Event Forwarder Message Fields
With the release of BeyondInsight 6.0, additional syslog formats are available alongside the current message format. The existing newline-delimited syslog message format is supplemented with support for LEEF, CEF, and other formats, as well as a custom JSON structure for added parsing options.
Overall Message Structure
The existing newline-delimited and upcoming JSON syslog message structure is outlined below. CEF, LEEF, FireEye TAP, Splunk HTTP EC, and other implementations adhere to the message structures as required by their specifications.
[priority] [syslog sender time] [syslog sender IP] [message body]
- Priority: Calculated using the event severity and syslog facility.
- Syslog Sender Time (yyyy-MM-ddTHH:mm:ss): UTC date and time when the event was forwarded.
If there appears to be a discrepancy with the time of an event, make sure the receiver is configured to use UTC.
- Syslog Sender IP: The IP address of the sender, as an IPv4 or IPv6 address.
- Message Body: The current syslog message body implementation is newline-delimited.
<priority>yyyy-MM-ddTHH:mm:ssZ 10.10.10.10 Key=Value
<0>2016-06-13T11:38:21Z 10.101.25.115 AgentId=Retina …
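The following parser is an added example written for this page; it is not BeyondInsight code. It consumes a message in the newline-delimited layout above, splits the syslog priority into facility and severity (the standard RFC 3164/5424 relationship PRI = facility * 8 + severity), parses the sender time as an aware UTC datetime so that the timezone discrepancy noted above cannot creep in on the receiver side, validates the sender address as IPv4 or IPv6, and turns the Key=Value body lines into a dictionary. The sample message is constructed: the `AgentId=Retina` pair and the sender address come from the page, while `EventName` and `Severity` are assumed field names chosen for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Header layout documented for the newline-delimited format:
#   <priority>yyyy-MM-ddTHH:mm:ssZ <sender IP> <message body>
# The body is one or more Key=Value lines; the first pair sits on the header line
# and the remaining pairs follow on their own lines (DOTALL lets '.*' span them).
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+"
    r"(?P<ip>\S+)\s+"
    r"(?P<body>.*)$",
    re.DOTALL,
)


def decode_priority(pri: int) -> tuple:
    """Split a syslog PRI value into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:  # 24 facilities * 8 severities - 1
        raise ValueError(f"priority out of range: {pri}")
    return pri // 8, pri % 8


def parse_event(raw: str) -> dict:
    """Parse one newline-delimited forwarder message into its header parts and body fields."""
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError("not a newline-delimited forwarder message")
    facility, severity = decode_priority(int(m.group("pri")))
    # The sender time carries a 'Z' suffix, i.e. UTC. Attach tzinfo explicitly so that
    # comparisons against receiver timestamps never silently assume local time.
    sent_at = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # ip_address() accepts both IPv4 and IPv6 text forms and rejects anything else.
    sender = ipaddress.ip_address(m.group("ip"))
    fields = {}
    for line in m.group("body").split("\n"):
        line = line.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"body line is not Key=Value: {line!r}")
        key, _, value = line.partition("=")  # split on the first '=' only; values may contain '='
        fields[key.strip()] = value.strip()
    return {
        "facility": facility,
        "severity": severity,
        "sent_at": sent_at,
        "sender": sender,
        "fields": fields,
    }


# Constructed sample in the documented layout (not a real capture). AgentId and the
# sender address are taken from the page; EventName and Severity are assumed field names.
SAMPLE = (
    "<0>2016-06-13T11:38:21Z 10.101.25.115 AgentId=Retina\n"
    "EventName=ExampleEvent\n"
    "Severity=5"
)

if __name__ == "__main__":
    event = parse_event(SAMPLE)
    print(f"facility={event['facility']} severity={event['severity']} "
          f"sent_at={event['sent_at'].isoformat()} sender={event['sender']}")
    for key, value in event["fields"].items():
        print(f"  {key} = {value}")
```

Rejecting a body line that lacks `=` rather than skipping it is deliberate: a malformed line usually means a truncated or multi-event read on the receiver, which is worth surfacing in ingestion logs rather than dropping quietly.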