SK (Sockets Connections) journal entries

This table provides the format of the SK (Sockets Connections) journal entries.

Table 1. SK (Sockets Connections) journal entries. QASYSKJ4/J5 Field Description File

Each field is listed as: J4 offset / J5 offset, field name, format, description. A J4 offset of "-" means no J4 offset is listed for that field.

1 / 1  Heading fields  Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) and Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) for the field listing.

224 / 610  Entry type  Char(1)  The entry type:
    A   Accept
    C   Connect
    D   DHCP address assigned
    F   Filtered mail
    I   Inbound UDP traffic
    O   Outbound UDP traffic
    P   Port unavailable
    R   Reject mail
    S   Successful secure connection (note 4)
    U   DHCP address not assigned
    X   Failed System SSL/TLS connection

225 / 611  Local IP Address (note 3)  Char(15)  The local IP address.
240 / 626  Local port  Char(5)  The local port.
245 / 631  Remote IP Address (note 3)  Char(15)  The remote IP address.
260 / 646  Remote port  Char(5)  The remote port.
265 / 651  Socket Descriptor  Bin(5)  The socket descriptor.
269 / 655  Filter Description  Char(10)  The mail filter specified.
279 / 665  Filter Data Length  Bin(4)  The length of the filter data.
281 / 667  Filter Data (note 1)  Char(514)  The filter data.
795 / 1181  Address Family  Char(10)  The address family:
    *IPV4   Internet Protocol Version 4
    *IPV6   Internet Protocol Version 6
805 / 1191  Local IP address  Char(46)  The local IP address.
851 / 1237  Remote IP address (note 2)  Char(46)  The remote IP address.
897 / 1283  MAC address  Char(32)  The MAC address of the requesting client.
929 / 1315  Host name  Char(255)  The host name of the requesting client.

- / 1570  Secure version  Char(10)  The security protocol, including the specific version level if available, used for the connection. The possible protocol prefixes include TLS, DTLS, SSL, IKE, IPSEC and SSH.
    A specific example is "TLSV1.2" if the connection is protected by System SSL/TLS using TLSv1.2. An entry for a non-operating-system connection may contain a raw version value such as "0401" if the system inspection code encounters a version it does not understand.

- / 1580  Secure properties  Char(100)  The secure properties used for the connection.
    When the entry type (J5 offset 610) is S, this field varies based on the secure version field (J5 offset 1570). Where possible, this field contains one or more space-separated character strings describing the cryptographic algorithms and key sizes used for the connection. The algorithms and key sizes are presented in a character format associated with the secure version field. A TLSv1.2 entry may look like this:
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDSA_SHA512 SECP521R1"
    An entry for a non-operating-system connection may contain a protocol's internal algorithm representation values, such as "C054 0703 29", if the system inspection code encounters unknown values.
    When the entry type (J5 offset 610) is X, this field contains a string that represents the TLS error code.

- / 1680  Secure information  Char(100)  Additional information for the secure connection.
    When the entry type (J5 offset 610) is X, this field contains a string that describes the failure.
    When the entry type (J5 offset 610) is S, this field may contain additional attributes for the secure connection. For example, for IPSEC connections it contains the VPN connection name.

Notes:
1. This is a variable-length field. The first two bytes contain the length of the field.
2. When the entry type is D, this field contains the IP address that the DHCP server assigned to the requesting client.
3. These fields only support IPv4 addresses.
4. When the entry type is S, "secure connection" means that a secure protocol was used, not that the algorithms used are considered secure. A system operator needs to review the secure version field and the secure properties field to determine the level of security.
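The following Python helper is an added example, not part of this IBM documentation, that slices a *TYPE5 record by the J5 offsets in Table 1 and pulls together the fields note 4 tells an operator to review for S entries (secure version, secure properties, secure information), and the error code and failure text for X entries. It assumes the record's character fields have already been converted to ASCII and that Bin(5) and Bin(4) are 4- and 2-byte big-endian integers; the sample record and its values are constructed.

```python
# QASYSKJ5 (*TYPE5) layout from Table 1: field -> (1-based J5 offset, length in bytes).
# Assumption: Char fields are already ASCII; Bin(5)/Bin(4) are 4-/2-byte big-endian ints.
SK_J5_FIELDS = {
    "entry_type": (610, 1), "local_ip4": (611, 15), "local_port": (626, 5), "remote_ip4": (631, 15),
    "remote_port": (646, 5), "socket_descriptor": (651, 4), "filter_description": (655, 10),
    "filter_data_length": (665, 2), "filter_data": (667, 514), "address_family": (1181, 10),
    "local_ip": (1191, 46), "remote_ip": (1237, 46), "mac_address": (1283, 32), "host_name": (1315, 255),
    "secure_version": (1570, 10), "secure_properties": (1580, 100), "secure_information": (1680, 100),
}
BINARY_FIELDS = {"socket_descriptor", "filter_data_length"}
RECORD_LEN = 1680 + 100 - 1  # last byte of the last field

def parse_sk_j5(record: bytes) -> dict:
    """Slice one SK *TYPE5 record into named fields (trailing blanks stripped)."""
    if len(record) < RECORD_LEN: raise ValueError(f"record too short: {len(record)} < {RECORD_LEN}")
    fields = {}
    for name, (offset, length) in SK_J5_FIELDS.items():
        raw = record[offset - 1:offset - 1 + length]
        fields[name] = (int.from_bytes(raw, "big", signed=True) if name in BINARY_FIELDS
                        else raw.decode("ascii").rstrip())
    return fields

def classify_secure_version(secure_version: str) -> tuple:
    """Split e.g. "TLSV1.2" into ("TLS", "V1.2"); raw values like "0401" become ("RAW", value)."""
    for prefix in ("IPSEC", "DTLS", "TLS", "SSL", "IKE", "SSH"):  # DTLS must precede TLS
        if secure_version.upper().startswith(prefix):
            return prefix, secure_version[len(prefix):]
    return "RAW", secure_version

def summarize_secure(fields: dict) -> dict:
    """Review material for S entries (note 4) or error details for X entries; None otherwise."""
    etype = fields["entry_type"]
    if etype == "S":
        protocol, version = classify_secure_version(fields["secure_version"])
        return {"kind": "secure", "protocol": protocol, "version": version,
                "algorithms": fields["secure_properties"].split(), "extra": fields["secure_information"]}
    if etype == "X":
        return {"kind": "failed", "error_code": fields["secure_properties"], "reason": fields["secure_information"]}

def build_record(**values) -> bytes:  # constructed blank-padded test record, not a real journal dump
    buf = bytearray(b" " * RECORD_LEN)
    for name, value in values.items():
        offset, length = SK_J5_FIELDS[name]
        data = value.to_bytes(length, "big") if isinstance(value, int) else value.encode().ljust(length)
        assert len(data) == length, f"{name} does not fit in {length} bytes"
        buf[offset - 1:offset - 1 + length] = data
    return bytes(buf)

SAMPLE = build_record(entry_type="S", remote_ip4="192.0.2.10", socket_descriptor=7, secure_version="TLSV1.2",
                      secure_properties="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDSA_SHA512 SECP521R1")
```

Running `summarize_secure(parse_sk_j5(SAMPLE))` yields the protocol, version and the three algorithm strings separately, which is the material note 4 says has to be judged by policy rather than by the S entry type alone.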