Hi, I'm trying to do some analysis of the raw log format sent to syslog:

2008-03-27 04:32:48.433 +01:00 10.20.30.2:514 local0.info Mar 27 05:32:39 pf: 036068 rule 74/0(match): pass in on vr1: (tos 0x0, ttl 128, id 40459, offset 0, flags [DF], proto: TCP (6), length: 48) 10.20.30.104.3848 > 208.67.180.236.80: S, cksum 0x133d (correct), 3737710370:3737710370(0) win 65535 <mss 1460,nop,nop,sackOK>
2008-03-27 04:34:20.531 +01:00 10.20.30.2:514 local0.info Mar 27 05:34:11 pf: 92. 202481 rule 122/0(match): block in on vr0: (tos 0x0, ttl 52, id 60316, offset 0, flags [DF], proto: TCP (6), length: 48) 195.69.130.87.80 > 88.89.90.187.58737: S, cksum 0x24b9 (correct), 2830268228:2830268228(0) ack 1965340180 win 5840 <mss 1460,nop,nop,sackOK>
2008-03-27 04:34:21.544 +01:00 10.20.30.2:514 local0.info Mar 27 05:34:12 pf: 399259 rule 122/0(match): block in on vr0: (tos 0x0, ttl 52, id 37849, offset 0, flags [DF], proto: TCP (6), length: 48) 195.69.130.87.80 > 88.89.90.187.52560: S, cksum 0xd882 (correct), 2841978833:2841978833(0) ack 3351844487 win 5840 <mss 1460,nop,nop,sackOK>
2008-03-27 04:34:21.544 +01:00 10.20.30.2:514 local0.info Mar 27 05:34:12 pf: 399827 rule 122/0(match): block in on vr0: (tos 0x0, ttl 52, id 35836, offset 0, flags [DF], proto: TCP (6), length: 48) 195.69.130.87.80 > 88.89.90.187.64369: S, cksum 0x2bb6 (correct), 2840432129:2840432129(0) ack 3463784558 win 5840 <mss 1460,nop,nop,sackOK>
2008-03-27 04:40:00.944 +01:00 10.20.30.2:514 local0.info Mar 27 05:39:51 pf: 338. 530700 rule 74/0(match): pass in on vr1: (tos 0x0, ttl 128, id 49367, offset 0, flags [DF], proto: TCP (6), length: 48) 10.20.30.104.4299 > 66.35.250.150.80: S, cksum 0x8e53 (correct), 3051086764:3051086764(0) win 65535 <mss 1460,nop,nop,sackOK>

I wonder where to find documentation on the log format. I'm especially puzzled by the header "92. 202481 rule 122/0(match):". I guess that the "rule 122/0" is a reference to the underlying filter set pfSense generates, but how do I see that set? What are the two other numbers?
As you see above, the first number is not always present.
Thanks,
Claus
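
Added example, not part of the post and not pfSense's own code: a small Python parser for the log lines quoted above, so the records can be analysed as fields instead of grepped as text. Two readings are built into it and should be treated as assumptions rather than documented facts: the number group in front of "rule" is read as tcpdump's inter-packet delta in "-ttt" form (seconds followed by ". ", then six digits of microseconds, with the seconds part omitted when it is zero, which is why "036068" and "92. 202481" look different), and "rule 122/0" is read as rule number 122, sub-rule 0 of the ruleset loaded into pf, the same numbers that `pfctl -vvsr` prints as "@122" next to each rule. The sample input is the five lines from the post, embedded verbatim; the function names are mine.

```python
import re
from collections import Counter

# Sample records copied from the post above, one per line.
SAMPLE_LOG = """\
2008-03-27 04:32:48.433 +01:00 10.20.30.2:514 local0.info Mar 27 05:32:39 pf: 036068 rule 74/0(match): pass in on vr1: (tos 0x0, ttl 128, id 40459, offset 0, flags [DF], proto: TCP (6), length: 48) 10.20.30.104.3848 > 208.67.180.236.80: S, cksum 0x133d (correct), 3737710370:3737710370(0) win 65535 <mss 1460,nop,nop,sackOK>
2008-03-27 04:34:20.531 +01:00 10.20.30.2:514 local0.info Mar 27 05:34:11 pf: 92. 202481 rule 122/0(match): block in on vr0: (tos 0x0, ttl 52, id 60316, offset 0, flags [DF], proto: TCP (6), length: 48) 195.69.130.87.80 > 88.89.90.187.58737: S, cksum 0x24b9 (correct), 2830268228:2830268228(0) ack 1965340180 win 5840 <mss 1460,nop,nop,sackOK>
2008-03-27 04:34:21.544 +01:00 10.20.30.2:514 local0.info Mar 27 05:34:12 pf: 399259 rule 122/0(match): block in on vr0: (tos 0x0, ttl 52, id 37849, offset 0, flags [DF], proto: TCP (6), length: 48) 195.69.130.87.80 > 88.89.90.187.52560: S, cksum 0xd882 (correct), 2841978833:2841978833(0) ack 3351844487 win 5840 <mss 1460,nop,nop,sackOK>
2008-03-27 04:34:21.544 +01:00 10.20.30.2:514 local0.info Mar 27 05:34:12 pf: 399827 rule 122/0(match): block in on vr0: (tos 0x0, ttl 52, id 35836, offset 0, flags [DF], proto: TCP (6), length: 48) 195.69.130.87.80 > 88.89.90.187.64369: S, cksum 0x2bb6 (correct), 2840432129:2840432129(0) ack 3463784558 win 5840 <mss 1460,nop,nop,sackOK>
2008-03-27 04:40:00.944 +01:00 10.20.30.2:514 local0.info Mar 27 05:39:51 pf: 338. 530700 rule 74/0(match): pass in on vr1: (tos 0x0, ttl 128, id 49367, offset 0, flags [DF], proto: TCP (6), length: 48) 10.20.30.104.4299 > 66.35.250.150.80: S, cksum 0x8e53 (correct), 3051086764:3051086764(0) win 65535 <mss 1460,nop,nop,sackOK>
"""

# Layout: <syslog receive time> <tz> <relay ip:port> <facility.severity>
#         <message time> pf: [<delta sec>. ]<delta usec> rule N/M(reason):
#         <action> <dir> on <iface>: (<ip header fields>) <src>.<sport> > <dst>.<dport>: <l4 detail>
# Assumption: the "[sec. ]usec" group is tcpdump's -ttt inter-packet delta.
LOG_RE = re.compile(
    r'^(?P<recv_ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) (?P<recv_tz>[+-]\d\d:\d\d) '
    r'(?P<relay>[\d.]+:\d+) (?P<facility>\w+)\.(?P<severity>\w+) '
    r'(?P<msg_ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) pf: '
    r'(?:(?P<delta_sec>\d+)\. )?(?P<delta_usec>\d{6}) '
    r'rule (?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>[^)]*)\): '
    r'(?P<action>\w+) (?P<dir>in|out) on (?P<iface>[\w.]+): '
    r'\((?P<ipinfo>.*?)\) '                      # non-greedy: "proto: TCP (6)" nests parens
    r'(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): '
    r'(?P<rest>.*)$'
)


def parse_pf_line(line):
    """Return a dict of fields for one pf syslog record, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    rec = {
        'recv_ts': d['recv_ts'] + ' ' + d['recv_tz'],
        'relay': d['relay'],
        'msg_ts': d['msg_ts'],
        # Seconds part is absent when zero (assumed -ttt behaviour), so default it.
        'delta': int(d['delta_sec'] or 0) + int(d['delta_usec']) / 1_000_000,
        'rule': int(d['rule']),          # ruleset position, cf. "@N" in `pfctl -vvsr`
        'subrule': int(d['subrule']),
        'reason': d['reason'],
        'action': d['action'],
        'dir': d['dir'],
        'iface': d['iface'],
        'src': d['src'], 'sport': int(d['sport']),
        'dst': d['dst'], 'dport': int(d['dport']),
    }
    proto = re.search(r'proto: (\w+) \((\d+)\)', d['ipinfo'])
    rec['proto'] = proto.group(1) if proto else None
    ttl = re.search(r'ttl (\d+)', d['ipinfo'])
    rec['ttl'] = int(ttl.group(1)) if ttl else None
    if rec['proto'] == 'TCP':
        # tcpdump prints the TCP flag letters first, e.g. "S, cksum ...".
        rec['tcp_flags'] = d['rest'].split(',', 1)[0]
        rec['is_synack'] = rec['tcp_flags'] == 'S' and ' ack ' in d['rest']
    return rec


def summarize(text):
    """Count records per (action, rule number, interface)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_pf_line(line)
        if rec:
            counts[(rec['action'], rec['rule'], rec['iface'])] += 1
    return counts


def blocked_synacks(text):
    """Inbound SYN/ACKs that were blocked: replies for which pf held no state."""
    return [(r['src'], r['sport'], r['dst'], r['dport'])
            for r in (parse_pf_line(l) for l in text.splitlines())
            if r and r['action'] == 'block' and r['dir'] == 'in' and r.get('is_synack')]


if __name__ == '__main__':
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(key, n)
    for hit in blocked_synacks(SAMPLE_LOG):
        print('blocked SYN/ACK', hit)
```

Worth noticing once the fields are split out: the three "rule 122/0" blocks on vr0 are all SYN/ACKs from 195.69.130.87:80 back to high ports on 88.89.90.187, i.e. replies to connections the firewall had no state entry for, which is the usual shape of stale or asymmetric-path traffic rather than an inbound probe.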
