mbox uses Linux kernel firewall (iptables) to track access logs. so the log format is inline with standard iptables log format.
Taking an example below (CMG logs sent to LOG):
-----------
[106049.329054] mboxfw-permit:IN=br0 OUT=eth0 PHYSIN=eth2 MAC=00:90:0b:34:b4:7f:00:90:0b:3e:05:0c:08:00 SRC=172.16.3.2 DST=49.128.58.70 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=3868 DF PROTO=TCP SPT=63308 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=
------------
106049.329054 : this is the time of event (in unix format) but it shows readable correctly in GUI and reports.
(Translated time is: 12/5/2016, 12:01:39 AM)
IN=br0: inbound logical interface/network, where user traffic comes in
OUT=eth0: outbound interface/network, where user traffic leaves
PHYSIN=eth2: physical inbound interface, where user traffic comes in (eth2 is part of a bridge group br0)
MAC=00:90:0b:34:b4:7f: destination MAC address
MAC=00:90:0b:3e:05:0c: source MAC address
Type=08:00: ethernet frame (carried an IPv4 datagram)
SRC=172.16.3.2: source IPv4 address
DST=49.128.58.70: destination IPv4 address
LEN=52: size of packet (bytes)
TOS=0x00 The Type of Service of the IP packet.
PREC=0x00 The Precedence of the IP packet.
ID=64564 The id of the IP packet.
PROTO=TCP protocol used
SPT=63308 source port
DPT=22 destination port (PROTO=TCP, with DPT=22, it means SSH application)
So if we interpret above log in a layman term, it will be as below (ignoring other minor details):
"At 12/5/2016, 12:01:39 AM, user 172.16.3.2 (with MAC=00:90:0b:3e:05:0c) coming from local network/eth2 tried to connect to remote server 49.128.58.70 using SSH application."