The beginning of each line in the log file is the same as it is for other logger levels within Asterisk.
[Feb 11 07:57:03] SECURITY[23736] res_security_log.c: <...>
The part of the log entry shown as <...> is where the security event
content resides. The security event content is a comma-separated list
of key-value pairs. The key is the information element (IE) type, and the value is a
quoted string that contains the associated metadata for that information
element. Any embedded quotes within the content are escaped with a
backslash (\"), so a value is terminated only by an unescaped quote.
INFORMATION_ELEMENT_1="IE1 content",INFORMATION_ELEMENT_2="IE2 content"
The following table lists the possible information elements and what the associated content looks like:

IE: SecurityEvent
Content: This is the security event sub-type.
Values: FailedACL, InvalidAccountID, SessionLimit, MemoryLimit, LoadAverageLimit, RequestNotSupported, RequestNotAllowed, AuthMethodNotAllowed, ReqBadFormat, UnexpectedAddress, ChallengeResponseFailed, InvalidPassword

IE: EventVersion
Content: This is a numeric value that indicates when updates are made to the content of the event.
Values: Monotonically increasing integer, starting at 1

IE: Service
Content: This is the Asterisk service that generated the event.
Values: TEST, SIP, AMI

IE: Module
Content: This is the Asterisk module that generated the event.
Values: chan_sip

IE: AccountID
Content: This is a string used to identify the account associated with the event. In most cases, this would be a username.

IE: SessionID
Content: This is a string used to identify the session associated with the event. The format of the session identifier is specific to the service. In the case of SIP, this would be the Call-ID.

IE: SessionTV
Content: The time that the session associated with the SessionID started.
Values: <seconds>-<microseconds> since epoch

IE: ACLName
Content: This is a string that identifies which named ACL is associated with this event.

IE: LocalAddress
Content: This is the local address that was contacted for the related event.
Values: <Address Family>/<Transport>/<Address>/<Port>
Examples:
-> IPV4/UDP/192.168.1.1/5060
-> IPV4/TCP/192.168.1.1/5038

IE: RemoteAddress
Content: This is the remote address associated with the event.
Examples:
-> IPV4/UDP/192.168.1.2/5060
-> IPV4/TCP/192.168.1.2/5038

IE: ExpectedAddress
Content: This is the address that was expected to be the remote address.
Examples:
-> IPV4/UDP/192.168.1.2/5060
-> IPV4/TCP/192.168.1.2/5038

IE: EventTV
Content: This is the timestamp of when the event occurred.
Values: <seconds>-<microseconds> since epoch

IE: RequestType
Content: This is a service-specific string that represents the invalid request.

IE: RequestParams
Content: This is a service-specific string that represents relevant parameters given with a request that was considered invalid.

IE: AuthMethod
Content: This is a service-specific string that represents an authentication method that was used or requested.

IE: Challenge
Content: This is a service-specific string that represents the challenge provided to a user attempting challenge/response authentication.

IE: Response
Content: This is a service-specific string that represents the response received from a user attempting challenge/response authentication.

IE: ExpectedResponse
Content: This is a service-specific string that represents the response that was expected to be received from a user attempting challenge/response authentication.
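The following is an added example, not code from the Asterisk project or from this page. It parses the line layout and the information elements described above (the SECURITY prefix, the comma-separated KEY="value" list with backslash-escaped quotes, the <Address Family>/<Transport>/<Address>/<Port> address elements and the <seconds>-<microseconds> timestamps) and then does the thing most operators want from this log: count the failed-authentication sub-types per remote address to flag brute-force sources. The log lines, account names, addresses, Call-IDs and the AUTH_FAILURES grouping are constructed for illustration and are assumptions, not values taken from the page.

```python
"""Parser and simple detector for Asterisk res_security_log lines.

Added example, not code from the Asterisk project. It assumes the line
layout and information elements documented on this page; the sample log
lines below are constructed (hypothetical accounts, addresses, Call-IDs).
"""
import re
from collections import Counter

# "[Feb 11 07:57:03] SECURITY[23736] res_security_log.c: <IE list>"
LINE_RE = re.compile(
    r'^\[(?P<stamp>[^\]]+)\] SECURITY\[(?P<pid>\d+)\] (?P<source>\S+): (?P<body>.*)$'
)
# One KEY="value" pair; a quote inside the value is escaped as \" so the
# value may only end at an unescaped quote.
PAIR_RE = re.compile(r'(?P<key>[A-Za-z0-9_]+)="(?P<val>(?:[^"\\]|\\.)*)"')

# Assumed grouping of the sub-types that indicate a failed authentication.
AUTH_FAILURES = {"InvalidPassword", "ChallengeResponseFailed", "InvalidAccountID"}

# Constructed sample lines (not real traffic). The third line carries an
# attacker-supplied AccountID containing an escaped quote.
SAMPLE_LOG = r'''
[Feb 11 07:57:03] SECURITY[23736] res_security_log.c: SecurityEvent="InvalidPassword",EventVersion="2",Service="SIP",Module="chan_sip",AccountID="1000",SessionID="4f3a9c@192.168.1.2",LocalAddress="IPV4/UDP/192.168.1.1/5060",RemoteAddress="IPV4/UDP/192.168.1.2/5060",Challenge="1a2b3c",Response="deadbeef",ExpectedResponse="cafebabe",EventTV="1297411023-500000"
[Feb 11 07:57:04] SECURITY[23736] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventVersion="1",Service="SIP",Module="chan_sip",AccountID="1000",SessionID="7b2d10@192.168.1.2",LocalAddress="IPV4/UDP/192.168.1.1/5060",RemoteAddress="IPV4/UDP/192.168.1.2/5061",EventTV="1297411024-100000"
[Feb 11 07:57:05] SECURITY[23736] res_security_log.c: SecurityEvent="InvalidAccountID",EventVersion="1",Service="SIP",Module="chan_sip",AccountID="bob\" --",SessionID="9c8b7a@10.0.0.9",LocalAddress="IPV4/UDP/192.168.1.1/5060",RemoteAddress="IPV4/UDP/10.0.0.9/5060",EventTV="1297411025-000000"
[Feb 11 07:57:06] SECURITY[23736] res_security_log.c: SecurityEvent="FailedACL",EventVersion="1",Service="AMI",AccountID="admin",SessionID="0x1f2e3d",LocalAddress="IPV4/TCP/192.168.1.1/5038",RemoteAddress="IPV4/TCP/10.0.0.9/41234",ACLName="ami-admins",EventTV="1297411026-250000"
'''


def parse_ie_list(body):
    """Split the comma-separated KEY="value" list, honouring \\" escapes."""
    ies = {}
    pos = 0
    while pos < len(body):
        m = PAIR_RE.match(body, pos)
        if m is None:
            raise ValueError(f"malformed IE list at offset {pos}: {body[pos:pos + 20]!r}")
        # Drop the escaping backslash in front of embedded quotes.
        ies[m["key"]] = re.sub(r"\\(.)", r"\1", m["val"])
        pos = m.end()
        if pos < len(body):
            if body[pos] != ",":
                raise ValueError(f"expected ',' between elements at offset {pos}")
            pos += 1
    return ies


def parse_address(value):
    """<Address Family>/<Transport>/<Address>/<Port> -> dict."""
    parts = value.split("/")
    if len(parts) != 4:
        raise ValueError(f"bad address element: {value!r}")
    family, transport, address, port = parts
    return {"family": family, "transport": transport, "address": address, "port": int(port)}


def parse_tv(value):
    """<seconds>-<microseconds> since epoch -> float seconds."""
    seconds, micros = value.split("-")
    return int(seconds) + int(micros) / 1_000_000


def parse_line(line):
    """Return a parsed event, or None if the line is not a SECURITY log line."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # other logger levels share the prefix layout but not SECURITY
    ies = parse_ie_list(m["body"])
    event = {"stamp": m["stamp"], "pid": int(m["pid"]), "ies": ies}
    for key in ("LocalAddress", "RemoteAddress", "ExpectedAddress"):
        if key in ies:
            event[key] = parse_address(ies[key])
    for key in ("EventTV", "SessionTV"):
        if key in ies:
            event[key] = parse_tv(ies[key])
    return event


def parse_log(text):
    return [ev for ev in (parse_line(raw) for raw in text.splitlines()) if ev]


def auth_failures_by_source(events):
    """Count failed-auth sub-types per remote IP; the port is ignored because
    SIP clients (and scanners) rotate source ports between attempts."""
    counts = Counter()
    for ev in events:
        if ev["ies"].get("SecurityEvent") in AUTH_FAILURES and "RemoteAddress" in ev:
            counts[ev["RemoteAddress"]["address"]] += 1
    return counts


def suspicious_sources(events, threshold=2):
    """Remote addresses with at least `threshold` failed authentications."""
    return sorted(a for a, n in auth_failures_by_source(events).items() if n >= threshold)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for ev in parsed:
        print(ev["ies"]["SecurityEvent"], ev["RemoteAddress"]["address"], ev["ies"].get("AccountID"))
    print("suspicious:", suspicious_sources(parsed))
```

The value regex deliberately stops only at an unescaped quote, so an AccountID such as bob\" -- does not truncate the element or shift the remaining keys; a naive split on `","` would misparse exactly the attacker-controlled values a detector most needs to see. In production the threshold would be applied per time window using EventTV rather than over the whole file.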