FireFlow syslog messages

FireFlow automatically sends Syslog messages for all history items, including changes made to change requests, comments, and replies, as well as for each status update in a FireFlow change request.

No additional configuration is required to save FireFlow Syslog messages locally.

FireFlow syslog message syntax

FireFlow automatically writes messages to the local syslog daemon using the local0 facility.

These messages are written to the /var/log/messages file, which requires root permissions to read.

All FireFlow syslog messages start with a standard syslog prefix, including the event date and time, and the FireFlow machine name.

This prefix is followed by a CEF standard bar-delimited message, using the following syntax:

CEF:0|DeviceVendor|DeviceProduct|DeviceVersion|ID|Name|Severity|Extension

where:

  • DeviceVendor is always set to AlgoSec.

  • DeviceProduct is always set to FireFlow.

  • DeviceVersion is the FireFlow version string, for example v1.1-b13.

  • ID and Name both indicate the message type, and are therefore identical.

  • Severity is the message severity, as a number from 0 to 10.

  • Extension contains the detailed message information, in the following format:

    ticket=<ticketID> by_user=<user> msg=<message>

    where:

    • ticketID is the change request ID.
    • user is the user name or the email address of the requestor; actions performed by FireFlow itself are attributed to the FireFlow system.
    • message describes the event that triggered the message.

FireFlow syslog message examples

The following are examples of FireFlow syslog messages:

Jul 13 00:13:42 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=<requestor email address> msg=Ticket created

Jul 13 00:13:42 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=FireFlow_System msg=Outgoing email recorded

Jul 13 00:38:32 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Taken

Jul 13 00:38:32 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Status changed from 'new' to 'plan'

Jul 13 00:38:40 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Change Source 1.1.1.1 added

Jul 13 00:38:41 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Change Destination 3.3.3.3 added

Jul 13 00:38:41 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Change Service smtp added

Jul 13 00:38:41 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Change Action allow added

Jul 13 00:38:57 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Status changed from 'plan' to 'check'

Jul 13 00:48:52 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=FireFlow_System msg=Firewall Last Report afa-3 added

Jul 13 00:48:52 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=FireFlow_System msg=Firewall Last Report Date 2009-07-13 04:47:32 added
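As an added example (not AlgoSec's own code), the following Python parser applies the message syntax described above: it splits the syslog prefix, the seven bar-delimited CEF header fields and the ticket=/by_user=/msg= extension, then collects the status transitions of each change request so a reviewer can audit the workflow from the local log. The sample lines are constructed after the examples on this page, and the last one is a non-FireFlow line to show that it is skipped.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines, modelled on the examples on this page (not captured output).
SAMPLE_LINES = [
    "Jul 13 00:38:32 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Taken",
    "Jul 13 00:38:32 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Status changed from 'new' to 'plan'",
    "Jul 13 00:38:57 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=ned msg=Status changed from 'plan' to 'check'",
    "Jul 13 00:48:52 localhost CEF:0|AlgoSec|FireFlow|v1.1-b13|Log|Log|0|ticket=1 by_user=FireFlow_System msg=Firewall Last Report afa-3 added",
    "Jul 13 00:13:42 localhost sshd[123]: not a FireFlow message",
]

# Standard syslog prefix (date, time, host) followed by the start of the CEF header.
PREFIX_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) CEF:(?P<cef>\d+)\|")
# Extension format: ticket=<ticketID> by_user=<user> msg=<message>; msg= is last and may contain spaces or '='.
EXT_RE = re.compile(r"^ticket=(?P<ticket>\S+) by_user=(?P<user>\S+) msg=(?P<msg>.*)$")
STATUS_RE = re.compile(r"^Status changed from '(?P<old>[^']*)' to '(?P<new>[^']*)'$")


def parse_fireflow_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one syslog line; return its fields, or None if it is not a FireFlow CEF message."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    # Seven CEF fields; split at most 6 times so a '|' inside the Extension does not shift columns.
    parts = line[m.end():].split("|", 6)
    if len(parts) != 7:
        return None
    vendor, product, version, event_id, name, severity, extension = parts
    if vendor != "AlgoSec" or product != "FireFlow" or not severity.isdigit():
        return None
    ext = EXT_RE.match(extension)
    if not ext:
        return None
    return {
        "timestamp": m.group("ts"), "host": m.group("host"), "version": version,
        "id": event_id, "name": name, "severity": int(severity),
        "ticket": ext.group("ticket"), "user": ext.group("user"), "msg": ext.group("msg"),
    }


def status_transitions(lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Collect (old, new) status pairs per ticket, in log order, for workflow audit."""
    transitions: Dict[str, List[Tuple[str, str]]] = {}
    for line in lines:
        rec = parse_fireflow_line(line)
        s = STATUS_RE.match(str(rec["msg"])) if rec else None
        if s:
            transitions.setdefault(str(rec["ticket"]), []).append((s.group("old"), s.group("new")))
    return transitions
```

Running status_transitions(SAMPLE_LINES) yields {'1': [('new', 'plan'), ('plan', 'check')]}; the same functions can be fed the lines of /var/log/messages directly.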