Flow Syslog Format

Flow syslogs are sent in text format to a log server.

Example Flow Syslog in type3 format

Table 1 Log syntax

Scenario

Log Syntax

NAT444

<PRI> VERSION TIMESTAMP HOSTNAME APPNAME - MSGTYPE [L4 PRIVATEIP - PUBLICIP PRIVATEPORT PUBLICPORT -]

NAT64

<PRI> VERSION TIMESTAMP HOSTNAME APPNAME - MSGTYPE [L4 - PRIVATEIP PUBLICIP PRIVATEPORT PUBLICPORT -]

Table 2 Description of log syntax fields

Field

Description

PRI

Priority. The value is fixed to 134.

VERSION

Version number. The value is fixed to 1.

TIMESTAMP

Timestamp of a packet, in the format YEAR MONTH DAY HOUR:MINUTE:SECOND.

HOSTNAME

IP address of a device sending flow syslogs.

APPNAME

Name of a device sending flow syslogs.

MSGTYPE

Message ID in the format of device-type:message-type.
  • Device type: NAT444 or NAT64
  • Message type: SessionbasedA or SessionbasedW
NOTE:
  • In a flow table creation scenario, the message type must be set to SessionbasedA.
  • In a flow table aging scenario, the message type must be set to SessionbasedW.

L4

ID of an application:
  • 1: ICMP
  • 6: TCP
  • 17: UDP
  • 58: ICMPv6

PRIVATEIP

  • For NAT444, the value of this field is a private IPv4 address.
  • For NAT64, the value of this field is a private IPv6 address.

PUBLICIP

Public IPv4 address after NAT is implemented.

PRIVATEPORT

Private port.

NOTE:

For an ICMP packet, the value of this field is the value of the Identifier field in the packet header.

PUBLICPORT

Public port number after NAT is implemented.

  • Example NAT444-based flow syslog in type3 format:

    • <134>1 2020 Jan 17 11:05:55 68.1.1.1 test - NAT444:SessionbasedA [17 10.1.1.2 - 172.16.1.1 0 1025 -]

    • <134>1 2020 Jan 17 11:06:03 68.1.1.1 test - NAT444:SessionbasedW [17 10.1.1.2 - 172.16.1.1 0 1025 -]

  • Example NAT64-based flow syslog in type3 format:

    • <134>1 2020 Jan 17 17:11:27 10.1.1.1 test - NAT64:SessionbasedA [17 - 2001:DB8:1::2:2 10.11.11.100 0 2048 -]

    • <134>1 2020 Jan 17 17:11:43 10.1.1.1 test - NAT64:SessionbasedW [17 - 2001:DB8:1::2:2 10.11.11.100 0 2048 -]
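
Added example (not part of the original documentation): a Python parser for the type3 syntax in Table 1 that also replays creation (SessionbasedA) and aging (SessionbasedW) records to report which private address was mapped to a given public IP address and port at a given time. The function names and dictionary keys are this example's own, and the sample input is the four example lines above.

```python
import re
from collections import Counter
from datetime import datetime

# Header fields follow Table 2; PRI and VERSION are fixed at 134 and 1.
LINE_RE = re.compile(
    r"^<134>1 (?P<ts>\d{4} [A-Za-z]{3} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>\S+) - (?P<scene>NAT444|NAT64):(?P<msg>Sessionbased[AW]) "
    r"\[(?P<body>[^\]]*)\]$")
L4_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}

def parse_type3(line):
    """Parse one type3 flow syslog line into a dict; raise ValueError if malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a type3 flow syslog: {line!r}")
    b = m["body"].split()
    # NAT444 body: L4 PRIVATEIP - PUBLICIP ...   NAT64 body: L4 - PRIVATEIP PUBLICIP ...
    priv, dash = (1, 2) if m["scene"] == "NAT444" else (2, 1)
    if len(b) != 7 or b[dash] != "-" or b[6] != "-":
        raise ValueError(f"unexpected {m['scene']} body layout: {b}")
    return {
        "time": datetime.strptime(m["ts"], "%Y %b %d %H:%M:%S"), "host": m["host"],
        "scene": m["scene"], "event": "create" if m["msg"].endswith("A") else "age",
        "l4": int(b[0]), "proto": L4_NAMES.get(int(b[0]), "other"),
        "private_ip": b[priv], "public_ip": b[3],
        "private_port": int(b[4]), "public_port": int(b[5]),
    }

def private_hosts_at(lines, l4, public_ip, public_port, when):
    """Replay create/age records up to `when`; return private IPs mapped to the endpoint."""
    active = Counter()
    for rec in sorted(map(parse_type3, lines), key=lambda r: r["time"]):
        if (rec["l4"], rec["public_ip"], rec["public_port"]) != (l4, public_ip, public_port):
            continue
        if rec["time"] > when:
            break
        if rec["event"] == "create":
            active[rec["private_ip"]] += 1
        elif rec["time"] < when:  # an aging record at exactly `when` still counts as held
            active[rec["private_ip"]] = max(0, active[rec["private_ip"]] - 1)
    return sorted(ip for ip, n in active.items() if n > 0)

# Constructed sample input: the four example lines shown on this page.
SAMPLE = [
    "<134>1 2020 Jan 17 11:05:55 68.1.1.1 test - NAT444:SessionbasedA [17 10.1.1.2 - 172.16.1.1 0 1025 -]",
    "<134>1 2020 Jan 17 11:06:03 68.1.1.1 test - NAT444:SessionbasedW [17 10.1.1.2 - 172.16.1.1 0 1025 -]",
    "<134>1 2020 Jan 17 17:11:27 10.1.1.1 test - NAT64:SessionbasedA [17 - 2001:DB8:1::2:2 10.11.11.100 0 2048 -]",
    "<134>1 2020 Jan 17 17:11:43 10.1.1.1 test - NAT64:SessionbasedW [17 - 2001:DB8:1::2:2 10.11.11.100 0 2048 -]",
]
```

The type3 body carries no destination address, so concurrent sessions from one private host to the same public endpoint are counted rather than told apart.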

Flexible Flow Syslog Format

Table 3 Log syntax

Scenario

Log syntax

Description

NAT444/NAT64

<PRI> VERSION TIMESTAMP HOSTNAME APPNAME - MSGTYPE MSG

The MSG is customized and consists of a flexible combination of fields. A command determines which fields the flow syslog carries, and also specifies the field sequence and the separator between fields. The separator can be a blank space, vertical bar (|), slash (/), or backslash (\).

Table 4 Description of log syntax fields

Field

Description

Data Output Example

timestamp-year

Year in a timestamp (indicates the time when logs were sent).

2015/1/11 15:09

timestamp-month

Month in a timestamp (indicates the time when logs were sent).

2015/1/11 15:09

timestamp-date

Date in a timestamp (indicates the time when logs were sent).

2015/1/11 15:09

timestamp-hour

Hours in a timestamp (indicates the time when logs were sent).

2015/1/11 15:09

timestamp-minute

Minutes in a timestamp (indicates the time when logs were sent).

2015/1/11 15:09

timestamp-second

Seconds in a timestamp (indicates the time when logs were sent).

2015/1/11 15:09

starttime-year

Year in the start time (when a port was assigned or a flow table was created).

time='2015-02-05 11:55:48'

starttime-month

Month in the start time (when a port was assigned or a flow table was created).

time='2015-02-05 11:55:48'

starttime-date

Date in the start time (when a port was assigned or a flow table was created).

time='2015-02-05 11:55:48'

starttime-hour

Hours in the start time (when a port was assigned or a flow table was created).

time='2015-02-05 11:55:48'

starttime-minute

Minutes in the start time (when a port was assigned or a flow table was created).

time='2015-02-05 11:55:48'

starttime-second

Seconds in the start time (when a port was assigned or a flow table was created).

time='2015-02-05 11:55:48'

timestamp-month-en

Month (English letters) in a timestamp.

September 10

timestamp-month-abbreviation

Month (English abbreviation) in a timestamp.

Sep 10

timestamp-second-dec

Seconds (a decimal number) in a timestamp.

1430470249

timestamp-second-hex

Seconds (a hexadecimal number) in a timestamp.

0x54b29217

starttime-month-en

Month (English letters) in the start time.

September 10

starttime-month-abbreviation

Month (English abbreviation) in the start time.

Sep 10

starttime-second-dec

Seconds (a decimal number) in the start time.

1430470249

starttime-second-hex

Seconds (a hexadecimal number) in the start time.

0x54b29217

endtime-second-dec

Seconds (a decimal number) in the end time when a port was released or a flow table aged.

1430470249

endtime-second-hex

Seconds (a hexadecimal number) in the end time when a port was released or a flow table aged.

0x54b29217

host-ip

Device IP address (configured using the nat log host command in a NAT instance).

2.0.0.1

app-name

Configured log server name.

ne40elog

scene

Scenario.

NAT444

source-ip

Source IP address, used only in NAT444 scenarios:

  • A source IP address of a packet in a flow log

192.168.1.2;

destination-ip

Destination IP address.

2.2.2.2

vpn-id

User VPN index.

srcvrfid='0'

session-id

Session ID. The value is the timestamp assigned when a user goes online. The session ID uniquely identifies a user.

sessionid='0x0000000'

Protocol

Packet protocol.

ICMP:1 TCP:6 UDP:17

nat-source-ip

Source IP address after NAT processing is performed.

1.1.1.1

source-port

Source port number.

20

nat-source-port

Public port number after NAT processing.

1024

destination-port

Destination port number.

20

instance-id

Instance ID.

0

pool-id

Address pool ID.

1

slot-id

Slot ID.

1

cpu-id

CPU ID.

0

sequence-hex

Log sequence number, in hexadecimal notation.

sequence='0x0000106f00000002'

sequence-dec

Log sequence number, in decimal notation.

sequence='123456789'

utc

UTC time.

UTC time used to send log information.

local

Local time.

Local time used to send log information.

cgn-ip

Log server's IP address. If a CGN device forwards a log to a local device, this field does not need to be specified. If an intermediate device forwards a log to a local device, this field must be specified.

10.6.6.6

fixed-string

A fixed string.

It can be used to deliver only the location and separator information. The forwarding plane only reads the separator information.

extend-first

Reserved field 1.

Reserved field

extend-second

Reserved field 2.

Reserved field

extend-third

Reserved field 3.

Reserved field

extend-fourth

Reserved field 4.

Reserved field

extend-fifth

Reserved field 5.

Reserved field

Source-ipv6

Source IPv6 address, supported only by NAT64.

2001:db8::1:1

Prefix-length

Prefix length, supported by NAT64.

  • NAT64: The value is fixed at 128.

extend eighth

Reserved field 8.

Reserved field

Example of the flexible NAT64 flow syslog format:
  • 2016-12-24-14|27|28|2016|12|24|14|27|28|December|Dec|27|0x1b|December|Dec|27|0x1b|27|0x1b|10.1.1.1|server|nat64|0.0.0.0|20.20.20.20|0|0x585e85d0|17|60.0.0.0|0|1728|0|0|16384|
Copyright © Huawei Technologies Co., Ltd.