The format of syslog messages for NAT flow logging in SR OS adheres to RFC 3164, The BSD Syslog Protocol:
<PRI> <HEADER><MSG>
where:
<PRI> (the ‟<” and ‟>” are included in the syslog message) is the configured facility*8+severity (as described in the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide and RFC 3164).
<HEADER> defines the MMM DD HH:MM:SS <hostname>. Two characters always appear for the day (DD) field. Single-digit days are preceded with a space character. Time is recorded as local time (and not UTC). The time zone designator is not shown in this example, but each event has its own timestamp where the time-zone designator is shown.
<MSG> defines the <log-prefix>: <seq> <application> [<subject>]: <message>\n
where:
<log-prefix> is an optional 32-character string of text (default = 'TMNX') as configured in the log-prefix command.
<seq> is the log event sequence number (always preceded by a colon and a space character).
The [<subject>] field may be empty, resulting in []:
<message> displays a custom message relevant to the log event.
\n is the standard ASCII new line character (hex 0A).
Table: Syslog message fields for NAT flow logging shows the syslog message fields for NAT flow logging.
Field name | Value | Comments |
---|---|---|
PRI | | |
Timestamps | MMM DD HH:MM:SS | |
<hostname> | The IP address of the SR OS system that is generating the message. | |
<log-prefix> | Configurable. This can be used as a field to differentiate between the vendors. For example, NOK(ia) in log-prefix indicates that this is a log format from a Nokia node so the operator can apply parsing logic accordingly. | |
<seq> | Sequence numbers can be used for tracking if loss in transit occurs. | |
<application> | NAT | The application that generated the log. |
[<subject>]: | MDA ID | The BB-ISA on which the event occurred. |
<message> | This is a custom part with specific information related to the event itself. | |
The message portion contains information relevant to the respective log event, even if this information is already repeated outside of the message (for example, timestamp). The fields in the message part are separated by a single whitespace for easier parsing and are placed in the order shown in Table: Message fields.
Field name | Value | Presence | Comments |
---|---|---|---|
NAT type | LSN44, NAT64 | M(andatory) | |
Event name | SADD, SDEL | M | SADD – session added event; SDEL – session deleted event |
Timestamp | <TimeStamp>: <Year> <Mon> <Day> <hh:mm:ss:cs> <TZ>. Year is 4-digit, Mon is a 3-letter abbreviation, TZ is a 1-5 character time-zone designator. | M | Because events can be combined in the same syslog message, each event is uniquely timestamped with the local time (not UTC), including the time zone designator. During daylight saving time (summer), the time zone designator is replaced by the DST designator, which is configurable. |
Protocol ID | 1, 6, 17 | M | ICMP, TCP, UDP |
Inside router | 0 to 2147483650 | M | 0 represents Base; 1 to 2147483650 represents VPRNs |
Source IP address | IPv4 address in LSN44 and IPv6 address in NAT64 | M | |
Source port or ICMP identifier | 0 to 65535 | M | |
Outside router | 0 to 2147483650 | M | |
Outside (post NAT) IP address | IPv4 address | M | |
Outside (post NAT) port or ICMP identifier | 0 to 65535 | M | |
Foreign IP address | IPv4 address | O(ptional) | This is the original destination IPv4 address. |
Foreign port or ICMP identifier | 0 to 65535 | O | |
Destination IP address | IPv4 address | O | It represents the translated destination IP address. |
Nat-policy | <name> | O | |
Sub-ID | <sub-name> | O | ‟-” if requested by the configuration (includes the sub-id statement) but the sub-aware NAT is not enabled. Otherwise, the sub-ID in the sub-aware NAT. |
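
The envelope and the mandatory message fields described above can be parsed and range-checked on the collector before the records are trusted for attribution. The following Python is an added example, not Nokia code: the sample lines are constructed, the `MDA 1/2` subject value and the function names `parse_nat_flow` and `missing_seqs` are hypothetical, and it assumes one event per syslog message and sequence numbers that increase by one. Optional fields are returned unparsed because the page does not fix which of them are present.

```python
import ipaddress
import re

# Envelope: <PRI> <HEADER><MSG>; MSG = <log-prefix>: <seq> <application> [<subject>]: <message>
ENVELOPE = re.compile(
    r"<(?P<pri>\d{1,3})>\s*"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "  # single-digit day is space-padded
    r"(?P<host>\S+) (?P<prefix>[^:]{0,32}): (?P<seq>\d+) "
    r"(?P<app>\S+) \[(?P<subject>[^\]]*)\]: (?P<msg>.*)")
MAX_ROUTER = 2147483650  # upper bound from the message-fields table

def parse_nat_flow(line):
    """Parse one NAT flow log line; raise ValueError if it is off-format."""
    m = ENVELOPE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("envelope does not match")
    tok = m["msg"].split(" ")  # message fields are separated by a single space
    if len(tok) < 14:
        raise ValueError("mandatory message fields missing")
    (nat, event, year, mon, day, clock, tz, proto,
     in_rtr, src_ip, src_port, out_rtr, out_ip, out_port) = tok[:14]
    if nat not in ("LSN44", "NAT64") or event not in ("SADD", "SDEL"):
        raise ValueError("unknown NAT type or event name")
    if proto not in ("1", "6", "17"):
        raise ValueError("unexpected protocol ID")
    rtrs, ports = (int(in_rtr), int(out_rtr)), (int(src_port), int(out_port))
    if not (0 <= min(rtrs) and max(rtrs) <= MAX_ROUTER and 0 <= min(ports) and max(ports) <= 65535):
        raise ValueError("router ID or port out of range")
    src, out = ipaddress.ip_address(src_ip), ipaddress.ip_address(out_ip)
    if src.version != (4 if nat == "LSN44" else 6) or out.version != 4:
        raise ValueError("address family does not match NAT type")
    facility, severity = divmod(int(m["pri"]), 8)  # PRI = facility*8 + severity
    return {"facility": facility, "severity": severity, "host": m["host"],
            "prefix": m["prefix"], "seq": int(m["seq"]), "subject": m["subject"],
            "nat": nat, "event": event, "time": " ".join((year, mon, day, clock, tz)),
            "proto": int(proto), "inside": (rtrs[0], str(src), ports[0]),
            "outside": (rtrs[1], str(out), ports[1]), "optional": tok[14:]}

def missing_seqs(records):
    """Sequence numbers absent between parsed records (possible loss in transit)."""
    seen = sorted(r["seq"] for r in records)
    return [n for a, b in zip(seen, seen[1:]) for n in range(a + 1, b)]

# Constructed sample lines (not device output); seq 109 is deliberately absent.
SAMPLE = [
    "<134>Jan  5 13:04:38 192.0.2.10 NOK: 108 NAT [MDA 1/2]: LSN44 SADD 2024 Jan 05 "
    "13:04:38:55 CET 6 0 10.0.0.5 20000 5 198.51.100.7 1800",
    "<134>Jan  5 13:04:39 192.0.2.10 NOK: 110 NAT [MDA 1/2]: LSN44 SDEL 2024 Jan 05 "
    "13:04:39:10 CET 6 0 10.0.0.5 20000 5 198.51.100.7 1800 203.0.113.9 443"]
```

A rejected line is worth counting rather than silently dropping, since a rise in parse failures or sequence gaps means the flow log can no longer be relied on to map an outside address and port back to a subscriber.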