firewall.sangfor
Introduction
The tags beginning with firewall.sangfor identify events generated by Sangfor Technologies.
Valid tags and data tables
The full tag must have 4 levels. The first two are fixed as firewall.sangfor. The third level identifies the type of events sent. The fourth level indicates the event subtype.
These are the valid tags and the corresponding data tables that receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Sangfor Application Control | firewall.sangfor.app_control.event | firewall.sangfor.app_control.event |
For more information, read About Devo tags.
How is the data sent to Devo?
Logs generated by Sangfor Technologies must be sent to the Devo platform via the Devo Relay, which secures the communication. The required relay rule is:
- Source port - Any available port
- Source data - (fwlog: Log type: (service\/)?[a|A]pplication [c|C]ontrol.*)
- Target tag - firewall.sangfor.app_control.event
- Target message - D1
- Stop processing - ✓
No 3rd-party mechanism is used. No collector is needed.
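To see what the relay rule above does to incoming messages, here is an added Python example (not part of the Devo documentation or the relay's own code) that applies the rule's source-data regex to a few constructed log lines and reports which ones would be forwarded under the target tag. It assumes that the relay evaluates the regex against the whole message body and that the target message D1 denotes capture group 1, which in this rule is the entire matched message; the sample messages are constructed for the example and only their prefix follows the rule's pattern. Note that the character classes `[a|A]` and `[c|C]` also admit a literal `|`, which is harmless here but worth knowing when writing your own rules.

```python
import re

# Relay rule as given in the documentation: source-data regex and target tag.
SOURCE_DATA = r"(fwlog: Log type: (service\/)?[a|A]pplication [c|C]ontrol.*)"
TARGET_TAG = "firewall.sangfor.app_control.event"

RULE = re.compile(SOURCE_DATA)


def apply_relay_rule(message: str):
    """Return (target_tag, target_message) if the rule matches, else None.

    Assumption: the regex is matched against the whole message body, and the
    target message "D1" is capture group 1, which here spans the entire message.
    """
    m = RULE.fullmatch(message)
    if m is None:
        return None
    return TARGET_TAG, m.group(1)


def route_batch(messages):
    """Route a batch of messages.

    Returns a dict mapping target tag -> list of forwarded messages; messages
    that match no rule are collected under the key None (the relay would not
    forward them to this table).
    """
    routed = {}
    for msg in messages:
        result = apply_relay_rule(msg)
        if result is None:
            routed.setdefault(None, []).append(msg)
        else:
            tag, body = result
            routed.setdefault(tag, []).append(body)
    return routed


# Constructed sample messages (not real Sangfor output).
SAMPLE_MESSAGES = [
    "fwlog: Log type: Application Control, Policy name: block-p2p, User: alice, Action: deny",
    "fwlog: Log type: service/application control, Policy name: allow-web, User: bob, Action: permit",
    "fwlog: Log type: IPS, Policy name: default, User: carol, Action: alert",
    "kernel: eth0 link up",
]

if __name__ == "__main__":
    for tag, msgs in route_batch(SAMPLE_MESSAGES).items():
        print(tag or "(no rule matched; not relayed to this table)")
        for m in msgs:
            print("   ", m)
```

The first two sample lines are routed to firewall.sangfor.app_control.event because the optional `service/` prefix and the mixed-case alternatives are covered by the regex; the IPS line and the kernel line match nothing and are left unrouted, which is the behaviour to check for when events you expect in the table never arrive.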
Vendor docs
Learn more about how to configure this vendor's events here.
Table structure
These are the fields displayed in this table:
firewall.sangfor.app_control.event
Field | Type | Extra fields |
---|---|---|
eventdate | | |
machine | | |
log_type | | |
policy_name | | |
user | | |
source_ip4 | | |
source_ip6 | | |
source_port | | |
destination_ip4 | | |
destination_ip6 | | |
destination_port | | |
app_category | | |
application | | |
action | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |