In addition to network packet traffic, SunScreen logs can contain session summary events and extended log events. Each of these is represented by a different log record format.
Session summary events contain source and destination information regarding the session (for example, IP addresses and port numbers), plus ending statistics for the session. Extended log events are produced by various program components as previously described. logdump displays these new event types.
logdump allows discrimination of these types from network packet traffic events. The loglvl operator is provided to select network packet traffic, session summaries, authentication, and application events.
The following is an example of what you type to restrict to network packet traffic events:
% ... loglvl pkt ...
The logiface and logwhy operators imply loglvl pkt.
The following is an example of what you type to restrict to session summary events:
% ... loglvl sess ...
In previous SunScreen releases, the sas_logdump program offered -S and -s options, which were a crude form of the loglvl sess feature. Those options are no longer supported.
The following is an example of what you type to restrict to authentication events:
% ... loglvl auth ...
The following is an example of what you type to restrict to application events:
% ... loglvl app ...
The filtering mechanisms inherited from snoop related to IP addresses (for example, host, to, from, dst, src, and naked IP addresses and hostnames) have been extended to filter all event types that contain corresponding IP addresses. For example:
% ... from src host ...
matches packet, session, and extended events that originated from the given source host.
Similarly, the filtering mechanisms inherited from snoop related to TCP and UDP ports (for example, port, dstport and srcport) have been extended to filter all event types that relate to the corresponding services. For example:
% ... port svc ...
matches packet, session, and extended events that relate to the given service.
The extended events added to the SunScreen log contain additional fields as previously described (severity code and program component name). The extended log mechanism has been generalized to allow a wide variety of events to be recorded in the log, both in SunScreen EFS 3.0 and in future releases. Because the records use a self-describing syntax, virtually any event can be added to the log in this manner.
logdump allows discrimination of extended events based on their severity code. The logsev operator provides this ability. The operand for logsev is one of the severity pseudonyms emerg, alert, crit, err, warn, note, info, or debug (these same designators are used to restrict the actual logging of these events). For example:
% ... logsev warn ...
matches extended events of a severity warning or greater.
logdump allows discrimination of extended events based on the name of the program component that logged them. The logapp operator performs this restriction. The operand for logapp is a string that is the name of a program component. For example:
% ... logapp ftpp ...
matches extended events for the FTP proxy.
The logsev and logapp operators imply a filter of ( loglvl auth or loglvl app ). All extended log events share some common optional attributes.
These attributes are optional because they only occur in log events where they make sense, but are common in the sense that they are handled in a consistent way. These attributes are:
Table 4-1 Optional Attributes

Attribute | Description
---|---
sess_ID | A session serial number, used to recognize various events that are related to each other.
proto_ip | IP protocol number (usually 6 for TCP or 17 for UDP).
src_ip | IP source address.
src_port | IP source port number.
dst_ip | IP destination address.
dst_port | IP destination port number.
reason | Short description of the event's mission in life.
msg | Generic message text.
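The following is an added example, not part of SunScreen or its logdump program: a small Python evaluator that models the filter semantics described above (loglvl, logsev, logapp, and the address and port filters extended to all event types) and runs them over a constructed log. The Event class, the helper names and the sample records are assumptions made for illustration; the attribute names are the ones from Table 4-1, and the severity order follows the eight pseudonyms listed for logsev, with emerg the most severe.

```python
# Added example (not SunScreen code): models logdump's filter operators over
# constructed log records carrying the optional attributes of Table 4-1.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Severity pseudonyms in decreasing order of severity, as documented for logsev.
SEVERITIES = ["emerg", "alert", "crit", "err", "warn", "note", "info", "debug"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}

# Event classes selectable with loglvl; auth and app are the extended events.
EXTENDED = {"auth", "app"}

@dataclass
class Event:
    level: str                        # "pkt", "sess", "auth" or "app"
    attrs: Dict[str, object] = field(default_factory=dict)
    severity: Optional[str] = None    # extended events only
    app: Optional[str] = None         # program component name, extended only

Filter = Callable[[Event], bool]

def loglvl(level: str) -> Filter:
    return lambda e: e.level == level

def logsev(name: str) -> Filter:
    # logsev implies (loglvl auth or loglvl app); "warn" matches warn or more severe.
    if name not in RANK:
        raise ValueError(f"unknown severity pseudonym {name!r}")
    return lambda e: (e.level in EXTENDED and e.severity is not None
                      and RANK[e.severity] <= RANK[name])

def logapp(component: str) -> Filter:
    # logapp likewise restricts to extended events.
    return lambda e: e.level in EXTENDED and e.app == component

def host(addr: str) -> Filter:
    # Address filters match any event type carrying src_ip or dst_ip.
    return lambda e: addr in (e.attrs.get("src_ip"), e.attrs.get("dst_ip"))

def src(addr: str) -> Filter:
    return lambda e: e.attrs.get("src_ip") == addr

def port(n: int) -> Filter:
    # Port filters match any event type carrying src_port or dst_port.
    return lambda e: n in (e.attrs.get("src_port"), e.attrs.get("dst_port"))

def AND(*fs: Filter) -> Filter:
    return lambda e: all(f(e) for f in fs)

def OR(*fs: Filter) -> Filter:
    return lambda e: any(f(e) for f in fs)

def select(events: List[Event], f: Filter) -> List[Event]:
    return [e for e in events if f(e)]

# Constructed sample log: one FTP session seen as packet, session and
# extended events, plus unrelated DNS traffic and an HTTP proxy message.
SAMPLE = [
    Event("pkt", {"proto_ip": 6, "src_ip": "10.0.0.5", "src_port": 40001,
                  "dst_ip": "192.0.2.10", "dst_port": 21}),
    Event("pkt", {"proto_ip": 17, "src_ip": "10.0.0.7", "src_port": 53000,
                  "dst_ip": "192.0.2.53", "dst_port": 53}),
    Event("sess", {"sess_ID": 101, "proto_ip": 6, "src_ip": "10.0.0.5",
                   "src_port": 40001, "dst_ip": "192.0.2.10", "dst_port": 21,
                   "reason": "session ended"}),
    Event("auth", {"sess_ID": 101, "src_ip": "10.0.0.5",
                   "reason": "authentication failed", "msg": "user anonymous"},
          severity="warn", app="ftpp"),
    Event("app", {"sess_ID": 101, "src_ip": "10.0.0.5", "dst_ip": "192.0.2.10",
                  "dst_port": 21, "msg": "command rejected by policy"},
          severity="err", app="ftpp"),
    Event("app", {"sess_ID": 202, "src_ip": "10.0.0.9", "msg": "proxy started"},
          severity="info", app="httpp"),
]

def count(f: Filter) -> int:
    """Number of sample events selected by a filter."""
    return len(select(SAMPLE, f))

if __name__ == "__main__":
    print("loglvl pkt      ->", count(loglvl("pkt")))
    print("logsev warn     ->", count(logsev("warn")))
    print("logapp ftpp     ->", count(logapp("ftpp")))
    print("host 10.0.0.5   ->", count(host("10.0.0.5")))
    print("port 21         ->", count(port(21)))
```

The point the sample makes is the cross-type behaviour of the address and port filters: host 10.0.0.5 and port 21 pick up the packet, session and extended records of the same FTP session, while logsev and logapp never return packet or session records because they carry no severity or component name.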