Standardized variable names
The Logmanager system uses standardized variable names to store data. The basic set of variables that occur in the system is listed in the following table. Every variable has its own example, data type, field limit and description.
This set of variables is used by the manufacturer's predefined parsers on the input data.
When creating your own parsing rules, we recommend using this standardized list when creating new variables.
Standardized variable names:
Field name | Example | Type | Field limit | Description
---|---|---|---|---
status | success | string | 100 | Contains the outcome of the event (not allowed, success, failed); all values should be stored in lowercase. Also used for web server status codes (200, 400 etc.).
status_code | 500 | int | 100 | Status codes (404, 500).
systemtime | 2016-07-14T08:27:56.299152500Z | timestamp | | System time of the application / device that sent the event.
protocol | TCP | string | 10 | Communication protocol (TCP, UDP etc.; should be translated using lookup tables).
service | HTTP | string | 30 | Application-level protocol (HTTP, HTTPS, IMAP, SSH etc.).
src_ip | 1.1.1.1 | IP | | Source IP of network communication, source IP of the client in application logs etc. If possible, use also for fields named client_ip etc.
dst_ip | 2.2.2.2 | IP | | Destination IP of network communication. If possible, use also for fields named server_ip etc.
src_port | 80 | int | 0 - 65535 | Source port of network communication.
dst_port | 80 | int | 0 - 65535 | Destination port of network communication (webserver port etc.).
src_mac | 44-45-53-54-4f-54 | MAC | | Source MAC address.
dst_mac | 44-45-53-54-4f-54 | MAC | | Destination MAC address.
transposition_disposition | SNAT | string | 100 | Type of NAT (SNAT, DNAT, proxy etc.).
transposition_src_ip | 1.1.1.1 | IP | | Source IP of the transposition (firewall source IP, or the original IP in a proxied request to a web application).
transposition_src_port | 80 | int | 0 - 65535 | Source port of the transposition.
transposition_dst_ip | 2.2.2.2 | IP | | Destination IP of the transposition.
transposition_dst_port | 80 | int | 0 - 65535 | Destination port of the transposition.
direction | inbound | string | 50 | Direction of the event (firewall, application).
src_iface | ether2 | string | | Source interface / zone name.
dst_iface | DMZ | string | | Destination interface / zone name.
sent_byte | 1234 | int | Whole numbers | Number of bytes sent.
sent_pkt | 1234 | int | Whole numbers | Number of packets sent.
rcvd_byte | 1234 | int | Whole numbers | Number of bytes received.
rcvd_pkt | 1234 | int | Whole numbers | Number of packets received.
total_byte | 1234 | int | Whole numbers | Number of bytes received.
total_pkt | 1234 | int | Whole numbers | Number of packets received.
username | john | string | 255 | User name of the user that caused this event.
username_id | 2312312 | string | 255 | User name of the user that caused this event.
delay | 120,00 | float | | Delay of the event / session.
duration | 120,00 | float | | Duration of the event / session in seconds. In future releases of LM there will be an option to recalculate a string to int. For now, if you retype a string as float and it contains characters, the result will be -1 (the original value will stay).
policy_id | 2 | string | | Unique policy ID.
action | permit | string | | Contains the action taken on the event (firewall permit, deny, timeout etc.).
event | Wait Timer | string | | Event description.
device_name | device123.domain.local | string | | Name of the device.
url_path | domain.com/example | string | | Visited URL.
url_query | domain.com/example/index.php?method1=1 | string | | Query used to visit the URL.
referer | domain.com/example | string | | Address the request came from.
domain | example.com | string | | Domain used for authentication.
objectname | c:/file.txt | string | | Object name (file names etc.).
method | GET | string | 10 | Method used to produce the event (GET, POST in webservers).
from | user@user.cz | string | 255 | From email.
to | user@user.cz user@user2.cz | list | | To email; this should always be a list of items.
vlan | Default VLAN | string | 255 | VLAN name.
vlan_id | 1 | int | 0 - 4096 | VLAN ID number.
reason | Unable to delete xy | string | 500 | Reason why the event occurred.
error_code | 124 | string | 100 | Error code of the event.
length | 150 | string | |
sn | 1232151-asdas-12 | string | 255 | Serial number of the device or event.
user_agent | Mozzila 123.41 | string | 500 | User agent (with version) that accessed the service.
limit | 123 | int | | File size limit, request limit, etc.
size | 5,00 | float | | Size of request, file size, email size.
threshold | 5,00 | float | | Threshold set in the event.
spam_score | 12,00 | float | | Spam score.
process_id | 36542 | int | | ID of the process.
message_id | 00004ac80280$f1dd2417$085ad4bc$@server.cz | string | | Message ID.
scan_time | 5,00 | float | | Duration of the scan.
category | web | string | | Internal application category (frontend, login, logout).
src_url | startup.cfg | string | | Source file name.
dst_url | backup.cfg | string | | Destination file name.
user_interface | ssh | string | | User interface (ssh, telnet, serial etc.).
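The table above defines names, types and limits, but a custom parsing rule only benefits from them if the values it emits actually conform (ports inside 0 - 65535, status in lowercase, `to` as a list, comma-decimal floats retyped, protocol numbers translated through a lookup). The following is an added example, not Logmanager code or one of its predefined parsers: it maps a constructed key=value firewall line onto the standardized names and checks each value against the table's type and limit columns. The vendor field names (`src`, `spt`, `act`, ...), the `FIELD_MAP`, the `PROTOCOL_LOOKUP` contents and all function names are assumptions of this example.

```python
import ipaddress
import re

# Added example, not Logmanager code: normalise a constructed log line into
# the standardized variable names and validate against the table's limits.

PORT_FIELDS = {"src_port", "dst_port", "transposition_src_port", "transposition_dst_port"}
IP_FIELDS = {"src_ip", "dst_ip", "transposition_src_ip", "transposition_dst_ip"}
FLOAT_FIELDS = {"delay", "duration", "size", "threshold", "spam_score", "scan_time"}
COUNT_FIELDS = {"sent_byte", "sent_pkt", "rcvd_byte", "rcvd_pkt", "total_byte", "total_pkt"}

# Integer ranges from the "Field limit" column; None = no upper bound ("Whole numbers").
INT_RANGES = {f: (0, 65535) for f in PORT_FIELDS}
INT_RANGES["vlan_id"] = (0, 4096)
INT_RANGES.update({f: (0, None) for f in COUNT_FIELDS})

# Maximum string lengths from the "Field limit" column.
STRING_LIMITS = {
    "status": 100, "protocol": 10, "service": 30, "transposition_disposition": 100,
    "direction": 50, "username": 255, "username_id": 255, "method": 10, "from": 255,
    "vlan": 255, "reason": 500, "error_code": 100, "sn": 255, "user_agent": 500,
}

# "protocol ... should be translated using lookup tables": IANA number -> name.
PROTOCOL_LOOKUP = {"1": "ICMP", "6": "TCP", "17": "UDP"}

# Assumed vendor key -> standardized field name (the vendor keys are constructed).
FIELD_MAP = {"src": "src_ip", "spt": "src_port", "dst": "dst_ip", "dpt": "dst_port",
             "proto": "protocol", "act": "action", "user": "username", "dur": "duration"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def retype_float(value):
    """Retype a comma-decimal string such as '120,00' to float.
    Returns -1.0 when the string contains other characters, mirroring the
    behaviour the duration row describes (the caller keeps the original)."""
    try:
        return float(str(value).strip().replace(",", "."))
    except ValueError:
        return -1.0


def normalize(raw):
    """Map vendor fields to standardized names and coerce/validate the values.
    Returns (event, problems); a value that fails a check is stored unchanged
    and the violation is reported so the rule author can see it."""
    event, problems = {}, []
    for key, value in raw.items():
        name = FIELD_MAP.get(key, key)
        if name == "status":
            value = value.lower()                     # status values are stored lowercase
        elif name == "protocol":
            value = PROTOCOL_LOOKUP.get(value, value)  # translate numeric protocol via lookup
        elif name in IP_FIELDS:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"{name}: not an IP address: {value!r}")
        elif name in INT_RANGES:
            lo, hi = INT_RANGES[name]
            try:
                value = int(value)
            except ValueError:
                problems.append(f"{name}: not an int: {value!r}")
            else:
                if value < lo or (hi is not None and value > hi):
                    problems.append(f"{name}: {value} outside {lo}-{hi}")
        elif name in FLOAT_FIELDS:
            value = retype_float(value)
            if value == -1.0:                          # -1 is the retype-failure marker
                problems.append(f"{name}: could not retype {raw[key]!r} to float")
        elif name == "to" and not isinstance(value, list):
            value = value.split()                      # "to" must always be a list
        if name in STRING_LIMITS and isinstance(value, str) and len(value) > STRING_LIMITS[name]:
            problems.append(f"{name}: {len(value)} chars exceeds limit {STRING_LIMITS[name]}")
        event[name] = value
    return event, problems


def parse_line(line):
    """Parse a key=value line (constructed format) into a standardized event."""
    return normalize(dict(KV_RE.findall(line)))


# Constructed sample line; not a real vendor format. vlan_id is deliberately out of range.
SAMPLE = ("src=10.0.0.5 spt=51234 dst=10.0.0.80 dpt=443 proto=6 act=permit "
          "user=john dur=120,00 status=Success vlan_id=4097")

if __name__ == "__main__":
    event, problems = parse_line(SAMPLE)
    print(event)
    print(problems)
```

Running the block on the constructed line yields `protocol` translated to `TCP`, `status` lowercased, `duration` retyped to `120.0`, and a single reported problem for `vlan_id` exceeding 4096; the offending value is kept as-is so nothing is silently dropped from the event.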