SA Cfg: Supported CEF Meta Keys

Document created by RSA Information Design and Development Employee on Mar 22, 2017. Last modified by RSA Information Design and Development Employee on Sep 26, 2017.
Version 2

This topic describes the Common Event Format (CEF) meta keys that Security Analytics global audit logging supports. 

Global audit logging templates that you define for a Log Decoder use Common Event Format (CEF) and must meet the following specific standard requirements:

  • Include the CEF headers in the template.
  • Use only the extensions and custom extensions in a (Key=Value) format from the meta key table below.
  • Ensure that the extensions and custom extensions are in the key=${string}<space>key=${string} format. 

For third-party syslog servers, you can define your own format (CEF or non-CEF).

Procedures related to this table are described in Define a Template for Global Audit Logging and Configure Global Audit Logging.

Supported Common Event Format (CEF) Meta Keys

The following table describes the CEF Syslog meta keys that Security Analytics global audit logging supports. The Datetime and Hostname fields in the Syslog Prefix are not configurable and not included in the template, but they are prepended to every log message by default. The CEF Header is required to conform to the CEF standard and for any CEF parser. The Extensions and Custom Extensions are optional. The 10.5 Default Audit CEF Template contains many of the fields in this table. You can add any of the Extensions and Custom Extensions listed to the global audit logging template that you define. 

| CEF Field | String | Description | SA Meta Keys | Index in Log Decoder |
|---|---|---|---|---|
| Syslog Prefix | | | | |
| Datetime | Not Configurable | Syslog Header date time | event.time.str | Transient |
| Hostname | Not Configurable | Syslog Header hostname | alias.host | None |
| CEF Header | | The CEF Header fields are required to conform to the CEF standard and for any CEF parser. | | |
| CEF:Version | CEF:0 | CEF Header | --STATIC-- | N/A |
| DeviceVendor | ${deviceVendor} | The product vendor, RSA | - | N/A |
| DeviceProduct | ${deviceProduct} | The product family. This is always Security Analytics Audit. | product | Transient |
| DeviceVersion | ${deviceVersion} | Host/Service version | version | Transient |
| Signature ID | ${category} | Identifier of the audit event. It specifies the category of the audit event. | event.type | None |
| Name | ${operation} | Description of the event | event.desc | None |
| Severity | ${severity} | Severity of the audit event | severity | Transient |
| Extensions | | | | |
| deviceExternalId | ${deviceExternalId} | Unique ID of the host or service generating the audit event | hardware.id | Transient |
| deviceFacility | ${deviceFacility} | Syslog facility used when writing the event to syslog daemon. For example, authpriv. | cs.devfacility | Custom |
| deviceProcessName | ${deviceProcessName} | Name of the executable corresponding to dvcpid | process | None |
| dpt | ${destinationPort} | Destination Port | ip.dstport | None |
| dst | ${destinationAddress} | Destination IP Address | ip.dst | None |
| dvcpid | ${deviceProcessId} | ID of the process generating the event, which is the process ID of the Security Analytics service | process.id | Transient |
| msg | ${text} | Free text, extra information, or actual description for the event | msg | Transient |
| outcome | ${outcome} | Outcome of the operation performed corresponding to the audit event | result | Transient |
| proto | ${transportProtocol} | Network protocol used | protocol | Transient |
| requestClientApplication | ${userAgent} | Browser detail of the user accessing the page | user.agent | Transient |
| rt | ${timestamp} | Time at which the event is reported | event.time | None |
| sourceServiceName | ${sourceService} | The service that is responsible for generating this event | service.name | Transient |
| spt | ${sourcePort} | Source Port | ip.srcport | Transient |
| spriv | ${userRole} | User role permissions assignment. For example: admin.owner, appliance.manage, connections.manage, everyone, logs.manage, services.manage, sys.manage, users.manage | | |
| src | ${sourceAddress} | Source IP Address | ip.src | None |
| suser | ${identity} | Identity of the logged on user responsible for generating the audit event | user.dst | None |
| Custom Extensions | | | | |
| deviceService | ${deviceService} | Service responsible for generating the event | cs.devservice | Custom |
| parameters | ${parameters} | API and Operation parameters, which capture specific parameters about a query | index | |
| paramKey | ${key} | A configuration item key. It is the config param for which the audit event is captured. For example: /sys/config/stat.interval | | |
| paramValue | ${value} | A configuration value. It is the value captured during the update. | cs.value | Custom |
| userGroup | ${userGroup} | Role assignment. For example: Administrators, Analysts, MalwareAnalysts, Malware_Analysts, Operators, | | |
| referrerURL | ${referrerUrl} | The parent URL that refers to the current URL | url | Transient |
| sessionId | ${sessionId} | Session or connection identifier | log.session.id | Transient |

Note: Use all of the extensions in the following format: 
deviceProcessName=${deviceProcessName} outcome=${outcome}
Include a <space> between a value and a tagname.

By default, no meta keys are indexed. In the above table, the Index in Log Decoder column shows the state of the flags keyword (Transient, None, or Custom) for each key. If a key is set to Transient, it is parsed but not stored in the database. If it is set to None, it is indexed and stored in the database. A key listed as "Custom" does not exist in the table-map.xml file and, therefore, is not stored or parsed at all.
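A check for the template requirements listed earlier and the index flags just described, as an added example that is not RSA's code: `check_template` (a hypothetical helper) verifies the CEF header, the single-space `key=${string}` layout, and that each key and variable comes from the table, and returns the keys flagged Custom, which the Log Decoder will not parse. The header layout assumes the table's strings in CEF standard order, and the sample templates are constructed.

```python
import re

# key:template variable:"Index in Log Decoder" flag, copied from the table above.
# "-" marks rows whose flag is blank on this page.
ROWS = """
deviceExternalId:deviceExternalId:Transient deviceFacility:deviceFacility:Custom
deviceProcessName:deviceProcessName:None dpt:destinationPort:None
dst:destinationAddress:None dvcpid:deviceProcessId:Transient msg:text:Transient
outcome:outcome:Transient proto:transportProtocol:Transient
requestClientApplication:userAgent:Transient rt:timestamp:None
sourceServiceName:sourceService:Transient spt:sourcePort:Transient
spriv:userRole:- src:sourceAddress:None suser:identity:None
deviceService:deviceService:Custom parameters:parameters:- paramKey:key:-
paramValue:value:Custom userGroup:userGroup:- referrerURL:referrerUrl:Transient
sessionId:sessionId:Transient
"""
SUPPORTED = {k: (v, f) for k, v, f in (r.split(":") for r in ROWS.split())}
# Assumption: header fields use the table's strings in CEF standard order.
HEADER = ("CEF:0|${deviceVendor}|${deviceProduct}|${deviceVersion}|"
          "${category}|${operation}|${severity}|")
PAIR = re.compile(r"(\w+)=\$\{(\w+)\}")

def check_template(template):
    """Return (problems, not_parsed) for one audit logging template."""
    if not template.startswith(HEADER):
        return ["CEF header missing or altered"], []
    problems, not_parsed = [], []
    ext = template[len(HEADER):].strip()
    for token in ext.split(" ") if ext else []:  # exactly one space between pairs
        m = PAIR.fullmatch(token)
        if not m:
            problems.append(f"not key=${{string}}: {token!r}")
            continue
        key, var = m.groups()
        if key not in SUPPORTED:
            problems.append(f"unsupported key: {key}")
        elif var != SUPPORTED[key][0]:
            problems.append(f"{key} takes ${{{SUPPORTED[key][0]}}}")
        elif SUPPORTED[key][1] == "Custom":
            not_parsed.append(key)  # absent from table-map.xml per the page
    return problems, not_parsed

# Constructed sample templates, not taken from the product.
GOOD = HEADER + "rt=${timestamp} suser=${identity} deviceService=${deviceService}"
BAD = HEADER + "suser=${identity}  outcome=$outcome user=${identity} dst=${sourceAddress}"

if __name__ == "__main__":
    for name, tpl in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_template(tpl))
```

A non-empty `not_parsed` list is not a template error: it names the fields that need a table-map.xml entry before they appear as meta on the Log Decoder.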

"Maintain the Table Map Files" provides instructions for verifying and updating the table mappings. "Edit a Service Index File" provides information on updating the custom index file on the Concentrator.
