Persistent Fields

The following keys can be expected within each message.

| Field | Value Type | Description |
| --- | --- | --- |
| Event Date | DateTime | Event date (UTC) |
| Server Date | DateTime | DateTime of server event forwarding processing (UTC) |
| RefType | String | Event reference Id |
| Agent Desc | String | The last known relaying agent (for example, Application Bus 3.0) |
| Agent ID | String | The source or originating agent |
| Agent Ver | String | The version of the agent |
| Source Host | String | The machine name of the agent (or IP address if the machine name is not available) |
| Source IP | String | The IP address of the agent |
| OS | String | The operating system of the agent |
| Category | String | Event Category. This can be any number of verbs (T49152, U11234, Group, Audits, etc.) |
| Event Name | String | The name of the event |
| Event Desc | String | Additional descriptive details for the event. The level of detail varies with the event source. |
| Event Severity | Integer | In general: (BeyondInsight 5.8 syslog) Emergency = 0, Alert = 1, Critical = 2, Error = 3, Warning = 4, Notice = 5, Information = 6, Debug = 7. (BeyondInsight 6.0 syslog) Severities range from 0 to 10, where information = 0, low = 3, medium = 6, and high = 9. |
| Event Subject | String | Subject Identity at the root of the event. This can be a scanned asset (for example, IP or Hostname) or an action (for example, Application launch) |
| Event Type | Integer | [Reserved for future use] |
| User | String | The computer / machine user associated with the event |
| Workgroup ID | String | The workgroup ID (for example, BeyondTrust Workgroup) |
| Workgroup Desc | String | The workgroup name (for example, BeyondTrust) |
| Workgroup Location | String | The workgroup location (for example, Default Location) |
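The field list above is a schema, and the one place it bites an ingestion pipeline is Event Severity: the 5.8 scale is standard syslog (0 is Emergency, the most severe) while the 6.0 scale counts the other way (0 is information, 9 is high). A threshold written for one version silently misclassifies the other. The following added example, which is not BeyondTrust's own code, validates one forwarded event given as a dict keyed by the persistent field names, coerces the DateTime and Integer fields, and labels severity per schema version. The ISO 8601 date format, the version strings "5.8" and "6.0", the bucket edges between the 6.0 anchors, and the "high" thresholds in is_high_severity are this example's assumptions; the sample event is constructed.

```python
import ipaddress
from datetime import datetime, timezone

# Field -> value type, as listed in the persistent-fields table.
PERSISTENT_FIELDS = {
    "Event Date": "DateTime", "Server Date": "DateTime", "RefType": "String",
    "Agent Desc": "String", "Agent ID": "String", "Agent Ver": "String",
    "Source Host": "String", "Source IP": "String", "OS": "String",
    "Category": "String", "Event Name": "String", "Event Desc": "String",
    "Event Severity": "Integer", "Event Subject": "String",
    "Event Type": "Integer", "User": "String", "Workgroup ID": "String",
    "Workgroup Desc": "String", "Workgroup Location": "String",
}

# BeyondInsight 5.8: standard syslog levels, 0 is the MOST severe.
SYSLOG_58 = ["Emergency", "Alert", "Critical", "Error",
             "Warning", "Notice", "Information", "Debug"]


def severity_label(severity, version):
    """Human label for an Event Severity value under the given schema version."""
    if version == "5.8":
        if not 0 <= severity <= 7:
            raise ValueError(f"5.8 severity out of range: {severity}")
        return SYSLOG_58[severity]
    if version == "6.0":
        if not 0 <= severity <= 10:
            raise ValueError(f"6.0 severity out of range: {severity}")
        # The table anchors information=0, low=3, medium=6, high=9; the bucket
        # edges between those anchors are an assumption of this example.
        if severity >= 9:
            return "high"
        if severity >= 6:
            return "medium"
        if severity >= 3:
            return "low"
        return "information"
    raise ValueError(f"unknown schema version: {version}")


def is_high_severity(severity, version):
    """Alerting threshold (assumed): the two scales run in opposite directions,
    5.8 counts down towards Emergency, 6.0 counts up towards high."""
    if version == "5.8":
        return severity <= 2          # Emergency, Alert, Critical
    if version == "6.0":
        return severity >= 9          # high
    raise ValueError(f"unknown schema version: {version}")


def _parse_datetime(text):
    # Accept a trailing "Z" on older Pythons; pin naive values to UTC, since
    # both DateTime fields are documented as UTC.
    value = datetime.fromisoformat(text.replace("Z", "+00:00"))
    return value if value.tzinfo else value.replace(tzinfo=timezone.utc)


def validate_event(fields, version):
    """Check every persistent field is present and parseable. Returns a typed
    copy of the event with an added 'Severity Label' key."""
    missing = [name for name in PERSISTENT_FIELDS if name not in fields]
    if missing:
        raise ValueError(f"missing persistent fields: {missing}")
    event = {}
    for name, kind in PERSISTENT_FIELDS.items():
        raw = fields[name]
        if kind == "DateTime":
            event[name] = _parse_datetime(raw)
        elif kind == "Integer":
            event[name] = int(raw)
        else:
            event[name] = str(raw)
    # Source IP is typed String in the table, but a value that is not an
    # address usually means a broken forwarder, so reject it here.
    ipaddress.ip_address(event["Source IP"])
    event["Severity Label"] = severity_label(event["Event Severity"], version)
    return event


# Constructed sample event (not captured from a real system).
SAMPLE_EVENT = {
    "Event Date": "2024-01-15T10:22:31Z", "Server Date": "2024-01-15T10:22:33Z",
    "RefType": "ref-0001", "Agent Desc": "Application Bus 3.0",
    "Agent ID": "agent-42", "Agent Ver": "3.0.1", "Source Host": "host-a",
    "Source IP": "10.0.0.5", "OS": "Windows Server 2019", "Category": "Audits",
    "Event Name": "Logon", "Event Desc": "Interactive logon",
    "Event Severity": "2", "Event Subject": "host-a", "Event Type": "0",
    "User": "DOMAIN\\alice", "Workgroup ID": "BeyondTrust Workgroup",
    "Workgroup Desc": "BeyondTrust", "Workgroup Location": "Default Location",
}

if __name__ == "__main__":
    # The same Event Severity value of 2 is Critical under 5.8 and information under 6.0.
    for version in ("5.8", "6.0"):
        ev = validate_event(SAMPLE_EVENT, version)
        print(version, ev["Severity Label"], is_high_severity(ev["Event Severity"], version))
```

Run as a script it prints the same severity value interpreted under both schemas; in a pipeline, pass the version of the sending BeyondInsight instance alongside each message rather than guessing it from the value range, since 0 to 7 is valid in both.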