OneFirewall Syslog / CEF Log Format

OneFirewall emits operational and security events using the CEF (Common Event Format) standard.
These logs are designed to be consumed by external monitoring systems, SIEMs, and log collectors. All events are forwarded over syslog (UDP) and follow a consistent, structured format.

1. Log Structure Overview

Each log entry consists of two main parts:

CEF Header – fixed, pipe-delimited metadata used for classification
CEF Extension – space-separated key=value pairs with event details

2. CEF Header Format

CEF:<Version>|<Vendor>|<Product>|<Device Version>|<Signature>|<Name>|<Severity>|

Header Fields

Field	Description	Example
`Version`	CEF version	`0`
`Vendor`	Event vendor	`OneFirewall`
`Product`	Application / service	`OFA-SRV`
`Device Version`	Build or release identifier	`'2025-12-18'`
`Signature`	Event type identifier	`APP_STATUS`, `NET_EVENT`
`Name`	Event category	`Application`
`Severity`	Numeric severity (0–10)	`3`

3. CEF Extension Format

The extension contains space-separated key=value pairs.

Common Extension Fields

Field	Description
`rt`	Event timestamp (UTC, ISO-8601)
`level`	Log level (`INFO`, `WARN`, etc.)
`hostname`	Host producing the event
`clientip`	Client IP address
`user`	User responsible for the action
`member`	Tenant / organization
`msg`	Human-readable message

Additional fields may be included depending on the event type (e.g. IPv4, decision, ofa_score).

4. Event Types & Examples

4.1 Application Lifecycle (`APP_STATUS`)

Emitted when the application starts or changes operational state.

CEF:0|OneFirewall|OFA-SRV|'2025-10-12'|APP_STATUS|Application|3|
rt=2025-10-12T01:21:56.184Z level=INFO hostname=192.168.0.2 clientip=NA user=NA member=NA msg='APP STARTED'

4.2 Agent Management (`NEW_AGENT`, `AGENT_DELETED`)

Tracks creation and deletion of agents. New agent created

CEF:0|OneFirewall|OFA-SRV|'2025-12-18'|NEW_AGENT|Application|3|
rt=2025-10-12T00:22:37.234Z level=INFO hostname=192.168.0.2 [email protected] member='OneFirewall Alliance LTD' msg='New agent created'

Agent deleted

CEF:0|OneFirewall|OFA-SRV|'2025-12-18'|AGENT_DELETED|Application|3|
rt=2025-10-12T00:31:32.529Z level=INFO hostname=192.168.0.2 [email protected] member='OneFirewall Alliance LTD' msg='Agent with OFA_dgH3Ti3z deleted'

4.3 IPv4 List Generation (`IPV4_LIST`)

Generated when IPv4 reputation lists are produced for enforcement or integrations.

CEF:0|OneFirewall|OFA-SRV|'2025-12-18'|IPV4_LIST|Application|3|
rt=2025-10-12T00:33:43.999Z level=INFO hostname=192.168.0.2 [email protected] member='OneFirewall Alliance LTD'
msg='IPv4 list generated for score=150, agid=OFA_cBzsXacP and plugin=fortinet' tot_size=22874

4.4 Feedback Updates (`FEEDBACK_UPDATED`)

Indicates updates to feedback, scoring, or intelligence linked to an agent.

CEF:0|OneFirewall|OFA-SRV|'2025-12-18'|FEEDBACK_UPDATED|Application|3|
rt=2025-10-12T00:48:13.075Z level=INFO hostname=192.168.0.2 [email protected] member='OneFirewall Alliance LTD'
msg='Feedback updated for agid=OFA_cBzsXacP'

4.5 Network Events (`NET_EVENT`)

Represents observed or processed network traffic, optionally enriched with OneFirewall intelligence. Basic network event

CEF:0|OneFirewall|OFA-SRV|'2025-12-18'|NET_EVENT|Application|3|
rt=2025-10-12T00:53:56.430Z level=INFO hostname=192.168.0.2
msg='IPv4 94.22.73.32 -> 192.168.0.1'

Enriched firewall event

CEF:0|OneFirewall|OFA-SRV|'2025-12-18'|NET_EVENT|Application|3|
rt=2025-10-12T01:04:30.980Z level=INFO hostname=192.168.0.2
msg='fortinet/Allow/org1 94.22.73.32->192.168.0.1:443 ofa_score=0 ofa_ip=94.22.73.32 members=1'

4.6 Policy & Decision Changes (`PUT_DECISION`)

Logs policy or enforcement decisions applied to IP addresses.

CEF:0|OneFirewall|OFA-SRV|'2025-12-18'|PUT_DECISION|Application|3|
rt=2025-10-12T01:16:57.741Z level=INFO hostname=192.168.0.2 [email protected] member='OneFirewall Alliance LTD'
decision=BLOCK IPv4=1.0.138.92

5. Summary

Logs follow CEF 0 for SIEM compatibility
The CEF header enables classification and severity mapping
The CEF extension carries structured, searchable metadata
Event types are consistent and human-readable
Additional enrichment fields are appended as data becomes available

This format enables straightforward ingestion into platforms such as Splunk, Elastic, Microsoft Sentinel, and other syslog-compatible collectors.

Get Started

Essentials

Releases

Case Studies

WCF Agent

Products

Updates

OneFirewall System Events

OneFirewall Syslog / CEF Log Format

1. Log Structure Overview

2. CEF Header Format

Header Fields

3. CEF Extension Format

Common Extension Fields

4. Event Types & Examples

4.1 Application Lifecycle (`APP_STATUS`)

4.2 Agent Management (`NEW_AGENT`, `AGENT_DELETED`)

4.3 IPv4 List Generation (`IPV4_LIST`)

4.4 Feedback Updates (`FEEDBACK_UPDATED`)

4.5 Network Events (`NET_EVENT`)

4.6 Policy & Decision Changes (`PUT_DECISION`)

5. Summary

Get Started

Essentials

Releases

Case Studies

WCF Agent

Products

Updates

​OneFirewall Syslog / CEF Log Format

​1. Log Structure Overview

​2. CEF Header Format

​Header Fields

​3. CEF Extension Format

​Common Extension Fields

​4. Event Types & Examples

​4.1 Application Lifecycle (APP_STATUS)

​4.2 Agent Management (NEW_AGENT, AGENT_DELETED)

​4.3 IPv4 List Generation (IPV4_LIST)

​4.4 Feedback Updates (FEEDBACK_UPDATED)

​4.5 Network Events (NET_EVENT)

​4.6 Policy & Decision Changes (PUT_DECISION)

​5. Summary

OneFirewall Syslog / CEF Log Format

1. Log Structure Overview

2. CEF Header Format

Header Fields

3. CEF Extension Format

Common Extension Fields

4. Event Types & Examples

4.1 Application Lifecycle (`APP_STATUS`)

4.2 Agent Management (`NEW_AGENT`, `AGENT_DELETED`)

4.3 IPv4 List Generation (`IPV4_LIST`)

4.4 Feedback Updates (`FEEDBACK_UPDATED`)

4.5 Network Events (`NET_EVENT`)

4.6 Policy & Decision Changes (`PUT_DECISION`)

5. Summary