Traffic Flow Summary Examples

This topic shows example traffic flow summaries as emitted in JSON, CEF, and LEEF, and the syslog records that carry them. In every format a summary identifies the source and destination of a flow (IP addresses, hostnames, workload hrefs and labels), the protocol and destination port, the policy decision (`pd`), and, where present, the destination process name (`pn`), user name (`un`), and destination vulnerability data (`dst_vulns` with CVE IDs). Because this is internal network and vulnerability detail, treat the exported feed as sensitive. Addresses, hrefs, and domain names in several examples have been redacted to `xxx…`, `someIPaddress`, `someID`, or `someDomainName`; real output contains the actual values.

JSON

{
  "interval_sec": 600,
  "count": 1,
  "tbi": 73,
  "tbo": 0,
  "pn": "example-daemon",
  "un": "example",
  "src_ip": "xxx.xxx.xx.xxx",
  "dst_ip": "xxx.x.x.xxx",
  "timestamp": "2018-05-23T16:07:12-07:00",
  "dir": "I",
  "proto": 17,
  "dst_port": 5353,
  "state": "T",
  "src_labels": {
    "app": "AppLabel",
    "env": "Development",
    "loc": "Cloud",
    "role": "Web"
  },
  "src_hostname": "test-ubuntu-3",
  "src_href": "/orgs/1/workloads/xxxxxxxx-7741-4f71-899b-d6f495326b3f",
  "dst_labels": {
    "app": "AppLabel",
    "env": "Development",
    "loc": "AppLocation",
    "role": "Database"
  },
  "dst_hostname": "test-ubuntu-2",
  "dst_href": "/orgs/1/workloads/xxxxxxxx-012d-4651-b181-c6f2b269889e",
  "pd": 1,
  "dst_vulns": {
    "count": 8,
    "max_score": 8.5,
    "cve_ids": [
      "CVE-2016-2181",
      "CVE-2017-2241"
    ]
  },
  "fqdn" : "xxx.ubuntu.com",
  "version": 4
}

Syslog (each record carries the JSON summary as its payload; the examples below are grouped by the `pd` value in that payload)

2019-02-11T22:50:15.587390+00:00 level=info host=detest01 ip=100.1.0.1 program=illumio_pce/collector| sec=925415.586 sev=INFO pid=9944 tid=30003240 rid=bb8ff798-1ef2-44b1-b74e-f13b89995520 {"interval_sec":1074,"count":1,"tbi":3608,"tbo":0,"pn":"company-daemon","un":"company","src_ip":"10.0.2.15","dst_ip":"211.0.0.232","class":"M","timestamp":"2019-02-11T14:48:09-08:00","dir":"I","proto":17,"dst_port":5353,"state":"T","src_labels":{"app":"AppName","env":"Development","loc":"Cloud","role":"Web"},"src_hostname":"dev-ubuntu-1","src_href":"/orgs/1/workloads/773f3e81-5779-4753-b879-35a1abe45838","dst_labels":{"app":"AppName","env":"Development","loc":"Cloud2","role":"Web"},"dst_hostname":"dev-ubuntu-1","dst_href":"/orgs/1/workloads/773f3e81-5779-4753-b879-35a1abe45838","pd":0,"dst_vulns":{"count":1,"max_score":3.7,"cve_ids":["CVE-2013-2566","CVE-2015-2808"]},"fqdn":"xxx.ubuntu.com","version":4}

Allowed Flow Summary (pd = 0)

2016-01-12T05:23:30+00:00 level=info host=myhost ip=127.0.0.1 program=illumio_pce/collector| sec=576210.952 sev=INFO pid=25386 tid=16135120 rid=0 {"interval_sec":1244,"count":3,"dbi":180,"dbo":180,"pn":"sshd","un":"root","src_ip":"10.6.0.129","dst_ip":"10.6.0.129","timestamp":"2017-08-16T13:23:57-07:00","dir":"I","proto":6,"dst_port":22,"state":"A","dst_labels":{"app":"test_app_1","env":"test_env_1","loc":"test_place_1","role":"test_access_1"},"dst_hostname":"corp-vm-2","dst_href":"/orgs/1/workloads/5ddcc33b-b6a4-4a15-b600-64f433e4ab33","pd":0,"version":4}

Potentially Blocked Flow Summary (pd = 1). Note that the example line below repeats the `sec`/`sev`/`pid`/`tid`/`rid` header fields twice; the other examples on this page carry a single set, so parsers should not rely on the duplicated prefix.

2016-01-12T05:29:21+00:00 level=info host=myhost ip=127.0.0.1 program=illumio_pce/collector| sec=576561.327 sev=INFO pid=25386 tid=16135120 rid=0 sec=920149.541 sev=INFO pid=1372 tid=30276700 rid=136019d0-f9d8-45f3-ac99-f43dd8015675 {"interval_sec":600,"count":1,"tbi":229,"tbo":0,"src_ip":"172.16.40.5","dst_ip":"172.16.40.255","timestamp":"2017-08-16T14:45:58-07:00","dir":"I","proto":17,"dst_port":138,"state":"T","dst_labels":{"app":"test_app_1","env":"test_env_1","loc":"test_place_1","role":"test_access_1"},"dst_hostname":"corp-vm-2","dst_href":"/orgs/1/workloads/5ddcc33b-b6a4-4a15-b600-64f433e4ab33","pd":1,"version":4}

Blocked Flow Summary (pd = 2). As with the pd = 1 example, the line below shows two `sec`/`sev`/`pid`/`tid`/`rid` groups; the other examples on this page carry only one.

2016-01-12T05:23:30+00:00 level=info host=myhost ip=127.0.0.1 program=illumio_pce/collector| sec=576210.831 sev=INFO pid=25386 tid=16135120 rid=0 sec=915000.311 sev=INFO pid=1372 tid=30302280 rid=90a01be5-a3c1-44f9-84fd-3c3a5eaec1f8 {"interval_sec":589,"count":1,"src_ip":"10.6.1.89","dst_ip":"10.6.255.255","timestamp":"2017-08-16T13:22:09-07:00","dir":"I","proto":17,"dst_port":138,"dst_labels":{"app":"test_app_1","env":"test_env_1","loc":"test_place_1","role":"test_access_1"},"dst_hostname":"corp-vm-1","dst_href":"/orgs/1/workloads/a83ba658-576b-4946-800a-b39ba2a2e81a","pd":2,"version":4}

Unknown Flow Summary (pd = 3)

2019-06-14T05:33:45.442561+00:00 level=info host=devtest0 ip=127.0.0.1 program=illumio_pce/collector| sec=490425.442 sev=INFO pid=12381 tid=32524120 rid=6ef5a6ac-8a9c-4f46-9180-c0c91ef94759 {"dst_port":1022,"proto":6,"count":20,"interval_sec":600,"timestamp":"2019-06-06T21:03:57Z","src_ip":"10.23.2.7","dst_ip":"10.0.2.15","dir":"O","state":"S","pd":3,"src_href":"/orgs/1/workloads/a0d735ce-c55f-4a38-965f-bf6e98173598","dst_hostname":"workload1","dst_href":"/orgs/1/workloads/a20eb1b5-10a4-419e-b216-8b35c795a01e","src_labels":
{"app":"app","env":"Development","loc":"Amazon","role":"Load Balancer"}
,"version":4}

CEF (the `CEF:0|…` string is the syslog payload; when read from syslog it is preceded by the same `level=… host=… program=…` header shown in the Syslog section, as in the second example below)

CEF:0|Illumio|PCE|2015.9.0|flow_potentially_blocked|Flow Potentially Blocked|3| act=potentially_blocked cat=flow_summary deviceDirection=0 dpt=137 src=someIPaddress dst=someIPaddress proto=udp cnt=1 in=1638 out=0 rt=Jun 14 2018 01:50:14 cn1=120 cn1Label=interval_sec cs2=T cs2Label=state cs6=/orgs/1/workloads/someID cs6Label=dst_href cs4={"app":"CRM","env":"Development","loc":"AppLocation","role":"Web"} cs4Label=dst_labels dhost=connectivity-check.someDomainName cs1={"count":1,"max_score":3.7,"cve_ids": ["CVE-2013-2566","CVE-2015-2808"]} cs1Label=dst_vulns dvchost=someDomainName

Unknown Flow Summary (pd = 3)

2019-06-14T21:02:55.146101+00:00 level=info host=devtest0 ip=127.0.0.1 program=illumio_pce/collector| sec=546175.145 sev=INFO pid=15416 tid=40627440 rid=f051856d-b9ee-4ac8-85ea-4cb857eefa82 CEF:0|Illumio|PCE|19.3.0|flow_unknown|Flow Unknown|1|act=unknown cat=flow_summary deviceDirection=0 dpt=22 src=10.0.2.2 dst=10.0.2.15 proto=tcp cnt=6 in=6 out=6 rt=Jun 14 2019 21:02:25 duser=root dproc=sshd cn1=31 cn1Label=interval_sec cs2=S cs2Label=state dhost=workload1 cs6=/orgs/1/workloads/a20eb1b5-10a4-419e-b216-8b35c795a01e cs6Label=dst_href dvchost=devtest0.ilabs.io msg=
{"trafclass_code":"U"}

LEEF (the `LEEF:2.0|…` string is the syslog payload, as in the second example below). In the first example, the `"cve_ids":[…]}` fragment appears after `dstFqdn` rather than inside the `dstVulns` JSON object; compare the `dst_vulns` object in the JSON and CEF examples, which keep `count`, `max_score`, and `cve_ids` together.

LEEF:2.0|Illumio|PCE|2015.9.0|flow_blocked|cat=flow_summary devTime=2018-06-14T10:38:53-07:00 devTimeFormat=yyyy-MM-dd'T'HH:mm:ssX proto=udp sev=5 src=someIPaddress dst=someIPaddress dstPort=5353 count=15 dir=I intervalSec=56728 dstHostname=someHostName dstHref=/orgs/1/workloads/someID dstLabels={"app":"CRM","env":"Development","loc":"Cloud","role":"Web"} dstVulns={"count":2,"max_score":3.7} dstFqdn=someDomainName "cve_ids":["CVE-2013-2566","CVE-2015-2808"]}

Unknown Flow Summary (pd = 3)

2019-06-14T19:25:53.524103+00:00 level=info host=devtest0 ip=127.0.0.1 program=illumio_pce/collector| sec=540353.474 sev=INFO pid=9960 tid=36072680 rid=49626dfa-d539-4cff-8999-1540df1a1f61 LEEF:2.0|Illumio|PCE|19.3.0|flow_unknown|cat=flow_summary devTime=2019-06-06T21:03:57Z devTimeFormat=yyyy-MM-dd'T'HH:mm:ssX proto=tcp sev=1 src=10.23.2.7 dst=10.0.2.15 dstPort=1022 count=20 dir=O intervalSec=600 state=S srcHref=/orgs/1/workloads/a0d735ce-c55f-4a38-965f-bf6e98173598 srcLabels=
{"app":"app","env":"Staging","loc":"Azure","role":"API"}
dstHostname=workload1 dstHref=/orgs/1/workloads/a20eb1b5-10a4-419e-b216-8b35c795a01e