Skip to main content

OneFirewall Syslog / CEF Log Format

OneFirewall emits operational and security events using the CEF (Common Event Format) standard.
These logs are designed to be consumed by external monitoring systems, SIEMs, and log collectors.
All events are forwarded over syslog (UDP) and follow a consistent, structured format.

1. Log Structure Overview

Each log entry consists of two main parts:
  1. CEF Header – fixed, pipe-delimited metadata used for classification
  2. CEF Extension – space-separated key=value pairs with event details

2. CEF Header Format

Header Fields


3. CEF Extension Format

The extension contains space-separated key=value pairs.

Common Extension Fields

Additional fields may be included depending on the event type (e.g. IPv4, decision, ofa_score).

4. Event Types & Examples

4.1 Application Lifecycle (APP_STATUS)

Emitted when the application starts or changes operational state.

4.2 Agent Management (NEW_AGENT, AGENT_DELETED)

Tracks creation and deletion of agents. New agent created
Agent deleted

4.3 IPv4 List Generation (IPV4_LIST)

Generated when IPv4 reputation lists are produced for enforcement or integrations.

4.4 Feedback Updates (FEEDBACK_UPDATED)

Indicates updates to feedback, scoring, or intelligence linked to an agent.

4.5 Network Events (NET_EVENT)

Represents observed or processed network traffic, optionally enriched with OneFirewall intelligence. network event

4.5.1 How Reads

A network event corresponds to a single network flow captured and analyzed by OneFirewall and is structured into three main sections.
CEF Header
As outlined above
CEF Extension
As outlined above
CEF Extension Message
The CEF extension includes a msg variable containing space-separated key=value data, as shown in the table below.
When OneFirewall has no available information, all ofa_ fields will be empty.

4.6 Policy & Decision Changes (PUT_DECISION)

Logs policy or enforcement decisions applied to IP addresses.

5. Summary

  • Logs follow CEF 0 for SIEM compatibility
  • The CEF header enables classification and severity mapping
  • The CEF extension carries structured, searchable metadata
  • Event types are consistent and human-readable
  • Additional enrichment fields are appended as data becomes available
This format enables straightforward ingestion into platforms such as Splunk, Elastic, Microsoft Sentinel, and other syslog-compatible collectors.