Aviatrix Log Formats

The Aviatrix Controller and all of its managed gateways can be configured to forward their logs to well known log management systems. This section describes Aviatrix log keywords that can be identified by log management systems for further analysis.

Aviatrix Log Keywords

The following types of Aviatrix log keywords can be identified by the Log Management System for further analysis:

AviatrixVPNSession:

This log is for gateways that have VPN enabled.

Logs with this prefix come from the Controller and contain information such as the VPN username, the VPN gateway IP address and name where the user connects to, client virtual IP address, connection duration, total received bytes, total transmitted bytes, and login and logout time. Two logs will be generated for each VPN connection. One is when the connection is established, the other when it is disconnected.

Example logs:

Connect Log:

Aug 17 22:07:39 ip-172-31-46-24 cloudx_cli: AviatrixVPNSession:
User=demo, Status=active, Gateway=demo, GatewayIP=52.52.76.149,
VPNVirtualIP=192.168.0.6, PublicIP=N/A, Login=2016-08-17 22:07:38, Logout=N/A,
Duration=N/A, RXbytes=N/A, TXbytes=N/A

Disconnect log:

Aug 17 22:26:37 ip-172-31-46-24 cloudx_cli: AviatrixVPNSession:
User=demo, Status=disconnected, Gateway=demo,
GatewayIP=52.52.76.149, VPNVirtualIP=192.168.0.6, PublicIP=N/A,
Login=2016-08-17 22:07:38, Logout=2016-08-17 22:26:37, Duration=0:0:18:59,
RXbytes=2.1 MB, TXbytes=9.03 MB

AviatrixUser:

This log is for gateways that have VPN enabled.

Logs with this prefix come from each VPN gateway managed by the Controller. The log contains the information for the TCP session, such as inbound and outbound interface, source IP address, destination IP address, TTL value, protocol name, and packet length. The log record is for each packet that passes through the VPN connection from the client to the destination.

Two example logs:

Aug 17 22:15:47 ip-10-100-0-60 kernel: [14167.983249]
***AviatrixUser***:IN= OUT=eth0 SRC=192.168.0.6 DST=68.67.154.85 LEN=64
TOS=0x00 PREC=0x00 TTL=63 ID=28916 DF PROTO=TCP SPT=50428 DPT=443
WINDOW=65535 RES=0x00 SYN URGP=0

Aug 17 22:15:47 ip-10-100-0-60 kernel: [14167.968275]
***AviatrixUser***:IN= OUT=eth0 SRC=192.168.0.6 DST=10.100.0.2 LEN=66
TOS=0x00 PREC=0x00 TTL=254 ID=13309 PROTO=UDP SPT=64775 DPT=53 LEN=46

AviatrixLicenseVPNUsers:

This log is for gateways that have VPN enabled.

Logs with this prefix come from the Controller and can be used to monitor the license usage of active vpn users connected to all vpn gateways.

One example log:

Sep 25 23:40:19 ip-10-40-0-133 cloudxd: AviatrixLicsenseVPNUsers: users=2

There is a typo in some versions (as noted in the above example) that incorrectly shows this entry as AviatrixLicsenseVPNUsers instead of AviatrixLicenseVPNUsers.

AviatrixRule:

You need to configure security policies to see AviatrixRule log.

Logs with this prefix come from each gateway managed by the Controller. Any packet that triggers the security policy rule will generate a log record of this type with the first 100 bytes of the packet. It contains the information such as gateway IP address, inbound and outbound interface, MAC address, TTL value, protocol name, source IP address, destination IP address and packet length.

An example for a deny rule event is shown below. The log event prefix is "AvxRl gw1 D:", where the gateway name is gw1, "D" represents Drop.

2019-04-10T23:33:47.217018+00:00 ip-10-240-0-44 kernel: [ 4976.320353] AvxRl gw1 D:IN=eth0 OUT=eth0 MAC=02:bd:e5:4f:d0:e2:02:d8:14:81:fc:48:08:00 SRC=10.240.1.60 DST=10.230.1.23 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=45312 DF PROTO=ICMP TYPE=8 CODE=0 ID=2833 SEQ=1

Another example for an accept rule event is shown below. The log event prefix is "AvxRl StatefulGW2 A:", where the gateway name is StatefulGW2, "A" represents Accept.

2019-04-10T23:34:47.602166+00:00 ip-10-240-0-44 kernel: [ 5036.705845] AvxRl StatfulGW2 A:IN=eth0 OUT=eth0 MAC=02:bd:e5:4f:d0:e2:02:d8:14:81:fc:48:08:00 SRC=10.240.1.60 DST=10.230.1.23 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=48453 DF PROTO=ICMP TYPE=8 CODE=0 ID=2834 SEQ=1

AviatrixGwMicroSegPacket:

You need to configure Distributed Firewalling micro-segmentation policies to see AviatrixGwMicrosegPacket logs.

Logs with this prefix come from your configured Distributed Firewalling micro-segmentation policies. These logs contain the following information:

  • timestamp

  • source IP

  • destination IP

  • protocol (for example, ICMP or TCP)

  • port number

  • if a policy is enforced

  • if a policy was allowed or denied

  • gateway name

  • policy ID

A micro-segmentation log example is shown below:

2022-05-25T15:57:43.088860+00:00 ip-10-4-179-71 /usr/local/bin/avx-gw-state-sync[1168]: 2022/05/25 15:57:43 AviatrixGwMicrosegPacket:
POLICY=54ea65c4-313e-4b3d-8db3-1ecc4f0981db SRC_MAC=16:06:11:d7:a1:11 DST_MAC=16:54:ec:50:09:17 IP_SZ=84 SRC_IP=10.4.187.253 DST_IP=10.5.144.38
PROTO=ICMP SRC_PORT=0 DST_PORT=0 DATA=0x ACT=PERMIT ENFORCED=true

AviatrixGwNetStats:

Logs with this prefix come from each gateway managed by the Controller. These logs are sampled every minute and give details about gateway network interface.

Two example logs:

2020-06-09T17:29:31.372628+00:00 GW-test-10.23.183.116 perfmon.py: AviatrixGwNetStats:
timestamp=2020-06-09T17:29:31.371791 name=test public_ip=10.23.183.116.fifo private_ip=172.31.78.160
interface=eth0 total_rx_rate=10.06Kb total_tx_rate=12.77Kb total_rx_tx_rate=2.85Kb
total_rx_cum=207.16MB total_tx_cum=1.2MB total_rx_tx_cum=208.36

2020-06-12T08:30:09.297478+00:00 GW-test-10.23.183.116 perfmon.py: AviatrixGwNetStats:
timestamp=2020-06-12T08:30:09.296752 name=test public_ip=10.23.183.116.fifo private_ip=172.31.78.160
interface=eth0 total_rx_rate=8.84Kb total_tx_rate=8.45Kb total_rx_tx_rate=17.29Kb
total_rx_cum=4.63MB total_tx_cum=6.8MB total_rx_tx_cum=11.44MB

AviatrixGwSysStats:

Logs with this prefix come from each gateway managed by the Controller. These logs are sampled every minute and give details about gateway memory, cpu and disk load.

Two example logs:

2020-06-09T17:29:31.372822+00:00 GW-test-10.23.183.116 perfmon.py: AviatrixGwSysStats:
timestamp=2020-06-09T17:29:31.371791 name=test cpu_idle=68
memory_free=414640 memory_available=1222000 memory_total=1871644
disk_total=16197524 disk_free=10982084

2020-06-12T08:22:09.295660+00:00 GW-test-10.23.183.116 perfmon.py: AviatrixGwSysStats:
timestamp=2020-06-12T08:22:09.294333 name=test cpu_idle=99
memory_free=919904 memory_available=1264792 memory_total=1871644
disk_total=16197524 disk_free=11409716

AviatrixFQDNRule

You need to configure FQDN allow lists in order to see these logs.

Logs with this prefix come from each gateway managed by the Controller. Domain name filtering can be configured per gateway via Controller. And every time a gateway tries to access a domain name, it will check if the domain name passes the configured filters. If it does, access will be allowed with the state as MATCHED, otherwise it will be discarded with state as NO_MATCH.

Two example logs:

2019-12-12T04:33:46.892381+00:00 ip-172-32-0-6 avx-nfq: AviatrixFQDNRule2[CRIT]nfq_ssl_handle_client_hello() L#281  Gateway=spoke1-fqdn S_IP=172.32.1.144 D_IP=52.218.234.41 hostname=aviatrix-download.s3-us-west-2.amazonaws.com state=MATCHED  Rule=*.amazonaws.com;1

2019-12-12T04:36:53.173210+00:00 ip-172-32-0-6 avx-nfq: AviatrixFQDNRule1[CRIT]nfq_ssl_handle_client_hello() L#281  Gateway=spoke1-fqdn S_IP=172.32.1.144 D_IP=98.137.246.7 hostname=www.yahoo.com state=NO_MATCH drop_reason=NOT_WHITELISTED

AviatrixTunnelStatusChange

Logs with this prefix come from the Controller whenever a tunnel status changes. old_state means old state of the tunnel, and new_state is the new changed state of tunnel.

Example log:

2019-11-30T15:44:52.718808+00:00 ip-172-32-0-226 cloudxd: AviatrixTunnelStatusChange: src_gw=oregon-transit(AWS us-west-2) dst_gw=100.20.53.124(NA NA) old_state=Down new_state=Up

AviatrixCMD

Logs with this prefix come from the Controller whenever a CLI command is issued. It contains information on the CLI command that was issued, the results of the execution, reason a message if there is a failure and who issued the command.

Example log:

2019-11-19T20:13:44.585942+00:00 ip-172-32-0-226 cloudxd: AviatrixCMD: action=USERCONNECT_UPGRADE_TO_VERSION, argv=['--rtn_file', '/run/shm/rtn957594707', 'userconnect_upgrade_to_version', 'upgrade-status', ''], result=Success, reason=, username=admin

2019-11-19T18:01:59.796230+00:00 ip-172-32-0-226 cloudxd: AviatrixCMD: action=TRANSIT_SPOKE_LIST, argv=['--rtn_file', '/run/shm/rtn2091225061', 'transit_spoke_list', '--spoke_only'], result=Success, reason=, username=admin

AviatrixBGPOverlapCIDR

Log messages with this prefix come from the Controller whenever it detects overlapping CIDRs between on-prem learned and Spoke VPC CIDRs.

Example log:

2018-09-24T20:28:58.330708+00:00 ip-172-31-23-128 cloudxd: AviatrixBGPOverlapCIDR: Time Detected: 2018-09-24 20:28:58.329881

Spoke/Manual CIDRs ['10.0.0.0/8'] have a conflict with BGP Learned CIDRs [u'10.2.0.0/16', u'30.2.0.0/16'] in VPC vpc-782bb21f on connection vgw-bgp-ha.

AviatrixBGPRouteLimitThreshold

Log messages with this prefix come from the Controller whenever it detects that total BGP routes exceed the 80 routes. (AWS VGW has a total 100 route limit.)

Example log:

2018-09-24T20:24:50.600144+00:00 ip-172-31-23-128 cloudxd: AviatrixBGPRouteLimitThreshold: This message is alerting you that the VGW listed below currently has 89 routes, which is approaching the VGW route limits (100). You can reduce the number of routes on VGW both from on-prem side and on Aviatrix Transit gateway by enabling Route Summarization feature.

Time Detected: 2018-09-24 20:24:50.599822

Connection Name: vgw-bgp-ha
VGW Id: vgw-0942b724a5150bc6a

AviatrixGuardDuty

Log messages with this prefix come from the Controller whenever it receives an alert message from AWS GuardDuty.

Example log:

2018-09-23T00:00:50.369963-07:00 ip-172-31-89-197 cloudxd: AviatrixGuardDuty: Account [aws], Region [us-east-1], Instance ID [i-0a675b03fafedd3f2], at 2018-09-23T02:05:35Z, 163.172.7.97 is performing SSH brute force attacks against i-0a675b03fafedd3f2.  Please tighten instance security group to avoid UnauthorizedAccess:EC2/SSHBruteForce threat.

2018-09-23T00:00:50.332066-07:00 ip-172-31-89-197 cloudxd: AviatrixGuardDuty: Account [aws], Region [us-east-1], Instance ID [i-0a675b03fafedd3f2], at 2018-09-23T06:35:40Z, Unprotected port on EC2 instance i-0a675b03fafedd3f2 is being probed. Please tighten instance security group to avoid Recon:EC2/PortProbeUnprotectedPort threat.

AviatrixFireNet

Log messages with this prefix come from the Controller whenever a firewall instance state changes.

Example log:

2019-11-19T09:38:40.070080-08:00 ip-172-31-93-101 cloudxd: AviatrixFireNet: Firewall i-021f23187b8ac81c9~~tran-fw-1 in FireNet VPC vpc-0f943cd05455358ac~~cal-transit-vpc-1 state has been changed to down.

2019-11-19T09:39:03.066869-08:00 ip-172-31-93-101 cloudxd: AviatrixFireNet: Firewall i-021f23187b8ac81c9~~tran-fw-1 in FireNet VPC vpc-0f943cd05455358ac~~cal-transit-vpc-1 state has been changed to unaccessible.

2019-11-19T09:40:12.878075-08:00 ip-172-31-93-101 cloudxd: AviatrixFireNet: Firewall i-021f23187b8ac81c9~~tran-fw-1 in FireNet VPC vpc-0f943cd05455358ac~~cal-transit-vpc-1 state has been changed to up.

AviatrixVPNVersion

Log messages with this prefix come from the Controller whenever it rejects an Aviatrix VPN client connection.

Example log:

2020-02-07T11:38:48.276150-08:00 Controller-52.204.188.212 cloudxd: AviatrixVPNVersion:  The VPN connection was rejected as it did not satisfy the minimum version requirements. Current version: AVPNC-2.4.10 Required minimum version: AVPNC-2.5.7 . The rejected VPN user name is tf-aws-52-tcplb-user1

AviatrixGatewayStatusChanged

These log messages will be seen from the Controller’s syslogs when a gateway’s status changes

Example log:

2020-03-29T00:09:13.201669+00:00 ip-10-88-1-63 cloudxd: AviatrixGatewayStatusChanged: status=down gwname=EMEA-ENG-VPNGateway