SK (Sockets Connections) journal entries
This table provides the format of the SK (Sockets Connections) journal entries.
| Offset JE | Offset J4 | Offset J5 | Field | Format | Description |
|---|---|---|---|---|---|
| | 1 | 1 | Heading fields common to all entry types. See Standard heading fields for audit journal entries QJORDJE5 Record Format (*TYPE5) and Standard heading fields for audit journal entries QJORDJE4 Record Format (*TYPE4) for the field listing. | | |
| | 224 | 610 | Entry type | Char(1) | The type of entry. The values S (secure connection) and X (secure connection failure) are referenced by the Secure version, Secure properties and Secure information fields below. |
| | 225 | 611 | Local IP Address³ | Char(15) | The local IP address. |
| | 240 | 626 | Local port | Char(5) | The local port. |
| | 245 | 631 | Remote IP Address³ | Char(15) | The remote IP address. |
| | 260 | 646 | Remote port | Char(5) | The remote port. |
| | 265 | 651 | Socket Descriptor | Bin(5) | The socket descriptor. |
| | 269 | 655 | Filter Description | Char(10) | The mail filter specified. |
| | 279 | 665 | Filter Data Length | Bin(4) | The length of the filter data. |
| | 281 | 667 | Filter Data¹ | Char(514) | The filter data. |
| | 795 | 1181 | Address Family | Char(10) | The address family. |
| | 805 | 1191 | Local IP address | Char(46) | The local IP address. |
| | 851 | 1237 | Remote IP address² | Char(46) | The remote IP address. |
| | 897 | 1283 | MAC address | Char(32) | The MAC address of the requesting client. |
| | 929 | 1315 | Host name | Char(255) | The host name of the requesting client. |
| | | 1570 | Secure version | Char(10) | The security protocol, including the specific version level if available, used for the connection. The possible protocol prefixes are TLS, DTLS, SSL, IKE, IPSEC and SSH. For example, the value is "TLSV1.2" if the connection is protected by System SSL/TLS using TLSv1.2. An entry for a non-operating-system connection may contain a raw version value such as "0401" if the system inspection code encounters a version it does not understand. |
| | | 1580 | Secure properties | Char(100) | The secure properties used for the connection. When the entry type (J5 offset 610) is S, the content of this field depends on the Secure version field (J5 offset 1570). Where possible it contains one or more space-separated character strings describing the cryptographic algorithms and key sizes used for the connection, presented in the character format associated with the secure version. A TLSv1.2 entry may look like "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDSA_SHA512 SECP521R1". An entry for a non-operating-system connection may contain a protocol's internal algorithm representation values, such as "C054 0703 29", if the system inspection code encounters unknown values. When the entry type (J5 offset 610) is X, this field contains a string that represents the TLS error code. |
| | | 1680 | Secure information | Char(100) | Additional information for the secure connection. When the entry type (J5 offset 610) is X, this field contains a string that describes the failure. When the entry type (J5 offset 610) is S, this field may contain additional attributes of the secure connection; for IPSEC connections, for example, it contains the VPN connection name. |
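As an added example (not part of the IBM documentation above), the following Python slices the entry-specific data of an SK *TYPE5 entry by the J5 offsets in the table and runs a small triage check over the S and X secure-connection fields. The EBCDIC CCSID (cp037), the 1779-byte record length and the accepted-version baseline are assumptions; the `build_sample_record` helper only constructs test input.

```python
# Field layout of the SK entry-specific data, taken from the J5 column of the
# table above (1-based offsets, lengths in bytes). Bin(5) is a 4-byte and Bin(4)
# a 2-byte big-endian signed binary; Char fields are blank-padded EBCDIC (cp037
# is an assumption; substitute the CCSID your journal extract actually uses).
SK_LAYOUT = [
    ("entry_type", 610, 1, "c"), ("local_ip_v4", 611, 15, "c"),
    ("local_port", 626, 5, "c"), ("remote_ip_v4", 631, 15, "c"),
    ("remote_port", 646, 5, "c"), ("socket_descriptor", 651, 4, "b"),
    ("filter_description", 655, 10, "c"), ("filter_data_length", 665, 2, "b"),
    ("filter_data", 667, 514, "c"), ("address_family", 1181, 10, "c"),
    ("local_ip", 1191, 46, "c"), ("remote_ip", 1237, 46, "c"),
    ("mac_address", 1283, 32, "c"), ("host_name", 1315, 255, "c"),
    ("secure_version", 1570, 10, "c"), ("secure_properties", 1580, 100, "c"),
    ("secure_information", 1680, 100, "c"),
]
RECORD_LEN = 1779            # Secure information ends at J5 offset 1680 + 100 - 1
EBCDIC_SPACE = b"\x40"
ACCEPTED_VERSIONS = {"TLSV1.2", "TLSV1.3"}   # assumed baseline; spelling per the table

def parse_sk_entry(record: bytes, codec: str = "cp037") -> dict:
    """Slice one raw *TYPE5 SK journal entry into a dict keyed by field name."""
    if len(record) < RECORD_LEN:
        raise ValueError(f"SK entry too short: {len(record)} < {RECORD_LEN}")
    out = {}
    for name, off, length, kind in SK_LAYOUT:
        raw = record[off - 1:off - 1 + length]
        out[name] = (int.from_bytes(raw, "big", signed=True) if kind == "b"
                     else raw.decode(codec).rstrip())
    return out

def build_sample_record(fields: dict, codec: str = "cp037") -> bytes:
    """Constructed test input: a blank-filled record with the given fields set."""
    buf = bytearray(EBCDIC_SPACE * RECORD_LEN)   # heading fields are left blank
    for name, off, length, kind in SK_LAYOUT:
        if name in fields:
            val = fields[name]
            raw = (val.to_bytes(length, "big", signed=True) if kind == "b"
                   else val.encode(codec).ljust(length, EBCDIC_SPACE))
            assert len(raw) == length, f"{name} does not fit in {length} bytes"
            buf[off - 1:off - 1 + length] = raw
    return bytes(buf)

def review_secure_entry(entry: dict) -> str:
    """Triage S/X entries: surface TLS failures and connections below baseline."""
    if entry["entry_type"] == "X":
        return f"tls-failure {entry['remote_ip']}: {entry['secure_information']}"
    if entry["entry_type"] == "S" and entry["secure_version"] not in ACCEPTED_VERSIONS:
        return f"below-baseline {entry['remote_ip']}: {entry['secure_version']}"
    return "ok"
```

Feeding every SK entry from a DSPJRN extract through `review_secure_entry` gives a quick inventory of legacy protocol use and handshake failures per remote address.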