Set overlay traffic logging for an Airwall Gateway

Airwall Gateways log overlay traffic from local device to local device, and you can set the log level and frequency per Airwall Gateway. Use this setting in conjunction with remote syslog to log a summary of overlay traffic flow from an Airwall Gateway.

Tech Preview: This feature is currently included as a tech preview, and features and formatting may change. Logging is currently sent over a separate channel from HIP or MAP, and the log format is not currently stable.

Supported Airwall Edge Services

All v3.1.0 Airwall Gateways
All v3.1.0 Airwall Agents and Servers

Set overlay logging

  1. Open the page for an Airwall Gateway and go to Diagnostics > Data capture.
  2. On the right, scroll down to Airwall log level > Data plane event logging.
  3. Next to Overlay network activity, select the pencil to edit settings.
  4. Edit the options for overlay network activity logging:
    • Log level – Select the log level at which traffic is logged. You may need to also adjust the logging level elsewhere in your log pipeline. For example, Airwall Gateways default to suppressing log messages with a severity less than INFO.
    • Time interval – Enter the number of seconds before logging additional device activity for a flow. To disable, select 0. To use the system default, leave blank.
    • Packet interval – Enter the number of packets before logging additional device activity for a flow. To disable, select 0. To use the system default, leave blank.
  5. You can filter the output through a security information and event management (SIEM) tool.

Example

Here’s an example of the FLOWLOG messages that you’ll see in the remote syslog server you set up in the Conductor.

root@aw300v-B1D3ACB87C8B:~# grep FLOWLOG /var/log/messages 
Aug 23 16:38:04 aw300v-B1D3ACB87C8B openhip: [INFO] FLOWLOG: flow_key=[-1, 2001:14:2ca2:24f7:4bd1:28d8:de5d:ddf8, 4a:06:6a:5d:dd:f8, 01:00:5e:00:00:fb, 0, 0x800, 1.93.221.248, 224.0.0.251] action=TX_FLOOD_LOCAL age=253 packets=13 bytes=4955 
Aug 23 16:38:11 aw300v-B1D3ACB87C8B openhip: [INFO] FLOWLOG: flow_key=[-1, 2001:14:2ca2:24f7:4bd1:28d8:de5d:ddf8, 4a:06:6a:5d:dd:f8, 4a:06:6a:20:73:5d, 0, 0x800, 1.93.221.248, 10.192.204.105] action=TX_PG 2 age=247 packets=11 bytes=870 
Aug 23 16:38:11 aw300v-B1D3ACB87C8B openhip: [INFO] FLOWLOG: flow_key=[2, ::, 4a:06:6a:20:73:5d, 4a:06:6a:20:73:5d, 0, 0x800, 10.192.204.105, 1.93.221.248] action=TX_HIT_ROUTED 2001:14:2ca2:24f7:4bd1:28d8:de5d:ddf8 age=247 packets=9 bytes=1710 

Here are the fields included in flow_key and after it (these are the same as the output for airsh policy details):

  • PGID – Ingress port group ID
  • PEER_HIT – Ingress peer Airwall Edge Service HIT
  • MAC SRC – Source Ethernet MAC address
  • MAC DST – Destination Ethernet MAC address
  • ETH – EtherType
  • VLAN – VLAN ID (if an 802.1q VLAN tag is present, otherwise 0)
  • IP SRC – Source IP address
  • IP DST – Destination IP address
  • Action – The action the Airwall Edge Service is performing on this flow
  • AGE – Age of the flow (either since the first packet, or since the first packet after the last policy change)
  • Packets – The number of packets processed in this flow
  • Bytes – The total number of bytes in Ethernet frames in this flow
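As an added example, not from the Airwall documentation or the openhip project, here is a small Python parser for FLOWLOG lines of the shape shown above, fed the three sample lines from this page. It follows the element order seen in those lines, where the fifth element of flow_key is the VLAN ID and the sixth the EtherType (0x800 for IPv4), and it returns None for lines it does not recognise, since the format is a tech preview; the function names are my own.

```python
import re

# Shape of the FLOWLOG lines in the page's example. The optional "target" captures the
# value some actions carry after the action name (a port group ID or a peer HIT).
FLOWLOG_RE = re.compile(
    r"FLOWLOG: flow_key=\[(?P<key>[^\]]*)\]\s+action=(?P<action>\S+)"
    r"(?:\s+(?P<target>[^\s=]+))?\s+age=(?P<age>\d+)"
    r"\s+packets=(?P<packets>\d+)\s+bytes=(?P<bytes>\d+)"
)

# flow_key element order as observed in the sample lines (VLAN before EtherType).
KEY_FIELDS = ("pgid", "peer_hit", "mac_src", "mac_dst", "vlan", "ethertype", "ip_src", "ip_dst")

# Sample input: the three lines from the page's example, copied verbatim.
SAMPLE_LINES = [
    "Aug 23 16:38:04 aw300v-B1D3ACB87C8B openhip: [INFO] FLOWLOG: flow_key=[-1, 2001:14:2ca2:24f7:4bd1:28d8:de5d:ddf8, 4a:06:6a:5d:dd:f8, 01:00:5e:00:00:fb, 0, 0x800, 1.93.221.248, 224.0.0.251] action=TX_FLOOD_LOCAL age=253 packets=13 bytes=4955",
    "Aug 23 16:38:11 aw300v-B1D3ACB87C8B openhip: [INFO] FLOWLOG: flow_key=[-1, 2001:14:2ca2:24f7:4bd1:28d8:de5d:ddf8, 4a:06:6a:5d:dd:f8, 4a:06:6a:20:73:5d, 0, 0x800, 1.93.221.248, 10.192.204.105] action=TX_PG 2 age=247 packets=11 bytes=870",
    "Aug 23 16:38:11 aw300v-B1D3ACB87C8B openhip: [INFO] FLOWLOG: flow_key=[2, ::, 4a:06:6a:20:73:5d, 4a:06:6a:20:73:5d, 0, 0x800, 10.192.204.105, 1.93.221.248] action=TX_HIT_ROUTED 2001:14:2ca2:24f7:4bd1:28d8:de5d:ddf8 age=247 packets=9 bytes=1710",
]


def parse_flowlog(line):
    """Parse one syslog line into a dict, or return None if it is not a known FLOWLOG line."""
    m = FLOWLOG_RE.search(line)
    if not m:
        return None
    parts = [p.strip() for p in m.group("key").split(",")]
    if len(parts) != len(KEY_FIELDS):
        return None  # unexpected key layout; treat as unknown rather than misattribute fields
    rec = dict(zip(KEY_FIELDS, parts))
    rec["pgid"] = int(rec["pgid"])
    rec["vlan"] = int(rec["vlan"])
    rec["ethertype"] = int(rec["ethertype"], 16)
    rec["action"] = m.group("action")
    rec["target"] = m.group("target")  # port group ID or peer HIT, None when absent
    rec["age"] = int(m.group("age"))
    rec["packets"] = int(m.group("packets"))
    rec["bytes"] = int(m.group("bytes"))
    return rec


def summarize_by_action(lines):
    """Total packets and bytes per action, the kind of rollup a SIEM rule would key on."""
    totals = {}
    for line in lines:
        rec = parse_flowlog(line)
        if rec is None:
            continue
        p, b = totals.get(rec["action"], (0, 0))
        totals[rec["action"]] = (p + rec["packets"], b + rec["bytes"])
    return totals
```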