Traffic Log Time Stamps

by panagent on 12-20-2011 10:05 AM - edited on 05-03-2016 01:10 PM by (8,243 Views)

When creating a security policy, there is the option to log the session information at session start or session end and the logs will be generated accordingly.

[Screenshot: security policy log settings]


In the example log below, the security policy is configured to log at session end. The session began at Start Time 2015/06/22 04:27:41. Generated Time is when the logger received the logged session information at the end of the session, 2015/06/22 04:32:00.

Receive Time is the logging time stamp, 2015/06/21 23:27:12. This value is based on the local time of the Panorama that received the log, which is why it can appear earlier than the Start Time.

[Screenshot: example traffic log entry]


Specific information regarding the timers is provided below:

  • Generated Time: This is when the log is first generated. For a traffic start log, it is the session start. For a traffic end log, it is Start Time + Elapsed Time. For a threat log, it is the moment the threat is detected (DP, dataplane).
  • Start Time: Session start time (DP).
  • Receive Time: The time when the log is received by the management server (MP, management plane) for log forwarding. If the log is forwarded to Panorama, Panorama updates the Receive Time to its own local time.
  • Elapsed Time (sec): The session duration in seconds since Start Time (measured by the DP).


Additionally, sessions that time out due to lack of activity (as opposed to being closed by FIN/RST) have the session idle timeout added on top of the Elapsed Time value, so the Generated Time is later than Start Time + Elapsed Time by exactly the timeout.

Below is an example log entry of a timed-out session with a 3600 second idle timeout value set:

Session start: 22:12:04
Generated Time: 00:56:40
Elapsed time: 6276

Generated Time - Session start = 2 hours, 44 minutes, 36 seconds (9876 seconds)
Discrepancy between Elapsed time and actual time: 9876 - 6276 = 3600 seconds


Based on this example log, the session went idle and timed out after 3600 seconds, so the time the session was actually active was 6276 seconds. The log was generated when the session timed out, not when the last packet was seen.
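As an added example (not part of the original article), the following Python script applies the timer rules above to the page's two example entries: it reconstructs the close time as Start Time + Elapsed Time, reports the gap to Generated Time, classifies a gap equal to the idle timeout as an aged-out session, and shows why Receive Time must not be used as the end time. The Elapsed value for the first example and the dates in the second are assumptions filled in from the times the page shows.

```python
from datetime import datetime, timedelta

# Timestamp format as shown in the traffic log on this page (YYYY/MM/DD HH:MM:SS).
TS_FMT = "%Y/%m/%d %H:%M:%S"


def parse_ts(value):
    return datetime.strptime(value, TS_FMT)


def check_end_log(start_time, generated_time, elapsed_sec, idle_timeout_sec=None):
    """Reconcile the timers of a session-end traffic log.

    Expected relation: Generated Time == Start Time + Elapsed Time.
    Returns the reconstructed close time, the gap in seconds between Generated
    Time and that close time, and a classification:
      'closed'    gap == 0             (session ended by FIN/RST)
      'aged-out'  gap == idle timeout  (idle timeout sits on top of Elapsed Time)
      'unknown'   anything else        (clock skew, unknown timeout, malformed entry)
    """
    start = parse_ts(start_time)
    generated = parse_ts(generated_time)
    closed_at = start + timedelta(seconds=elapsed_sec)
    gap = int((generated - closed_at).total_seconds())
    if gap == 0:
        kind = "closed"
    elif idle_timeout_sec is not None and gap == idle_timeout_sec:
        kind = "aged-out"
    else:
        kind = "unknown"
    return {"closed_at": closed_at.strftime(TS_FMT), "gap_sec": gap, "kind": kind}


def receive_clock_offset(generated_time, receive_time):
    """Signed seconds from Generated Time (firewall clock) to Receive Time
    (collector clock). A large negative or roughly whole-hour value indicates
    the collector's local time zone, not anything about the session itself."""
    return int((parse_ts(receive_time) - parse_ts(generated_time)).total_seconds())


if __name__ == "__main__":
    # Page example 1: normal close. Elapsed (259 s) is derived from the page's
    # Start/Generated values; the screenshot itself is not reproduced here.
    print(check_end_log("2015/06/22 04:27:41", "2015/06/22 04:32:00", 259))
    # Page example 2: 3600 s idle timeout. The page gives times only; the dates
    # are constructed so the session spans midnight as the times imply.
    print(check_end_log("2015/06/22 22:12:04", "2015/06/23 00:56:40", 6276, 3600))
    # Receive Time from example 1: the Panorama clock is hours behind the firewall.
    print(receive_clock_offset("2015/06/22 04:32:00", "2015/06/21 23:27:12"))
```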


owner: ekampling

Comments
by u11278
on 04-17-2012 07:25 AM

Related to this topic, why is log at session start disabled by default? Why is this? Does this mean the log entry will only show when the session ended? I am coming from an ASA background, so I am used to seeing in the logs a connection being built and a connection terminating.

by npare
on 07-09-2012 04:04 PM

The default behavior is to log at session end because the application name is likely to change during the session. For example, if someone goes on Facebook, logging at the start would show the application as Web-Browsing, which is not the best match. Logging at session end would show facebook instead, which is a more accurate application name. On the other hand, when troubleshooting connection issues, it might be better to log at session start. There really isn't a "best" option here, but for most scenarios, logging at session end provides more accurate information.

by JMLOPEZ
on 02-23-2015 02:53 AM

Related to your definition of the time stamp concepts, how can you explain these examples of type "end" with end reason "tcp-fin"?

Example 1:

Example 2:

Example 3:

It seems that these examples don't match your explanations.

What is the finished time of the session? Start + Elapsed? Generated time?

Thanks,

Joseph
