...
The Centripetal log is a space-delimited syslog with 19 to 20 mandatory fields observed. Parsing of Centripetal syslogs is done by identifying the mandatory fields and placing them in the Snare event map; all optional fields are appended to SnareDataMap.
...
Field | Description |
---|---|
DATE | Event date, in the format YYYY-MM-DD |
TIME | Event time, in ISO 8601 / RFC 3339 format |
SYSTEM | The source system |
CRITICALITY | 14 |
TABLE | Centripetal |
DEVNAME | Device name |
DEVID | Serial number of the device for the traffic’s origin |
TYPE | Event type is traffic |
SUBTYPE | Event subtype is apf-flow |
EVENTID | Event ID, a 10-digit hexadecimal value |
DIRECTION | IN, OUT |
OBSERVED | Observed network types used |
RX_BYTES | Received transmission bytes |
PACKET_COUNT | Received packet count |
ACTION | Status of the session |
ACTION_CONTEXT | List of actions executed for the sessions detected, per network type, e.g. logged, captured, logged&captured |
CTI_TRIGGER | IP address of the triggering CTI system |
CTI_PROVIDER | Name of the IP Reputation checking system |
CTI_FEED | CTI system that does the IP Reputation check |
CTI_TYPE | Cross triggering interface type, e.g. URL, MD, IP, FQDN |
PROTO | Interface of the traffic's destination |
SRCIP | IP address of the traffic’s origin |
SRCPORT | Port number of the traffic's origin |
DSTIP | Destination IP address for the web |
DSTPORT | Port number of the traffic's destination |
SNAREDATAMAP | All other data in the event will be pushed to this field |
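As an added illustration of the split described above (this is example code, not Snare's own parser), the function below maps the mandatory fields from the table into an event map, pushes every other token into SNAREDATAMAP, and rejects lines whose mandatory fields are missing or whose DATE or EVENTID do not match the formats the table states. It assumes the tokens are KEY=VALUE pairs with double quotes around values that contain spaces; the sample line is constructed for the example and is not real Centripetal output.

```python
import re
from datetime import datetime

# Mandatory fields from the table above; SNAREDATAMAP is the catch-all, not a wire field.
MANDATORY_FIELDS = (
    "DATE", "TIME", "SYSTEM", "CRITICALITY", "TABLE", "DEVNAME", "DEVID", "TYPE",
    "SUBTYPE", "EVENTID", "DIRECTION", "OBSERVED", "RX_BYTES", "PACKET_COUNT",
    "ACTION", "ACTION_CONTEXT", "CTI_TRIGGER", "CTI_PROVIDER", "CTI_FEED",
    "CTI_TYPE", "PROTO", "SRCIP", "SRCPORT", "DSTIP", "DSTPORT",
)
# Assumed token shape: KEY=VALUE, with double quotes allowed around values containing spaces.
TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
EVENTID_RE = re.compile(r"^[0-9a-fA-F]{10}$")


def parse_centripetal(line: str) -> dict:
    """Map mandatory KEY=VALUE tokens into the event map; everything else goes to SNAREDATAMAP."""
    event, data_map = {}, {}
    for m in TOKEN_RE.finditer(line):
        key = m.group(1).upper()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        (event if key in MANDATORY_FIELDS else data_map)[key] = value
    missing = [f for f in MANDATORY_FIELDS if f not in event]
    if missing:
        raise ValueError(f"missing mandatory fields: {missing}")
    # Sanity checks on the values the table constrains: DATE format, EVENTID shape, DIRECTION.
    datetime.strptime(event["DATE"], "%Y-%m-%d")
    if not EVENTID_RE.match(event["EVENTID"]):
        raise ValueError(f"EVENTID is not a 10-digit hex value: {event['EVENTID']!r}")
    if event["DIRECTION"] not in ("IN", "OUT"):
        raise ValueError(f"unexpected DIRECTION: {event['DIRECTION']!r}")
    event["SNAREDATAMAP"] = data_map
    return event


# Constructed sample line (not real Centripetal output); SESSIONID and TAG are optional extras.
SAMPLE_LINE = (
    "DATE=2024-03-05 TIME=14:22:31Z SYSTEM=ruleguard CRITICALITY=14 TABLE=Centripetal "
    "DEVNAME=edge-fw-01 DEVID=SN00012345 TYPE=traffic SUBTYPE=apf-flow EVENTID=0a1b2c3d4e "
    "DIRECTION=IN OBSERVED=tcp RX_BYTES=1536 PACKET_COUNT=12 ACTION=blocked "
    'ACTION_CONTEXT="logged&captured" CTI_TRIGGER=10.0.0.5 CTI_PROVIDER=ExampleFeedCo '
    "CTI_FEED=malware-ip CTI_TYPE=IP PROTO=6 SRCIP=198.51.100.23 SRCPORT=51514 "
    'DSTIP=192.0.2.10 DSTPORT=443 SESSIONID=77 TAG="watch list"'
)

if __name__ == "__main__":
    print(parse_centripetal(SAMPLE_LINE))
```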
...