OneFirewall Syslog / CEF Log Format
OneFirewall emits operational and security events using the CEF (Common Event Format) standard.These logs are designed to be consumed by external monitoring systems, SIEMs, and log collectors. All events are forwarded over syslog (UDP) and follow a consistent, structured format.
1. Log Structure Overview
Each log entry consists of two main parts:- CEF Header – fixed, pipe-delimited metadata used for classification
- CEF Extension – space-separated key=value pairs with event details
2. CEF Header Format
Header Fields
| Field | Description | Example |
|---|---|---|
Version | CEF version | 0 |
Vendor | Event vendor | OneFirewall |
Product | Application / service | OFA-SRV |
Device Version | Build or release identifier | '2025-12-18' |
Signature | Event type identifier | APP_STATUS, NET_EVENT |
Name | Event category | Application |
Severity | Numeric severity (0–10) | 3 |
3. CEF Extension Format
The extension contains space-separated key=value pairs.Common Extension Fields
| Field | Description |
|---|---|
rt | Event timestamp (UTC, ISO-8601) |
level | Log level (INFO, WARN, etc.) |
hostname | Host producing the event |
clientip | Client IP address |
user | User responsible for the action |
member | Tenant / organization |
msg | Human-readable message |
IPv4, decision, ofa_score).
4. Event Types & Examples
4.1 Application Lifecycle (APP_STATUS)
Emitted when the application starts or changes operational state.
4.2 Agent Management (NEW_AGENT, AGENT_DELETED)
Tracks creation and deletion of agents.
New agent created
4.3 IPv4 List Generation (IPV4_LIST)
Generated when IPv4 reputation lists are produced for enforcement or integrations.
4.4 Feedback Updates (FEEDBACK_UPDATED)
Indicates updates to feedback, scoring, or intelligence linked to an agent.
4.5 Network Events (NET_EVENT)
Represents observed or processed network traffic, optionally enriched with OneFirewall intelligence.
network event
4.5.1 How Reads
A network event corresponds to a single network flow captured and analyzed by OneFirewall and is structured into three main sections.CEF Header
As outlined aboveCEF Extension
As outlined aboveCEF Extension Message
The CEF extension includes a msg variable containing space-separated key=value data, as shown in the table below.| Field | Type | Description |
|---|---|---|
firewall | string | Firewall name or unique identifier |
action | string | Action taken by the firewall (e.g. allow, block) |
service | string | Service or application name |
src_ip | ip | Source IP address |
dst_ip | ip | Destination IP address |
port | integer | Destination port number |
ofa_action | string | Action determined by OneFirewall (allow or block) |
ofa_risk | string | Risk level assigned by OneFirewall (e.g. LOW, MEDIUM, HIGH) |
ofa_score | integer | OneFirewall threat/crime score |
ofa_ip | ip | IP address associated with the score (source or destination, depending on traffic direction) |
ofa_members | integer | Number of members who reported the threat actor |
ofa_first_seen | datetime | First time the IP or actor was observed |
ofa_last_seen | datetime | Most recent event recorded |
ofa_reports | integer | Total number of reports for the threat actor |
ofa_geo_asn | string | Autonomous System Number (ASN) |
ofa_geo_domain | string | Domain associated with the IP address |
ofa_geo_country | string | Country of origin |
ofa_sources | string | Comma-separated list of sources reporting the threat actor |
ofa_intel | string | Comma-separated list of intelligence tags or indicators |
ofa_mitre | string | Comma-separated list of MITRE ATT&CK technique IDs |
When OneFirewall has no available information, all ofa_ fields will be empty.
4.6 Policy & Decision Changes (PUT_DECISION)
Logs policy or enforcement decisions applied to IP addresses.
5. Summary
- Logs follow CEF 0 for SIEM compatibility
- The CEF header enables classification and severity mapping
- The CEF extension carries structured, searchable metadata
- Event types are consistent and human-readable
- Additional enrichment fields are appended as data becomes available