Supported CEF Meta Keys

This topic describes the Common Event Format (CEF) meta keys that NetWitness global audit logging supports.

Global audit logging templates that you define for a Log Decoder use Common Event Format (CEF) and must meet the following specific standard requirements:

  • Include the CEF headers in the template.
  • Use only the extensions and custom extensions in a (Key=Value) format from the meta key table below.
  • Ensure that the extensions and custom extensions are in the key=%{string}<space>key=%{string} format.

For third-party syslog servers, you can define your own format (CEF or non-CEF).

Procedures related to this table are described in Define a Template for Global Audit Logging and Configure Global Audit Logging.

Supported Common Event Format (CEF) Meta Keys

The following table describes the CEF Syslog meta keys that NetWitness global audit logging supports. The Datetime and Hostname fields in the Syslog Prefix are not configurable and not included in the template, but they are prepended to every log message by default. The CEF Header is required to conform to the CEF standard and for any CEF parser. The Extensions and Custom Extensions are optional. The Default Audit CEF Template contains many of the fields in this table. You can add any of the Extensions and Custom Extensions listed to the global audit logging template that you define.

CEF Field String Description NW Meta Keys

Index in
Log Decoder

Syslog Prefix
Datetime Not Configurable Syslog Header date time event.time.str Transient
Hostname Not Configurable Syslog Header hostname None
CEF Header The CEF Header fields are required to conform to the CEF standard and for any CEF parser.
CEF:Version CEF:0 CEF Header --STATIC-- N/A
DeviceVendor %{deviceVendor} The product vendor, NetWitness - N/A
DeviceProduct %{deviceProduct} The product family. This is always NetWitness Audit. product Transient
DeviceVersion %{deviceVersion} Host/Service version version Transient
Signature ID %{category} Identifier of the audit event. It specifies the the category of the audit event. event.type None
Name %{operation} Description of the event event.desc None
Severity %{severity} Severity of the audit event severity Transient
deviceExternalId %{deviceExternalId} Unique ID of the host or service generating the audit event Transient
deviceFacility %{deviceFacility} Syslog facility used when writing the event to syslog daemon. For example, authpriv. cs.devfacility Custom
deviceProcessName %{deviceProcessName} Name of the executable corresponding to dvcpid process None
dpt %{destinationPort} Destination Port ip.dstport None
dst %{destinationAddress} Destination IP Address ip.dst None
dvcpid %{deviceProcessId} ID of the process generating the event, which is the process ID of the NetWitness service Transient
msg %{text} Free text, extra information, or actual description for the event msg Transient
outcome %{outcome} Outcome of the operation performed corresponding to the audit event result Transient
tpt %{transportProtocol} Network protocol used protocol Transient
userAgent %{userAgent} Browser detail of the user accessing the page user.agent Transient
rt %{timestamp} Time at which the event is reported event.time None
sourceServiceName %{deviceService} The service that is responsible for generating this event Transient
spt %{sourcePort} Source Port ip.srcport Transient
userRole %{userRole} User role permissions assignment. For example:
admin.owner, appliance.manage,
connections.manage, everyone, logs.manage, services.manage,
sys.manage, users.manage
user.role Transient
src %{sourceAddress} Source IP Address ip.src None
suser %{identity} Identity of the logged on user responsible for generating the audit event user.dst None
Custom Extensions
params %{parameters} API and Operation parameters, which capture specific parameters about a query index
paramKey %{key} A configuration item key. It is the config param for which the audit event is captured.

For example: /sys/config/stat.interval None
paramValue %{value} A configuration value. It is the value captured during the update. no meta key Custom
userGroup %{userGroup} Role assignment. For example:
Administrators, Analysts, MalwareAnalysts,
Malware_Analysts, Operators,
group None
referrerURL %{referrer} The parent URL that refers to the current URL referer None
sessionId %{sessionId} Session or connection identifier Transient
remoteAddress %{remoteAddress} Ip address of the destination ip.src None
reasonForFailure %{reasonForFailure} reason for failure for the certain action performed result None
reason %{reason} Reason for certain action performed result None
addRole %{Add.Role} User role Assignment user.role Transient
id %{id} Incident id or host id no meta key Transient
arguments %{arguments} Value passes between programs or functions index Transient
uri %{uri} Directory directory None
user %{User} Name of the user from the source or destination user.dst None
accountProvider %{AccountProvider} Authentication account for the user. For example, PAM, and PKI. index Transient
file %{file} Name of the content file used for deployment filename File
deviceIDs %{deviceIDs} Device id for the particular service Transient
role %{Role} User role assignment user.role Transient
account %{Account} user account user.dst None
addPermission %{Add.Permission} User role permission assignment permissions Transient
key %{Key} Name of a configuration/rule None
value %{Value} Value of a configuration change. For example, "Value":"HR12". In this example, hours format is changed to 12 hours. no meta key Custom
alert %(alert} Id of the alert, For example, id:5ce457afec6c0f02ffb85ace alert Transient
moduleSettings %{ModuleSettings} Message or name of a setting index Transient
incident %{incident} Id of the incident. For example, INC-313 context None
action %{action} Action performed by the user. For example, service.stop action None
notificationBinding %{NotificationBinding} Type of notification. For example, incident created, alert, incident removed index Transient
name %{name} name of a configuration or rule alert Transient
enabled %{enabled} Enable the rule no meta key Custom
disabled %{disabled} Disable the rule no meta key Custom

Note: Use all of the extensions in the following format:
deviceProcessName=%{deviceProcessName} outcome=%{outcome}
Include a <space> between a value and a tagname.

By default, all meta keys are not indexed. In the above table, the Index in Log Decoder column shows the state of the flags keyword (Transient, None, and Custom). If a key is set to Transient, it is parsed but not stored in the database. If it is set to None, it is indexed and stored in the database. A key listed as "Custom" does not exist in the table-map.xml file and, therefore, it is not stored or parsed at all.

For more information, see the following documentation:

  • The "Maintain the Table Map Files" section in the "Hosts and Services Procedures" topic in the Hosts and Services Getting Started Guide provides instructions for verifying and updating the table mappings.
  • The "Edit a Service Index File" section in the "Hosts and Services Procedures" topic in the Hosts and Services Getting Started Guide provides information on updating the custom index file on the Concentrator.