syslog Specification
syslog is a standard for message logging that separates the software that generates messages, the system that stores them, and the software that reports and analyzes them. cognitix Threat Defender supports syslog in the Report Channels.
This specification defines all syslog messages with their information elements used in cognitix-specific events.
syslog Setup
The pw-core application generates reporting messages in syslog format that are readable in the Logging section of the Threat Defender user interface. These messages can then be exported to external syslog receivers as desired.
syslog Messages in General
Every syslog message generated by the pw-core application will carry the APP-NAME “pw-core” and can thereby be distinguished from any other syslog message generated by a cognitix Threat Defender.
All syslog datasets are provided as key-value pairs separated by =, where the key is never quoted and the value always is.
As far as possible, the syslog datasets of pw-core follow the CIM (Common Information Model). But pw-core also introduces custom dataset definitions where none of the existing ones fit.
syslog Datasets
The following datasets are used by pw-core:

| Property | Dataset origin | Data type | Description |
|---|---|---|---|
| | Splunk CIM | string | The action taken by the network device that was triggered by a policy rule hit. Only the values “allowed”, “blocked” and “teardown” are valid. |
| | Splunk CIM | string | The application and protocol of the traffic, reporting the layer 7 application and protocol classification results as short names, e.g. “reddit:ssl”. |
| | cognitix | string | The ID of an asset, in the format |
| | cognitix | string | The name of an asset. |
| | cognitix | string | The ID of the asset matching the destination host, in the format |
| | cognitix | number | Bytes transmitted from destination to source. |
| | cognitix | string | The destination country of a flow, encoded following ISO 3166-1 alpha-2, e.g. “FR”, “DE” or “ZZ” for unknown countries. |
| | Splunk CIM | string | The host name served by the webserver or proxy, in the format |
| | Splunk CIM | string | The interface that is listening remotely or receiving packets locally; can also be referred to as the “egress interface”. |
| | cognitix | string | The name of the egress interface. |
| | Splunk CIM | string | The IP address of the destination, in the format |
| | cognitix | string | The location of the destination host as determined by network object matching; can only be “internal” or “external”. |
| | Splunk CIM | string | The destination TCP/IP layer 1 MAC address of a packet’s destination, such as |
| | cognitix | number | Packets transmitted from destination to source. |
| | Splunk CIM | number | The destination port of the network traffic. |
| | cognitix | number | The application and protocol of the traffic, reporting the layer 7 application and protocol classification results as a number. |
| | Splunk CIM | string | The reporting event type. Possible values are: “policy_rule_hit”, “flow_end_log”, “new_asset”, “changed_asset”, “removed_asset”. |
| | Splunk CIM | number | A unique numeric identifier for the flow (uint64). |
| | cognitix | string | A comma-separated list of IoC tags associated with an IoC value. |
| | cognitix | string | The latest IoC matched for a flow, e.g. “9.20.11.3”, “www.example.com”, “www.badurl.nz/kiwi”. |
| | cognitix | string | The IoC indicator type. Only the values “ipv3”, “domain”, “url” are valid. |
| | cognitix | number | The ID of an IPS rule. |
| | cognitix | string | The description string of an IPS rule. |
| | cognitix | string | The IP address that has been added to the |
| | cognitix | string | The MAC address that has been added to the |
| | cognitix | string | The ID of a policy scenario, defined in the policy configuration. |
| | cognitix | string | The name of a policy scenario, defined in the policy configuration. |
| | Splunk CIM | string | The product name; will always be set to “td”. |
| | Splunk CIM | string | The OSI layer 2 (network) protocol of the traffic observed, in lower case. For example: ip, appletalk, ipx. |
| | Splunk CIM | string | Version of the OSI layer 3 protocol. |
| | cognitix | string | The IP address that has been removed from the |
| | cognitix | string | The MAC address that has been removed from the |
| | cognitix | string | The name of a policy rule, defined in the policy configuration, that defines the action that was taken in the network event. |
| | cognitix | string | The ID of a policy rule, defined in the policy configuration, that defines the action that was taken in the network event. |
| | Splunk CIM | string | The log action severity according to the CIM naming scheme. Only the values “informational”, “low”, “medium”, “high” are valid. |
| | cognitix | string | The ID of a triggered scenario. |
| | cognitix | string | The ID of the asset matching the source host, in the format |
| | cognitix | number | Bytes transmitted from source to destination. |
| | cognitix | string | The source country of a flow, encoded following ISO 3166-1 alpha-2, e.g. “FR”, “DE” or “ZZ” for unknown countries. |
| | Splunk CIM | string | The interface that is listening remotely or sending packets locally; can also be referred to as the “ingress interface”. |
| | cognitix | string | The name of the ingress interface. |
| | Splunk CIM | string | The IP address of the source, in the format |
| | cognitix | string | The location of the source host as determined by network object matching; can only be “internal” or “external”. |
| | Splunk CIM | string | The source TCP/IP layer 1 MAC address of a packet’s destination, such as |
| | cognitix | number | Packets transmitted from source to destination. |
| | Splunk CIM | number | The source port of the network traffic. |
| | cognitix | number | The timestamp when the message was emitted, in ISO 8601 format with millisecond resolution. |
| | Splunk CIM | string | The hostname of the cognitix Threat Defender instance reporting this event. |
| | Splunk CIM | string | The path of the resource served by the webserver or proxy. |
| | cognitix | string | The ID of the user who is responsible for the existence of the flow. |
| | Splunk CIM | string | The vendor name; will always be set to “cognitix”. |
| | Splunk CIM | string | The log action severity according to the cognitix naming scheme. Only the values “notice”, “low”, “medium”, “high” are valid. |
| | cognitix | number | The outermost VLAN tag. |
cognitix Threat Defender syslog Message Types
Common Datasets
Every syslog message contains the following datasets:
vendor
product
host
event_type
Specific Datasets
Depending on the value of the event_type dataset, the following datasets are appended to a syslog message.
policy_rule_hit
Mandatory fields:
src_interface
dest_interface
src_interface_name
dest_interface_name
src_mac
dest_mac
protocol
protocol_version
src_ip
dest_ip
transport
src_port
dest_port
timestamp
src_location
dest_location
src_country_code
dest_country_code
flow_id
app
dpi_classification
severity
vendor_severity
policy_id
policy_name
rule_id
rule
Optional fields:
vlan_id
action
ioc_tags
ioc_value
ioc_value_type
ips_rule_id
ips_rule_description
dest_host
uri_path
src_asset_id
dest_asset_id
user_id
flow_end_log
Mandatory fields:
src_interface
dest_interface
src_interface_name
dest_interface_name
src_mac
dest_mac
protocol
protocol_version
src_ip
dest_ip
transport
src_port
dest_port
timestamp
src_location
dest_location
src_country_code
dest_country_code
flow_id
app
dpi_classification
severity
vendor_severity
policy_id
policy_name
rule_id
rule
Optional fields:
vlan_id
action
ioc_tags
ioc_value
ioc_value_type
ips_rule_id
ips_rule_description
dest_host
uri_path
src_asset_id
dest_asset_id
user_id
src_packets_tx
dest_packets_tx
src_bytes_tx
dest_bytes_tx
changed_asset
Mandatory fields:
asset_id
asset_name
Optional fields:
new_mac
removed_mac
new_ip
removed_ip
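As an added example (not part of the cognitix documentation or of pw-core itself), a small Python conformance checker that splits a pw-core message at its APP-NAME, parses the key="value" datasets and reports missing common or mandatory datasets and out-of-range enumerated values for the event types listed above. It assumes an RFC 5424 style header and space-separated pairs; the sample message is constructed, and the new_asset and removed_asset types, which have no field list on this page, are only checked for the common datasets.

```python
import re
# Constructed sample (not captured from a real Threat Defender): an RFC 5424 style
# header with APP-NAME "pw-core", followed by the pw-core datasets as key="value".
SAMPLE = (
    '<134>1 2024-01-01T12:00:00.000Z td1 pw-core - - - '
    'vendor="cognitix" product="td" host="td1" event_type="policy_rule_hit" '
    'src_interface="eth0" dest_interface="eth1" src_interface_name="lan" dest_interface_name="wan" '
    'src_mac="00:11:22:33:44:55" dest_mac="66:77:88:99:aa:bb" protocol="ip" protocol_version="4" '
    'src_ip="10.0.0.5" dest_ip="203.0.113.9" transport="tcp" src_port="51234" dest_port="443" '
    'timestamp="2024-01-01T12:00:00.000Z" src_location="internal" dest_location="external" '
    'src_country_code="ZZ" dest_country_code="FR" flow_id="42" app="reddit:ssl" '
    'dpi_classification="1234" severity="high" vendor_severity="high" policy_id="p1" '
    'policy_name="block-social" rule_id="r7" rule="deny reddit" action="blocked"'
)
# Assumption: pairs are space separated; keys are bare words, values are double-quoted.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
COMMON = frozenset({"vendor", "product", "host", "event_type"})
EVENT_TYPES = {"policy_rule_hit", "flow_end_log", "new_asset", "changed_asset", "removed_asset"}
FLOW_MANDATORY = frozenset("""src_interface dest_interface src_interface_name
    dest_interface_name src_mac dest_mac protocol protocol_version src_ip dest_ip transport
    src_port dest_port timestamp src_location dest_location src_country_code dest_country_code
    flow_id app dpi_classification severity vendor_severity policy_id policy_name rule_id
    rule""".split())
# Mandatory datasets per event_type as the spec lists them; new_asset and removed_asset
# have no field list on the page, so only the common datasets are checked for them.
MANDATORY = {"policy_rule_hit": FLOW_MANDATORY, "flow_end_log": FLOW_MANDATORY,
             "changed_asset": frozenset({"asset_id", "asset_name"})}
ENUMS = {"action": {"allowed", "blocked", "teardown"},
         "severity": {"informational", "low", "medium", "high"},
         "vendor_severity": {"notice", "low", "medium", "high"},
         "src_location": {"internal", "external"}, "dest_location": {"internal", "external"},
         "ioc_value_type": {"ipv3", "domain", "url"}}  # value set exactly as the spec lists it

def parse_pw_core(msg):
    """Drop the syslog header up to APP-NAME "pw-core" and return the datasets as a dict."""
    _head, marker, body = msg.partition(" pw-core ")
    if not marker:
        raise ValueError("not a pw-core message")
    return {k: v.replace('\\"', '"') for k, v in KV_RE.findall(body)}

def validate(rec):
    """Return the conformance problems of a parsed record (empty list when it conforms)."""
    et = rec.get("event_type")
    problems = [f"missing {k}" for k in sorted(COMMON - set(rec))]
    if et not in EVENT_TYPES:
        problems.append(f"unknown event_type {et!r}")
    problems += [f"missing {k}" for k in sorted(MANDATORY.get(et, frozenset()) - set(rec))]
    problems += [f"invalid {k}={rec[k]!r}" for k in ENUMS if k in rec and rec[k] not in ENUMS[k]]
    return problems
```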