ArcSight Logger - Commonly Used Event Fields

Owned by Benjamin.Walther
Last updated: Feb 21, 2012Version comment

Example Queries:

  • Free text search: "bwalth01" or "130.64.205.66"
  • All Juniper VPN activity: deviceVendor contains "Juniper" AND deviceProduct = "Netscreen VPN"
  • All traffic going to a particular IP: destinationAddress = "94.100.18.41"
  • All traffic to a set of IP addresses: destinationAddress IN [seim:"130.64.205.66","130.64.205.72","130.64.205.178"]
  • All failed login attempts: categoryBehavior CONTAINS "Verify" AND categoryOutcome = "/Failure"
  • Example Load Balancer log (for when you need Load Balancer specific searches):  Rule Log-to-Arcsite <;SERVER_CONNECTED>;: Got connection: Client(130.64.177.249:61338)<;>;(130.64.212.185:443)LTM(10.250.136.10:61338)<;>;(10.250.136.82:443)Server

Useful fields for narrowing down Logger queries:

  • eventId - always a distinct, sequential integer. No two events have the same EventId
  • destinationAddress - the IP address to which packets, requests, or connections were sent
  • sourceAddress - the IP address from which packets, requests, or connections were sent
  • name - the human-readable description of the event
  • message - a human readable description or debug output associated with the event
  • destinationPort, sourcePort - the ports used in network connections
  • sourceHostName, destinationHostName - the hostnames that resolves with the sourceAddress and destinationAddress
  • eventTime - the time at which the logging service first recorded the event
  • destinationMacAddress, sourceMacAddress - for networking events which record MAC addresses
  • destinationUserName, sourceUserName - the username involved with requesting an action which generated the event
  • baseEventId - for correlated or aggregated events, the eventId associated with the rule that triggered this new derivative event
  • baseEventCount - the number of aggregated events that were combined to form this new derivative event
  • device - the server hostname on which the SmartConnector is installed that captured this event
  • deviceReceiptTime - the time which the ArcSight SmartConnector received the log
  • deviceCustomString[seim:1-6] - special values associated with a particular event that do not fit inside other fields. Sometimes related distances, MAC addresses, or other misc details.
  • CategoryBehavior - the action associated with this event. Usually among:
    • /Access
    • /Access/Start
    • /Access/Stop
    • /Authentication/Verify
    • /Authorization
    • /Communicate
    • /Communicate/Query
    • /Communicate/Response
    • /Create
    • /Execute
    • /Execute/Query
    • /Execute/Response
    • /Execute/Start
    • /Execute/Stop
    • /Found/Defective
    • /Found/Exhausted
    • /Modify/Configuration
    • /Modify/Content
  • CategoryOutcome - the reported outcome of the event. Among:
    • /Attempt
    • /Success
    • /Failure
  • CategoryObject - the type of device associated with this event. Usually among:
    • /Actor/User
    • /Host
    • /Host/Application
    • /Host/Application/Database
    • /Host/Application/Service
    • /Host/Application/Service/Email
    • /Host/Operating System
    • /Host/Resource
    • /Host/Resource/Interface
    • /Host/Resource/Memory
    • Network
  • CategorySignificance - the reported event significance type. Usually among:
    • /Hostile
    • /Informational
    • /Informational/Error
    • /Informational/Normal
    • /Informational/Warning
    • /Normal
    • /Recon
    • /Rule/Action/Success
    • /Suspicious
  • transportProtocol - usually among:
    • TCP
    • UDP
    • ICMP
    • IGMP
  • DeviceProduct - the brand name of the product which triggered the event. Examples:
    • Apache
    • ArcSight
    • CiscoRouter
    • Device Product
    • IntruShield
    • IP Flow
    • Logger
    • Microsoft Windows
    • Mobility Controller
    • Netscreen VPN
    • NSM
    • NT syslog
    • Peoplesoft Financials
    • Peoplesoft HR
    • Sendmail
    • Switch
    • Tomcat
    • Unix
    • WebLogic
  • DeviceVendor - the brand name of the owner/vendor of the product. Examples:
    • Apache
    • ArcSight
    • Aruba Networks
    • BEA
    • CISCO
    • Extreme Networks
    • IP Flow
    • Juniper
    • McAfee
    • Microsoft
    • Oracle
    • SaberNet
    • Unix
  • DeviceAction - the arbitrary action reported by the device. Examples:
    • DHCPACK
    • DHCPDISCOVER
    • DHCPINFORM
    • DHCPNAK
    • DHCPOFFER
    • DHCPRELEASE
    • DHCPREQUEST
    • 200
    • 400
    • 5
    • Accept
    • accepted
    • closed
    • connect
    • info
    • moved
    • notice
    • pckt dropped
    • Postponed
    • REFUSED
    • Sent
    • SERVFAIL
    • succeeded
    • Suspicious
    • Warning

Information on the Tufts IT Knowledgebase is intended for IT Professionals at Tufts.
If you have a question about a Tufts IT service or computer/account support, please contact your IT support group.