
Mapping between log messages and Meta data

Question asked by Ray Blair on Jul 10, 2020
Latest reply on Jul 10, 2020 by Dave Glover

Where is the mapping defined between NetWitness and syslog messages? For example, if I want to see a failed SSH login on a Red Hat system I could look for the following in /var/log/messages:

#     type=USER_AUTH

#     $msg contains the following: 'op=PAM'  exe="/usr/sbin/sshd"  res=failed

#     acct=username can identify who performed the ssh (root)


What information from the syslog is used to populate alert.id, event.desc, etc.?

Also, is there a list of all possible values of alert.id?

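As an added illustration (not part of the original question, and not NetWitness's own parser or meta mapping): a small Python parser for audit-style key=value records of the kind quoted above, with the failed-SSH-login filter the question describes (type=USER_AUTH, op=PAM, exe="/usr/sbin/sshd", res=failed, acct identifies the user) run over constructed sample lines. The sample records, the source addresses and the hex-decoding of the acct field are assumptions made for the example; the audit daemon does hex-encode string fields that contain spaces, quotes or control characters, so a filter that only matches acct="..." would miss those.

```python
import re
from typing import Dict, List

# Constructed sample records in the key=value style of Linux audit USER_AUTH
# events (example data for this illustration, not taken from any real host).
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1594368000.101:245): pid=2171 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1594368001.202:246): pid=2171 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.7 addr=10.0.0.7 terminal=ssh res=success'
type=USER_AUTH msg=audit(1594368002.303:247): pid=3004 uid=0 auid=1000 ses=3 msg='op=PAM:authentication grantors=? acct="bob" exe="/usr/bin/sudo" hostname=? addr=? terminal=pts/1 res=failed'
type=USER_LOGIN msg=audit(1594368003.404:248): pid=2171 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1594368004.505:249): pid=2171 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct=6A6F652062 exe="/usr/sbin/sshd" hostname=10.0.0.9 addr=10.0.0.9 terminal=ssh res=failed'
"""

# key=value tokens: double-quoted, single-quoted (the nested msg='...' payload), or bare.
TOKEN_RE = re.compile(r"""(\w+)=(?:"([^"]*)"|'([^']*)'|(\S+))""")

# Fields the audit daemon hex-encodes (unquoted, uppercase hex) when the value
# contains a space, a quote or a control character (assumed set for this example).
HEX_ENCODED_KEYS = {"acct", "cmd", "comm", "proctitle"}


def decode_audit_string(value: str) -> str:
    """Decode a hex-encoded audit string; return any other value unchanged."""
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_audit_record(line: str) -> Dict[str, str]:
    """Flatten one audit record, including the nested msg='...' payload, into a dict."""
    fields: Dict[str, str] = {}
    for match in TOKEN_RE.finditer(line):
        key, dq, sq, bare = match.groups()
        if sq is not None:
            fields.update(parse_audit_record(sq))   # nested payload uses the same syntax
        elif dq is not None:
            fields[key] = dq
        elif key == "msg" and bare.startswith("audit("):
            fields["audit_id"] = bare.rstrip(":")  # msg=audit(ts:serial): is the record id
        elif key in HEX_ENCODED_KEYS:
            fields[key] = decode_audit_string(bare)
        else:
            fields[key] = bare
    return fields


def is_failed_ssh_login(fields: Dict[str, str]) -> bool:
    """The filter from the question: USER_AUTH via PAM, from sshd, result failed."""
    return (
        fields.get("type") == "USER_AUTH"
        and fields.get("op", "").startswith("PAM")
        and fields.get("exe") == "/usr/sbin/sshd"
        and fields.get("res") == "failed"
    )


def failed_ssh_logins(log_text: str) -> List[Dict[str, str]]:
    """Return account, source address and audit id for every failed SSH login."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_audit_record(line)
        if is_failed_ssh_login(fields):
            hits.append({
                "acct": fields.get("acct", "?"),
                "addr": fields.get("addr", "?"),
                "audit_id": fields.get("audit_id", "?"),
            })
    return hits


if __name__ == "__main__":
    for hit in failed_ssh_logins(SAMPLE_LOG):
        print(f"{hit['audit_id']}: failed ssh login for {hit['acct']!r} from {hit['addr']}")
```

Of the five constructed records only the first and the last match: the second succeeded, the third is sudo rather than sshd, and the fourth is a USER_LOGIN record, which is why the type check matters alongside exe and res. The last record carries the account hex-encoded (it decodes to "joe b"), which a quoted-string-only match on acct would silently drop.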