AWS Network Firewall Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Amazon AWS Network Firewall sample messages when you use the Amazon AWS REST API protocol
Sample 1 - alert logs: The following sample event message shows that a connection is allowed by the firewall.
{"firewall_name":"firewall","availability_zone":"zone","event_timestamp":"1601074865","event":{"timestamp":"2020-09-25T23:01:05.598481+0000","flow_id":1111111111111111,"event_type":"alert","src_ip":"10.16.197.56","src_port":49157,"dest_ip":"10.16.197.55","dest_port":8883,"proto":"TCP","alert":{"action":"allowed","signature_id":2,"rev":0,"signature":"","category":"","severity":3}}}

| JSA field name | Highlighted payload field name |
|---|---|
| Logsource Time | timestamp |
| Event ID | event_type + action |
| Source IP | src_ip |
| Source Port | src_port |
| Destination IP | dest_ip |
| Destination Port | dest_port |
| Protocol | proto |

Sample 2 - flow logs: The following sample event message shows netflow traffic.
{"firewall_name":"firewall","availability_zone":"useast-1b","event_timestamp":"1601587565","event":{"timestamp":"2020-10-01T21:26:05.007515+0000","flow_id":1770453319291727,"event_type":"netflow","src_ip":"45.129.33.153","src_port":47047,"dest_ip":"172.31.16.139","dest_port":16463,"proto":"TCP","netflow":{"pkts":1,"bytes":60,"start":"2020-10-01T21:25:04.070479+0000","end":"2020-10-01T21:25:04.070479+0000","age":0,"min_ttl":241,"max_ttl":241},"tcp":{"tcp_flags":"02","syn":true}}}

| JSA field name | Highlighted payload field name |
|---|---|
| Logsource Time | timestamp |
| Event ID | event_type |
| Source IP | src_ip |
| Source Port | src_port |
| Destination IP | dest_ip |
| Destination Port | dest_port |
| Protocol | proto |
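
The following Python example is added here and is not JSA or AWS code. It applies the carriage-return and line-feed removal step and the two field tables to both sample messages, so the values JSA should display can be checked independently. The `normalize` function name and the space used to join `event_type` and `action` are assumptions of this example.

```python
import json
from datetime import datetime

# The page's two sample messages, wrapped the way a copy/paste leaves them.
# The line break inside "useast-1b" makes the raw flow text invalid JSON.
ALERT_SAMPLE = """{"firewall_name":"firewall","availability_zone":"zone",
"event_timestamp":"1601074865","event":{"timestamp":"2020-09-25T23:01:05.598481+0000",
"flow_id":1111111111111111,"event_type":"alert","src_ip":"10.16.197.56","src_port":49157,
"dest_ip":"10.16.197.55","dest_port":8883,"proto":"TCP","alert":{"action":"allowed",
"signature_id":2,"rev":0,"signature":"","category":"","severity":3}}}"""
FLOW_SAMPLE = """{"firewall_name":"firewall","availability_zone":"useast-
1b","event_timestamp":"1601587565","event":{"timestamp":"2020-10-01T21:26:05.007515+0000",
"flow_id":1770453319291727,"event_type":"netflow","src_ip":"45.129.33.153",
"src_port":47047,"dest_ip":"172.31.16.139","dest_port":16463,"proto":"TCP",
"netflow":{"pkts":1,"bytes":60,"start":"2020-10-01T21:25:04.070479+0000",
"end":"2020-10-01T21:25:04.070479+0000","age":0,"min_ttl":241,"max_ttl":241},
"tcp":{"tcp_flags":"02","syn":true}}}"""


def normalize(raw: str) -> dict:
    """Map one AWS Network Firewall log message to the JSA fields in the tables."""
    # Step from the page: drop carriage returns and line feeds before parsing.
    event = json.loads(raw.replace("\r", "").replace("\n", ""))["event"]
    event_id = event["event_type"]
    if event_id == "alert":
        # Alert logs: Event ID is event_type + action. Joining with a space is
        # this example's choice; the page does not show the joined form.
        event_id = f'{event_id} {event["alert"]["action"]}'
    # Reject port values outside the valid range instead of passing them on.
    for key in ("src_port", "dest_port"):
        if not 0 <= int(event[key]) <= 65535:
            raise ValueError(f"{key} out of range: {event[key]!r}")
    return {
        "Logsource Time": datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"),
        "Event ID": event_id,
        "Source IP": event["src_ip"],
        "Source Port": int(event["src_port"]),
        "Destination IP": event["dest_ip"],
        "Destination Port": int(event["dest_port"]),
        "Protocol": event["proto"],
    }


if __name__ == "__main__":
    for sample in (ALERT_SAMPLE, FLOW_SAMPLE):
        for name, value in normalize(sample).items():
            print(f"{name:18} {value}")
        print()
```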