- This topic has 0 replies, 1 voice, and was last updated 5 years ago by
.
- Posts
When dealing with custom data:
To transmit a syslog message with pre-populated WitFoo Artifact fields, transmit the message over 514/udp, 514/tcp or 6514/tls using the following format:
WitFoo-Artifact ::: <artifact_field>=<value> ::: <artifact_field>=<value> ::: ...NOTE: there are spaces between the
:::.Below are the current fields in the Artifact Schema:
– message
– senderHost
– pipelineName
– pipelineEntrypoint
– streamName
– sensitivity
– messageType
– startTimeUTC
– endTimeUTC
– vendorCode
– program
– pid
– application
– priority
– severityCode
– severityLabel
– facilityCode
– facilityLabel
– protocol
– clientIP
– clientPort
– clientMAC
– clientHostname
– clientPackets
– clientBytes
– clientSYN
– clientACK
– clientFIN
– clientURG
– clientPSH
– clientRST
– clientGUID
– serverIP
– serverPort
– serverMAC
– serverHostname
– serverPackets
– serverBytes
– serverSYN
– serverACK
– serverFIN
– serverURG
– serverPSH
– serverRST
– serverGUID
– totalBytes
– localIP
– localHostname
– userName
– fileName
– filePath
– fileHash
– fileHashType
– emailTo
– emailFrom
– emailSubject
– emailSendingServer
– emailClient
– uri
– fqdn
– action
– ruleName
– ruleCategory
– tags
– netflowInterfaces
– cve
– created_at
– cveDescription
- You must be logged in to reply to this topic.