Does anyone know when exactly FTD changed the remote syslog message format? Up to 6.2.3, the syslog had the following pattern (as received by a remote syslog aggregator):
# Dec 29 20:56:43 ftd ftd SFIMS: Protocol: TCP, SrcIP: 1.1.1.1, OriginalClientIP: ::, DstIP: 192.168.0.1, SrcPort: 46738, DstPort: 4499, TCPFlags: 0x0, IngressZone: outside, EgressZone: inside, DE: Primary Detection Engine (804d7116-e739-11e7-9737-d91fc4a628c8), Policy: My Intrusion Prevention Policy, ConnectType: Start, AccessControlRuleName: Outside to Inside blocked, AccessControlRuleAction: Block, Prefilter Policy: My Prefilter Policy, UserName: No Authentication Required, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 0, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
Whereas, as noticed on v6.7, the logs are now in a different format:
# Jan 10 04:40:09 ftd 2021-01-10T09:40:09Z %FTD-6-430002: EventPriority: Low, DeviceUUID: 3036f6fa-2388-11eb-b52e-cdcb 9421f4fb, FirstPacketSecond: 2021-01-10T09:40:09Z, ConnectionID: 0, AccessControlRuleAction: Block, SrcIP: 1.1.1.1, DstIP: 192.168.0.1, SrcPort: 54713, DstPort: 3389, Protocol: tcp, IngressInterface: outside, EgressInterface: Inside, IngressZone: outside, EgressZone: inside, IngressVRF: Global, EgressVRF: Global, ACPolicy: My Policy, AccessControlRuleName: Deny Outside to Inside, Prefilter Policy: Prefilter Policy, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 0, ResponderBytes: 0, NAPPolicy: No Rules Active
Since we had no devices in test or production running any version between 6.2.3 and v6.7, we don't truly know for sure, but we are looking for clues as we want to document internally when this happened.
Thanks.
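Whatever release introduced the change, a log pipeline that only understands one of the two layouts will silently drop or mis-index the other, which matters when the events in question are the Block decisions of an access control policy. The following is an added example, not code from the post or from Cisco: a small parser that recognises both layouts shown above (the pre-6.7 `SFIMS:` header and the `%FTD-<severity>-<message id>:` header), turns the comma-separated `Key: Value` body into a dictionary, and projects both onto one normalised connection record. The header regular expressions, the `ConnEvent` class and the `normalize` field mapping are my assumptions derived from the two sample lines, not from any published format specification; the two sample lines are copied from the post.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Both layouts start with the collector's own "Mon DD HH:MM:SS host" prefix.
# Legacy (<= 6.2.3 in the post): "<ts> <host> <tag> SFIMS: <body>"
# Newer  (seen on 6.7 in the post): "<ts> <host> <device ISO time> %FTD-<sev>-<id>: <body>"
# Regexes are assumptions built from the two sample lines; a leading "# " is tolerated
# because the post's samples carry one.
_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
HEADER_LEGACY = re.compile(rf"^#?\s*{_TS} (?P<host>\S+) \S+ SFIMS: (?P<body>.*)$")
HEADER_FTD = re.compile(
    rf"^#?\s*{_TS} (?P<host>\S+) (?P<devtime>\S+) %FTD-(?P<sev>\d)-(?P<msgid>\d{{6}}): (?P<body>.*)$"
)


@dataclass
class ConnEvent:
    layout: str                   # "legacy" (SFIMS) or "ftd" (%FTD-x-nnnnnn)
    host: str
    message_id: Optional[str]     # e.g. "430002"; None for the legacy layout
    severity: Optional[int]       # syslog severity digit from %FTD-<sev>-...; None for legacy
    fields: dict = field(default_factory=dict)


def parse_kv(body: str) -> dict:
    """Split 'K1: v1, K2: v2, ...' into a dict. Splits each pair on the FIRST ': '
    so values containing a further colon (e.g. 'OriginalClientIP: ::') survive, and
    keys containing spaces ('Prefilter Policy') are kept as written."""
    out = {}
    for part in body.split(", "):
        if ": " in part:
            key, value = part.split(": ", 1)
            out[key.strip()] = value.strip()
    return out


def parse_event(line: str) -> Optional[ConnEvent]:
    """Return a ConnEvent for either layout, or None for lines in neither layout."""
    m = HEADER_FTD.match(line)
    if m:
        return ConnEvent("ftd", m["host"], m["msgid"], int(m["sev"]), parse_kv(m["body"]))
    m = HEADER_LEGACY.match(line)
    if m:
        return ConnEvent("legacy", m["host"], None, None, parse_kv(m["body"]))
    return None


def normalize(ev: ConnEvent) -> dict:
    """Project the fields that both layouts share onto one schema. Protocol is
    lower-cased because the legacy layout writes 'TCP' and the newer one 'tcp'."""
    f = ev.fields
    return {
        "layout": ev.layout,
        "src": f.get("SrcIP"),
        "dst": f.get("DstIP"),
        "dport": int(f["DstPort"]) if f.get("DstPort", "").isdigit() else None,
        "proto": f.get("Protocol", "").lower(),
        "action": f.get("AccessControlRuleAction"),
        "rule": f.get("AccessControlRuleName"),
        "zone_in": f.get("IngressZone"),
        "zone_out": f.get("EgressZone"),
    }


def layout_counts(lines) -> dict:
    """Count which layout each line uses; handy for checking what a given device
    version actually emits before documenting the change internally."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        counts[ev.layout if ev else "unknown"] += 1
    return dict(counts)


# Sample lines copied from the post (one per layout).
LEGACY_LINE = ("# Dec 29 20:56:43 ftd ftd SFIMS: Protocol: TCP, SrcIP: 1.1.1.1, OriginalClientIP: ::, "
               "DstIP: 192.168.0.1, SrcPort: 46738, DstPort: 4499, TCPFlags: 0x0, IngressZone: outside, "
               "EgressZone: inside, DE: Primary Detection Engine (804d7116-e739-11e7-9737-d91fc4a628c8), "
               "Policy: My Intrusion Prevention Policy, ConnectType: Start, "
               "AccessControlRuleName: Outside to Inside blocked, AccessControlRuleAction: Block, "
               "Prefilter Policy: My Prefilter Policy, UserName: No Authentication Required, "
               "InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 0, ResponderBytes: 0, "
               "NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, "
               "Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown")
FTD_LINE = ("# Jan 10 04:40:09 ftd 2021-01-10T09:40:09Z %FTD-6-430002: EventPriority: Low, "
            "DeviceUUID: 3036f6fa-2388-11eb-b52e-cdcb 9421f4fb, FirstPacketSecond: 2021-01-10T09:40:09Z, "
            "ConnectionID: 0, AccessControlRuleAction: Block, SrcIP: 1.1.1.1, DstIP: 192.168.0.1, "
            "SrcPort: 54713, DstPort: 3389, Protocol: tcp, IngressInterface: outside, "
            "EgressInterface: Inside, IngressZone: outside, EgressZone: inside, IngressVRF: Global, "
            "EgressVRF: Global, ACPolicy: My Policy, AccessControlRuleName: Deny Outside to Inside, "
            "Prefilter Policy: Prefilter Policy, InitiatorPackets: 0, ResponderPackets: 0, "
            "InitiatorBytes: 0, ResponderBytes: 0, NAPPolicy: No Rules Active")

if __name__ == "__main__":
    for line in (LEGACY_LINE, FTD_LINE):
        print(normalize(parse_event(line)))
    print(layout_counts([LEGACY_LINE, FTD_LINE, "not an FTD line"]))
```

Running `layout_counts` over a day of output from each device is a quick way to establish which versions in the 6.2.3 to 6.7 range emit which layout, and `normalize` keeps dashboards and alert rules keyed on source, destination, port and rule action working across the cut-over. Note that the two layouts do not carry the same policy fields (the legacy line has `Policy`, the newer one `ACPolicy`), so those are deliberately not merged.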