Event Forwarder Message Fields
There are a number of syslog formats supported by BeyondInsight, including newline-delimited, tab-delimited, LEEF, CEF, and a custom JSON structure for added parsing options.
Overall Message Structure
The newline-delimited and JSON syslog message structure is outlined below. CEF, LEEF, FireEye TAP, Splunk HTTP EC, and other implementations adhere to the message structures as required by their specifications.
[priority] [syslog sender time] [syslog sender IP] [message body]
- Priority: Calculated using the event severity and syslog facility.
- Syslog Sender Time (yyyy-MM-ddTHH:mm:ss): UTC date and time when the event was forwarded.
If there appears to be a discrepancy with the time of an event, make sure the receiver is configured to use UTC.
- Syslog Sender IP: The IP address of the sender as an IPv4 address or IPv6 address.
- Message Body: The current syslog message body implementation is newline-delimited.
<priority>yyyy-MM-ddTHH:mm:ssZ 10.10.10.10 Key=Value
<0>2016-06-13T11:38:21Z 10.101.25.115 AgentId=Retina …
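As an added example (not code from the BeyondInsight documentation or product), a small Python parser for the newline-delimited structure above: it decodes the priority into facility and severity using the standard syslog PRI encoding (facility * 8 + severity, assumed here to be what BeyondInsight calculates), normalises the sender time to a UTC datetime, validates the sender address as IPv4 or IPv6, and splits the body into Key=Value fields. The sample message and every field name other than AgentId are constructed for the example.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Standard syslog severity names, indexed by PRI & 7.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Common facility codes; local0-local7 are derived from the code below.
FACILITY_NAMES = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 5: "syslog", 10: "authpriv"}

# <PRI> ISO-8601 UTC time with trailing Z, sender IP, then the newline-delimited body.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"(?P<ip>\S+) (?P<body>.*)$",
    re.DOTALL,
)


def facility_name(code: int) -> str:
    if 16 <= code <= 23:
        return f"local{code - 16}"
    return FACILITY_NAMES.get(code, f"facility{code}")


def parse_event(message: str) -> dict:
    """Parse one forwarded event; raises ValueError on anything malformed."""
    m = HEADER_RE.match(message)
    if not m:
        raise ValueError("not a newline-delimited BeyondInsight syslog message")
    pri = int(m.group("pri"))
    if pri > 191:  # highest valid PRI is facility 23, severity 7
        raise ValueError(f"PRI out of range: {pri}")
    # The sender time is UTC; attach tzinfo so receivers in other zones do not misread it.
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    sender = ipaddress.ip_address(m.group("ip"))  # accepts IPv4 or IPv6, else ValueError
    fields = {}
    for line in m.group("body").split("\n"):
        if not line.strip():
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if not sep or not key.strip():
            raise ValueError(f"malformed Key=Value line: {line!r}")
        fields[key.strip()] = value.strip()
    return {
        "facility": pri // 8, "facility_name": facility_name(pri // 8),
        "severity": pri % 8, "severity_name": SEVERITY_NAMES[pri % 8],
        "timestamp": ts, "sender_ip": str(sender), "fields": fields,
    }


# Constructed sample: PRI 14 = facility 1 (user), severity 6 (info).
SAMPLE = "<14>2016-06-13T11:38:21Z 10.101.25.115 AgentId=Retina\nEventName=ConstructedEvent\nNote=a=b"
```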
The Event Forwarder only scrapes and forwards events from the database. A comprehensive list of all Syslog Event Messages is currently unavailable.