Collecting Logs from CFW
LTS can collect logs from Cloud Firewall (CFW). For details, see Log Settings.
Structuring Template Details of CFW Traffic Logs
- CFW traffic log example
Table 1 Structuring template example

Template Name | Example Log
--- | ---
CFW traffic logs | {"src_port":"60968","to_c_pkts":4,"to_s_bytes":352,"to_c_bytes":1082,"direction":"in2out","bytes":1434,"dst_ip":"100.85.222.231","to_s_pkts":5,"src_ip":"100.95.156.206","dst_host":"www.test1.com","end_time":1695818474000,"protocol":"TCP","dst_port":"80","app":"HTTP","start_time":1695818472000,"vsys":"1","log_type":"internet","packets":9,"dst_region_name":"Chinese Mainland","src_region_name":"Bulgaria","src_region_id":"BG","dst_region_id":"CN","src_vpc":"d644a32b-5c68-4925-bce6-58528da01df0","dst_vpc":"e9ec6dd9-241d-46d5-ae55-47f8c829674f"}
- Structuring fields and description
Table 2 Structuring fields

Field | Example | Description | Type
--- | --- | --- | ---
src_port | 60968 | Source port number. | string
to_c_pkts | 4 | Number of packets sent from the server to the client. | long
to_s_bytes | 352 | Number of bytes sent from the client to the server. | long
to_c_bytes | 1082 | Number of bytes sent from the server to the client. | long
direction | in2out | Traffic direction: out2in (inbound), in2out (outbound). | string
bytes | 1434 | Number of bytes of the protected traffic. | long
dst_ip | 100.85.222.231 | Destination IP address. | string
to_s_pkts | 5 | Number of packets sent from the client to the server. | long
src_ip | 100.95.156.206 | Source IP address. | string
dst_host | www.test1.com | Destination domain name. | string
end_time | 1695818474000 | Stream end time. | long
protocol | TCP | Protocol type. | string
dst_port | 80 | Destination port number. | string
app | HTTP | Application type. | string
start_time | 1695818472000 | Stream start time. | long
vsys | 1 | Firewall protection direction. | string
log_type | internet | Log type: internet (Internet border traffic log), nat (NAT border traffic log), vpc (inter-VPC traffic log). | string
packets | 9 | Number of packets in the protected traffic. | long
dst_region_name | Chinese Mainland | Destination region name. | string
src_region_name | Bulgaria | Source region name. | string
src_region_id | BG | Source region ID. | string
dst_region_id | CN | Destination region ID. | string
src_vpc | d644a32b-5c68-4925-bce6-58528da01df0 | ID of the VPC that the source IP address belongs to. | string
dst_vpc | e9ec6dd9-241d-46d5-ae55-47f8c829674f | ID of the VPC that the destination IP address belongs to. | string
Structuring Template Details of CFW Attack Logs
- CFW attack log example
Table 3 Structuring template example

Template Name | Example Log
--- | ---
CFW attack logs | {"attack_rule":"Apache Flink Directory Traversal Vulnerability (CVE-2020-17519)","vsys":"1","source":"predefined","dst_ip":"100.85.222.231","action":"deny","src_port":"51090","attack_rule_id":"331978","direction":"in2out","src_ip":"100.95.156.206","dst_port":"80","log_type":"internet","attack_type":"Vulnerability Exploit Attack","app":"HTTP","event_time":1696652275000,"level":"CRITICAL","packet":"R0VUIC9qb2JtYW5hZ2VyL2xvZ3MvLi4lMjUyZi4uJTI1MmYuLiUyNTJmLi4lMjUyZi4uJTI1MmYuLiUyNTJmLi4lMjUyZi4uJTI1MmYuLiUyNTJmLi4lMjUyZi4uJTI1MmYuLiUyNTJmZXRjJTI1MmZwYXNzd2QgSFRUUC8xLjENClVzZXItQWdlbnQ6IGN1cmwvNy4yOS4wDQpIb3N0OiAxMDAuODUuMjIyLjIzMQ0KQWNjZXB0OiAqLyoNCg0K","protocol":"TCP","dst_region_name":"Chinese Mainland","src_region_name":"Chinese Mainland","dst_region_id":"CN","src_region_id":"CN"}
- Structuring fields and description
Table 4 Structuring fields

Field | Example | Description | Type
--- | --- | --- | ---
attack_rule | Apache Flink Directory Traversal Vulnerability (CVE-2020-17519) | Defense rule that works for the detected attack. | string
vsys | 1 | Firewall protection direction. | string
source | predefined | Defense for the detected attack: 0 (basic protection), 1 (virtual patch). | string
dst_ip | 100.85.222.231 | Destination IP address. | string
action | deny | Response action of CFW: permit, deny. | string
src_port | 51090 | Source port number. | string
attack_rule_id | 331978 | ID of the defense rule that works for the detected attack. | string
direction | in2out | Traffic direction: out2in (inbound), in2out (outbound). | string
src_ip | 100.95.156.206 | Source IP address. | string
dst_port | 80 | Destination port number. | string
log_type | internet | Log type. | string
attack_type | Vulnerability Exploit Attack | Type of the attack: Vulnerability exploit, Vulnerability scan, Trojan, Worms, Phishing, Web attacks, Application DDoS, Buffer overflow, Password attacks, Access control, Hacking tools, Hijacking, Protocol exception, Spam, Spyware, DDoS flood, Suspicious DNS activities, Other suspicious behaviors. | string
app | HTTP | Application type. | string
event_time | 1696652275000 | Attack time. | long
level | CRITICAL | Level of detected threats: CRITICAL, HIGH, MIDDLE, LOW. | string
packet | R0VUIC9qb2JtYW5hZ2VyL2xvZ3MvLi4lMjUyZi4uJTI1MmYuLiUyNTJmLi4lMjUyZi4uJTI1MmYuLiUyNTJmLi4lMjUyZi4uJTI1MmYuLiUyNTJmLi4lMjUyZi4uJTI1MmYuLiUyNTJmZXRjJTI1MmZwYXNzd2QgSFRUUC8xLjENClVzZXItQWdlbnQ6IGN1cmwvNy4yOS4wDQpIb3N0OiAxMDAuODUuMjIyLjIzMQ0KQWNjZXB0OiAqLyoNCg0K | Base64-encoded content of the captured packet. | string
protocol | TCP | Protocol type. | string
dst_region_name | Chinese Mainland | Destination region name. | string
src_region_name | Chinese Mainland | Source region name. | string
dst_region_id | CN | Destination region ID. | string
src_region_id | CN | Source region ID. | string
Structuring Template Details of CFW Access Logs
- CFW access control log example
Table 5 Structuring template example

Template Name | Example Log
--- | ---
CFW access control logs | {"src_port":"47934","protocol":"TCP","dst_port":"80","app":"HTTP","action":"permit","direction":"in2out","rule_id":"d5ad0364-b615-4ca3-ac59-30298cc511d6","vsys":"1","dst_ip":"100.95.152.37","log_type":"internet","hit_time":1695854983000,"src_ip":"100.95.149.249","dst_region_name":"Chinese Mainland","src_region_name":"Chinese Mainland","dst_host":"repo.huaweicloud.com","dst_region_id":"CN","src_region_id":"CN"}
- Structuring fields and description
Table 6 Structuring fields

Field | Example | Description | Type
--- | --- | --- | ---
src_port | 47934 | Source port number. | string
protocol | TCP | Protocol type. | string
dst_port | 80 | Destination port number. | string
app | HTTP | Application type. | string
action | permit | Response action of the firewall: permit, deny. | string
direction | in2out | Traffic direction: out2in (inbound), in2out (outbound). | string
rule_id | d5ad0364-b615-4ca3-ac59-30298cc511d6 | ID of the triggering rule. | string
vsys | 1 | Firewall protection direction. | string
dst_ip | 100.95.152.37 | Destination IP address. | string
log_type | internet | Log type: internet (Internet border traffic log), nat (NAT border traffic log), vpc (inter-VPC traffic log). | string
hit_time | 1695854983000 | Time of access. | long
src_ip | 100.95.149.249 | Source IP address. | string
dst_region_name | Chinese Mainland | Destination region name. | string
src_region_name | Chinese Mainland | Source region name. | string
dst_host | repo.huaweicloud.com | Destination domain name. | string
dst_region_id | CN | Destination region ID. | string
src_region_id | CN | Source region ID. | string
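A normalizer for the three templates above (traffic, attack and access control logs), written here as an added example and not code from LTS or CFW: it detects which template a raw line matches from the fields only that template carries, checks every field's JSON type against the long/string types in Tables 2, 4 and 6, maps direction to a readable value, and decodes the Base64 packet of an attack log for analyst review. It assumes the 13-digit timestamps are Unix epoch milliseconds; the embedded sample input is the attack log example from this page.

```python
import base64
import json
from datetime import datetime, timezone

# Fields the page's three templates type as "long"; every other field is "string".
LONG_FIELDS = {"to_c_pkts", "to_s_bytes", "to_c_bytes", "bytes", "to_s_pkts",
               "end_time", "start_time", "packets", "event_time", "hit_time"}
DIRECTIONS = {"out2in": "inbound", "in2out": "outbound"}
# Field unique to each template -> (template kind, its timestamp field).
TEMPLATES = {"attack_rule": ("attack", "event_time"), "rule_id": ("access", "hit_time"),
             "end_time": ("traffic", "start_time")}
# The attack log example from this page, embedded as sample input.
ATTACK_LOG = '{"attack_rule":"Apache Flink Directory Traversal Vulnerability (CVE-2020-17519)","vsys":"1","source":"predefined","dst_ip":"100.85.222.231","action":"deny","src_port":"51090","attack_rule_id":"331978","direction":"in2out","src_ip":"100.95.156.206","dst_port":"80","log_type":"internet","attack_type":"Vulnerability Exploit Attack","app":"HTTP","event_time":1696652275000,"level":"CRITICAL","packet":"R0VUIC9qb2JtYW5hZ2VyL2xvZ3MvLi4lMjUyZi4uJTI1MmYuLiUyNTJmLi4lMjUyZi4uJTI1MmYuLiUyNTJmLi4lMjUyZi4uJTI1MmYuLiUyNTJmLi4lMjUyZi4uJTI1MmYuLiUyNTJmZXRjJTI1MmZwYXNzd2QgSFRUUC8xLjENClVzZXItQWdlbnQ6IGN1cmwvNy4yOS4wDQpIb3N0OiAxMDAuODUuMjIyLjIzMQ0KQWNjZXB0OiAqLyoNCg0K","protocol":"TCP","dst_region_name":"Chinese Mainland","src_region_name":"Chinese Mainland","dst_region_id":"CN","src_region_id":"CN"}'

def classify(rec):
    """Return (kind, timestamp field) for a parsed record, or raise if no template matches."""
    for marker, template in TEMPLATES.items():
        if marker in rec:
            return template
    raise ValueError("record matches no CFW structuring template")

def type_errors(rec):
    """Fields whose JSON type disagrees with the template: long must be int, others str."""
    bad = []
    for name, value in rec.items():
        expected = int if name in LONG_FIELDS else str
        if isinstance(value, bool) or not isinstance(value, expected):
            bad.append(name)
    return bad

def decode_packet(b64):
    """Decode an attack log's Base64 packet into (request line, lowercase header dict).
    The bytes are attacker controlled: decode them for analyst review only, never replay them."""
    head = base64.b64decode(b64, validate=True).decode("latin-1").split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    headers = {n.strip().lower(): v.strip() for n, _, v in (h.partition(":") for h in header_lines)}
    return request_line, headers

def normalize(line):
    """Map one raw CFW log line from any of the three templates onto a common event record."""
    rec = json.loads(line)
    kind, ts_field = classify(rec)
    # Timestamps are taken to be Unix epoch milliseconds (13-digit values in the examples).
    when = datetime.fromtimestamp(rec[ts_field] / 1000, tz=timezone.utc)
    event = {"kind": kind, "ts": when.isoformat(), "direction": DIRECTIONS[rec["direction"]],
             "src": f"{rec['src_ip']}:{rec['src_port']}", "dst": f"{rec['dst_ip']}:{rec['dst_port']}",
             "type_errors": type_errors(rec)}
    if kind == "attack":
        event["request_line"], event["headers"] = decode_packet(rec["packet"])
    return event
```

Any field whose type drifts from the template (for example a port or byte count exported as the wrong JSON type) shows up in type_errors, which is worth alerting on before such records reach downstream search or detection rules.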