Useful fields for narrowing down Logger queries:
- eventId - always a distinct, sequential integer. No two events have the same EventId
- destinationAddress - the IP address to which packets, requests, or connections were sent
- sourceAddress - the IP address from which packets, requests, or connections were sent
- name - the human-readable description of the event
- message - a human readable description or debug output associated with the event
- destinationPort, sourcePort - the ports used in network connections
- sourceHostName, destinationHostName - the hostnames that resolves with the sourceAddress and destinationAddress
- eventTime - the time at which the logging service first recorded the event
- destinationMacAddress, sourceMacAddress - for networking events which record MAC addresses
- destinationUserName, sourceUserName - the username involved with requesting an action which generated the event
- baseEventId - for correlated or aggregated events, the eventId associated with the rule that triggered this new derivative event
- baseEventCount - the number of aggregated events that were combined to form this new derivative event
- device - the server hostname on which the SmartConnector is installed that captured this event
- deviceReceiptTime - the time which the ArcSight SmartConnector received the log
- deviceCustomString[1-6] - special values associated with a particular event that do not fit inside other fields. Sometimes related distances, MAC addresses, or other misc details.
- CategoryBehavior - the action associated with this event. Usually among:
- /Access
- /Access/Start
- /Access/Stop
- /Authentication/Verify
- /Authorization
- /Communicate
- /Communicate/Query
- /Communicate/Response
- /Create
- /Execute
- /Execute/Query
- /Execute/Response
- /Execute/Start
- /Execute/Stop
- /Found/Defective
- /Found/Exhausted
- /Modify/Configuration
- /Modify/Content
- CategoryObject - the type of device associated with this event. Usually among:
- /Actor/User
- /Host
- /Host/Application
- /Host/Application/Database
- /Host/Application/Service
- /Host/Application/Service/Email
- /Host/Operating System
- /Host/Resource
- /Host/Resource/Interface
- /Host/Resource/Memory
- Network
- CategorySignificance - the reported event significance type. Usually among:
- /Hostile
- /Informational
- /Informational/Error
- /Informational/Normal
- /Informational/Warning
- /Normal
- /Recon
- /Rule/Action/Success
- /Suspicious
- CategoryOutcome - the reported outcome of the event. Among:
- /Attempt
- /Success
- /Failure
- transportProtocol - usually among:
- TCP
- UDP
- ICMP
- IGMP
- DeviceProduct - the brand name of the product which triggered the event. Examples:
- Apache
- ArcSight
- CiscoRouter
- Device Product
- IntruShield
- IP Flow
- Logger
- Microsoft Windows
- Mobility Controller
- Netscreen VPN
- NSM
- NT syslog
- Peoplesoft Financials
- Peoplesoft HR
- Sendmail
- Switch
- Tomcat
- Unix
- WebLogic
- DeviceVendor - the brand name of the owner/vendor of the product. Examples:
- Apache
- ArcSight
- Aruba Networks
- BEA
- CISCO
- Extreme Networks
- IP Flow
- Juniper
- McAfee
- Microsoft
- Oracle
- SaberNet
- Unix
- DeviceAction - the arbitrary action reported by the device. Examples:
- DHCPACK
- DHCPDISCOVER
- DHCPINFORM
- DHCPNAK
- DHCPOFFER
- DHCPRELEASE
- DHCPREQUEST
- 200
- 400
- 5
- Accept
- accepted
- closed
- connect
- info
- moved
- notice
- pckt dropped
- Postponed
- REFUSED
- Sent
- SERVFAIL
- succeeded
- Suspicious
- Warning<!-- BODY,DIV,TABLE,THEAD,TBODY,TFOOT,TR,TH,TD,P
Unknown macro: { font-family}-->| /Access |
/Access/Start
/Access/Stop
AgentRunning
/All Customers/Tufts/Tufts
/Authentication/Verify
/Authorization
carlsbad.uit.tufts.edu:514)=0'
categoryBehavior
/Communicate
/Communicate/Query
/Communicate/Response
/Create
/Execute
/Execute/Query
/Execute/Response
/Execute/Start
/Execute/Stop
/Found/Defective
/Found/Exhausted
Low
/Modify/Configuration
/Modify/Content