Logs Export in CEF Format

Event Log Format

| Field type | Field name | Description | Example value |
|---|---|---|---|
| CEF header | CEF:Version | CEF version. | CEF:0 |
| CEF header | Device Vendor | Product vendor. | UserGate |
| CEF header | Device Product | Product type. | NGFW |
| CEF header | Device Version | Product version. | 7 |
| CEF header | Source | Log type. | events |
| CEF header | Origin | Module where the event occurred. | admin_console |
| CEF header | Severity | The severity of the event. | Available values: 1: info; 4: warning; 7: error; 10: critical |
| CEF [extension] | rt | Time when the event was received (in milliseconds since January 1, 1970). | 1652344423822 |
| CEF [extension] | deviceExternalId | The unique name of the device that generated the event. | utmcore@ersthetatica |
| CEF [extension] | suser | The username. | Admin |
| CEF [extension] | cat | Component where the event occurred. | console_auth |
| CEF [extension] | act | Event type. | login_successful |
| CEF [extension] | src | Source IPv4 address. | 192.168.117.254 |
| CEF [extension] | cs1Label | This field is used for event details. | Attributes |
| CEF [extension] | cs1 | Event details in JSON format. | {"name":"MIME_BUILTIN_COMPOSITE","module":"nlist_import"} |

Web access log format

| Field type | Field name | Description | Example value |
|---|---|---|---|
| CEF header | CEF:Version | CEF version. | CEF:0 |
| CEF header | Device Vendor | Product vendor. | UserGate |
| CEF header | Device Product | Product type. | NGFW |
| CEF header | Device Version | Product version. | 7 |
| CEF header | Source | Log name. | webaccess |
| CEF header | Name | Source type. | log |
| CEF header | Threat Level | Threat level for the URL category. | Available values: 2, 4, 6, 8, 10 (the set threat level multiplied by 2); Unknown, if no category is defined. |
| CEF [extension] | rt | Time when the event was received (in milliseconds since January 1, 1970). | 1652344423822 |
| CEF [extension] | deviceExternalId | The unique name of the device that generated the event. | utmcore@ersthetatica |
| CEF [extension] | act | Action taken by the device according to the configured policies. | captive |
| CEF [extension] | reason | The reason why the event was created, e.g. the reason for the site block. | {"id":39,"name":"Social Networking","threat_level":3} |
| CEF [extension] | suser | The username. | user_example (Unknown, if the user is unknown) |
| CEF [extension] | cs1Label | Indicates that a rule was triggered. | Rule |
| CEF [extension] | cs1 | Name of the rule triggered to cause the event. | Default Allow |
| CEF [extension] | src | Traffic source IPv4 address. | 10.10.10.10 |
| CEF [extension] | spt | Source port. | Values: 0-65535. |
| CEF [extension] | cs2Label | Indicates the source zone. | Source Zone |
| CEF [extension] | cs2 | Source zone name. | Trusted |
| CEF [extension] | cs3Label | Indicates the source country. | Source Country |
| CEF [extension] | cs3 | Source country name. | AE (a two-letter country code is displayed) |
| CEF [extension] | dst | IPv4 address of the traffic destination. | 194.226.127.130 |
| CEF [extension] | dpt | Destination port. | Values: 0-65535. |
| CEF [extension] | cs4Label | Indicates the destination zone. | Destination Zone |
| CEF [extension] | cs4 | Destination zone name. | Untrusted |
| CEF [extension] | cs5Label | Indicates the destination country. | Destination Country |
| CEF [extension] | cs5 | Destination country name. | AE (a two-letter country code is displayed) |
| CEF [extension] | cs6Label | Indicates whether the content was decrypted. | Decrypted |
| CEF [extension] | cs6 | Whether the content was decrypted. | true, false |
| CEF [extension] | app | Application layer protocol and its version. | HTTP/1.1 |
| CEF [extension] | requestMethod | Method used to access the URL address (POST, GET, etc.). | GET |
| CEF [extension] | request | In the case of an HTTP request, the field contains the URL of the requested resource and the protocol used. | http://www.secure.com |
| CEF [extension] | requestContext | Request source URL (HTTP referer). | https://www.google.com/ |
| CEF [extension] | requestClientApplication | Browser user agent. | Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0 |
| CEF [extension] | cn3Label | Specifies the server's original response. | Response |
| CEF [extension] | cn3 | Status code. | 302 |
| CEF [extension] | flexString1Label | Refers to the content type. | Media type |
| CEF [extension] | flexString1 | The type of the content. | text/html |
| CEF [extension] | flexString2Label | Indicates the category of the requested URL. | URL Categories |
| CEF [extension] | flexString2 | URL category. | Computers & Technology |
| CEF [extension] | in | Number of transmitted inbound bytes (data transferred from the source to the destination). | 231 |
| CEF [extension] | out | Number of transmitted outbound bytes (data transferred from the destination to the source). | 40 |
| CEF [extension] | cn1Label | Indicates the number of packets transmitted from the source to the destination. | Packets sent |
| CEF [extension] | cn1 | Number of packets transmitted from the source to the destination. | 3 |
| CEF [extension] | cn2Label | Indicates the number of packets transmitted from the destination to the source. | Packets received |
| CEF [extension] | cn2 | Number of packets transmitted from the destination to the source. | 1 |

DNS log format

| Field type | Field name | Description | Example value |
|---|---|---|---|
| CEF header | CEF:Version | CEF version. | CEF:0 |
| CEF header | Device Vendor | Product vendor. | UserGate |
| CEF header | Device Product | Product type. | NGFW |
| CEF header | Device Version | Product version. | 7 |
| CEF [extension] | rt | Time when the event was received (in milliseconds since January 1, 1970). | 1701085036026 |
| CEF [extension] | deviceExternalId | The unique name of the device that generated the event. | utmcore@ntoorereaeda |
| CEF [extension] | act | Action taken by the device according to the configured policies. | block |
| CEF [extension] | reason | The reason why the event was created, e.g. the URL category on which the rule was triggered. | {"url_cats":[{"id":37,"name":"Search Engines & Portals","threat_level":1}]} |
| CEF [extension] | app | Application layer protocol. | DNS |
| CEF [extension] | suser | The username. | user1 (Unknown, if the user is unknown) |
| CEF [extension] | cs1Label | Indicates that a rule was triggered. | Rule |
| CEF [extension] | cs1 | Name of the rule triggered to cause the event. | Rule1 |
| CEF [extension] | dhost | The destination host name, whose address is resolved using the DNS server. | google.com |
| CEF [extension] | proto | Transport-layer (layer 4) protocol used. | UDP |
| CEF [extension] | src | Traffic source IPv4 address. | 10.10.0.11 |
| CEF [extension] | spt | Source port. | Values: 0-65535. |
| CEF [extension] | smac | Source MAC address. | FA:16:3E:65:1C:B4 |
| CEF [extension] | cs2Label | Indicates the source zone. | Source Zone |
| CEF [extension] | cs2 | Source zone name. | Trusted |
| CEF [extension] | cs3Label | Indicates the source country. | Source Country |
| CEF [extension] | cs3 | Source country name. | AE (a two-letter country code is displayed) |
| CEF [extension] | dst | IPv4 address of the traffic destination. | 194.226.127.130 |
| CEF [extension] | dpt | Destination port. | Values: 0-65535. Port 53 is normally used for DNS. |
| CEF [extension] | cs4Label | Indicates the destination zone. | Destination Zone |
| CEF [extension] | cs4 | Destination zone name. | Untrusted |
| CEF [extension] | cs5Label | Indicates the destination country. | Destination Country |
| CEF [extension] | cs5 | Destination country name. | AE (a two-letter country code is displayed) |
| CEF [extension] | cs6Label | Indicates the data being transmitted. | Data |
| CEF [extension] | cs6 | The transmitted data (DNS question and answer sections, in JSON format). | {"question":[{"domain":"google.com","type":"A","class":"IN"}],"answer":[{"domain":"google.com","type":"TXT","class":"IN","ttl":5,"data":"Blocked"},{"domain":"google.com","type":"A","class":"IN","ttl":5,"data":"10.10.0.1"}]} |
| CEF [extension] | flexString1Label | Indicates the category of the requested URL. | URL Categories |
| CEF [extension] | flexString1 | URL category. | Search Engines & Portals |

Differences in the CEF Compact format:

  • The following fields are missing:

    • cs3Label=Source Country; cs3=$src_country

    • cs5Label=Destination Country; cs5=$dst_country

  • The following fields have been changed:

    • cs2Label=SrcZone

    • cs3Label=DstZone; cs3=$dst_zone_name

    • cs4Label=Data; cs4=$data

    • flexString1Label=URLCats

  • Some field values are truncated to 80 characters; this is a general rule for the compact format and applies, for example, to the list of URL categories, the URL, the username, the rule name and the zone name.
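Every table on this page follows the same two-part layout: seven pipe-separated header slots, then a space-separated `key=value` extension in which the generic slots `csN`, `cnN` and `flexStringN` are given their meaning by a companion `csNLabel`, `cnNLabel` or `flexStringNLabel` field. The compact DNS variant just described is the reason to resolve those labels rather than to rely on slot numbers: `cs3` is the source country in the full DNS log but the destination zone in the compact one. The parser below is an added example written for this page; it is not UserGate code. It handles the CEF escapes (`\|` and `\\` in the header; `\=`, `\\`, `\n`, `\r` in the extension), resolves labels (mapping the compact names `SrcZone`, `DstZone` and `URLCats` back to the full ones), decodes the JSON carried in `reason`, `cs1` or `cs6`, and converts `rt` to a UTC timestamp. The two sample lines are constructed from the DNS table's example values; the `dns|log|2` header slots are an assumption, because the DNS table does not list them, and the compact sample has its `cs4` JSON cut to 80 characters to reproduce the truncation rule.

```python
import json
import re
from datetime import datetime, timezone

# Standard CEF header slots. The tables on this page name slots 5-7 per log type
# ("Source", "Name"/"Origin"/"Signature"/"Rule Type", "Severity"/"Threat Level").
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Label renames listed for the CEF Compact format; we key by the full-format label.
COMPACT_LABEL_ALIASES = {"SrcZone": "Source Zone", "DstZone": "Destination Zone",
                         "URLCats": "URL Categories"}

# key=value pairs: a value runs (spaces included) until the next " key=" or end of line;
# "\=" and "\\" inside a value are escape sequences and never terminate it.
_EXT_KV = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=((?:\\.|[^\\])*?)(?=\s[A-Za-z0-9_]+=|$)")
_EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def split_header(line):
    """Return the seven header fields (with \\| and \\\\ unescaped) and the raw extension."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            cur.append(line[i + 1])  # escaped pipe or backslash inside a header field
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line[:40])
    return fields, line[i:]


def parse_extension(ext):
    """Turn 'k=v k2=v v ...' into a dict; values keep their spaces, escapes are decoded."""
    out = {}
    for m in _EXT_KV.finditer(ext):
        raw = m.group(2)
        out[m.group(1)] = re.sub(r"\\(.)", lambda e: _EXT_ESCAPES.get(e.group(1), e.group(0)), raw)
    return out


def parse_cef(line):
    """Parse one CEF line into header, extension, label-resolved values and decoded JSON."""
    fields, ext = split_header(line.rstrip("\r\n"))
    header = dict(zip(HEADER_FIELDS, fields))
    header["version"] = header["version"][len("CEF:"):]
    extension = parse_extension(ext)

    # csN/cnN/flexStringN mean different things per log type, so key by the label text.
    named = {}
    for key, label in extension.items():
        if key.endswith("Label") and key[:-len("Label")] in extension:
            named[COMPACT_LABEL_ALIASES.get(label, label)] = extension[key[:-len("Label")]]

    # reason, cs1 (event log) and cs6 (DNS/SCADA) carry JSON. Values like "[2] BlackSun"
    # (IDPS msg) or a blob cut to 80 characters by the compact format are left undecoded.
    decoded = {}
    for key, value in list(extension.items()) + list(named.items()):
        if value[:1] in ("{", "["):
            try:
                decoded[key] = json.loads(value)
            except json.JSONDecodeError:
                pass

    received = None
    if extension.get("rt", "").isdigit():  # rt is milliseconds since the Unix epoch
        received = datetime.fromtimestamp(int(extension["rt"]) / 1000, tz=timezone.utc)
    return {"header": header, "extension": extension, "named": named,
            "json": decoded, "received": received}


# Constructed sample lines built from the DNS table's example values (not device output).
FULL_DNS_LINE = (
    "CEF:0|UserGate|NGFW|7|dns|log|2|rt=1701085036026 deviceExternalId=utmcore@ntoorereaeda "
    'act=block reason={"url_cats":[{"id":37,"name":"Search Engines & Portals","threat_level":1}]} '
    "app=DNS suser=user1 cs1Label=Rule cs1=Rule1 dhost=google.com proto=UDP src=10.10.0.11 "
    "spt=51234 smac=FA:16:3E:65:1C:B4 cs2Label=Source Zone cs2=Trusted cs3Label=Source Country "
    "cs3=AE dst=194.226.127.130 dpt=53 cs4Label=Destination Zone cs4=Untrusted "
    'cs5Label=Destination Country cs5=AE cs6Label=Data cs6={"question":[{"domain":"google.com",'
    '"type":"A","class":"IN"}],"answer":[{"domain":"google.com","type":"TXT","class":"IN",'
    '"ttl":5,"data":"Blocked"}]} flexString1Label=URL Categories '
    "flexString1=Search Engines & Portals"
)
COMPACT_DNS_LINE = (
    "CEF:0|UserGate|NGFW|7|dns|log|2|rt=1701085036026 deviceExternalId=utmcore@ntoorereaeda "
    "act=block app=DNS suser=user1 cs1Label=Rule cs1=Rule1 dhost=google.com proto=UDP "
    "src=10.10.0.11 spt=51234 cs2Label=SrcZone cs2=Trusted dst=194.226.127.130 dpt=53 "
    "cs3Label=DstZone cs3=Untrusted cs4Label=Data "
    'cs4={"question":[{"domain":"google.com","type":"A","class":"IN"}],"answer":[{"domain '
    "flexString1Label=URLCats flexString1=Search Engines & Portals"
)

if __name__ == "__main__":
    for name, line in (("full", FULL_DNS_LINE), ("compact", COMPACT_DNS_LINE)):
        rec = parse_cef(line)
        print(name, rec["received"].isoformat(), rec["named"])
```

The value regex relies on the CEF rule that `=` inside a value is escaped as `\=`; a value containing an unescaped ` word=` sequence would be split early, so test the parser against real exports before trusting it in a pipeline. In the compact format the JSON in `cs4` can be cut at 80 characters, which is why JSON decoding is best-effort and the raw string stays available under `named["Data"]`.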

Traffic log format

| Field type | Field name | Description | Example value |
|---|---|---|---|
| CEF header | CEF:Version | CEF version. | CEF:0 |
| CEF header | Device Vendor | Product vendor. | UserGate |
| CEF header | Device Product | Product type. | NGFW |
| CEF header | Device Version | Product version. | 7 |
| CEF header | Source | Log type. | traffic |
| CEF header | Rule Type | Type of the rule triggered to cause the event. | firewall |
| CEF header | Threat Level | Application threat level. | Available values: from 1 (if no application) to 10 (the set threat level multiplied by 2). |
| CEF [extension] | rt | Time when the event was received (in milliseconds since January 1, 1970). | 1652344423822 |
| CEF [extension] | deviceExternalId | The unique name of the device that generated the event. | utmcore@ersthetatica |
| CEF [extension] | suser | The username. | user_example (Unknown, if the user is unknown) |
| CEF [extension] | act | Action taken by the device according to the configured policies. | accept |
| CEF [extension] | cs1Label | Indicates that a rule was triggered. | Rule |
| CEF [extension] | cs1 | Name of the rule triggered to cause the event. | Allow trusted to untrusted |
| CEF [extension] | src | Traffic source IPv4 address. | 10.10.10.10 |
| CEF [extension] | spt | Source port. | Values: 0-65535. |
| CEF [extension] | cs2Label | Indicates the source zone. | Source Zone |
| CEF [extension] | cs2 | Source zone name. | Trusted |
| CEF [extension] | cs3Label | Indicates the source country. | Source Country |
| CEF [extension] | cs3 | Source country name. | AE (a two-letter country code is displayed) |
| CEF [extension] | proto | Transport-layer (layer 4) protocol used. | TCP or UDP |
| CEF [extension] | dst | IPv4 address of the traffic destination. | 194.226.127.130 |
| CEF [extension] | dpt | Destination port. | Values: 0-65535. |
| CEF [extension] | cs4Label | Indicates the destination zone. | Destination Zone |
| CEF [extension] | cs4 | Destination zone name. | Untrusted |
| CEF [extension] | cs5Label | Indicates the destination country. | Destination Country |
| CEF [extension] | cs5 | Destination country name. | AE (a two-letter country code is displayed) |
| CEF [extension] | sourceTranslatedAddress | Source address after translation (if NAT rules are configured). | 192.168.174.134 (0.0.0.0 if not) |
| CEF [extension] | sourceTranslatedPort | Source port after translation (if NAT rules are configured). | Values: 0-65535 (0 if not) |
| CEF [extension] | destinationTranslatedAddress | Destination address after translation (if NAT rules are configured). | 192.226.127.130 (0.0.0.0 if not) |
| CEF [extension] | destinationTranslatedPort | Destination port after translation (if NAT rules are configured). | Values: 0-65535 (0 if not) |
| CEF [extension] | in | Number of transmitted inbound bytes (data transferred from the source to the destination). | 231 |
| CEF [extension] | out | Number of transmitted outbound bytes (data transferred from the destination to the source). | 40 |
| CEF [extension] | cn1Label | Indicates the number of packets transmitted from the source to the destination. | Packets sent |
| CEF [extension] | cn1 | Number of packets transmitted from the source to the destination. | 3 |
| CEF [extension] | cn2Label | Indicates the number of packets transmitted from the destination to the source. | Packets received |
| CEF [extension] | cn2 | Number of packets transmitted from the destination to the source. | 1 |

IDPS log format

| Field type | Field name | Description | Example value |
|---|---|---|---|
| CEF header | CEF:Version | CEF version. | CEF:0 |
| CEF header | Device Vendor | Product vendor. | UserGate |
| CEF header | Device Product | Product type. | NGFW |
| CEF header | Device Version | Product version. | 7 |
| CEF header | Source | Log type. | idps |
| CEF header | Signature | Name of the triggered IPS signature. | BlackSun Test |
| CEF header | Threat Level | Signature threat level. | Available values: from 2 to 10 (the set threat level multiplied by 2). |
| CEF [extension] | rt | Time when the event was received (in milliseconds since January 1, 1970). | 1652344423822 |
| CEF [extension] | deviceExternalId | The unique name of the device that generated the event. | utmcore@ersthetatica |
| CEF [extension] | suser | The username. | user_example (Unknown, if the user is unknown) |
| CEF [extension] | act | Action taken by the device according to the configured policies. | accept |
| CEF [extension] | cs1Label | Indicates that a rule was triggered. | Rule |
| CEF [extension] | cs1 | Name of the rule triggered to cause the event. | IDPS Rule Example |
| CEF [extension] | msg | Signature threat level and name. | [2] BlackSun |
| CEF [extension] | app | Application layer protocol. | HTTP |
| CEF [extension] | proto | Transport-layer (layer 4) protocol used. | TCP or UDP |
| CEF [extension] | src | Traffic source IPv4 address. | 10.10.10.10 |
| CEF [extension] | spt | Source port. | Values: 0-65535. |
| CEF [extension] | cs2Label | Indicates the source zone. | Source Zone |
| CEF [extension] | cs2 | Source zone name. | Trusted |
| CEF [extension] | cs3Label | Indicates the source country. | Source Country |
| CEF [extension] | cs3 | Source country name. | AE (a two-letter country code is displayed) |
| CEF [extension] | dst | IPv4 address of the traffic destination. | 194.226.127.130 |
| CEF [extension] | dpt | Destination port. | Values: 0-65535. |
| CEF [extension] | cs4Label | Indicates the destination zone. | Destination Zone |
| CEF [extension] | cs4 | Destination zone name. | Untrusted |
| CEF [extension] | cs5Label | Indicates the destination country. | Destination Country |
| CEF [extension] | cs5 | Destination country name. | AE (a two-letter country code is displayed) |
| CEF [extension] | in | Number of transmitted inbound bytes (data transferred from the source to the destination). | 231 |
| CEF [extension] | out | Number of transmitted outbound bytes (data transferred from the destination to the source). | 40 |

SCADA log format

| Field type | Field name | Description | Example value |
|---|---|---|---|
| CEF header | CEF:Version | CEF version. | CEF:0 |
| CEF header | Device Vendor | Product vendor. | UserGate |
| CEF header | Device Product | Product type. | NGFW |
| CEF header | Device Version | Product version. | 7 |
| CEF header | Source | Log name. | scada |
| CEF header | Name | Source type. | log |
| CEF header | PDU Severity | SCADA severity. | Available values: 1: very low; 2: low; 3: medium; 4: high; 5: very high |
| CEF [extension] | rt | Time when the event was received (in milliseconds since January 1, 1970). | 1652344423822 |
| CEF [extension] | deviceExternalId | The unique name of the device that generated the event. | utmcore@ersthetatica |
| CEF [extension] | act | Action taken by the device according to the configured policies. | accept |
| CEF [extension] | cs1Label | Indicates that a rule was triggered. | Rule |
| CEF [extension] | cs1 | Name of the rule triggered to cause the event. | Scada Rule Example |
| CEF [extension] | src | Traffic source IPv4 address. | 10.10.10.10 |
| CEF [extension] | spt | Source port. | Values: 0-65535. |
| CEF [extension] | cs2Label | Indicates the source zone. | Source Zone |
| CEF [extension] | cs2 | Source zone name. | Trusted |
| CEF [extension] | cs3Label | Indicates the source country. | Source Country |
| CEF [extension] | cs3 | Source country name. | AE (a two-letter country code is displayed) |
| CEF [extension] | dst | IPv4 address of the traffic destination. | 194.226.127.130 |
| CEF [extension] | dpt | Destination port. | Values: 0-65535. |
| CEF [extension] | cs4Label | Indicates the destination zone. | Destination Zone |
| CEF [extension] | cs4 | Destination zone name. | Untrusted |
| CEF [extension] | cs5Label | Indicates the destination country. | Destination Country |
| CEF [extension] | cs5 | Destination country name. | AE (a two-letter country code is displayed) |
| CEF [extension] | app | Application layer protocol. | Modbus |
| CEF [extension] | cs6Label | Refers to the device information. | PDU Details |
| CEF [extension] | cs6 | Device details in JSON format. | {"protocol":"modbus","pdu_severity":0,"pdu_func":"3","pdu_address":0,"mb_value":0,"mb_quantity":0,"mb_payload":"AAIAAA==","mb_message":"response","mb_addr":0} |

SSH inspection log format

| Field type | Field name | Description | Example value |
|---|---|---|---|
| CEF header | CEF:Version | CEF version. | CEF:0 |
| CEF header | Device Vendor | Product vendor. | UserGate |
| CEF header | Device Product | Product type. | NGFW |
| CEF header | Device Version | Product version. | 7 |
| CEF header | Source | Log name. | ssh |
| CEF header | Name | Source type. | log |
| CEF header | Threat Level | Application threat level. | Available values: from 1 (if no application) to 10 (the set threat level multiplied by 2). |
| CEF [extension] | rt | Time when the event was received (in milliseconds since January 1, 1970). | 1652344423822 |
| CEF [extension] | deviceExternalId | The unique name of the device that generated the event. | utmcore@ersthetatica |
| CEF [extension] | act | Action taken by the device according to the configured policies. | accept |
| CEF [extension] | app | Application layer protocol. | SSH or SFTP |
| CEF [extension] | suser | The username. | user_example (Unknown, if the user is unknown) |
| CEF [extension] | cs1Label | Indicates that a rule was triggered. | Rule |
| CEF [extension] | cs1 | Name of the rule triggered to cause the event. | SSH inspection rule |
| CEF [extension] | src | Traffic source IPv4 address. | 10.10.10.10 |
| CEF [extension] | spt | Source port. | Values: 0-65535. |
| CEF [extension] | smac | Source MAC address. | FA:16:3E:65:1C:B4 |
| CEF [extension] | cs2Label | Indicates the source zone. | Source Zone |
| CEF [extension] | cs2 | Source zone name. | Trusted |
| CEF [extension] | cs3Label | Indicates the source country. | Source Country |
| CEF [extension] | cs3 | Source country name. | AE (a two-letter country code is displayed) |
| CEF [extension] | dst | IPv4 address of the traffic destination. | 194.226.127.130 |
| CEF [extension] | dpt | Destination port. | Values: 0-65535. |
| CEF [extension] | cs4Label | Indicates the destination zone. | Destination Zone |
| CEF [extension] | cs4 | Destination zone name. | Untrusted |
| CEF [extension] | cs5Label | Indicates the destination country. | Destination Country |
| CEF [extension] | cs5 | Destination country name. | AE (a two-letter country code is displayed) |
| CEF [extension] | cs6Label | Refers to the command transmitted via SSH. | Command |
| CEF [extension] | cs6 | Command transmitted via SSH, in JSON format. | whoami |

Mail Security Log Format

| Field type | Field name | Description | Example value |
|---|---|---|---|
| CEF header | CEF:Version | CEF version. | CEF:0 |
| CEF header | Device Vendor | Product vendor. | UserGate |
| CEF header | Device Product | Product type. | NGFW |
| CEF header | Device Version | Product version. | 7 |
| CEF header | Source | Log type. | mailsecurity |
| CEF header | Name | Source type. | log |
| CEF header | Threat Level | Application threat level. | Available values: 0: info; 6: warning; 8: error; 10: critical |
| CEF [extension] | rt | Time when the event was received (in milliseconds since January 1, 1970). | 1652344423822 |
| CEF [extension] | deviceExternalId | The unique name of the device that generated the event. | utmcore@einersonstal |
| CEF [extension] | act | Action taken by the device according to the configured policies. | mark |
| CEF [extension] | suser | The username. | user_example (Unknown, if the user is unknown) |
| CEF [extension] | cs1Label | Indicates the rule name. | Rule |
| CEF [extension] | cs1 | Name of the mail security rule. | Mail security rule |
| CEF [extension] | src | Source IPv4 address. | 10.10.10.10 |
| CEF [extension] | spt | Source port. | Values: 0-65535. |
| CEF [extension] | cs2Label | Indicates the source zone. | Source Zone |
| CEF [extension] | cs2 | Source zone. | Untrusted |
| CEF [extension] | cs3Label | Indicates the country of the traffic source. | Source Country |
| CEF [extension] | cs3 | Traffic source country. | AE (a two-letter country code is displayed) |
| CEF [extension] | dst | Destination IPv4 address. | 10.10.10.10 |
| CEF [extension] | dpt | Destination port. | Values: 0-65535. |
| CEF [extension] | cs4Label | Indicates the traffic destination zone. | Destination Zone |
| CEF [extension] | cs4 | Traffic destination zone name. | Untrusted |
| CEF [extension] | cs5Label | Indicates the country of the traffic destination. | Destination Country |
| CEF [extension] | cs5 | The destination country. | AE (a two-letter country code is displayed) |
| CEF [extension] | app | Application layer protocol. | SMTP |
| CEF [extension] | in | Number of transmitted inbound bytes (data transferred from the source to the destination). | 10 |
| CEF [extension] | out | Number of transmitted outbound bytes (data transferred from the destination to the source). | 10 |
| CEF [extension] | flexString1Label | Indicates the sender's address. | From |
| CEF [extension] | flexString1 | Sender's email. | sender@example.com |
| CEF [extension] | cs6Label | Indicates the recipient's address. | To |
| CEF [extension] | cs6 | Recipient's email. | receiver@example.com |
| CEF [extension] | cn1Label | Indicates the number of packets transmitted from the source to the destination. | Packets sent |
| CEF [extension] | cn1 | Number of packets transmitted from the source to the destination. | 3 |
| CEF [extension] | cn2Label | Indicates the number of packets transmitted from the destination to the source. | Packets received |
| CEF [extension] | cn2 | Number of packets transmitted from the destination to the source. | 1 |

Endpoint Event Log Format

| Field type | Field name | Description | Example value |
|---|---|---|---|
| CEF header | CEF:Version | CEF version. | CEF:0 |
| CEF header | Device Vendor | Product vendor. | UserGate |
| CEF header | Device Product | Product type. | NGFW |
| CEF header | Device Version | Product version. | 7 |
| CEF header | Source | Log type. | endpoint_log |
| CEF header | Name | Source type. | log |
| CEF header | Severity | The severity of the event. | Available values: 0: info; 6: warning; 8: error; 10: critical |
| CEF [extension] | rt | Time when the event was received (in milliseconds since January 1, 1970). | 1652344423822 |
| CEF [extension] | deviceExternalId | ID of the device that generated this event. | 35fb5820-74db-4eac-b05b-d01bc284c4e8 |
| CEF [extension] | suser | The username. | Admin |
| CEF [extension] | msg | Detailed information about the event. | Windows Defender state successfully changed to SECURITY_PRODUCT_STATE_ON. |
| CEF [extension] | cs1Label | Specifies the endpoint device ID. | endpointId |
| CEF [extension] | cs1 | Endpoint device or sensor ID. | 35fb5820-74db-4eac-b05b-d01bc284c4e8 |
| CEF [extension] | cs2Label | Indicates the name of the endpoint device or the sensor. | endpointName |
| CEF [extension] | cs2 | Endpoint device or sensor name. | DESKTOP-0731NFQ |
| CEF [extension] | cs3Label | Indicates the event type. | logLevel |
| CEF [extension] | cs3 | Event type. | Success audit, Warning, Details, Rejection audit, Error |
| CEF [extension] | cs4Label | Specifies the event category. | logCategoryString |
| CEF [extension] | cs4 | The event's category. | Special Logon |
| CEF [extension] | cs5Label | Indicates the log type. | logFile |
| CEF [extension] | cs5 | Type of the Windows log that contains the software and hardware event. | Security (security log file), Application (application log file), System (system log file), Windows PowerShell |
| CEF [extension] | cs6Label | Indicates the log event source. | sourceName |
| CEF [extension] | cs6 | Log event source. | Microsoft-Windows-Security-Auditing |
| CEF [extension] | flexString1Label | Indicates the insertion string. | insertionString |
| CEF [extension] | flexString1 | The insertion string is the EventData block of the Windows event data. | Windows DefenderSECURITY_PRODUCT_STATE_ON |
| CEF [extension] | cn1Label | Indicates the log event code. | logEventCode |
| CEF [extension] | cn1 | Log event code. | 1154 |
| CEF [extension] | cn2Label | Indicates the event ID. | logEventId |
| CEF [extension] | cn2 | Event ID. | 10016 |
| CEF [extension] | cn3Label | Indicates the log event type. | logEventType |
| CEF [extension] | cn3 | Log event type. | 1 (error), 2 (warning), 3 (information), 4 (audit success), 5 (audit failure). |

Endpoint Rule Log Format

| Field type | Field name | Description | Example value |
|---|---|---|---|
| CEF header | CEF:Version | CEF version. | CEF:0 |
| CEF header | Device Vendor | Product vendor. | UserGate |
| CEF header | Device Product | Product type. | NGFW |
| CEF header | Device Version | Product version. | 7 |
| CEF header | Source | Log type. | endpoint_log |
| CEF header | Name | Source type. | log |
| CEF header | Threat Level | Threat level for the URL category. | Values: 1-10: 6: very low; 6: low; 6: medium; 8: high; 10: very high |
| CEF [extension] | rt | Time when the event was received (in milliseconds since January 1, 1970). | 1652344423822 |
| CEF [extension] | deviceExternalId | ID of the device that generated this event. | 35fb5820-74db-4eac-b05b-d01bc284c4e8 |
| CEF [extension] | act | Action taken by the device according to the configured policies. | accept |
| CEF [extension] | filePath | Application to which the firewall rule was applied. | C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe |
| CEF [extension] | cs1Label | Specifies the endpoint device ID. | endpointId |
| CEF [extension] | cs1 | Endpoint device or sensor ID. | 35fb5820-74db-4eac-b05b-d01bc284c4e8 |
| CEF [extension] | cs2Label | Specifies the endpoint device NetBIOS name. | endpointName |
| CEF [extension] | cs2 | Endpoint device NetBIOS name. | DESKTOP-0731NFQ |
| CEF [extension] | cs3Label | Specifies the rule that caused this log record to be created. | Rule |
| CEF [extension] | cs3 | The name of the rule. | Test rule name |
| CEF [extension] | src | Traffic source IPv4 address. | 10.10.10.10 |
| CEF [extension] | spt | Source port. | Values: 0-65535. |
| CEF [extension] | dst | IPv4 address of the traffic destination. | 194.226.127.130 |
| CEF [extension] | dpt | Destination port. | Values: 0-65535. |
| CEF [extension] | shost | Hostname. | www.google.com |
| CEF [extension] | flexString1Label | Refers to the content type. | Media type |
| CEF [extension] | flexString1 | The type of the content. | text/html |
| CEF [extension] | flexString2Label | Indicates the category of the requested URL. | Categories |
| CEF [extension] | flexString2 | URL category. | Computers & Technology |

Endpoint Application Log Format

| Field type | Field name | Description | Example value |
|---|---|---|---|
| CEF header | CEF:Version | CEF version. | CEF:0 |
| CEF header | Device Vendor | Product vendor. | UserGate |
| CEF header | Device Product | Product type. | NGFW |
| CEF header | Device Version | Product version. | 7 |
| CEF header | Source | Log type. | endpoint_applications |
| CEF header | Name | Source type. | log |
| CEF header | Threat Level | Default value. | 0 |
| CEF [extension] | rt | Time when the event was received (in milliseconds since January 1, 1970). | 1652344423822 |
| CEF [extension] | deviceExternalId | ID of the device that generated this event. | 35fb5820-74db-4eac-b05b-d01bc284c4e8 |
| CEF [extension] | act | Action (application start or stop). | start, stop |
| CEF [extension] | suser | User. | DESKTOP-0731NFQ\User |
| CEF [extension] | filePath | Path to the file. | C:\\Windows\\system32\\cmd.exe |
| CEF [extension] | cs1Label | Specifies the endpoint device ID. | endpointId |
| CEF [extension] | cs1 | The endpoint device ID. | 35fb5820-74db-4eac-b05b-d01bc284c4e8 |
| CEF [extension] | cs2Label | Specifies the endpoint device NetBIOS name. | endpointName |
| CEF [extension] | cs2 | Endpoint device NetBIOS name. | DESKTOP-0731NFQ |
| CEF [extension] | spid | Process ID. | 3860 |
| CEF [extension] | fileHash | The application hash. | B4979A9F970029889713D756C3F123643DDE73DA |
| CEF [extension] | cs3Label | Indicates the command line. | cmdLine |
| CEF [extension] | cs3 | Command line. | C:\\Windows\\system32\\sc.exe start w32time task_started |
| CEF [extension] | cs4Label | Indicates the Session ID. | sessionId |
| CEF [extension] | cs4 | Session ID. | 1656395717 |

Endpoint Hardware Log Format

| Field type | Field name | Description | Example value |
|---|---|---|---|
| CEF header | CEF:Version | CEF version. | CEF:0 |
| CEF header | Device Vendor | Product vendor. | UserGate |
| CEF header | Device Product | Product type. | NGFW |
| CEF header | Device Version | Product version. | 7 |
| CEF header | Source | Log type. | endpoint_hardware |
| CEF header | Name | Source type. | log |
| CEF header | Threat Level | Default value. | 0 |
| CEF [extension] | rt | Time when the event was received (in milliseconds since January 1, 1970). | 1652344423822 |
| CEF [extension] | deviceExternalId | ID of the device that generated this event. | 35fb5820-74db-4eac-b05b-d01bc284c4e8 |
| CEF [extension] | act | Action (connect or remove a device). | add_device, remove_device |
| CEF [extension] | cs1Label | Specifies the endpoint device ID. | endpointId |
| CEF [extension] | cs1 | The endpoint device ID. | 35fb5820-74db-4eac-b05b-d01bc284c4e8 |
| CEF [extension] | cs2Label | Specifies the endpoint device NetBIOS name. | endpointName |
| CEF [extension] | cs2 | Endpoint device NetBIOS name. | DESKTOP-0731NFQ |
| CEF [extension] | sourceServiceName | The Windows driver through which the computer communicates with the hardware device. | USBHUB3 |
| CEF [extension] | cs3Label | Specifies the ID of the device being connected or removed. | deviceId |
| CEF [extension] | cs3 | Device ID. | USB\\VID_0E0F&PID_0002\\6&201153C1&0&8 |
| CEF [extension] | cs4Label | Indicates the device name. | deviceName |
| CEF [extension] | cs4 | The name of the device. | Kingston DataTraveler 2.0 USB Device |

Windows Active Directory Log Format

| Field type | Field name | Description | Example value |
|---|---|---|---|
| CEF header | CEF:Version | CEF version. | CEF:0 |
| CEF header | Device Vendor | Product vendor. | UserGate |
| CEF header | Device Product | Product type. | NGFW |
| CEF header | Device Version | Product version. | 7 |
| CEF header | Source | Log name. | endpoint_log |
| CEF header | Name | Source type. | log |
| CEF header | Threat Level | Threat level. | Available values: from 1 to 10 (the set threat level multiplied by 2). |
| CEF [extension] | rt | Time when the event was received (in milliseconds since January 1, 1970). | 1701085036026 |
| CEF [extension] | deviceExternalId | The unique name of the device that generated the event. | utmcore@ntoorereaeda |
| CEF [extension] | suser | The username. | user1.dep.local |
| CEF [extension] | msg | The event description in the AD log. | Group membership information Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-21-3795870133-5220325-2125745684-1103 Account Name: user1 Account Domain: DEP Logon ID: 0xA57A446 Event in sequence: 1 of 1 Group Membership: %{S-1-5-21-3795870133-5220325-2125745684-513} %{S-1-1-0} %{S-1-5-32-544} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-554} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-5-21-3795870133-5220325-2125745684-512} %{S-1-5-21-3795870133-5220325-2125745684-572} %{S-1-5-64-10} %{S-1-16-12288} The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. This event is generated when the Audit Group Membership subcategory is configured. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session. |
| CEF [extension] | cn1Label | Indicates the event code in the AD log. | logEventCode |
| CEF [extension] | cn1 | Event code. | 4627 |
| CEF [extension] | cn2Label | Indicates the event ID in the AD log. | logEventId |
| CEF [extension] | cn2 | Event ID. | 4627 |
| CEF [extension] | cn3Label | Indicates the event type in the Windows log (System\Security\Application, etc.). | logEventType |
| CEF [extension] | cn3 | Windows log event type. | 4 |
| CEF [extension] | cs1Label | Indicates the ID of the endpoint that is the source of the event. | endpointId |
| CEF [extension] | cs1 | The endpoint device ID. | 16535060-5a1a-4e92-8331-239406ec34da |
| CEF [extension] | cs2Label | Indicates the name of the endpoint that is the source of the event (UserGate client, WMI sensor, etc.). | endpointName |
| CEF [extension] | cs2 | Endpoint device name. | dep.local |
| CEF [extension] | cs3Label | Indicates the severity of the event in the AD log. | logLevel |
| CEF [extension] | cs3 | Event severity level. | Audit Success |
| CEF [extension] | cs4Label | Indicates the event category code (12554 Group Membership, 12544 Logon, 14337 Kerberos Service Ticket Operations, etc.). | logCategoryString |
| CEF [extension] | cs4 | The event's category. | Group Membership |
| CEF [extension] | cs5Label | Indicates the Windows log file. | logFile |
| CEF [extension] | cs5 | Windows log file. | Security |
| CEF [extension] | cs6Label | Indicates the source of the AD log. | sourceName |
| CEF [extension] | cs6 | The source of the AD log. | Microsoft-Windows-Security-Auditing |
| CEF [extension] | flexString1Label | Indicates the content of the event in the AD log. | insertionString |
| CEF [extension] | flexString1 | Parameters of the AD log event after message parsing. | ['S-1-0-0', '-', '-', '0x0', 'S-1-5-21-3795870133-5220325-2125745684-1103', 'user1', 'DEP', '0x7a25a21', '3', '1', '1', '\ \ \\t\\t%{S-1-5-21-3795870133-5220325-2125745684-513}\ \ \\t\\t%{S-1-1-0}\ \ \\t\\t%{S-1-5-32-544}\ \ \\t\\t%{S-1-5-32-555}\ \ \\t\\t%{S-1-5-32-545}\ \ \\t\\t%{S-1-5-32-554}\ \ \\t\\t%{S-1-5-2}\ \ \\t\\t%{S-1-5-11}\ \ \\t\\t%{S-1-5-15}\ \ \\t\\t%{S-1-5-21-3795870133-5220325-2125745684-512}\ \ \\t\\t%{S-1-5-21-3795870133-5220325-2125745684-572}\ \ \\t\\t%{S-1-5-64-10}\ \ \\t\\t%{S-1-16-12288}'] |

Syslog Format

| Field type | Field name | Description | Example value |
|---|---|---|---|
| CEF header | CEF:Version | CEF version. | CEF:0 |
| CEF header | Device Vendor | Product vendor. | UserGate |
| CEF header | Device Product | Product type. | NGFW |
| CEF header | Device Version | Product version. | 7 |
| CEF header | Source | Log name. | syslog |
| CEF header | Name | Source type. | log |
| CEF header | Threat Level | Threat level. | Available values: from 1 to 10 (the set threat level multiplied by 2). |
| CEF [extension] | rt | Time when the event was received (in milliseconds since January 1, 1970). | 1701085036026 |
| CEF [extension] | deviceExternalId | The unique name of the device that generated the event. | utmcore@ntoorereaeda |
| CEF [extension] | msg | The event description. | [3603:3603:1128/175000.938565:ERROR:CONSOLE(6)] "console.assert", source: devtools://devtools/bundled/devtools-frontend/front_end/panels/console/console.js (6) |
| CEF [extension] | cn1Label | Indicates the source type of Syslog events. For more information about Syslog facility values, see RFC 5424. | Facility |
| CEF [extension] | cn1 | Syslog event source type. Example: user-level messages. | 1 |
| CEF [extension] | cs1Label | Indicates the name of the device where the event occurred. | Hostname |
| CEF [extension] | cs1 | The name of the computer where the event occurred. | node1 |
| CEF [extension] | cs2Label | Indicates the application that caused the event. | Tag |
| CEF [extension] | cs2 | The application that caused the event. | org.gnome.Shell.desktop |
| CEF [extension] | cs3Label | Indicates the process ID of the event. | ProcessID |
| CEF [extension] | cs3 | PID of the process triggering the event. | 3036 |
| CEF [extension] | cs4Label | Indicates that a rule was triggered. | Rule |
| CEF [extension] | cs4 | Name of the rule triggered to cause the event. | Example - Allow user-level messages |

UserID log format

| Field type | Field name | Description | Example value |
|---|---|---|---|
| CEF header | CEF:Version | CEF version. | CEF:0 |
| CEF header | Device Vendor | Product vendor. | UserGate |
| CEF header | Device Product | Product type. | NGFW |
| CEF header | Device Version | Product version. | 7 |
| CEF [extension] | rt | Time when the event was received (in milliseconds since January 1, 1970). | 1701085036026 |
| CEF [extension] | deviceExternalId | The unique name of the device that generated the event. | utmcore@ntoorereaeda |
| CEF [extension] | act | Action taken by the device according to the configured policies. | login |
| CEF [extension] | reason | The reason why the event was created. | {"user_groups_sids":["S-1-5-21-3795870133-5220325-2125745684-513","S-1-5-21-3795870133-5220325-2125745684-512"],"user_sid":"S-1-5-21-3795870133-5220325-2125745684-1103","login":"user1","domain":"DEV","event_id":4624} |
| CEF [extension] | suser | The username. | user1 (Unknown, if the user is unknown) |
| CEF [extension] | cs1Label | Indicates that a rule was triggered. | Rule |
| CEF [extension] | cs1 | Name of the rule triggered to cause the event. | dev.local |
| CEF [extension] | src | Traffic source IPv4 address. | 10.10.0.11 |