Useful fields for narrowing down Logger queries:
* *eventId* \- a distinct, sequential integer assigned to every event; no two events share the same eventId, so it is the field to use when referring to one specific event
* *destinationAddress* \- the IP address +to+ which packets, requests, or connections were sent
* *sourceAddress* \- the IP address +from+ which packets, requests, or connections were sent
* *name* \- the human-readable description of the event
* *message* \- a human readable description or debug output associated with the event
* *destinationPort*, *sourcePort* \- the ports used in network connections
* *sourceHostName*, *destinationHostName* \- the hostnames that resolve to the sourceAddress and destinationAddress
* *eventTime* \- the time at which the logging service first recorded the event
* *destinationMacAddress*, *sourceMacAddress* \- for networking events which record MAC addresses
* *destinationUserName*, *sourceUserName* \- the username involved in requesting the action which generated the event
* *baseEventId* \- for correlated or aggregated events, the eventId associated with the rule that triggered this new derivative event
* *baseEventCount* \- the number of aggregated events that were combined to form this new derivative event
* *device* \- the hostname of the server on which the SmartConnector that captured this event is installed
* *deviceReceiptTime* \- the time at which the ArcSight SmartConnector received the log
* *deviceCustomString\[1-6\]* \- special values associated with a particular event that do not fit inside other fields. Sometimes related distances, MAC addresses, or other misc details.
* *categoryBehavior* \- the action associated with this event. Usually among:
** /Access
** /Access/Start
** /Access/Stop
** /Authentication/Verify
** /Authorization
** /Communicate
** /Communicate/Query
** /Communicate/Response
** /Create
** /Execute
** /Execute/Query
** /Execute/Response
** /Execute/Start
** /Execute/Stop
** /Found/Defective
** /Found/Exhausted
** /Modify/Configuration
** /Modify/Content
* *categoryObject* \- the type of object associated with this event. Usually among:
** /Actor/User
** /Host
** /Host/Application
** /Host/Application/Database
** /Host/Application/Service
** /Host/Application/Service/Email
** /Host/Operating System
** /Host/Resource
** /Host/Resource/Interface
** /Host/Resource/Memory
** /Network
* *categorySignificance* \- the reported event significance type. Usually among:
** /Hostile
** /Informational
** /Informational/Error
** /Informational/Normal
** /Informational/Warning
** /Normal
** /Recon
** /Rule/Action/Success
** /Suspicious
* *categoryOutcome* \- the reported outcome of the event. Among:
** /Attempt
** /Success
** /Failure
* *transportProtocol* \- usually among:
** TCP
** UDP
** ICMP
** IGMP
* *deviceProduct* \- the brand name of the product which triggered the event. Examples:
** Apache
** ArcSight
** CiscoRouter
** Device Product
** IntruShield
** IP Flow
** Logger
** Microsoft Windows
** Mobility Controller
** Netscreen VPN
** NSM
** NT syslog
** Peoplesoft Financials
** Peoplesoft HR
** Sendmail
** Switch
** Tomcat
** Unix
** WebLogic
* *deviceVendor* \- the brand name of the owner/vendor of the product. Examples:
** Apache
** ArcSight
** Aruba Networks
** BEA
** CISCO
** Extreme Networks
** IP Flow
** Juniper
** McAfee
** Microsoft
** Oracle
** SaberNet
** Unix
* *deviceAction* \- the arbitrary action reported by the device. Examples:
** DHCPACK
** DHCPDISCOVER
** DHCPINFORM
** DHCPNAK
** DHCPOFFER
** DHCPRELEASE
** DHCPREQUEST
** 200
** 400
** 5
** Accept
** accepted
** closed
** connect
** info
** moved
** notice
** pckt dropped
** Postponed
** REFUSED
** Sent
** SERVFAIL
** succeeded
** Suspicious
** Warning
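The fields above are only useful once combined, and one of them changes the arithmetic: an aggregated event is a single record that stands for *baseEventCount* raw events, so a search that counts records undercounts whatever was rolled up. The following is an added example, not part of the original page or of ArcSight's own tooling: it ANDs field/value pairs the way a narrowed search does, then counts failed *\/Authentication/Verify* events per *sourceAddress* both with and without *baseEventCount* weighting. The event records are constructed for illustration; the field names are the ones listed above, and the helper names (`narrow`, `top`, `failed_logins_by_source`) are the example's own.

```python
# Added example (not from the original wiki page): narrowing and
# aggregating ArcSight-style events on the fields listed above.
# All event records below are constructed for illustration only.
from collections import Counter

AUTH = "/Authentication/Verify"

# Constructed sample events keyed by the field names from the list above.
# Event 1005 is an aggregated event: baseEventCount says how many raw
# failures it stands for, so counting records alone would undercount.
EVENTS = [
    {"eventId": 1001, "categoryBehavior": AUTH, "categoryOutcome": "/Failure",
     "sourceAddress": "10.1.2.3", "destinationAddress": "10.9.9.9",
     "sourceUserName": "alice", "deviceVendor": "Microsoft",
     "deviceProduct": "Microsoft Windows", "baseEventCount": 1},
    {"eventId": 1002, "categoryBehavior": AUTH, "categoryOutcome": "/Success",
     "sourceAddress": "10.1.2.3", "destinationAddress": "10.9.9.9",
     "sourceUserName": "alice", "deviceVendor": "Microsoft",
     "deviceProduct": "Microsoft Windows", "baseEventCount": 1},
    {"eventId": 1003, "categoryBehavior": AUTH, "categoryOutcome": "/Failure",
     "sourceAddress": "203.0.113.7", "destinationAddress": "10.9.9.9",
     "sourceUserName": "root", "deviceVendor": "Unix",
     "deviceProduct": "Unix", "baseEventCount": 1},
    {"eventId": 1004, "categoryBehavior": AUTH, "categoryOutcome": "/Failure",
     "sourceAddress": "203.0.113.7", "destinationAddress": "10.9.9.9",
     "sourceUserName": "admin", "deviceVendor": "Unix",
     "deviceProduct": "Unix", "baseEventCount": 1},
    {"eventId": 1005, "categoryBehavior": AUTH, "categoryOutcome": "/Failure",
     "sourceAddress": "203.0.113.7", "destinationAddress": "10.9.9.9",
     "sourceUserName": "admin", "deviceVendor": "ArcSight",
     "deviceProduct": "ArcSight", "baseEventCount": 25, "baseEventId": 9001},
    {"eventId": 1006, "categoryBehavior": "/Communicate/Query",
     "categoryOutcome": "/Success", "sourceAddress": "10.1.2.3",
     "destinationAddress": "10.9.9.9", "destinationPort": 80,
     "deviceVendor": "Apache", "deviceProduct": "Apache", "baseEventCount": 1},
    {"eventId": 1007, "categoryBehavior": AUTH, "categoryOutcome": "/Attempt",
     "sourceAddress": "198.51.100.2", "destinationAddress": "10.9.9.9",
     "sourceUserName": "bob", "deviceVendor": "Juniper",
     "deviceProduct": "Netscreen VPN", "baseEventCount": 1},
]


def narrow(events, **criteria):
    """Keep events whose fields equal every criterion (an AND of field = value)."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def event_weight(event):
    """Number of raw events a record stands for: baseEventCount for an
    aggregated event, 1 for an ordinary event that carries no count."""
    return int(event.get("baseEventCount", 1))


def top(events, field, n, weighted=True):
    """Most frequent values of `field` in a result set, as (value, count) pairs."""
    counts = Counter()
    for e in events:
        if field in e:
            counts[e[field]] += event_weight(e) if weighted else 1
    return counts.most_common(n)


def failed_logins_by_source(events, threshold, weighted=True):
    """sourceAddress -> failed authentication count, for sources at or above threshold."""
    failed = narrow(events, categoryBehavior=AUTH, categoryOutcome="/Failure")
    counts = dict(top(failed, "sourceAddress", len(failed), weighted))
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(failed_logins_by_source(EVENTS, 5))         # {'203.0.113.7': 27}
    print(failed_logins_by_source(EVENTS, 5, False))  # {} - aggregation hidden
    print(top(narrow(EVENTS, categoryBehavior=AUTH), "sourceUserName", 2))
```

With weighting, 203.0.113.7 shows 27 failures and crosses a threshold of 5; counting records instead shows 3 and the source is missed entirely. The same weighting applies to any "top N" over *sourceUserName* or *destinationAddress* whenever the result set can contain correlated or aggregated events.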