strongSwan
strongSwan IPsec VPN logs showing IKE negotiations, tunnel setup, rekey events and SA lifecycle changes.
Enginsight Global Fields (4)
Field | Description | Type |
---|---|---|
ngs.id | Unique identifier for the log entry. | string |
ngs.createdAt | Timestamp when the event was created locally. | pdate |
ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
ngs.source | Origin or source system of the log. | string |
Reference-Specific Fields (27)
Field | Description | Type |
---|---|---|
strongSwan.msg | Full human-readable syslog message as emitted by the charon daemon. | text_general |
strongSwan.subsys | Subsystem or module tag (e.g. IKE, ENC, NET) indicating which component logged the message. | string |
strongSwan.child_sa.name | Identifier of the Child SA in logs, typically the connection name followed by the SA index (before the '\|' in `<name\|uid>`). | string |
strongSwan.child_sa.uid | Numeric unique ID of the Child SA (after the '\|' in `<name\|uid>`). | plong |
strongSwan.child_sa.spi | Array of Security Parameter Indices (SPIs) for the Child SA, used by the IPsec peer to select cryptographic state. | string [] |
strongSwan.new_child_sa.name | Name of the newly created Child SA after rekeying, following the same naming convention as `child_sa.name`. | string |
strongSwan.new_child_sa.uid | Numeric unique ID of the new Child SA after rekeying. | plong |
strongSwan.new_child_sa.spi | Array of SPIs for the new Child SA post-rekey. | string [] |
strongSwan.ike_sa.name | Identifier(s) of the IKE SA (typically connection name and SA index) used for negotiating CHILD_SA. | string [] |
strongSwan.ike_sa.uid | Numeric unique ID(s) of the IKE SA instance(s). | plong [] |
strongSwan.src | Source IP address of the IKE or Child SA endpoint. | string |
strongSwan.srcPort | Source UDP port (e.g., 500 or 4500) used for the IKE exchange. | pint |
strongSwan.dst | Destination IP address of the IKE or Child SA endpoint. | string |
strongSwan.dstPort | Destination UDP port used for the IKE exchange. | pint |
strongSwan.reason | Free-form text giving the reason for an error or informational event. | text_general |
strongSwan.bytesIn | Total number of bytes received under this SA. | plong |
strongSwan.bytesOut | Total number of bytes sent under this SA. | plong |
strongSwan.srcUser | Identity (e.g., FQDN, UPN) of the source peer, as negotiated in IKE_AUTH. | string |
strongSwan.dstUser | Identity of the destination peer, as negotiated in IKE_AUTH. | string |
strongSwan.localTS | Array of local traffic selectors (IP/CIDR ranges) for this SA. | string [] |
strongSwan.remoteTS | Array of remote traffic selectors for this SA. | string [] |
strongSwan.reqId | Numeric request ID used internally to correlate IKEv1 or IKEv2 exchanges. | plong |
strongSwan.newReqId | New request ID assigned after a re-auth or rekey operation. | string |
strongSwan.parsed | Boolean indicating whether the log line was successfully parsed by the ingest pipeline. | boolean |
strongSwan.reqType | Type of IKE request (e.g., IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA). | string |
strongSwan.reqParam | Additional parameters passed with the request (e.g., authentication or config payloads). | string [] |
strongSwan.proposals | Array of negotiated encryption/authentication proposals for the SA. | string [] |
Sample Log Event
Below is a representative JSON log entry showing key fields as they’re emitted by the system. Depending on the context of the event, some fields may be omitted if they’re not applicable.