syslog Specification
syslog is a standard for message logging that separates the software that generates messages, the system that stores them, and the software that reports and analyzes them. cognitix Threat Defender supports syslog in the Report Channels.
This specification defines all syslog messages with their information elements used in cognitix-specific events.
syslog Setup
The pw-core application generates reporting messages in syslog format that are readable in the Logging section of the Threat Defender user interface. These messages can then be exported to external syslog receivers as desired.
syslog Messages in General
Every syslog message generated by the pw-core application displays the APP-NAME “pw-core” and can thereby be distinguished from any other syslog message generated by cognitix Threat Defender.
All syslog datasets are provided as key-value pairs separated by =, where the key is never quoted but the value always is.
As far as possible, the syslog datasets of pw-core follow the CIM (Common Information Model). But pw-core also introduces custom dataset definitions where none of the existing ones fit.
Message Types
The following events are generated. The name of an event is also the value of the event_type field.
The flow tracking generates:
flow-update at regular intervals with updated information about a flow.
flow-deleted when a flow is destroyed.
Threats are reported by:
ips-hit when an IPS rule matches.
ioc-hit when an IOC match is found.
policy-hit when a rule with the policy-hit flag in the logging action is triggered.
The policy engine also emits events of the type:
policy-rule-log for matched policy rules with enabled logging.
syslog Fields
The following fields are used by pw-core:
| Field Name | Field Origin | Data Type | Description |
|---|---|---|---|
| | Splunk CIM | string | The action taken by the network device that was triggered by a policy rule hit. Only the values “allowed”, “blocked” and “teardown” are valid. |
| | Splunk CIM | string | The application and protocol of the traffic, reporting the layer 7 application and protocol classification results as short names, e.g. “reddit:ssl”. |
| | cognitix | string | The ID of an asset, in the format |
| | cognitix | string | The name of an asset. |
| | cognitix | string | The ID of the asset matching the destination host, in the format |
| | cognitix | number | Bytes transmitted from destination to source. |
| | cognitix | string | The destination country of a flow, encoded following ISO 3165-1 alpha-2, e.g. “FR”, “DE” or “ZZ” for unknown countries. |
| | Splunk CIM | string | The host name served by the webserver or proxy, in the format |
| | Splunk CIM | string | The interface that is listening remotely or receiving packets locally; can also be referred to as the “egress interface”. |
| | cognitix | string | The name of the egress interface. |
| | Splunk CIM | string | The IP address of the destination, in the format |
| | cognitix | string | The location of the destination host as determined by network object matching; can only be “internal” or “external”. |
| | Splunk CIM | string | The destination TCP/IP layer 1 MAC address of a packet’s destination, such as |
| | cognitix | number | Packets transmitted from destination to source. |
| | Splunk CIM | number | The destination port of the network traffic. |
| | cognitix | number | The application and protocol of the traffic, reporting the layer 7 application and protocol classification results as a number. |
| | Splunk CIM | string | The reporting event type. |
| | Splunk CIM | number | A unique numeric identifier for the flow (uint64). |
| | cognitix | string | A comma-separated list of IoC tags associated with an IoC value. |
| | cognitix | string | The latest IoC matched for a flow, e.g. “9.20.11.3”, “www.example.com”, “www.badurl.nz/kiwi”. |
| | cognitix | string | The IoC indicator type. Only the values “ipv3”, “domain”, “url” are valid. |
| | cognitix | number | The ID of an IPS rule. |
| | cognitix | string | The description string of an IPS rule. |
| | cognitix | string | The ID of a policy scenario, defined in the policy configuration. |
| | cognitix | string | The name of a policy scenario, defined in the policy configuration. |
| | Splunk CIM | string | The product name; will always be set to “td”. |
| | Splunk CIM | string | The OSI layer 2 (network) protocol of the traffic observed, in lower case. For example: ip, appletalk, ipx. |
| | Splunk CIM | string | Version of the OSI layer 3 protocol. |
| | cognitix | string | The name of a policy rule, defined in the policy configuration, that defines the action that was taken in the network event. |
| | cognitix | string | The ID of a policy rule, defined in the policy configuration, that defines the action that was taken in the network event. |
| | Splunk CIM | string | The log action severity according to the CIM naming scheme. Only the values “informational”, “low”, “medium”, “high” are valid. |
| | cognitix | string | The ID of the asset matching the source host, in the format |
| | cognitix | number | Bytes transmitted from source to destination. |
| | cognitix | string | The source country of a flow, encoded following ISO 3165-1 alpha-2, e.g. “FR”, “DE” or “ZZ” for unknown countries. |
| | Splunk CIM | string | The interface that is listening remotely or sending packets locally; can also be referred to as the “ingress interface”. |
| | cognitix | string | The name of the ingress interface. |
| | Splunk CIM | string | The IP address of the source, in the format |
| | cognitix | string | The location of the source host as determined by network object matching; can only be “internal” or “external”. |
| | Splunk CIM | string | The source TCP/IP layer 1 MAC address of a packet’s source, such as |
| | cognitix | number | Packets transmitted from source to destination. |
| | Splunk CIM | number | The source port of the network traffic. |
| | cognitix | number | The timestamp when the message was emitted, in ISO 8601 format with millisecond resolution. |
| | Splunk CIM | string | The hostname of the cognitix Threat Defender instance reporting this event. |
| | Splunk CIM | string | The path of the resource served by the webserver or proxy. |
| | cognitix | string | The ID of the user who is responsible for the existence of the flow. |
| | Splunk CIM | string | The vendor name; will always be set to “cognitix”. |
| | Splunk CIM | string | The log action severity according to the cognitix naming scheme. Only the values “notice”, “low”, “medium”, “high” are valid. |
| | cognitix | number | The outermost VLAN tag. |
cognitix Threat Defender syslog Message Types
Fields
Every syslog message contains the following fields:
vendor
product
host
event_type
Depending on the value of the event_type dataset, the following datasets are appended to a syslog message.
Currently all event types contain flow information. It consists of:
src_interface
src_interface_name
dest_interface (optional)
dest_interface_name (optional)
src_mac
dest_mac
protocol
protocol_version
src_ip
dest_ip
transport
src_port
dest_port
timestamp
src_location
dest_location
src_country_code (optional)
dest_country_code (optional)
flow_id
app
dpi_classification
src_packets_tx
dest_packets_tx
src_bytes_tx
dest_bytes_tx
vlan_id (optional)
src_asset_id (optional)
src_asset_name (optional)
dest_asset_id (optional)
dest_asset_name (optional)
user_id (optional)
user_name (optional)
Events of the types policy-hit
and policy-rule-log
additionally contain:
severity
vendor_severity
policy_id
policy_name
rule_id
rule
action (optional)
Events of the type ips-hit
additionally contain:
ips_rule_id
ips_rule_description
dest_host (optional)
uri_path (optional)
Events of the type ioc-hit
additionally contain:
ioc_tags
ioc_value
ioc_value_type
dest_host (optional)
uri_path (optional)
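The two things a receiver has to get right with this format are the key=value grammar from the "syslog Messages in General" section (key unquoted, value always quoted) and the per-event_type field sets listed above. The following parser and validator is an added example written for this page; it is not code from cognitix or the pw-core application. It assumes that pw-core messages are RFC 5424 framed so that "pw-core" sits in the APP-NAME slot, that a backslash escapes the next character inside a quoted value, and that the field names are exactly the ones listed in the Fields section. The sample messages at the bottom are constructed for the example.

```python
import re

# Assumption: RFC 5424 header, <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG,
# with "-" for empty header slots. Only the APP-NAME and the MSG part matter here.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) (?P<msg>.*)$"
)
# Dataset grammar from the spec: key never quoted, value always quoted.
# Assumption: a backslash escapes the following character inside the value.
KV_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')

# Field sets as listed in the Fields section (required vs. optional).
BASE = {"vendor", "product", "host", "event_type"}
FLOW = {
    "src_interface", "src_interface_name", "src_mac", "dest_mac", "protocol",
    "protocol_version", "src_ip", "dest_ip", "transport", "src_port", "dest_port",
    "timestamp", "src_location", "dest_location", "flow_id", "app", "dpi_classification",
    "src_packets_tx", "dest_packets_tx", "src_bytes_tx", "dest_bytes_tx",
}
FLOW_OPTIONAL = {
    "dest_interface", "dest_interface_name", "src_country_code", "dest_country_code",
    "vlan_id", "src_asset_id", "src_asset_name", "dest_asset_id", "dest_asset_name",
    "user_id", "user_name",
}
POLICY = {"severity", "vendor_severity", "policy_id", "policy_name", "rule_id", "rule"}
EVENT_EXTRAS = {  # event_type -> (required extra fields, optional extra fields)
    "flow-update": (set(), set()),
    "flow-deleted": (set(), set()),
    "policy-hit": (POLICY, {"action"}),
    "policy-rule-log": (POLICY, {"action"}),
    "ips-hit": ({"ips_rule_id", "ips_rule_description"}, {"dest_host", "uri_path"}),
    "ioc-hit": ({"ioc_tags", "ioc_value", "ioc_value_type"}, {"dest_host", "uri_path"}),
}
# Value domains the field table fixes for some datasets.
ENUMS = {
    "vendor": {"cognitix"},
    "product": {"td"},
    "action": {"allowed", "blocked", "teardown"},
    "severity": {"informational", "low", "medium", "high"},
    "vendor_severity": {"notice", "low", "medium", "high"},
    "src_location": {"internal", "external"},
    "dest_location": {"internal", "external"},
}


def parse_datasets(msg: str) -> dict:
    """Extract key/value datasets from the MSG part; unescape backslash escapes in values."""
    return {k: re.sub(r"\\(.)", r"\1", v) for k, v in KV_RE.findall(msg)}


def parse_line(line: str):
    """Return the datasets of a pw-core message, or None for any other syslog line."""
    m = HEADER_RE.match(line)
    if not m or m.group("appname") != "pw-core":
        return None
    return parse_datasets(m.group("msg"))


def validate(fields: dict) -> list:
    """Check a parsed message against the per-event_type field sets; [] means it conforms."""
    etype = fields.get("event_type")
    if etype not in EVENT_EXTRAS:
        return [f"unknown or missing event_type: {etype!r}"]
    extra_required, extra_optional = EVENT_EXTRAS[etype]
    required = BASE | FLOW | extra_required
    allowed = required | FLOW_OPTIONAL | extra_optional
    problems = [f"missing required field: {k}" for k in sorted(required - fields.keys())]
    problems += [f"unexpected field for {etype}: {k}" for k in sorted(fields.keys() - allowed)]
    for k, domain in ENUMS.items():
        if k in fields and fields[k] not in domain:
            problems.append(f"{k} has invalid value {fields[k]!r}")
    return problems


def _render(datasets: dict) -> str:
    """Constructed sample: wrap datasets in an RFC 5424 header with APP-NAME pw-core."""
    body = " ".join(f'{k}="{v}"' for k, v in datasets.items())
    return f"<14>1 2024-05-01T10:00:00.000Z td-host pw-core - - - {body}"


# Constructed flow datasets shared by the sample messages (values are made up).
_FLOW = {
    "vendor": "cognitix", "product": "td", "host": "td-host",
    "src_interface": "eth0", "src_interface_name": "lan", "src_mac": "00:11:22:33:44:55",
    "dest_mac": "66:77:88:99:aa:bb", "protocol": "ip", "protocol_version": "4",
    "src_ip": "10.0.0.5", "dest_ip": "203.0.113.7", "transport": "tcp",
    "src_port": "51234", "dest_port": "443", "timestamp": "2024-05-01T10:00:00.123Z",
    "src_location": "internal", "dest_location": "external", "flow_id": "42",
    "app": "reddit:ssl", "dpi_classification": "1201", "src_packets_tx": "10",
    "dest_packets_tx": "8", "src_bytes_tx": "1500", "dest_bytes_tx": "9000", "vlan_id": "100",
}
SAMPLE_POLICY_HIT = _render({**_FLOW, "event_type": "policy-hit", "severity": "high",
                             "vendor_severity": "high", "policy_id": "p1", "policy_name": "Block P2P",
                             "rule_id": "r7", "rule": "deny torrent", "action": "blocked"})
SAMPLE_IOC_HIT_BROKEN = _render({**_FLOW, "event_type": "ioc-hit",  # ioc_tags left out on purpose
                                 "ioc_value": "www.example.com", "ioc_value_type": "domain"})
SAMPLE_OTHER_APP = "<13>1 2024-05-01T10:00:00.000Z td-host sshd - - - Accepted publickey for alice"

if __name__ == "__main__":
    for line in (SAMPLE_POLICY_HIT, SAMPLE_IOC_HIT_BROKEN, SAMPLE_OTHER_APP):
        fields = parse_line(line)
        print("not pw-core" if fields is None else (fields["event_type"], validate(fields)))
```

The validator reports three kinds of deviation separately: required datasets that are absent, datasets that the spec does not list for that event_type (which usually means a renamed field or a receiver that does not match the pw-core version), and values outside the fixed domains the field table gives. The unescape step only matters if the exporter escapes embedded quotes; if it does not, the regex still splits correctly on the quoted values.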