When Sending Session Logs from SSL Visibility to a Remote Syslog Server, What do the Fields Mean?

search cancel

When Sending Session Logs from SSL Visibility to a Remote Syslog Server, What do the Fields Mean?

book

Article ID: 168879

calendar_today

Updated On:

Products

SSL Visibility Appliance Software

Issue/Introduction

When sending Session Logs from the SSL Visibility appliance to a remote syslog server, the format is as follows.

Dec 15 11:09:55 SSLV3800 ssldata[3934]: [A:81000064] 1450195794 1.2.3.4:49307 -> 5.6.7.8:443 TLS1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA www.google.com rule:6 resign Success(0x0)

Field	Description
Dec 15 11:09:55	System time
SSLV3800	Hostname
ssldata[3934]:	Process[Process ID]
[A:81000064]	[Segment:SSLV Flow ID]
1450195794	Display Time (Unix Timestamp)
1.2.3.4:49307	SrcIP:SrcPort
5.6.7.8:443	DstIP:DstPort
TLS1.0	SSL/TLS Version
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	Cipher Suite
www.google.com	Domain Name
rule:6	Rule Match Index
resign	Action
Success(0x0)	Message/Error(Hex Value)

NOTE: SSLV 3.9.4.1 added two additional fields; matched category and certificate fingerprint. Example syslog entry:

Sep 14 12:22:19 sslv-hostname Sep 14 12:22:19 hostname ssldata[4256]: [A:86161d82] 1473870139 1.1.1.1:4824 -> 2.2.2.2:443 TLS1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 www.gambling.com Gambling cert fp: xx:xx:xx:xx:xx:xx:xx:50:3f:dd: xx:xx:xx:xx:xx:xx:xx:xx:11 rule:1 cut Success(0x0)

Matched category is 'Gambling'.
Certificate fingerprint is 'cert fp: xx:xx:xx:xx:xx:xx:xx:50:3f:dd: xx:xx:xx:xx:xx:xx:xx:xx:11'

Feedback

thumb_up Yes

thumb_down No