...

  • Free text search: "bwalth01" or "130.64.205.66"
  • All Juniper VPN activity: deviceVendor contains "Juniper" AND deviceProduct = "Netscreen VPN"
  • All traffic going to a particular IP: destinationAddress = "94.100.18.41"
  • All traffic to a set of IP addresses: destinationAddress IN ["130.64.205.66","130.64.205.72","130.64.205.178"]
  • All failed login attempts: categoryBehavior CONTAINS "Verify" AND categoryOutcome = "/Failure"
  • Example Load Balancer log (for when you need Load Balancer specific searches): Sep  2 13:04:01 tab-dc-ndc-lb02-vip.net.tufts.edu tmm2[5279]: Rule Log-on-connect <SERVERto-Arcsite <SERVER_CONNECTED>: Got connection: Client(130.64.112177.132:34738 -> VIP: 249:61338)<>(130.64.112.133:80 -> Node: 10.246.108.5:80.212.185:443)LTM(10.250.136.10:61338)<>(10.250.136.82:443)Server

Useful fields for narrowing down Logger queries:

  • eventId - always a distinct, sequential integer. No two events have the same eventId
  • destinationAddress - the IP address to which packets, requests, or connections were sent
  • sourceAddress - the IP address from which packets, requests, or connections were sent
  • name - the human-readable description of the event
  • message - a human readable description or debug output associated with the event
  • destinationPort, sourcePort - the ports used in network connections
  • sourceHostName, destinationHostName - the hostnames that resolve to the sourceAddress and destinationAddress
  • eventTime - the time at which the logging service first recorded the event
  • destinationMacAddress, sourceMacAddress - for networking events which record MAC addresses
  • destinationUserName, sourceUserName - the username involved with requesting an action which generated the event
  • baseEventId - for correlated or aggregated events, the eventId associated with the rule that triggered this new derivative event
  • baseEventCount - the number of aggregated events that were combined to form this new derivative event
  • device - the server hostname on which the SmartConnector is installed that captured this event
  • deviceReceiptTime - the time at which the ArcSight SmartConnector received the log
  • deviceCustomString1-6 - special values associated with a particular event that do not fit inside other fields. Sometimes related distances, MAC addresses, or other misc details.
  • categoryBehavior - the action associated with this event. Usually among:
    • /Access
    • /Access/Start
    • /Access/Stop
    • /Authentication/Verify
    • /Authorization
    • /Communicate
    • /Communicate/Query
    • /Communicate/Response
    • /Create
    • /Execute
    • /Execute/Query
    • /Execute/Response
    • /Execute/Start
    • /Execute/Stop
    • /Found/Defective
    • /Found/Exhausted
    • /Modify/Configuration
    • /Modify/Content
  • categoryOutcome - the reported outcome of the event. Among:
    • /Attempt
    • /Success
    • /Failure

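As an added illustration (not part of the original wiki page, and not ArcSight's own query engine), the small Python evaluator below implements the subset of Logger query syntax used in the examples above (=, CONTAINS, and IN [...] joined by AND) and runs it over constructed sample events that use the field names and categoryBehavior/categoryOutcome values listed in this section. The event records, user name and addresses are made up for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events keyed by ArcSight field names (not real data).
EVENTS: List[Dict[str, object]] = [
    {"eventId": 101, "deviceVendor": "Juniper", "deviceProduct": "Netscreen VPN",
     "categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Failure",
     "sourceAddress": "130.64.205.66", "destinationUserName": "bwalth01"},
    {"eventId": 102, "deviceVendor": "Juniper", "deviceProduct": "Netscreen VPN",
     "categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Success",
     "sourceAddress": "130.64.205.72", "destinationUserName": "bwalth01"},
    {"eventId": 103, "deviceVendor": "F5", "deviceProduct": "BIG-IP",
     "categoryBehavior": "/Access/Start", "categoryOutcome": "/Success",
     "destinationAddress": "94.100.18.41"},
]

# One clause: <field> <op> <value>, where value is a quoted string or an IN list.
# Operators are matched case-insensitively, so "contains" and "CONTAINS" both work.
CLAUSE = re.compile(r'(\w+)\s+(=|contains|in)\s+(\[[^\]]*\]|"[^"]*")', re.I)

def parse_query(query: str) -> List[Tuple[str, str, List[str]]]:
    """Split a query on AND and turn each clause into (field, OP, values)."""
    terms = []
    for clause in re.split(r'\s+AND\s+', query.strip(), flags=re.I):
        m = CLAUSE.fullmatch(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        field, op, raw = m.group(1), m.group(2).upper(), m.group(3)
        values = re.findall(r'"([^"]*)"', raw)  # single value, or every member of the IN list
        terms.append((field, op, values))
    return terms

def matches(event: Dict[str, object], terms) -> bool:
    """All clauses must hold; a missing field is treated as an empty string."""
    for field, op, values in terms:
        actual = str(event.get(field, ""))
        if op == "=" and actual != values[0]:
            return False
        if op == "CONTAINS" and values[0] not in actual:
            return False
        if op == "IN" and actual not in values:
            return False
    return True

def search(events: List[Dict[str, object]], query: str) -> List[int]:
    """Return the eventIds of the events that satisfy the query."""
    terms = parse_query(query)
    return [int(e["eventId"]) for e in events if matches(e, terms)]

if __name__ == "__main__":
    print(search(EVENTS, 'categoryBehavior CONTAINS "Verify" AND categoryOutcome = "/Failure"'))
```

The failed-login query from the examples above returns only event 101 here, while the Juniper VPN query returns both VPN events regardless of outcome.
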
...