Standardized variable names
The Logmanager system uses standardized variable names to store data. The table below lists the basic set of variables that occur in the system. For each variable, an example, data type, limit and description are given.
The vendor's predefined parsers apply this set of variables to the input data.
When creating your own parsing rules, we recommend using this standardized list when defining new variables.
Standardized variable names:
Variable name | Example | Type | Limit | Description |
---|---|---|---|---|
status | success | string | 100 | Field contains information about the outcome of an event: not allowed, success, failed. All field values should be stored in lowercase. Also used for web server status codes (200, 400 etc.). |
status_code | 500 | int | 100 | Status codes (404, 500). |
systemtime | 2016-07-14T08:27:56.299152500Z | timestamp | | System time of the application / device that sends the event. |
protocol | TCP | string | 10 | Communication protocol (TCP, UDP etc.; should be translated using lookup tables). |
service | HTTP | string | 30 | Application-level protocol (HTTP, HTTPS, IMAP, SSH etc.). |
src_ip | 1.1.1.1 | IP | | Source IP of network communication, source IP of the client in application logs etc. If possible, use also for fields with names such as client_ip. |
dst_ip | 2.2.2.2 | IP | | Destination IP of network communication. If possible, use also for fields with names such as server_ip. |
src_port | 80 | int | 0 - 65535 | Source port of network communication. |
dst_port | 80 | int | 0 - 65535 | Destination port of network communication (web server port etc.). |
src_mac | 44-45-53-54-4f-54 | MAC | | Source MAC address. |
dst_mac | 44-45-53-54-4f-54 | MAC | | Destination MAC address. |
transposition_disposition | SNAT | string | 100 | Type of NAT (SNAT, DNAT, proxy etc.). |
transposition_src_ip | 1.1.1.1 | IP | | Source IP of the transposition (firewall source IP, or the original IP in a proxied request to a web application). |
transposition_src_port | 80 | int | 0 - 65535 | Source port of the transposition. |
transposition_dst_ip | 2.2.2.2 | IP | | Destination IP of the transposition. |
transposition_dst_port | 80 | int | 0 - 65535 | Destination port of the transposition. |
direction | inbound | string | 50 | Direction of the event (firewall, application). |
src_iface | ether2 | string | | Source interface / zone name. |
dst_iface | DMZ | string | | Destination interface / zone name. |
sent_byte | 1234 | int | Whole numbers | Number of bytes sent. |
sent_pkt | 1234 | int | Whole numbers | Number of packets sent. |
rcvd_byte | 1234 | int | Whole numbers | Number of bytes received. |
rcvd_pkt | 1234 | int | Whole numbers | Number of packets received. |
total_byte | 1234 | int | Whole numbers | Number of bytes received. |
total_pkt | 1234 | int | Whole numbers | Number of packets received. |
username | john | string | 255 | User name of the user that caused this event. |
username_id | 2312312 | string | 255 | User name of the user that caused this event. |
delay | 120,00 | float | | Delay of the event / session. |
duration | 120,00 | float | | Duration of the event / session in seconds. In future releases of LM there will be an option to recalculate a string to an int. For now, if you retype a string as float and it contains non-numeric characters, the result will be -1 (the original value stays). |
policy_id | 2 | string | | Unique policy ID. |
action | permit | string | | Field contains information about the action taken on the event (firewall permit, deny, timeout etc.). |
event | Wait Timer | string | | Event description. |
device_name | device123.domain.local | string | | Name of the device. |
url_path | domain.com/example | string | | Visited URL. |
url_query | domain.com/example/index.php?method1=1 | string | | Query used to visit the URL. |
referer | domain.com/example | string | | Address the request came from. |
domain | example.com | string | | Domain used for authentication. |
objectname | c:/file.txt | string | | Object name (file names etc.). |
method | GET | string | 10 | Method used (GET, POST in web servers). |
from | user@user.cz | string | 255 | From e-mail address. |
to | user@user.cz user@user2.cz | list | | To e-mail address; this should always be a list of items. |
vlan | Default VLAN | string | 255 | VLAN name. |
vlan_id | 1 | int | 0 - 4096 | VLAN ID number. |
reason | Unable to delete xy | string | 500 | Reason why the event occurred. |
error_code | 124 | string | 100 | Error code of the event. |
length | 150 | string | | |
sn | 1232151-asdas-12 | string | 255 | Serial number of the device or event. |
user_agent | Mozzila 123.41 | string | 500 | User agent that accessed the service. |
limit | 123 | int | | File size limit, request limit, etc. |
size | 5,00 | float | | Size of request, file size, e-mail size. |
threshold | 5,00 | float | | Threshold set in the event. |
spam_score | 12,00 | float | | Spam score. |
process_id | 36542 | int | | ID of the process. |
message_id | 00004ac80280$f1dd2417$085ad4bc$@server.cz | string | | Message ID. |
scan_time | 5,00 | float | | Duration of the scan. |
category | web | string | | Internal application category (frontend, login, logout). |
src_url | startup.cfg | string | | Source file name. |
dst_url | backup.cfg | string | | Destination file name. |
user_interface | ssh | string | | User interface (ssh, telnet, serial etc.). |
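As an added example (not Logmanager's own code; its parser rule syntax is not shown on this page), the Python below takes fields extracted from a log line and enforces the table's conventions: the type column, the string length and integer range limits, comma decimals for floats, lowercase status values, and a list for multi-valued fields. The sample line, its regex and the SCHEMA subset are assumptions built for the example.

```python
# Added example (not Logmanager's own code): apply the type/limit column of the table
# above to fields pulled out of a log line, so custom parsing rules emit clean values.
import ipaddress
import re
# (type, limit) per standardized field, from the table: max string length,
# an (lo, hi) range for ints (hi=None means unbounded), or None.
SCHEMA = {
    "status": ("string", 100), "protocol": ("string", 10), "service": ("string", 30),
    "src_ip": ("ip", None), "dst_ip": ("ip", None), "action": ("string", None),
    "src_port": ("int", (0, 65535)), "dst_port": ("int", (0, 65535)),
    "sent_byte": ("int", (0, None)), "rcvd_byte": ("int", (0, None)),
    "duration": ("float", None), "vlan_id": ("int", (0, 4096)), "to": ("list", None),
}

def normalize(fields):
    """Return only the fields that satisfy the schema; invalid values are dropped."""
    out = {}
    for name, raw in fields.items():
        kind, limit = SCHEMA.get(name, ("string", None))
        try:
            if kind == "int":
                value, (lo, hi) = int(raw), limit
                if value < lo or (hi is not None and value > hi):
                    continue
            elif kind == "float":
                # the table shows comma decimals (120,00); accept both separators
                value = float(str(raw).replace(",", "."))
            elif kind == "ip":
                value = str(ipaddress.ip_address(raw))  # rejects malformed addresses
            elif kind == "list":
                value = raw if isinstance(raw, list) else str(raw).split()
            else:
                value = str(raw).lower() if name == "status" else str(raw)
                if limit is not None:
                    value = value[:limit]  # enforce the string length limit
        except ValueError:
            continue
        out[name] = value
    return out

# Constructed firewall-style line and regex (assumptions, not a real device format).
SAMPLE = "fw1 action=permit proto=TCP src=10.0.0.5:51514 dst=203.0.113.7:443 dur=12,50 vlan=1"
LINE_RE = re.compile(
    r"action=(?P<action>\S+) proto=(?P<protocol>\S+) src=(?P<src_ip>[^:\s]+):(?P<src_port>\d+) "
    r"dst=(?P<dst_ip>[^:\s]+):(?P<dst_port>\d+) dur=(?P<duration>\S+) vlan=(?P<vlan_id>\d+)")

def parse_line(line):
    # Map one log line onto standardized names, then normalize it.
    m = LINE_RE.search(line)
    return normalize(m.groupdict()) if m else {}
```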