Event Forwarder Message Fields

There are a number of syslog formats supported by BeyondInsight, including newline-delimited, tab-delimited, LEEF, CEF, and a custom JSON structure for added parsing options.

Overall Message structure

The newline-delimited and JSON syslog message structure is outlined below. CEF, LEEF, FireEye TAP, Splunk HTTP EC, and other implementations adhere to the message structures as required by their specifications.

Message Components

[priority] [syslog sender time] [syslog sender IP] [message body]
  • Priority: Calculated using the event severity and syslog facility.
  • Syslog Sender Time (yyyy-MM-ddTHH:mm:ss): UTC date and time when the event was forwarded.

If there appears to be a discrepancy with the time of an event, make sure the receiver is configured to use UTC.

  • Syslog Sender IP: The IP address of the sender as an IPv4 address or IPv6 address.
  • Message Body: The current syslog message body implementation is newline-delimited.

Message Format

<priority>yyyy-MM-ddTHH:mm:ssZ 10.10.10.10 Key=Value
Sample Message Format
<0>2016-06-13T11:38:21Z 10.101.25.115 AgentId=Retina …

The Event Forwarder only scrapes and forwards events from the database. A comprehensive list of all Syslog Event Messages is currently unavailable.