
Basic reports for OS Linux, Unix, Windows, Solaris ...

Question asked by Omar Garcia Gilio on May 25, 2018

Hello

I need to create some basic report rules for many OSs (mostly Linux and Windows), so I was thinking of using the 'event.cat.name' meta, because I guess this meta exists for all OS logs. So I was wondering:


Is there a list of all possible values of this meta?


How is this meta generated? I can't see it in the device's parser.


Is it correct to suppose that this meta is generated for all OS logs, and that it has the same value across them? E.g., do all successful user login events (no matter the device type) have <event.cat.name = 'user.activity.successful logins'>?


Is there another meta key that works better than "event.cat.name" for this kind of report?


My goal is to create reports like: successful logins, login failures, user changes, etc.
