mbox uses Linux kernel firewall (iptables) to track access logs. so the log format is inline with standard iptables log format.

Taking an example below (CMG logs sent to LOG):

-----------

[106049.329054] mboxfw-permit:IN=br0 OUT=eth0 PHYSIN=eth2 MAC=00:90:0b:34:b4:7f:00:90:0b:3e:05:0c:08:00 SRC=172.16.3.2 DST=49.128.58.70 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=3868 DF PROTO=TCP SPT=63308 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=

------------

106049.329054 : this is the time of event (in unix format) but it shows readable correctly in GUI and reports.

(Translated time is: 12/5/2016, 12:01:39 AM)

IN=br0: inbound logical interface/network, where user traffic comes in

OUT=eth0: outbound interface/network, where user traffic leaves

PHYSIN=eth2: physical inbound interface, where user traffic comes in (eth2 is part of a bridge group br0)

MAC=00:90:0b:34:b4:7f: destination MAC address

MAC=00:90:0b:3e:05:0c: source MAC address

Type=08:00: ethernet frame (carried an IPv4 datagram)

SRC=172.16.3.2: source IPv4 address

DST=49.128.58.70: destination IPv4 address

LEN=52: size of packet (bytes)

TOS=0x00 The Type of Service of the IP packet.

PREC=0x00 The Precedence of the IP packet.

ID=64564 The id of the IP packet.

PROTO=TCP protocol used

SPT=63308 source port

DPT=22 destination port (PROTO=TCP, with DPT=22, it means SSH application)

So if we interpret above log in a layman term, it will be as below (ignoring other minor details):

"At 12/5/2016, 12:01:39 AM, user 172.16.3.2 (with MAC=00:90:0b:3e:05:0c) coming from local network/eth2 tried to connect to remote server 49.128.58.70 using SSH application."