Sample Syslog Output Formats
This is a small sample of event messages in various formats, not an all-encompassing set of every possible event.
Syslog Format: Newline-delimited
<0>2015-12-05T11:22:53Z 10.124.101.11 Agent Desc: Application Bus 3.0 Event Date: 2016-06-13 10:14:35 Server Date: 2016-06-13 11:38:21 RefType: 16 Agent ID: retina Agent Ver: 5.23.1.3108 Category: Processes Source Host: WIN-4PBV285405S Event Desc: svchost Event Name: Process 772 OS: Windows,Microsoft,Windows,Server 2008 R2 Standard Edition (full installation) x64,Service Pack 1 Event Severity: 0 Source IP: 10.200.31.203 Event Subject: 010.200.031.085 Event Type: 0 User: SYSTEM Workgroup Desc: BeyondTrust Workgroup ID: BeyondTrust Workgroup Workgroup Location: Default Location Process ID: 772 (0x304) Parent Process ID: 492 (0x1EC) Start Time: 5/12/2016 9:21:05 AM GMT-04
Syslog Format: Tab-delimited
<0>2016-12-05T11:22:53Z 10.101.25.167 Agent Desc: Application Bus 3.0	Agent ID: retina Agent Ver: 5.25.2.3215	Category: User	Source Host: WIN-N83HFCB9RNA	Event Desc: Built-in account for guest access to the computer/domain	Event Name: Guest	OS: Windows,Microsoft,Windows,Unknown	Event Severity: 0	Source IP: 10.101.25.167 Event Subject: 010.101.025.177	Event Type: 0	User: WIN-N83HFCB9RNA$ Workgroup Desc: BeyondTrust Workgroup ID: BeyondTrust Workgroup Workgroup Location: Default Location Member of Group (01/001): Guests Privilege (01/002) : Guest Account Disabled (01/003): True Last Logon (01/004): never Last Logoff (01/005): unknown Expires (01/006): never Max Storage (01/007): unlimited Bad PW Count (01/008): 0 Number of Logons (01/009): 0 Logon Server (01/010): \\* Country Code (01/011): 0 RID (01/012): 501 Password Expired (01/013): no Source (01/014): NetUserEnum SID (01/015): S-1-5-21-2210307081-232491991-3792010023-501
JSON Syslog Format
<0>2016-06-13T11:38:21 10.101.25.115 { "formatVersion":"1.0", "vendor":"BeyondTrust", "product":"BeyondInsight", "version":"6.0.0", "agentid":"attack", "agentdesc":"Application Bus 3.0", "agentver":"Unknown", "category":"User", "severity":"0", "eventid":"RET-SCAN-007", "eventname":"beyondtrust", "eventdesc":"bt admin", "eventdate":"Jun 10 2016 03:05:04", "sourcehost":"mymachine-ws", "os":"Windows,Microsoft,Windows,Unknown", "souirceip":"172.168.101.202", "eventsubject":"172.168.101.222", "eventtype":"0", "user":"MYMACHINE-WS$", "workgroupid":"BeyondTrust Workgroup", "workgroupdesc":"BeyondTrust", "workgrouplocation":"Default Location", "nvps": { "id":"c85dca8c-df30-4a70-98f8-c8a47f7fc2fa", "evtdate":"6/10/2016 3:05:04 AM", "clienthost":"mymachine-ws", "eventseverity":"0", "dllversion":"AppBus EMS v3.0 com xml", "transactiongroup":"5B3A069BE0D84E7EA56F2A40EFDBE253", "subjectdescription":"mymachine-ws", "evtsubjbi":"2896693762", "evtsrcipbi":"2896693762", "referenceid":"7", "evtdatatype":"SCAN", "evtstatus":"True", "badpwcount0101":"0", "countrycode0101":"0", "expires0101":"never ", "fullname0101":"beyondtrust", "lastlogoff0101":"unknown ", "lastlogon0101":"Tue Jun 02 19:26:42 2015", "logonserver0101":"\\\\*", "maxstorage0101":"unlimited", "memberofgroup0101":"Administrators, Performance Log Users, Users", "numberoflogons0101":"7", "passwordage0101":"412 days", "passwordexpired0101":"no", "privilege0101":"Administrator", "rid0101":"1006", "sid0101":"S-1-5-21-4152543990-75340177-3020034217-1006", "source0101":"NetUserEnum" } }
LEEF Syslog Format
Jun 13 23:11:40 fe80::ad7a:8589:f107:158a%12 LEEF:1.0|BeyondTrust|BeyondInsight|6.0.0|RET-SCAN-009|cat=Modules devTime=Jun 04 2016 02:08:58 devTimeFormat=MMM dd yyyy HH:mm:ss sev=0 src=10.200.31.212 resource=WIN-AR9FPF5LTJG dst=10.200.31.84 usrName=WIN-AR9FPF5LTJG$ groupID=BeyondTrust Workgroup AgentDesc=Application Bus 3.0 AgentID=retina AgentVer=5.24.1.3126 EventDesc=acrotray.exe EventName=acrotray.exe Os=Windows,Microsoft,Windows,Unknown EventType=0 WorkgroupDesc=BeyondTrust WorkgroupLocation=Default Location Type=Module Name=acrotray.exe Filename=C:\\Program Files\\Adobe\\Acrobat 11.0\\Acrobat\\acrotray.exe MD5=E0DF6506C36AA207F41EFED13D876D83 SHA1=11B87A57B626CCD760D121215C1B96AB72F06BAA Version=11.0.6.70 Company Name=Adobe Systems Inc. Description=AcroTray Product=AcroTray - Adobe Acrobat Distiller helper application. Signer=Adobe Systems, Incorporated Image Size=3514368 Entry Address=0056F07E Base Address=003C0000 CertSerial=68ADD7AFFC72183C31865ACD3CB2D70C CertIssuer=Symantec Class 3 Extended Validation Code Signing CA
CEF Syslog Format
Jun 13 16:09:00 WIN-TC570BCQDNA CEF:0|BeyondTrust|BeyondInsight|6.0.0|RET-SCAN-012| IP Start Time|0|rt=Jun 13 2016 19:08:32 deviceExternalId=pbw_vulnerability cat=Status src=10.200.31.81 shost=PATCHWIN764X suser=NT AUTHORITY\NETWORK SERVICE msg=2016-06-13 16:08:33 dst=10.200.31.81 BeyondTrustBeyondInsightAgentDesc=PBW 7.0.2.79 BeyondTrustBeyondInsightAgentID=pbw_vulnerability BeyondTrustBeyondInsightAgentVer=7.0.2.79 BeyondTrustBeyondInsightCategory=Status BeyondTrustBeyondInsightClientHost=PATCHWIN764X BeyondTrustBeyondInsightEventDesc=2016-06-13 16:08:33 BeyondTrustBeyondInsightEventName=IP Start Time BeyondTrustBeyondInsightOs=Windows 7 (X64), Service Pack 1 BeyondTrustBeyondInsightEventSeverity=0 BeyondTrustBeyondInsightSourceIp=10.200.31.81 BeyondTrustBeyondInsightEventSubject=10.200.31.81 BeyondTrustBeyondInsightEventType=0 BeyondTrustBeyondInsightUser=NT AUTHORITY\NETWORK SERVICE BeyondTrustBeyondInsightWorkgroupDesc=BeyondTrust Workgroup BeyondTrustBeyondInsightWorkgroupID=BeyondTrust Workgroup BeyondTrustBeyondInsightWorkgroupLocation=Default Location
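As an added example (not BeyondTrust's code), a parser for the CEF record above: it splits the seven pipe-delimited header fields, then walks the extension as key=value pairs whose values may contain spaces, honouring the CEF `\|`, `\=` and `\\` escapes, and tolerating the unescaped backslash in `suser=NT AUTHORITY\NETWORK SERVICE` exactly as the sample shows it. The embedded sample is the page's own CEF line with the extraction line break in `msg=` removed.

```python
"""Parse a BeyondInsight CEF syslog record into header fields and extension pairs."""
import re
from typing import Dict

# The CEF line from this page (line-break artifact inside msg= removed).
SAMPLE_CEF = (
    r"Jun 13 16:09:00 WIN-TC570BCQDNA CEF:0|BeyondTrust|BeyondInsight|6.0.0|RET-SCAN-012| IP Start Time|0|"
    r"rt=Jun 13 2016 19:08:32 deviceExternalId=pbw_vulnerability cat=Status src=10.200.31.81 "
    r"shost=PATCHWIN764X suser=NT AUTHORITY\NETWORK SERVICE msg=2016-06-13 16:08:33 dst=10.200.31.81 "
    r"BeyondTrustBeyondInsightAgentDesc=PBW 7.0.2.79 BeyondTrustBeyondInsightAgentID=pbw_vulnerability "
    r"BeyondTrustBeyondInsightAgentVer=7.0.2.79 BeyondTrustBeyondInsightCategory=Status "
    r"BeyondTrustBeyondInsightClientHost=PATCHWIN764X BeyondTrustBeyondInsightEventDesc=2016-06-13 16:08:33 "
    r"BeyondTrustBeyondInsightEventName=IP Start Time BeyondTrustBeyondInsightOs=Windows 7 (X64), Service Pack 1 "
    r"BeyondTrustBeyondInsightEventSeverity=0 BeyondTrustBeyondInsightSourceIp=10.200.31.81 "
    r"BeyondTrustBeyondInsightEventSubject=10.200.31.81 BeyondTrustBeyondInsightEventType=0 "
    r"BeyondTrustBeyondInsightUser=NT AUTHORITY\NETWORK SERVICE BeyondTrustBeyondInsightWorkgroupDesc=BeyondTrust Workgroup "
    r"BeyondTrustBeyondInsightWorkgroupID=BeyondTrust Workgroup BeyondTrustBeyondInsightWorkgroupLocation=Default Location"
)

# A '|' not preceded by a backslash ends a header field (CEF escapes literal pipes as '\|').
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# One extension pair: key, '=', then a value that runs (lazily) until the next ' key=' or end of line.
# Values may contain spaces; a backslash plus any character is consumed as a unit so '\=' never ends a value.
_EXT_PAIR = re.compile(r"(?P<key>[^\s=]+)=(?P<val>(?:\\.|[^\\])*?)(?=\s+[^\s=]+=|\s*$)")
_HEADER_NAMES = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
_EXT_ESCAPES = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}


def _unescape_ext(value: str) -> str:
    # Only the CEF extension escapes are decoded; a stray backslash such as the one in
    # 'NT AUTHORITY\NETWORK SERVICE' (unescaped in the page's sample) is left as-is.
    return re.sub(r"\\([\\=nr])", lambda m: _EXT_ESCAPES[m.group(1)], value)


def parse_cef(line: str) -> Dict[str, object]:
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    syslog_prefix = line[:start].rstrip()          # e.g. 'Jun 13 16:09:00 WIN-TC570BCQDNA'
    body = line[start + len("CEF:"):]
    parts = _HEADER_SPLIT.split(body, maxsplit=7)  # 7 header fields + 1 extension blob
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields followed by the extension")
    header = {name: field.strip().replace("\\|", "|").replace("\\\\", "\\")
              for name, field in zip(_HEADER_NAMES, parts[:7])}
    extension = {m.group("key"): _unescape_ext(m.group("val"))
                 for m in _EXT_PAIR.finditer(parts[7].strip())}
    return {"syslog_prefix": syslog_prefix, "header": header, "extension": extension}


if __name__ == "__main__":
    record = parse_cef(SAMPLE_CEF)
    print(record["header"]["signature_id"], record["header"]["name"], record["extension"]["suser"])
```

Keys in a value that is itself an unescaped `key=value` string would still be split, because the CEF spec requires `=` inside values to be written as `\=`.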