IDPS log format

| Field type | Field name | Description | Example value |
|---|---|---|---|
| CEF header | CEF:Version | CEF version. | CEF:0 |
| CEF header | Device Vendor | Product vendor. | UserGate |
| CEF header | Device Product | Product type. | NGFW |
| CEF header | Device Version | Product version. | 7 |
| CEF header | Source | Log type. | idps |
| CEF header | Signature | Name of the triggered IPS signature. | BlackSun Test |
| CEF header | Threat Level | Signature threat level. | Available values: from 2 to 10 (the configured threat level multiplied by 2). |
| CEF extension | rt | Time when the event was received (in milliseconds since January 1, 1970). | 1652344423822 |
| CEF extension | deviceExternalId | Unique name of the device that generated the event. | utmcore@ersthetatica |
| CEF extension | suser | Username. | user_example (Unknown if the user is not identified) |
| CEF extension | act | Action taken by the device according to the configured policies. | accept |
| CEF extension | cs1Label | Indicates that a rule was triggered. | Rule |
| CEF extension | cs1 | Name of the rule whose triggering caused the event. | IDPS Rule Example |
| CEF extension | msg | Signature threat level and name. | [2] BlackSun |
| CEF extension | app | Application layer protocol. | HTTP |
| CEF extension | proto | Layer 4 (transport) protocol used. | TCP or UDP |
| CEF extension | src | Traffic source IPv4 address. | 10.10.10.10 |
| CEF extension | spt | Source port. | Values: 0 to 65535. |
| CEF extension | cs2Label | Indicates the source zone. | Source Zone |
| CEF extension | cs2 | Source zone name. | Trusted |
| CEF extension | cs3Label | Indicates the source country. | Source Country |
| CEF extension | cs3 | Source country. | AE (a two-letter country code is displayed) |
| CEF extension | dst | Traffic destination IPv4 address. | 194.226.127.130 |
| CEF extension | dpt | Destination port. | Values: 0 to 65535. |
| CEF extension | cs4Label | Indicates the destination zone. | Destination Zone |
| CEF extension | cs4 | Destination zone name. | Untrusted |
| CEF extension | cs5Label | Indicates the destination country. | Destination Country |
| CEF extension | cs5 | Destination country. | AE (a two-letter country code is displayed) |
| CEF extension | in | Number of inbound bytes transmitted (from the source to the destination). | 231 |
| CEF extension | out | Number of outbound bytes transmitted (from the destination to the source). | 40 |
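To show how the rows above fit together in one event, here is an added Python parser; it is example code written for this page, not UserGate's own code or tooling. It cuts a CEF line into the seven header slots listed under "CEF header", splits the extension into key=value pairs (honouring the CEF escapes for `|`, `\`, `=` and newlines), resolves each csNLabel/csN pair into a named field, and converts rt and Threat Level as the table describes. The sample line is constructed from the table's example values; the port numbers 43210 and 80 and the Unknown user are assumptions, not values from this page. In standard CEF terms, the header slots the table calls Source, Signature and Threat Level are the Device Event Class ID, Name and Severity slots.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample event assembled from the table's example values.
# Assumptions not taken from the table: spt=43210, dpt=80, suser=Unknown.
SAMPLE_IDPS_EVENT = (
    "CEF:0|UserGate|NGFW|7|idps|BlackSun Test|4|"
    "rt=1652344423822 deviceExternalId=utmcore@ersthetatica suser=Unknown "
    "act=accept cs1Label=Rule cs1=IDPS Rule Example msg=[2] BlackSun "
    "app=HTTP proto=TCP src=10.10.10.10 spt=43210 "
    "cs2Label=Source Zone cs2=Trusted cs3Label=Source Country cs3=AE "
    "dst=194.226.127.130 dpt=80 "
    "cs4Label=Destination Zone cs4=Untrusted cs5Label=Destination Country cs5=AE "
    "in=231 out=40"
)

# The seven header slots, named as in the table (standard CEF calls the
# last three Device Event Class ID, Name and Severity).
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "source", "signature", "threat_level")

# One extension pair: a key, '=', then a value that runs until the next
# ' key=' boundary or the end of the string. An escaped '\=' never forms a
# boundary because the lookahead needs a word character directly before '='.
EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
EXT_ESCAPES = {"n": "\n", "r": "\r"}


def split_header(line: str) -> Tuple[List[str], str]:
    """Cut the seven '|'-separated header fields off the front of a CEF line.
    Header fields escape a literal pipe as '\\|' and a backslash as '\\\\'."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character: keep it literally
            buf.append(line[i + 1])
            i += 2
            continue
        if ch == "|":                           # unescaped pipe ends a field
            fields.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 '|'-separated fields")
    return fields, line[i:]


def parse_extension(ext: str) -> Dict[str, str]:
    """Split the extension into key/value pairs, undoing the '\\=', '\\\\', '\\n', '\\r' escapes."""
    pairs: Dict[str, str] = {}
    for key, raw in EXT_PAIR.findall(ext.strip()):
        pairs[key] = re.sub(r"\\(.)", lambda m: EXT_ESCAPES.get(m.group(1), m.group(1)), raw)
    return pairs


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Turn csNLabel/csN pairs into named fields, e.g. {'Source Zone': 'Trusted'}."""
    return {label: ext[key[:-5]] for key, label in ext.items()
            if key.endswith("Label") and key[:-5] in ext}


def parse_idps_event(line: str) -> dict:
    """Parse one IDPS CEF line into a dict keyed by the table's field names."""
    header, ext_text = split_header(line)
    if header[0] != "CEF:0":
        raise ValueError(f"unsupported CEF version {header[0]!r}")
    ext = parse_extension(ext_text)
    event = dict(zip(HEADER_FIELDS, header))
    severity = int(event["threat_level"])
    event["threat_level"] = severity
    # The table states the header value is the configured level multiplied by 2.
    event["configured_threat_level"] = severity // 2
    rt_ms = int(ext["rt"])                      # milliseconds since 1970-01-01 UTC
    event["received_at"] = (datetime.fromtimestamp(rt_ms // 1000, tz=timezone.utc)
                            + timedelta(milliseconds=rt_ms % 1000))
    event["extension"] = ext
    event["labels"] = resolve_labels(ext)
    return event


if __name__ == "__main__":
    ev = parse_idps_event(SAMPLE_IDPS_EVENT)
    print(ev["signature"], ev["threat_level"], ev["received_at"].isoformat(), ev["labels"])
```

Splitting the header by hand rather than with `str.split("|")` matters because a signature or rule name can legitimately contain a pipe, which the sender escapes; a naive split would then shift every later field by one and misread the Threat Level slot. The same goes for values such as `cs1=IDPS Rule Example` in the extension: they contain spaces, so the pair boundary has to be the next `key=` token, not the next space.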