# OneFirewall System Events

# OneFirewall Syslog / CEF Log Format

OneFirewall emits operational and security events using the **CEF (Common Event Format)** standard.\
These logs are designed to be consumed by external monitoring systems, SIEMs, and log collectors.

All events are forwarded over **syslog (UDP)** and follow a consistent, structured format.

***

## 1. Log Structure Overview

Each log entry consists of **two main parts**:

1. **CEF Header** – fixed, pipe-delimited metadata used for classification
2. **CEF Extension** – space-separated key=value pairs with event details

***

## 2. CEF Header Format

```
CEF:<Version>|<Vendor>|<Product>|<Device Version>|<Signature>|<Name>|<Severity>|
```

### Header Fields

| Field            | Description                 | Example                   |
| ---------------- | --------------------------- | ------------------------- |
| `Version`        | CEF version                 | `0`                       |
| `Vendor`         | Event vendor                | `OneFirewall`             |
| `Product`        | Application / service       | `OFA-SRV`                 |
| `Device Version` | Build or release identifier | `'2025-12-18'`            |
| `Signature`      | Event type identifier       | `APP_STATUS`, `NET_EVENT` |
| `Name`           | Event category              | `Application`             |
| `Severity`       | Numeric severity (0–10)     | `3`                       |

***

## 3. CEF Extension Format

The extension contains **space-separated key=value pairs**.

### Common Extension Fields

| Field      | Description                      |
| ---------- | -------------------------------- |
| `rt`       | Event timestamp (UTC, ISO-8601)  |
| `level`    | Log level (`INFO`, `WARN`, etc.) |
| `hostname` | Host producing the event         |
| `clientip` | Client IP address                |
| `user`     | User responsible for the action  |
| `member`   | Tenant / organization            |
| `msg`      | Human-readable message           |

Additional fields may be included depending on the event type (e.g. `IPv4`, `decision`, `ofa_score`).

***

## 4. Event Types & Examples

### 4.1 Application Lifecycle (`APP_STATUS`)

Emitted when the application starts or changes operational state.

```
CEF:0|OneFirewall|OFA-SRV|'2025-10-12'|APP_STATUS|Application|3|
rt=2025-10-12T01:21:56.184Z level=INFO hostname=192.168.0.2 clientip=NA user=NA member=NA msg='APP STARTED'
```

***

### 4.2 Agent Management (`NEW_AGENT`, `AGENT_DELETED`)

Tracks creation and deletion of agents.

**New agent created**

```
CEF:0|OneFirewall|OFA-SRV|'2025-12-18'|NEW_AGENT|Application|3|
rt=2025-10-12T00:22:37.234Z level=INFO hostname=192.168.0.2 user=user@example.com member='OneFirewall Alliance LTD' msg='New agent created'
```

**Agent deleted**

```
CEF:0|OneFirewall|OFA-SRV|'2025-12-18'|AGENT_DELETED|Application|3|
rt=2025-10-12T00:31:32.529Z level=INFO hostname=192.168.0.2 user=user@example.com member='OneFirewall Alliance LTD' msg='Agent with OFA_dgH3Ti3z deleted'
```

***

### 4.3 IPv4 List Generation (`IPV4_LIST`)

Generated when IPv4 reputation lists are produced for enforcement or integrations.

```
CEF:0|OneFirewall|OFA-SRV|'2025-12-18'|IPV4_LIST|Application|3|
rt=2025-10-12T00:33:43.999Z level=INFO hostname=192.168.0.2 user=user@example.com member='OneFirewall Alliance LTD'
msg='IPv4 list generated for score=150, agid=OFA_cBzsXacP and plugin=fortinet' tot_size=22874
```

***

### 4.4 Feedback Updates (`FEEDBACK_UPDATED`)

Indicates updates to feedback, scoring, or intelligence linked to an agent.

```
CEF:0|OneFirewall|OFA-SRV|'2025-12-18'|FEEDBACK_UPDATED|Application|3|
rt=2025-10-12T00:48:13.075Z level=INFO hostname=192.168.0.2 user=user@example.com member='OneFirewall Alliance LTD'
msg='Feedback updated for agid=OFA_cBzsXacP'
```

***

### 4.5 Network Events (`NET_EVENT`)

Represents observed or processed network traffic, optionally enriched with OneFirewall intelligence.

**network event**

```
CEF:0|OneFirewall|OFA-SRV|'2026-01-12'|NET_EVENT|Application|3|rt=2026-01-14T00:56:06.280Z level=INFO hostname=mac clientip=undefined user=dev.team2@onefirewall.com member='OneFirewall Alliance LTD' msg='firewall=fortinet action=Allow service=serv1 src_ip=103.40.61.98 dst_ip=10.1.1.19 port=443 ofa_action=allow ofa_risk=low ofa_score=527 ofa_ip=103.40.61.98 ofa_members=25 ofa_first_seen=2025-10-06T14:21:06.000Z ofa_last_seen=2026-01-14T00:18:42.000Z ofa_reports=2725 ofa_geo_asn=AS133700 ofa_geo_domain= ofa_geo_country=India ofa_sources=cloud-provider-it,financial-service-it,honeynet-activity-gb,automotive-nl,security-provider-us,Transportation-it,threat-intel-de,tech-hub-it,cyber-threat-alliance-us,software-house-gb,security-provider-es ofa_intel=ddos-source,ssh-brute-force-i ofa_mitre=T1046,T1595,T1566,T1110'
```

#### 4.5.1 How to Read a Network Event

A network event corresponds to a single network flow captured and analyzed by OneFirewall and is structured into three main sections.

##### CEF Header

As outlined in section 2 above.

##### CEF Extension

As outlined in section 3 above.

##### CEF Extension Message

The CEF extension includes a `msg` field containing space-separated key=value data, as shown in the table below.

| Field             | Type       | Description                                                                                  |
| ----------------- | ---------- | -------------------------------------------------------------------------------------------- |
| `firewall`        | `string`   | Firewall name or unique identifier                                                           |
| `action`          | `string`   | Action taken by the firewall (e.g. `allow`, `block`)                                         |
| `service`         | `string`   | Service or application name                                                                  |
| `src_ip`          | `ip`       | Source IP address                                                                            |
| `dst_ip`          | `ip`       | Destination IP address                                                                       |
| `port`            | `integer`  | Destination port number                                                                      |
| `ofa_action`      | `string`   | Action determined by OneFirewall (`allow` or `block`)                                        |
| `ofa_risk`        | `string`   | Risk level assigned by OneFirewall (e.g. `LOW`, `MEDIUM`, `HIGH`)                            |
| `ofa_score`       | `integer`  | OneFirewall threat/crime score                                                               |
| `ofa_ip`          | `ip`       | IP address associated with the score (source or destination, depending on traffic direction) |
| `ofa_members`     | `integer`  | Number of members who reported the threat actor                                              |
| `ofa_first_seen`  | `datetime` | First time the IP or actor was observed                                                      |
| `ofa_last_seen`   | `datetime` | Most recent event recorded                                                                   |
| `ofa_reports`     | `integer`  | Total number of reports for the threat actor                                                 |
| `ofa_geo_asn`     | `string`   | Autonomous System Number (ASN)                                                               |
| `ofa_geo_domain`  | `string`   | Domain associated with the IP address                                                        |
| `ofa_geo_country` | `string`   | Country of origin                                                                            |
| `ofa_sources`     | `string`   | Comma-separated list of sources reporting the threat actor                                   |
| `ofa_intel`       | `string`   | Comma-separated list of intelligence tags or indicators                                      |
| `ofa_mitre`       | `string`   | Comma-separated list of MITRE ATT&CK technique IDs                                           |

> When OneFirewall has no available information, all `ofa_` fields will be empty.
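As an added example (not OneFirewall's own code or tooling), the following Python parser covers the format described in sections 2, 3 and 4.5.1 together: it splits the header on unescaped pipes, reads the extension's key=value pairs including single-quoted values such as `member='OneFirewall Alliance LTD'`, parses the nested `msg` of a `NET_EVENT` into its `ofa_` fields, treats an all-empty `ofa_` set as the "no information available" case from the note above, and runs one defender-side check that reports flows the firewall allowed while `ofa_action` is `block` or `ofa_risk` is `high`. The sample lines are constructed from the document's examples, and the quoting rules, the check and the function names are assumptions of this example rather than anything OneFirewall specifies.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed samples modelled on this document's examples, not captured from a live system. The first
# is built so that the firewall allowed a flow that OneFirewall intelligence marks "block".
SAMPLE_NET_EVENT = (
    "CEF:0|OneFirewall|OFA-SRV|'2026-01-12'|NET_EVENT|Application|3|"
    "rt=2026-01-14T00:56:06.280Z level=INFO hostname=mac clientip=undefined "
    "user=dev.team2@onefirewall.com member='OneFirewall Alliance LTD' "
    "msg='firewall=fortinet action=Allow service=serv1 src_ip=103.40.61.98 dst_ip=10.1.1.19 port=443 "
    "ofa_action=block ofa_risk=high ofa_score=527 ofa_ip=103.40.61.98 ofa_members=25 ofa_geo_domain= "
    "ofa_geo_country=India ofa_sources=honeynet-activity-gb,threat-intel-de ofa_mitre=T1046,T1595'"
)
# Same shape with every ofa_ field empty: the "no information available" case from the note above.
SAMPLE_NO_INTEL = (
    "CEF:0|OneFirewall|OFA-SRV|'2026-01-12'|NET_EVENT|Application|3|"
    "rt=2026-01-14T00:57:00.000Z level=INFO hostname=mac clientip=undefined user=dev.team2@onefirewall.com "
    "member='OneFirewall Alliance LTD' msg='firewall=fortinet action=Allow service=serv1 src_ip=10.1.1.5 "
    "dst_ip=10.1.1.19 port=443 ofa_action= ofa_risk= ofa_score= ofa_ip= ofa_geo_country= ofa_mitre='"
)
# A PUT_DECISION line laid out as in the document, header and extension on separate lines.
SAMPLE_PUT_DECISION = (
    "CEF:0|OneFirewall|OFA-SRV|'2025-12-18'|PUT_DECISION|Application|3|\n"
    "rt=2025-10-12T01:16:57.741Z level=INFO hostname=192.168.0.2 user=user@example.com "
    "member='OneFirewall Alliance LTD'\ndecision=BLOCK IPv4=1.0.138.92"
)

HEADER_NAMES = ("version", "vendor", "product", "device_version", "signature", "name", "severity")
_KEY_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)=")        # key= at the current position
_NEXT_KEY_RE = re.compile(r"\s+[A-Za-z_][A-Za-z0-9_]*=")  # start of the following key=value pair


@dataclass
class CefEvent:
    signature: str              # event type identifier, e.g. NET_EVENT
    severity: int               # 0-10
    header: Dict[str, str]      # all seven header fields by name (device_version with quotes removed)
    extension: Dict[str, str]   # top-level key=value pairs
    msg_fields: Dict[str, str]  # inner pairs of a NET_EVENT msg; empty for other event types


def split_header(line: str) -> Tuple[List[str], str]:
    """Return the 7 header fields and the extension text; a pipe escaped as \\| does not end a field."""
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if not line.startswith("CEF:") or len(parts) != 8:
        raise ValueError("not a complete CEF line")
    return [p.replace("\\|", "|") for p in parts[:7]], parts[7]


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse space-separated key=value pairs. A single-quoted value runs to its closing quote (it may hold
    spaces or nested key=value text); an unquoted one runs to the next " key=" boundary, so "k= " -> ""."""
    out: Dict[str, str] = {}
    pos, n = 0, len(ext)
    while pos < n:
        m = _KEY_RE.match(ext, pos)
        if not m:  # whitespace, including a newline between header and extension: skip it
            pos += 1
            continue
        key, pos = m.group(1), m.end()
        if pos < n and ext[pos] == "'":
            end = ext.find("'", pos + 1)
            end = n if end == -1 else end  # unterminated quote: take the rest of the line
            out[key], pos = ext[pos + 1:end], end + 1
        else:
            nxt = _NEXT_KEY_RE.search(ext, pos)
            end = nxt.start() if nxt else n
            out[key], pos = ext[pos:end].rstrip(), end
    return out


def parse_cef(line: str) -> CefEvent:
    raw, ext_text = split_header(line)
    header = dict(zip(HEADER_NAMES, raw))
    header["device_version"] = header["device_version"].strip("'")  # '2026-01-12' -> 2026-01-12
    ext = parse_extension(ext_text)
    inner = parse_extension(ext["msg"]) if header["signature"] == "NET_EVENT" and "msg" in ext else {}
    return CefEvent(header["signature"], int(header["severity"]), header, ext, inner)


def has_ofa_intel(ev: CefEvent) -> bool:  # per the note above: all ofa_ fields empty = no information
    return any(v for k, v in ev.msg_fields.items() if k.startswith("ofa_"))


def csv_field(ev: CefEvent, key: str) -> List[str]:  # ofa_sources / ofa_intel / ofa_mitre as lists
    return [x for x in ev.msg_fields.get(key, "").split(",") if x]


def allowed_but_flagged(ev: CefEvent) -> Optional[str]:
    """Defender-side check (an assumption of this example, not a OneFirewall rule): describe a NET_EVENT
    where the firewall allowed the flow although OneFirewall says block or rates the IP high risk."""
    m = ev.msg_fields
    if ev.signature != "NET_EVENT" or not has_ofa_intel(ev) or m.get("action", "").lower() != "allow":
        return None
    if m.get("ofa_action", "").lower() == "block" or m.get("ofa_risk", "").lower() == "high":
        return (f"{m.get('firewall')} allowed {m.get('src_ip')} -> {m.get('dst_ip')}:{m.get('port')} but "
                f"ofa_action={m.get('ofa_action')} ofa_risk={m.get('ofa_risk')} "
                f"mitre={','.join(csv_field(ev, 'ofa_mitre'))}")
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_NET_EVENT, SAMPLE_NO_INTEL, SAMPLE_PUT_DECISION):
        event = parse_cef(sample)
        print(event.signature, event.severity, event.extension.get("decision"), allowed_but_flagged(event))
```

Two design points worth noting when adapting this to a real collector: the quote handling is specific to the `'...'` convention visible in this document's examples (the CEF specification itself has no quoting and instead escapes `=` and `\` inside extension values), and the parser deliberately keeps `msg` parsing conditional on `NET_EVENT`, because for the other event types `msg` is free text such as `'Agent with OFA_dgH3Ti3z deleted'` and must not be split on `=`.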

***

### 4.6 Policy & Decision Changes (`PUT_DECISION`)

Logs policy or enforcement decisions applied to IP addresses.

```
CEF:0|OneFirewall|OFA-SRV|'2025-12-18'|PUT_DECISION|Application|3|
rt=2025-10-12T01:16:57.741Z level=INFO hostname=192.168.0.2 user=user@example.com member='OneFirewall Alliance LTD'
decision=BLOCK IPv4=1.0.138.92
```

***

## 5. Summary

* Logs follow **CEF 0** for SIEM compatibility
* The **CEF header** enables classification and severity mapping
* The **CEF extension** carries structured, searchable metadata
* Event types are consistent and human-readable
* Additional enrichment fields are appended as data becomes available

This format enables straightforward ingestion into platforms such as Splunk, Elastic, Microsoft Sentinel, and other syslog-compatible collectors.
