviceVersion is the FireFlow version string, for example v1.1-b13.

  • ID and Name both indicate the message type and are always equal to each other.

  • Severity is the message severity, as an integer from 0 to 10.

  • Extension contains the detailed message information, in the following format:

    ticket=<ticketID> by_user=<user> msg=<message>

    Where:

    • ticketID is the change request ID.
    • user is the username or email address of the user who performed the action. Actions performed by FireFlow itself are attributed to the FireFlow_System user.
    • message describes the event that triggered the syslog message.


FireFlow syslog message examples

The following are examples of FireFlow syslog messages:

Jul 13 00:13:42 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=requestor@company.com msg=Ticket created

Jul 13 00:13:42 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=FireFlow_System msg=Outgoing email recorded

Jul 13 00:38:32 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Taken

Jul 13 00:38:32 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Status changed from 'new' to 'plan'

Jul 13 00:38:40 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Change Source 1.1.1.1 added

Jul 13 00:38:41 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Change Destination 3.3.3.3 added

Jul 13 00:38:41 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Change Service smtp added

Jul 13 00:38:41 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Change Action allow added

Jul 13 00:38:57 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Status changed from 'plan' to 'check'

Jul 13 00:48:52 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=FireFlow_System msg=Firewall Last Report afa-3 added

Jul 13 00:48:52 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=FireFlow_System msg=Firewall Last Report Date 2009-07-13 04:47:32 added
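The following Python module is an added example, not code from the AlgoSec documentation or from the FireFlow product. It parses lines in the format described above (syslog prefix, CEF header split on unescaped pipes, extension split into key=value pairs so that values containing spaces such as the msg field stay whole), and then reconstructs a per-ticket timeline and the list of status transitions from the page's own example lines. One extra sample line, ticket 2 with a CEF-escaped "\=" inside msg, is constructed here to show the escaping edge case; it is not from the page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Syslog prefix as written by the local daemon: "Mon DD HH:MM:SS host CEF:..."
# Note that this prefix carries no year and no time zone.
_SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<cef>CEF:.*)$"
)
# Extension key=value pairs. A value runs until the next " key=" token, so values
# with spaces (msg=Status changed ...) stay whole. A CEF-escaped "\=" inside a
# value cannot start a new key because "\" is not a key character.
_EXT_RE = re.compile(r"(?P<key>[A-Za-z0-9_]+)=(?P<val>.*?)(?=\s+[A-Za-z0-9_]+=|$)")
# Shape of the status-change messages shown in the documentation examples.
_STATUS_RE = re.compile(r"^Status changed from '(?P<old>[^']*)' to '(?P<new>[^']*)'$")

# Sample input: the eleven example lines from the page, plus one constructed
# line (ticket 2) that exercises CEF escaping of "=" inside the msg value.
SAMPLE_LINES = [
    "Jul 13 00:13:42 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=requestor@company.com msg=Ticket created",
    "Jul 13 00:13:42 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=FireFlow_System msg=Outgoing email recorded",
    "Jul 13 00:38:32 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Taken",
    "Jul 13 00:38:32 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Status changed from 'new' to 'plan'",
    "Jul 13 00:38:40 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Change Source 1.1.1.1 added",
    "Jul 13 00:38:41 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Change Destination 3.3.3.3 added",
    "Jul 13 00:38:41 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Change Service smtp added",
    "Jul 13 00:38:41 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Change Action allow added",
    "Jul 13 00:38:57 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Status changed from 'plan' to 'check'",
    "Jul 13 00:48:52 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=FireFlow_System msg=Firewall Last Report afa-3 added",
    "Jul 13 00:48:52 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=FireFlow_System msg=Firewall Last Report Date 2009-07-13 04:47:32 added",
    # Constructed line (not from the page): "tcp=8443" is CEF-escaped as "tcp\=8443".
    r"Jul 13 00:50:01 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=2 by_user=ned msg=Change Service tcp\=8443 added",
]


@dataclass
class FireFlowEvent:
    timestamp: str
    host: str
    vendor: str
    product: str
    version: str
    event_id: str
    name: str
    severity: int
    ext: Dict[str, str] = field(default_factory=dict)

    @property
    def ticket(self) -> str:
        return self.ext.get("ticket", "")

    @property
    def user(self) -> str:
        return self.ext.get("by_user", "")

    @property
    def msg(self) -> str:
        return self.ext.get("msg", "")


def _unescape(value: str) -> str:
    """Undo CEF escaping: "\\|", "\\=" and "\\\\" become the literal character."""
    return re.sub(r"\\([|=\\])", r"\1", value)


def parse_line(line: str) -> Optional[FireFlowEvent]:
    """Parse one syslog line into a FireFlowEvent; return None for anything else."""
    m = _SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # Split the header on pipes that are not backslash-escaped. maxsplit=7 keeps
    # the extension (eighth field) intact even if it contains a '|'.
    fields = re.split(r"(?<!\\)\|", m.group("cef"), maxsplit=7)
    if len(fields) != 8 or fields[0] != "CEF:0":
        return None
    vendor, product, version, event_id, name, sev, extension = fields[1:]
    if not sev.isdigit() or not 0 <= int(sev) <= 10:   # CEF severity range
        return None
    ext = {mm.group("key"): _unescape(mm.group("val")) for mm in _EXT_RE.finditer(extension)}
    return FireFlowEvent(
        timestamp=m.group("ts"), host=m.group("host"),
        vendor=_unescape(vendor), product=_unescape(product), version=_unescape(version),
        event_id=_unescape(event_id), name=_unescape(name), severity=int(sev), ext=ext,
    )


def parse_lines(lines: Iterable[str]) -> List[FireFlowEvent]:
    """Parse a stream of syslog lines, silently skipping non-FireFlow lines."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def timeline(events: List[FireFlowEvent], ticket: str) -> List[Tuple[str, str, str]]:
    """(timestamp, user, msg) for one change request, in log order."""
    return [(e.timestamp, e.user, e.msg) for e in events if e.ticket == ticket]


def status_transitions(events: List[FireFlowEvent]) -> List[Tuple[str, str, str, str]]:
    """(ticket, user, old status, new status) for every status change."""
    out = []
    for e in events:
        m = _STATUS_RE.match(e.msg)
        if m:
            out.append((e.ticket, e.user, m.group("old"), m.group("new")))
    return out


def human_actions(events: List[FireFlowEvent]) -> List[FireFlowEvent]:
    """Events attributed to a person rather than to FireFlow_System."""
    return [e for e in events if e.user != "FireFlow_System"]


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LINES)
    for row in timeline(evs, "1"):
        print(row)
    print(status_transitions(evs))
```

Because the syslog prefix has no year and no time zone, anyone correlating these lines with other sources (for example firewall change logs) should have the collector stamp each line with its own receive time, or forward the messages to a collector that does, rather than relying on the prefix alone.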
