Supported Global Audit Logging Meta Key Variables

This topic describes the meta key variables that NetWitness global audit logging supports.

NetWitness provides predefined global audit logging templates that you can use for your global audit logging configurations. For third-party syslog servers, you can define your own template format (CEF or non-CEF) using supported meta key variables.

Procedures related to this table are described in Define a Template for Global Audit Logging and Configure Global Audit Logging.

Supported Global Audit Logging Meta Key Variables

The following table describes the meta key variables that NetWitness global audit logging supports. Use these values to create a custom audit logging template for a third-party syslog server.

Variable Description
%{category} Identifier of the audit event. It specifies the the category of the audit event.
%{destinationAddress} Destination IP Address
%{destinationPort} Destination Port
%{deviceExternalId} Unique ID of the service generating the audit event
%{deviceFacility} Syslog facility used when writing the event to syslog daemon. For example, authpriv.
%{deviceProcessId} ID of the process generating the event, which is the process ID of the NetWitness service
%{deviceProcessName} Name of the executable corresponding to dvcpid
%{deviceProduct} The product family. This is always NetWitness Audit.
%{deviceService} Service responsible for generating the event
%{deviceVendor} The product vendor, RSA
%{deviceVersion} Host/Service version
%{identity} Identity of the logged on user responsible for generating the audit event
%{key} A configuration item key. It is the config param for which the audit event is captured.
%{operation} Description of the event
%{outcome} Outcome of the operation performed corresponding to the audit event
%{parameters} API and Operation parameters, which capture specific parameters about a query
%{referrerUrl} The parent URL that refers to the current URL
%{sessionId} Session or connection identifier
%{severity} Severity of the audit event
%{sourceAddress} Source IP Address
%{sourcePort} Source Port
%{sourceService} The service that is responsible for generating this event
%{text} Free text, extra information, or actual description for the event
%{timestamp} Time at which the event is reported
%{transportProtocol} Network protocol used
%{userAgent} Browser detail of the user accessing the page
%{userGroup} Role assignment
%{userRole} User role permissions assignment
%{value} A configuration value. It is the value captured during the update