Event Log Format
|
Field type |
Field name |
Description |
Example value |
|---|---|---|---|
|
CEF header |
CEF:Version |
CEF version. |
CEF:0 |
|
Device Vendor |
Product vendor. |
UserGate |
|
|
Device Product |
Product type. |
NGFW |
|
|
Device Version |
Product version. |
7 |
|
|
Source |
Log type. |
events |
|
|
Origin |
Module where the event occurred. |
admin_console |
|
|
Severity |
The severity of the event. |
Available values:
|
|
|
CEF [extension] |
rt |
Time when the event was received (in milliseconds since January 1, 1970). |
1652344423822 |
|
deviceExternalId |
The unique name of the device that generated the event. |
||
|
suser |
The username. |
Admin |
|
|
cat |
Component where the event occurred. |
console_auth |
|
|
act |
Event type. |
login_successful |
|
|
src |
Source IPv4 address. |
192.168.117.254 |
|
|
cs1Label |
This field is used for event details. |
Attributes |
|
|
cs1 |
Event details in JSON format. |
{"name":"MIME_BUILTIN_COMPOSITE","module":"nlist_import"} |
Web access log format
|
Field type |
Field name |
Description |
Example value |
|---|---|---|---|
|
CEF header |
CEF:Version |
CEF version. |
CEF:0 |
|
Device Vendor |
Product vendor. |
UserGate |
|
|
Device Product |
Product type. |
NGFW |
|
|
Device Version |
Product version. |
7 |
|
|
Source |
Log name. |
webaccess |
|
|
Name |
Source type. |
log |
|
|
Threat Level |
Threat level for the URL category. |
Available values: 2, 4, 6, 8, 10 (the set threat level multiplied by 2); Unknown, if no category is defined. |
|
|
CEF [extension] |
rt |
Time when the event was received (in milliseconds since January 1, 1970). |
1652344423822 |
|
deviceExternalId |
The unique name of the device that generated the event. |
||
|
act |
Action taken by the device according to the configured policies. |
captive |
|
|
reason |
The reason why the event was created, e.g. the reason for the site block. |
{"id":39,"name":"Social Networking","threat_level":3} |
|
|
suser |
The username. |
user_example (Unknown, if the user is unknown) |
|
|
cs1Label |
Indicates that a rule was triggered. |
Rule |
|
|
cs1 |
Name of the rule triggered to cause the event. |
Default Allow |
|
|
src |
Traffic source IPv4 address. |
10.10.10.10 |
|
|
spt |
Source port |
Values: 0-65535. |
|
|
cs2Label |
Indicates the source zone. |
Source Zone |
|
|
cs2 |
Source zone name. |
Trusted |
|
|
cs3Label |
Indicates the source country. |
Source Country |
|
|
cs3 |
Source country name. |
AE (a two-letter country code is displayed) |
|
|
dst |
IPv4 address of the traffic destination. |
194.226.127.130 |
|
|
dpt |
Destination port |
Values: 0-65535. |
|
|
cs4Label |
Indicates the destination zone. |
Destination Zone |
|
|
cs4 |
Destination zone name. |
Untrusted |
|
|
cs5Label |
Indicates the destination country. |
Destination Country |
|
|
cs5 |
Destination country name. |
AE (a two-letter country code is displayed) |
|
|
cs6Label |
Indicates if the content was decrypted. |
Decrypted |
|
|
cs6 |
Decrypted or not. |
true, false |
|
|
app |
Application layer protocol and its version. |
HTTP/1.1 |
|
|
requestMethod |
Method used to access the URL address (POST, GET, etc.). |
GET |
|
|
request |
In the case of an HTTP request, the field contains the URL of the requested resource and the protocol used. |
||
|
requestContext |
Request source URL (HTTP referer). |
||
|
requestClientApplication |
Browser useragent. |
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0 |
|
|
cn3Label |
Specifies the server's original response. |
Response |
|
|
cn3 |
Status code. |
302 |
|
|
flexString1Label |
Refers to the content type. |
Media type |
|
|
flexString1 |
The type of the content. |
text/html |
|
|
flexString2Label |
Indicates the category of the requested URL. |
URL Categories |
|
|
flexString2 |
URL category. |
Computers & Technology |
|
|
in |
Number of transmitted inbound bytes (data transferred from the source to the destination). |
231 |
|
|
out |
Number of transmitted outbound bytes (data transferred from the destination to the source). |
40 |
|
|
cn1Label |
Indicates the number of packets transmitted from the source to the destination. |
Packets sent |
|
|
cn1 |
Number of packets transmitted from the source to the destination. |
3 |
|
|
cn2Label |
Indicates the number of packets transmitted from the destination to the source. |
Packets received |
|
|
cn2 |
Number of packets transmitted from the destination to the source. |
1 |
DNS log format
|
Field type |
Field name |
Description |
Example value |
|---|---|---|---|
|
CEF header |
CEF:Version |
CEF version. |
CEF:0 |
|
Device Vendor |
Product vendor. |
UserGate |
|
|
Device Product |
Product type. |
NGFW |
|
|
Device Version |
Product version. |
7 |
|
|
CEF [extension] |
rt |
Time when the event was received (in milliseconds since January 1, 1970). |
1701085036026 |
|
deviceExternalId |
The unique name of the device that generated the event. |
||
|
act |
Action taken by the device according to the configured policies. |
block |
|
|
reason |
The reason why the event was created, e.g. the URL category on which the rule was triggered. |
{"url_cats":[{"id":37,"name":"Search Engines & Portals","threat_level":1}]} |
|
|
app |
Application layer protocol |
DNS |
|
|
suser |
The username. |
user1 (Unknown, if the user is unknown) |
|
|
cs1Label |
Indicates that a rule was triggered. |
Rule |
|
|
cs1 |
Name of the rule triggered to cause the event. |
Rule1 |
|
|
dhost |
The destination host name, whose address is determined using the DNS server. |
||
|
proto |
Level 4 protocol used. |
UDP |
|
|
src |
Traffic source IPv4 address. |
10.10.0.11 |
|
|
spt |
Source port |
Values: 0-65535. |
|
|
smac |
Source MAC address. |
FA:16:3E:65:1C:B4 |
|
|
cs2Label |
Indicates the source zone. |
Source Zone |
|
|
cs2 |
Source zone name. |
Trusted |
|
|
cs3Label |
Indicates the source country. |
Source Country |
|
|
cs3 |
Source country name. |
AE (a two-letter country code is displayed) |
|
|
dst |
IPv4 address of the traffic destination. |
194.226.127.130 |
|
|
dpt |
Destination port |
Values: 0-65535. Port 53 is normally used for DNS. |
|
|
cs4Label |
Indicates the destination zone. |
Destination Zone |
|
|
cs4 |
Destination zone name. |
Untrusted |
|
|
cs5Label |
Indicates the destination country. |
Destination Country |
|
|
cs5 |
Destination country name. |
AE (a two-letter country code is displayed) |
|
|
cs6Label |
Indicates the data being transmitted. |
Data |
|
|
cs6 |
The transmitted data. |
{"question":[{"domain":"google.com","type":"A","class":"IN"}], "answer":[{"domain":"google.com","type":"TXT","class":"IN","ttl":5,"data":"Blocked"},{"domain":"google.com","type":"A","class":"IN","ttl":5,"data":"10.10.0.1"}]} |
|
|
flexString1Label |
Indicates the category of the requested URL. |
URL Categories |
|
|
flexString1 |
URL category. |
Search Engines & Portals |
Differences in the CEF Compact format:
-
The following fields are missing:
-
cs3Label=Source Country; cs3=$src_country
-
cs5Label=Destination Country; cs5=$dst_country
-
-
The following fields have been changed:
-
cs2Label=SrcZone
-
cs3Label=DstZone; cs3=$dst_zone_name
-
cs4Label=Data; cs4=$data
-
flexString1Label=URLCats
-
-
Some field values are truncated to 80 characters, this is a general rule for the compact format. For example, a list of URL categories, URL, username, rule name, zone name, etc.
Traffic log format
|
Field type |
Field name |
Description |
Example value |
|---|---|---|---|
|
CEF header |
CEF:Version |
CEF version. |
CEF:0 |
|
Device Vendor |
Product vendor. |
UserGate |
|
|
Device Product |
Product type. |
NGFW |
|
|
Device Version |
Product version. |
7 |
|
|
Source |
Log type. |
traffic |
|
|
Rule Type |
Type of the rule triggered to cause the event. |
firewall |
|
|
Threat Level |
Application threat level. |
Available values: from 1 (if no application) to 10 (the set threat level multiplied by 2). |
|
|
CEF [extension] |
rt |
Time when the event was received (in milliseconds since January 1, 1970). |
1652344423822 |
|
deviceExternalId |
The unique name of the device that generated the event. |
||
|
suser |
The username. |
user_example (Unknown, if the user is unknown) |
|
|
act |
Action taken by the device according to the configured policies. |
accept |
|
|
cs1Label |
Indicates that a rule was triggered. |
Rule |
|
|
cs1 |
Name of the rule triggered to cause the event. |
Allow trusted to untrusted |
|
|
src |
Traffic source IPv4 address. |
10.10.10.10 |
|
|
spt |
Source port |
Values: 0-65535. |
|
|
cs2Label |
Indicates the source zone. |
Source Zone |
|
|
cs2 |
Source zone name. |
Trusted |
|
|
cs3Label |
Indicates the source country. |
Source Country |
|
|
cs3 |
Source country name. |
AE (a two-letter country code is displayed) |
|
|
proto |
Level 4 protocol used. |
TCP or UDP |
|
|
dst |
IPv4 address of the traffic destination. |
194.226.127.130 |
|
|
dpt |
Destination port |
Values: 0-65535. |
|
|
cs4Label |
Indicates the destination zone. |
Destination Zone |
|
|
cs4 |
Destination zone name. |
Untrusted |
|
|
cs5Label |
Indicates the destination country. |
Destination Country |
|
|
cs5 |
Destination country name. |
AE (a two-letter country code is displayed) |
|
|
sourceTranslatedAddress |
Source address after reassignment (if NAT rules are configured). |
192.168.174.134 (0.0.0.0 if not) |
|
|
sourceTranslatedPort |
Source port after reassignment (if NAT rules are configured). |
Values: 0-65535 (0 if not) |
|
|
destinationTranslatedAddress |
Destination address after reassignment (if NAT rules are configured). |
192.226.127.130 (0.0.0.0 if not) |
|
|
destinationTranslatedPort |
Destination port after reassignment (if NAT rules are configured). |
Values: 0-65535 (0 if not) |
|
|
in |
Number of transmitted inbound bytes (data transferred from the source to the destination). |
231 |
|
|
out |
Number of transmitted outbound bytes (data transferred from the destination to the source). |
40 |
|
|
cn1Label |
Indicates the number of packets transmitted from the source to the destination. |
Packets sent |
|
|
cn1 |
Number of packets transmitted from the source to the destination. |
3 |
|
|
cn2Label |
Indicates the number of packets transmitted from the destination to the source. |
Packets received |
|
|
cn2 |
Number of packets transmitted from the destination to the source. |
1 |
IDPS log format
|
Field type |
Field name |
Description |
Example value |
|---|---|---|---|
|
CEF header |
CEF:Version |
CEF version. |
CEF:0 |
|
Device Vendor |
Product vendor. |
UserGate |
|
|
Device Product |
Product type. |
NGFW |
|
|
Device Version |
Product version. |
7 |
|
|
Source |
Log type. |
idps |
|
|
Signature |
Name of the triggered IPS signature. |
BlackSun Test |
|
|
Threat Level |
Signature threat level. |
Available values: from 2 to 10 (the set threat level multiplied by 2). |
|
|
CEF [extension] |
rt |
Time when the event was received (in milliseconds since January 1, 1970). |
1652344423822 |
|
deviceExternalId |
The unique name of the device that generated the event. |
||
|
suser |
The username. |
user_example (Unknown, if the user is unknown) |
|
|
act |
Action taken by the device according to the configured policies. |
accept |
|
|
cs1Label |
Indicates that a rule was triggered. |
Rule |
|
|
cs1 |
Name of the rule triggered to cause the event. |
IDPS Rule Example |
|
|
msg |
Signature threat level and name. |
[2] BlackSun |
|
|
app |
Application layer protocol |
HTTP |
|
|
proto |
Level 4 protocol used. |
TCP or UDP |
|
|
src |
Traffic source IPv4 address. |
10.10.10.10 |
|
|
spt |
Source port |
Values: 0-65535. |
|
|
cs2Label |
Indicates the source zone. |
Source Zone |
|
|
cs2 |
Source zone name. |
Trusted |
|
|
cs3Label |
Indicates the source country. |
Source Country |
|
|
cs3 |
Source country name. |
AE (a two-letter country code is displayed) |
|
|
dst |
IPv4 address of the traffic destination. |
194.226.127.130 |
|
|
dpt |
Destination port |
Values: 0-65535. |
|
|
cs4Label |
Indicates the destination zone. |
Destination Zone |
|
|
cs4 |
Destination zone name. |
Untrusted |
|
|
cs5Label |
Indicates the destination country. |
Destination Country |
|
|
cs5 |
Destination country name. |
AE (a two-letter country code is displayed) |
|
|
in |
Number of transmitted inbound bytes (data transferred from the source to the destination). |
231 |
|
|
out |
Number of transmitted outbound bytes (data transferred from the destination to the source). |
40 |
SCADA log format
|
Field type |
Field name |
Description |
Example value |
|---|---|---|---|
|
CEF header |
CEF:Version |
CEF version. |
CEF:0 |
|
Device Vendor |
Product vendor. |
UserGate |
|
|
Device Product |
Product type. |
NGFW |
|
|
Device Version |
Product version. |
7 |
|
|
Source |
Log name. |
scada |
|
|
Name |
Source type. |
log |
|
|
PDU Severity |
SCADA severity. |
Available values:
|
|
|
CEF [extension] |
rt |
Time when the event was received (in milliseconds since January 1, 1970). |
1652344423822 |
|
deviceExternalId |
The unique name of the device that generated the event. |
||
|
act |
Action taken by the device according to the configured policies. |
accept |
|
|
cs1Label |
Indicates that a rule was triggered. |
Rule |
|
|
cs1 |
Name of the rule triggered to cause the event. |
Scada Rule Example |
|
|
src |
Traffic source IPv4 address. |
10.10.10.10 |
|
|
spt |
Source port |
Values: 0-65535. |
|
|
cs2Label |
Indicates the source zone. |
Source Zone |
|
|
cs2 |
Source zone name. |
Trusted |
|
|
cs3Label |
Indicates the source country. |
Source Country |
|
|
cs3 |
Source country name. |
AE (a two-letter country code is displayed) |
|
|
dst |
IPv4 address of the traffic destination. |
194.226.127.130 |
|
|
dpt |
Destination port |
Values: 0-65535. |
|
|
cs4Label |
Indicates the destination zone. |
Destination Zone |
|
|
cs4 |
Destination zone name. |
Untrusted |
|
|
cs5Label |
Indicates the destination country. |
Destination Country |
|
|
cs5 |
Destination country name. |
AE (a two-letter country code is displayed) |
|
|
app |
Application layer protocol |
Modbus |
|
|
cs6Label |
Refers to the device information. |
PDU Details |
|
|
cs6 |
Device details in JSON format. |
{"protocol":"modbus","pdu_severity":0,"pdu_func":"3","pdu_address":0, "mb_value":0,"mb_quantity":0,"mb_payload":"AAIAAA==", "mb_message":"response","mb_addr":0} |
SSH inspection log format
|
Field type |
Field name |
Description |
Example value |
|---|---|---|---|
|
CEF header |
CEF:Version |
CEF version. |
CEF:0 |
|
Device Vendor |
Product vendor. |
UserGate |
|
|
Device Product |
Product type. |
NGFW |
|
|
Device Version |
Product version. |
7 |
|
|
Source |
Log name. |
ssh |
|
|
Name |
Source type. |
log |
|
|
Threat Level |
Application threat level. |
Available values: from 1 (if no application) to 10 (the set threat level multiplied by 2). |
|
|
CEF [extension] |
rt |
Time when the event was received (in milliseconds since January 1, 1970). |
1652344423822 |
|
deviceExternalId |
The unique name of the device that generated the event. |
||
|
act |
Action taken by the device according to the configured policies. |
accept |
|
|
app |
Application layer protocol |
SSH or SFTP |
|
|
suser |
The username. |
user_example (Unknown, if the user is unknown) |
|
|
cs1Label |
Indicates that a rule was triggered. |
Rule |
|
|
cs1 |
Name of the rule triggered to cause the event. |
SSH inspection rule |
|
|
src |
Traffic source IPv4 address. |
10.10.10.10 |
|
|
spt |
Source port |
Values: 0-65535. |
|
|
smac |
Source MAC address. |
FA:16:3E:65:1C:B4 |
|
|
cs2Label |
Indicates the source zone. |
Source Zone |
|
|
cs2 |
Source zone name. |
Trusted |
|
|
cs3Label |
Indicates the source country. |
Source Country |
|
|
cs3 |
Source country name. |
AE (a two-letter country code is displayed) |
|
|
dst |
IPv4 address of the traffic destination. |
194.226.127.130 |
|
|
dpt |
Destination port |
Values: 0-65535. |
|
|
cs4Label |
Indicates the destination zone. |
Destination Zone |
|
|
cs4 |
Destination zone name. |
Untrusted |
|
|
cs5Label |
Indicates the destination country. |
Destination Country |
|
|
cs5 |
Destination country name. |
AE (a two-letter country code is displayed) |
|
|
cs6Label |
Refers to the command transmitted via SSH. |
Command |
|
|
cs6 |
Command transmitted via SSH, in JSON format. |
whoami |
Mail Security Log Format
|
Field type |
Field name |
Description |
Example value |
|---|---|---|---|
|
CEF header |
CEF:Version |
CEF version. |
CEF:0 |
|
Device Vendor |
Product vendor. |
UserGate |
|
|
Device Product |
Product type. |
NGFW |
|
|
Device Version |
Product version. |
7 |
|
|
Source |
Log type. |
mailsecurity |
|
|
Name |
Source type. |
log |
|
|
Threat Level |
Application threat level. |
Available values:
|
|
|
CEF [extension] |
rt |
Time when the event was received (in milliseconds since January 1, 1970). |
1652344423822 |
|
deviceExternalId |
The unique name of the device that generated the event. |
||
|
act |
Action taken by the device according to the configured policies. |
mark |
|
|
suser |
The username. |
user_example (Unknown, if the user is unknown) |
|
|
cs1Label |
Indicates the rule name. |
Rule |
|
|
cs1 |
Name for the mail security rule. |
Mail security rule |
|
|
src |
Source IPv4 address. |
10.10.10.10 |
|
|
spt |
Source port |
Values: 0-65535. |
|
|
cs2Label |
Indicates the source zone. |
Source Zone |
|
|
cs2 |
Source zone |
Untrusted |
|
|
cs3Label |
Indicates the country of the traffic source. |
Source Country |
|
|
cs3 |
Traffic source country. |
AE (a two-letter country code is displayed) |
|
|
dst |
Destination IPv4 address. |
10.10.10.10 |
|
|
dpt |
Destination port |
Values: 0-65535. |
|
|
cs4Label |
Indicates the traffic destination zone. |
Destination Zone |
|
|
cs4 |
Traffic destination zone name. |
Untrusted |
|
|
cs5Label |
Indicates the country of the traffic destination. |
Destination Country |
|
|
cs5 |
The destination country. |
AE (a two-letter country code is displayed) |
|
|
app |
Application layer protocol |
SMTP |
|
|
in |
Number of transmitted inbound bytes (data transferred from the source to the destination). |
10 |
|
|
out |
Number of transmitted outbound bytes (data transferred from the destination to the source). |
10 |
|
|
flexString1Label |
Indicates the sender's address. |
From |
|
|
flexString1 |
Sender's email. |
||
|
cs6Label |
Indicates the recipient's address. |
To |
|
|
cs6 |
Recipient's email. |
||
|
cn1Label |
Indicates the number of packets transmitted from the source to the destination. |
Packets sent |
|
|
cn1 |
Number of packets transmitted from the source to the destination. |
3 |
|
|
cn2Label |
Indicates the number of packets transmitted from the destination to the source. |
Packets received |
|
|
cn2 |
Number of packets transmitted from the destination to the source. |
1 |
Endpoint Event Log Format
|
Field type |
Field name |
Description |
Example value |
|---|---|---|---|
|
CEF header |
CEF:Version |
CEF version. |
CEF:0 |
|
Device Vendor |
Product vendor. |
UserGate |
|
|
Device Product |
Product type. |
NGFW |
|
|
Device Version |
Product version. |
7 |
|
|
Source |
Log type. |
endpoint_log |
|
|
Name |
Source type. |
log |
|
|
Severity |
The severity of the event. |
Available values:
|
|
|
CEF [extension] |
rt |
Time when the event was received (in milliseconds since January 1, 1970). |
1652344423822 |
|
deviceExternalId |
ID of the device generated this event. |
35fb5820-74db-4eac-b05b-d01bc284c4e8 |
|
|
suser |
The username. |
Admin |
|
|
msg |
Detailed information about the event. |
Windows Defender state successfully changed to SECURITY_PRODUCT_STATE_ON. |
|
|
cs1Label |
Specifies the endpoint device ID. |
endpointId |
|
|
cs1 |
Endpoint device or sensor ID. |
35fb5820-74db-4eac-b05b-d01bc284c4e8 |
|
|
cs2Label |
Indicates the name of the endpoint device or the sensor. |
endpointName |
|
|
cs2 |
Endpoint device or sensor name. |
DESKTOP-0731NFQ |
|
|
cs3Label |
Indicates the event type. |
logLevel |
|
|
cs3 |
Event type. |
Success audit, Warning, Details, Rejection audit, Error |
|
|
cs4Label |
Specifies the event category. |
logCategoryString |
|
|
cs4 |
The event's category. |
Special Logon |
|
|
cs5Label |
Indicates the log type. |
logFile |
|
|
cs5 |
Type of the log containing important information on the software and hardware events. |
Security (security log file), Application (application log file), System (system log file), Windows PowerShell |
|
|
cs6Label |
Indicates the log event source. |
sourceName |
|
|
cs6 |
Log event source. |
Microsoft-Windows-Security-Auditing |
|
|
flexString1Label |
Indicates the insertion string. |
insertionString |
|
|
flexString1 |
The insertion string is the EventData block of the Windows event data. |
Windows DefenderSECURITY_PRODUCT_STATE_ON |
|
|
cn1Label |
Indicates the log event code. |
logEventCode |
|
|
cn1 |
Log event code. |
1154 |
|
|
cn2Label |
Indicates the event ID. |
logEventId |
|
|
cn2 |
Event ID. |
10016 |
|
|
cn3Label |
Indicates the log event type. |
logEventType |
|
|
cn3 |
Log event type. |
1 (error), 2 (warning), 3 (information), 4 (audit success), 5 (audit failure). |
Endpoint Rule Log Format
|
Field type |
Field name |
Description |
Example value |
|---|---|---|---|
|
CEF header |
CEF:Version |
CEF version. |
CEF:0 |
|
Device Vendor |
Product vendor. |
UserGate |
|
|
Device Product |
Product type. |
NGFW |
|
|
Device Version |
Product version. |
7 |
|
|
Source |
Log type. |
endpoint_log |
|
|
Name |
Source type. |
log |
|
|
Threat Level |
Threat level for the URL category. |
Values: 1-10:
|
|
|
CEF [extension] |
rt |
Time when the event was received (in milliseconds since January 1, 1970). |
1652344423822 |
|
deviceExternalId |
ID of the device generated this event. |
35fb5820-74db-4eac-b05b-d01bc284c4e8 |
|
|
act |
Action taken by the device according to the configured policies. |
accept |
|
|
filePath |
Application to which the firewall rule was applied. |
C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe |
|
|
cs1Label |
Specifies the endpoint device ID. |
endpointId |
|
|
cs1 |
Endpoint device or sensor ID. |
35fb5820-74db-4eac-b05b-d01bc284c4e8 |
|
|
cs2Label |
Specifies the endpoint device NetBIOS name. |
endpointName |
|
|
cs2 |
Endpoint device NetBIOS name. |
DESKTOP-0731NFQ |
|
|
cs3Label |
Specifies the rule, which resulted to creating this log record. |
Rule |
|
|
cs3 |
The name of the rule. |
Test rule name |
|
|
src |
Traffic source IPv4 address. |
10.10.10.10 |
|
|
spt |
Source port |
Values: 0-65535. |
|
|
dst |
IPv4 address of the traffic destination. |
194.226.127.130 |
|
|
dpt |
Destination port |
Values: 0-65535. |
|
|
shost |
Hostname. |
||
|
flexString1Label |
Refers to the content type. |
Media type |
|
|
flexString1 |
The type of the content. |
text/html |
|
|
flexString2Label |
Indicates the category of the requested URL. |
Categories |
|
|
flexString2 |
URL category. |
Computers & Technology |
Endpoint Application Log Format
|
Field type |
Field name |
Description |
Example value |
|---|---|---|---|
|
CEF header |
CEF:Version |
CEF version. |
CEF:0 |
|
Device Vendor |
Product vendor. |
UserGate |
|
|
Device Product |
Product type. |
NGFW |
|
|
Device Version |
Product version. |
7 |
|
|
Source |
Log type. |
endpoint_applications |
|
|
Name |
Source type. |
log |
|
|
Threat Level |
Default value. |
0 |
|
|
CEF [extension] |
rt |
Time when the event was received (in milliseconds since January 1, 1970). |
1652344423822 |
|
deviceExternalId |
ID of the device generated this event. |
35fb5820-74db-4eac-b05b-d01bc284c4e8 |
|
|
act |
Action (application start or stop). |
start, stop |
|
|
suser |
User |
DESKTOP-0731NFQ\User |
|
|
filePath |
Path to the file. |
C:\\Windows\\system32\\cmd.exe |
|
|
cs1Label |
Specifies the endpoint device ID. |
endpointId |
|
|
cs1 |
The endpoint device ID. |
35fb5820-74db-4eac-b05b-d01bc284c4e8 |
|
|
cs2Label |
Specifies the endpoint device NetBIOS name. |
endpointName |
|
|
cs2 |
Endpoint device NetBIOS name. |
DESKTOP-0731NFQ |
|
|
spid |
Process ID. |
3860 |
|
|
fileHash |
The application hash. |
B4979A9F970029889713D756C3F123643DDE73DA |
|
|
cs3Label |
Indicates the command line. |
cmdLine |
|
|
cs3 |
Command line prompt. |
C:\\Windows\\system32\\sc.exe start w32time task_started |
|
|
cs4Label |
Indicates the Session ID. |
sessionId |
|
|
cs4 |
Session ID. |
1656395717 |
Endpoint Hardware Log Format
|
Field type |
Field name |
Description |
Example value |
|---|---|---|---|
|
CEF header |
CEF:Version |
CEF version. |
CEF:0 |
|
Device Vendor |
Product vendor. |
UserGate |
|
|
Device Product |
Product type. |
NGFW |
|
|
Device Version |
Product version. |
7 |
|
|
Source |
Log type. |
endpoint_hardware |
|
|
Name |
Source type. |
log |
|
|
Threat Level |
Default value. |
0 |
|
|
CEF [extension] |
rt |
Time when the event was received (in milliseconds since January 1, 1970). |
1652344423822 |
|
deviceExternalId |
ID of the device generated this event. |
35fb5820-74db-4eac-b05b-d01bc284c4e8 |
|
|
act |
Action (connect or remove a device). |
add_device, remove_device |
|
|
cs1Label |
Specifies the endpoint device ID. |
endpointId |
|
|
cs1 |
The endpoint device ID. |
35fb5820-74db-4eac-b05b-d01bc284c4e8 |
|
|
cs2Label |
Specifies the endpoint device NetBIOS name. |
endpointName |
|
|
cs2 |
Endpoint device NetBIOS name. |
DESKTOP-0731NFQ |
|
|
sourceServiceName |
A Windows driver that allows the computer to communicate with hardware/device. |
USBHUB3 |
|
|
cs3Label |
Specifies the ID of the device being connected or removed. |
deviceId |
|
|
cs3 |
Device ID. |
USB\\VID_0E0F&PID_0002\\6&201153C1&0&8 |
|
|
cs4Label |
Indicates the device name. |
deviceName |
|
|
cs4 |
The name of the device. |
Kingston DataTraveler 2.0 USB Device |
Windows Active Directory Log Format
|
Field type |
Field name |
Description |
Example value |
|---|---|---|---|
|
CEF header |
CEF:Version |
CEF version. |
CEF:0 |
|
Device Vendor |
Product vendor. |
UserGate |
|
|
Device Product |
Product type. |
NGFW |
|
|
Device Version |
Product version. |
7 |
|
|
Source |
Log name. |
endpoint_log |
|
|
Name |
Source type. |
log |
|
|
Threat Level |
Threat level. |
Available values: from 1 to 10 (the set threat level multiplied by 2). |
|
|
CEF [extension] |
rt |
Time when the event was received (in milliseconds since January 1, 1970). |
1701085036026 |
|
deviceExternalId |
The unique name of the device that generated the event. |
||
|
suser |
The username. |
user1.dep.local |
|
|
msg |
The event description in the AD log. |
Group membership information Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-21-3795870133-5220325-2125745684-1103 Account Name: user1 Account Domain: DEP Logon ID: 0xA57A446 Event in sequence: 1 of 1 Group Membership: %{S-1-5-21-3795870133-5220325-2125745684-513} %{S-1-1-0} %{S-1-5-32-544} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-554} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-5-21-3795870133-5220325-2125745684-512} %{S-1-5-21-3795870133-5220325-2125745684-572} %{S-1-5-64-10} %{S-1-16-12288} The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. This event is generated when the Audit Group Membership subcategory is configured. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session. |
|
|
cn1Label |
Indicates the event code in the AD log. |
logEventCode |
|
|
cn1 |
Event code. |
4627 |
|
|
cn2Label |
Indicates the event ID in the AD log. |
logEventId |
|
|
cn2 |
Event ID. |
4627 |
|
|
cn3Label |
Indicates the event type in the Windows log (System\Security\Application, etc.). |
logEventType |
|
|
cn3 |
Windows log event type. |
4 |
|
|
cs1Label |
Indicates the ID of the endpoint --- the source of the event. |
endpointId |
|
|
cs1 |
The endpoint device ID. |
16535060-5a1a-4e92-8331-239406ec34da |
|
|
cs2Label |
Indicates the name of the endpoint --- the source of the event (UserGate client, WMI sensor, etc.). |
endpointName |
|
|
cs2 |
Endpoint device name. |
dep.local |
|
|
cs3Label |
Indicates the severity of the event in the AD log. |
logLevel |
|
|
cs3 |
Event severity level. |
Audit Success |
|
|
cs4Label |
Indicates the event category code (12554 Group Membership, 12544 Logon, 14337 Kerberos Service Ticket Operations, etc.). |
logCategoryString |
|
|
cs4 |
The event's category. |
Group Membership |
|
|
cs5Label |
Indicates the Windows log file. |
logFile |
|
|
cs5 |
Windows log file |
Security |
|
|
cs6Label |
Indicates the source of the AD log. |
sourceName |
|
|
cs6 |
The source of the AD log. |
Microsoft-Windows-Security-Auditing |
|
|
flexString1Label |
Indicates the content of the event in the AD log. |
insertionString |
|
|
flexString1 |
Parameters of the AD log event after message parsing. |
['S-1-0-0', '-', '-', '0x0', 'S-1-5-21-3795870133-5220325-2125745684-1103', 'user1', 'DEP', '0x7a25a21', '3', '1', '1', '\ \ \\t\\t% {S-1-5-21-3795870133-5220325-2125745684-513}\ \ \\t\\t%{S-1-1-0}\ \ \\t\\t%{S-1-5-32-544}\ \ \\t\\t%{S-1-5-32-555}\ \ \\t\\t%{S-1-5-32-545}\ \ \\t\\t%{S-1-5-32-554}\ \ \\t\\t%{S-1-5-2}\ \ \\t\\t%{S-1-5-11} \ \ \\t\\t%{S-1-5-15}\ \ \\t\\t%{S-1-5-21-3795870133-5220325-2125745684-512}\ \ \\t\\t%{S-1-5-21-3795870133-5220325-2125745684-572}\ \ \\t\\t%{S-1-5-64-10}\ \ \\t\\t%{S-1-16-12288}'] |
Syslog Format
|
Field type |
Field name |
Description |
Example value |
|---|---|---|---|
|
CEF header |
CEF:Version |
CEF version. |
CEF:0 |
|
Device Vendor |
Product vendor. |
UserGate |
|
|
Device Product |
Product type. |
NGFW |
|
|
Device Version |
Product version. |
7 |
|
|
Source |
Log name. |
syslog |
|
|
Name |
Source type. |
log |
|
|
Threat Level |
Threat level. |
Available values: from 1 to 10 (the set threat level multiplied by 2). |
|
|
CEF [extension] |
rt |
Time when the event was received (in milliseconds since January 1, 1970). |
1701085036026 |
|
deviceExternalId |
The unique name of the device that generated the event. |
||
|
msg |
The event description. |
[3603:3603:1128/175000.938565:ERROR:CONSOLE(6)] "console.assert", source: devtools://devtools/bundled/devtools-frontend/front_end/panels/console/console.js (6) |
|
|
cn1Label |
Indicates the source type of Syslog events. For more information about Syslog facility values, see RFC 5424. |
Facility |
|
|
cn1 |
Syslog event source type. Example: user-level messages. |
1 |
|
|
cs1Label |
Indicates the name of the device where the event occurred. |
Hostname |
|
|
cs1 |
The name of the computer where the event occurred. |
node1 |
|
|
cs2Label |
Indicates the application that caused the event. |
Tag |
|
|
cs2 |
The application that caused the event. |
org.gnome.Shell.desktop |
|
|
cs3Label |
Indicates the process ID of the event. |
ProcessID |
|
|
cs3 |
PID of the process triggering the event. |
3036 |
|
|
cs4Label |
Indicates that a rule was triggered. |
Rule |
|
|
cs4 |
Name of the rule triggered to cause the event. |
Example - Allow user-level messages |
UserID log format
|
Field type |
Field name |
Description |
Example value |
|---|---|---|---|
|
CEF header |
CEF:Version |
CEF version. |
CEF:0 |
|
Device Vendor |
Product vendor. |
UserGate |
|
|
Device Product |
Product type. |
NGFW |
|
|
Device Version |
Product version. |
7 |
|
|
CEF [extension] |
rt |
Time when the event was received (in milliseconds since January 1, 1970). |
1701085036026 |
|
deviceExternalId |
The unique name of the device that generated the event. |
||
|
act |
Action taken by the device according to the configured policies. |
login |
|
|
reason |
The reason why the event was created. |
{"user_groups_sids":["S-1-5-21-3795870133-5220325-2125745684-513","S-1-5-21-3795870133-5220325-2125745684-512"], "user_sid":"S-1-5-21-3795870133-5220325-2125745684-1103","login":"user1","domain":"DEV","event_id":4624} |
|
|
suser |
The username. |
user1 (Unknown, if the user is unknown) |
|
|
cs1Label |
Indicates that a rule was triggered. |
Rule |
|
|
cs1 |
Name of the rule triggered to cause the event. |
dev.local |
|
|
src |
Traffic source IPv4 address. |
10.10.0.11 |