This format is a logging format for reporting events related to network traffic. Each record starts with an Event Identifier that specifies the format for the rest of the record. The format for event records is fixed and versioned.
The overall format is Comma-Separated Values (http://en.wikipedia.org/wiki/Comma-separated_values). If a string value contains a double quote (“), it should be escaped as two double quotes (“”). There should be flexibility in handling record formats. Certain transports or logging systems may prefix the records with additional information such as a timestamp. This is outside of this specification. Consumers of these records should ignore anything that appears before the “neds.f5” or equivalent prefix for field 1.
String fields should be limited to a maximum length. This should be configured to the same number for the consumer and the producer. A default maximum of 256 characters is suggested. If Unicode text is transported, it should be encoded using UTF-8.
Note that this format is being defined with proxy semantics in mind. That means that this format tries to address the fact that network connections often go through a proxy or load balancer on their way to a server. In this case, there is a client side connection and a server side connection. There may be significant differences between these connections.
Consider that in a caching scenario, there may not even be a server side connection. In order to get a full picture of network traffic, network proxies need to report traffic handled directly as well as traffic passed on to other servers.
For example, the proxy may compress data on the way to the client, so the client side will have fewer packets and bytes transmitted. Vendors defining NEDS formats should be clear about whether information is being described for the client side connection or the server side connection. Generally the client side is the “primary” connection to be reported on. Nevertheless, some of the fields below may refer to the “server side of the proxy”. Generally these fields may be blank in the case where the connection is handled by the network equipment itself.
Syslog is a valid transport for this format. Further transports may be defined that specify compression or other features.
Note this specification is in “beta” testing and should be considered subject to change until it reaches version 1.0.
Field 1: Event Identifier
The format for this field is "neds.Vendor.Context.Event.Version".
Also, this format is supported: "neds.Vendor.Context.Event.Version.Format".
neds is the literal string ‘neds’.
Vendor is a short string (e.g. ‘f5’).
Context is the protocol or area of interest (conn, http, ssl, etc.).
Event is a short string.
Format is a short string (e.g. ‘AES+base64’).
Versions are specific to an event and must be incremented when that event's format changes. Only the vendor responsible for originating a version should define a subsequent version. Vendors should add fields to the end of a format so that consumers of earlier formats can try to consume the new format. New versions which are not compatible with earlier versions in this way should not be introduced without a long warning ahead of time (by publishing the format).
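As an added example (not part of this specification or of any F5 code), a Python consumer and producer that apply the rules above: skip a transport prefix, split the CSV with doubled-quote escaping, enforce the field length limit, decode UTF-8, and decompose the event identifier. The sample record, its field values and the hostname in the syslog-style prefix are constructed; the identifier neds.f5.conn.start.v1 is assembled from the component values this specification gives for the connection start event.

```python
import csv
import io
import re

MAX_FIELD_LEN = 256  # suggested default; producer and consumer must agree on it

# Field 1 grammar: neds.Vendor.Context.Event.Version with an optional .Format
EVENT_ID_RE = re.compile(
    r"^neds\.(?P<vendor>[^.]+)\.(?P<context>[^.]+)\.(?P<event>[^.]+)"
    r"\.(?P<version>[^.]+)(?:\.(?P<format>[^.]+))?$"
)


def parse_event_id(field):
    """Split field 1 into its components; 'format' is None when absent."""
    m = EVENT_ID_RE.match(field)
    if not m:
        raise ValueError("not a NEDS event identifier: %r" % field)
    return m.groupdict()


def parse_record(line, max_len=MAX_FIELD_LEN):
    """Parse one record; anything before the 'neds.' identifier is ignored."""
    if isinstance(line, bytes):
        line = line.decode("utf-8")  # Unicode text is transported as UTF-8
    m = re.search(r'"?neds\.', line)  # the identifier may itself be quoted
    if not m:
        raise ValueError("no NEDS event identifier in record")
    # A transport prefix (e.g. a syslog header) is outside the specification.
    body = line[m.start():]
    # csv.reader turns a doubled quote ("") inside a quoted value back into one.
    fields = next(csv.reader(io.StringIO(body), doublequote=True, strict=True))
    if any(len(f) > max_len for f in fields):
        raise ValueError("field longer than %d characters" % max_len)
    return {"event": parse_event_id(fields[0]), "fields": fields[1:]}


def format_record(event_id, fields):
    """Producer side: emit a record, doubling any embedded double quotes."""
    parse_event_id(event_id)  # refuse to emit a malformed identifier
    out = io.StringIO()
    csv.writer(out, doublequote=True, lineterminator="").writerow([event_id] + list(fields))
    return out.getvalue()


# Constructed sample: a syslog-style prefix (hostname 'bigip1' is made up) and a
# conn.start record whose second field holds an escaped double quote.
SAMPLE = ('<134>Jan  1 00:00:01 bigip1 neds.f5.conn.start.v1,'
          'Inbound,"Device ""edge-1""",10.0.0.5,443')
```

Running `parse_record(SAMPLE)` yields the identifier split into vendor, context, event, version and format, followed by the remaining fields with the embedded quote restored.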
The vendor is 'f5' (F5 Networks).
The context is the connection level.
The event is 'start'.
The version is 'v1'.
The client connection has been established.
Description: A short string that describes the directional nature of the connection, such as whether it is ‘Inbound’ or ‘Outbound’. This may be blank, which should be considered unknown. Other strings may be configured on a site by site basis (e.g. ‘DMZ’). Users should check with their vendor for support before using arbitrary strings here.
The client connection has been closed.
Description: Identifies the device handling the flow.