Sangfor Next-Generation Firewall Log Structure, Sample Logs

Newbie780851 Lv1Posted 17 Jan 2024 18:41

Last edited by Dhanush 29 Jan 2024 14:38.

Hi, Does all the Sangfor Next Generation Firewall logs are in same format..?
I found some logs in internet which looks different from each other

Jul 13 17:04:31 sangforiad-0cca ac-online-user: [logout_log][user_name:stecustomersupport] [ip:] [mac:8c-60-4f-90-c6-c1] [offline_time:2022-07-13 17:04:31] [action:logout] [detail:Force user to log out]

Apr 12 12:59:39 localhost fwlog: Log type: application control, policy name: QUIC, user:null, Src IP:, Src port:00000, Dst IP:, Dst port: 000, App category: net, application: WhatsApp, action: allow

I have to audit my network so, I need sample logs so that I can able to write regex pattern and extract the fields out of it.

Kindly provide me some sample logs for
        System > Logs
        Monitoring > Logs
        Security > Logs.

Tammee Ong has solved this question and earned 10 coins.

Posting a reply earns you 2 coins. An accepted reply earns you 20 coins and another 10 coins for replying within 10 minutes. (Expired) What is Coin?

Enter your mobile phone number and company name for better service. Go

For the official Sangfor NGFW documentation about the log types and log formats, you may refer to the below document.

Syslog Format.xlsx

14.01 KB, Downloads: 88

Is this answer helpful?
jerome_itable Lv3Posted 23 Jan 2024 16:45
You're right, Sangfor NGAF logs can have different formats depending on the source and category. Here are some sample logs for different sections to help you write regex patterns:

System > Logs:

    System information:

Apr 12 11:59:39 localhost syslog: System information: CPU usage 80%, RAM usage 60%, Disk usage 40%

    Alert events:

Jul 13 17:04:31 sangforiad-0cca syslog: Alert detected: High CPU usage on firewall, exceeding 85% threshold

    Configuration changes:

May 15 10:20:32 localhost syslog: Configuration changed: Added new firewall rule for blocking port 22

Monitoring > Logs:

    Traffic logs:

Jul 13 17:04:31 sangforiad-0cca monitor: Source IP:, Destination IP:, Protocol: TCP, Port: 443, Action: Allowed

    Resource usage:

Apr 12 12:59:39 localhost monitor: Interface eth0: Inbound traffic 100 Mbps, Outbound traffic 20 Mbps

    Session logs:

May 15 10:20:32 localhost monitor: New session established: Source IP:, Destination IP:, Protocol: UDP, Duration: 10 minutes

Security > Logs:

    Firewall events:

Jul 13 17:04:31 sangforiad-0cca security: Firewall rule triggered: Block outbound traffic to port 25 from

    Intrusion detection:

Apr 12 12:59:39 localhost security: Intrusion detected: ICMP flood attack from


May 15 10:20:32 localhost security: Anti-virus scan detected: File "C:\Windows\System32\virus.exe" is infected with Trojan.Win32.Agent.a

These are just a few examples, and the actual format of the logs can vary depending on your Sangfor NGAF version and configuration. However, they should give you a good starting point for writing regex patterns to extract the desired fields.

Here are some additional tips for writing regex patterns:

    Use tools like Regex101 or RegexBuddy to test your patterns.
    Start with simple patterns and gradually add complexity.
    Consider using named capturing groups to extract specific parts of the log message.
    Be aware of edge cases and potential variations in the log format.
Farina Ahmed Posted 23 Jan 2024 17:40
The log structure in Sangfor Next-Generation Firewall (NGFW) may vary based on the specific log type and configuration. Typically, logs are categorized into System, Monitoring, and Security logs. System logs may include information about system events, while Monitoring logs provide insights into network traffic and usage. Security logs focus on events related to firewall security, such as policy violations or intrusion attempts. Sample logs for System might include details on system events or changes, Monitoring logs could display information about network traffic, and Security logs might show incidents like blocked connections or detected threats. To create regex patterns for log analysis, it's advisable to consult the official Sangfor NGFW documentation for the specific log types you are interested in, as the log format can vary based on the firmware version and configuration settings.
Enrico Vanzetto Lv3Posted 23 Jan 2024 19:08
Hi! Sangfor Next-Generation Firewall (NGFW) is capable of generating logs in various formats, including CSV, syslog, or JSON, capturing critical events for network auditing. These logs include information such as firewall rule matches, denied connections, allowed connections, NAT translations, VPN connection details, intrusion prevention system (IPS) alerts, URL filtering, application control, user authentication, system events, and more.

You can find sample logs for Sangfor NGFW in the documentation provided by the firewall vendors. The sample logs can vary based on the specific firewall brand and the type of events being logged
Tayyab0101 Lv2Posted 23 Jan 2024 19:35
The sample logs can vary based on the specific firewall brand and the type of events being logged.
depending on the type it may vary to different locations.
mdamores Lv3Posted 25 Jan 2024 10:34
log entries might vary depending on the model, firmware version, type of logs, and security events being recorded. you may refer to the sample log entries based on the category provided.
log sample.png
Pat Lv4Posted 29 Jan 2024 11:25
System Logs:

Focus on device operations, health, and configuration changes.
Example: "Aug 05 12:33:55 SANGFOR-NGAF[10000]: System startup completed."
Format: Timestamp, source, log code, message.
Monitoring Logs:

Track network activity, traffic flows, and resource utilization.
Example: "Dec 22 20:14:52 FW-Monitor[64658]: Interface eth0, TxBytes: 12345678, RxBytes: 98765432."
Format: Timestamp, source, module, category, value.
Security Logs:

Record security events, alerts, and potential threats.
Example: "Jul 18 01:00:00 NGAF[9876]: Attack detected! Source IP:, Target IP:, Attack type: DDoS."
Format: Timestamp, source, module, severity, event details.
Sample Logs:


"Feb 10 10:20:35 SANGFOR-NGAF[12345]: Interface eth1 shutdown due to overheating."
"Mar 15 15:45:00 NGFW-Manager[7890]: Policy rule 'Web filtering' updated."

"Oct 20 06:00:00 FW-Traffic[33456]: Top destination IP:, Bytes Tx: 567890, Bytes Rx: 123456."
"Nov 25 18:30:00 CPU-Monitor[54321]: CPU utilization reached 90% on core 2."

"Apr 01 22:15:00 IPS[87654]: Malicious traffic blocked! Source IP:, Threat ID: XYZ-123."
"May 31 08:00:00 Virus-Scan[90123]: Infected file detected! File path: /home/user/virus.exe, Virus name: ABC-456."
RegiBoy Lv5Posted 29 Jan 2024 11:31
Depending on the model, firmware version, log type, and security events being logged, the number of entries may change. For the specified category, you can consult the example log entries.
Donsadam Posted 29 Jan 2024 11:33
Can you tell me what is the versions of the device you are using? Sangfor NGAF has different format and you can also customize it.
Rica Cortez Lv2Posted 29 Jan 2024 11:35
You are correct; the format of Sangfor NGAF logs varies based on the source and category. To assist you in creating regex patterns, the following sample logs are provided for various sections:

Logs under System:

Details of the system:

Apr. 12 11:59:39 localhost syslog: System data: 80% CPU, 60% RAM, 40% Hard drive

Alert incidents:

July 13 at 17:04:31 sangforiad-0cca syslog: Warning: Excessive CPU utilization on firewall, over 85% limit

Configuration modifications

May 15, 10:20:32 localhost syslog: New firewall rule added to prevent port 22 configuration

I Can Help:


Moderator on This Board


Started Topics




Started Topics




Started Topics




Started Topics



Board Leaders