Format of Symantec Network Security incident log data
Article: TECH112754 | Created: 2005-01-02 | Updated: 2005-01-30 | Article URL: http://www.symantec.com/docs/TECH112754
Problem
This document describes the contents of log entries for Symantec Network Security (SNS) incidents when those entries are in a text format.
Solution
A text-formatted incident log entry displays the log data as a list of fields. The first six fields are separated (delimited) by a pipe character (|). The remaining fields are separated by semicolons (;) and use the field_name:value format, where a colon (:) separates the field name from its value. Note that a value itself can contain colons (the date/time fields and the flowcookie do), so only the first colon in each semicolon-delimited item marks the end of the field name.
Here is an example of an incident log entry in text format:
6/20/2004 7:13:11|8|6|AF|AFIncAdd|40d598faad3bf746|iid:40d598faad3bf746;cid:;typ:221002;cls:sniffer;tim:6/20/2004 7:13:11;ctt:6/20/2004 7:02:34;rel:6;sev:8;did:MH1;dnm:Default Node 1;nme:3;flc:%%10.10.10.103:32851/10.10.10.106:23#0,10.10.10.150:32791/10.10.10.150:0#0;evt:1;irf:;sta:0;vie:0;sevstr:High;
The following two tables describe the fields: the first covers the six pipe-delimited fields, the second the field_name:value fields that follow them. The Date/time modified, Severity, Reliability, and Incident ID fields are listed twice in each entry, once in each part.
Field | Example value | Description |
Date/time modified | 6/20/2004 7:13:11 | This is the date and time that the incident was last modified. |
Severity | 8 | Possible values for this field are 0 through 10. |
Reliability | 6 | Possible values for this field are 0 through 10. |
Module | AF | The module is usually AF, which is Analysis Framework. |
Action Performed | AFIncAdd | This field indicates which action was performed. The AFIncAdd action indicates that an event is being added to an incident. |
Incident ID | 40d598faad3bf746 | This field is a unique identifier generated by SNS for the incident. |
Field | Example field name and value | Description |
Incident ID | iid:40d598faad3bf746 | Same value as the pipe-delimited Incident ID field. |
Customer ID | cid: | This is the customer ID that was entered in the Network Security console topology for the interface at which the highest priority event was detected. |
Event type | typ:221002 | This field indicates the most common type of event in the incident. |
Event class | cls:sniffer | This field indicates the class of the most common type of event in that incident. |
Date/time modified | tim:6/20/2004 7:13:11 | Same value as the pipe-delimited Date/time modified field. |
Date/time created | ctt:6/20/2004 7:02:34 | This field indicates the date and time at which the incident was created. |
Reliability | rel:6 | Same value as the pipe-delimited Reliability field. |
Severity | sev:8 | Same value as the pipe-delimited Severity field. |
Device ID | did:MH1 | The ID of the device at which the highest priority event was detected. |
Device Name | dnm:Default Node 1 | The name of the device at which the last event occurred. |
Correlation number | nme:3 | The number of events correlated in this incident. |
Flowcookie | flc:%%10.10.10.103:32851/10.10.10.106:23#0,10.10.10.150:32791/10.10.10.150:0#0 | Represents the flowcookie of the event. This is a string which lists details about the event, such as IP addresses, attack details, and ports. |
Event number | evt:1 | The event that best represents this incident; which is usually the event that has the highest severity. |
Incident references | irf: | An incident may include multiple related events and references to other related incidents. This field is a list of related incidents that are referenced by this incident. |
Incident state | sta:0 | A value of 1 indicates that the incident is active. A value of 0 indicates that the incident is closed. |
Viewed | vie:0 | This field indicates whether the incident has been viewed in the Network Security console. |
Severity string | sevstr:High | This is the severity rating for the highest severity event that is in the incident. |
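The following parser is an added example written for this article; it is not Symantec code and does not ship with SNS. It implements the layout described above: a split on the first six pipes, then the semicolon-delimited trailer split on the first colon of each item (so the colons inside tim:, ctt: and flc: values survive), and a cross-check that the four fields the article says appear twice agree. It also breaks the flowcookie into flows using the src_ip:src_port/dst_ip:dst_port#n shape visible in the example; the meaning of the leading "%%" and of the trailing "#n", and the list separator inside irf:, are not given in the article, so the handling of those three details is an assumption and is marked as such in the code.

```python
"""Parse Symantec Network Security (SNS) text-format incident log entries.

Added example, not Symantec code. Format per the article: six pipe-delimited
header fields, then a trailer of field_name:value pairs separated by ';'.
"""
import re
from typing import Any, Dict, List, Tuple

# Constructed sample input: the entry quoted in the article.
SAMPLE_ENTRY = (
    "6/20/2004 7:13:11|8|6|AF|AFIncAdd|40d598faad3bf746|"
    "iid:40d598faad3bf746;cid:;typ:221002;cls:sniffer;"
    "tim:6/20/2004 7:13:11;ctt:6/20/2004 7:02:34;rel:6;sev:8;"
    "did:MH1;dnm:Default Node 1;nme:3;"
    "flc:%%10.10.10.103:32851/10.10.10.106:23#0,10.10.10.150:32791/10.10.10.150:0#0;"
    "evt:1;irf:;sta:0;vie:0;sevstr:High;"
)

HEADER_NAMES = ("modified", "severity", "reliability", "module", "action", "incident_id")

# Flow shape inferred from the example: src_ip:src_port/dst_ip:dst_port#n.
# ASSUMPTION: the article does not explain the leading "%%" or the "#n" suffix;
# "%%" is stripped as a prefix marker and n is captured without interpretation.
FLOW_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)/(\d{1,3}(?:\.\d{1,3}){3}):(\d+)#(\d+)$"
)


def parse_flowcookie(flc: str) -> List[Tuple[str, int, str, int, int]]:
    """Split an flc value into (src_ip, src_port, dst_ip, dst_port, n) tuples."""
    body = flc[2:] if flc.startswith("%%") else flc
    flows = []
    for part in body.split(","):
        if not part:
            continue
        m = FLOW_RE.match(part)
        if not m:
            raise ValueError(f"unrecognised flow {part!r}")
        s_ip, s_port, d_ip, d_port, n = m.groups()
        flows.append((s_ip, int(s_port), d_ip, int(d_port), int(n)))
    return flows


def parse_incident_entry(line: str) -> Dict[str, Any]:
    """Parse one text-format incident log entry into a dict."""
    # Only the first six fields are pipe-delimited, so cap the split at six;
    # everything after the sixth pipe is the field_name:value trailer.
    parts = line.rstrip("\r\n").split("|", 6)
    if len(parts) != 7:
        raise ValueError(f"expected six pipe-delimited fields, found {len(parts) - 1}")
    header: Dict[str, Any] = dict(zip(HEADER_NAMES, parts[:6]))

    fields: Dict[str, str] = {}
    for item in parts[6].split(";"):
        if item == "":
            continue  # the trailer ends with ';', which yields one empty item
        if ":" not in item:
            raise ValueError(f"malformed trailer item {item!r}")
        # Split on the FIRST colon only: timestamps ("tim:6/20/2004 7:13:11")
        # and flowcookies carry further colons inside their values.
        name, value = item.split(":", 1)
        fields[name] = value

    # Severity and reliability are documented as 0 through 10.
    for key in ("severity", "reliability"):
        n = int(header[key])
        if not 0 <= n <= 10:
            raise ValueError(f"{key} {n} outside 0..10")
        header[key] = n

    # The article says these four fields appear twice per entry; report any
    # pair that disagrees instead of silently trusting one copy.
    pairs = (("incident_id", "iid"), ("severity", "sev"),
             ("reliability", "rel"), ("modified", "tim"))
    mismatches = [h for h, t in pairs if str(header[h]) != fields.get(t)]

    return {
        "header": header,
        "fields": fields,
        "flows": parse_flowcookie(fields.get("flc", "")),
        # ASSUMPTION: irf is treated as a comma-separated list; the article
        # does not state the separator. An empty irf yields an empty list.
        "related_incidents": [r for r in fields.get("irf", "").split(",") if r],
        "state": {"1": "active", "0": "closed"}.get(fields.get("sta", ""), "unknown"),
        "correlated_events": int(fields["nme"]) if fields.get("nme") else None,
        "mismatches": mismatches,
    }


if __name__ == "__main__":
    parsed = parse_incident_entry(SAMPLE_ENTRY)
    print(parsed["header"], parsed["state"], parsed["flows"], parsed["mismatches"])
```

The cross-check matters when these entries feed a SIEM: a collector that reads only the pipe-delimited severity will disagree with one that reads sev: if the two ever diverge, and raising on an out-of-range value catches a truncated or mis-split line before it is indexed.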
References
For information on how to read event log data, see Format of Symantec Network Security event log data.
Legacy ID
2005060208041853