Sample Syslog Output Formats

Syslog Format : Newline-delimited (available in BeyondInsight 6.2 and earlier)

The timestamp format has been changed from "MMM yy HH:mm: ss" to "yyyy-MM-ddTHH:mm: ssZ" as of version 6.2.

<0>2015-12-05T11:22:53Z 10.124.101.11 Agent Desc: Application Bus 3.0
Event Date: 2016-06-13 10:14:35
Server Date: 2016-06-13 11:38:21
RefType: 16
Agent ID: retina
Agent Ver: 5.23.1.3108
Category: Processes
Source Host: WIN-4PBV285405S
Event Desc: svchost
Event Name: Process   772
OS: Windows,Microsoft,Windows,Server 2008 R2 Standard Edition (full installation) x64,Service Pack 1
Event Severity: 0
Source IP: 10.200.31.203
Event Subject: 010.200.031.085
Event Type: 0
User: SYSTEM
Workgroup Desc: BeyondTrust
Workgroup ID: BeyondTrust Workgroup
Workgroup Location: Default Location
Process ID: 772 (0x304)
Parent Process ID: 492 (0x1EC)
Start Time: 5/12/2016 9:21:05 AM GMT-04

Syslog Format: Tab-delimited (available in BeyondInsight 6.2)

<0>2016-12-05T11:22:53Z 10.101.25.167 Agent Desc: Application Bus 3.0Agent ID: retina
    Agent Ver: 5.25.2.3215Category: UserSource Host: WIN-N83HFCB9RNAEvent 
Desc: Built-in account for guest access to the computer/domainEvent Name: GuestOS: 
Windows,Microsoft,Windows,UnknownEvent Severity: 0Source IP: 10.101.25.167
Event Subject: 010.101.025.177Event Type: 0User: WIN-N83HFCB9RNA$
    Workgroup Desc: BeyondTrust	Workgroup ID: BeyondTrust Workgroup	Workgroup 
Location: Default Location	Member of Group (01/001): Guests	Privilege (01/002)
: Guest	Account Disabled (01/003): True	Last Logon (01/004): never 	Last Logoff 
(01/005): unknown 	Expires (01/006): never 	Max Storage (01/007): unlimited	Bad 
PW Count (01/008): 0	Number of Logons (01/009): 0	Logon Server (01/010): \\*	Country
 Code (01/011): 0	RID (01/012): 501	Password Expired (01/013): no	Source 
(01/014): NetUserEnum	SID (01/015): S-1-5-21-2210307081-232491991-3792010023-501

JSON syslog format (available BeyondInsight 6.0)

<0>2016-06-13T11:38:21 10.101.25.115 
{
          "formatVersion":"1.0", 
          "vendor":"BeyondTrust",
          "product":"BeyondInsight",
          "version":"6.0.0",
          "agentid":"attack",
          "agentdesc":"Application Bus 3.0",
          "agentver":"Unknown",
          "category":"User",
          "severity":"0",
          "eventid":"RET-SCAN-007",
          "eventname":"beyondtrust",
          "eventdesc":"bt admin",
          "eventdate":"Jun 10 2016 03:05:04",
          "sourcehost":"mymachine-ws",
          "os":"Windows,Microsoft,Windows,Unknown",
          "souirceip":"172.168.101.202",
          "eventsubject":"172.168.101.222",
          "eventtype":"0",
          "user":"MYMACHINE-WS$",
          "workgroupid":"BeyondTrust Workgroup",
          "workgroupdesc":"BeyondTrust",
          "workgrouplocation":"Default Location", 
          "nvps":
          {
                        "id":"c85dca8c-df30-4a70-98f8-c8a47f7fc2fa", 
                        "evtdate":"6/10/2016 3:05:04 AM", 
                        "clienthost":"mymachine-ws", 
                        "eventseverity":"0", 
                        "dllversion":"AppBus EMS v3.0 com xml", 
                        "transactiongroup":"5B3A069BE0D84E7EA56F2A40EFDBE253", 
                        "subjectdescription":"mymachine-ws", 
                        "evtsubjbi":"2896693762", 
                        "evtsrcipbi":"2896693762", 
                        "referenceid":"7", 
                        "evtdatatype":"SCAN", 
                        "evtstatus":"True", 
                        "badpwcount0101":"0", 
                        "countrycode0101":"0", 
                        "expires0101":"never ", 
                        "fullname0101":"beyondtrust", 
                        "lastlogoff0101":"unknown ", 
                        "lastlogon0101":"Tue Jun 02 19:26:42 2015", 
                        "logonserver0101":"\\\\*", 
                        "maxstorage0101":"unlimited", 
                        "memberofgroup0101":"Administrators, Performance Log Users, Users", 
                        "numberoflogons0101":"7", 
                        "passwordage0101":"412 days", 
                        "passwordexpired0101":"no", 
                        "privilege0101":"Administrator", 
                        "rid0101":"1006", 
                        "sid0101":"S-1-5-21-4152543990-75340177-3020034217-1006", 
                        "source0101":"NetUserEnum"
          }
}

LEEF syslog format (available BeyondInsight 6.0)

Jun 13 23:11:40 fe80::ad7a:8589:f107:158a%12 
LEEF:1.0|BeyondTrust|BeyondInsight|6.0.0|RET-SCAN-009|cat=Modules	devTime=Jun 
04 2016 02:08:58	devTimeFormat=MMM dd yyyy HH:mm:ss	sev=0	
	src=10.200.31.212	resource=WIN-AR9FPF5LTJG	dst=10.200.31.84	
	usrName=WIN-AR9FPF5LTJG$	groupID=BeyondTrust Workgroup	
	AgentDesc=Application Bus 3.0	AgentID=retina	AgentVer=5.24.1.3126	
	EventDesc=acrotray.exe	EventName=acrotray.exe	
	Os=Windows,Microsoft,Windows,Unknown	EventType=0	
	WorkgroupDesc=BeyondTrust	WorkgroupLocation=Default Location	Type=Module	
	Name=acrotray.exe	Filename=C:\\Program Files\\Adobe\\Acrobat 
11.0\\Acrobat\\acrotray.exe	MD5=E0DF6506C36AA207F41EFED13D876D83	
	SHA1=11B87A57B626CCD760D121215C1B96AB72F06BAA	Version=11.0.6.70	
	Company Name=Adobe Systems Inc.	Description=AcroTray	Product=AcroTray - 
Adobe Acrobat Distiller helper application.	Signer=Adobe Systems, Incorporated	Image 
Size=3514368	Entry Address=0056F07E	Base Address=003C0000	
	CertSerial=68ADD7AFFC72183C31865ACD3CB2D70C	CertIssuer=Symantec Class 3 
Extended Validation Code Signing CA	

CEF syslog format (available BeyondInsight 6.0)

Jun 13 16:09:00 WIN-TC570BCQDNA CEF:0|BeyondTrust|BeyondInsight|6.0.0|RET-SCAN-012|
IP Start Time|0|rt=Jun 13 2016 19:08:32 deviceExternalId=pbw_vulnerability cat=Status 
src=10.200.31.81 shost=PATCHWIN764X suser=NT AUTHORITY\NETWORK SERVICE msg=2016-
06-13 16:08:33 dst=10.200.31.81 BeyondTrustBeyondInsightAgentDesc=PBW 7.0.2.79 
BeyondTrustBeyondInsightAgentID=pbw_vulnerability 
BeyondTrustBeyondInsightAgentVer=7.0.2.79 BeyondTrustBeyondInsightCategory=Status 
BeyondTrustBeyondInsightClientHost=PATCHWIN764X 
BeyondTrustBeyondInsightEventDesc=2016-06-13 16:08:33 
BeyondTrustBeyondInsightEventName=IP Start Time BeyondTrustBeyondInsightOs=Windows 7 
(X64), Service Pack 1 BeyondTrustBeyondInsightEventSeverity=0 
BeyondTrustBeyondInsightSourceIp=10.200.31.81 
BeyondTrustBeyondInsightEventSubject=10.200.31.81 BeyondTrustBeyondInsightEventType=0 
BeyondTrustBeyondInsightUser=NT AUTHORITY\NETWORK SERVICE 
BeyondTrustBeyondInsightWorkgroupDesc=BeyondTrust Workgroup 
BeyondTrustBeyondInsightWorkgroupID=BeyondTrust Workgroup 
BeyondTrustBeyondInsightWorkgroupLocation=Default Location