Network Traffic Events

Vendor Documentation


| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Network Traffic Events | Base Rule | | |
| Packet Forwarded | Sub Rule | Information | Forwarding Data |
| Packet Dropped | Sub Rule | Warning | Request Dropped |
| Management Packet | Sub Rule | Information | Management Pack Received |
| No Packet Associated | Sub Rule | Information | General Information Log Message |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| sn | <serialnumber> | Number | Indicates the device serial number |
| time | N/A | N/A | Reports the time of event |
| fw | N/A | N/A | Indicates the WAN IP Address |
| pri | <severity> | Number | Displays the event priority level (0=emergency, 7=debug) |
| c | <vmid> | Number | Indicates the legacy category number (Note: SonicOS/X does not currently send new category information) |
| gcat | N/A | N/A | Displays the event group category when using Enhanced Syslog |
| m | N/A | N/A | Provides the message ID number |
| srcMac | <smac> | Text/String | Source MAC Address |
| | | IP Address | Indicates the source IP address, and optionally, port, network interface, and resolved name |
| srcZone | N/A | N/A | Displays source zone |
| natSrc | <snatip> | IP Address | Displays the NAT’ed source IP address |
| dstMac | <dmac> | Text/String | Destination MAC Address |
| | | IP Address | Destination IP address, and optionally, port, network interface, and resolved name |
| dstZone | N/A | N/A | Displays destination zone |
| natDst | <dnatip> | IP Address | Displays the NAT’ed destination IP address |
| usr | <login> | Text/String | Displays the user name (“user” is the tag used by WebTrends) |
| proto | <protname> | Text/String | Displays the protocol information (rendered as “proto=[protocol]” or just “[proto]/[service]”) |
| sent | <bytesout> | Number | Displays the number of bytes sent within connection |
| rcvd | <bytesin> | Number | Indicates the number of bytes received within connection |
| sess | <session> | Text/String | Applies to Syslogs with an associated user session being tracked by the UTM |
| rule | <policy> | Text/String | Used to identify a policy or a rule associated with an event |
| app | <object> | Number | Indicates the application for the applied Syslog. Only displays when Flow Reporting is enabled |
| appName | <objectname> | Text/String | Indicates the non-signature Application Name that matches the Application ID “app” or “f” of the Syslog. Only displays when Flow Reporting is enabled |
| msg | <vendorinfo> | Text/String | Displays the message, which is composed of either or both a predefined message and a dynamic message containing a string %s or numeric %d argument |
| n | <quantity> | Number | Indicates the number of times the event occurs |

The explicit action performed on network traffic (packets) encountered by the firewall based on built-in or user-configured policies that may allow or drop packets.

Possible values are:

    • forward - packet is forwarded due to a matching policy or rule set
    • drop - packet is dropped due to a matching policy or rule set
    • mgmt - packet is a management packet, management policy will be applied
    • NA - not associated with a packet, firewall action is Not Applicable

Indicates that a flow underwent inspection by Deep Packet Inspection.

Possible values for dpi are:

    • 1 = DPI inspection occurred
    • 0 = no DPI inspection
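
The field mapping and action values above, applied to one log line, as an added example (not LogRhythm's or SonicWall's own parsing code). The key name fw_action, the selection of a sub rule by action value, and the sample line are assumptions made for this illustration; quoted values are read whole so that text inside msg is never taken for a separate key.

```python
import re

# Device key -> LogRhythm schema tag, copied from the mapping table on this page.
SCHEMA = {
    "sn": "serialnumber", "pri": "severity", "c": "vmid", "srcMac": "smac",
    "natSrc": "snatip", "dstMac": "dmac", "natDst": "dnatip", "usr": "login",
    "proto": "protname", "sent": "bytesout", "rcvd": "bytesin",
    "sess": "session", "rule": "policy", "app": "object",
    "appName": "objectname", "msg": "vendorinfo", "n": "quantity",
}
# Tags the table types as Number.
NUMERIC = {"serialnumber", "severity", "vmid", "bytesout", "bytesin",
           "object", "quantity"}
# Action value -> (sub rule, classification, common event), from the rule table.
# Assumption: the sub rule is selected by the action value.
SUB_RULES = {
    "forward": ("Packet Forwarded", "Information", "Forwarding Data"),
    "drop": ("Packet Dropped", "Warning", "Request Dropped"),
    "mgmt": ("Management Packet", "Information", "Management Pack Received"),
    "NA": ("No Packet Associated", "Information",
           "General Information Log Message"),
}
ACTION_KEY = "fw_action"  # assumed key name; this page does not give it

# key=value where the value is either a double-quoted string or a bare token.
PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

def parse(line):
    """Return (schema_fields, unmapped_keys, sub_rule) for one log line."""
    fields, unmapped, action = {}, {}, None
    for key, quoted, bare in PAIR.findall(line):
        value = quoted or bare
        if key == ACTION_KEY:
            action = value
        elif key in SCHEMA:
            tag = SCHEMA[key]
            # Keep the raw string when a Number field is not decimal (hex serials).
            fields[tag] = int(value) if tag in NUMERIC and value.isdecimal() else value
        else:
            unmapped[key] = value  # N/A in the table: kept, but not mapped
    # A missing or unknown action matches no sub rule; fall back to the base rule.
    base = ("Network Traffic Events", None, None)
    return fields, unmapped, SUB_RULES.get(action, base)

# Constructed sample line; the msg text contains "fw_action=forward" inside quotes.
SAMPLE = ('id=firewall sn=0017C5AB12CD time="2024-05-01 10:15:30" fw=203.0.113.1 '
          'pri=5 c=64 m=36 msg="probe fw_action=forward seen" n=3 '
          'srcMac=00:11:22:33:44:55 natSrc=203.0.113.1 proto=tcp/https '
          'sent=120 rcvd=0 rule="12 (LAN->WAN)" fw_action="drop"')
```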