Security Log File Format

The beginning of each line in the log file is the same as it is for other logger levels within Asterisk.

    [Feb 11 07:57:03] SECURITY[23736] res_security_log.c: <...>

The part of the log entry identified by <...> is where the security event content resides. The security event content is a comma separated list of key value pairs. The key is the information element type, and the value is a quoted string that contains the associated metadata for that information element. Any embedded quotes within the content are escaped with a backslash.

    INFORMATION_ELEMENT_1="IE1 content",INFORMATION_ELEMENT_2="IE2 content"

The following table includes potential information elements and what the associated content looks like:

IE: SecurityEvent
Content: This is the security event sub-type.
Values: FailedACL, InvalidAccountID, SessionLimit, MemoryLimit, LoadAverageLimit,
        RequestNotSupported, RequestNotAllowed, AuthMethodNotAllowed,
        ReqBadFormat, UnexpectedAddress, ChallengeResponseFailed,
        InvalidPassword

IE: EventVersion
Content: This is a numeric value that indicates when updates are made to the
         content of the event.
Values: Monotonically increasing integer, starting at 1

IE: Service
Content: This is the Asterisk service that generated the event.
Values: TEST, SIP, AMI

IE: Module
Content: This is the Asterisk module that generated the event.
Values: chan_sip

IE: AccountID
Content: This is a string used to identify the account associated with the
         event.  In most cases, this would be a username.

IE: SessionID
Content: This is a string used to identify the session associated with the
         event.  The format of the session identifier is specific to the
         service.  In the case of SIP, this would be the Call-ID.

IE: SessionTV
Content: The time that the session associated with the SessionID started.
Values: <seconds>-<microseconds> since epoch

IE: ACLName
Content: This is a string that identifies which named ACL is associated with
         this event.

IE: LocalAddress
Content: This is the local address that was contacted for the related event.
Values: <Address Family>/<Transport>/<Address>/<Port>
Examples:
     -> IPV4/UDP/192.168.1.1/5060
     -> IPV4/TCP/192.168.1.1/5038

IE: RemoteAddress
Content: This is the remote address associated with the event.
Examples:
     -> IPV4/UDP/192.168.1.2/5060
     -> IPV4/TCP/192.168.1.2/5038

IE: ExpectedAddress
Content: This is the address that was expected to be the remote address.
Examples:
     -> IPV4/UDP/192.168.1.2/5060
     -> IPV4/TCP/192.168.1.2/5038

IE: EventTV
Content: This is the timestamp of when the event occurred.
Values: <seconds>-<microseconds> since epoch

IE: RequestType
Content: This is a service specific string that represents the invalid request.

IE: RequestParams
Content: This is a service specific string that represents relevant parameters
         given with a request that was considered invalid.

IE: AuthMethod
Content: This is a service specific string that represents an authentication
         method that was used or requested.

IE: Challenge
Content: This is a service specific string that represents the challenge
         provided to a user attempting challenge/response authentication.

IE: Response
Content: This is a service specific string that represents the response
         received from a user attempting challenge/response authentication.

IE: ExpectedResponse
Content: This is a service specific string that represents the response
         that was expected to be received from a user attempting
         challenge/response authentication.
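The following is an added example, not part of the Asterisk documentation above, showing how a consumer of this log (a SIEM collector or a small fail2ban-style script) would parse the line prefix and the comma separated key="value" content, including the backslash-escaped quotes, and then use the SecurityEvent and RemoteAddress elements to flag remote addresses with repeated authentication failures. The sample log lines and the threshold are constructed for the example; the function names are my own.

```python
import re
from collections import Counter

# Prefix shared with other Asterisk logger levels: [timestamp] LEVEL[pid] source: content
PREFIX_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] SECURITY\[(?P<pid>\d+)\] (?P<src>\S+): (?P<body>.*)$'
)

# One KEY="value" pair; a value may contain backslash-escaped characters such as \".
PAIR_RE = re.compile(r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)="(?P<val>(?:[^"\\]|\\.)*)"')

# Constructed sample lines in the documented format (not real captured traffic).
SAMPLE_LINES = [
    r'[Feb 11 07:57:03] SECURITY[23736] res_security_log.c: SecurityEvent="InvalidPassword",EventVersion="2",Service="SIP",Module="chan_sip",AccountID="1000",SessionID="0a1b2c@192.168.1.2",LocalAddress="IPV4/UDP/192.168.1.1/5060",RemoteAddress="IPV4/UDP/192.168.1.2/5060",Challenge="1f2e3d4c",Response="0badf00d",ExpectedResponse="cafe\"babe",SessionTV="1297432623-123456",EventTV="1297432623-123456"',
    r'[Feb 11 07:57:04] SECURITY[23736] res_security_log.c: SecurityEvent="InvalidPassword",EventVersion="2",Service="SIP",Module="chan_sip",AccountID="1000",SessionID="0a1b2d@192.168.1.2",LocalAddress="IPV4/UDP/192.168.1.1/5060",RemoteAddress="IPV4/UDP/192.168.1.2/5060",SessionTV="1297432624-000001",EventTV="1297432624-000001"',
    r'[Feb 11 07:57:05] SECURITY[23736] res_security_log.c: SecurityEvent="InvalidPassword",EventVersion="2",Service="SIP",Module="chan_sip",AccountID="1001",SessionID="0a1b2e@192.168.1.2",LocalAddress="IPV4/UDP/192.168.1.1/5060",RemoteAddress="IPV4/UDP/192.168.1.2/5060",SessionTV="1297432625-000002",EventTV="1297432625-000002"',
    r'[Feb 11 07:57:06] SECURITY[23736] res_security_log.c: SecurityEvent="FailedACL",EventVersion="1",Service="AMI",Module="manager",AccountID="admin",SessionID="ami-17",LocalAddress="IPV4/TCP/192.168.1.1/5038",RemoteAddress="IPV4/TCP/192.168.1.3/50412",ACLName="managers",SessionTV="1297432626-000003",EventTV="1297432626-000003"',
    # A non-security line from the same log file must be ignored, not mis-parsed.
    r'[Feb 11 07:57:07] NOTICE[23736] chan_sip.c: Registration from peer 1000 timed out',
]

FAILED_AUTH_EVENTS = {"InvalidPassword", "ChallengeResponseFailed", "InvalidAccountID"}


def parse_security_line(line):
    """Return a dict of the information elements in one SECURITY line, or None
    if the line is not a security event. Raises ValueError on malformed content."""
    m = PREFIX_RE.match(line.rstrip("\n"))
    if not m:
        return None
    event = {"_timestamp": m.group("ts"), "_pid": int(m.group("pid")),
             "_source": m.group("src")}
    body = m.group("body")
    pos = 0
    while pos < len(body):
        pm = PAIR_RE.match(body, pos)
        if not pm:
            raise ValueError(f"malformed content at offset {pos}: {body[pos:pos + 20]!r}")
        # Undo backslash escaping (\" -> ", \\ -> \) inside the quoted value.
        event[pm.group("key")] = re.sub(r'\\(.)', r'\1', pm.group("val"))
        pos = pm.end()
        if pos < len(body):
            if body[pos] != ",":
                raise ValueError(f"expected ',' at offset {pos}")
            pos += 1
    return event


def split_address(addr):
    """Split <Address Family>/<Transport>/<Address>/<Port> into its parts."""
    family, transport, address, port = addr.split("/")
    return {"family": family, "transport": transport, "address": address, "port": int(port)}


def parse_tv(tv):
    """Convert a <seconds>-<microseconds> timestamp to a float of seconds since epoch."""
    secs, usecs = tv.split("-")
    return int(secs) + int(usecs) / 1_000_000


def failed_auth_by_remote(lines, threshold=3):
    """Count failed-authentication events per remote IP and return those at or
    above the threshold (the threshold is a constructed value for the example)."""
    counts = Counter()
    for line in lines:
        ev = parse_security_line(line)
        if ev is None or ev.get("SecurityEvent") not in FAILED_AUTH_EVENTS:
            continue
        counts[split_address(ev["RemoteAddress"])["address"]] += 1
    return {addr: n for addr, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_security_line(line))
    print(failed_auth_by_remote(SAMPLE_LINES))
```

The parser deliberately walks the content left to right rather than splitting on commas, because a comma or a quote escaped as \" may legitimately appear inside a value such as RequestParams or a challenge response; splitting naively would shift every later field. Lines from other logger levels in the same file return None so they can be skipped without affecting the counters.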



lmadsen 2010-10-21