on Mar 22, 2017This topic describes the Common Event Format (CEF) meta keys that Security Analytics global audit logging supports.
Global audit logging templates that you define for a Log Decoder use Common Event Format (CEF) and must meet the following specific standard requirements:
- Include the CEF headers in the template.
- Use only the extensions and custom extensions in a (Key=Value) format from the meta key table below.
- Ensure that the extensions and custom extensions are in the key=${string}<space>key=${string} format.
For third-party syslog servers, you can define your own format (CEF or non-CEF).
Procedures related to this table are described in Define a Template for Global Audit Logging and Configure Global Audit Logging.
Supported Common Event Format (CEF) Meta Keys
The following table describes the CEF Syslog meta keys that Security Analytics global audit logging supports. The Datetime and Hostname fields in the Syslog Prefix are not configurable and not included in the template, but they are prepended to every log message by default. The CEF Header is required to conform to the CEF standard and for any CEF parser. The Extensions and Custom Extensions are optional. The 10.5 Default Audit CEF Template contains many of the fields in this table. You can add any of the Extensions and Custom Extensions listed to the global audit logging template that you define.
| CEF Field | String | Description | SA Meta Keys | Index in |
|---|---|---|---|---|
| Syslog Prefix | ||||
| Datetime | Not Configurable | Syslog Header date time | event.time.str | Transient |
| Hostname | Not Configurable | Syslog Header hostname | alias.host | None |
| CEF Header | The CEF Header fields are required to conform to the CEF standard and for any CEF parser. | |||
| CEF:Version | CEF:0 | CEF Header | --STATIC-- | N/A |
| DeviceVendor | ${deviceVendor} | The product vendor, RSA | - | N/A |
| DeviceProduct | ${deviceProduct} | The product family. This is always Security Analytics Audit. | product | Transient |
| DeviceVersion | ${deviceVersion} | Host/Service version | version | Transient |
| Signature ID | ${category} | Identifier of the audit event. It specifies the the category of the audit event. | event.type | None |
| Name | ${operation} | Description of the event | event.desc | None |
| Severity | ${severity} | Severity of the audit event | severity | Transient |
| Extensions | ||||
| deviceExternalId | ${deviceExternalId} | Unique ID of the host or service generating the audit event | hardware.id | Transient |
| deviceFacility | ${deviceFacility} | Syslog facility used when writing the event to syslog daemon. For example, authpriv. | cs.devfacility | Custom |
| deviceProcessName | ${deviceProcessName} | Name of the executable corresponding to dvcpid | process | None |
| dpt | ${destinationPort} | Destination Port | ip.dstport | None |
| dst | ${destinationAddress} | Destination IP Address | ip.dst | None |
| dvcpid | ${deviceProcessId} | ID of the process generating the event, which is the process ID of the Security Analytics service | process.id | Transient |
| msg | ${text} | Free text, extra information, or actual description for the event | msg | Transient |
| outcome | ${outcome} | Outcome of the operation performed corresponding to the audit event | result | Transient |
| proto | ${transportProtocol} | Network protocol used | protocol | Transient |
| requestClientApplication | ${userAgent} | Browser detail of the user accessing the page | user.agent | Transient |
| rt | ${timestamp} | Time at which the event is reported | event.time | None |
| sourceServiceName | ${sourceService} | The service that is responsible for generating this event | service.name | Transient |
| spt | ${sourcePort} | Source Port | ip.srcport | Transient |
| spriv | ${userRole} | User role permissions assignment. For example: admin.owner, appliance.manage, connections.manage, everyone, logs.manage, services.manage, storedproc.execute, storedproc.manage, sys.manage, users.manage | privilege | Transient |
| src | ${sourceAddress} | Source IP Address | ip.src | None |
| suser | ${identity} | Identity of the logged on user responsible for generating the audit event | user.dst | None |
| Custom Extensions | ||||
| deviceService | ${deviceService} | Service responsible for generating the event | cs.devservice | Custom |
| parameters | ${parameters} | API and Operation parameters, which capture specific parameters about a query | index | Transient |
| paramKey | ${key} | A configuration item key. It is the config param for which the audit event is captured. For example: /sys/config/stat.interval | cs.key | Custom |
| paramValue | ${value} | A configuration value. It is the value captured during the update. | cs.value | Custom |
| userGroup | ${userGroup} | Role assignment. For example: Administrators, Analysts, MalwareAnalysts, Malware_Analysts, Operators, PRIVILEGED_CONNECTION_ AUTHORITY, SOC_Managers | group | None |
| referrerURL | ${referrerUrl} | The parent URL that refers to the current URL | url | Transient |
| sessionId | ${sessionId} | Session or connection identifier | log.session.id | Transient |
Note: Use all of the extensions in the following format:
deviceProcessName=${deviceProcessName} outcome=${outcome}
Include a <space> between a value and a tagname.
By default, all meta keys are not indexed. In the above table, the Index in Log Decoder column shows the state of the flags keyword (Transient, None, and Custom). If a key is set to Transient, it is parsed but not stored in the database. If it is set to None, it is indexed and stored in the database. A key listed as "Custom" does not exist in the table-map.xml file and, therefore, it is not stored or parsed at all.
"Maintain the Table Map Files" provides instructions for verifying and updating the table mappings. "Edit a Service Index File" provides information on updating the custom index file on the Concentrator.