Event Forwarder Message Fields

With the release of BeyondInsight 6.0, additional syslog formats are available alongside the existing newline-delimited message format: LEEF, CEF, and other formats, as well as a custom JSON structure for added parsing options.

Overall Message Structure

The structure of the existing newline-delimited and upcoming JSON syslog messages is outlined below. CEF, LEEF, FireEye TAP, Splunk HTTP EC, and other implementations adhere to the message structures required by their respective specifications.

Message Components

[priority] [syslog sender time] [syslog sender IP] [message body]
  • Priority: Calculated using the event severity and syslog facility.
  • Syslog Sender Time (yyyy-MM-ddTHH:mm:ss): UTC date and time when the event was forwarded.

If there appears to be a discrepancy with the time of an event, make sure the receiver is configured to use UTC.

  • Syslog Sender IP: The IP address of the sender as an IPv4 address or IPv6 address.
  • Message Body: The current syslog message body implementation is newline-delimited.

Message Format

<priority>yyyy-MM-ddTHH:mm:ssZ 10.10.10.10 Key=Value

Sample Message Format

<0>2016-06-13T11:38:21Z 10.101.25.115 AgentId=Retina …
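As an added example (not BeyondInsight's own code), the following parser takes a message in the newline-delimited format described above, decodes the priority into facility and severity, pins the sender time to UTC so a receiver in another time zone does not misread it, validates the sender IP as IPv4 or IPv6, and splits the Key=Value body. It assumes the standard syslog encoding PRI = facility * 8 + severity; the body keys after AgentId in the sample are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed: standard syslog PRI packing (RFC 3164/5424), PRI = facility * 8 + severity.
# The page only says priority is calculated from severity and facility.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (?P<ip>\S+) (?P<body>.*)$",
    re.DOTALL,  # the body is newline-delimited, so '.' must span lines
)

@dataclass
class ForwardedEvent:
    facility: int
    severity: int
    sent_at: datetime   # timezone-aware, always UTC
    sender_ip: str
    fields: dict

def parse_event(raw: str) -> ForwardedEvent:
    m = _HEADER.match(raw)
    if not m:
        raise ValueError("not a <priority>timestamp ip body message")
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        raise ValueError(f"priority {pri} out of range")
    # The sender stamps UTC; attach tzinfo so downstream code cannot
    # reinterpret the naive timestamp in the receiver's local zone.
    sent_at = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    sender_ip = str(ipaddress.ip_address(m["ip"]))  # IPv4 or IPv6; rejects anything else
    fields = {}
    for line in m["body"].split("\n"):
        if not line.strip():
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if not sep:
            raise ValueError(f"body line without '=': {line!r}")
        fields[key.strip()] = value.strip()
    return ForwardedEvent(pri // 8, pri % 8, sent_at, sender_ip, fields)

# Constructed sample: header and AgentId come from the page's sample line,
# the remaining body keys are made up for illustration.
SAMPLE = "<0>2016-06-13T11:38:21Z 10.101.25.115 AgentId=Retina\nHostName=host01\nEventDescription=constructed sample"

if __name__ == "__main__":
    print(parse_event(SAMPLE))
```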