AFA analysis syslog messages
AFA generates syslog messages for each analysis run, as well as additional information and administrative syslog messages as needed.
AFA analysis syslog message reference
The following table provides a basic description of the syslog messages generated for AFA analysis and links to more details below.
Message type | Description |
---|---|
Start and Start Refresh syslog messages | Indicate that an AFA analysis has begun |
Findings syslog messages | Summarize the analysis results |
End syslog messages | Indicate the completion of an analysis process, regardless of status |
ReportData syslog messages | Provide details for a specific report |
Info syslog messages | Contain additional details about report findings, such as changes in policies |
Admin syslog messages | Indicate a situation that requires administrative attention |
Tip: Both the report and firewall parameters appear in all syslog messages issued for a report being generated, and can be used to identify all related messages for the report.
Start and Start Refresh syslog messages
Start messages indicate that an AFA analysis has begun, identifying the unique job-name assigned.
If you are refreshing an existing report, the event name and ID are Start Refresh instead of Start.
Severity level: 1.
Syntax:
Start syslog messages have the following syntax (the CEF header is the same as in the sample messages below):
CEF:0|AlgoSec|Firewall Analyzer|<AFA-Version>|Start|Start|1|<Domain>|report=<report_name> firewall=<device_name>
Start messages include the following parameters:
- report. The name assigned to the new report. For example, afa-3928.
- firewall. The name of the device being analyzed.
Findings syslog messages
Findings messages summarize the analysis results, and are sent when the report is ready.
If a failure occurred and no report was generated, no message is sent.
Severity level: Depends on the status message. For details, see Severity.
Syntax:
CEF:0|AlgoSec|Firewall Analyzer|<AFA‑Version>|Findings|Findings|<Domain>|
<Severity>|report=<report_name> firewall=<device_name> status=<status> msg=<details>
Findings messages include the following parameters:
- report. The name assigned to the new report. For example, afa-3928.
- firewall. The name of the device being analyzed.
- status. A description of the status found, such as No changes or Manual run (see the sample messages below).
- msg. A short, free-text summary of any risks found. For example: 1 high, 2 medium.
End syslog messages
End messages are always sent when an analysis process completes, regardless of the status.
Severity level: Depends on the analysis status. For details, see AFA analysis syslog messages.
Syntax:
CEF:0|AlgoSec|Firewall Analyzer|<AFA‑Version>|End|End|<Severity>|<Domain>|
report=<report_name> firewall=<device_name> status=<status> url=<report URL>
End messages include the following parameters:
- report. The name assigned to the new report. For example, afa-3928.
- firewall. The name of the device being analyzed.
- status. One of the following:

Status | Description | Severity |
---|---|---|
Success | Analysis completed successfully. | 1 |
Failure | Analysis failed to complete. | 7 |

- url. The URL of the report generated. For example: url=https://192.168.2.8/~sally/algosec/php/Login.php?type\=firewall&report\=sally-570
Tip: In this URL the equal signs (=) are escaped with a preceding backslash (\). Before using this URL as a hyperlink, strip out the backslashes.
ReportData syslog messages
ReportData syslog messages are sent for each new report generated, and contain details about the report's contents.
Severity level: 0
Syntax:
CEF:0|AlgoSec|Firewall Analyzer|<AFA‑Version>|ReportData|ReportData|<Domain>|0|report=<report_name> firewall=<device_name> {<report data>}
ReportData messages include the following parameters:
- report. The name assigned to the new report. For example, afa-3928.
- firewall. The name of the device being analyzed.
- report data. Includes details from the report for the device analyzed, such as the number of risks of various severity, security rating scores, number of duplicate objects, number of covered rules, and so on. For details, see Sample ReportData message.
Info syslog messages
Info messages contain additional details about report findings, including a list of any detected risks, changes in the policy, and so on.
Severity: 0
Syntax:
CEF:0|AlgoSec|Firewall Analyzer|<AFA‑Version>|Info|Info|0|<Domain>|report=<report_name> firewall=<device_name> msg=<details>
Info messages include the following parameters:
- report. The name assigned to the new report. For example, afa-3928.
- firewall. The name of the device being analyzed.
- msg. Contains the additional details. For example: Start data collection or Summary: <risk-level> <count> <risk code> <title>
Admin syslog messages
Admin messages indicate a situation that requires administrative attention.
Severity: 7
Syntax:
CEF:0|AlgoSec|Firewall Analyzer|<AFA-Version>|Admin|Admin|7|<Domain>|msg=<details>
Admin messages include the following parameters:
- msg. Contains details about the situation. For example: Low disk space or Over 95% of the disk space is in use
Sample AFA syslog messages
The following examples show syslog messages as they would look in the local /var/log/messages file.
- Sample normal report message sequence, no changes found
- Sample normal report message sequence, manual run
- Sample ReportData message
- Sample analysis failure message, manual run
- Sample admin message
- Sample admin message, High Availability clusters
Each message occupies a single line in the file.
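The following parser is an added example, not AlgoSec code: it splits each syslog line into the CEF header fields and the key=value extension, treats a backslash-escaped "\=" (as in the report url) as part of a value rather than a new key, parses the trailing JSON object of a ReportData message, groups a report's messages by the report and firewall pair (the Tip above), and flags End messages with a status other than Success plus every Admin message. The sample lines are constructed from the message shapes shown on this page; note that in all the samples the severity field comes before the domain field (for example |1|NONE|), and the parser follows the samples. The key-detection rule and the alert rule are this example's own assumptions.

```python
import json
import re
from collections import defaultdict

# Constructed sample lines in the shapes documented on this page (syslog
# prefix, then the CEF record). Each message is one line in /var/log/messages.
SAMPLE_LINES = [
    r"May 15 17:00:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Start|Start|1|NONE|report=sally-570 firewall=ALGO_CL",
    r"May 15 17:00:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Info|Info|0|NONE|report=sally-570 firewall=ALGO_CL msg=Start data collection",
    r"May 15 17:00:28 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Findings|Findings|1|NONE|report=sally-570 firewall=ALGO_CL status=No changes",
    r"May 15 17:00:38 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|End|End|1|NONE|report=sally-570 firewall=ALGO_CL status=Success url=https://192.168.2.8/~sally/algosec/php/Login.php?type\=firewall&report\=sally-570",
    r"May 16 11:14:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|End|End|7|NONE|report=sally-577 firewall=afr status=Failure url=https://192.168.2.8/~sally/algosec/php/Login.php?type\=firewall&report\=sally-577",
    r"May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=Low disk space on the AFA server (under 200 MB)",
    r'May 16 11:30:00 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|ReportData|ReportData|0|NONE|report=afa-12345 firewall=QWERTYUIOPOIU01 {"Number of High Risks":"0","Number of Suspected High Risks":"2","Security Rating Score":"86"}',
]

# Assumed key rule: a run of word characters followed by '=' at the start of
# the extension or right after whitespace. A backslash-escaped '\=' inside the
# report URL therefore never starts a key and stays inside the url value.
KEY_RE = re.compile(r"(?:^|(?<=\s))(\w+)=")


def parse_extension(ext):
    """Turn 'report=x firewall=y msg=free text' into a dict. A trailing
    {json} object (ReportData messages) is parsed into the 'data' entry."""
    fields = {}
    data = None
    if ext.endswith("}"):
        brace = ext.find("{")
        data = json.loads(ext[brace:])
        ext = ext[:brace].rstrip()
    keys = list(KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip()
        # The url value carries '\=' escapes; strip them so it is usable as a link.
        fields[m.group(1)] = value.replace(r"\=", "=")
    if data is not None:
        fields["data"] = data
    return fields


def parse_line(line):
    """Parse one syslog line; returns None for lines that carry no CEF record."""
    idx = line.find("CEF:0|")
    if idx < 0:
        return None
    # Header order as in the page's samples: version|vendor|product|device
    # version|signature id|name|severity|domain|extension.
    parts = line[idx:].split("|", 8)
    if len(parts) != 9:
        return None
    _, vendor, product, version, sig_id, name, severity, domain, ext = parts
    rec = {
        "syslog_prefix": line[:idx].rstrip(),
        "vendor": vendor, "product": product, "version": version,
        "type": sig_id, "name": name, "severity": int(severity), "domain": domain,
    }
    rec.update(parse_extension(ext))
    return rec


def correlate(records):
    """Group a report's Start/Info/Findings/End/ReportData messages by the
    (report, firewall) pair that appears in every message for that report."""
    runs = defaultdict(list)
    for r in records:
        if "report" in r:
            runs[(r["report"], r["firewall"])].append(r)
    return runs


def alerts(records):
    """Records an operator should look at: analyses that did not end with
    status=Success, and every Admin message (assumed triage rule)."""
    out = []
    for r in records:
        if r["type"] == "End" and r.get("status") != "Success":
            out.append(f"analysis {r['report']} on {r['firewall']} ended with status={r.get('status')}")
        elif r["type"] == "Admin":
            out.append(f"admin: {r.get('msg')}")
    return out


if __name__ == "__main__":
    recs = [r for r in (parse_line(l) for l in SAMPLE_LINES) if r]
    for key, msgs in correlate(recs).items():
        print(key, [m["type"] for m in msgs])
    for a in alerts(recs):
        print("ALERT:", a)
```

Run against a real /var/log/messages, feed the file's lines to parse_line instead of SAMPLE_LINES; lines from other daemons return None and are skipped. Because the msg and status values are free text with spaces, the parser locates keys rather than splitting on whitespace, which is also why the escaped "\=" in the url must be recognised before the value is unescaped.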
Sample normal report message sequence, no changes found
May 15 17:00:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Start|Start|1|NONE|report=sally-570 firewall=ALGO_CL
May 15 17:00:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Info|Info|0|NONE|report=sally-570 firewall=ALGO_CL msg=Start data collection
May 15 17:00:28 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Findings|Findings|1|NONE|report=sally-570 firewall=ALGO_CL status=No changes
May 15 17:00:38 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|End|End|1|NONE|report=sally-570 firewall=ALGO_CL status=Success url=https://192.168.2.8/~sally/algosec/php/Login.php?type\=firewall&report\=sally-570
Sample normal report message sequence, manual run
May 15 17:06:07 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Start|Start|1|NONE|report=sally-572 firewall=192_168_2_52
May 15 17:06:08 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Info|Info|0|NONE|report=sally-572 firewall=192_168_2_52 msg=Start data collection
May 15 17:06:51 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Findings|Findings|1|NONE|report=sally-572 firewall=192_168_2_52 status=Manual run msg=1 suspected high risks, 1 medium risks.
May 15 17:06:51 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Info|Info|0|NONE|report=sally-572 firewall=192_168_2_52 msg=Summary: susp_high 1 F08 Insecure external access to router 2
May 15 17:06:51 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Info|Info|0|NONE|report=sally-572 firewall=192_168_2_52 msg=Summary: medium 2 R01 "From somewhere to Any allow Any service" rules 2
May 15 17:06:56 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|End|End|1|NONE|report=sally-572 firewall=192_168_2_52 status=Success url=https://192.168.2.8/~sally/algosec/php/Login.php?type\=firewall&report\=sally-572
Sample ReportData message
CEF:0|AlgoSec|Firewall Analyzer|v2018.1.800-b281|ReportData|ReportData|0|NONE|report=afa-12345 firewall=QWERTYUIOPOIU01 {"NERC Level":"Fair","Number of Low Risks":"4","Device IP":"10.20.140.551","ISO27001 Level":"Fair","NIST_800-41 Level":"Fair","NERC Score":"70","SOX Level":"Fair","SOX Score":"66","PCI Score":"65","GLBA Score":"73","NIST_800-53 Score":"70","BASEL Level":"Fair","Number of Unused Rules":null,"NIST_800-171 Score":"72","Number of Medium Risks":"9","Device Groups":[],"ASD_ISM Score":"62","Number of High Risks":"0","HIPAA Level":"Fair","Number of Duplicate Objects":"206","Number of Special Case Rules":"6","Security Rating Score":"86","Number of Disabled Rules":"4","GLBA Level":"Fair","NIST_800-53 Level":"Fair","ISO27001 Score":"68","TRM Level":"Fair","TRM Score":"74","PCI Level":"Fair","Device Brand":"Check Point","HIPAA Score":"73","NIST_800-171 Level":"Fair","GDPR Level":"Fair","Domain Name":0,"ASD_ISM Level":"Fair","Highest Risk Level":"Suspected_High","Number of Covered Rules":"3","Rule Count":"100","Number of Suspected High Risks":"2","Device Id":"QWERTYUIOPOIU01","GDPR Score":"68","Report Date":"20190622T224914+0300","NIST_800-41 Score":"62","BASEL Score":"66"}
Sample analysis failure message, manual run
May 16 11:14:01 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Start|Start|1|NONE|report=sally-577 firewall=afr
May 16 11:14:01 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Info|Info|0|NONE|report=sally-577 firewall=afr msg=Start data collection
May 16 11:14:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Info|Info|0|NONE|report=sally-577 firewall=afr msg=Data collection failed
May 16 11:14:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|End|End|7|NONE|report=sally-577 firewall=afr status=Failure url=https://192.168.2.8/~sally/algosec/php/Login.php?type\=firewall&report\=sally-577
Sample admin message
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=Low disk space on the AFA server (under 200 MB)
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=Backup of AFA configuration failed
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=Low disk space on AlgoSec server
Sample admin message, High Availability clusters
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Service started on Primary
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Service stopped on Primary
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Service started on Secondary
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Service stopped on Secondary
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Secondary is down
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Secondary is up
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Version mismatch error
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Split brain error
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Sync too slow
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Manual hand-over performed
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - appliance manually removed from HA cluster
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - HA parameters set
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Primary appliance initialized successfully by secondary
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Secondary appliance initialized successfully by primary