Sangfor Next-Generation Firewall Log Structure, Sample Logs

Newbie780851 Lv1Posted 17 Jan 2024 18:41

Last edited by Dhanush 29 Jan 2024 14:38.

Hi, Does all the Sangfor Next Generation Firewall logs are in same format..?
I found some logs in internet which looks different from each other

Jul 13 17:04:31 sangforiad-0cca ac-online-user: [logout_log][user_name:stecustomersupport] [ip:172.16.2.14] [mac:8c-60-4f-90-c6-c1] [offline_time:2022-07-13 17:04:31] [action:logout] [detail:Force user to log out]

Apr 12 12:59:39 localhost fwlog: Log type: application control, policy name: QUIC, user:null, Src IP:0.0.0.0, Src port:00000, Dst IP:0.0.0.0, Dst port: 000, App category: net, application: WhatsApp, action: allow

I have to audit my network so, I need sample logs so that I can able to write regex pattern and extract the fields out of it.

Kindly provide me some sample logs for
        System > Logs
        Monitoring > Logs
        Security > Logs.

Tammee Ong has solved this question and earned 10 coins.

Posting a reply earns you 2 coins. An accepted reply earns you 20 coins and another 10 coins for replying within 10 minutes. (Expired) What is Coin?

Enter your mobile phone number and company name for better service. Go

For the official Sangfor NGFW documentation about the log types and log formats, you may refer to the below document.

Syslog Format.xlsx

14.01 KB, Downloads: 327

Is this answer helpful?
babeshuka Lv3Posted 29 Jan 2024 11:42
  
The format are not the same as other because it varies from the versions, model, storage and the customization etc..
Happpy Lv3Posted 29 Jan 2024 11:40
  
Events pertaining to firewall security, such as policy violations or intrusion attempts, are the main emphasis of security logs. Sample system logs may provide information about events or modifications to the system; monitoring logs could indicate network traffic; and security logs could show situations such as threats discovered or connections denied. The official Sangfor NGFW literature for the particular log types you are interested in should be consulted in order to develop regex patterns for log analysis, as the log format might vary depending on the firmware version and configuration settings.
Jigen87 Lv3Posted 29 Jan 2024 11:38
  
Yes, every firewall varies the reporting of syslog. You may want to invest to a central syslog so that the reporting is centralize.
Rica Cortez Lv2Posted 29 Jan 2024 11:35
  
You are correct; the format of Sangfor NGAF logs varies based on the source and category. To assist you in creating regex patterns, the following sample logs are provided for various sections:

Logs under System:

Details of the system:

Apr. 12 11:59:39 localhost syslog: System data: 80% CPU, 60% RAM, 40% Hard drive

Alert incidents:

July 13 at 17:04:31 sangforiad-0cca syslog: Warning: Excessive CPU utilization on firewall, over 85% limit

Configuration modifications

May 15, 10:20:32 localhost syslog: New firewall rule added to prevent port 22 configuration
Donsadam Posted 29 Jan 2024 11:33
  
Can you tell me what is the versions of the device you are using? Sangfor NGAF has different format and you can also customize it.
RegiBoy Lv5Posted 29 Jan 2024 11:31
  
Depending on the model, firmware version, log type, and security events being logged, the number of entries may change. For the specified category, you can consult the example log entries.
Pat Lv4Posted 29 Jan 2024 11:25
  
System Logs:

Focus on device operations, health, and configuration changes.
Example: "Aug 05 12:33:55 SANGFOR-NGAF[10000]: System startup completed."
Format: Timestamp, source, log code, message.
Monitoring Logs:

Track network activity, traffic flows, and resource utilization.
Example: "Dec 22 20:14:52 FW-Monitor[64658]: Interface eth0, TxBytes: 12345678, RxBytes: 98765432."
Format: Timestamp, source, module, category, value.
Security Logs:

Record security events, alerts, and potential threats.
Example: "Jul 18 01:00:00 NGAF[9876]: Attack detected! Source IP: 192.168.1.10, Target IP: 10.0.0.1, Attack type: DDoS."
Format: Timestamp, source, module, severity, event details.
Sample Logs:

System:

"Feb 10 10:20:35 SANGFOR-NGAF[12345]: Interface eth1 shutdown due to overheating."
"Mar 15 15:45:00 NGFW-Manager[7890]: Policy rule 'Web filtering' updated."
Monitoring:

"Oct 20 06:00:00 FW-Traffic[33456]: Top destination IP: 8.8.8.8, Bytes Tx: 567890, Bytes Rx: 123456."
"Nov 25 18:30:00 CPU-Monitor[54321]: CPU utilization reached 90% on core 2."
Security:

"Apr 01 22:15:00 IPS[87654]: Malicious traffic blocked! Source IP: 1.2.3.4, Threat ID: XYZ-123."
"May 31 08:00:00 Virus-Scan[90123]: Infected file detected! File path: /home/user/virus.exe, Virus name: ABC-456."
mdamores Posted 25 Jan 2024 10:34
  
log entries might vary depending on the model, firmware version, type of logs, and security events being recorded. you may refer to the sample log entries based on the category provided.

log sample.png (28.76 KB, Downloads: 277)

log sample.png
Tayyab0101 Lv2Posted 23 Jan 2024 19:35
  
The sample logs can vary based on the specific firewall brand and the type of events being logged.
depending on the type it may vary to different locations.

I Can Help:

Change

Moderator on This Board

11
7
5

Started Topics

Followers

Follow

1
3
5

Started Topics

Followers

Follow

0
4
5

Started Topics

Followers

Follow

67
20
3

Started Topics

Followers

Follow

3
14
3

Started Topics

Followers

Follow

1
137
3

Started Topics

Followers

Follow

Board Leaders