Setting overlay traffic logging for an Airwall Gateway

Airwall Gateways log overlay traffic from local device to local device, and you can set the log level per Airwall Gateway. Use this setting in conjunction with remote syslog to log a summary of overlay traffic flow from an Airwall Gateway.

Note: In version 4.0.x and later, Airwall and Conductor events can be reported in CSV format to cloud storage on AWS or Azure or as syslog messages to a remote syslog facility. This feature no longer requires direct communication between the Airwalls and the log processing facility.

  1. Open the page for an Airwall Gateway and go to Diagnostics > Data capture.
  2. Beside Data plane event logging, click the pencil icon to select the log level: Global default (Info), Trace, Debug, Info, Warn, or Error.
  3. You can filter the output through a security information and event management (SIEM) tool.

Example

Here is an example of the FLOWLOG messages that you see in the remote syslog server you set up in the Conductor.

root@aw300v-B1D3ACB87C8B:~# grep FLOWLOG /var/log/messages
Aug 23 16:38:04 aw300v-B1D3ACB87C8B openhip: [INFO] FLOWLOG: flow_key=[-1, 2001:14:2ca2:24f7:4bd1:28d8:de5d:ddf8, 4a:06:6a:5d:dd:f8, 01:00:5e:00:00:fb, 0, 0x800, 1.93.221.248, 224.0.0.251] action=TX_FLOOD_LOCAL age=253 packets=13 bytes=4955
Aug 23 16:38:11 aw300v-B1D3ACB87C8B openhip: [INFO] FLOWLOG: flow_key=[-1, 2001:14:2ca2:24f7:4bd1:28d8:de5d:ddf8, 4a:06:6a:5d:dd:f8, 4a:06:6a:20:73:5d, 0, 0x800, 1.93.221.248, 10.192.204.105] action=TX_PG 2 age=247 packets=11 bytes=870
Aug 23 16:38:11 aw300v-B1D3ACB87C8B openhip: [INFO] FLOWLOG: flow_key=[2, ::, 4a:06:6a:20:73:5d, 4a:06:6a:20:73:5d, 0, 0x800, 10.192.204.105, 1.93.221.248] action=TX_HIT_ROUTED 2001:14:2ca2:24f7:4bd1:28d8:de5d:ddf8 age=247 packets=9 bytes=1710

Here are the fields in each FLOWLOG message (the flow_key values, followed by action, age, packets, and bytes). They are the same as the output of airsh policy details:

  • PGID – Ingress port group ID
  • PEER_HIT – Ingress peer Airwall Edge Service HIT
  • MAC SRC – Source Ethernet MAC address
  • MAC DST – Destination Ethernet MAC address
  • ETH – EtherType
  • VLAN – VLAN ID (0 if no 802.1q VLAN tag is present)
  • IP SRC – Source IP address
  • IP DST – Destination IP address
  • Action – The action the Airwall Edge Service is performing on this flow
  • AGE – Age of the flow (since the first packet, or since the first packet after the last policy change)
  • Packets – The number of packets processed in this flow
  • Bytes – The total number of bytes in Ethernet frames in this flow
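A small parser for these FLOWLOG lines, written as an added example here (not part of the Airwall product or its documentation) for anyone feeding the syslog output into a SIEM. It handles the action field carrying extra tokens (TX_PG 2, TX_HIT_ROUTED <peer HIT>) and assumes the flow_key positions follow the sample lines, with the fifth value read as VLAN and the sixth as EtherType (the samples show "0, 0x800" there); the field names and the summarize() function are my own.

```python
import re

# flow_key positions, in the order the sample lines show them (assumed:
# position 5 is VLAN, 6 is EtherType, since the samples carry "0, 0x800").
FLOW_KEY_FIELDS = ("pgid", "peer_hit", "mac_src", "mac_dst",
                   "vlan", "ethertype", "ip_src", "ip_dst")

# "action" may carry extra tokens (TX_PG 2, TX_HIT_ROUTED <HIT>), so it is
# matched lazily up to the " age=" marker instead of as a single word.
FLOWLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) openhip: "
    r"\[(?P<level>\w+)\] FLOWLOG: flow_key=\[(?P<key>[^\]]*)\] "
    r"action=(?P<action>.+?) age=(?P<age>\d+) "
    r"packets=(?P<packets>\d+) bytes=(?P<bytes>\d+)\s*$"
)

# Three FLOWLOG lines from the example above plus one constructed non-FLOWLOG line.
SAMPLE_LOG = """\
Aug 23 16:38:04 aw300v-B1D3ACB87C8B openhip: [INFO] FLOWLOG: flow_key=[-1, 2001:14:2ca2:24f7:4bd1:28d8:de5d:ddf8, 4a:06:6a:5d:dd:f8, 01:00:5e:00:00:fb, 0, 0x800, 1.93.221.248, 224.0.0.251] action=TX_FLOOD_LOCAL age=253 packets=13 bytes=4955
Aug 23 16:38:11 aw300v-B1D3ACB87C8B openhip: [INFO] FLOWLOG: flow_key=[-1, 2001:14:2ca2:24f7:4bd1:28d8:de5d:ddf8, 4a:06:6a:5d:dd:f8, 4a:06:6a:20:73:5d, 0, 0x800, 1.93.221.248, 10.192.204.105] action=TX_PG 2 age=247 packets=11 bytes=870
Aug 23 16:38:11 aw300v-B1D3ACB87C8B openhip: [INFO] FLOWLOG: flow_key=[2, ::, 4a:06:6a:20:73:5d, 4a:06:6a:20:73:5d, 0, 0x800, 10.192.204.105, 1.93.221.248] action=TX_HIT_ROUTED 2001:14:2ca2:24f7:4bd1:28d8:de5d:ddf8 age=247 packets=9 bytes=1710
Aug 23 16:38:12 aw300v-B1D3ACB87C8B openhip: [INFO] constructed non-FLOWLOG line, should be skipped
"""

def parse_flowlog(line):
    """Return a dict for one FLOWLOG line, or None if the line is not one."""
    m = FLOWLOG_RE.match(line)
    if m is None:
        return None
    key = [v.strip() for v in m.group("key").split(",")]
    if len(key) != len(FLOW_KEY_FIELDS):
        return None  # malformed flow_key: do not guess at positions
    rec = dict(zip(FLOW_KEY_FIELDS, key))
    action, *extra = m.group("action").split()  # e.g. TX_HIT_ROUTED <peer HIT>
    rec.update(timestamp=m.group("ts"), host=m.group("host"),
               level=m.group("level"), action=action,
               action_arg=" ".join(extra), pgid=int(rec["pgid"]),
               vlan=int(rec["vlan"]), age=int(m.group("age")),
               packets=int(m.group("packets")), bytes=int(m.group("bytes")))
    return rec

def summarize(text):
    """Sum bytes and packets per (ip_src, ip_dst, action) over FLOWLOG lines."""
    totals = {}
    for rec in filter(None, map(parse_flowlog, text.splitlines())):
        k = (rec["ip_src"], rec["ip_dst"], rec["action"])
        b, p = totals.get(k, (0, 0))
        totals[k] = (b + rec["bytes"], p + rec["packets"])
    return totals
```

summarize(SAMPLE_LOG) gives one (source, destination, action) entry per flow, which is a convenient shape for alerting on unexpected actions or peers in the SIEM.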