The beginning of each line in the log file is the same as it is for other logger levels within Asterisk.
```
[Feb 11 07:57:03] SECURITY[23736] res_security_log.c: <...>
```
The part of the log entry identified by \<...\> is where the security event content resides. The security event content is a comma-separated list of key-value pairs. The key is the information element type, and the value is a quoted string containing the metadata associated with that information element. Any quotes embedded within the content are escaped with a backslash.
```
INFORMATION_ELEMENT_1="IE1 content",INFORMATION_ELEMENT_2="IE2 content"
```
The following list describes the possible information elements and what their associated content looks like:
- IE: SecurityEvent
Content: This is the security event sub-type.
Values: FailedACL, InvalidAccountID, SessionLimit, MemoryLimit, LoadAverageLimit, RequestNotSupported, RequestNotAllowed, AuthMethodNotAllowed, ReqBadFormat, UnexpectedAddress, ChallengeSent, ChallengeResponseFailed, InvalidPassword
- IE: Severity
Content: This is the relative severity of the security event.
Values: Informational, Error
- IE: EventVersion
Content: This is a numeric value that indicates when updates are made to the content of the event.
Values: Monotonically increasing integer, starting at 1
- IE: Service
Content: This is the Asterisk service that generated the event.
Values: TEST, SIP, PJSIP, AMI
- IE: Module
Content: This is the Asterisk module that generated the event.
Values: chan_sip
- IE: AccountID
Content: This is a string used to identify the account associated with the event. In most cases, this would be a username.
- IE: SessionID
Content: This is a string used to identify the session associated with the event. The format of the session identifier is specific to the service. In the case of SIP, this would be the Call-ID.
- IE: SessionTV
Content: The time that the session associated with the SessionID started.
Values: <seconds><microseconds> since epoch
- IE: ACLName
Content: This is a string that identifies which named ACL is associated with this event.
- IE: LocalAddress
Content: This is the local address that was contacted for the related event.
Values: <Address Family>/<Transport>/<Address>/<Port>
Examples:
  - IPV4/UDP/192.168.1.1/5060
  - IPV4/TCP/192.168.1.1/5038
- IE: RemoteAddress
Content: This is the remote address associated with the event.
Examples:
  - IPV4/UDP/192.168.1.2/5060
  - IPV4/TCP/192.168.1.2/5038
- IE: ExpectedAddress
Content: This is the address that was expected to be the remote address.
Examples:
  - IPV4/UDP/192.168.1.2/5060
  - IPV4/TCP/192.168.1.2/5038
- IE: EventTV
Content: This is the timestamp of when the event occurred.
Values: <seconds><microseconds> since epoch
- IE: RequestType
Content: This is a service specific string that represents the invalid request.
- IE: RequestParams
Content: This is a service specific string that represents relevant parameters given with a request that was considered invalid.
- IE: AuthMethod
Content: This is a service specific string that represents an authentication method that was used or requested.
- IE: Challenge
Content: This is a service specific string that represents the challenge provided to a user attempting challenge/response authentication.
- IE: Response
Content: This is a service specific string that represents the response received from a user attempting challenge/response authentication.
- IE: ExpectedResponse
Content: This is a service specific string that represents the response that was expected to be received from a user attempting challenge/response authentication.
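As an added example (not part of the Asterisk documentation or its source code), a small Python parser for the line format described above: it splits the logger prefix, unquotes the comma-separated information elements while honouring backslash-escaped quotes, breaks the address elements into family/transport/address/port, and counts failed-authentication events per remote address. The log lines are constructed from the values listed above, and the function names are this example's own.

```python
import re
from collections import Counter

# Logger prefix shared with other Asterisk log levels, followed by the event body.
PREFIX_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] SECURITY\[(?P<pid>\d+)\] res_security_log\.c: (?P<body>.*)$')
# One information element: KEY="value" where embedded quotes appear as \" ; ends at a comma or end of line.
IE_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"(?:,|$)')
# SecurityEvent sub-types that mark a failed authentication attempt.
AUTH_FAILURES = {"InvalidPassword", "ChallengeResponseFailed", "InvalidAccountID"}

def parse_event_body(body):
    """Parse KEY="value",KEY="value" into a dict; rejects anything that is not in that shape."""
    fields, pos = {}, 0
    while pos < len(body):
        m = IE_RE.match(body, pos)
        if not m:
            raise ValueError(f"malformed information element at offset {pos}")
        fields[m[1]] = m[2].replace('\\"', '"')  # only quotes are escaped in this format
        pos = m.end()
    return fields

def parse_address(value):
    """Split <Address Family>/<Transport>/<Address>/<Port> into its parts."""
    family, transport, address, port = value.split('/', 3)
    return {"family": family, "transport": transport, "address": address, "port": int(port)}

def parse_line(line):
    """Return the event as a dict (prefix fields plus IEs), or None for non-security lines."""
    m = PREFIX_RE.match(line)
    return {"ts": m["ts"], "pid": int(m["pid"]), **parse_event_body(m["body"])} if m else None

def auth_failures_by_remote(lines):
    """Small detection: count failed-auth events per remote IP address."""
    hits = Counter()
    for ev in filter(None, map(parse_line, lines)):
        if ev.get("SecurityEvent") in AUTH_FAILURES and "RemoteAddress" in ev:
            hits[parse_address(ev["RemoteAddress"])["address"]] += 1
    return hits

# Constructed sample lines (not captured from a real system); IE names and values follow the list above.
SAMPLE_LOG = [
    '[Feb 11 07:57:03] SECURITY[23736] res_security_log.c: SecurityEvent="InvalidPassword",EventVersion="2",'
    'Severity="Error",Service="SIP",Module="chan_sip",AccountID="1001",RemoteAddress="IPV4/UDP/192.168.1.2/5060"',
    '[Feb 11 07:57:04] SECURITY[23736] res_security_log.c: SecurityEvent="ReqBadFormat",EventVersion="1",'
    'Severity="Error",Service="AMI",RequestType="login",RequestParams="Username: \\"ad,min\\"",'
    'LocalAddress="IPV4/TCP/192.168.1.1/5038",RemoteAddress="IPV4/TCP/192.168.1.2/5038"',
    '[Feb 11 07:57:05] SECURITY[23736] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventVersion="1",'
    'Severity="Error",Service="AMI",AccountID="admin",RemoteAddress="IPV4/TCP/192.168.1.3/5038"',
]
```

The escaped quote in the second sample line also contains a comma, which is why the elements are split by the quoted-value grammar rather than a plain `split(',')`.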