The following syslog fields are available on the SMS. Each entry below lists the field name, its type, its maximum size, and a description.
Field Type Max size Description
_delimiter Delimiter placed between fields in the custom syslog format: tab, comma, semi-colon, or pipe.
actionSetName integer 56 Action set name.
actionType integer 3 Action type on the filter associated with the syslog event.
  • 7 — IPS Alert
  • 8 — IPS Block
  • 9 — P2P
  • 12 — Quarantine
  • 37 — Reputation Alert
  • 38 — Reputation Block
arcSightFilterName string 250 Name of the filter associated with the syslog event.
arcSightSeverity integer 7 0 is Info, 1 is Low, 4 is Minor, 7 is Major, 10 is Critical
categoryName string 128 Name of the filter category.
clientAddress IP address 39
TCIP/XFF client IP address in IPv4 or IPv6 format from HTTP traffic when configured in the profile settings.
This field matches the srcAddress field when TCIP/XFF collection is enabled but TCIP/XFF is unavailable for the traffic flow associated with the event.
This field will be empty in the following situations:
  • The profile configured on the segment does not have TCIP/XFF enabled
  • The IPS device is running a version of TOS that doesn't support the feature
Note
When you upgrade a TPS device, the SMS will start sending the client IP address (or source IP address if the client IP address is not available) to any remote syslog configured with this field.
clientAddressv4 IP address 15 TCIP/XFF client IP address in IPv4 format from HTTP traffic when configured in the profile settings.
This field matches the srcAddress field when TCIP/XFF collection is enabled but TCIP/XFF is unavailable for the traffic flow associated with the syslog event.
This field will be empty in the following situations:
  • The profile configured on the segment does not have TCIP/XFF enabled
  • The IPS device is running a version of TOS that doesn't support the feature
  • An IPv6 address was captured
clientAddressv6 IP address 39 TCIP/XFF client IPv6 address in IPv6 format (for example, 2001:db8:85a3::8a2e:370:7334) from HTTP traffic when configured in the profile settings.
This field matches the srcAddress field when TCIP/XFF collection is enabled but TCIP/XFF is unavailable for the traffic flow associated with the event.
This field will be empty in the following situations:
  • The profile configured on the segment does not have TCIP/XFF enabled
  • The IPS device is running a version of TOS that doesn't support the feature
  • An IPv4 address was captured
cveIds string 1000 CVE ID
When creating a custom syslog format, note the following:
Because commas are used to separate multiple CVEs in a syslog entry, define and manually insert an escape character when you use comma delimiters in your custom syslog. These characters will properly separate the CVE ID field so that the receiving server can parse the custom fields.
You might also need to adjust the settings for your syslog server so that it recognizes the defined escape character.
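As an added illustration of the escaping described above (example code written for this page, not part of the SMS product or its documentation): a receiver-side parser for a comma-delimited custom format in which the commas inside the cveIds field have been escaped. The field order, the choice of backslash as the escape character, the CVE placeholder values and the sample record are all assumptions made for this example; the actionType codes are the ones listed in this table.

```python
"""Parse a comma-delimited custom SMS syslog record whose cveIds field contains
escaped commas.

Added example; not code from the SMS product or its documentation. The field
order, the backslash escape character and the sample record are assumptions.
"""
from typing import Dict, List

# Assumed order of fields in the custom syslog format (assumption for this example).
FIELD_ORDER = [
    "eventTimestamp", "smsName", "deviceName", "actionType", "severity",
    "signatureNumber", "filterName", "cveIds", "srcAddress", "srcPort",
    "destAddress", "destPort", "protocol", "hitCount",
]

# Escape character assumed to have been defined in the custom format (assumption).
ESCAPE = "\\"

# actionType codes as listed in the field table.
ACTION_TYPES = {7: "IPS Alert", 8: "IPS Block", 9: "P2P", 12: "Quarantine",
                37: "Reputation Alert", 38: "Reputation Block"}

# Constructed sample record. The two CVE identifiers are placeholders, not real
# CVE numbers; the comma between them is escaped so it is not read as a delimiter.
SAMPLE_RECORD = (
    "1700000000000,sms-lab,ips-edge-1,8,3,1000730,Example filter,"
    "CVE-0000-0001\\,CVE-0000-0002,10.0.0.3,443,192.0.2.10,51234,tcp,1"
)


def split_escaped(record: str, delimiter: str = ",", escape: str = ESCAPE) -> List[str]:
    """Split record on delimiter; an escape followed by any character keeps that
    character literally (so escape+delimiter is data, escape+escape is one escape)."""
    fields: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(record):
        ch = record[i]
        if ch == escape and i + 1 < len(record):
            current.append(record[i + 1])  # escaped character, taken literally
            i += 2
            continue
        if ch == delimiter:
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def parse_record(record: str) -> Dict[str, object]:
    """Map a record onto FIELD_ORDER, typing the numeric fields and splitting cveIds."""
    values = split_escaped(record)
    if len(values) != len(FIELD_ORDER):
        # An unescaped comma inside cveIds shows up here as a field-count mismatch.
        raise ValueError(f"expected {len(FIELD_ORDER)} fields, got {len(values)}")
    event: Dict[str, object] = dict(zip(FIELD_ORDER, values))
    # Multiple CVEs are comma-separated within the field; split them once unescaped.
    event["cveIds"] = [c for c in str(event["cveIds"]).split(",") if c]
    for key in ("eventTimestamp", "actionType", "severity", "signatureNumber",
                "srcPort", "destPort", "hitCount"):
        event[key] = int(str(event[key]))
    event["actionTypeName"] = ACTION_TYPES.get(int(str(event["actionType"])), "unknown")
    return event


if __name__ == "__main__":
    print(parse_record(SAMPLE_RECORD))
```

Splitting the same record naively on commas yields one field too many, which is exactly the parse failure the note above warns about; the receiving server must be told about the escape character so that its splitter behaves like `split_escaped`.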
destAddress IP address 39 Destination address of the syslog event.
destAddressv4 IP address 15 Destination IPv4 address. This field will be empty if the destAddress is an IPv6 address.
destAddressv6 IP address 39 Destination IPv6 address. This field will be empty if the destAddress is an IPv4 address.
destPort integer 5 Destination port number.
destUserDomain string 255 Active Directory domain name of the user at the destination IP address. The Identity Agent must be configured for the SMS.
destUserMachine string 1023 Computer name for the user at the destination IP address. The Identity Agent must be configured for the SMS.
destUserName string 1023 Active Directory logged in username at the destination IP address. The Identity Agent must be configured for the SMS.
deviceName string 63 User-provided name of the device the event was received from.
deviceSegment integer 11 Segment on the device where the event occurred.
deviceSlot integer 11 Device slot.
deviceTimezone string 50 Device time zone.
eventID long 20 SMS event identifier. This is the Event No field, available on Inspection Event Details.
eventTimestamp long 20 Event timestamp in milliseconds.
filterName string 250 Name of the filter associated with the syslog event.
fiterNameV2 string 250 Name of the filter associated with the event. Contains the same information as the filterName field except for the colon (:) and semi-colon (;) punctuation.
flowControl string 20 Flow control of the filter.
hitCount integer 10 Number of times this event occurred during the aggregation period.
msgParameters string 255 Message parameters used for certain filters, such as DDoS filters and Reputation filters. Each parameter is separated by a pipe (for example, 10.1.4.80/32|exceeds|1|3).
Example: If a signature has a message such as that of filter 7202, "7202: SYN flood against [1] [2] [3] SYNs/sec (current rate = [4])", the numbers in brackets refer to the positions of the values in the message parameters. The complete message results when the signature message is combined with the message parameters.
For example:
7202: SYN flood against 10.1.4.80/32 exceeds 1 SYNs/sec (current rate = 3)
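The substitution described above, as an added example (written for this page, not code from the SMS product): the bracketed positions in a filter's message are replaced by the corresponding pipe-separated values from msgParameters. The 7202 message text is the one given above; the template table, the substitution routine and the handling of a short parameter list are this example's own assumptions.

```python
"""Combine a filter's message template with the pipe-separated msgParameters
field to produce the complete event message.

Added example, not code from the SMS product. The 7202 template text is the one
shown in the field table; everything else here is an assumption for illustration.
"""
import re
from typing import Dict, List

# Message templates keyed by filter (signature) number. Bracketed numbers are
# 1-based positions in the msgParameters field. Only 7202 is taken from the table.
MESSAGE_TEMPLATES: Dict[int, str] = {
    7202: "SYN flood against [1] [2] [3] SYNs/sec (current rate = [4])",
}

PLACEHOLDER = re.compile(r"\[(\d+)\]")


def split_parameters(msg_parameters: str) -> List[str]:
    """msgParameters separates each parameter with a pipe; an empty field has none."""
    return msg_parameters.split("|") if msg_parameters else []


def expand_message(signature_number: int, msg_parameters: str) -> str:
    """Return '<number>: <message>' with each [n] replaced by parameter n.

    A placeholder with no matching parameter (for example, when the field was
    truncated) is left visible rather than silently dropped, so the gap is obvious
    to whoever reads the message.
    """
    template = MESSAGE_TEMPLATES.get(signature_number)
    if template is None:
        raise KeyError(f"no message template known for filter {signature_number}")
    params = split_parameters(msg_parameters)

    def substitute(match: re.Match) -> str:
        index = int(match.group(1))
        if not 1 <= index <= len(params):
            return match.group(0)  # keep "[n]" when parameter n is missing
        return params[index - 1]

    return f"{signature_number}: {PLACEHOLDER.sub(substitute, template)}"


if __name__ == "__main__":
    print(expand_message(7202, "10.1.4.80/32|exceeds|1|3"))
```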
originalFilterName string 250 Name of the original filter associated with the event.
originalSignatureNumber integer 50 Original filter number (for example, 1000730).
packetTrace boolean 3 Whether a packet trace is associated with the event: 0 if there is no packet trace, 1 if there is a packet trace. This field will not be available from TPS devices.
pcapData string 35k (base64 encoded) Include SMS packet trace metadata as part of the filter event to examine filter detections, and determine impacts and steps for remediation.
Note
The packet trace data will always be included when you add this field to the syslog format. Although larger traces get truncated, consider making syslog server configuration changes to handle the potential of large amounts of incoming data.
physicalPortIn integer 5 Physical port in.
policyUUID string 36 UUID for the policy (for example, c6da0827-798b-49ad-85e8-bb8e0ae531b5). You can also use this field in conjunction with the SMS Web Services API.
profileName string 127 Name of the profile on the device segment/interface where the event occurred.
protocol string 30 Name of the protocol.
protocolLower string 30 Name of the protocol in lowercase letters.
severity integer 3 0 is Normal, 1 is Low, 2 is Minor, 3 is Major, 4 is Critical
severityType string 8 Severity type (Low, Minor, Major, etc.)
signatureName string 250 User-friendly name for the filter. Use this field with the SMS Web Services API.
signatureNumber integer 11 Filter number. Use this field in conjunction with the SMS Web Services API.
signatureUUID string 36 UUID for the filter. Use this field in conjunction with the SMS Web Services API.
smsName string 63 User-provided name of the SMS.
snortClass [deprecated] string 64 Snort Classification.
snortDate [deprecated] date 15 Event timestamp.
snortDestAddress [deprecated] IP address: Port 45 Destination address and port of the event.
snortName [deprecated] string 255 Name of the filter associated with the event.
snortNameV2 [deprecated] string 255 Name of the filter associated with the event.
snortPriority [deprecated] integer 6 0 is Normal, 1 is Low, 2 is Minor, 3 is Major, 4 is Critical
snortProtocol [deprecated] string 36 Name of the protocol.
snortProtocolV2 [deprecated] string 36 Name of the protocol.
snortSid [deprecated] string 25 Snort rule identifier (for example, [1:0:1]).
snortSrcAddress [deprecated] IP address: Port 45 Source address and port of the event (for example, 10.0.0.3:80).
srcAddress IP address 39 Source address of the event (for example, 10.0.0.3).
srcAddressv4 IP address 15 Source IPv4 address (for example, 10.0.0.3). This field will be empty if the srcAddress is an IPv6 address.
srcAddressv6 IP address 39 Source IPv6 address (for example, 2001:db8:85a3::8a2e:370:7336). This field will be empty if the srcAddress is an IPv4 address.
srcPort integer 5 Source port number.
srcUserDomain string 255 Active Directory domain name of the user at the source IP address. The Identity Agent must be configured for the SMS.
srcUserMachine string 1023 Computer name for the user at the source IP address. The Identity Agent must be configured for the SMS.
srcUserName string 1023 Name for the user at the source IP address. The Identity Agent must be configured for the SMS.
taxonomyID long 11 Category ID assigned to the signature.
uriHost string 255 HTTP hostname from the HTTP header when HTTP context is configured for the profile and reported by the IPS device (for example, example.com).
uriMethod string 15 HTTP method from the HTTP header when HTTP context is configured for the profile and reported by the IPS device (for example, GET).
uriString string 284 URI from the HTTP header when HTTP context is configured for the profile and reported by the IPS device (for example, /path/to/resource/resource.txt).
vlanTag integer 5 VLAN ID.