Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Documentation Log

    Scheduled Pinned Locked Moved General pfSense Questions
    2 Posts 2 Posters 316 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      fouc
      last edited by stephenw10

      Hi,
      I use PFSENSE 2.5.1

      I am working on the normalization of PFSENSE logs with Logpoint
      Where can I find the documentation for the charon log format?

      Here is an excerpt below:

      <30>Jun 15 05:45:12 charon[11004]: 13[ENC] <con200000|26> parsed INFORMATIONAL_V1 request 1346183274 [ HASH N(DPD) ]
<30>Jun 15 05:45:12 charon[11004]: 13[ENC] <con100000|27> parsed INFORMATIONAL_V1 request 2429602079 [ HASH N(DPD_ACK) ]
<30>Jun 15 05:45:14 charon[11004]: 13[ENC] <con200000|26> parsed QUICK_MODE request 3751679232 [ HASH SA No ID ID ]
<30>Jun 15 05:45:14 charon[11004]: 13[ENC] <con200000|26> parsed QUICK_MODE request 3751679232 [ HASH ]
<30>Jun 15 05:45:14 charon[11004]: 11[ENC] <con200000|26> parsed INFORMATIONAL_V1 request 1623226177 [ HASH D ]
<30>Jun 15 05:45:09 charon[11004]: 11[NET] <con200000|26> received packet: from 2.2.2.2[500] to 2.2.2.2[500] (92 bytes)
<30>Jun 15 05:45:12 charon[11004]: 13[NET] <con200000|26> sending packet: from 2.2.2.2[500] to 2.2.2.2[500] (92 bytes)
<30>Jun 15 05:45:12 charon[11004]: 13[ENC] <con200000|26> generating INFORMATIONAL_V1 request 3402240727 [ HASH N(DPD_ACK) ]
<30>Jun 15 05:45:12 charon[11004]: 13[ENC] <con100000|27> generating INFORMATIONAL_V1 request 2481495885 [ HASH N(DPD) ]
<30>Jun 15 05:45:08 charon[11004]: 13[IKE] <con100000|27> sending DPD request
<30>Jun 15 05:45:14 charon[11004]: 13[CFG] <con200000|26> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
<30>Jun 15 05:45:14 charon[11004]: 13[IKE] <con200000|26> detected rekeying of CHILD_SA con200000{107}
<30>Jun 15 05:45:14 charon[11004]: 13[IKE] <con200000|26> received 4294967295000 lifebytes, configured 0
<30>Jun 15 05:45:14 charon[11004]: 13[IKE] <con200000|26> CHILD_SA con200000{109} established with SPIs cd3d0ca3_i bbf32638_o and TS 2.2.2.2/0|/0 === 2.2.2.2/24|/0
<30>Jun 15 05:45:14 charon[11004]: 11[IKE] <con200000|26> closing CHILD_SA con200000{107} with SPIs cd7304b0_i (10409248 bytes) 0f236d7a_o (57922936 bytes) and TS 2.2.2.2/0|/0 === 2.2.2.2/24|/0
<30>Jun 15 05:45:14 charon[11004]: 11[IKE] <con200000|26> received DELETE for ESP CHILD_SA with SPI 0f236d7a

      Thank you

      1 Reply Last reply Reply Quote 0
      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        The logs are straight from Strongswan so maybe:
        https://wiki.strongswan.org/projects/strongswan/wiki/Loggerconfiguration

        Though I don't see any specifics there. There are existing log parsers for strongswan though as it's widely used. You might look at those.

        Steve

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.