WitFoo Artifact Syslog format


    Charles Herring (Keymaster)

    When dealing with custom data:

    To transmit a syslog message with pre-populated WitFoo Artifact fields, transmit the message over 514/udp, 514/tcp or 6514/tls using the following format:

    WitFoo-Artifact ::: <artifact_field>=<value> ::: <artifact_field>=<value> ::: ...

    NOTE: there are spaces between the :::.

    Below are the current fields in the Artifact Schema:
    – message
    – senderHost
    – pipelineName
    – pipelineEntrypoint
    – streamName
    – sensitivity
    – messageType
    – startTimeUTC
    – endTimeUTC
    – vendorCode
    – program
    – pid
    – application
    – priority
    – severityCode
    – severityLabel
    – facilityCode
    – facilityLabel
    – protocol
    – clientIP
    – clientPort
    – clientMAC
    – clientHostname
    – clientPackets
    – clientBytes
    – clientSYN
    – clientACK
    – clientFIN
    – clientURG
    – clientPSH
    – clientRST
    – clientGUID
    – serverIP
    – serverPort
    – serverMAC
    – serverHostname
    – serverPackets
    – serverBytes
    – serverSYN
    – serverACK
    – serverFIN
    – serverURG
    – serverPSH
    – serverRST
    – serverGUID
    – totalBytes
    – localIP
    – localHostname
    – userName
    – fileName
    – filePath
    – fileHash
    – fileHashType
    – emailTo
    – emailFrom
    – emailSubject
    – emailSendingServer
    – emailClient
    – uri
    – fqdn
    – action
    – ruleName
    – ruleCategory
    – tags
    – netflowInterfaces
    – cve
    – created_at
    – cveDescription
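A small builder and parser for the message body described in the post, written here as an added example (not WitFoo's own code). It carries the field list above as the allowed schema, splits each token on the first "=" only so values such as URIs with query strings survive, and rejects unknown fields or values that would break the " ::: " framing. The sample message is constructed for illustration.

```python
from typing import Dict

# Field names copied from the Artifact Schema list in the post.
ARTIFACT_FIELDS = frozenset("""
message senderHost pipelineName pipelineEntrypoint streamName sensitivity
messageType startTimeUTC endTimeUTC vendorCode program pid application
priority severityCode severityLabel facilityCode facilityLabel protocol
clientIP clientPort clientMAC clientHostname clientPackets clientBytes
clientSYN clientACK clientFIN clientURG clientPSH clientRST clientGUID
serverIP serverPort serverMAC serverHostname serverPackets serverBytes
serverSYN serverACK serverFIN serverURG serverPSH serverRST serverGUID
totalBytes localIP localHostname userName fileName filePath fileHash
fileHashType emailTo emailFrom emailSubject emailSendingServer emailClient
uri fqdn action ruleName ruleCategory tags netflowInterfaces cve
created_at cveDescription
""".split())

PREFIX = "WitFoo-Artifact"
SEP = " ::: "  # the post stresses the spaces around the colons


def format_artifact(fields: Dict[str, str]) -> str:
    # Build the body that is sent over 514/udp, 514/tcp or 6514/tls.
    # Unknown fields and values containing the separator or a newline
    # are refused, because they would be misread on the receiving side.
    parts = [PREFIX]
    for name, value in fields.items():
        if name not in ARTIFACT_FIELDS:
            raise ValueError(f"unknown Artifact field: {name}")
        value = str(value)
        if SEP in value or "\n" in value:
            raise ValueError(f"value of {name} would break the ::: framing")
        parts.append(f"{name}={value}")
    return SEP.join(parts)


def parse_artifact(line: str) -> Dict[str, str]:
    # Inverse of format_artifact: check the prefix, split on " ::: ",
    # then split each token on its first "=" only.
    parts = line.rstrip("\n").split(SEP)
    if parts[0] != PREFIX:
        raise ValueError("not a WitFoo-Artifact message")
    fields = {}
    for part in parts[1:]:
        name, eq, value = part.partition("=")
        if not eq or name not in ARTIFACT_FIELDS:
            raise ValueError(f"bad field token: {part!r}")
        fields[name] = value
    return fields


# Constructed sample, not a real message from any WitFoo deployment.
SAMPLE = "WitFoo-Artifact ::: senderHost=sensor1 ::: uri=/a?b=c ::: action=allow"
```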
