Event Forwarder Message Fields

There are a number of syslog formats supported by BeyondInsight, including newline-delimited, tab-delimited, LEEF, CEF, and a custom JSON structure for added parsing options. This document provides details on the following:

• Message components and format
• Persistent and variable fields within each message
• Event field mappings, event name, event type values, and event category values for Password Safe events
• Hardware, monitored services, and performance counter events for U-Series Appliance
• Sample syslog output formats

Overall Message structure

The newline-delimited and JSON syslog message structure is outlined below. CEF, LEEF, FireEye TAP, Splunk HTTP EC, and other implementations adhere to the message structures as required by their specifications.

Message Components

[priority] [syslog sender time] [syslog sender IP] [message body]

• Priority: Calculated using the event severity and syslog facility.
• Syslog Sender Time (yyyy-MM-ddTHH:mm:ss): UTC date and time when the event was forwarded.

If there appears to be a discrepancy with the time of an event, make sure the receiver is configured to use UTC.

• Syslog Sender IP: The IP address of the sender as an IPv4 address or IPv6 address.
• Message Body: The current syslog message body implementation is newline-delimited.

Message Format

<priority>yyyy-MM-ddTHH:mm:ssZ 10.10.10.10 Key=Value

<0>2016-06-13T11:38:21Z 10.101.25.115 AgentId=Retina …

The Event Forwarder only scrapes and forwards events from the database. A comprehensive list of all Syslog Event Messages is currently unavailable.