Format of Symantec Network Security incident log data

Article:TECH112754  |  Created: 2005-01-02  |  Updated: 2005-01-30  |  Article URL http://www.symantec.com/docs/TECH112754
Article Type
Technical Solution

Issue

This document describes the contents of log entries for Symantec Network Security (SNS) incidents when those entries are in a text format.

Solution

A text-formatted incident log entry displays the log data as a list of fields. The first six fields are separated (delimited) by a pipe character (|). The remaining fields are separated by semicolons (;) and use the field_name:value format, where the colon (:) separates the field name from its value.

Here is an example of an incident log entry in text format:

6/20/2004 7:13:11|8|6|AF|AFIncAdd|40d598faad3bf746|iid:40d598faad3bf746;cid:;typ:221002;cls:sniffer;tim:6/20/2004 7:13:11;ctt:6/20/2004 7:02:34;rel:6;sev:8;did:MH1;dnm:Default Node 1;nme:3;flc:%%10.10.10.103:32851/10.10.10.106:23#0,10.10.10.150:32791/10.10.10.150:0#0;evt:1;irf:;sta:0;vie:0;sevstr:High;


The following two tables describe the fields. The Date/time modified, Severity, Reliability, and Incident ID fields are listed twice in each entry.


Table 1: pipe-delimited fields

Field              | Example value      | Description
-------------------|--------------------|------------------------------------------------------------
Date/time modified | 6/20/2004 7:13:11  | The date and time that the incident was last modified.
Severity           | 8                  | Possible values for this field are 0 through 10.
Reliability        | 6                  | Possible values for this field are 0 through 10.
Module             | AF                 | The module is usually AF, which is the Analysis Framework.
Action Performed   | AFIncAdd           | The action that was performed. The AFIncAdd action indicates that an event is being added to an incident.
Incident ID        | 40d598faad3bf746   | A unique identifier generated by SNS for the incident.

Table 2: semicolon-delimited field_name:value fields

Field               | Example field name and value | Description
--------------------|------------------------------|------------------------------------------------------------
Incident ID         | iid:40d598faad3bf746         | Repeats the Incident ID field from Table 1.
Customer ID         | cid:                         | The customer ID that was entered in the Network Security console topology for the interface at which the highest priority event was detected.
Event type          | typ:221002                   | The most common type of event in the incident.
Event class         | cls:sniffer                  | The class of the most common type of event in the incident.
Date/time modified  | tim:6/20/2004 7:13:11        | Repeats the Date/time modified field from Table 1.
Date/time created   | ctt:6/20/2004 7:02:34        | The date and time that the incident was created.
Reliability         | rel:6                        | Repeats the Reliability field from Table 1.
Severity            | sev:8                        | Repeats the Severity field from Table 1.
Device ID           | did:MH1                      | The ID of the device at which the highest priority event was detected.
Device Name         | dnm:Default Node 1           | The name of the device at which the last event occurred.
Correlation number  | nme:3                        | The number of events correlated in this incident.
Flowcookie          | flc:%%10.10.10.103:32851/10.10.10.106:23#0,10.10.10.150:32791/10.10.10.150:0#0 | The flowcookie of the event: a string that lists details about the event, such as IP addresses, ports, and attack details.
Event number        | evt:1                        | The event that best represents this incident, which is usually the event with the highest severity.
Incident references | irf:                         | An incident may include multiple related events and references to other related incidents. This field lists the related incidents that this incident references.
Incident state      | sta:0                        | 1 indicates that the incident is active; 0 indicates that the incident is closed.
Viewed              | vie:0                        | Whether the incident has been viewed in the Network Security console: 0 means not viewed; 1 means viewed; 2 means the incident changed significantly since it was last viewed.
Severity string     | sevstr:High                  | The severity rating of the highest severity event in the incident.
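The following parser is an added example and is not code from the Symantec article or from the SNS product. It applies the layout described above (six pipe-delimited header fields, then semicolon-separated name:value pairs, splitting each pair on its first colon because values such as tim: and flc: themselves contain colons) to the sample entry quoted in the article, range-checks Severity and Reliability against the documented 0 through 10, and verifies that the four fields the article says appear twice carry the same value in both places. The breakdown of the flowcookie into src_ip:src_port/dst_ip:dst_port#tag records, comma-separated after a "%%" prefix, is an assumption read off the example value; the article does not document that layout, and the meaning of the "#" suffix is not stated.

```python
"""Parse Symantec Network Security (SNS) text-format incident log entries.

Added example, not the article's or the product's own code. The six
pipe-delimited header fields and the semicolon-separated name:value pairs
follow the article; the flowcookie layout (%%src:port/dst:port#tag, comma-
separated) is an assumption based on the example entry.
"""
from dataclasses import dataclass

# Constructed sample: the entry quoted in the article, split for readability.
SAMPLE = (
    "6/20/2004 7:13:11|8|6|AF|AFIncAdd|40d598faad3bf746|"
    "iid:40d598faad3bf746;cid:;typ:221002;cls:sniffer;"
    "tim:6/20/2004 7:13:11;ctt:6/20/2004 7:02:34;rel:6;sev:8;"
    "did:MH1;dnm:Default Node 1;nme:3;"
    "flc:%%10.10.10.103:32851/10.10.10.106:23#0,10.10.10.150:32791/10.10.10.150:0#0;"
    "evt:1;irf:;sta:0;vie:0;sevstr:High;"
)

# Names for the six pipe-delimited fields, in the order the article lists them.
HEADER_FIELDS = ("modified", "severity", "reliability", "module", "action", "incident_id")


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    tag: str  # text after '#'; its meaning is not documented in the article


@dataclass
class Incident:
    header: dict   # the six pipe-delimited fields
    fields: dict   # the name:value pairs, keyed by their short name (iid, cid, ...)
    flows: list    # Flow records parsed from flc (assumed layout)


def parse_flowcookie(flc: str) -> list:
    """Split a flowcookie into Flow records (assumed layout, see module docstring)."""
    body = flc[2:] if flc.startswith("%%") else flc
    flows = []
    for part in filter(None, body.split(",")):
        endpoints, _, tag = part.partition("#")
        src, _, dst = endpoints.partition("/")
        # rpartition: the IP address itself never contains ':' in these entries.
        src_ip, _, src_port = src.rpartition(":")
        dst_ip, _, dst_port = dst.rpartition(":")
        flows.append(Flow(src_ip, int(src_port), dst_ip, int(dst_port), tag))
    return flows


def parse_incident(line: str) -> Incident:
    """Parse one text-format incident entry into an Incident."""
    # maxsplit=6 keeps the remainder intact even if a value ever contains '|'.
    parts = line.rstrip("\r\n").split("|", 6)
    if len(parts) != 7:
        raise ValueError("expected six pipe-delimited header fields")
    header = dict(zip(HEADER_FIELDS, parts[:6]))
    for name in ("severity", "reliability"):
        header[name] = int(header[name])
        if not 0 <= header[name] <= 10:  # documented range is 0 through 10
            raise ValueError(f"{name} out of range 0..10: {header[name]}")
    fields = {}
    for item in filter(None, parts[6].split(";")):  # trailing ';' leaves an empty item
        # Split on the first colon only: tim:, ctt: and flc: values contain colons.
        name, sep, value = item.partition(":")
        if not sep:
            raise ValueError(f"malformed name:value pair: {item!r}")
        fields[name] = value
    return Incident(header, fields, parse_flowcookie(fields.get("flc", "")))


def duplicate_fields_agree(inc: Incident) -> bool:
    """The article notes four fields appear twice; confirm both copies match."""
    return (
        inc.header["incident_id"] == inc.fields.get("iid")
        and inc.header["modified"] == inc.fields.get("tim")
        and str(inc.header["severity"]) == inc.fields.get("sev")
        and str(inc.header["reliability"]) == inc.fields.get("rel")
    )


if __name__ == "__main__":
    inc = parse_incident(SAMPLE)
    print(inc.header)
    print(inc.fields["cls"], inc.fields["sevstr"], inc.fields["vie"])
    for f in inc.flows:
        print(f"{f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port} (#{f.tag})")
    print("duplicate fields agree:", duplicate_fields_agree(inc))
```

Disagreement between the two copies of a duplicated field, or a Severity or Reliability outside 0 through 10, is a sign that the line has been truncated or corrupted in transit and should be quarantined rather than ingested as-is.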


References

For information on how to read event log data, see Format of Symantec Network Security event log data.

Legacy ID
2005060208041853