diff --git a/docs/manage/field-extractions/fer-templates/akamai-cloud-monitor.md b/docs/manage/field-extractions/fer-templates/akamai-cloud-monitor.md index 0c2faec9a5..95736f16f1 100644 --- a/docs/manage/field-extractions/fer-templates/akamai-cloud-monitor.md +++ b/docs/manage/field-extractions/fer-templates/akamai-cloud-monitor.md @@ -30,7 +30,7 @@ description: Parse the common fields in your Akamai Cloud Monitor log using the "reqPath":"/jobs", "respCT":"", "respLen":"", - "bytes":"", + "bytes":"3278", "UA":"Chrome/35.0.1916.114", "fwdHost":"" }, @@ -52,7 +52,7 @@ description: Parse the common fields in your Akamai Cloud Monitor log using the "downloadTime":"19", "netOriginLatency":"00", "originName":"down", - "originIP":"", + "originIP":"65.07.36.537", "originInitIP":"10.10.10.10", "originRetry":"0", "lastMileRTT":"46", @@ -60,7 +60,7 @@ description: Parse the common fields in your Akamai Cloud Monitor log using the "firstByte":"1", "lastByte":"1", "asnum":"4812", - "edgeIP":"" + "edgeIP":"65.07.36.537" }, "geo":{ "country":"us", @@ -86,11 +86,11 @@ parse "\"reqMethod\":\"*\"" as method, "\"status\":\"*\"" as status, "\"fwdHost\ **Resulting Fields:** | Field | Description | Example | -|:-----------|:-----------------|:--------------| -| method |   | GET | -| status |   | 200 | -| origin |   |   | -| bytes |   |   | -| edgeip |   |   | -| country |   | us | -| cookie |   | 898051433939 | +|:-|:-|:-| +| method | HTTP request method. | GET | +| status | HTTP response status code.  | 200 | +| origin | Host of the request.  | example.com  | +| bytes | Size of the response in bytes.  | 3267  | +| edgeip | IP address of the edge server.  | `65.07.36.537`  | +| country | Base country of the request.  | us | +| cookie | Cookies sent with the request.  | `898051433939` | diff --git a/docs/manage/field-extractions/fer-templates/apache-access-logs.md b/docs/manage/field-extractions/fer-templates/apache-access-logs.md index cd43706934..cb72c12b7e 100644 --- a/docs/manage/field-extractions/fer-templates/apache-access-logs.md +++ b/docs/manage/field-extractions/fer-templates/apache-access-logs.md @@ -26,10 +26,10 @@ parse regex "^(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | Field | Description | Example | |:--|:--|:--| -| src_ip | IP address of the client (remote host) which made the request to the server | 221.125.19.252 | -| method | Method used by the client | GET | -| url | Resource requested by the client | `v` | -| status_code | Status code that the server sends back to the client | 200 | -| size | Size of the object returned to the client | 8825 | -| referrer | Site that the client reports having been referred from | [http://www.google.com/url?sa=t&rct=j...source=web&cd=4](http://www.google.com/url?sa=t&rct=j&q=log-reduce&source=web&cd=4) | -| user_agent | Identifying information that the client browser reports about itself | Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-us) AppleWebKit/533.21.1 (KHTML, like Gecko) Chrome/19.0.1084.30 Safari/536.5 | +| src_ip | IP address of the client (remote host) from which the request is made to the server. | 221.125.19.252 | +| method | Method used by the client. | GET | +| url | Resource requested by the client. | `/_js/master.js` | +| status_code | Status code that the server sends back to the client. | 200 | +| size | Size of the object returned to the client. | 8825 | +| referrer | Displays the site that the client reports having been referred from. | `http://www.google.com/url?sa=t&rct=j...source=web&cd=4` | +| user_agent | Identifying information that the client browser reports about itself. | Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-us)
AppleWebKit/533.21.1 (KHTML, like Gecko)
Chrome/19.0.1084.30
Safari/536.5 | diff --git a/docs/manage/field-extractions/fer-templates/apache-tomcat-access-log-fer.md b/docs/manage/field-extractions/fer-templates/apache-tomcat-access-log-fer.md index fed7822df1..1dd3f174ec 100644 --- a/docs/manage/field-extractions/fer-templates/apache-tomcat-access-log-fer.md +++ b/docs/manage/field-extractions/fer-templates/apache-tomcat-access-log-fer.md @@ -10,7 +10,6 @@ description: Create a field extraction rule for Apache Tomcat 7 Access Logs. **Rule Description:** Parse the Remote IP address, Method, Requested URL path, HTTP status code, Time Taken, and Bytes Sent. - **Sample Log:** ``` @@ -27,11 +26,11 @@ description: Create a field extraction rule for Apache Tomcat 7 Access Logs. | Field Name | Description | Example | |:--|:--|:--| -| ip |   | 192.100.20.135 | -| method |   | GET | -| url |   | /ServiceAPI/mappings/123456/load | -| status |   | 200 | -| time_taken |   | 1414 | -| bytes_sent |   | 6234 | - -  +| ip | The client IP address.  | 192.100.20.135 | +| method | HTTP request method.  | GET | +| url | Resource requested by the client. | `/ServiceAPI/mappings/123456/load` | +| status | HTTP response status code.  | 200 | +| time_taken | Time taken to process the request. | 1414 | +| bytes_sent | Count of bytes sent. | 6234 | + + diff --git a/docs/manage/field-extractions/fer-templates/apache-tomcat-access-logs.md b/docs/manage/field-extractions/fer-templates/apache-tomcat-access-logs.md index eb0efcef94..86ba47a25d 100644 --- a/docs/manage/field-extractions/fer-templates/apache-tomcat-access-logs.md +++ b/docs/manage/field-extractions/fer-templates/apache-tomcat-access-logs.md @@ -4,12 +4,9 @@ title: Apache Tomcat Access Logs description: Parse the common fields in your Apache Tomcat Access Logs using the FER template. --- - - **Log Type**: Apache Tomcat Access -**Template Description**: Parsing the common fields in your Apache -Tomcat Access log. +**Template Description**: Parsing the common fields in your Apache Tomcat Access log. **Sample Log**: @@ -32,9 +29,9 @@ parse regex "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}? )" | Field | Description | Example | |:--|:--|:--| -| ip | The Client IP | 250.67.103.48 | -| method | Request method | POST | -| url | Resource requested by the client | /blog/index.php | -| status | Status code that the server sends back to the client | 200 | -| time_taken | Time taken to process the request | 3280 | -| bytes_sent | Bytes sent count | 4 | +| ip | The client IP address.  | `250.67.103.48` | +| method | HTTP request method. | POST | +| url | Resource requested by the client. | `/blog/index.php`| +| status | HTTP response status code. | 200 | +| time_taken | Time taken to process the request. | 3280 | +| bytes_sent | Count of bytes sent. | 4 | diff --git a/docs/manage/field-extractions/fer-templates/aws-cloudtrail-logs.md b/docs/manage/field-extractions/fer-templates/aws-cloudtrail-logs.md index fcb6080a01..eb8f1e77d6 100644 --- a/docs/manage/field-extractions/fer-templates/aws-cloudtrail-logs.md +++ b/docs/manage/field-extractions/fer-templates/aws-cloudtrail-logs.md @@ -4,11 +4,9 @@ title: AWS CloudTrail Logs description: Parse the common fields in your AWS CloudTrail Logs using the FER template. --- - **Log Type**: AWS CloudTrail -**Template Description**: Parsing the common fields in your AWS -CloudTrail log. +**Template Description**: Parsing the common fields in your AWS CloudTrail log. **Sample Log**: @@ -56,10 +54,10 @@ parse "eventSource\":\"*\"" as event_source | Field | Description | Example | |:--|:--|:--| -| event_source | The service that the request was made to | IAM | -| source_ipaddress | The IP address that the request was made from | 34.87.4.6 | -| event_name | The requested action, which is one of the actions in the API for that service | GetAccountPasswordPolicy | -| aws_Region | The AWS region that the request was made to | us-west-2 | -| user | The friendly name of the identity that made the call | bsmith | +| event_source | The service that the request was made for. | IAM | +| source_ipaddress | The IP address from which the request was made. | `34.87.4.6` | +| event_name | Describes the requested action, which is one of the actions in the API for the respective service. | GetAccountPasswordPolicy | +| aws_Region | The AWS region that the request was made for. | us-west-2 | +| user | The friendly name of the identity that made the call. | bsmith |   diff --git a/docs/manage/field-extractions/fer-templates/aws-elastic-load-balancing-logs.md b/docs/manage/field-extractions/fer-templates/aws-elastic-load-balancing-logs.md index 9e448a4a6c..f9575d03d1 100644 --- a/docs/manage/field-extractions/fer-templates/aws-elastic-load-balancing-logs.md +++ b/docs/manage/field-extractions/fer-templates/aws-elastic-load-balancing-logs.md @@ -4,8 +4,6 @@ title: AWS Elastic Load Balancing Logs description: Parse the common fields in your AWS Elastic Load Balancing Logs using the FER template. --- - - **Log Type**: AWS Elastic Load Balancing **Template Description:** Parsing the common fields in your AWS Elastic @@ -27,21 +25,21 @@ parse "* * *:* *:* * * * * * * * \"* *://*:*/* HTTP" as datetime, ELB_Server, cl | Field | Description | Example | |:--|:--|:--| -| datetime | Time when the load balancer received the request from the client | 2017-08-10T18:25:56 | -| ELB_Server | Name of the load balancer | stag-www-lb | -| clientIP | IP address of the requesting client | 137.190.87.41 | -| port | Port of the requesting client | 52888 | -| backend | IP address of the registered instance that processed this request | 10.168.203.134 | -| backend_port | Port of the registered instance that processed this request | 23667 | -| requestProc | [HTTP listener] The total time elapsed, in seconds, from the time the load balancer received the request until the time it sent it to a registered instance.
[TCP listener] The total time elapsed, in seconds, from the time the load balancer accepted a TCP/SSL connection from a client to the time the load balancer sends the first byte of data to a registered instance | 0.000803 | -| ba_Response | [HTTP listener] The total time elapsed, in seconds, from the time the load balancer sent the request to a registered instance until the instance started to send the response headers.
[TCP listener] The total time elapsed, in seconds, for the load balancer to successfully establish a connection to a registered instance | 0.048702 | -| cli_Response | [HTTP listener] The total time elapsed (in seconds) from the time the load balancer received the response header from the registered instance until it started to send the response to the client. This includes both the queuing time at the load balancer and the connection acquisition time from the load balancer to the back end.
[TCP listener] The total time elapsed, in seconds, from the time the load balancer received the first byte from the registered instance until it started to send the response to the client | 0.002085 | -| ELB_StatusCode | The status code of the response from the load balancer | 200 | -| be_StatusCode | The status code of the response from the registered instance | 200 | -| rcvd | The size of the request, in bytes, received from the client | 2836 | -| send | The size of the response, in bytes, sent to the client | 1169667 | -| method | The request method from the client | POST | -| protocol | The request protocol from the client | https | -| domain | The request domain from the client | dinihou.bounceme.net | -| server_port | The request server port from the client | 443 | -| path | The request path from the client | api/v1/search/jobs/597F6F78E33C7C00 | +| datetime | Timestamp when the load balancer received the request from the client. | 2017-08-10T18:25:56 | +| ELB_Server | Name of the load balancer. | stag-www-lb | +| clientIP | The client IP address.  | `137.190.87.41` | +| port | The client port number. | 52888 | +| backend | IP address of the registered instance that processed this request. | `10.168.203.134` | +| backend_port | Port number of the registered instance that processed this request. | 23667 | +| requestProc | [HTTP listener] The total time elapsed, in seconds, from the time the load balancer received the request until the time it sent it to a registered instance.
[TCP listener] The total time elapsed, in seconds, from the time the load balancer accepted a TCP/SSL connection from a client to the time the load balancer sends the first byte of data to a registered instance. | 0.000803 | +| ba_Response | [HTTP listener] The total time elapsed, in seconds, from the time the load balancer sent the request to a registered instance until the instance started to send the response headers.
[TCP listener] The total time elapsed, in seconds, for the load balancer to successfully establish a connection to a registered instance. | 0.048702 | +| cli_Response | [HTTP listener] The total time elapsed (in seconds) from the time the load balancer received the response header from the registered instance until it started to send the response to the client. This includes both the queuing time at the load balancer and the connection acquisition time from the load balancer to the back end.
[TCP listener] The total time elapsed, in seconds, from the time the load balancer received the first byte from the registered instance until it started to send the response to the client. | 0.002085 | +| ELB_StatusCode | The status code of the response from the load balancer. | 200 | +| be_StatusCode | The status code of the response from the registered instance. | 200 | +| rcvd | The size of the request, in bytes, received from the client. | 2836 | +| send | The size of the response, in bytes, sent to the client. | 1169667 | +| method | HTTP request method. | POST | +| protocol | The request protocol from the client. | https | +| domain | The request domain from the client. | dinihou.bounceme.net | +| server_port | The request server port from the client .| 443 | +| path | The path requested from the client. | `api/v1/search/jobs/597F6F78E33C7C00` | diff --git a/docs/manage/field-extractions/fer-templates/aws-s3-usage-logs.md b/docs/manage/field-extractions/fer-templates/aws-s3-usage-logs.md index d5a8d4b2e1..74d8412bdd 100644 --- a/docs/manage/field-extractions/fer-templates/aws-s3-usage-logs.md +++ b/docs/manage/field-extractions/fer-templates/aws-s3-usage-logs.md @@ -4,8 +4,6 @@ title: Amazon S3 Usage Logs description: Parse the common fields in your Amazon S3 Usage Logs using the FER template. --- - - **Log Type**: Amazon S3 Usage **Template Description:** Parsing the common fields in your Amazon S3 @@ -28,20 +26,20 @@ parse "* * [*] * * * * * \"* HTTP/1.1\" * * * * * * * \"*\" *" as bucket_owner, | Field | Description | Example | |:--|:--|:--| | bucket_owner | The canonical user ID of the owner of the source bucket. | 6ec976a42247d687d5d1c87bb53e87c60c925765f87415f472d240c5d18337a7 | -| bucket | The name of the bucket that the request was processed against | stag-bloomfilter-000000000000141d | -| time | The time at which the request was received | 2017-07-13 | -| remoteIP | The apparent Internet address of the requester | 62.118.225.244 | -| requester | The canonical user ID of the requester, or a - for unauthenticated requests | user/stag-bloomfilter | -| request_ID | The request ID is a string generated by Amazon S3 to uniquely identify each request | B5C788A74FDFA7E7 | +| bucket | The name of the bucket that the request was processed against. | stag-bloomfilter-000000000000141d | +| time | The timestamp at which the request was received. | 2017-07-13 | +| remoteIP | The apparent internet address of the requester. | 62.118.225.244 | +| requester | The canonical user ID of the requester, or "-" for unauthenticated requests. | user/stag-bloomfilter | +| request_ID | The request ID is a string generated by Amazon S3 to uniquely identify each request. | B5C788A74FDFA7E7 | | operation | The operation listed here is declared as SOAP.operation, REST.HTTP_method.resource_type,WEBSITE.HTTP_method.resource_type, or BATCH.DELETE.OBJECT | REST.PUT.OBJECT | -| key | The "key" part of the request, URL encoded, or "-" if the operation does not take a key parameter | 636C271B3F171BB8-000000000138CE3D-1405616382510-v1 | -| request_URI | The Request-URI part of the HTTP request | GET /636C271B3F171BB8-000000000138CE3D-1405616382510-v1 | -| status_code | The numeric HTTP status code of the response | 200 | -| error_code | The Amazon S3 Error Code, or "-" if no error occurred | NoSuchKey | -| bytes_sent | The number of response bytes sent, excluding HTTP protocol overhead, or "-" if zero | 5982 | -|  object_size | The total size of the object in question |  50768 | -|  total_time | The number of milliseconds the request was in flight from the server's perspective |  27 | -|  turn_time |  The number of milliseconds that Amazon S3 spent processing your request |  24 | -|  referrer |  The value of the HTTP Referrer header, if present |  "http://www.amazon.com/webservice" | -|  user_agent |  The value of the HTTP User-Agent header |  aws-sdk-java/1.7.11 Linux/3.2.0-57-virtual OpenJDK_64-Bit_Server_VM/23.2-b09/1.7.0_09 | -|  version_ID |  The version ID in the request, or "-" if the operation does not take a versionId parameter |  3HL4kqtJvjVBH40Nrjfkd | +| key | The "key" part of the request, URL encoded, or "-" if the operation does not take a key parameter. | 636C271B3F171BB8-000000000138CE3D-1405616382510-v1 | +| request_URI | HTTP request method. | GET /636C271B3F171BB8-000000000138CE3D-1405616382510-v1 | +| status_code | HTTP response status code. | 200 | +| error_code | The Amazon S3 Error Code, or "-" if no error occurred. | NoSuchKey | +| bytes_sent | The number of response bytes sent, excluding HTTP protocol overhead, or "-" if zero. | 5982 | +|  object_size | The total size of the object in question. |  50768 | +|  total_time | The number of milliseconds that the request was in flight from the server's perspective. |  27 | +|  turn_time |  The number of milliseconds that the Amazon S3 spent processing your request. |  24 | +|  referrer |  The website from which the client reports are referred. |  "http://www.amazon.com/webservice" | +|  user_agent |  Information about the client browser. |  aws-sdk-java/1.7.11 Linux/3.2.0-57-virtual OpenJDK_64-Bit_Server_VM/23.2-b09/1.7.0_09 | +|  version_ID |  The version ID in the request, or "-" if the operation does not take a versionId parameter. |  3HL4kqtJvjVBH40Nrjfkd | diff --git a/docs/manage/field-extractions/fer-templates/microsoft-iis-logs.md b/docs/manage/field-extractions/fer-templates/microsoft-iis-logs.md index 7990232dd5..54f745b891 100644 --- a/docs/manage/field-extractions/fer-templates/microsoft-iis-logs.md +++ b/docs/manage/field-extractions/fer-templates/microsoft-iis-logs.md @@ -24,16 +24,16 @@ parse regex "^[^#].*?(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?\S | Field | Description | Example | |:--|:--|:--| -| s_ip | IP address of the server on which the log file entry was generated | 10.0.0.103 | -| cs_method | Requested action | POST | -| cs_uri_stem | Target of the action | /ConfigWeb/ManageUsers.aspx | -| cs_uri_query | The query, if any, that the client was trying to perform | name=.NET+StockTrader+Web+Application&cfgSvc=Trade.StockTraderWebApplicationConfigurationImplementation.ConfigurationService&version=Version+5.0&hoster=Microsoft+Corporation&platform=Windows+Server+2008+R2+with+.NET+Framework+v4.0.30319&action=addUser&identify=0 | -| s_port | Server port number that is configured for the service | 80 | -| cs_username | Name of the authenticated user who accessed your server | localadmin | -| c_ip | IP address of the client that made the request | 164.110.188.119 | +| s_ip | IP address of the server on which the log file entry was generated. | `10.0.0.103` | +| cs_method | HTTP request method | POST | +| cs_uri_stem | Target URL for the action.| `/ConfigWeb/ManageUsers.aspx` | +| cs_uri_query | The query that the client was trying to perform. | name=.NET+StockTrader+Web+Application&cfgSvc=Trade.StockTraderWebApplicationConfigurationImplementation.ConfigurationService&version=Version+5.0&hoster=Microsoft+Corporation&platform=Windows+Server+2008+R2+with+.NET+Framework+v4.0.30319&action=addUser&identify=0 | +| s_port | Server port number that is configured for the service. | 80 | +| cs_username | Name of the authenticated user who accessed your server. | localadmin | +| c_ip | IP address of the client that made the request. | `164.110.188.119` | | cs_User_Agent | Browser type that the client used | 500 | -| cs_Referer | Site that the user last visited | 0 | -| sc_status | HTTP status code | 0 | -| sc_substatus | Substatus error code | 4786 | -| sc_win32_status | Windows status code | 194110 | -| time_taken | Length of time that the action took, in milliseconds | 552 | +| cs_Referer | The website from which the client reports are referred. | 0 | +| sc_status | HTTP response status code. | 0 | +| sc_substatus | Substatus of the error code. | 4786 | +| sc_win32_status | Windows status code. | 194110 | +| time_taken | Time taken to complete the action (in milliseconds). | 552 | diff --git a/docs/manage/field-extractions/fer-templates/nginx-logs.md b/docs/manage/field-extractions/fer-templates/nginx-logs.md index 4a5244bbc9..41112c1f3a 100644 --- a/docs/manage/field-extractions/fer-templates/nginx-logs.md +++ b/docs/manage/field-extractions/fer-templates/nginx-logs.md @@ -27,10 +27,10 @@ parse regex "^(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | Field | Description | Example | |:--|:--|:--| -| src_ip | IP from which request was made | 205.197.2.175 | -| method | HTTP request type | GET | -| url | Resource requested by the client | /wp-content/uploads/Screen-Shot-2017-04-13-at-7.12.35-PM-231x300.png | -| status_code | HTTP response code from server | 304 | -|  size | Size of server response in bytes | 0 | -|  referrer | Referral URL | [https://www.sumologic.com/aws/elb/aws-elastic-load-balancers-classic-vs-application/](https://www.sumologic.com/aws/elb/aws-elastic-load-balancers-classic-vs-application/) | -|  user_agent | Information about the client browser | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0 | +| src_ip | The source IP address. | `205.197.2.175` | +| method | HTTP request method. | GET | +| url | Resource requested by the client. | `/wp-content/uploads/Screen-Shot-2017-04-13-at-7.12.35-PM-231x300.png` | +| status_code | HTTP response status code. | 304 | +|  size | The size of the object returned to the client. | 0 | +|  referrer | The website from which the client reports are referred. | `https://www.sumologic.com/aws/elb/aws-elastic-load-balancers-classic-vs-application` | +|  user_agent | Information about the client browser. | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0 | diff --git a/docs/manage/field-extractions/fer-templates/palo-alto-networks.md b/docs/manage/field-extractions/fer-templates/palo-alto-networks.md index e95dd9aa40..61dcd342ec 100644 --- a/docs/manage/field-extractions/fer-templates/palo-alto-networks.md +++ b/docs/manage/field-extractions/fer-templates/palo-alto-networks.md @@ -25,45 +25,45 @@ parse "*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,* | Field | Description | Example | |:--|:--|:--| -| f1 |   | Jul 13 20:39:44 1 | -| recvTime |   | 2017/07/13 20:39:44 | -| serialNum |   | 0009C101317 | -| type |   | TRAFFIC | -| subtype |   | end | -|  f2 |   |  1 | -|  genTime |   |  2017/07/13 20:39:44 | -|  src_ip |   |  10.183.12.108 | -|  dest_ip |   |  10.183.51.49 | -|  natsrc_ip |   | 0.0.0.0 | -|  natdest_ip |   | 0.0.0.0  | -|  ruleName |   |  WinDomain_AUTH_TO_DC | -| src_user |   | sumologic\\tvadmin | -| dest_user |   | sumo\\mkwan | -| app |   | msrpc | -|  vsys |   |  vsys1 | -|  src_zone |   |  ENG_USER | -|  dest_zone |   |  ENG_INFRA | -|  ingress_if |   | ivlan_712  | -|  egress_if |   |  ivlan_751 | -|  logProfile |   |  Syslog | -|  f3 |   |  2017/07/13 20:39:44 | -|  sessionID |   |  1070831 | -|  repeatCnt |   |  1 | -|  src_port |   |  65123 | -|  dest_port |   |  135 | -|  natsrc_port |   |  0 | -|  natdest_port |   |  0 | -|  flags |   |  0x0 | -| protocol  |   |  tcp | -| action  |   |  allow | -| misc  |   |  1194 | -| threatID  |   |  644 | -|  cat |   |  550 | -| severity  |   |  12 | -| direction  |   |  2017/07/13 20:39:44 | -| seqNum  |   |  40 | -|  action_flags |   |  any | -|  src_loc |   |  0 | -|  dest_loc |   |  3297977305 | -|  f4 |   |  0x0 | -|  content_type |   |  10.0.0.0_10.255.255.255,10.0.0.0_10.255.255.255,0,7,5 | +| f1 | The timestamp of the log. | Jul 13 20:39:44 1 | +| recvTime | Time the log was received.  | 2017/07/13 20:39:44 | +| serialNum | Serial number of the firewall that generated the log.  | 0009C101317 | +| type | The type of log.  | TRAFFIC | +| subtype | Subtype of the system log.  | end | +|  f2 | Catchall field. |  1 | +|  genTime | Time the log was generated on the dataplane.  |  2017/07/13 20:39:44 | +|  src_ip | The source IP address.  |  10.183.12.108 | +|  dest_ip | The destination IP address.  |  10.183.51.49 | +|  natsrc_ip | The source IP address after Network Address Translation (NAT).  | 0.0.0.0 | +|  natdest_ip | The destination IP address after NAT.  | 0.0.0.0  | +|  ruleName | The name of the rule that the session matched.  |  WinDomain_AUTH_TO_DC | +| src_user | Username of the user who initiated the session.  | sumologic\\tvadmin | +| dest_user | Username of the user to which the session was destined.  | sumo\\mkwan | +| app | Application associated with the session.  | msrpc | +|  vsys | Virtual system associated with the session.  |  vsys1 | +|  src_zone | The zone from which the session was sourced.  |  ENG_USER | +|  dest_zone | The zone from which the session was destined.  |  ENG_INFRA | +|  ingress_if | The interface from which the session was sourced.  | ivlan_712  | +|  egress_if | The interface from which the session was destined.  |  ivlan_751 | +|  logProfile | The log profile associated with the rule.  |  Syslog | +|  f3 | Catchall field.  |  2017/07/13 20:39:44 | +|  sessionID | An internal numerical identifier applied for each session.  |  1070831 | +|  repeatCnt | Number of sessions with the same Source IP, Destination IP, Application, and Subtype seen within 5 seconds.  |  1 | +|  src_port | Source port utilized by the session.  |  65123 | +|  dest_port | Destination port utilized by the session.  |  135 | +|  natsrc_port | Post-NAT source port.  |  0 | +|  natdest_port | Post-NAT destination port.  |  0 | +|  flags | A 32-bit field that provides details about the session.  |  0x0 | +| protocol  | IP protocol associated with the session.  |  tcp | +| action  | The action taken for the session. |  allow | +| misc  | Field with variable length(URL/Filename).  |  1194 | +| threatID  | Palo Alto Networks identifier for known and custom threats.  |  644 | +|  cat | For **URL** Subtype, it is the URL Category; For **WildFire** subtype, it is the verdict on the file that is either ‘malware’, ‘phishing’, ‘grayware’, or ‘benign’; For other subtypes, the value is ‘any’.  |  550 | +| severity  | Severity associated with the threat. |  12 | +| direction  | Indicates the direction of the attack.  |  2017/07/13 20:39:44 | +| seqNum  | Sequentially incremented identifier.  |  40 | +|  action_flags | A bit field indicating if the log was forwarded to Panorama.  |  any | +|  src_loc | Source country or Internal region for private addresses.  |  0 | +|  dest_loc | Destination country or Internal region for private addresses.  |  3297977305 | +|  f4 | Catchall field.  |  0x0 | +|  content_type | Content type of the HTTP response data.  |  10.0.0.0_10.255.255.255,10.0.0.0_10.255.255.255,0,7,5 | diff --git a/docs/manage/field-extractions/fer-templates/varnish-logs.md b/docs/manage/field-extractions/fer-templates/varnish-logs.md index c3123675a4..6412080466 100644 --- a/docs/manage/field-extractions/fer-templates/varnish-logs.md +++ b/docs/manage/field-extractions/fer-templates/varnish-logs.md @@ -26,10 +26,10 @@ parse regex "^(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | Field | Description | Example | |:--|:--|:--| -| src_ip | The IP address of the client (remote host) which made the request to the server | 101.92.120.16 | -| method | The method used by the client | GET | -| url | The resource requested by the client | /_includes/wp/blog/wp-content/plugins/us/31063765-bpfull.phpi?&w=50&id=6&random=1331063765 | -| status_code | The status code that the server sends back to the client | 304 | -| size | The size of the object returned to the client | 5201 | -| referrer | The site that the client reports having been referred from | [http://search.yahoo.com/mobile/s?rew...0logs&pintl=en](http://search.yahoo.com/mobile/s?rewrite=72&.tsrc=log&first=1&p=AWS-logs&pintl=en) | -| user_agent | The identifying information that the client browser reports about itself | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0 | +| src_ip | The source IP address.  | `101.92.120.16` | +| method | HTTP request method. | GET | +| url | Resource requested by the client. | `/_includes/wp/blog/wp-content/plugins/us/31063765-bpfull.phpi?&w=50&id=6&random=1331063765` | +| status_code | HTTP response status code. | 304 | +| size | The size of the object returned to the client. | 5201 | +| referrer | The website from which the client reports are referred. | `http://search.yahoo.com/mobile/s?rewrite=72&.tsrc=log&first=1&p=AWS-logs&pintl=en` | +| user_agent | Information about the client browser. | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0 |