AFA analysis syslog messages

AFA generates syslog messages for each analysis run, as well as additional information and administrative syslog messages as needed.

AFA analysis syslog message reference

The following table provides a basic description of the syslog messages generated for AFA analysis and links to more details below.

Message type                              Description
Start and Start Refresh syslog messages   Indicate that an AFA analysis has begun
Findings syslog messages                  Summarize the analysis results
End syslog messages                       Indicate the completion of an analysis process, regardless of status
ReportData syslog messages                Provide details for a specific report
Info syslog messages                      Contain additional details about report findings, such as changes in policies
Admin syslog messages                     Indicate a situation that requires administrative attention

Tip: Both the report and firewall parameters appear in all syslog messages issued for a report being generated, and can be used to identify all related messages for the report.

Start and Start Refresh syslog messages

Start messages indicate that an AFA analysis has begun, identifying the unique job name assigned to it.

If you are refreshing an existing report, the event name and ID are Start Refresh instead of Start.

Severity level: 1.

Syntax:

Start syslog messages have the following syntax:

CEF:0|AlgoSec|Firewall Analyzer|<AFA-Version>|Start|Start|1|<Domain>|
report=<report_name> firewall=<device_name>

Start messages include the following parameters:

  • report. The name assigned to the new report. For example, afa-3928.
  • firewall. The name of the device being analyzed.

Findings syslog messages

Findings messages summarize the analysis results, and are sent when the report is ready.

If a failure occurred and no report was generated, no message is sent.

Severity level: Depends on the status message. For details, see Severity.

Syntax:

CEF:0|AlgoSec|Firewall Analyzer|<AFA-Version>|Findings|Findings|<Severity>|<Domain>|
report=<report_name> firewall=<device_name> status=<status> msg=<details>

Findings messages include the following parameters:

  • report. The name assigned to the new report. For example, afa-3928.
  • firewall. The name of the device being analyzed.
  • status. A description of the status found, together with the severity assigned to the message, such as:

    Status       Severity   Description
    No changes   1          The device policy has not changed since the previous analysis.
    Changes      3          Changes in the device policy were detected, but no new risk items were flagged.
    New risks    5          Changes in the device policy were detected, and additional risk items were flagged. This is the most severe status code that AFA produces.
    Manual run   1          The report was initiated manually, and is not scheduled. This may occur when an administrator is testing a new configuration or scenario.
  • msg. A short, free-text summary of any risks found. For example: 1 high, 2 medium.

End syslog messages

End messages are always sent when an analysis process completes, regardless of the status.

Severity level: Depends on the analysis status. For details, see AFA analysis syslog messages.

Syntax:

CEF:0|AlgoSec|Firewall Analyzer|<AFA-Version>|End|End|<Severity>|<Domain>|
report=<report_name> firewall=<device_name> status=<status> url=<report URL>

End messages include the following parameters:

  • report. The name assigned to the new report. For example, afa-3928.
  • firewall. The name of the device being analyzed.
  • status. One of the following:

    Status    Severity   Description
    Success   1          Analysis completed successfully.
    Failure   7          Analysis failed to complete.
  • url. The URL of the report generated. For example: url=https://192.168.2.8/~sally/algosec/php/Login.php?type\=firewall&report\=sally-570

    Tip: In this URL each equal sign (=) is escaped with a leading backslash (\=), as CEF extension values require. Before using the URL as a hyperlink, strip out the backslashes.
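The following parser is an added example, not part of the AlgoSec documentation or product. It shows how a log pipeline would consume the Start, Findings, End, Info and Admin messages described above: it splits the CEF header (the seven standard fields plus the AFA <Domain> field), reads the extension keys this page documents, unescapes the backslash-escaped equal signs in the url value, and groups all messages of one run by the report and firewall pair, as the tip at the top of the reference suggests. The sample log lines, hostname and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the documented format (hostname, report names and the
# 192.0.2.0/24 documentation address are made up, not taken from a live AFA server).
SAMPLE_LOG = """\
May 15 17:00:02 afa-host CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Start|Start|1|NONE|report=sally-570 firewall=ALGO_CL
May 15 17:00:02 afa-host CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Info|Info|0|NONE|report=sally-570 firewall=ALGO_CL msg=Start data collection
May 15 17:00:28 afa-host CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Findings|Findings|5|NONE|report=sally-570 firewall=ALGO_CL status=New risks msg=1 high, 2 medium
May 15 17:00:38 afa-host CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|End|End|1|NONE|report=sally-570 firewall=ALGO_CL status=Success url=https://192.0.2.8/~sally/algosec/php/Login.php?type\\=firewall&report\\=sally-570
May 16 11:14:01 afa-host CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Start|Start|1|NONE|report=sally-577 firewall=afr
May 16 11:14:02 afa-host CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|End|End|7|NONE|report=sally-577 firewall=afr status=Failure url=https://192.0.2.8/~sally/algosec/php/Login.php?type\\=firewall&report\\=sally-577
May 16 11:20:00 afa-host CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Start|Start|1|NONE|report=sally-580 firewall=edge-fw
May 16 11:24:02 afa-host CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=Low disk space on the AFA server (under 200 MB)
"""

# CEF header as AFA emits it: the seven standard CEF header fields plus AFA's <Domain> field.
HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "signature_id", "name", "severity", "domain")

# Extension keys documented on this page. A value runs until the next " key=" boundary,
# so values containing spaces (status=No changes, msg=1 high, 2 medium) stay intact.
EXT_KEY_RE = re.compile(r"(?:^|\s)(report|firewall|status|msg|url)=")


def unescape_cef_value(value):
    # Undo CEF escaping in an extension value: \= becomes = and \\ becomes \
    # (these are the backslashes the tip above says to strip before using the URL).
    return re.sub(r"\\(.)", r"\1", value)


def parse_afa_cef(line):
    """Parse one syslog line carrying an AFA CEF message; return a dict, or None if it is not one."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    # maxsplit=8 keeps any '|' that appears inside the extension (e.g. in a msg value) intact.
    parts = line[idx:].split("|", 8)
    if len(parts) != 9 or not parts[6].isdigit():
        return None
    rec = dict(zip(HEADER_FIELDS, parts[:8]))
    rec["cef_version"] = rec["cef_version"][len("CEF:"):]
    rec["severity"] = int(rec["severity"])
    rec["syslog_prefix"] = line[:idx].rstrip()
    ext = parts[8]
    rec["ext"] = {}
    matches = list(EXT_KEY_RE.finditer(ext))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        rec["ext"][m.group(1)] = unescape_cef_value(ext[m.end():end].strip())
    return rec


def new_run():
    return {"started": False, "ended": False, "findings_status": None,
            "end_status": None, "url": None, "max_severity": 0}


def correlate_reports(lines):
    """Group report messages by (report, firewall) and collect Admin messages separately."""
    runs = defaultdict(new_run)
    admin = []
    for line in lines:
        rec = parse_afa_cef(line)
        if rec is None:
            continue
        if rec["name"] == "Admin":
            admin.append(rec["ext"].get("msg"))
            continue
        run = runs[(rec["ext"].get("report"), rec["ext"].get("firewall"))]
        run["max_severity"] = max(run["max_severity"], rec["severity"])
        if rec["name"] in ("Start", "Start Refresh"):
            run["started"] = True
        elif rec["name"] == "Findings":
            run["findings_status"] = rec["ext"].get("status")
        elif rec["name"] == "End":
            run["ended"] = True
            run["end_status"] = rec["ext"].get("status")
            run["url"] = rec["ext"].get("url")
    return dict(runs), admin


def runs_needing_attention(runs):
    """Keys of runs worth a look: failed analyses, runs that flagged new risks,
    and runs that sent Start but never sent an End message."""
    return sorted(key for key, run in runs.items()
                  if run["end_status"] == "Failure"
                  or run["findings_status"] == "New risks"
                  or (run["started"] and not run["ended"]))


if __name__ == "__main__":
    runs, admin = correlate_reports(SAMPLE_LOG.splitlines())
    for key in runs_needing_attention(runs):
        print(key, runs[key])
    print("admin:", admin)
```

The Start-without-End check depends on feeding the correlator a window of lines that spans a whole run; in a streaming pipeline, keep the run table across batches and age out keys only after the longest expected analysis time.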

ReportData syslog messages

ReportData syslog messages are sent for each new report generated, and contain details about the report's contents.

Severity level: 0

Syntax:

CEF:0|AlgoSec|Firewall Analyzer|<AFA-Version>|ReportData|ReportData|0|<Domain>|report=<report_name> firewall=<device_name> {<report data>}

ReportData messages include the following parameters:

  • report. The name assigned to the new report. For example, afa-3928.
  • firewall. The name of the device being analyzed.
  • report data. Includes details from the report for the device analyzed, such as the number of risks of various severity, security rating scores, number of duplicate objects, number of covered rules, and so on. For details, see Sample ReportData message.

Info syslog messages

Info messages contain additional details about report findings, including a list of any detected risks, changes in the policy, and so on.

Severity: 0

Syntax:

CEF:0|AlgoSec|Firewall Analyzer|<AFA-Version>|Info|Info|0|<Domain>|report=<report_name> firewall=<device_name> msg=<details>

Info messages include the following parameters:

  • report. The name assigned to the new report. For example, afa-3928.

  • firewall. The name of the device being analyzed.

  • msg. Contains the additional details.

    For example: Start data collection or Summary: <risk-level> <count> <risk code> <title>

Admin syslog messages

Admin messages indicate a situation that requires administrative attention.

Severity: 7

Syntax:

CEF:0|AlgoSec|Firewall Analyzer|<AFA-Version>|Admin|Admin|7|<Domain>|msg=<details>

Admin messages include the following parameters:

  • msg. Contains details about the situation. For example: Low disk space or Over 95% of the disk space is in use

Sample AFA syslog messages

The following examples show syslog messages as they would look in the local /var/log/messages file.

Each message occupies a single line in the file.

Sample normal report message sequence, no changes found

May 15 17:00:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Start|Start|1|NONE|report=sally-570 firewall=ALGO_CL
May 15 17:00:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Info|Info|0|NONE|report=sally-570 firewall=ALGO_CL msg=Start data collection
May 15 17:00:28 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Findings|Findings|1|NONE|report=sally-570 firewall=ALGO_CL status=No changes
May 15 17:00:38 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|End|End|1|NONE|report=sally-570 firewall=ALGO_CL status=Success url=https://192.168.2.8/~sally/algosec/php/Login.php?type\=firewall&report\=sally-570

Sample normal report message sequence, manual run

May 15 17:06:07 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Start|Start|1|NONE|report=sally-572 firewall=192_168_2_52
May 15 17:06:08 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Info|Info|0|NONE|report=sally-572 firewall=192_168_2_52 msg=Start data collection
May 15 17:06:51 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Findings|Findings|1|NONE|report=sally-572 firewall=192_168_2_52 status=Manual run msg=1 suspected high risks, 1 medium risks.
May 15 17:06:51 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Info|Info|0|NONE|report=sally-572 firewall=192_168_2_52 msg=Summary: susp_high 1 F08 Insecure external access to router 2
May 15 17:06:51 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Info|Info|0|NONE|report=sally-572 firewall=192_168_2_52 msg=Summary: medium 2 R01 "From somewhere to Any allow Any service" rules 2
May 15 17:06:56 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|End|End|1|NONE|report=sally-572 firewall=192_168_2_52 status=Success url=https://192.168.2.8/~sally/algosec/php/Login.php?type\=firewall&report\=sally-572

Sample ReportData message

CEF:0|AlgoSec|Firewall Analyzer|v2018.1.800-b281|ReportData|ReportData|0|NONE|report=afa-12345 firewall=QWERTYUIOPOIU01 {"NERC Level":"Fair","Number of Low Risks":"4","Device IP":"10.20.140.551","ISO27001 Level":"Fair","NIST_800-41 Level":"Fair","NERC Score":"70","SOX Level":"Fair","SOX Score":"66","PCI Score":"65","GLBA Score":"73","NIST_800-53 Score":"70","BASEL Level":"Fair","Number of Unused Rules":null,"NIST_800-171 Score":"72","Number of Medium Risks":"9","Device Groups":[],"ASD_ISM Score":"62","Number of High Risks":"0","HIPAA Level":"Fair","Number of Duplicate Objects":"206","Number of Special Case Rules":"6","Security Rating Score":"86","Number of Disabled Rules":"4","GLBA Level":"Fair","NIST_800-53 Level":"Fair","ISO27001 Score":"68","TRM Level":"Fair","TRM Score":"74","PCI Level":"Fair","Device Brand":"Check Point","HIPAA Score":"73","NIST_800-171 Level":"Fair","GDPR Level":"Fair","Domain Name":0,"ASD_ISM Level":"Fair","Highest Risk Level":"Suspected_High","Number of Covered Rules":"3","Rule Count":"100","Number of Suspected High Risks":"2","Device Id":"QWERTYUIOPOIU01","GDPR Score":"68","Report Date":"20190622T224914+0300","NIST_800-41 Score":"62","BASEL Score":"66"}
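The ReportData payload above carries its counts as JSON strings ("4") and uses null when a value is unavailable ("Number of Unused Rules"), so a SIEM rule cannot compare the raw values directly. The following added example (not AlgoSec code) normalizes a ReportData message into numeric fields and checks them against policy thresholds; the message, device name and threshold values are constructed for the example and only a subset of the keys from the real sample is included.

```python
import json

# Constructed ReportData message in the format shown above (report name, device name and
# values are made up; the real sample carries many more keys).
SAMPLE_REPORTDATA = (
    "CEF:0|AlgoSec|Firewall Analyzer|v2018.1.800-b281|ReportData|ReportData|0|NONE|"
    "report=afa-12345 firewall=EXAMPLE-FW01 "
    '{"Number of Low Risks":"4","Number of Medium Risks":"9","Number of High Risks":"0",'
    '"Number of Suspected High Risks":"2","Number of Unused Rules":null,'
    '"Number of Disabled Rules":"4","Rule Count":"100","Security Rating Score":"86",'
    '"Highest Risk Level":"Suspected_High","Device Brand":"Check Point",'
    '"Device Groups":[],"Domain Name":0,"Report Date":"20190622T224914+0300"}'
)

# JSON keys holding the per-severity risk counts, mapped to short names.
COUNT_KEYS = {
    "Number of Suspected High Risks": "suspected_high",
    "Number of High Risks": "high",
    "Number of Medium Risks": "medium",
    "Number of Low Risks": "low",
}


def parse_reportdata(message):
    """Split a ReportData message into its report/firewall fields and the decoded JSON payload."""
    fields = message.split("|", 8)
    if len(fields) != 9 or fields[4] != "ReportData":
        raise ValueError("not an AFA ReportData message")
    extension = fields[8]
    brace = extension.find("{")  # the JSON object starts at the first brace
    if brace < 0:
        raise ValueError("ReportData message has no JSON payload")
    meta = dict(kv.split("=", 1) for kv in extension[:brace].split())
    return meta, json.loads(extension[brace:])


def as_count(value):
    """AFA sends counts as strings and uses null when a count is unavailable; keep None as None."""
    return None if value is None else int(value)


def risk_summary(message):
    """Normalize one ReportData message into numeric fields a detection rule can compare."""
    meta, data = parse_reportdata(message)
    return {
        "report": meta["report"],
        "firewall": meta["firewall"],
        "highest_risk_level": data.get("Highest Risk Level"),
        "security_rating": as_count(data.get("Security Rating Score")),
        "rule_count": as_count(data.get("Rule Count")),
        "unused_rules": as_count(data.get("Number of Unused Rules")),
        "counts": {short: as_count(data.get(key)) for key, short in COUNT_KEYS.items()},
    }


def threshold_violations(summary, max_suspected_high=0, max_high=0, min_rating=70):
    """Return human-readable reasons this report breaches the given (constructed) thresholds."""
    reasons = []
    counts = summary["counts"]
    if (counts["suspected_high"] or 0) > max_suspected_high:
        reasons.append(f"suspected-high risks: {counts['suspected_high']} > {max_suspected_high}")
    if (counts["high"] or 0) > max_high:
        reasons.append(f"high risks: {counts['high']} > {max_high}")
    rating = summary["security_rating"]
    if rating is not None and rating < min_rating:
        reasons.append(f"security rating: {rating} < {min_rating}")
    return reasons


if __name__ == "__main__":
    summary = risk_summary(SAMPLE_REPORTDATA)
    print(summary)
    print(threshold_violations(summary))
```

Treating a null count as "unknown" rather than zero matters here: a missing "Number of Unused Rules" is not evidence that there are none, so the summary keeps None and the threshold check only alerts on values it actually has.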

Sample analysis failure message, manual run

May 16 11:14:01 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Start|Start|1|NONE|report=sally-577 firewall=afr
May 16 11:14:01 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Info|Info|0|NONE|report=sally-577 firewall=afr msg=Start data collection
May 16 11:14:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Info|Info|0|NONE|report=sally-577 firewall=afr msg=Data collection failed
May 16 11:14:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|End|End|7|NONE|report=sally-577 firewall=afr status=Failure url=https://192.168.2.8/~sally/algosec/php/Login.php?type\=firewall&report\=sally-577

Sample admin message

May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=Low disk space on the AFA server (under 200 MB)
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=Backup of AFA configuration failed
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=Low disk space on AlgoSec server

Sample admin message, High Availability clusters

May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Service started on Primary
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Service stopped on Primary
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Service started on Secondary
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Service stopped on Secondary
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Secondary is down
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Secondary is up
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Version mismatch error
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Split brain error
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Sync too slow
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Manual hand-over performed
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - appliance manually removed from HA cluster
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - HA parameters set
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Primary appliance initialized successfully by secondary
May 16 11:24:02 algosec-dev5 CEF:0|AlgoSec|Firewall Analyzer|v6.1-b55|Admin|Admin|7|NONE|msg=AlgoSec HA - Secondary appliance initialized successfully by primary
