
Cognito Detect Syslog Guide


Overview

The Vectra® AI X-series platform can be configured to send various event logs as Syslog messages for storage and analysis. Syslog messages carry the information displayed in the X-series user interface, although in some cases the user interface shows derived values rather than the raw fields carried in the message.
*Please see the attached guide for information on the Enhanced Details for detections introduced in release 5.9.

Configuration Steps

A maximum of three Syslog destinations can be configured from the Cognito Detect web UI. The steps are:

  1. Log in to the Cognito Detect web UI with an admin account.
  2. Go to Settings » Notification and scroll to the Syslog section.
  3. Click "✎ Edit" to add or edit Syslog destinations. The fields are:
    • DESTINATION: The IP address or FQDN of the remote Syslog server.
    • PORT: The port number on which the receiving Syslog server is listening.
    • PROTOCOL: The transport used to reach the Syslog server. Select one from the drop-down:
      UDP #Stateless; no delivery guarantee and no transport encryption
      TCP #Stateful; reliable delivery, but the stream is cleartext
      SSL #Secure; TCP wrapped in TLS, the right choice when messages (which carry hostnames, account names and Brain URLs) cross an untrusted network
    • FORMAT: The format in which Syslog messages are sent to the remote Syslog server. Select one from the drop-down:
      Standard
      CEF #HP ArcSight CEF (Common Event Format)
      JSON #JavaScript Object Notation
    • LOG TYPES: The types of logs to send to the remote Syslog server. Select one or more of the following:
      Host Scoring
      Account Scoring
      Host Detection
      Account Detection
      Account Lockdown
      Campaigns
      Audit
      Health
  4. When the configuration is complete, click Save.
  5. Click "➤ Test" to verify the Syslog configuration. On success, a confirmation message appears at the top of the web page for a few seconds. Confirm on the receiving side as well; with UDP in particular, the sender has no way of knowing whether anything arrived.

 

LOG TYPES:


Host Scoring

Host scoring messages are generated when a host score is changed, which occurs upon initial threat detection, the discovery of additional detections, and updates to any discovered detections. A host scoring message contains information on whether the host is marked as a key asset or has a detection that targets a key asset. The host score is also reduced over time if the underlying detection behavior subsides, either because of user intervention or because the host has left the network.

Standard

HOST [host@41261 category="$category" hostName="$host_name" currentIP="$host_ip" dvchost="$dvchost" threat="$threat" certainty="$certainty" URL="$href" UTCTime="$UTCTimeEnd" sourceKeyAsset="$src_key_asset" destKeyAsset="$dst_key_asset"]		

CEF

CEF:0|Vectra |X Series|$version|hsc|Host Score Change|3|externalId=$host_id cat=$category dvc=$headend_addr dvchost=$dvchost shost=$host_name src=$host_ip dst=$host_ip flexNumber1Label=threat flexNumber1=$threat flexNumber2Label=certainty flexNumber2=$certainty cs4Label=Vectra Event URL cs4=$href start=$UTCTimeStartCEF end=$UTCTimeEndCEF cs1Label=sourceKeyAsset cs1=$src_key_asset cs2Label=destKeyAsset cs2=$dst_key_asset		

JSON

{"version": "$version", "dvchost": "$dvchost", "host_ip": "$host_ip", "href": "$href", "src_key_asset": $src_key_asset, "host_id": $host_id, "headend_addr": "$headend_addr", "category": "$category", "dst_key_asset": $dst_key_asset, "certainty": $certainty, "vectra_timestamp": "$timestamp", "host_name": "$host_name", "threat": $threat}			

Detail:

Key Type Description
$category str Always the string 'HOST SCORING'. Used internally to differentiate between account, host and detection messages.
$certainty int The certainty of the score assigned to this host.
$dst_key_asset bool Whether there is a detection that is targeting this host and this host is a key asset
$dvchost str The hostname of the Cognito Brain
$headend_addr str The IP of the Cognito Brain
$host_id int The ID of the host
$host_ip str The IP of the host being scored
$host_name str The name of the host being scored
$href str A link to see this host in the UI
$src_key_asset bool Whether the host being scored is marked as a key asset
$threat int Newly calculated host threat
$timestamp int Timestamp in seconds since epoch
$version str The version of the Vectra platform running the Cognito Brain
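The Standard format is a keyword followed by a single RFC 5424-style structured-data element, so one parser serves every Standard message on this page (HOST, ACCOUNT, DETECT, LOCKDOWN, CAMPAIGN, AUDIT and HEALTH; the last two carry no SD-ID, which the parser allows for). The Python below is an added example, not Vectra code: it extracts the keyword, the SD-ID and the key="value" pairs, undoes the RFC 5424 escapes (\" \\ \]), recovers integer and boolean values by key name rather than by guessing from the value (so a host named "1234" stays a string; the True/False rendering of booleans is an assumption), and then applies a key-asset check to HOST scoring messages. The sample messages, hostnames, IPs and URLs are constructed.

```python
import re

# Message keywords used by the Standard format on this page.
STANDARD_KINDS = ("HOST", "ACCOUNT", "DETECT", "LOCKDOWN", "CAMPAIGN", "AUDIT", "HEALTH")

# KIND [sd-id@enterprise key="value" ...]. The SD-ID is absent on AUDIT and HEALTH,
# so it is optional; an optional syslog header may precede the keyword.
_MSG_RE = re.compile(
    r"(?:^|\s)(?P<kind>" + "|".join(STANDARD_KINDS) + r")\s+\["
    r"(?:(?P<sdid>[A-Za-z0-9_.-]+@\d+)\s+)?"
    r"(?P<params>.*)\]\s*$"
)
# name="value" where the value may contain the RFC 5424 escapes \" \\ \]
_PARAM_RE = re.compile(r'(?P<name>[A-Za-z0-9_]+)="(?P<value>(?:[^"\\]|\\.)*)"')

# Keys whose values are numeric/boolean per the Detail tables on this page.
INT_KEYS = {"threat", "certainty", "DestinationPort", "BytesSent", "BytesRcvd", "UTCTime",
            "UTCTimeStart", "UTCTimeEnd", "id", "detectionId", "source_id", "destID", "timestamp"}
BOOL_KEYS = {"triaged", "sourceKeyAsset", "destKeyAsset", "success", "outcome"}


def _unescape(value: str) -> str:
    return re.sub(r'\\(["\\\]])', r"\1", value)


def _coerce(name: str, value: str):
    """Recover ints and bools for known keys; everything else stays a string.
    Assumption: booleans are rendered as True/False. 'pending' outcomes stay strings."""
    if name in INT_KEYS and re.fullmatch(r"-?\d+", value):
        return int(value)
    if name in BOOL_KEYS and value.lower() in ("true", "false"):
        return value.lower() == "true"
    return value


def parse_standard(line: str) -> dict:
    """Return {'kind', 'sd_id', 'fields'} for one Standard-format message."""
    m = _MSG_RE.search(line)
    if not m:
        raise ValueError("not a Vectra Standard-format message: %r" % line[:60])
    fields = {p.group("name"): _coerce(p.group("name"), _unescape(p.group("value")))
              for p in _PARAM_RE.finditer(m.group("params"))}
    return {"kind": m.group("kind"), "sd_id": m.group("sdid"), "fields": fields}


def key_asset_hosts(lines, min_threat=50):
    """HOST scoring messages where the host is a key asset, or is targeted by a
    detection against a key asset, and the new threat score is >= min_threat."""
    hits = []
    for line in lines:
        try:
            msg = parse_standard(line)
        except ValueError:
            continue
        if msg["kind"] != "HOST":
            continue
        f = msg["fields"]
        if (f.get("sourceKeyAsset") or f.get("destKeyAsset")) and f.get("threat", 0) >= min_threat:
            hits.append(f["hostName"])
    return hits


# Constructed sample messages (not captured from a real Brain).
SAMPLE_HOST = (
    'HOST [host@41261 category="HOST SCORING" hostName="ws-1234" currentIP="10.1.2.3" '
    'dvchost="brain01" threat="45" certainty="70" URL="https://brain01/hosts/1234" '
    'UTCTime="1550014653" sourceKeyAsset="False" destKeyAsset="True"]'
)
SAMPLE_DETECT = (  # with a syslog header in front and an escaped quote in the hostname
    '<13>Feb 12 22:57:33 brain01 DETECT [detection@41261 category="EXFILTRATION" '
    'type="Smash and Grab" hostname="fin-\\"lab\\"-7" currentIP="10.1.2.3" dvchost="brain01" '
    'threat="60" certainty="80" URL="https://brain01/detections/987" DestinationIP="203.0.113.9" '
    'DestinationDomain="files.example.net" DestinationPort="443" Proto="tcp" triaged="False" '
    'BytesSent="5242880" BytesRcvd="2048" UTCTimeStart="1550014653" UTCTimeEnd="1550018253"]'
)
SAMPLE_AUDIT = (  # no SD-ID on AUDIT messages
    'AUDIT [dvc="10.0.0.5" dvchost="brain01" version="5.9" user="alice" role="admin" '
    'source="198.51.100.7" type="user_action" outcome="True" message="Triage filter created"]'
)

if __name__ == "__main__":
    for sample in (SAMPLE_HOST, SAMPLE_DETECT, SAMPLE_AUDIT):
        print(parse_standard(sample))
    print(key_asset_hosts([SAMPLE_HOST, SAMPLE_DETECT, SAMPLE_AUDIT], min_threat=40))
```

Note that parameter names are not uniform across message types (hostName on HOST, hostname on DETECT); the parser keeps them as sent, so normalisation belongs in the consumer.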

 

Account Scoring

Account scoring messages are generated when an account score is changed, which occurs upon initial threat detection, the discovery of additional detections, and updates to any discovered detections. The account score is reduced over time if the underlying detection behavior subsides, either because of user intervention or because the account has left the network.

Standard

ACCOUNT [account@41261 category="$category" threat="$threat" certainty="$certainty" URL="$href" UTCTime="$UTCTimeEnd"]			

CEF

CEF:0|Vectra |X Series|$version|asc|Account Score Change|3|externalId=$account_id cat=$category dvc=$headend_addr flexNumber1Label=threat flexNumber1=$threat flexNumber2Label=certainty flexNumber2=$certainty cs1Label=Vectra Event URL cs1=$href start=$UTCTimeStartCEF end=$UTCTimeEndCEF			

JSON

{"category": "$category", "account_id": $account_id, "href": "$href", "certainty": $certainty, "version": "$version", "vectra_timestamp": "$timestamp", "headend_addr": "$headend_addr", "threat": $threat, "account_uid": "$account_uid"}			

Detail:

Key  Type  Description
$account_id  int  The ID of the account
$account_uid  str  The user ID of the account
$category  str  Always the string 'ACCOUNT SCORING'. Used internally to differentiate between account, host and detection messages.
$certainty  int  The certainty of the score assigned to this account
$headend_addr  str  The IP of the Cognito Brain
$href  str  A link to see this account in the UI
$threat  int  Newly calculated account threat
$timestamp  int  Timestamp in seconds since epoch
$version  str  The version of the Vectra platform running the Cognito Brain

 

Host Detection

Standard

DETECT [detection@41261 category="$category" type="$d_type_vname" hostname="$host_name" currentIP="$host_ip" dvchost="$dvchost" threat="$threat" certainty="$certainty" URL="$href" DestinationIP="$dd_dst_ip" DestinationDomain="$dd_dst_dns" DestinationPort="$dd_dst_port" Proto="$dd_proto" triaged="$triaged" BytesSent="$dd_bytes_sent" BytesRcvd="$dd_bytes_rcvd" UTCTimeStart="$UTCTimeStart" UTCTimeEnd="$UTCTimeEnd"]

CEF

CEF:0|Vectra |X Series|$version|$d_type|$d_type_vname|$severity|externalId=$detection_id cat=$category dvc=$headend_addr dvchost=$dvchost shost=$host_name src=$host_ip flexNumber1Label=threat flexNumber1=$threat flexNumber2Label=certainty flexNumber2=$certainty cs4Label=Vectra Event URL cs4=$href cs5Label=triaged cs5=$triaged dst=$dd_dst_ip dhost=$dd_dst_dns proto=$dd_proto dpt=$dd_dst_port out=$dd_bytes_sent in=$dd_bytes_rcvd start=$UTCTimeStartCEF end=$UTCTimeEndCEF	

JSON

{"d_type_vname": "$d_type_vname", "dvchost": "$dvchost", "host_ip": "$host_ip", "href": "$href", "detection_id": $detection_id, "dd_bytes_sent": $dd_bytes_sent, "headend_addr": "$headend_addr", "dd_dst_port": $dd_dst_port, "category": "$category", "dd_bytes_rcvd": $dd_bytes_rcvd, "dd_dst_dns": "$dd_dst_dns", "severity": $severity, "certainty": $certainty, "triaged": $triaged, "vectra_timestamp": "$timestamp", "version": "$version", "host_name": "$host_name", "threat": $threat, "dd_dst_ip": "$dd_dst_ip", "dd_proto": "$dd_proto", "d_type": "$d_type"}			

Detail:

Key  Type  Description
$category  str  The category of the detection (e.g., EXFILTRATION)
$certainty  int  The certainty of the detection
$detection_id  int  The ID of the detection
$d_type  str  The Vectra internal representation of the detection name (e.g., smash_n_grab, or sql_injection)
$d_type_vname  str  The name of the detection, which may include the following:
Abnormal Ad Activity
Abnormal Web Activity
Automated Replication
Brute-Force
Cryptocurrency Mining
Data Smuggler
External Remote Access
Fake Browser Activity
File Share Enumeration
Hidden DNS Tunnel
Hidden HTTP Tunnel
Hidden HTTPS Tunnel
Hidden Tunnel
Internal Darknet Scan
Internal Port Scan
Internal Stage Loader
Kerberos Account Scan
Kerberos Brute-Force
Kerberos Client Activity
Kerberos Server Access
Kerberos Server Activity
Malware Update
Multi-home Fronted Tunnel
Outbound DoS
Outbound Port Sweep
Outbound Scan
Outbound Spam
Peer-to-Peer
Port Scan
Port Sweep
Privilege Anomaly: Unusual Account on Host
Privilege Anomaly: Unusual Host
Privilege Anomaly: Unusual Service
Privilege Anomaly: Unusual Service from Host
Privilege Anomaly: Unusual Trio
Protocol Abuse
Pulling Instructions
Push Instructions
RDP Recon
RPC Recon
Ransomware File Activity
SMB Account Scan
SMB Brute-Force
SQL Injection Activity
Shell Knocker Client
Shell Knocker Server
Smash and Grab
Stealth HTTP Post
Suspect Domain Activity
Suspicious Admin
Suspicious HTTP
Suspicious Kerberos Account
Suspicious Kerberos Client
Suspicious LDAP Query
Suspicious Relay
Suspicious Remote Desktop
Suspicious Remote Execution
TOR Activity
Threat Intelligence Match
Custom Model detection names may include the following:
Custom model dcerpc botnet_activity
Custom model dcerpc command_and_control
Custom model dcerpc exfiltration
Custom model dcerpc info
Custom model dcerpc lateral_movement
Custom model dcerpc reconnaissance
Custom model dhcp botnet_activity
Custom model dhcp command_and_control
Custom model dhcp exfiltration
Custom model dhcp info
Custom model dhcp lateral_movement
Custom model dhcp reconnaissance
Custom model dnsrecordinfo botnet_activity
Custom model dnsrecordinfo command_and_control
Custom model dnsrecordinfo exfiltration
Custom model dnsrecordinfo info
Custom model dnsrecordinfo lateral_movement
Custom model dnsrecordinfo reconnaissance
Custom model httpsessioninfo botnet_activity
Custom model httpsessioninfo command_and_control
Custom model httpsessioninfo exfiltration
Custom model httpsessioninfo info
Custom model httpsessioninfo lateral_movement
Custom model httpsessioninfo reconnaissance
Custom model isession botnet_activity
Custom model isession command_and_control
Custom model isession exfiltration
Custom model isession info
Custom model isession lateral_movement
Custom model isession reconnaissance
Custom model kerberos_txn botnet_activity
Custom model kerberos_txn command_and_control
Custom model kerberos_txn exfiltration
Custom model kerberos_txn info
Custom model kerberos_txn lateral_movement
Custom model kerberos_txn reconnaissance
Custom model ldap botnet_activity
Custom model ldap command_and_control
Custom model ldap exfiltration
Custom model ldap info
Custom model ldap lateral_movement
Custom model ldap reconnaissance
Custom model ntlm botnet_activity
Custom model ntlm command_and_control
Custom model ntlm exfiltration
Custom model ntlm info
Custom model ntlm lateral_movement
Custom model ntlm reconnaissance
Custom model rdp botnet_activity
Custom model rdp command_and_control
Custom model rdp exfiltration
Custom model rdp info
Custom model rdp lateral_movement
Custom model rdp reconnaissance
Custom model smbfiles botnet_activity
Custom model smbfiles command_and_control
Custom model smbfiles exfiltration
Custom model smbfiles info
Custom model smbfiles lateral_movement
Custom model smbfiles reconnaissance
Custom model smbmapping botnet_activity
Custom model smbmapping command_and_control
Custom model smbmapping exfiltration
Custom model smbmapping info
Custom model smbmapping lateral_movement
Custom model smbmapping reconnaissance
Custom model ssh botnet_activity
Custom model ssh command_and_control
Custom model ssh exfiltration
Custom model ssh info
Custom model ssh lateral_movement
Custom model ssh reconnaissance
Custom model ssl botnet_activity
Custom model ssl command_and_control
Custom model ssl exfiltration
Custom model ssl info
Custom model ssl lateral_movement
Custom model ssl reconnaissance
Custom model x509 botnet_activity
Custom model x509 command_and_control
Custom model x509 exfiltration
Custom model x509 info
Custom model x509 lateral_movement
Custom model x509 reconnaissance
$dd_bytes_rcvd  int  Meaning differs depending on detection type. Does not apply to all detections. Defaults to 0
$dd_bytes_sent  int  The number of bytes in the traffic that caused the detection. Does not apply to all detections. Defaults to 0
$dd_dst_dns  str  The destination domain name of the detection event
$dd_dst_ip  str  The destination IP address of the detection event
$dd_dst_port  int  The port of the attacked host. Defaults to 80
$dd_proto  str  The protocol over which this detection fired (e.g., tcp). Does not apply to all detections. Defaults to empty string
$dvchost  str  The hostname of the Cognito Brain
$headend_addr  str  The IP of the Cognito Brain
$host_name  str  The hostname of the attacking host
$host_ip  str  The IP of the host that triggered the detection
$href  str  A link to this detection in the UI
$severity  int  A score proportional to threat
$threat  int  The threat score of this detection
$timestamp  int  Timestamp in seconds since epoch
$triaged  bool  Whether the detection has been triaged yet
$UTCTimeEnd  int  Seconds since epoch for the event end
$UTCTimeStart  int  Seconds since epoch for the event start
$version  str  The version of the Vectra platform running the Cognito Brain
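CEF records need two parsing passes: the seven pipe-delimited header fields (where a literal pipe is escaped as \|) and the space-separated key=value extension, whose values may themselves contain spaces (cs4Label=Vectra Event URL) or an escaped "=". Vectra also uses the CEF custom-field convention in which a csN/flexNumberN key is named by its sibling csNLabel/flexNumberNLabel key, so a consumer has to resolve labels before it can read threat or certainty out of a detection. The Python below is an added example, not Vectra's or ArcSight's code; it parses two constructed records (the signature ID custom_ssl_c2 and all hosts, IPs and URLs are made up) and maps the labelled fields back to their names.

```python
import re

_HDR_FIELD_RE = re.compile(r"((?:[^|\\]|\\.)*)\|")      # one header field up to an unescaped pipe
_EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # extension keys follow whitespace
# CEF custom/flex keys whose meaning is given by a sibling "<key>Label" key.
_LABELLED_RE = re.compile(r"^(cs[1-6]|cn[1-3]|flexNumber[12]|flexString[12]|flexDate1)$")
_NUMERIC_LABELLED_RE = re.compile(r"^(cn[1-3]|flexNumber[12])$")


def _unescape_header(s: str) -> str:
    # Header fields escape only | and \ ; Vectra pads the vendor with a space, hence strip().
    return re.sub(r"\\([|\\])", r"\1", s).strip()


def _unescape_ext(s: str) -> str:
    # Extension values escape =, \ and newlines (\n, \r).
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)


def _split_header(line: str):
    """Return the seven header fields and the remaining extension text."""
    fields, pos = [], 0
    for _ in range(7):
        m = _HDR_FIELD_RE.match(line, pos)
        if not m:
            raise ValueError("truncated CEF header")
        fields.append(_unescape_header(m.group(1)))
        pos = m.end()
    return fields, line[pos:]


def _parse_extension(ext: str) -> dict:
    """Split key=value pairs; a value runs until the next ' key=' so it may contain spaces."""
    keys = list(_EXT_KEY_RE.finditer(ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return out


def resolve_labels(ext: dict) -> dict:
    """Map csN/flexNumberN values to the names given by their *Label siblings."""
    named = {}
    for key, value in ext.items():
        if not _LABELLED_RE.match(key):
            continue
        label = ext.get(key + "Label")
        if label is None:
            continue
        if _NUMERIC_LABELLED_RE.match(key) and re.fullmatch(r"-?\d+", value):
            value = int(value)
        named[label] = value
    return named


def parse_cef(line: str) -> dict:
    hdr, ext = _split_header(line.rstrip("\r\n"))
    if not hdr[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    extension = _parse_extension(ext)
    return {"cef_version": int(hdr[0][4:]), "vendor": hdr[1], "product": hdr[2],
            "device_version": hdr[3], "signature_id": hdr[4], "name": hdr[5],
            "severity": int(hdr[6]), "extension": extension, "named": resolve_labels(extension)}


# Constructed samples: a Host Detection record and a custom-model record with escapes.
SAMPLE_CEF = (
    "CEF:0|Vectra |X Series|5.9|smash_n_grab|Smash and Grab|7|externalId=1234 cat=EXFILTRATION "
    "dvc=10.0.0.5 dvchost=brain01 shost=fin-ws-7 src=10.1.2.3 flexNumber1Label=threat flexNumber1=60 "
    "flexNumber2Label=certainty flexNumber2=80 cs4Label=Vectra Event URL cs4=https://brain01/detections/1234 "
    "cs5Label=triaged cs5=False dst=203.0.113.9 dhost=files.example.net proto=tcp dpt=443 "
    "out=5242880 in=2048 start=1550014653000 end=1550018253000"
)
SAMPLE_CEF_ESCAPED = (
    r"CEF:0|Vectra|X Series|5.9|custom_ssl_c2|Custom model ssl command_and_control \| beacon|5|"
    r"externalId=9 cat=COMMAND & CONTROL cs1Label=note cs1=a\=b dst=203.0.113.9"
)

if __name__ == "__main__":
    for sample in (SAMPLE_CEF, SAMPLE_CEF_ESCAPED):
        ev = parse_cef(sample)
        print(ev["signature_id"], ev["severity"], ev["named"])
```

Splitting the extension on every "=" or on every space would break on the cs4Label value above; anchoring keys on the whitespace that precedes them is what makes the two-pass parse hold up.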

 

Account Detection

Standard

DETECT [detection@41261 category="$category" type="$d_type_vname" account="$account" threat="$threat" certainty="$certainty" URL="$href" DestinationIP="$dd_dst_ip" DestinationDomain="$dd_dst_dns" DestinationPort="$dd_dst_port" triaged="$triaged" BytesSent="$dd_bytes_sent" BytesRcvd="$dd_bytes_rcvd" UTCTimeStart="$UTCTimeStart" UTCTimeEnd="$UTCTimeEnd"]			

CEF

CEF:0|Vectra |X Series|$version|$d_type|$d_type_vname|$severity|externalId=$detection_id cat=$category dvc=$headend_addr account=$account flexNumber1Label=threat flexNumber1=$threat flexNumber2Label=certainty flexNumber2=$certainty cs4Label=Vectra Event URL cs4=$href cs5Label=triaged cs5=$triaged dst=$dd_dst_ip dhost=$dd_dst_dns dpt=$dd_dst_port out=$dd_bytes_sent in=$dd_bytes_rcvd start=$UTCTimeStartCEF end=$UTCTimeEndCEF			

JSON

{"d_type_vname": "$d_type_vname", "dvchost": "$dvchost", "href": "$href", "detection_id": $detection_id, "dd_bytes_sent": $dd_bytes_sent, "headend_addr": "$headend_addr", "dd_dst_port": $dd_dst_port, "category": "$category", "dd_bytes_rcvd": $dd_bytes_rcvd, "dd_dst_dns": "$dd_dst_dns", "severity": $severity, "certainty": $certainty, "triaged": $triaged, "vectra_timestamp": "$timestamp", "account_uid": "$account_uid", "version": "$version", "threat": $threat, "dd_dst_ip": "$dd_dst_ip", "d_type": "$d_type"}			

Detail:

Key Type Description
$account_uid  str  The account name
$category  str  The category of the detection (e.g., EXFILTRATION)
$certainty  int  The certainty of the detection
$detection_id  int  The ID of the detection
$d_type  str  The Vectra internal representation of the detection name (e.g., smash_n_grab, or sql_injection)
$d_type_vname  str  The name of the detection, which may include the following:
Abnormal Ad Activity
Abnormal Web Activity
Automated Replication
Brute-Force
Cryptocurrency Mining
Data Smuggler
External Remote Access
Fake Browser Activity
File Share Enumeration
Hidden DNS Tunnel
Hidden HTTP Tunnel
Hidden HTTPS Tunnel
Hidden Tunnel
Internal Darknet Scan
Internal Port Scan
Internal Stage Loader
Kerberos Account Scan
Kerberos Brute-Force
Kerberos Client Activity
Kerberos Server Access
Kerberos Server Activity
Malware Update
Multi-home Fronted Tunnel
Outbound DoS
Outbound Port Sweep
Outbound Scan
Outbound Spam
Peer-to-Peer
Port Scan
Port Sweep
Privilege Anomaly: Unusual Account on Host
Privilege Anomaly: Unusual Host
Privilege Anomaly: Unusual Service
Privilege Anomaly: Unusual Service from Host
Privilege Anomaly: Unusual Trio
Protocol Abuse
Pulling Instructions
Push Instructions
RDP Recon
RPC Recon
Ransomware File Activity
SMB Account Scan
SMB Brute-Force
SQL Injection Activity
Shell Knocker Client
Shell Knocker Server
Smash and Grab
Stealth HTTP Post
Suspect Domain Activity
Suspicious Admin
Suspicious HTTP
Suspicious Kerberos Account
Suspicious Kerberos Client
Suspicious LDAP Query
Suspicious Relay
Suspicious Remote Desktop
Suspicious Remote Execution
TOR Activity
Threat Intelligence Match
Custom Model detection names may include the following:
Custom model dcerpc botnet_activity
Custom model dcerpc command_and_control
Custom model dcerpc exfiltration
Custom model dcerpc info
Custom model dcerpc lateral_movement
Custom model dcerpc reconnaissance
Custom model dhcp botnet_activity
Custom model dhcp command_and_control
Custom model dhcp exfiltration
Custom model dhcp info
Custom model dhcp lateral_movement
Custom model dhcp reconnaissance
Custom model dnsrecordinfo botnet_activity
Custom model dnsrecordinfo command_and_control
Custom model dnsrecordinfo exfiltration
Custom model dnsrecordinfo info
Custom model dnsrecordinfo lateral_movement
Custom model dnsrecordinfo reconnaissance
Custom model httpsessioninfo botnet_activity
Custom model httpsessioninfo command_and_control
Custom model httpsessioninfo exfiltration
Custom model httpsessioninfo info
Custom model httpsessioninfo lateral_movement
Custom model httpsessioninfo reconnaissance
Custom model isession botnet_activity
Custom model isession command_and_control
Custom model isession exfiltration
Custom model isession info
Custom model isession lateral_movement
Custom model isession reconnaissance
Custom model kerberos_txn botnet_activity
Custom model kerberos_txn command_and_control
Custom model kerberos_txn exfiltration
Custom model kerberos_txn info
Custom model kerberos_txn lateral_movement
Custom model kerberos_txn reconnaissance
Custom model ldap botnet_activity
Custom model ldap command_and_control
Custom model ldap exfiltration
Custom model ldap info
Custom model ldap lateral_movement
Custom model ldap reconnaissance
Custom model ntlm botnet_activity
Custom model ntlm command_and_control
Custom model ntlm exfiltration
Custom model ntlm info
Custom model ntlm lateral_movement
Custom model ntlm reconnaissance
Custom model rdp botnet_activity
Custom model rdp command_and_control
Custom model rdp exfiltration
Custom model rdp info
Custom model rdp lateral_movement
Custom model rdp reconnaissance
Custom model smbfiles botnet_activity
Custom model smbfiles command_and_control
Custom model smbfiles exfiltration
Custom model smbfiles info
Custom model smbfiles lateral_movement
Custom model smbfiles reconnaissance
Custom model smbmapping botnet_activity
Custom model smbmapping command_and_control
Custom model smbmapping exfiltration
Custom model smbmapping info
Custom model smbmapping lateral_movement
Custom model smbmapping reconnaissance
Custom model ssh botnet_activity
Custom model ssh command_and_control
Custom model ssh exfiltration
Custom model ssh info
Custom model ssh lateral_movement
Custom model ssh reconnaissance
Custom model ssl botnet_activity
Custom model ssl command_and_control
Custom model ssl exfiltration
Custom model ssl info
Custom model ssl lateral_movement
Custom model ssl reconnaissance
Custom model x509 botnet_activity
Custom model x509 command_and_control
Custom model x509 exfiltration
Custom model x509 info
Custom model x509 lateral_movement
Custom model x509 reconnaissance
$dd_bytes_rcvd  int  Meaning differs depending on detection type. Does not apply to all detections. Defaults to 0
$dd_bytes_sent  int  The number of bytes in the traffic that caused the detection. Does not apply to all detections. Defaults to 0
$dd_dst_dns  str  The destination domain name of the detection event
$dd_dst_ip  str  The destination IP address of the detection event
$dd_dst_port  int  The port of the attacked host. Defaults to 80
$dvchost  str  The hostname of the Cognito Brain
$headend_addr  str  The IP of the Cognito Brain
$href  str  A link to this detection in the UI
$severity  int  A score proportional to threat
$threat  int  The threat score of this detection
$timestamp  int  Timestamp in seconds since epoch
$triaged  bool Whether the detection has been triaged yet or not
$version  str  The version of the Vectra platform running the Cognito Brain

 

Account Lockdown

Standard

LOCKDOWN [lockdown@41261 category="$category" accountName="$account_name" action="$action" success="$success" dvc="$headend_addr" user="$user" URL="$href" UTCTime="$UTCTime"]			

CEF

CEF:0|Vectra Networks|X Series|$version|lockdown|Account Lockdown|3|externalId=$account_id cat=$category dvc=$headend_addr suser=$user account=$account_name cs1Label=action cs1=$action cs2Label=success cs2=$success cs4Label=Vectra Event URL cs4=$href start=$UTCTimeStart end=$UTCTimeEnd		

JSON

{"category": "$category", "account_id": $account_id, "success": $success, "href": "$href", "vectra_timestamp": "$UTCTime", "headend_addr": "$headend_addr", "user": "$user", "version": "$version", "action": "$action", "account_uid": "$account_name"}			

Detail:

Key  Type  Description
$account_id  int  The ID of the account.
$account_name  str  The name of the account.
$action  str  The action taken on the account (e.g., lock or unlock)
$category  str  The category of the event (e.g., LOCKDOWN)
$headend_addr  str  The IP of the Cognito Brain.
$user  str  The username of the person who performed the lockdown action.
$success  bool  Whether the lockdown action succeeded.
$href  str  A link to the account in the UI.
$UTCTime  int  Seconds since epoch for this event
$version  str  The version of the Vectra platform running the Cognito Brain

 

Campaign

Campaign messages are generated upon the initial creation of a campaign and on campaign closure.

Standard

CAMPAIGN [campaign@41261 id="$campaign_id" action="$action" reason="$reason" dvc="$headend_addr" dvchost="$dvchost" detectionId="$det_id" hostname="$src_name" currentIP="$src_ip" source_id="$src_hid" URL="$campaign_link" dstHost="$dest_name" DestinationIP="$dest_ip" destID="$dest_id" timestamp="$timestamp"]			

CEF

CEF:0|Vectra |X Series|$version|campaigns|$campaign_name|2| externalId=$campaign_id cat=CAMPAIGNS act=$action dvc=$headend_addr dvchost=$dvchost shost=$src_name src=$src_ip suid=$src_hid cs4Label=VectraEventURL cs4=$campaign_link dhost=$dest_name dst=$dest_ip duid=$dest_id rt=$timestamp reason=$reason cs6Label=VectraDetectionID cs6=$det_id			

JSON

Example:

{"src_hid": $src_hid, "timestamp": $syslog_timestamp, "dvchost": "$dvchost", "campaign_id": $campaign_id, "reason": "$reason", "src_name": "$src_name", "campaign_name": "$campaign_name", "campaign_link": "$campaign_link", "headend_addr": "$headend_addr", "dest_name": "$dest_name", "dest_id": "$dest_id", "vectra_timestamp": "$vectra_timestamp", "src_ip": "$src_ip", "version": "$version", "action": "$action", "dest_ip": "$dest_ip", "det_id": $det_id}			

Detail:

Key  Type Description
$action  str  The action that caused the message to be logged (e.g., START, TRIAGED, TIMEOUT)
$campaign_id  int  The id of the campaign
$campaign_link  str  The link to the campaign in the UI
$dest_id  str  The destination of the campaign. Defaults to 'external'
$dest_ip  str  The destination IP address the campaign is targeting
$dest_name  str  The external domain of the campaign destination
$det_id  int  The ID of the detection that caused the campaign creation
$dvchost  str  The hostname of the Cognito Brain
$headend_addr  str  The IP of the Cognito Brain
$reason  str  The event name of the campaign
$src_hid  int  The original host ID of the member host in this campaign
$src_ip  str  The host IP of the source host
$src_name  str  The hostname of the source host
$timestamp  int  Timestamp in seconds since epoch

Audit

Audit logs are generated for login events (both successful and failed), logout events, and other user actions that can affect the security posture of the product (such as creating a triage filter, marking detections as fixed, creating users, or creating roles). For more information about audit data, refer to: Audit Data And User Activity In Cognito

Standard

AUDIT [dvc="$headend_addr" dvchost="$dvchost" version="$version" user="$user" role="$role" source="$source_ip" type="user_action" outcome="$result" message="$message"]

CEF

CEF:0|Vectra |X Series|$version|audit|user_action|0|dvc=$headend_addr dvchost=$dvchost suser=$user spriv=$role src=$source_ip deviceFacility=13 cat=user_action outcome=$result msg=$message			

JSON

{"source_ip": "$source_ip", "dvchost": "$dvchost", "version": "$version", "role": "$role", "user": "$user", "message": "$message", "vectra_timestamp": "$vectra_timestamp", "headend_addr": "$headend_addr", "result": $result}			

Detail:

Key  Type  Description
$dvchost  str  The hostname of the Cognito Brain
$headend_addr  str  The IP of the Cognito Brain
$message  str  A message explaining the cause/nature of the log
$result  bool  True, False, or pending
$role  str  Role of the user who caused the log (e.g., admin, super admin, etc.)
$source_ip  str  The IP address of the machine that initiated the user action
$user  str  Username of the user who caused the log
$vectra_timestamp  int  The epoch timestamp for when the event occurred (e.g.,1550014653)
$version  str  The version of the Vectra platform running the Cognito Brain
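Because the audit feed records every failed login to the Brain's own web UI together with the source IP, it is the right place to catch password guessing against the appliance. The Python below is an added example of detection logic over the JSON audit format, not Vectra code: it parses constructed audit lines and raises one alert per source IP whenever five failed logins land inside a five-minute sliding window, regardless of which usernames were tried. The wording of the login messages ("Login failed") is an assumption; point LOGIN_RE at whatever text your Brain actually emits.

```python
import json
import re
from collections import defaultdict, deque

LOGIN_RE = re.compile(r"\blog(?:in|on)\b", re.IGNORECASE)  # assumption about $message wording


def _audit(ts, user, src, result, message):
    """Build one constructed audit line in the JSON format shown above."""
    return json.dumps({"source_ip": src, "dvchost": "brain01", "version": "5.9",
                       "role": "admin", "user": user, "message": message,
                       "vectra_timestamp": str(ts), "headend_addr": "10.0.0.5",
                       "result": result})


# Constructed sample: six failures from one source in 50 s (across three usernames),
# one success in between, one failure from elsewhere, one pending action, one late failure.
SAMPLE_AUDIT = [
    _audit(1550014600, "admin", "198.51.100.7", False, "Login failed"),
    _audit(1550014610, "admin", "198.51.100.7", False, "Login failed"),
    _audit(1550014615, "bob", "198.51.100.7", True, "Login succeeded"),
    _audit(1550014620, "root", "198.51.100.7", False, "Login failed"),
    _audit(1550014625, "carol", "192.0.2.4", False, "Login failed"),
    _audit(1550014630, "admin", "198.51.100.7", False, "Login failed"),
    _audit(1550014640, "root", "198.51.100.7", False, "Login failed"),
    _audit(1550014650, "vectra", "198.51.100.7", False, "Login failed"),
    _audit(1550014700, "carol", "192.0.2.4", "pending", "Triage filter created"),
    _audit(1550016000, "admin", "198.51.100.7", False, "Login failed"),
]


def parse_audit(line: str) -> dict:
    rec = json.loads(line)
    rec["vectra_timestamp"] = int(rec["vectra_timestamp"])  # page says int; wire shows a string
    return rec


def is_failed_login(rec: dict) -> bool:
    r = rec.get("result")
    failed = r is False or (isinstance(r, str) and r.lower() == "false")  # 'pending' never counts
    return failed and bool(LOGIN_RE.search(rec.get("message", "")))


def failed_login_bursts(lines, threshold=5, window_s=300):
    """One alert per source_ip each time `threshold` failed logins fall within `window_s` seconds."""
    events = sorted((parse_audit(l) for l in lines), key=lambda r: r["vectra_timestamp"])
    recent = defaultdict(deque)  # source_ip -> deque of (timestamp, user) inside the window
    alerts = []
    for rec in events:
        if not is_failed_login(rec):
            continue
        ts, src = rec["vectra_timestamp"], rec["source_ip"]
        q = recent[src]
        q.append((ts, rec["user"]))
        while q and ts - q[0][0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"source_ip": src, "dvchost": rec["dvchost"], "first": q[0][0],
                           "last": ts, "count": len(q), "users": sorted({u for _, u in q})})
            q.clear()  # one burst -> one alert; a fresh window starts after it fires
    return alerts


if __name__ == "__main__":
    for alert in failed_login_bursts(SAMPLE_AUDIT):
        print(alert)
```

Keying the window on source_ip rather than user is deliberate: a spray that rotates usernames never trips a per-user counter, but it still comes from one address.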

Health

System health logs are generated for specific events that can affect the health and operation of the product, including changes to sensor connectivity, capture interface status, and disk health. The health Syslog feed also carries periodic heartbeat messages that indicate the status of the headend.

Standard

HEALTH [dvc="$headend_addr" dvchost="$dvchost" version="$version" type="$type" outcome="$result" message="$message"]		

CEF

CEF:0|Vectra |X Series|$version|health|$type|0|dvc=$headend_addr dvchost=$dvchost deviceFacility=14 outcome=$result msg=$message		

JSON

{"vectra_timestamp": "$vectra_timestamp", "version": "$version", "result": "$result", "type": "$type", "source_ip": "$source_ip", "message": "$message", "dvchost": "$dvchost", "headend_addr": "$headend_addr"}			

Detail:

Key  Type Description
$dvchost  str  The hostname of the Cognito Brain
$headend_addr  str  The IP of the Cognito Brain
$message  str  A message explaining the cause/nature of the log
$result  str  A string indicating either a success or failure
$source_ip  str  IP address of the machine that initiated the action
$type  str  A string indicating what type of health message this is. Valid types include: sensor_connectivity, disk_hardware_raid_check, system_cpuflags_valid, disk_ro_mount_check, capture_interface_flap_status, capture_interface_bandwidth_status, colossus_packet_drop_rate, heartbeat_check, and stream_health
$vectra_timestamp  int The epoch timestamp for when the event occurred (e.g.,1550014653)
$version  str The version of the Vectra platform running the Cognito Brain
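Heartbeats only help if something notices when they stop, and a SIEM rule that fires on events cannot see an event that never arrives. The Python below is an added example, not Vectra code; it runs over constructed JSON health lines and reports three things: gaps between consecutive heartbeat_check messages longer than a tolerance multiple of the expected interval, headends whose most recent heartbeat is older than a threshold at evaluation time, and any non-heartbeat health check whose result is not success. The heartbeat interval is not stated on this page, so it is a parameter (300 s in the sample); dvchost names and timestamps are made up.

```python
import json
from collections import defaultdict


def _health(ts, dvchost, htype, result, message):
    """Build one constructed health line in the JSON format shown above."""
    return json.dumps({"vectra_timestamp": str(ts), "version": "5.9", "result": result,
                       "type": htype, "source_ip": "", "message": message,
                       "dvchost": dvchost, "headend_addr": "10.0.0.5"})


# Constructed sample: brain01 beats every 300 s with one 900 s hole and a failed disk check;
# brain02 beats three times and then goes silent.
SAMPLE_HEALTH = [
    _health(1550000000, "brain01", "heartbeat_check", "success", "heartbeat"),
    _health(1550000000, "brain02", "heartbeat_check", "success", "heartbeat"),
    _health(1550000300, "brain01", "heartbeat_check", "success", "heartbeat"),
    _health(1550000300, "brain02", "heartbeat_check", "success", "heartbeat"),
    _health(1550000600, "brain01", "heartbeat_check", "success", "heartbeat"),
    _health(1550000600, "brain02", "heartbeat_check", "success", "heartbeat"),
    _health(1550000700, "brain01", "disk_ro_mount_check", "failure", "/ mounted read-only"),
    _health(1550001500, "brain01", "heartbeat_check", "success", "heartbeat"),
    _health(1550001800, "brain01", "heartbeat_check", "success", "heartbeat"),
]


def parse_health(line: str) -> dict:
    rec = json.loads(line)
    rec["vectra_timestamp"] = int(rec["vectra_timestamp"])  # page says int; wire shows a string
    return rec


def heartbeat_gaps(lines, interval_s, tolerance=2.0):
    """Per headend, gaps between consecutive heartbeat_check messages > tolerance * interval_s."""
    beats = defaultdict(list)
    for rec in map(parse_health, lines):
        if rec["type"] == "heartbeat_check":
            beats[rec["dvchost"]].append(rec["vectra_timestamp"])
    gaps = []
    for host, ts in beats.items():
        ts.sort()
        for a, b in zip(ts, ts[1:]):
            if b - a > tolerance * interval_s:
                gaps.append({"dvchost": host, "from": a, "to": b, "seconds": b - a})
    return gaps


def silent_headends(lines, now, max_age_s):
    """Headends whose newest heartbeat is older than max_age_s at time `now` (the missing-event case)."""
    last = {}
    for rec in map(parse_health, lines):
        if rec["type"] == "heartbeat_check":
            last[rec["dvchost"]] = max(last.get(rec["dvchost"], 0), rec["vectra_timestamp"])
    return sorted(host for host, ts in last.items() if now - ts > max_age_s)


def health_failures(lines):
    """Non-heartbeat health checks whose result is anything other than 'success'."""
    return [(r["dvchost"], r["type"], r["message"]) for r in map(parse_health, lines)
            if r["type"] != "heartbeat_check" and r["result"] != "success"]


if __name__ == "__main__":
    print(heartbeat_gaps(SAMPLE_HEALTH, interval_s=300))
    print(silent_headends(SAMPLE_HEALTH, now=1550002100, max_age_s=900))
    print(health_failures(SAMPLE_HEALTH))
```

heartbeat_gaps only finds holes that have already closed; silent_headends is the check that has to run on a schedule, because a headend that is down right now has produced nothing to trigger on.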

 

Support

For more information please contact support at  support@vectra.ai
