how to interpret mbox firewall logs
mbox uses Linux kernel firewall (iptables) to track access logs. so the log format is inline with standard iptables log format.
Taking an example below (CMG logs sent to LOG):
[106049.329054] mboxfw-permit:IN=br0 OUT=eth0 PHYSIN=eth2 MAC=00:90:0b:34:b4:7f:00:90:0b:3e:05:0c:08:00 SRC=172.16.3.2 DST=188.8.131.52 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=3868 DF PROTO=TCP SPT=63308 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=
106049.329054 : this is the time of event (in unix format) but it shows readable correctly in GUI and reports.
(Translated time is: 12/5/2016, 12:01:39 AM)
IN=br0: inbound logical interface/network, where user traffic comes in
OUT=eth0: outbound interface/network, where user traffic leaves
PHYSIN=eth2: physical inbound interface, where user traffic comes in (eth2 is part of a bridge group br0)
MAC=00:90:0b:34:b4:7f: destination MAC address
MAC=00:90:0b:3e:05:0c: source MAC address
Type=08:00: ethernet frame (carried an IPv4 datagram)
SRC=172.16.3.2: source IPv4 address
DST=184.108.40.206: destination IPv4 address
LEN=52: size of packet (bytes)
TOS=0x00 The Type of Service of the IP packet.
PREC=0x00 The Precedence of the IP packet.
ID=64564 The id of the IP packet.
PROTO=TCP protocol used
SPT=63308 source port
DPT=22 destination port (PROTO=TCP, with DPT=22, it means SSH application)
So if we interpret above log in a layman term, it will be as below (ignoring other minor details):
"At 12/5/2016, 12:01:39 AM, user 172.16.3.2 (with MAC=00:90:0b:3e:05:0c) coming from local network/eth2 tried to connect to remote server 220.127.116.11 using SSH application."