Sample Syslog Output Formats

This is a small sample of event messages in various formats, not an all-encompassing set of every possible event.

Syslog Format: Newline-delimited

<0>2015-12-05T11:22:53Z 10.124.101.11 Agent Desc: Application Bus 3.0
Event Date: 2016-06-13 10:14:35
Server Date: 2016-06-13 11:38:21
RefType: 16
Agent ID: retina
Agent Ver: 5.23.1.3108
Category: Processes
Source Host: WIN-4PBV285405S
Event Desc: svchost
Event Name: Process   772
OS: Windows,Microsoft,Windows,Server 2008 R2 Standard Edition (full installation) x64,Service Pack 1
Event Severity: 0
Source IP: 10.200.31.203
Event Subject: 010.200.031.085
Event Type: 0
User: SYSTEM
Workgroup Desc: BeyondTrust
Workgroup ID: BeyondTrust Workgroup
Workgroup Location: Default Location
Process ID: 772 (0x304)
Parent Process ID: 492 (0x1EC)
Start Time: 5/12/2016 9:21:05 AM GMT-04

Syslog Format: Tab-delimited

<0>2016-12-05T11:22:53Z 10.101.25.167 Agent Desc: Application Bus 3.0	Agent ID: retina	Agent Ver: 5.25.2.3215	Category: User	Source Host: WIN-N83HFCB9RNA	Event Desc: Built-in account for guest access to the computer/domain	Event Name: Guest	OS: Windows,Microsoft,Windows,Unknown	Event Severity: 0	Source IP: 10.101.25.167	Event Subject: 010.101.025.177	Event Type: 0	User: WIN-N83HFCB9RNA$	Workgroup Desc: BeyondTrust	Workgroup ID: BeyondTrust Workgroup	Workgroup Location: Default Location	Member of Group (01/001): Guests	Privilege (01/002): Guest	Account Disabled (01/003): True	Last Logon (01/004): never 	Last Logoff (01/005): unknown 	Expires (01/006): never 	Max Storage (01/007): unlimited	Bad PW Count (01/008): 0	Number of Logons (01/009): 0	Logon Server (01/010): \\*	Country Code (01/011): 0	RID (01/012): 501	Password Expired (01/013): no	Source (01/014): NetUserEnum	SID (01/015): S-1-5-21-2210307081-232491991-3792010023-501

JSON Syslog Format

<0>2016-06-13T11:38:21 10.101.25.115 
{
          "formatVersion":"1.0", 
          "vendor":"BeyondTrust",
          "product":"BeyondInsight",
          "version":"6.0.0",
          "agentid":"attack",
          "agentdesc":"Application Bus 3.0",
          "agentver":"Unknown",
          "category":"User",
          "severity":"0",
          "eventid":"RET-SCAN-007",
          "eventname":"beyondtrust",
          "eventdesc":"bt admin",
          "eventdate":"Jun 10 2016 03:05:04",
          "sourcehost":"mymachine-ws",
          "os":"Windows,Microsoft,Windows,Unknown",
          "souirceip":"172.168.101.202",
          "eventsubject":"172.168.101.222",
          "eventtype":"0",
          "user":"MYMACHINE-WS$",
          "workgroupid":"BeyondTrust Workgroup",
          "workgroupdesc":"BeyondTrust",
          "workgrouplocation":"Default Location", 
          "nvps":
          {
                        "id":"c85dca8c-df30-4a70-98f8-c8a47f7fc2fa", 
                        "evtdate":"6/10/2016 3:05:04 AM", 
                        "clienthost":"mymachine-ws", 
                        "eventseverity":"0", 
                        "dllversion":"AppBus EMS v3.0 com xml", 
                        "transactiongroup":"5B3A069BE0D84E7EA56F2A40EFDBE253", 
                        "subjectdescription":"mymachine-ws", 
                        "evtsubjbi":"2896693762", 
                        "evtsrcipbi":"2896693762", 
                        "referenceid":"7", 
                        "evtdatatype":"SCAN", 
                        "evtstatus":"True", 
                        "badpwcount0101":"0", 
                        "countrycode0101":"0", 
                        "expires0101":"never ", 
                        "fullname0101":"beyondtrust", 
                        "lastlogoff0101":"unknown ", 
                        "lastlogon0101":"Tue Jun 02 19:26:42 2015", 
                        "logonserver0101":"\\\\*", 
                        "maxstorage0101":"unlimited", 
                        "memberofgroup0101":"Administrators, Performance Log Users, Users", 
                        "numberoflogons0101":"7", 
                        "passwordage0101":"412 days", 
                        "passwordexpired0101":"no", 
                        "privilege0101":"Administrator", 
                        "rid0101":"1006", 
                        "sid0101":"S-1-5-21-4152543990-75340177-3020034217-1006", 
                        "source0101":"NetUserEnum"
          }
}

LEEF Syslog Format

Jun 13 23:11:40 fe80::ad7a:8589:f107:158a%12 LEEF:1.0|BeyondTrust|BeyondInsight|6.0.0|RET-SCAN-009|cat=Modules	devTime=Jun 04 2016 02:08:58	devTimeFormat=MMM dd yyyy HH:mm:ss	sev=0	src=10.200.31.212	resource=WIN-AR9FPF5LTJG	dst=10.200.31.84	usrName=WIN-AR9FPF5LTJG$	groupID=BeyondTrust Workgroup	AgentDesc=Application Bus 3.0	AgentID=retina	AgentVer=5.24.1.3126	EventDesc=acrotray.exe	EventName=acrotray.exe	Os=Windows,Microsoft,Windows,Unknown	EventType=0	WorkgroupDesc=BeyondTrust	WorkgroupLocation=Default Location	Type=Module	Name=acrotray.exe	Filename=C:\\Program Files\\Adobe\\Acrobat 11.0\\Acrobat\\acrotray.exe	MD5=E0DF6506C36AA207F41EFED13D876D83	SHA1=11B87A57B626CCD760D121215C1B96AB72F06BAA	Version=11.0.6.70	Company Name=Adobe Systems Inc.	Description=AcroTray	Product=AcroTray - Adobe Acrobat Distiller helper application.	Signer=Adobe Systems, Incorporated	Image Size=3514368	Entry Address=0056F07E	Base Address=003C0000	CertSerial=68ADD7AFFC72183C31865ACD3CB2D70C	CertIssuer=Symantec Class 3 Extended Validation Code Signing CA

CEF Syslog Format

Jun 13 16:09:00 WIN-TC570BCQDNA CEF:0|BeyondTrust|BeyondInsight|6.0.0|RET-SCAN-012|IP Start Time|0|rt=Jun 13 2016 19:08:32 deviceExternalId=pbw_vulnerability cat=Status src=10.200.31.81 shost=PATCHWIN764X suser=NT AUTHORITY\NETWORK SERVICE msg=2016-06-13 16:08:33 dst=10.200.31.81 BeyondTrustBeyondInsightAgentDesc=PBW 7.0.2.79 BeyondTrustBeyondInsightAgentID=pbw_vulnerability BeyondTrustBeyondInsightAgentVer=7.0.2.79 BeyondTrustBeyondInsightCategory=Status BeyondTrustBeyondInsightClientHost=PATCHWIN764X BeyondTrustBeyondInsightEventDesc=2016-06-13 16:08:33 BeyondTrustBeyondInsightEventName=IP Start Time BeyondTrustBeyondInsightOs=Windows 7 (X64), Service Pack 1 BeyondTrustBeyondInsightEventSeverity=0 BeyondTrustBeyondInsightSourceIp=10.200.31.81 BeyondTrustBeyondInsightEventSubject=10.200.31.81 BeyondTrustBeyondInsightEventType=0 BeyondTrustBeyondInsightUser=NT AUTHORITY\NETWORK SERVICE BeyondTrustBeyondInsightWorkgroupDesc=BeyondTrust Workgroup BeyondTrustBeyondInsightWorkgroupID=BeyondTrust Workgroup BeyondTrustBeyondInsightWorkgroupLocation=Default Location
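Added example, not BeyondTrust's own code: a small Python parser for the three structured formats above (JSON, LEEF and CEF) that strips the syslog envelope, splits the pipe-delimited header, and splits the extension on each format's own delimiter (tabs for LEEF, whitespace before the next key= for CEF, whose values may contain spaces). The three sample lines it parses are constructed single-line versions of the samples on this page.

```python
import json
import re

# Syslog envelope used by the samples above: optional <PRI>, then either a
# BSD "Mon dd HH:MM:SS" or a single-token ISO-8601 timestamp, then host, then payload.
ENVELOPE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d|\S+) "
    r"(?P<host>\S+) (?P<payload>.+)$", re.S)
UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")    # header separator; "\|" is an escaped pipe
CEF_EXT_SEP = re.compile(r"\s+(?=[\w.]+=)")  # CEF values may contain spaces: split before next key=

def kv_pairs(parts):
    """Turn ["k=v", ...] into a dict; tokens without '=' (e.g. empty tab slots) are skipped."""
    return dict(p.split("=", 1) for p in parts if "=" in p)

def parse_event(line):
    m = ENVELOPE.match(line.strip())
    if not m:
        raise ValueError("not a syslog line")
    payload = m.group("payload")
    event = {"pri": m.group("pri"), "timestamp": m.group("ts"), "host": m.group("host")}
    if payload.startswith("{"):        # JSON Syslog Format: the payload is one JSON object
        event.update(format="json", fields=json.loads(payload))
    elif payload.startswith("LEEF:"):  # LEEF:Ver|Vendor|Product|Version|EventID|<tab-delimited k=v>
        _, vendor, product, pver, eid, ext = UNESCAPED_PIPE.split(payload, 5)
        event.update(format="leef", vendor=vendor, product=product, product_version=pver,
                     event_id=eid, fields=kv_pairs(ext.split("\t")))
    elif payload.startswith("CEF:"):   # CEF:Ver|Vendor|Product|Version|SignatureID|Name|Severity|<k=v ...>
        _, vendor, product, pver, sig, name, sev, ext = UNESCAPED_PIPE.split(payload, 7)
        event.update(format="cef", vendor=vendor, product=product, product_version=pver,
                     event_id=sig, name=name, severity=int(sev), fields=kv_pairs(CEF_EXT_SEP.split(ext)))
    else:
        raise ValueError("unsupported payload: " + payload[:20])
    return event

# Constructed single-line versions of the page's JSON, LEEF and CEF samples (not captured output).
JSON_LINE = ('<0>2016-06-13T11:38:21 10.101.25.115 {"formatVersion":"1.0","vendor":"BeyondTrust",'
             '"eventid":"RET-SCAN-007","severity":"0","nvps":{"privilege0101":"Administrator","rid0101":"1006"}}')
LEEF_LINE = ("Jun 13 23:11:40 fe80::ad7a:8589:f107:158a%12 LEEF:1.0|BeyondTrust|BeyondInsight|6.0.0|RET-SCAN-009|"
             + "\t".join(["cat=Modules", "devTime=Jun 04 2016 02:08:58", "sev=0", "src=10.200.31.212",
                          "Name=acrotray.exe", "Company Name=Adobe Systems Inc.", ""]))  # trailing tab as on the page
CEF_LINE = ("Jun 13 16:09:00 WIN-TC570BCQDNA CEF:0|BeyondTrust|BeyondInsight|6.0.0|RET-SCAN-012|IP Start Time|0|"
            "rt=Jun 13 2016 19:08:32 deviceExternalId=pbw_vulnerability cat=Status src=10.200.31.81 "
            "shost=PATCHWIN764X suser=NT AUTHORITY\\NETWORK SERVICE msg=2016-06-13 16:08:33 dst=10.200.31.81")

if __name__ == "__main__":
    for sample in (JSON_LINE, LEEF_LINE, CEF_LINE):
        ev = parse_event(sample)
        print(ev["format"], ev["host"], ev.get("event_id"), len(ev["fields"]), "extension fields")
```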