Fields for IPv6 logging entries
- 
 I can match the first fields based on the IPv4 documentation, but after destination port I get these:
 0,S,3736485016,,64240,,mss;nop;wscale;nop;nop;sackOK
 That first one, 0, would be DataLength for IPv4, but since it's 0, it could be the same for IPv6, but I figured I'd ask to be sure. Could someone give me the names for these fields? Mind the double commas, those are empty fields but still require a name :). Thanks in advance! 
- 
 https://docs.netgate.com/pfsense/en/latest/monitoring/filter-log-format-for-pfsense-2-2.html 
- 
 Sorry, but that page is not correct, unless I misunderstand it. I can't seem to get the correct field names in order for different log entries. I need the exact field order for each log message for regular expressions for log parsing. I've exported a part of my log to Excel and I'm trying to match it to field names. 
- 
 Okay, how about this? I haven't looked at ICMP yet, but IPv4 and 6 should be almost correct. Updated:

 IPv4 TCP
 regular expression: ^filterlog:\s+.*,(in|out),4,.*,tcp,.*$
 Column Headers: RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,ID,Offset,Flags,ProtocolID,Protocol,Length,SourceIP,DestIP,SourcePort,DestPort,DataLength,TCPFlags,Sequence,ACK,Window,URG,Options

 IPv4 UDP
 regular expression: ^filterlog:\s+.*,(in|out),4,.*,udp,.*$
 RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,ID,Offset,Flags,ProtocolID,Protocol,Length,SourceIP,DestIP,SourcePort,DestPort,DataLength

 IPv6 TCP
 regular expression: ^filterlog:\s+.*,(in|out),6,.*,TCP,.*$
 RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,Class,FlowLabel,HopLimit,Protocol,ProtocolID,Length,SourceIP,DestIP,SourcePort,DestPort,DataLength,TCPFlags,Sequence,ACK,Window,URG,Options

 IPv6 UDP
 regular expression: ^filterlog:\s+.*,(in|out),6,.*,UDP,.*$
 RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,Class,FlowLabel,HopLimit,Protocol,ProtocolID,Length,SourceIP,DestIP,SourcePort,DestPort,DataLength

 IPv4 ICMP Echo
 regular expression: ^filterlog:\s+.*,(in|out),4,.*,icmp,.*,(request|reply),.*$
 RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,ID,Offset,Flags,ProtocolID,Protocol,Length,SourceIP,DestIP,ICMP_Type,ICMP_ID,ICMP_Sequence

 IPv6 ICMP
 regular expression: ^filterlog:\s+.*,(in|out),6,.*,ICMPv6,.*$
 RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,Protocol,ProtocolID,Length,SourceIP,DestIP,UnknownFld

 Please correct where I am wrong and fill in the question marks if you can. There's an empty field on ICMPv6, I called it "UnknownFld", because, uh, I don't know what it is. Thanks! PS. If these fields are correct, you may want to update your wiki documentation with it. 
- 
 @securvark said in Fields for IPv6 logging entries:
 IPv6 ICMP
 regular expression: ^filterlog:\s+.*,(in|out),6,.*,ICMPv6,.*$
 RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,TOS,ECN,TTL,Protocol,ProtocolID,Length,SourceIP,DestIP,UnknownFld

 Sorry for replying to an old thread - but I found this useful just now when setting up my Graylog extractors. I did spot an error - pointing it out in case someone else comes across this post in the future. IPv6 ICMP should be:
 RuleNumber,SubRuleNumber,Anchor,Tracker,Interface,Reason,Action,Direction,IPVersion,Class,FlowLabel,HopLimit,Protocol,ProtocolID,Length,SourceIP,DestIP,UnknownFld

 Here is an example log entry from a ping6 through the firewall (with the IPv6 addresses obfuscated for my privacy):
 197,,,1657748622,igb1,match,pass,in,6,0x00,0x50900,55,ICMPv6,58,64,ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff,eeee:eeee:eeee:eeee:eeee:eeee:eeee:eeee,
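
Added example, not part of any post in this thread: a Python parser that applies the field lists posted above, using the IPv6 layout from the last reply, and picks the layout from the IPVersion and Protocol fields instead of one regular expression per message type. The function and constant names, the optional syslog prefix handling and the TCP sample line are assumptions; the ICMPv6 sample is the entry quoted in the last reply.

```python
import csv
import re

# Field names as posted in this thread, with the corrected IPv6 layout
# (Class, FlowLabel, HopLimit) from the last reply.
COMMON = ["RuleNumber", "SubRuleNumber", "Anchor", "Tracker", "Interface",
          "Reason", "Action", "Direction", "IPVersion"]
IP4 = ["TOS", "ECN", "TTL", "ID", "Offset", "Flags", "ProtocolID", "Protocol"]
IP6 = ["Class", "FlowLabel", "HopLimit", "Protocol", "ProtocolID"]
ADDR = ["Length", "SourceIP", "DestIP"]
PORTS = ["SourcePort", "DestPort", "DataLength"]
TAIL = {
    "tcp": PORTS + ["TCPFlags", "Sequence", "ACK", "Window", "URG", "Options"],
    "udp": PORTS,
    "icmp": ["ICMP_Type", "ICMP_ID", "ICMP_Sequence"],  # echo request/reply only
    "icmpv6": ["UnknownFld"],
}

# Log entry quoted in the last reply (addresses obfuscated by its author).
ICMP6_LINE = ("filterlog: 197,,,1657748622,igb1,match,pass,in,6,0x00,0x50900,55,"
              "ICMPv6,58,64,ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff,"
              "eeee:eeee:eeee:eeee:eeee:eeee:eeee:eeee,")
# Constructed IPv6 TCP entry; only the tail after DestPort comes from the first post.
TCP6_LINE = ("filterlog: 5,,,1000000103,igb0,match,block,in,6,0x00,0x00000,64,"
             "TCP,6,40,2001:db8::1,2001:db8::2,51234,443,"
             "0,S,3736485016,,64240,,mss;nop;wscale;nop;nop;sackOK")


def parse_filterlog(line):
    """Map one filterlog entry to a dict keyed by the thread's field names."""
    # Assumption: an optional prefix ending in "filterlog:" or "filterlog[pid]:".
    payload = re.sub(r"^.*?filterlog(?:\[\d+\])?:\s*", "", line.strip())
    values = next(csv.reader([payload]), [])
    if len(values) < 9 or values[8] not in ("4", "6"):
        raise ValueError("not an IPv4/IPv6 filterlog entry")
    names = COMMON + (IP4 if values[8] == "4" else IP6) + ADDR
    proto = dict(zip(names, values)).get("Protocol", "").lower()
    names = names + TAIL.get(proto, [])
    record = dict(zip(names, values))
    if len(values) > len(names):
        # Keep unnamed trailing fields visible instead of dropping them.
        record["Extra"] = values[len(names):]
    return record


if __name__ == "__main__":
    for sample in (ICMP6_LINE, TCP6_LINE):
        print(parse_filterlog(sample))
```

Entries whose tail is longer than the listed fields (for example ICMP types other than echo) keep the surplus values under "Extra", so a layout mismatch shows up in the output instead of shifting names silently.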
