Event Forwarder Message Fields
There are a number of syslog formats supported by BeyondInsight, including newline-delimited, tab-delimited, LEEF, CEF, and a custom JSON structure for added parsing options. This document provides details on the following:
- Message components and format
- Persistent and variable fields within each message
- Event field mappings, event name, event type values, and event category values for Password Safe events
- Hardware, monitored services, and performance counter events for U-Series Appliance
- Sample syslog output formats
Overall message structure
The newline-delimited and JSON syslog message structure is outlined below. CEF, LEEF, FireEye TAP, Splunk HTTP EC, and other implementations adhere to the message structures as required by their specifications.
[priority] [syslog sender time] [syslog sender IP] [message body]
- Priority: Calculated using the event severity and syslog facility.
- Syslog Sender Time (yyyy-MM-ddTHH:mm:ss): UTC date and time when the event was forwarded.
If the time of an event appears to be wrong, make sure the receiver is configured to use UTC.
- Syslog Sender IP: The IP address of the sender as an IPv4 address or IPv6 address.
- Message Body: The current syslog message body implementation is newline-delimited.
<priority>yyyy-MM-ddTHH:mm:ssZ 10.10.10.10 Key=Value
<0>2016-06-13T11:38:21Z 10.101.25.115 AgentId=Retina …
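The following parser is an added example, not code from BeyondInsight or this document: it splits a newline-delimited message into the four components listed above (priority, sender time, sender IP, Key=Value body), decodes the priority with the standard syslog rule PRI = facility * 8 + severity (an assumption about how BeyondInsight combines the two values; the page only says they are combined), accepts IPv4 or IPv6 senders, and rejects a sender time without the UTC "Z" suffix, since a receiver that silently treats it as local time is the usual source of the time discrepancy the note above mentions. The sample messages are constructed; only the AgentId=Retina pair comes from the page's example.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Standard syslog severity names, index = severity value 0..7.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Layout from the document: <priority>sender-time sender-ip Key=Value...
# The first Key=Value pair follows the IP on the header line; further pairs
# are newline-delimited.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z?)\s+"
    r"(?P<ip>\S+)\s*"
    r"(?P<body>.*)$",
    re.DOTALL,
)

# Constructed samples (not real forwarder output). Priority 134 decodes as
# facility 16 (local0), severity 6 (info) under the PRI = facility*8+severity rule.
SAMPLE_V4 = "<0>2016-06-13T11:38:21Z 10.101.25.115 AgentId=Retina\nEventName=ConstructedEvent\nEventType=Sample"
SAMPLE_V6 = "<134>2016-06-13T11:40:02Z 2001:db8::15 AgentId=Retina\nEventName=ConstructedEvent"
SAMPLE_NO_Z = "<0>2016-06-13T11:38:21 10.101.25.115 AgentId=Retina"


def parse_event(raw: str) -> dict:
    """Parse one newline-delimited Event Forwarder message into its components."""
    m = _HEADER.match(raw.strip())
    if not m:
        raise ValueError("not a newline-delimited Event Forwarder message")

    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal PRI
        raise ValueError(f"priority {pri} out of range (0-191)")

    ts = m.group("ts")
    if not ts.endswith("Z"):
        # Sender time is documented as UTC; refuse to guess a zone.
        raise ValueError("sender time lacks the UTC 'Z' suffix")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

    sender = ipaddress.ip_address(m.group("ip"))  # validates IPv4 or IPv6

    fields = {}
    for line in m.group("body").splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"body line without '=': {line!r}")
        fields[key.strip()] = value.strip()

    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "severity_name": SEVERITY_NAMES[pri % 8],
        "time": when,
        "sender": sender,
        "fields": fields,
    }


def is_well_formed(raw: str) -> bool:
    """True when parse_event accepts the message, False on any format error."""
    try:
        parse_event(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in (SAMPLE_V4, SAMPLE_V6, SAMPLE_NO_Z):
        print(parse_event(sample) if is_well_formed(sample) else f"rejected: {sample!r}")
```

Because the forwarder emits one Key=Value pair per line, a body value that itself contains a newline cannot be represented unambiguously in this format; if that matters for a given event type, the JSON, CEF or LEEF outputs the document lists are the safer choice for the receiver.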
The Event Forwarder only scrapes and forwards events from the database. A comprehensive list of all Syslog Event Messages is currently unavailable.