When Sending Session Logs from SSL Visibility to a Remote Syslog Server, What do the Fields Mean?
Article ID: 168879
Updated On: 10-19-2023
Products
Issue/Introduction
What do the field mappings when sending logs to a Remote Syslog server equate to.
Resolution
When sending Session Logs from the SSL Visibility appliance to a remote syslog server, the format is as follows.
Dec 15 11:09:55 SSLV3800 ssldata[3934]: [A:81000064] 1450195794 10.2.3.4:49307 -> 10.5.6.7:443 TLS1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA www.google.com rule:6 resign Success(0x0)
| Field | Description |
|---|---|
| Dec 15 11:09:55 | System time |
| SSLV3800 | Hostname |
| ssldata[3934]: | Process[Process ID] |
| [A:81000064] | [Segment:SSLV Flow ID] |
| 1450195794 | Display Time (Unix Timestamp) |
| 10.2.3.4:49307 | SrcIP:SrcPort |
| 10.5.6.7:443 | DstIP:DstPort |
| TLS1.0 | SSL/TLS Version |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | Cipher Suite |
| www.google.com | Domain Name |
| rule:6 | Rule Match Index |
| resign | Action |
| Success(0x0) | Message/Error(Hex Value) |
Two additional fields; matched category and certificate fingerprint have also been added.
Example syslog entry:
Sep 14 12:22:19 sslv-hostname Sep 14 12:22:19 hostname ssldata[4256]: [A:86161d82] 1473870139 10.2.3.4:4824 -> 10.5.6.7:443 TLS1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 www.gambling.com Gambling cert fp: xx:xx:xx:xx:xx:xx:xx:50:3f:dd: xx:xx:xx:xx:xx:xx:xx:xx:11 rule:1 cut Success(0x0)
Matched category is 'Gambling'.
Certificate fingerprint is 'cert fp: xx:xx:xx:xx:xx:xx:xx:50:3f:dd: xx:xx:xx:xx:xx:xx:xx:xx:11'
Feedback
