This topic describes the Common Event Format (CEF) meta keys that NetWitness Platform global audit logging supports. 

Global audit logging templates that you define for a Log Decoder use Common Event Format (CEF) and must meet the following specific standard requirements:

  • Include the CEF headers in the template.
  • Use only the extensions and custom extensions in a (Key=Value) format from the meta key table below.
  • Ensure that the extensions and custom extensions are in the key=%{string}<space>key=%{string} format. 

For third-party syslog servers, you can define your own format (CEF or non-CEF).

Procedures related to this table are described in Define a Template for Global Audit Logging and Configure Global Audit Logging.

Supported Common Event Format (CEF) Meta Keys

The following table describes the CEF Syslog meta keys that NetWitness Platform global audit logging supports. The Datetime and Hostname fields in the Syslog Prefix are not configurable and not included in the template, but they are prepended to every log message by default. The CEF Header is required to conform to the CEF standard and for any CEF parser. The Extensions and Custom Extensions are optional. The Default Audit CEF Template contains many of the fields in this table. You can add any of the Extensions and Custom Extensions listed to the global audit logging template that you define.

CEF FieldStringDescriptionNW Meta Keys

Index in
Log Decoder

Syslog Prefix     
DatetimeNot ConfigurableSyslog Header date timeevent.time.strTransient
HostnameNot ConfigurableSyslog Header hostnamealias.hostNone
CEF Header  The CEF Header fields are required to conform to the CEF standard and for any CEF parser.   
CEF:VersionCEF:0CEF Header--STATIC--N/A
DeviceVendor%{deviceVendor}The product vendor, RSA-N/A
DeviceProduct%{deviceProduct}The product family. This is always NetWitness Platform Audit.productTransient
DeviceVersion%{deviceVersion}Host/Service versionversionTransient
Signature ID%{category}Identifier of the audit event. It specifies the the category of the audit event.event.typeNone
Name%{operation}Description of the eventevent.descNone
Severity%{severity}Severity of the audit eventseverityTransient
deviceExternalId%{deviceExternalId}Unique ID of the host or service generating the audit eventhardware.idTransient
deviceFacility%{deviceFacility}Syslog facility used when writing the event to syslog daemon. For example, authpriv.cs.devfacilityCustom
deviceProcessName%{deviceProcessName}Name of the executable corresponding to dvcpidprocessNone
dpt%{destinationPort}Destination Portip.dstportNone
dst%{destinationAddress}Destination IP Addressip.dstNone
dvcpid%{deviceProcessId}ID of the process generating the event, which is the process ID of the NetWitness Platform serviceprocess.idTransient
msg%{text}Free text, extra information, or actual description for the eventmsgTransient
outcome%{outcome}Outcome of the operation performed corresponding to the audit eventresultTransient
tpt%{transportProtocol}Network protocol usedprotocolTransient
userAgent%{userAgent}Browser detail of the user accessing the pageuser.agentTransient
rt%{timestamp}Time at which the event is reportedevent.timeNone
sourceServiceName%{deviceService}The service that is responsible for generating this eventservice.nameTransient
spt%{sourcePort}Source Portip.srcportTransient
userRole%{userRole}User role permissions assignment. For example:
admin.owner, appliance.manage,
connections.manage, everyone, logs.manage, services.manage,
sys.manage, users.manage
src%{sourceAddress}Source IP Addressip.srcNone
suser%{identity}Identity of the logged on user responsible for generating the audit eventuser.dstNone
Custom Extensions     
params%{parameters}API and Operation parameters, which capture specific parameters about a queryindex
paramKey %{key}A configuration item key. It is the config param for which the audit event is captured.

For example: /sys/config/stat.interval

paramValue%{value}A configuration value. It is the value captured during the meta keyCustom
userGroup%{userGroup}Role assignment. For example:
Administrators, Analysts, MalwareAnalysts,
Malware_Analysts, Operators,
referrerURL%{referrer}The parent URL that refers to the current URLrefererNone
sessionId%{sessionId}Session or connection identifierlog.session.idTransient
remoteAddress%{remoteAddress}Ip address of the destinationip.srcNone
reasonForFailure%{reasonForFailure}reason for failure for the certain action performedresultNone
reason%{reason}Reason for certain action performedresultNone
addRole%{Add.Role}User role Assignmentuser.roleTransient
id%{id}Incident id or host idno meta keyTransient
arguments%{arguments}Value passes between programs or functionsindexTransient
user%{User}Name of the user from the source or destinationuser.dstNone
accountProvider%{AccountProvider}Authentication account for the user. For example, PAM, and PKI.indexTransient
file%{file}Name of the content file used for deploymentfilenameFile
deviceIDs%{deviceIDs}Device id for the particular servicehardware.idTransient
role%{Role}User role assignmentuser.roleTransient
account%{Account}user accountuser.dstNone
addPermission%{Add.Permission}User role permission assignmentpermissionsTransient
key%{Key}Name of a configuration/ruleobj.nameNone
value%{Value}Value of a configuration change. For example, "Value":"HR12". In this example, hours format is changed to 12 meta keyCustom
alert%(alert}Id of the alert, For example, id:5ce457afec6c0f02ffb85acealertTransient
moduleSettings%{ModuleSettings}Message or name of a settingindexTransient
incident%{incident}Id of the incident. For example, INC-313contextNone
action%{action}Action performed by the user. For example, service.stopactionNone
notificationBinding%{NotificationBinding}Type of notification. For example, incident created, alert, incident removedindexTransient
name%{name}name of a configuration or rulealertTransient
enabled%{enabled}Enable the ruleno meta keyCustom
disabled%{disabled}Disable the ruleno meta keyCustom

Note: Use all of the extensions in the following format: 
deviceProcessName=%{deviceProcessName} outcome=%{outcome}
Include a <space> between a value and a tagname.

By default, all meta keys are not indexed. In the above table, the Index in Log Decoder column shows the state of the flags keyword (Transient, None, and Custom). If a key is set to Transient, it is parsed but not stored in the database. If it is set to None, it is indexed and stored in the database. A key listed as "Custom" does not exist in the table-map.xml file and, therefore, it is not stored or parsed at all.

For more information, see the following documentation:

  • The "Maintain the Table Map Files" section in the "Hosts and Services Procedures" topic in the Hosts and Services Getting Started Guide provides instructions for verifying and updating the table mappings.
  • The "Edit a Service Index File" section in the "Hosts and Services Procedures" topic in the Hosts and Services Getting Started Guide provides information on updating the custom index file on the Concentrator.