syslog Specification

syslog is a standard for message logging that separates the software that generates messages, the system that stores them, and the software that reports and analyzes them. cognitix Threat Defender supports syslog in the Report Channels.

This specification defines all syslog messages with their information elements used in cognitix-specific events.

syslog Setup

The pw-core application generates reporting messages in syslog format that are readable in the Logging section of the Threat Defender user interface. These messages can then be exported to external syslog receivers as desired.

syslog Messages in General

Every syslog message generated by the pw-core application will carry the APP-NAME “pw-core” and can thereby be distinguished from any other syslog message generated by a cognitix Threat Defender.

All syslog datasets are provided as key-value pairs separated by =, where the key is never quoted and the value is always quoted.

As far as possible, the syslog datasets of pw-core follow the CIM (Common Information Model). Where none of the existing CIM datasets fit, pw-core introduces custom dataset definitions.

syslog Datasets

The following datasets are used by pw-core:

| Property | Dataset origin | Data type | Description |
| --- | --- | --- | --- |
| action | Splunk CIM | string | The action taken by the network device that was triggered by a policy rule hit. Only the values “allowed”, “blocked” and “teardown” are valid. |
| app | Splunk CIM | string | The application and protocol of the traffic, reporting the layer 7 application and protocol classification results as short names, e.g. “reddit:ssl”. |
| asset_id | cognitix | string | The ID of an asset, in the format asset-uuid. |
| asset_name | cognitix | string | The name of an asset. |
| dest_asset_name | cognitix | string | The ID of the asset matching the destination host, in the format asset-uuid. |
| dest_bytes_tx | cognitix | number | Bytes transmitted from destination to source. |
| dest_country_code | cognitix | string | The destination country of a flow, encoded following ISO 3166-1 alpha-2, e.g. “FR”, “DE” or “ZZ” for unknown countries. |
| dest_host | Splunk CIM | string | The host name served by the webserver or proxy, in the format punycode (IDNA-encoded domain). |
| dest_interface | Splunk CIM | string | The interface that is listening remotely or receiving packets locally; can also be referred to as the “egress interface”. |
| dest_interface_name | cognitix | string | The name of the egress interface. |
| dest_ip | Splunk CIM | string | The IP address of the destination, in the format ipv4-or-ipv6. |
| dest_location | cognitix | string | The location of the destination host as determined by network object matching; can only be “internal” or “external”. |
| dest_mac | Splunk CIM | string | The destination TCP/IP layer 1 MAC address of a packet’s destination, such as 06:10:9f:eb:8f:14. Has the format macAddress. Note: Always force lower case on this field. Always use colons instead of dashes, spaces, or no separator. |
| dest_packets_tx | cognitix | number | Packets transmitted from destination to source. |
| dest_port | Splunk CIM | number | The destination port of the network traffic. |
| dpi_classification | cognitix | number | The application and protocol of the traffic, reporting the layer 7 application and protocol classification results as a number. |
| event_type | Splunk CIM | string | The reporting event type. Possible values are: “policy_rule_hit”, “flow_end_log”, “new_asset”, “changed_asset”, “removed_asset”. |
| flow_id | Splunk CIM | number | A unique numeric identifier for the flow (uint64). |
| ioc_tags | cognitix | string | A comma-separated list of IoC tags associated with an IoC value. |
| ioc_value | cognitix | string | The latest IoC matched for a flow, e.g. “9.20.11.3”, “www.example.com”, “www.badurl.nz/kiwi”. |
| ioc_value_type | cognitix | string | The IoC indicator type. Only the values “ipv3”, “domain”, “url” are valid. |
| ips_rule_id | cognitix | number | The ID of an IPS rule. |
| ips_rule_description | cognitix | string | The description string of an IPS rule. |
| new_ip | cognitix | string | The IP address that has been added to the ipIds entry of an asset. |
| new_mac | cognitix | string | The MAC address that has been added to the macIds entry of an asset. |
| policy_id | cognitix | string | The ID of a policy scenario, defined in the policy configuration. |
| policy_name | cognitix | string | The name of a policy scenario, defined in the policy configuration. |
| product | Splunk CIM | string | The product name; will always be set to “td”. |
| protocol | Splunk CIM | string | The OSI layer 2 (network) protocol of the traffic observed, in lower case. For example: ip, appletalk, ipx. |
| protocol_version | Splunk CIM | string | Version of the OSI layer 3 protocol. |
| removed_ip | cognitix | string | The IP address that has been removed from the ipIds entry of an asset. |
| removed_mac | cognitix | string | The MAC address that has been removed from the macIds entry of an asset. |
| rule | cognitix | string | The name of a policy rule, defined in the policy configuration, that defines the action taken in the network event. |
| rule_id | cognitix | string | The ID of a policy rule, defined in the policy configuration, that defines the action taken in the network event. |
| severity | Splunk CIM | string | The log action severity according to the CIM naming scheme. Only the values “informational”, “low”, “medium”, “high” are valid. |
| scenario_hit | cognitix | string | The ID of a triggered scenario. |
| src_asset_name | cognitix | string | The ID of the asset matching the source host, in the format asset-uuid. |
| src_bytes_tx | cognitix | number | Bytes transmitted from source to destination. |
| src_country_code | cognitix | string | The source country of a flow, encoded following ISO 3166-1 alpha-2, e.g. “FR”, “DE” or “ZZ” for unknown countries. |
| src_interface | Splunk CIM | string | The interface that is listening remotely or sending packets locally; can also be referred to as the “ingress interface”. |
| src_interface_name | cognitix | string | The name of the ingress interface. |
| src_ip | Splunk CIM | string | The IP address of the source, in the format ipv4-or-ipv6. |
| src_location | cognitix | string | The location of the source host as determined by network object matching; can only be “internal” or “external”. |
| src_mac | Splunk CIM | string | The source TCP/IP layer 1 MAC address of a packet’s source, such as 06:10:9f:eb:8f:14. Has the format macAddress. Note: Always force lower case on this field. Always use colons instead of dashes, spaces, or no separator. |
| src_packets_tx | cognitix | number | Packets transmitted from source to destination. |
| src_port | Splunk CIM | number | The source port of the network traffic. |
| timestamp | cognitix | number | The timestamp when the message was emitted, in ISO 8601 format with millisecond resolution. |
| host | Splunk CIM | string | The hostname of the cognitix Threat Defender instance reporting this event. |
| uri_path | Splunk CIM | string | The path of the resource served by the webserver or proxy. |
| user_id | cognitix | string | The ID of the user who is responsible for the existence of the flow. |
| vendor | Splunk CIM | string | The vendor name; will always be set to “cognitix”. |
| vendor_severity | Splunk CIM | string | The log action severity according to the cognitix naming scheme. Only the values “notice”, “low”, “medium”, “high” are valid. |
| vlan_id | cognitix | number | The outermost VLAN tag. |

cognitix Threat Defender syslog Message Types

Common Datasets

Every syslog message contains the following datasets:

  • vendor

  • product

  • host

  • event_type

Specific Datasets

Depending on the value of the event_type dataset, the following datasets are appended to a syslog message.

policy_rule_hit

Mandatory fields:

  • src_interface

  • dest_interface

  • src_interface_name

  • dest_interface_name

  • src_mac

  • dest_mac

  • protocol

  • protocol_version

  • src_ip

  • dest_ip

  • transport

  • src_port

  • dest_port

  • timestamp

  • src_location

  • dest_location

  • src_country_code

  • dest_country_code

  • flow_id

  • app

  • dpi_classification

  • severity

  • vendor_severity

  • policy_id

  • policy_name

  • rule_id

  • rule

Optional fields:

  • vlan_id

  • action

  • ioc_tags

  • ioc_value

  • ioc_value_type

  • ips_rule_id

  • ips_rule_description

  • dest_host

  • uri_path

  • src_asset_id

  • dest_asset_id

  • user_id

flow_end_log

Mandatory fields:

  • src_interface

  • dest_interface

  • src_interface_name

  • dest_interface_name

  • src_mac

  • dest_mac

  • protocol

  • protocol_version

  • src_ip

  • dest_ip

  • transport

  • src_port

  • dest_port

  • timestamp

  • src_location

  • dest_location

  • src_country_code

  • dest_country_code

  • flow_id

  • app

  • dpi_classification

  • severity

  • vendor_severity

  • policy_id

  • policy_name

  • rule_id

  • rule

Optional fields:

  • vlan_id

  • action

  • ioc_tags

  • ioc_value

  • ioc_value_type

  • ips_rule_id

  • ips_rule_description

  • dest_host

  • uri_path

  • src_asset_id

  • dest_asset_id

  • user_id

  • src_packets_tx

  • dest_packets_tx

  • src_bytes_tx

  • dest_bytes_tx

new_asset

Mandatory fields:

  • asset_id

  • asset_name

changed_asset

Mandatory fields:

  • asset_id

  • asset_name

Optional fields:

  • new_mac

  • removed_mac

  • new_ip

  • removed_ip

removed_asset

Mandatory fields:

  • asset_id

  • asset_name
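As an added example (not part of this specification and not cognitix's own code), the following Python validator parses one pw-core line into its key="value" datasets and checks the common and event_type-specific mandatory fields, the enumerated values and the MAC formatting described above, which is the kind of check a SIEM ingest pipeline would run before trusting a field. It assumes RFC 5424 framing in front of the key-value body (the page only fixes the APP-NAME "pw-core"); the sample messages and the host "td1" are constructed.

```python
import re

# RFC 5424 framing (PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG) is
# assumed here; the page itself only fixes the APP-NAME "pw-core" and the body format.
HEADER = re.compile(r'^<\d{1,3}>1 (\S+) (\S+) (\S+) \S+ \S+ (?:-|\[[^\]]*\]) (.*)$')
PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')  # key never quoted, value always quoted

COMMON = {"vendor", "product", "host", "event_type"}          # present in every message
FLOW = {"src_interface", "dest_interface", "src_interface_name", "dest_interface_name",
        "src_mac", "dest_mac", "protocol", "protocol_version", "src_ip", "dest_ip",
        "transport", "src_port", "dest_port", "timestamp", "src_location", "dest_location",
        "src_country_code", "dest_country_code", "flow_id", "app", "dpi_classification",
        "severity", "vendor_severity", "policy_id", "policy_name", "rule_id", "rule"}
ASSET = {"asset_id", "asset_name"}
MANDATORY = {"policy_rule_hit": FLOW, "flow_end_log": FLOW,
             "new_asset": ASSET, "changed_asset": ASSET, "removed_asset": ASSET}
ENUMS = {"action": {"allowed", "blocked", "teardown"},
         "severity": {"informational", "low", "medium", "high"},
         "vendor_severity": {"notice", "low", "medium", "high"},
         "src_location": {"internal", "external"}, "dest_location": {"internal", "external"}}
MAC = re.compile(r'^([0-9a-f]{2}:){5}[0-9a-f]{2}$')  # lower case, colon separated

def parse(line):
    """Return (fields, problems) for one line; fields is None if it is not from pw-core."""
    m = HEADER.match(line)
    if not m or m.group(3) != "pw-core":
        return None, ["not a pw-core message"]
    fields = dict(PAIR.findall(m.group(4)))
    problems = []
    etype = fields.get("event_type")
    if etype not in MANDATORY:
        problems.append(f"unknown event_type {etype!r}")
    missing = (COMMON | MANDATORY.get(etype, set())) - set(fields)
    if missing:
        problems.append("missing: " + ", ".join(sorted(missing)))
    for key, allowed in ENUMS.items():
        if key in fields and fields[key] not in allowed:
            problems.append(f"bad {key}={fields[key]!r}")
    for key in ("src_mac", "dest_mac"):
        if key in fields and not MAC.match(fields[key]):
            problems.append(f"{key} not lower-case colon-separated")
    return fields, problems

# Constructed sample messages (not captured from a device); host "td1" is made up.
ASSET_MSG = ('<134>1 2024-05-01T10:00:00.000Z td1 pw-core - - - vendor="cognitix" '
             'product="td" host="td1" event_type="changed_asset" asset_id="asset-0001" '
             'asset_name="printer" new_mac="06:10:9f:eb:8f:14"')
HIT_MSG = ('<134>1 2024-05-01T10:00:01.000Z td1 pw-core - - - vendor="cognitix" '
           'product="td" host="td1" event_type="policy_rule_hit" src_ip="10.0.0.5" '
           'dest_ip="203.0.113.9" action="dropped" severity="high" src_mac="06-10-9F-EB-8F-14"')
```

Running parse(ASSET_MSG) yields no problems, while parse(HIT_MSG) reports the missing mandatory flow fields, the invalid action value and the mis-formatted src_mac.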