Sample Syslog Output Formats in BeyondInsight Event Forwarder
Sample syslog output formats
Note: This is a small sample of event messages in various formats, not an all-encompassing set of every possible event.
Syslog format: newline-delimited
<0>2015-12-05T11:22:53Z 10.124.101.11 Agent Desc: Application Bus 3.0
Event Date: 2016-06-13 10:14:35
Server Date: 2016-06-13 11:38:21
RefType: 16
Agent ID: retina
Agent Ver: 5.23.1.3108
Category: Processes
Source Host: WIN-4PBV285405S
Event Desc: svchost
Event Name: Process 772
OS: Windows,Microsoft,Windows,Server 2008 R2 Standard Edition (full installation) x64,Service Pack 1
Event Severity: 0
Source IP: 10.200.31.203
Event Subject: 010.200.031.085
Event Type: 0
User: SYSTEM
Workgroup Desc: BeyondTrust
Workgroup ID: BeyondTrust Workgroup
Workgroup Location: Default Location
Process ID: 772 (0x304)
Parent Process ID: 492 (0x1EC)
Start Time: 5/12/2016 9:21:05 AM GMT-04
Syslog format: tab-delimited
The whole event is a single line, with the fields separated by tab characters; the fields are listed one per line here.
<0>2016-12-05T11:22:53Z 10.101.25.167 Agent Desc: Application Bus 3.0
Agent ID: retina
Agent Ver: 5.25.2.3215
Category: User
Source Host: WIN-N83HFCB9RNA
Event Desc: Built-in account for guest access to the computer/domain
Event Name: Guest
OS: Windows,Microsoft,Windows,Unknown
Event Severity: 0
Source IP: 10.101.25.167
Event Subject: 010.101.025.177
Event Type: 0
User: WIN-N83HFCB9RNA$
Workgroup Desc: BeyondTrust
Workgroup ID: BeyondTrust Workgroup
Workgroup Location: Default Location
Member of Group (01/001): Guests
Privilege (01/002): Guest
Account Disabled (01/003): True
Last Logon (01/004): never
Last Logoff (01/005): unknown
Expires (01/006): never
Max Storage (01/007): unlimited
Bad PW Count (01/008): 0
Number of Logons (01/009): 0
Logon Server (01/010): \\*
Country Code (01/011): 0
RID (01/012): 501
Password Expired (01/013): no
Source (01/014): NetUserEnum
SID (01/015): S-1-5-21-2210307081-232491991-3792010023-501
JSON syslog format
<0>2016-06-13T11:38:21 10.101.25.115
{
  "formatVersion":"1.0",
  "vendor":"BeyondTrust",
  "product":"BeyondInsight",
  "version":"6.0.0",
  "agentid":"attack",
  "agentdesc":"Application Bus 3.0",
  "agentver":"Unknown",
  "category":"User",
  "severity":"0",
  "eventid":"RET-SCAN-007",
  "eventname":"beyondtrust",
  "eventdesc":"bt admin",
  "eventdate":"Jun 10 2016 03:05:04",
  "sourcehost":"mymachine-ws",
  "os":"Windows,Microsoft,Windows,Unknown",
  "souirceip":"172.168.101.202",
  "eventsubject":"172.168.101.222",
  "eventtype":"0",
  "user":"MYMACHINE-WS$",
  "workgroupid":"BeyondTrust Workgroup",
  "workgroupdesc":"BeyondTrust",
  "workgrouplocation":"Default Location",
  "nvps":
  {
    "id":"c85dca8c-df30-4a70-98f8-c8a47f7fc2fa",
    "evtdate":"6/10/2016 3:05:04 AM",
    "clienthost":"mymachine-ws",
    "eventseverity":"0",
    "dllversion":"AppBus EMS v3.0 com xml",
    "transactiongroup":"5B3A069BE0D84E7EA56F2A40EFDBE253",
    "subjectdescription":"mymachine-ws",
    "evtsubjbi":"2896693762",
    "evtsrcipbi":"2896693762",
    "referenceid":"7",
    "evtdatatype":"SCAN",
    "evtstatus":"True",
    "badpwcount0101":"0",
    "countrycode0101":"0",
    "expires0101":"never ",
    "fullname0101":"beyondtrust",
    "lastlogoff0101":"unknown ",
    "lastlogon0101":"Tue Jun 02 19:26:42 2015",
    "logonserver0101":"\\\\*",
    "maxstorage0101":"unlimited",
    "memberofgroup0101":"Administrators, Performance Log Users, Users",
    "numberoflogons0101":"7",
    "passwordage0101":"412 days",
    "passwordexpired0101":"no",
    "privilege0101":"Administrator",
    "rid0101":"1006",
    "sid0101":"S-1-5-21-4152543990-75340177-3020034217-1006",
    "source0101":"NetUserEnum"
  }
}
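As an added example that is not part of the BeyondTrust documentation or of the product, the following Python parses the three formats shown so far into one record shape: it reads the <PRI>timestamp host header, splits newline- or tab-delimited "Key: Value" fields (keeping the "(gg/nnn)" tag of a field as a separate group/index pair), and flattens the JSON variant's nvps object into the top-level fields. The sample messages are constructed from the records above and trimmed; the key normalisation (lower case, spaces removed, which happens to match the JSON key names) and the record layout are the example's own choices, and the misspelled souirceip key is accepted only because that is what the JSON sample shows. Note that every sample above carries PRI <0>, which in syslog terms is facility kern and severity emergency, so triage has to read the product's own Event Severity field rather than the syslog priority.

```python
import json
import re
from typing import Any, Dict

# Constructed samples modelled on the records above (not captured traffic).
NEWLINE_SAMPLE = """<0>2015-12-05T11:22:53Z 10.124.101.11 Agent Desc: Application Bus 3.0
Event Date: 2016-06-13 10:14:35
Agent ID: retina
Category: Processes
Source Host: WIN-4PBV285405S
Event Desc: svchost
Event Name: Process 772
Event Severity: 0
Source IP: 10.200.31.203
User: SYSTEM
Process ID: 772 (0x304)
Parent Process ID: 492 (0x1EC)"""

# Tab-delimited: one line, fields separated by TAB; "(gg/nnn)" tags a field of a numbered group.
TAB_SAMPLE = "\t".join([
    "<0>2016-12-05T11:22:53Z 10.101.25.167 Agent Desc: Application Bus 3.0",
    "Agent ID: retina", "Category: User", "Event Name: Guest", "Event Severity: 0",
    "Source IP: 10.101.25.167", "Member of Group (01/001): Guests", "RID (01/012): 501",
    "SID (01/015): S-1-5-21-2210307081-232491991-3792010023-501"])

JSON_SAMPLE = """<0>2016-06-13T11:38:21 10.101.25.115
{"formatVersion":"1.0","vendor":"BeyondTrust","product":"BeyondInsight","version":"6.0.0",
 "agentid":"attack","category":"User","severity":"0","eventid":"RET-SCAN-007",
 "eventname":"beyondtrust","sourcehost":"mymachine-ws","souirceip":"172.168.101.202",
 "eventsubject":"172.168.101.222","user":"MYMACHINE-WS$",
 "nvps":{"evtdatatype":"SCAN","eventseverity":"0","privilege0101":"Administrator","rid0101":"1006"}}"""

# <PRI>timestamp host, followed by either the first "Key: Value" field or a JSON object.
HEADER_RE = re.compile(r"^<(\d{1,3})>(\S+)\s+(\S+)(?:\s+(.*))?$", re.S)
# "Key: Value" or "Key (gg/nnn): Value"; the key runs to the first colon.
FIELD_RE = re.compile(r"^(.+?)(?:\s*\((\d+)/(\d+)\))?:\s*(.*)$", re.S)


def parse_event(message: str) -> Dict[str, Any]:
    """Parse one newline-delimited, tab-delimited or JSON event into a flat record."""
    m = HEADER_RE.match(message.strip())
    if not m:
        raise ValueError("not a '<PRI>timestamp host ...' record")
    pri = int(m.group(1))  # PRI = facility * 8 + severity (RFC 3164); <0> is kern.emerg
    rec: Dict[str, Any] = {
        "syslog_facility": pri // 8, "syslog_severity": pri % 8,
        "syslog_timestamp": m.group(2), "syslog_host": m.group(3),
        "fields": {}, "indexed": {},
    }
    rest = (m.group(4) or "").strip()
    if rest.startswith("{"):
        fields = dict(json.loads(rest))
        fields.update(fields.pop("nvps", {}))  # flatten the per-event name/value pairs
        # The sample spells the source-IP key "souirceip"; accept it but expose "sourceip".
        if "souirceip" in fields and "sourcein" not in fields:
            fields["sourceip"] = fields.pop("souirceip")
        rec["fields"] = fields
        return rec
    for raw in re.split(r"[\t\n]+", rest):  # one field per tab (tab format) or line
        raw = raw.strip()
        if not raw:
            continue
        fm = FIELD_RE.match(raw)
        if not fm:
            raise ValueError(f"unparsable field: {raw!r}")
        key, group, index, value = fm.groups()
        name = key.strip().lower().replace(" ", "")  # "Source IP" -> "sourceip", as in the JSON keys
        rec["fields"][name] = value.strip()
        if group is not None:
            rec["indexed"][name] = (int(group), int(index))
    return rec


def event_severity(rec: Dict[str, Any]) -> int:
    """Severity for triage: the product's Event Severity field, not the syslog PRI,
    which is <0> (facility kern, severity emergency) in every sample above."""
    f = rec["fields"]
    return int(f.get("eventseverity", f.get("severity", "0")))


if __name__ == "__main__":
    for sample in (NEWLINE_SAMPLE, TAB_SAMPLE, JSON_SAMPLE):
        r = parse_event(sample)
        print(r["syslog_host"], r["fields"].get("eventname"), event_severity(r))
```

The "(gg/nnn)" pair is kept separately in "indexed" rather than folded into the key, because the JSON sample suffixes its per-account keys with a fixed "0101" that does not correspond to the tab format's field numbers, so no mapping between the two is assumed.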
LEEF syslog format
The LEEF header is pipe-delimited; in LEEF 1.0 the attributes after the last pipe are separated by tab characters, which is why values such as devTime and Filename, and even the key Company Name, can contain spaces. The attributes are listed one per line here.
Jun 13 23:11:40 fe80::ad7a:8589:f107:158a%12 LEEF:1.0|BeyondTrust|BeyondInsight|6.0.0|RET-SCAN-009|
cat=Modules
devTime=Jun 04 2016 02:08:58
devTimeFormat=MMM dd yyyy HH:mm:ss
sev=0
src=10.200.31.212
resource=WIN-AR9FPF5LTJG
dst=10.200.31.84
usrName=WIN-AR9FPF5LTJG$
groupID=BeyondTrust Workgroup
AgentDesc=Application Bus 3.0
AgentID=retina
AgentVer=5.24.1.3126
EventDesc=acrotray.exe
EventName=acrotray.exe
Os=Windows,Microsoft,Windows,Unknown
EventType=0
WorkgroupDesc=BeyondTrust
WorkgroupLocation=Default Location
Type=Module
Name=acrotray.exe
Filename=C:\\Program Files\\Adobe\\Acrobat 11.0\\Acrobat\\acrotray.exe
MD5=E0DF6506C36AA207F41EFED13D876D83
SHA1=11B87A57B626CCD760D121215C1B96AB72F06BAA
Version=11.0.6.70
Company Name=Adobe Systems Inc.
Description=AcroTray
Product=AcroTray - Adobe Acrobat Distiller helper application.
Signer=Adobe Systems, Incorporated
Image Size=3514368
Entry Address=0056F07E
Base Address=003C0000
CertSerial=68ADD7AFFC72183C31865ACD3CB2D70C
CertIssuer=Symantec Class 3 Extended Validation Code Signing CA
CEF syslog format
The CEF header is pipe-delimited and the extension is a single line of space-separated key=value pairs whose values (rt, suser, msg, Os) themselves contain spaces, so a consumer has to split before each key= token rather than on every space. The pairs are listed one per line here.
Jun 13 16:09:00 WIN-TC570BCQDNA CEF:0|BeyondTrust|BeyondInsight|6.0.0|RET-SCAN-012|IP Start Time|0|
rt=Jun 13 2016 19:08:32
deviceExternalId=pbw_vulnerability
cat=Status
src=10.200.31.81
shost=PATCHWIN764X
suser=NT AUTHORITY\NETWORK SERVICE
msg=2016-06-13 16:08:33
dst=10.200.31.81
BeyondTrustBeyondInsightAgentDesc=PBW 7.0.2.79
BeyondTrustBeyondInsightAgentID=pbw_vulnerability
BeyondTrustBeyondInsightAgentVer=7.0.2.79
BeyondTrustBeyondInsightCategory=Status
BeyondTrustBeyondInsightClientHost=PATCHWIN764X
BeyondTrustBeyondInsightEventDesc=2016-06-13 16:08:33
BeyondTrustBeyondInsightEventName=IP Start Time
BeyondTrustBeyondInsightOs=Windows 7 (X64), Service Pack 1
BeyondTrustBeyondInsightEventSeverity=0
BeyondTrustBeyondInsightSourceIp=10.200.31.81
BeyondTrustBeyondInsightEventSubject=10.200.31.81
BeyondTrustBeyondInsightEventType=0
BeyondTrustBeyondInsightUser=NT AUTHORITY\NETWORK SERVICE
BeyondTrustBeyondInsightWorkgroupDesc=BeyondTrust Workgroup
BeyondTrustBeyondInsightWorkgroupID=BeyondTrust Workgroup
BeyondTrustBeyondInsightWorkgroupLocation=Default Location
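As an added example that is not part of the BeyondTrust documentation or of the product, the following Python parses the LEEF and CEF records above. It shows the three things that trip up ad-hoc consumers of these two formats: the pipe-delimited header (split only on pipes that are not escaped as \|), the CEF extension whose values contain spaces (split only before a key= token, since the format itself offers no better rule), and the LEEF 1.0 attribute list, which is tab-delimited and so allows both spaces in values and a key such as Company Name. Unescaping is deliberately limited to \\, \| and \=, because the CEF sample emits suser=NT AUTHORITY\NETWORK SERVICE with a bare backslash that a stricter unescaper would mangle, while the LEEF sample doubles the backslashes in Filename. The samples are constructed from the records above and trimmed; the record layout is the example's own.

```python
import re
from typing import Any, Dict, Iterable

# Constructed samples modelled on the CEF and LEEF records above (not captured traffic).
CEF_SAMPLE = (
    "Jun 13 16:09:00 WIN-TC570BCQDNA CEF:0|BeyondTrust|BeyondInsight|6.0.0|RET-SCAN-012|"
    "IP Start Time|0|rt=Jun 13 2016 19:08:32 deviceExternalId=pbw_vulnerability cat=Status "
    "src=10.200.31.81 shost=PATCHWIN764X suser=NT AUTHORITY\\NETWORK SERVICE "
    "msg=2016-06-13 16:08:33 dst=10.200.31.81 "
    "BeyondTrustBeyondInsightOs=Windows 7 (X64), Service Pack 1 "
    "BeyondTrustBeyondInsightEventSeverity=0"
)
# LEEF 1.0 separates attributes with TAB, so the attribute list is joined with "\t".
LEEF_SAMPLE = (
    "Jun 13 23:11:40 fe80::ad7a:8589:f107:158a%12 LEEF:1.0|BeyondTrust|BeyondInsight|6.0.0|"
    "RET-SCAN-009|" + "\t".join([
        "cat=Modules", "devTime=Jun 04 2016 02:08:58", "devTimeFormat=MMM dd yyyy HH:mm:ss",
        "sev=0", "src=10.200.31.212", "dst=10.200.31.84", "usrName=WIN-AR9FPF5LTJG$",
        "Name=acrotray.exe",
        "Filename=C:\\\\Program Files\\\\Adobe\\\\Acrobat 11.0\\\\Acrobat\\\\acrotray.exe",
        "MD5=E0DF6506C36AA207F41EFED13D876D83", "Company Name=Adobe Systems Inc.",
        "Signer=Adobe Systems, Incorporated",
    ])
)

# Syslog prefix (timestamp and host), then the format tag and the pipe-delimited header.
HEADER_RE = re.compile(r"^(?P<prefix>.*?)\s*(?P<fmt>CEF:0|LEEF:1\.0)\|(?P<rest>.*)$", re.S)
PIPE_RE = re.compile(r"(?<!\\)\|")  # a pipe that is not escaped as "\|"
# CEF extensions are space separated, but values (suser, rt, msg, Os) contain spaces:
# split only before a token that looks like a key immediately followed by "=".
CEF_EXT_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")
# Undo only the escapes the formats define; an unknown sequence such as "\N" is left
# untouched because the sample emits "suser=NT AUTHORITY\NETWORK SERVICE" as-is.
UNESCAPE_RE = re.compile(r"\\([\\|=])")


def _unescape(value: str) -> str:
    return UNESCAPE_RE.sub(r"\1", value)


def _kv(tokens: Iterable[str]) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for tok in tokens:
        key, sep, value = tok.partition("=")  # the key never contains "="
        if not sep:
            raise ValueError(f"attribute without '=': {tok!r}")
        out[key.strip()] = _unescape(value)
    return out


def parse_cef(line: str) -> Dict[str, Any]:
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension"""
    m = HEADER_RE.match(line)
    if not m or m.group("fmt") != "CEF:0":
        raise ValueError("not a CEF:0 record")
    parts = PIPE_RE.split(m.group("rest"), maxsplit=6)  # pipes inside the extension stay put
    if len(parts) != 7:
        raise ValueError(f"expected 7 header fields, got {len(parts)}")
    hdr = [_unescape(p) for p in parts[:6]]
    return {
        "format": "CEF", "syslog_prefix": m.group("prefix"),
        "vendor": hdr[0], "product": hdr[1], "version": hdr[2],
        "signature_id": hdr[3], "name": hdr[4], "severity": int(hdr[5]),
        "ext": _kv(CEF_EXT_SPLIT.split(parts[6].strip())),
    }


def parse_leef(line: str) -> Dict[str, Any]:
    """LEEF:1.0|Vendor|Product|Version|EventID|attr1<TAB>attr2<TAB>..."""
    m = HEADER_RE.match(line)
    if not m or m.group("fmt") != "LEEF:1.0":
        raise ValueError("not a LEEF:1.0 record")
    parts = PIPE_RE.split(m.group("rest"), maxsplit=4)
    if len(parts) != 5:
        raise ValueError(f"expected 5 header fields, got {len(parts)}")
    hdr = [_unescape(p) for p in parts[:4]]
    return {
        "format": "LEEF", "syslog_prefix": m.group("prefix"),
        "vendor": hdr[0], "product": hdr[1], "version": hdr[2], "event_id": hdr[3],
        "attrs": _kv(t for t in parts[4].split("\t") if t),
    }


if __name__ == "__main__":
    c, l = parse_cef(CEF_SAMPLE), parse_leef(LEEF_SAMPLE)
    print(c["signature_id"], c["ext"]["suser"], "|", c["ext"]["BeyondTrustBeyondInsightOs"])
    print(l["event_id"], l["attrs"]["Company Name"], "|", l["attrs"]["Filename"])
```

The split-before-key= rule for CEF is a heuristic forced by the format: a value that itself contains a word followed by "=" would be cut in two, so anything that matters for detection (user names, paths) is safer taken from the LEEF or JSON output, where the delimiter is unambiguous.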