Supported CEF Meta Keys
This topic describes the Common Event Format (CEF) meta keys that NetWitness global audit logging supports.
Global audit logging templates that you define for a Log Decoder use Common Event Format (CEF) and must meet the following specific standard requirements:
- Include the CEF headers in the template.
- Use only the extensions and custom extensions in a (Key=Value) format from the meta key table below.
- Ensure that the extensions and custom extensions are in the key=%{string}<space>key=%{string} format.
For third-party syslog servers, you can define your own format (CEF or non-CEF).
Procedures related to this table are described in Define a Template for Global Audit Logging and Configure Global Audit Logging.
Supported Common Event Format (CEF) Meta Keys
The following table describes the CEF Syslog meta keys that NetWitness global audit logging supports. The Datetime and Hostname fields in the Syslog Prefix are not configurable and not included in the template, but they are prepended to every log message by default. The CEF Header is required to conform to the CEF standard and for any CEF parser. The Extensions and Custom Extensions are optional. The Default Audit CEF Template contains many of the fields in this table. You can add any of the Extensions and Custom Extensions listed to the global audit logging template that you define.
CEF Field | String | Description | NW Meta Keys | Index in Log Decoder |
---|---|---|---|---|
Syslog Prefix | | | | |
Datetime | Not Configurable | Syslog Header date time | event.time.str | Transient |
Hostname | Not Configurable | Syslog Header hostname | alias.host | None |
CEF Header | | The CEF Header fields are required to conform to the CEF standard and for any CEF parser. | | |
CEF:Version | CEF:0 | CEF Header | --STATIC-- | N/A |
DeviceVendor | %{deviceVendor} | The product vendor, NetWitness | - | N/A |
DeviceProduct | %{deviceProduct} | The product family. This is always NetWitness Audit. | product | Transient |
DeviceVersion | %{deviceVersion} | Host/Service version | version | Transient |
Signature ID | %{category} | Identifier of the audit event. It specifies the category of the audit event. | event.type | None |
Name | %{operation} | Description of the event | event.desc | None |
Severity | %{severity} | Severity of the audit event | severity | Transient |
Extensions | | | | |
deviceExternalId | %{deviceExternalId} | Unique ID of the host or service generating the audit event | hardware.id | Transient |
deviceFacility | %{deviceFacility} | Syslog facility used when writing the event to the syslog daemon. For example, authpriv. | cs.devfacility | Custom |
deviceProcessName | %{deviceProcessName} | Name of the executable corresponding to dvcpid | process | None |
dpt | %{destinationPort} | Destination Port | ip.dstport | None |
dst | %{destinationAddress} | Destination IP Address | ip.dst | None |
dvcpid | %{deviceProcessId} | ID of the process generating the event, which is the process ID of the NetWitness service | process.id | Transient |
msg | %{text} | Free text, extra information, or actual description for the event | msg | Transient |
outcome | %{outcome} | Outcome of the operation performed corresponding to the audit event | result | Transient |
tpt | %{transportProtocol} | Network protocol used | protocol | Transient |
userAgent | %{userAgent} | Browser detail of the user accessing the page | user.agent | Transient |
rt | %{timestamp} | Time at which the event is reported | event.time | None |
sourceServiceName | %{deviceService} | The service that is responsible for generating this event | service.name | Transient |
spt | %{sourcePort} | Source Port | ip.srcport | Transient |
userRole | %{userRole} | User role permissions assignment. For example: admin.owner, appliance.manage, connections.manage, everyone, logs.manage, services.manage, storedproc.execute, storedproc.manage, sys.manage, users.manage | user.role | Transient |
src | %{sourceAddress} | Source IP Address | ip.src | None |
suser | %{identity} | Identity of the logged-on user responsible for generating the audit event | user.dst | None |
Custom Extensions | | | | |
params | %{parameters} | API and Operation parameters, which capture specific parameters about a query | index | Transient |
paramKey | %{key} | A configuration item key. It is the config param for which the audit event is captured. For example: /sys/config/stat.interval | obj.name | None |
paramValue | %{value} | A configuration value. It is the value captured during the update. | no meta key | Custom |
userGroup | %{userGroup} | Role assignment. For example: Administrators, Analysts, MalwareAnalysts, Malware_Analysts, Operators, PRIVILEGED_CONNECTION_AUTHORITY, SOC_Managers | group | None |
referrerURL | %{referrer} | The parent URL that refers to the current URL | referer | None |
sessionId | %{sessionId} | Session or connection identifier | log.session.id | Transient |
remoteAddress | %{remoteAddress} | IP address of the destination | ip.src | None |
reasonForFailure | %{reasonForFailure} | Reason for failure of the action performed | result | None |
reason | %{reason} | Reason for the action performed | result | None |
addRole | %{Add.Role} | User role assignment | user.role | Transient |
id | %{id} | Incident id or host id | no meta key | Transient |
arguments | %{arguments} | Value passed between programs or functions | index | Transient |
uri | %{uri} | Directory | directory | None |
user | %{User} | Name of the user from the source or destination | user.dst | None |
accountProvider | %{AccountProvider} | Authentication account provider for the user. For example, PAM and PKI. | index | Transient |
file | %{file} | Name of the content file used for deployment | filename | File |
deviceIDs | %{deviceIDs} | Device id for the particular service | hardware.id | Transient |
role | %{Role} | User role assignment | user.role | Transient |
account | %{Account} | User account | user.dst | None |
addPermission | %{Add.Permission} | User role permission assignment | permissions | Transient |
key | %{Key} | Name of a configuration/rule | obj.name | None |
value | %{Value} | Value of a configuration change. For example, "Value":"HR12". In this example, the hours format is changed to 12 hours. | no meta key | Custom |
alert | %{alert} | Id of the alert. For example, id:5ce457afec6c0f02ffb85ace | alert | Transient |
moduleSettings | %{ModuleSettings} | Message or name of a setting | index | Transient |
incident | %{incident} | Id of the incident. For example, INC-313 | context | None |
action | %{action} | Action performed by the user. For example, service.stop | action | None |
notificationBinding | %{NotificationBinding} | Type of notification. For example, incident created, alert, incident removed | index | Transient |
name | %{name} | Name of a configuration or rule | alert | Transient |
enabled | %{enabled} | Enable the rule | no meta key | Custom |
disabled | %{disabled} | Disable the rule | no meta key | Custom |
Note: Use all of the extensions in the following format:
deviceProcessName=%{deviceProcessName} outcome=%{outcome}
Include a <space> between a value and the next tag name.
By default, no meta keys are indexed. In the above table, the Index in Log Decoder column shows the state of the flags keyword (Transient, None, or Custom). If a key is set to Transient, it is parsed but not stored in the database. If it is set to None, it is indexed and stored in the database. A key listed as Custom does not exist in the table-map.xml file and is therefore neither parsed nor stored.
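As an added, standalone example (not NetWitness code), the following Python renders an audit template in the key=%{string}<space>key=%{string} form described above, applying CEF escaping to header and extension values, then parses the rendered line back and buckets each extension by its Index in Log Decoder flag so you can see which keys the Log Decoder would actually store. The template, event values and the table subset are constructed here for illustration.

```python
import re

# Subset of the page's table (constructed here): CEF key -> (NW meta key, Index in Log Decoder)
CEF_TO_NW = {
    "rt": ("event.time", "None"),
    "suser": ("user.dst", "None"),
    "src": ("ip.src", "None"),
    "outcome": ("result", "Transient"),
    "userRole": ("user.role", "Transient"),
    "paramValue": ("no meta key", "Custom"),
}

def cef_escape(value, header=False):
    """CEF escaping: backslash first, then '|' in header fields or '=' in
    extension values; CR/LF become the two-character sequences \\r and \\n."""
    s = str(value).replace("\\", "\\\\")
    s = s.replace("|", "\\|") if header else s.replace("=", "\\=")
    return s.replace("\r", "\\r").replace("\n", "\\n")

def render(template, event):
    """Fill %{name} placeholders from an event dict; text before the template's last '|' is the header."""
    header, _, extensions = template.rpartition("|")
    fill = lambda part, hdr: re.sub(
        r"%\{(\w+)\}", lambda m: cef_escape(event.get(m.group(1), ""), hdr), part)
    return fill(header, True) + "|" + fill(extensions, False)

def parse_extensions(message):
    """Return the extension key=value pairs of a rendered CEF line, unescaping
    '\\=' and '\\\\'; the header is split only on unescaped '|'."""
    ext = re.split(r"(?<!\\)\|", message, maxsplit=7)[7]
    pairs = re.findall(r"(\w+)=((?:\\.|[^\\=])*?)(?= \w+=|$)", ext)
    return {k: v.replace("\\=", "=").replace("\\\\", "\\") for k, v in pairs}

def storage_report(message):
    """Bucket each extension by Index flag: None = indexed and stored, Transient = parsed only, Custom = neither."""
    report = {"stored": [], "parsed_only": [], "dropped": []}
    for key in parse_extensions(message):
        meta, flag = CEF_TO_NW.get(key, ("no meta key", "Custom"))
        bucket = {"None": "stored", "Transient": "parsed_only"}.get(flag, "dropped")
        report[bucket].append((key, meta))
    return report

# Constructed sample template (subset of the default template's fields) and event values
TEMPLATE = ("CEF:0|%{deviceVendor}|%{deviceProduct}|%{deviceVersion}|%{category}|"
            "%{operation}|%{severity}|rt=%{timestamp} suser=%{identity} src=%{sourceAddress} "
            "outcome=%{outcome} userRole=%{userRole} paramValue=%{value}")
EVENT = {"deviceVendor": "NetWitness", "deviceProduct": "NetWitness Audit",
         "deviceVersion": "1.0|beta", "category": "CONFIG_CHANGE", "operation": "Update config",
         "severity": 5, "timestamp": "Jun 12 2024 10:00:00", "identity": "admin",
         "sourceAddress": "10.0.0.5", "outcome": "success", "userRole": "admin.owner", "value": "a=b"}
```

Call `storage_report(render(TEMPLATE, EVENT))` to see that suser, src and rt land in the stored bucket while paramValue is dropped, which is why a value you need to search on must map to a key whose Index flag is None.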
For more information, see the following documentation:
- The "Maintain the Table Map Files" section in the "Hosts and Services Procedures" topic in the Hosts and Services Getting Started Guide provides instructions for verifying and updating the table mappings.
- The "Edit a Service Index File" section in the "Hosts and Services Procedures" topic in the Hosts and Services Getting Started Guide provides information on updating the custom index file on the Concentrator.