DLF Schema for Firewall service The firewall schema can be used for three types of logs: packet filtering firewall, intrusion detection system events and packet accounting devices. The time of the event. What action was associated with that packet. Either denied or permitted. The procotol of the packet. Common protocols are TCP, UDP or ICMP. This should be the IP protocol not higer-level application protocol. The source ip address on the packet. The source port (in the case of the TCP or UDP) protocol. This should be the ICMP type when the protocol is ICMP. The hostname associated with the source IP. The receiving interface. That should be the network interface on which the packet was received. That field should contains the logical name or type of the interface. The hardware address of the receiving interface. That's the MAC address in the case of an ethernet device. The destination ip address on the packet. The destination port (in the case of the TCP or UDP) protocol. This should be the ICMP code when the protocol is ICMP. The hostname associated with the destination IP. The sending interface. That should be the network interface on which the packet was sent (i.e. the outgoing interface). The packet length (that is the header and payload length). This should be the total length of the stream when the event represent multiple packets, for example, in the case of packet accounting done on streams. The rule that triggered that packet to be logged, denied, permitted, etc. A message associated with that packet. This could be an attack signature detected by a Network Intrusion Detection System or anything of similar nature. The number of packets described by this event. This will be 1 in the case of a single packet. It can be higher in the case where multiple packets are compressed into one event. Remember that the length values should reflect the length of all those packets.