Log event

Every log event consists of pre-defined parts. Each logging method (such as logging to a file or to syslog) and its related log event formatting (such as RFC5424 or RFC3164) produces a different output form of the log event and its parts.

Example of a log event formatted for file output:

2017-01-17T03:03:47.365Z seacat-gw[20367] WARN: [h=1.2.3.4 p=32707] A peer connection failed

Note: The format of the log event depends on the transport configuration (file, syslog) and formatting configuration (RFC5424, RFC3164).

  • Timestamp: 2017-01-17T03:03:47.365Z
  • Component Name: seacat-gw
  • Process ID: 20367
  • Log Level: WARN
  • Structured Data: h=1.2.3.4 p=32707
  • Message: Incoming connection accepted

Timestamp

The date and time of the log event in the UTC timezone with at least millisecond precision (3 decimal places). Internally it is represented as a double-precision floating point number, i.e. as a Unix timestamp.

Example of a RFC3339 format of the log event timestamp: 2017-04-28T13:19:26.680Z

Note: Some log event formats (e.g., RFC3164) translate the log event timestamp into a local time of the machine.

Component name

A name of the SeaCat component that produced a log event.

Example: seacat-gw

Process ID

An integer PID of the SeaCat component that produced a log event.

Example: 20367

Log level

The log level of an event. Log levels express the severity of events, allowing filtering and quick orientation.

Example: WARN

Log level (syslog level): description

  • FATAL (2 / crit): FATAL events signal an unrecoverable failure that prevents the service from continuing. These events require immediate operator attention. When a FATAL event occurs, the Client Connection is lost and SeaCat Server is likely not able to recover from the fatal state automatically.
  • ERROR (3 / err): ERROR events signal activity that has the potential to affect accessibility or availability. Automatic recovery from the majority of ERROR events is implemented.
  • WARN (4 / warning): WARN events affect primary SeaCat Server functions. Events marked as WARN inform that some settings are not optimally configured, or that some recoverable issue has occurred. These events are mostly related to one particular Client Connection, where only one Client is affected.
  • AUDIT (5 / notice): AUDIT events are suited for Security Information and Event Monitoring (SIEM) integration. These events are the primary source of security-related information. They report Client activity regardless of whether it is good or bad. The AUDIT level provides monitoring of Client activity.
  • INFO (6 / info): INFO events are worth knowing about (e.g. a top-level message from SeaCat Server or Client activity). No reaction is needed.
  • DEBUG (7 / debug): DEBUG events provide a detailed description of internal activity. They are intended for fine-tuning SeaCat Server settings or for finding issues. Disabled by default; must be turned on by the -v command-line argument.
  • TRACE (7 / debug): TRACE events are used only during debugging sessions and provide very detailed insight into the internal process flow of the SeaCat Server. Disabled by default; must be turned on.

Structured data

The structured data part can contain zero, one, or multiple structured data elements. Each structured data element is a name-value pair (the name, followed by its parameter value).

Structured data names are defined within the l@47278 namespace. l@47278 refers to http://oidref.com/1.3.6.1.4.1.47278, the TeskaLabs 'SMI Network Management Private Enterprise Code' maintained by IANA.

Example: eventSource="Application" eventID="1011" h="1.2.3.4" p="32707"

Frequently used names

Names of up to 3 characters are reserved for abbreviations of frequently used data elements.

Abbreviation (full name): description

  • a (audit-type): The identification of the audit log event type
  • d (duration): A duration in seconds
  • e (error-code): A numeric error code
  • E (error-string): A textual error message
  • h (host): An Internet address of the host or peer, such as IPv4, IPv6 or a hostname
  • p (port): An integer number of a network port
  • r (reason): A textual reason
  • i (client-id): SeaCat Client ID
  • t (client-tag): SeaCat Client Tag
  • Svd (ssl-verify-depth): TLS/SSL depth of certificate verification
  • Scs (ssl-certificate-subject): TLS/SSL Certificate Subject
  • Spf (ssl-pubkey-fingerprint): TLS/SSL Public Key Fingerprint
  • hh (http-host): A name of the HTTP backend application host
  • hn (http-node): An integer identification of the HTTP load balancing node
  • hq (http-sequence): An integer identification of the HTTP load balancing node connection
  • hm (http-method): HTTP method, such as POST, GET, PUT, DELETE and so on
  • hp (http-path): The path part of the HTTP request URL
  • hc (http-status-code): HTTP status code of a response
  • ti (telemetry-capabilities-id): A serial number of capabilities information

Message

A free-form, readable message that provides information about the event. Occasionally this part contains new lines; in such a case, each new-line character is immediately followed by a TAB (\t) character.

Example: Request to a backend
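The following parser is an added example, not code from SeaCat or TeskaLabs. It reads the file output format described above (timestamp, component name, PID, level, optional structured data in brackets, message) into a dictionary, parses name=value structured data with bare or double-quoted values, and joins continuation lines that start with a TAB onto the previous message, as the Message section specifies. The sample lines at the bottom are constructed for the example; the timestamp is converted to both a UTC datetime and the Unix float the page says is used internally.

```python
import re
from datetime import datetime, timezone

# One log event in the file output format described above:
#   <timestamp> <component>[<pid>] <LEVEL>: [<structured data>] <message>
# The structured-data bracket is optional because an event may carry zero elements.
# re.DOTALL lets the message span continuation lines (newline followed by TAB).
_EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<component>[^\[\s]+)\[(?P<pid>\d+)\] (?P<level>[A-Z]+): "
    r"(?:\[(?P<sd>[^\]]*)\] ?)?(?P<message>.*)$",
    re.DOTALL,
)

# A structured data element is name=value; the value is either bare or double-quoted.
_SD_RE = re.compile(r'(?P<name>[^\s="]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def parse_structured_data(sd: str) -> dict:
    """'h=1.2.3.4 p="32707"' -> {'h': '1.2.3.4', 'p': '32707'}."""
    return {
        m.group("name"): m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        for m in _SD_RE.finditer(sd)
    }


def parse_event(text: str) -> dict:
    """Parse one complete log event (the text may include continuation lines)."""
    m = _EVENT_RE.match(text)
    if m is None:
        raise ValueError(f"not a SeaCat log event: {text[:60]!r}")
    # RFC3339 timestamp in UTC with millisecond precision; the Unix float is kept as well,
    # since that is how the page says the time is represented internally.
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return {
        "timestamp": ts,
        "unix": ts.timestamp(),
        "component": m.group("component"),
        "pid": int(m.group("pid")),
        "level": m.group("level"),
        "sd": parse_structured_data(m.group("sd") or ""),
        "message": m.group("message"),
    }


def iter_events(lines):
    """Group physical lines into events: a line starting with TAB continues the previous message."""
    buf = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("\t") and buf is not None:
            buf += "\n" + line  # keep the newline + TAB exactly as the format defines them
            continue
        if buf is not None:
            yield parse_event(buf)
        buf = line
    if buf is not None:
        yield parse_event(buf)


# Constructed sample input (not real SeaCat output): three physical lines, two events.
SAMPLE_LOG = [
    "2017-01-17T03:03:47.365Z seacat-gw[20367] WARN: [h=1.2.3.4 p=32707] A peer connection failed",
    "2017-01-17T03:03:47.401Z seacat-gw[20367] ERROR: Request to a backend",
    "\tbackend detail: constructed continuation line",
]


def parse_sample() -> list:
    """Parse the constructed sample; returns two event dicts."""
    return list(iter_events(SAMPLE_LOG))


if __name__ == "__main__":
    for ev in parse_sample():
        print(ev["level"], ev["sd"], repr(ev["message"]))
```

The regex is anchored on the `component[pid] LEVEL:` shape, so a stray continuation line that arrives before any event raises rather than being silently merged; a syslog transport with RFC3164 formatting would need a different timestamp pattern, since that format rewrites the timestamp in local time.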

Audit Log

The SeaCat Server audit log is the primary source of security-related information about all activities, such as client transactions. It is designed for Security Information and Event Monitoring (SIEM) integration, giving security officers excellent visibility.

It is a part of a log event stream produced by a SeaCat Server.

Audit Log Event Types

Audit log events are classified by the log level AUDIT. The type of an audit log event is carried in a mandatory structured data element identified by the key a. The type is a short abbreviation of the event name, such as EST or REQ. An audit log event carries additional structured data to provide more information about the given event.

Audit Log Event ACC: Incoming connection accepted for authorization

The ACC audit log event type is emitted when a remote peer wants to establish a connection with a SeaCat Gateway. It could be a Client, but it can also be other traffic, including malicious and unauthorized incoming connections. The remote peer is not yet authorized when an ACC event is produced. It is a product of a POSIX accept() call at the networking level and marks the successful completion of a TCP handshake. TLS authorization is the next step.

Structured data:

  • a: ACC
  • h: An Internet address of the incoming connection.
  • p: A network port of the incoming connection.

Audit Log Event RJT: Incoming connection is rejected

The RJT event type is emitted when an incoming connection failed to authorize or is rejected by SeaCat Server for a different reason. This event identifies potentially unwanted traffic from the Public Network.

Structured data:

  • a: RJT
  • t: Client tag
  • h: An Internet address of the incoming connection
  • p: A network port of the incoming connection
  • r: A reason why the incoming connection has been rejected

Typical reasons:

  • EOF: A peer closed the connection prior to the SSL handshake
  • SSL:14094412 (SSL_F_SSL3_READ_BYTES / SSL_R_SSLV3_ALERT_BAD_CERTIFICATE): The client certificate is signed by a CA that is not trusted by this gateway
  • SSL:1408A0C1 (SSL_F_SSL3_GET_CLIENT_HELLO / SSL_R_NO_SHARED_CIPHER): No shared cipher. It happens at the SSL negotiation step between the client and the gateway: the two sides compare their cipher suites (the lists of encryption algorithms each accepts) and must agree on one, which then encrypts all subsequent communication. The "no shared cipher" error means the client supports none of the encryption algorithms proposed by the server; as a result, the connection is rejected. The likely reason is that the client is not a SeaCat Client.
  • SSL:1408A10B (SSL_F_SSL3_GET_CLIENT_HELLO / SSL_R_WRONG_VERSION_NUMBER): SSLv3, TLSv1 or TLSv1.1 client
  • SSL:1408F10B (SSL_F_SSL3_GET_RECORD / SSL_R_WRONG_VERSION_NUMBER): SSLv2 client
  • SSL:14094418 (SSL_F_SSL3_READ_BYTES / SSL_R_TLSV1_ALERT_UNKNOWN_CA): The peer sent a TLS unknown_ca alert, i.e. the client does not trust the CA that issued the gateway's certificate
  • SYSERR:*: A peer connection caused a system error

Note: See the chapter about decoding OpenSSL error codes below for the SSL:* reasons.

Audit Log Event EST: Client connection is established

The EST audit log event is emitted when a Client passes TLS authorization successfully and the secure client connection is established. The Client can be in authorized or anonymous mode.

Structured data:

  • a: EST
  • t: Client tag
  • h: An Internet address of the incoming connection
  • p: A network port of the incoming connection

Audit Log Event CLS: An incoming connection has been closed

The CLS audit log event is emitted when a Client Connection is closed by a remote peer or by the server. The reason can be, for example, a timeout or a failed authorization.

Structured data:

  • a: CLS
  • t: Client tag
  • h: An Internet address of the incoming connection
  • p: A network port of the incoming connection

Audit Log Event CSR: Certificate Signing Request

The CSR audit log event type is emitted when a Certificate Signing Request (CSR) from a Client is received by SeaCat Server. This activity is part of the on-boarding sequence of a new Client and also part of the Client Certificate renewal procedure. The received CSR is stored in the Certificate Management subsystem and eventually approved or rejected. When approved, a new Client Certificate is created and the Client picks it up.

The CSR is defined by PKCS #10 in RFC5967.

Structured data:

  • a: CSR
  • t: Client tag
  • h: An Internet address of the incoming connection
  • p: A network port of the incoming connection

Audit Log Event REQ: HTTP Request

The REQ audit log event is emitted when a connected Client requests any HTTP/HTTPS resource from the Application Backend. The event provides detailed information about the HTTP method, the Application Backend target, the status code of the Application Backend response and the duration of the reply.

Structured data:

  • a: REQ
  • t: Client tag
  • hm: HTTP method, such as POST, GET, PUT, DELETE and so on
  • hp: The path part of the HTTP request URL
  • hh: A name of the HTTP backend application host
  • hn: An integer identification of the HTTP load balancing node
  • hq: An integer identification of the HTTP load balancing node connection
  • hc: HTTP status code of a response
  • d: The duration (in seconds) spent waiting for the response

hh, hn and hq together identify the HTTP connection pipeline. For more info see HTTP Pipelining.

Audit Log Event TLCAP: Telemetry capabilities received

The TLCAP audit log event is emitted when a connected Client submits its capabilities information. The capabilities information is stored with the client and contains detailed information about the client's capabilities.

Structured data:

  • a: TLCAP
  • t: Client tag
  • ti: A serial number of capabilities information

Audit Log Event SOCKSREQ: Socket connection requested

The SOCKSREQ audit log event is emitted when a socket connection is requested from an application backend.

Structured data:

  • a: SOCKSREQ
  • t: Client tag
  • p: Requested port

Audit Log Event SOCKSACC: Socket connection accepted

The SOCKSACC audit log event is emitted when a socket connection is accepted by a SeaCat Client.

Structured data:

  • a: SOCKSACC
  • t: Client tag

Audit Log Event SOCKSRJT: Socket connection rejected

The SOCKSRJT audit log event is emitted when a socket connection is rejected by a SeaCat Client.

Structured data:

  • a: SOCKSRJT
  • t: Client tag

Audit Log Event SOCKSCLS: Socket connection closed

The SOCKSCLS audit log event is emitted when a socket connection is closed by a SeaCat Client.

Structured data:

  • a: SOCKSCLS
  • t: Client tag
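An added example of consuming the audit event types above (not SeaCat code): it filters AUDIT-level lines in the file format shown on this page, reads the structured data bracket, and follows the ACC, then EST or RJT, then CLS lifecycle per peer (h, p). It counts RJT events and their r reasons per host, raises a finding when one host reaches a configurable number of rejections, and flags an EST with no preceding ACC, which per the sequence described above usually indicates a gap in the log stream. The log lines, client tags, hosts and the threshold of 3 are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Only AUDIT-level lines matter here; the bracket holds the structured data and the
# mandatory "a" element names the event type (ACC, RJT, EST, CLS, ...).
_AUDIT_RE = re.compile(r"^(?P<ts>\S+) \S+\[\d+\] AUDIT: \[(?P<sd>[^\]]*)\]")


def audit_events(lines):
    """Yield (timestamp, structured-data dict) for each AUDIT line, skipping other levels."""
    for line in lines:
        m = _AUDIT_RE.match(line)
        if m is None:
            continue
        sd = {}
        for element in m.group("sd").split():
            name, _, value = element.partition("=")
            sd[name] = value.strip('"')
        yield m.group("ts"), sd


class ConnectionTracker:
    """Follows the ACC -> EST | RJT -> CLS lifecycle per (h, p) and records findings."""

    def __init__(self, rjt_threshold: int = 3):
        self.rjt_threshold = rjt_threshold
        self.open = {}                               # (h, p) -> "ACC" or "EST"
        self.rjt_by_host = Counter()                 # h -> number of RJT events
        self.reasons_by_host = defaultdict(Counter)  # h -> Counter of r values
        self.findings = []

    def feed(self, ts: str, sd: dict) -> None:
        kind, host = sd.get("a"), sd.get("h")
        key = (host, sd.get("p"))
        if kind == "ACC":
            self.open[key] = "ACC"
        elif kind == "RJT":
            self.open.pop(key, None)
            self.rjt_by_host[host] += 1
            self.reasons_by_host[host][sd.get("r", "?")] += 1
            if self.rjt_by_host[host] == self.rjt_threshold:
                self.findings.append(
                    f"{ts} host {host} reached {self.rjt_threshold} rejected connections "
                    f"(reasons so far: {dict(self.reasons_by_host[host])})"
                )
        elif kind == "EST":
            # Every EST should follow an ACC for the same peer; a missing ACC usually means
            # the log stream has a gap (rotation, transport loss) rather than an attack.
            if self.open.get(key) != "ACC":
                self.findings.append(f"{ts} EST for {host}:{key[1]} without a preceding ACC")
            self.open[key] = "EST"
        elif kind == "CLS":
            self.open.pop(key, None)


def analyse(lines, rjt_threshold: int = 3) -> ConnectionTracker:
    """Run every AUDIT event of the given lines through a fresh tracker and return it."""
    tracker = ConnectionTracker(rjt_threshold)
    for ts, sd in audit_events(lines):
        tracker.feed(ts, sd)
    return tracker


# Constructed sample (not real SeaCat output) in the file format shown on this page.
SAMPLE_AUDIT_LOG = [
    "2017-01-17T03:03:47.365Z seacat-gw[20367] AUDIT: [a=ACC h=1.2.3.4 p=32707] Incoming connection accepted",
    "2017-01-17T03:03:47.401Z seacat-gw[20367] AUDIT: [a=EST t=cli-a1 h=1.2.3.4 p=32707] Client connection established",
    "2017-01-17T03:03:48.002Z seacat-gw[20367] DEBUG: internal detail (not an audit event)",
    "2017-01-17T03:03:49.120Z seacat-gw[20367] AUDIT: [a=ACC h=5.6.7.8 p=40001] Incoming connection accepted",
    "2017-01-17T03:03:49.150Z seacat-gw[20367] AUDIT: [a=RJT h=5.6.7.8 p=40001 r=EOF] Incoming connection rejected",
    "2017-01-17T03:03:50.120Z seacat-gw[20367] AUDIT: [a=ACC h=5.6.7.8 p=40002] Incoming connection accepted",
    "2017-01-17T03:03:50.150Z seacat-gw[20367] AUDIT: [a=RJT h=5.6.7.8 p=40002 r=SSL:1408A0C1] Incoming connection rejected",
    "2017-01-17T03:03:51.120Z seacat-gw[20367] AUDIT: [a=ACC h=5.6.7.8 p=40003] Incoming connection accepted",
    "2017-01-17T03:03:51.150Z seacat-gw[20367] AUDIT: [a=RJT h=5.6.7.8 p=40003 r=SSL:1408A0C1] Incoming connection rejected",
    "2017-01-17T03:03:52.000Z seacat-gw[20367] AUDIT: [a=EST t=cli-b2 h=9.9.9.9 p=5555] Client connection established",
    "2017-01-17T03:03:53.000Z seacat-gw[20367] AUDIT: [a=CLS t=cli-a1 h=1.2.3.4 p=32707] Connection closed",
]

if __name__ == "__main__":
    tracker = analyse(SAMPLE_AUDIT_LOG)
    for finding in tracker.findings:
        print(finding)
    print("still open:", tracker.open)
```

The structured data split here is whitespace-based, which is enough for the audit elements listed on this page; a quoted value containing spaces would need the fuller parser of the log event format. Keying on (h, p) rather than on t matters because ACC and RJT are emitted before the peer is authorized and therefore carry no client tag.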

OpenSSL error codes

OpenSSL error codes are reported in the following form: 1408A10B, a hexadecimal value. It is a product of the OpenSSL macro ERR_PACK. The error code is structured as LLFFFRRR:

  • LL identifies the library (aka module) of OpenSSL
  • FFF identifies the OpenSSL function
  • RRR is the reason code

The FFF and RRR parts can be converted to decimal values and searched for in the ssl/ssl.h file of OpenSSL.

Example

Error code: 1408A0C1.
LL = 14
FFF = 08A
RRR = 0C1

$ grep `printf "%d\n" 0x08A` ssl/ssl.h
...
# define SSL_F_SSL3_GET_CLIENT_HELLO                      138

$ grep `printf "%d\n" 0x0C1` ssl/ssl.h
...
# define SSL_R_NO_SHARED_CIPHER                           193
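The decoding and the grep lookup above, as an added example in Python (not part of the original page or of OpenSSL): it splits a code into its 8-bit library, 12-bit function and 12-bit reason fields, builds reverse maps from the `# define SSL_F_...` and `# define SSL_R_...` lines of a header, and classifies the r value of an RJT event (EOF, SYSERR:*, SSL:code). The header excerpt is constructed: it contains the two lines quoted above plus the names from the RJT reason table with the decimal values their codes decode to. This layout is the OpenSSL 1.x one; OpenSSL 3.x no longer encodes function codes, so the FFF field is zero there.

```python
import re


def unpack_error_code(code_hex: str) -> tuple:
    """'1408A0C1' -> (lib, func, reason) as decimal integers, e.g. (20, 138, 193).

    ERR_PACK layout LLFFFRRR (OpenSSL 1.x): 8-bit library, 12-bit function, 12-bit reason.
    """
    code = int(code_hex, 16)
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit OpenSSL error code: {code_hex}")
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


# The grep procedure above, done in code: collect "# define SSL_F_... N" and
# "# define SSL_R_... N" lines from ssl/ssl.h into reverse lookup maps.
_DEFINE_RE = re.compile(r"^#\s*define\s+(SSL_[FR]_\w+)\s+(\d+)\s*$", re.MULTILINE)


def load_ssl_h(header_text: str) -> tuple:
    """Return ({func number: name}, {reason number: name}) from ssl/ssl.h text."""
    funcs, reasons = {}, {}
    for name, value in _DEFINE_RE.findall(header_text):
        target = funcs if name.startswith("SSL_F_") else reasons
        target[int(value)] = name
    return funcs, reasons


def resolve(code_hex: str, funcs: dict, reasons: dict) -> tuple:
    """Return (lib, function name, reason name), falling back to the decimal numbers."""
    lib, func, reason = unpack_error_code(code_hex)
    return lib, funcs.get(func, f"func {func}"), reasons.get(reason, f"reason {reason}")


def classify_rjt_reason(r: str, funcs: dict, reasons: dict) -> dict:
    """Classify the 'r' value of an RJT event: EOF, SYSERR:*, or SSL:<code>."""
    if r == "EOF":
        return {"kind": "eof"}
    if r.startswith("SYSERR:"):
        return {"kind": "syserr", "detail": r[len("SYSERR:"):]}
    if r.startswith("SSL:"):
        lib, func_name, reason_name = resolve(r[len("SSL:"):], funcs, reasons)
        return {"kind": "ssl", "lib": lib, "func": func_name, "reason": reason_name}
    return {"kind": "unknown", "detail": r}


# Constructed excerpt standing in for ssl/ssl.h (OpenSSL 1.x): the two lines quoted on this
# page plus the names from the RJT reason table with the decimal values their codes decode to.
SSL_H_EXCERPT = """\
# define SSL_F_SSL3_GET_CLIENT_HELLO                      138
# define SSL_F_SSL3_GET_RECORD                            143
# define SSL_F_SSL3_READ_BYTES                            148
# define SSL_R_NO_SHARED_CIPHER                           193
# define SSL_R_WRONG_VERSION_NUMBER                       267
# define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE                1042
# define SSL_R_TLSV1_ALERT_UNKNOWN_CA                     1048
"""

if __name__ == "__main__":
    funcs, reasons = load_ssl_h(SSL_H_EXCERPT)
    # "SYSERR:ECONNRESET" is a constructed example value of the SYSERR:* family.
    for r in ("SSL:1408A0C1", "SSL:14094418", "EOF", "SYSERR:ECONNRESET"):
        print(r, classify_rjt_reason(r, funcs, reasons))
```

Matching on the exact decimal value avoids the false hits a plain `grep 138` produces (any line containing the digits 138); feeding the real ssl/ssl.h of the OpenSSL build the gateway links against gives the same maps for every SSL_F_ and SSL_R_ code it defines.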
