Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 13 Next »

Overview

The Snare advanced events search capability allows you to build structured queries using the Snare Query Language (SnareQL) to search for events.

With SnareQL, you can specify advanced criteria using tools such as:

  • Operators such as =, !=, >, LIKE, CONTAINS or regular expressions,

  • Specific field comparisons, such as USERNAME=AJSmith

  • Advanced date limitations such as DATE='last monday'

  • Precedence using parentheses, such as EVENTID='login' AND (TIME < 08:00:00 OR TIME > 17:00:00)

Note, SnareQL is not a database query language, even though it uses a subset and superset of SQL syntax.

SnareQL

SnareQL queries consist of query components, joined by logic operators.

Each query component consists of a field, an operator, and a value. For example:

USERNAME='AJSMITH'

This query will search for events that have a field called “USERNAME” that contains (=) the value “AJSMITH”.

Snare Central is capable of storing massive amounts of forensic data. A simple search like this one, without date/time range limitations could potentially take a very long time to run, since it will attempt to search the entire Snare Central data store.

The Snare Central advanced query tool will impose a query timeout on queries by default, to help you narrow down your search criteria in a reasonable timeframe.

A more complex query may look like this:

USERNAME='AJSMITH' AND EVENTID LIKE '%login' AND SYSTEM REGEX '^(AU|US|UK)-' AND ((DATE='WEEKDAY' AND (TIME < '08:00:00' OR TIME > '17:00:00')) OR DATE='WEEKEND')

This query will search for 'out of hours' logins by AJSmith, from systems with a hostname that identifies them as Australia, US or UK.

Different log types will often contain different fields, and event fields with the same names may be formatted slightly differently. Windows uses numeric identifiers for the field EVENTID (eg: 512, 4593), whereas Solaris and Linux will use more descriptive terms such as “login - ftp”.

DATE and TIME fields, though stored in the format YYYY-MM-DD and HH:MM:SS respectively within the Snare Central data store, can support indirect values such as “this time last week” or “the first day of this month”, or “last saturday”, or “5” (which translates to ‘now minus 5 days’, in the case of DATE, or ‘now minus 5 seconds’ in the case of TIME) .

In addition, some functions are available that can modify field contents.

USERNAME='AJSMITH' AND EVENTID LIKE '%login' AND MINUTE(TIME) < 15 AND DATE='today'

This query will search for logins by AJSmith, in the first 15 minutes of each hour of the current day.

Precedence and Grouping in Queries

Snare query components prioritise ANDs over NOTs, and NOTs over ORs - however precedence can be explicitly specified using brackets.

SYSTEM=EMU OR SYSTEM=MAGPIE AND SYSTEM=FROGMOUTH

In this case, the following query components will be evaluated first: SYSTEM=MAGPIE AND SYSTEM=FROGMOUTH

This will return no data (no systems can be both MAGPIE and FROGMOUTH), and the final query element (OR SYSTEM=EMU) will be evaluated, resulting in events that have a system name of EMU being returned.

(SYSTEM=EMU OR SYSTEM=MAGPIE) AND SYSTEM=FROGMOUTH

This will select any events that have a SYSTEM name of either EMU or MAGPIE, and then attempt to find events in that group that ALSO have a system name of FROGMOUTH

Since events cannot have a system name that is both FROGMOUTH and something else, no data will be returned.

SYSTEM=EMU OR SYSTEM=MAGPIE AND TABLE=WinSecurity

Since our AND will be evaluated first, this will look for Windows Security events for MAGPIE, and then ALSO introduce all events for EMU, regardless of whether the table was Windows, Solaris or Firewall logs.

(SYSTEM=EMU OR SYSTEM=MAGPIE) AND TABLE=WinSecurity

This will ONLY look for Windows security logs - from either EMU or MAGPIE

USERNAME='AJSMITH' AND EVENTID LIKE '%login' AND SYSTEM REGEX '^(AU|US|UK)-' AND ((DATE='WEEKDAY' AND (TIME < '08:00:00' OR TIME > '17:00:00')) OR DATE='WEEKEND')

Multiple levels of brackets are supported - in this case, we are looking for login events by AJSmith from systems that start with AU, US or UK, on either the weekend, or out of normal work hours during the week.

Restricted words and characters

The range of characters you can use in your search values depends significantly on the operator you have chosen.

For all operators, the space, single quotes (') and double quotes (“) characters are considered special. If you wish to use these as part of your search, the following rules apply:

  • Content that includes space characters must be surrounded by EITHER single or double quotes.

    • EVENTID=login

    • EVENTID=”login failed”

  • If you wish to use single or double quotes as part of your search criteria, they must be escaped with the backslash character (\)

    • STRINGS CONTAINS “User: \”Fred\””

The INCLUDES operator uses commas to separate potential values. If you wish to use the comma as part of your search criteria, it is recommend that you use regular expressions instead.

The LIKE operator uses the percent sign “%” to represent an arbitrary number of characters.

The REGEX operators (REGEX, !REGEX, REGEXI, !REGEXI) have a range of reserved characters that represent particular features within a regular expression. These characters must be escaped with the backslash character (\) when used as a literal value, in most instances.


Reference


Description

Reference

Field

A field in SnareQL is a word that represents a field within a particular log type.

Events within each logtype are guaranteed by the Snare Central collection subsystem to include the following fields:

  • DATE

    • In the format YYYY-MM-DD, for example 2020-02-23

  • TIME

    • In the format: HH:MM:SS, for example: 16:23:49

  • SYSTEM

    • Upper case system name or IP Address.

  • TABLE

    • The source log type

Depending on the source log type, events may also include fields such as:

  • EventID (eg: “deny packet”, or “login - ssh”, or “512”.

  • SourceIP (eg: 193.32.113.12)

  • User (eg: AJSmith)

  • URL (eg: https://prophecyinternational.com/)

The fields available for each type of log are detailed in a table below. Note that new log types are added on a regular basis.

Operator

An operator in SnareQL is one or more symbols or words that compare the value of a field on its left with one or more values on its right. Some operators may use the negate symbol (!) to reverse the meaning - eg: !=, !REGEX

  • =

    • Standard equality. Case insensitive.

  • !=

    • Standard inequality. Case insensitive.

  • <

    • Less than. Case insensitive in strings.

    • Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979

      • True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y))

  • <=

    • Less than or equal to. Case insensitive in strings.

    • Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979

      • True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y))

  • >

    • Greater than. Case insensitive in strings.

    • Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979

      • True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y))

  • >=

    • Greater than or equal to. Case insensitive in strings.

    • Note: TIME is considered a unique value, and is not linked to date. ie: 15:00:00 < 15:00:01 is true - even if the first DATE is in 2019, and the second DATE is 1979

      • True date/time comparisons would require (DATE < X OR (DATE = X AND TIME < Y))

  • LIKE

    • SQL-style like criteria. "%" symbols are considered to be wildcards. Case insentitive.

  • !LIKE

    • SQL-style like criteria. "%" symbols are considered to be wildcards. Case insentitive.

  • CONTAINS

    • The target string, contains the supplied string. Case insensitive.

    • eg: STRINGS CONTAINS "userid" would be true for a STRINGS of "The following userID logged off: Fred"

  • !CONTAINS

    • The target string, does not contain the supplied string. Case insensitive.

    • eg: STRINGS !CONTAINS "userid" would be true for a STRINGS of "This string does not contain the string"

  • INCLUDES

    • The value is one of the supplied comma-separated values. Case insensitive.

    • eg: STRINGS INCLUDES "Fred,Barney,Wilma" would be true for the String "Fred", but not "Frederick"

    • The equivalent of (STRINGS = "FRED" OR STRINGS = "BARNEY" OR STRINGS = "WILMA")

  • !INCLUDES / EXCLUDES

    • That value contains NONE of the supplied comma-separated values. Case insensitive.

    • EXCLUDES is an alias for !INCLUDES

    • eg: STRINGS EXCLUDES "Fred,Barney,Wilma" would be true for the String "BamBam", and would also be true for "Frederick", but not "Fred"

    • The equivalent of (STRINGS != "FRED" AND STRINGS != "BARNEY" AND STRINGS != "WILMA")

  • REGEX

    • The value matches the supplied regular expression.

    • Regex is CASE SENSITIVE

    • Regex is assumed to be a valid RE2 expression (note that Snare Server version 7 uses PCRE).

  • !REGEX

    • The value does not match the supplied regular expression.

    • Regex is CASE SENSITIVE

    • Regex is assumed to be a valid RE2 expression (note that Snare Server version 7 uses PCRE).

  • REGEXI

    • The value matches the supplied regular expression.

    • Regex is NOT CASE SENSITIVE

    • Regex is assumed to be a valid RE2 expression (note that Snare Server version 7 uses PCRE).

  • !REGEXI

    • The value does not match the supplied regular expression.

    • Regex is NOT CASE SENSITIVE

    • Regex is assumed to be a valid RE2 expression (note that Snare Server version 7 uses PCRE).

  • HAS

    • Like CONTAINS, but assumes that the supplied match string, are entire words.

    • Significantly more friendly from an index-perspective; queries that use HAS may return significantly faster than queries that use CONTAINS.

    • Case insensitive.

    • eg: STRINGS HAS "Fred" would match: "The user Fred logged in", but not "The user Frederick logged in".

    • eg: STRINGS CONTAINS "Fred" would match: "The user Fred logged in" and "The user Frederick logged in".

Logical Element

A logical element in SnareQL is a word that joins two or more clauses together to forma a complex SnareQL query

  • AND

  • OR

  • NOT

Value

A string designed to represent the contents of a field in an event within the Snare Central datastore. The value may be a simple string, or a complex regular expression, depending on the operator selected.

Quotations are optional for simple values comprising a single word. Single or double quotes are recommended for more complex values such as regular expressions, and are required for strings that contain whitespace.

  • AJSmith

  • “Tony Smith”

  • “^(AU|US|UK)-[0-9]”

  • “Tony%”

  • yesterday

Function

A function in SnareQL appears as a word followed by parentheses, which may contain a field.

A function performs a calculation on the contents of the field (the value) and returns the results.

  • 15MIN(TIME):

    • Return the number of 15 minute quadrant associated with the supplied time (0-95).

    • The day will be divided into 96 quadrants.

      00:12:03 will become 0
      00:15:01 will become 1
      12:01:00 will become 48
      12:14:59 will become 48
      12:15:01 will become 49
      14:45:00 will become 59

  • 15MINFLOOR(TIME)

    • Return the time to the nearest low 15 minute segment of the day

      12:01:00 will become 12:00:00
      12:14:59 will become 12:00:00
      12:15:01 will become 12:15:00
      14:45:00 will become 14:45:00
      15:59:00 will become 15:45:00

  • HOUR(TIME)

    • Returns just the hour associated with the supplied time

      12:01:12 will return 12

      17:23:34 will return 17

  • HOURMINUTE(TIME)

    • Returns the hour and the minute, with a colon deliminiter
      17:23:49 becomes 17:23

  • MINUTE(TIME)

    • Returns just the minute component of the supplied time

      12:01:12 will return 01
      17:23:34 will return 23

  • SECONDS(TIME)

    • Returns just the seconds component of the supplied time

      12:01:12 will return 12
      17:23:34 will return 34

  • DAYOFWEEK(DATE)

    • Returns the number of the day of the week for a particular date.

    • 1: Sunday

    • 2: Monday

    • 3: Tuesday

    • 4: Wednesday

    • 5: Thursday

    • 6: Friday

    • 7: Saturday

Log Type / Table

Fields

ACF2Log

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • USERNAME

  • RESOURCE

  • LOGTYPE

  • EVENTID

  • RETURN

  • DATA

AgentHeartBeat

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • AGENTTYPE

  • VERSION

  • ACTION

  • STRINGS

AIXAudit

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • EVENTID

  • EVENTCOUNT

  • RUID

  • EUID

  • PROCESS

  • PID

  • PPID

  • RETURNCODE

  • STRINGS

  • TARGET

ApacheLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • HOSTNAME

  • USERNAME

  • URL

  • RETURNCODE

  • BYTES

  • REFERRER

  • AGENT

  • PROTOCOL

  • LOGTYPE

  • CATEGORY

  • STRINGS

AppleBSM

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • EVENTCOUNT

  • EVENTID

  • AUID

  • EUID

  • EGID

  • RUID

  • RGID

  • PID

  • RETURNCODE

  • STRINGS

  • TARGET

Browser

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • SOURCE

  • USERNAME

  • EVENT

  • MESSAGE

  • REFERRER

  • LENGTH

  • RESPONSE

CarbonBlack

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • TYPE

  • STRINGS

CISCORouterLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • CRITICALITY

  • ACTION

  • PROTO

  • SRCADDR

  • SRCPORT

  • DSTADDR

  • DSTPORT

  • STRING

CuramAuthenticationLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • USERNAME

  • LOGINFAILURES

  • LASTLOGIN

  • LOGINSTATUS

  • LOGID

  • VERSIONNO

  • LASTWRITTEN

CuramAuthorisationLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • USERNAME

  • LOGID

  • IDENTIFIERNAME

  • LASTWRITTEN

CuramOpAuditLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • USERID

  • PROGRAMNAME

  • TRANTYPE

  • LASTWRITTEN

CyberGuardFirewallLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • ACTION

  • PROTO

  • SRCINT

  • SRCADDR

  • SRCPORT

  • DSTINT

  • DSTADDR

  • DSTPORT

DhcpSrvLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • TYPE

  • ID

  • MACADDR

  • IPADDR

  • HOSTNAME

  • DESCRIPTION

Exch2008MTLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • SOURCE

  • EVENTID

  • USER

  • SOURCEADDR

  • DESTADDR

  • SOURCESYSTEM

  • DESTSYSTEM

  • MESSAGEID

  • BYTES

  • STATUS

  • STRING

ExchMTLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • SOURCE

  • EVENTID

  • USER

  • SOURCEADDR

  • DESTADDR

  • SOURCESYSTEM

  • DESTSYSTEM

  • MESSAGEID

  • BYTES

  • STATUS

  • STRING

F5Violations

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • MANAGEMENTIPADDRESS

  • HTTPCLASSNAME

  • WEBAPPLICATIONNAME

  • POLICYNAME

  • POLICYAPPLYDATE

  • VIOLATIONS

  • SUPPORTID

  • REQUESTSTATUS

  • RESPONSECODE

  • ROUTEDOMAIN

  • METHOD

  • HTTPPROTOCOL

  • QUERYSTRING

  • XFORWARDEDFORHEADERVALUE

  • SIGIDS

  • SIGNAMES

  • SEVERITY

  • ATTACKTYPE

  • GEOLOCATION

  • IPADDRESSINTELLIGENCE

  • USERNAME

  • SESSIONID

  • SRCADDR

  • SRCPORT

  • DSTADDR

  • DSTPORT

  • PROTO

  • SUBVIOLATIONS

  • VIRUSNAME

  • URI

  • REQUEST

  • STRINGS

Firewall1Log

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • ACTION

  • INTERFACE

  • SRCADDR

  • SRCPORT

  • DSTADDR

  • DSTPORT

  • PROTO

  • RULE

  • MESSAGE

Fortigate

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • VERSION

  • ACTION

  • CATEGORY

  • TYPE

  • SUBTYPE

  • RULENAME

  • PROTO

  • USRNAME

  • SERIALNUMBER

  • NATSRCIP

  • NATDSTIP

  • SOURCEUSER

  • DESTINATIONUSER

  • APPLICATION

  • VIRTUALSYSTEM

  • SRCADDR

  • SRCPORT

  • DSTADDR

  • DSTPORT

  • SOURCEZONE

  • DESTINATIONZONE

  • INGRESSINTERFACE

  • EGRESSINTERFACE

  • LOGFORWARDINGPROFILE

  • SESSIONID

  • REPEATCOUNT

  • NATSOURCEPORT

  • NATDESTPORT

  • FLAGS

  • BYTES

  • PACKETS

  • ELAPSEDTIME

  • URLCATEGORY

  • BYTESIN

  • BYTESOUT

  • SEVERITY

  • STRING

FWOBJActionsLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • APPLICATION

  • TRANSID

  • RECTYPE

  • FOLDERCODE

  • USER

  • COMMENT

  • ACTION

FWOBJActionsRawLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • SEQUENCE

  • FILENUMBER

  • CLIENTID

  • CLIENTTYPE

  • ACTIONMETHOD

  • OFFICER

  • OBJNAME

  • OBJMETHOD

  • COMMENTS

  • OBJNAMEMETHOD

GauntletFirewallLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • CRITICALITY

  • PROXY

  • ACTION

  • SRCADDR

  • SRCPORT

  • DSTADDR

  • DSTPORT

  • PROTO

  • STRING

GenericLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • CRITICALITY

  • SOURCE

  • DETAILS

IISWebLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • HOSTNAME

  • USERNAME

  • URL

  • RETURNCODE

  • BYTES

  • REFERRER

  • AGENT

  • PROTOCOL

  • LOGTYPE

  • CATEGORY

  • STRINGS

IPTablesFirewall

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • ACTION

  • INTERFACE

  • SRCADDR

  • SRCPORT

  • DSTADDR

  • DSTPORT

  • PROTO

  • STRINGS

IrixSAT

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • EVENTID

  • EVENTTYPE

  • COMMAND

  • AUID

  • EUID

  • EGID

  • TARGET

  • RETURNCODE

  • EVENTCOUNT

  • STRINGS

ISAFWSLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • PROTO

  • ACTION

  • SRCADDR

  • SRCPORT

  • DSTADDR

  • DSTPORT

  • STATUS

  • RULE

  • APPLICATION

  • STRINGS

ISAWebLogDVA

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • HOSTNAME

  • USERNAME

  • URL

  • RETURNCODE

  • BYTES

  • REFERRER

  • AGENT

  • PROTOCOL

  • LOGTYPE

  • CATEGORY

  • STRINGS

ISAWebLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • HOSTNAME

  • USERNAME

  • URL

  • RETURNCODE

  • BYTES

  • REFERRER

  • AGENT

  • PROTOCOL

  • LOGTYPE

  • CATEGORY

  • STRINGS

ISAWebLogImport

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • HOSTNAME

  • USERNAME

  • URL

  • RETURNCODE

  • BYTES

  • REFERRER

  • AGENT

  • PROTOCOL

  • LOGTYPE

  • CATEGORY

  • STRINGS

LinuxAudit

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • EVENTCOUNT

  • EVENTID

  • RUID

  • RGID

  • EUID

  • EGID

  • PROCESS

  • RETURNCODE

  • SUCCESS

  • TARGET

  • STRINGS

LinuxKAudit

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • EVENTCOUNT

  • EVENTID

  • RUID

  • RGID

  • EUID

  • EGID

  • PROCESS

  • RETURNCODE

  • SUCCESS

  • TARGET

  • STRINGS

LotusNotesLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • SOURCE

  • EVENT

MailLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • SOURCE

  • EVENTID

  • USER

  • SOURCEADDR

  • DESTADDR

  • SOURCESYSTEM

  • DESTSYSTEM

  • MESSAGEID

  • BYTES

  • STATUS

  • STRING

MSDNSServer

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • STRING

  • DNSNAME

MSProxySvr

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • HOSTNAME

  • USERNAME

  • URL

  • RETURNCODE

  • BYTES

  • REFERRER

  • AGENT

  • PROTOCOL

  • LOGTYPE

  • CATEGORY

  • STRINGS

MSSQLLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • EVENTID

  • CLASS

  • SPID

  • DBNAME

  • USERNAME

  • OBJECTNAME

  • ROLENAME

  • TARGETUSERNAME

  • DBUSERNAME

  • TARGETLOGINNAME

  • STRINGS

MSWinEventLog

  • DATE

  • TIME

  • DATETIME

  • SYSTEM

  • TABLE

  • EVENTCOUNT

  • EVENTID

  • SOURCE

  • USER

  • SOURCETYPE

  • RETURN

  • DATA

  • STRINGS

MSWinEventLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • EVENTCOUNT

  • EVENTID

  • SOURCE

  • USER

  • SOURCETYPE

  • RETURN

  • DATA

  • STRINGS

NCRATMLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • CRITICALITY

  • EVENTID

  • UID

  • SEQNUM

  • STRINGS

NetgearFirewallLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • ACTION

  • MODULE

  • SRCADDR

  • SRCPORT

  • DSTADDR

  • DSTPORT

  • PROTO

  • MESSAGE

NetgearRouterLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • ACTION

  • SRCADDR

  • SRCPORT

  • DSTADDR

  • DSTPORT

  • PROTO

  • MESSAGE

NetscalerLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • CRITICALITY

  • SOURCE

  • EVENTID

  • USER

  • CLIENTIP

  • EVENTCOUNT

  • EVENT

NetScreenFirewall

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • ACTION

  • PROTO

  • SRCADDR

  • SRCPORT

  • DSTADDR

  • DSTPORT

  • DURATION

  • SENT

  • RECEIVED

  • DIRECTION

  • DETAILS

NortelVPNRouter

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • CRITICALITY

  • LOGSOURCE

  • USERID

  • CPU

  • LOGTYPE

  • DETAILS

ObjectAccess

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • OBJECT

  • OWNER

  • OWNERTYPE

  • ACCESS

  • CAPABILITIES

  • SOURCE

ObjectStarLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • IDGEN_KEY

  • USER

  • USER_CLEARANCE

  • OBJECT

  • OBJECT_CLASSFCTN

  • ACCESS_ALLOWED

  • MESSAGE_NO

  • PARAM1

  • PARAM2

  • ACTIVITY

  • OBJECT_TYPE

OracleLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • NODE

  • INSTANCE

  • SESSIONID

  • ENTRYID

  • STATEMENT

  • USERID

  • USERHOST

  • TERMINAL

  • ACTION

  • RETURNCODE

  • COMMENTS

  • OSUSERID

  • PRIV

  • STRINGS

OS400Log

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • JOURNALCODE

  • JOURNALENTRYCODE

  • JOBNAME

  • JOBUSER

  • JOBNUMBER

  • PROGRAM

  • OFNAME

  • OFLIBRARY

  • OFTYPE

  • STRINGS

PIXLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • CRITICALITY

  • EVENTID

  • ACTION

  • PROTO

  • SRCADDR

  • SRCPORT

  • DSTADDR

  • DSTPORT

  • STRING

QUASARSAudit

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • IDENTITY

  • ACTION

  • IDTYPE

  • IDVALUE

  • AUDITTABLE

  • FIELD

  • OLDVALUE

  • NEWVALUE

RACFLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • EVENTID

  • JOBNAME

  • SOURCE

  • RESOURCE

  • ACTION

  • USERID

  • USERNAME

  • USERFLAGS

  • GROUPID

  • RETURN

  • RESULT

  • DATA

SidewinderFirewallLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • ACTION

  • PROTO

  • SRCINT

  • SRCADDR

  • SRCPORT

  • DSTINT

  • DSTADDR

  • DSTPORT

  • FAC

  • AREA

  • TYPE

  • PRIORITY

  • PID

  • RUID

  • EUID

  • PGID

  • LOGID

  • COMMAND

  • DOMAIN

  • EDOMAIN

  • CATEGORY

  • ATTACKADDR

  • ATTACKINT

  • SERVICENAME

  • USERNAME

  • AUTHMETHOD

  • ACLID

  • CACHEHIT

  • REASON

SidewinderLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • USERNAME

  • AUTHMETHOD

  • SRCADDR

  • SRCPORT

  • DSTADDR

  • DSTPORT

  • PROTO

  • EVENT

  • TYPE

  • REASON

  • STRINGS

SMTPSvcLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • SOURCE

  • EVENTID

  • USER

  • SOURCEADDR

  • DESTADDR

  • SOURCESYSTEM

  • DESTSYSTEM

  • MESSAGEID

  • BYTES

  • STATUS

  • STRING

SnareServerLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • SOURCE

  • USERNAME

  • RESOURCE

  • ACTION

  • RETURN

  • DETAILS

SNMPTrap

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • STRINGS

Snort

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • EVENTID

  • PRIORITY

  • CLASSIFICATION

  • DESCRIPTION

  • SRCADDR

  • SRCPORT

  • DSTADDR

  • DSTPORT

  • PROTO

SOCKSLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • ACTION

  • MESSAGE

SolarisBSM

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • EVENTCOUNT

  • EVENTID

  • AUID

  • EUID

  • EGID

  • RUID

  • RGID

  • PID

  • RETURNCODE

  • STRINGS

  • TARGET

SonicWall

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • EVENTID

  • CATEGORY

  • PRIORITY

  • FWADDR

  • PROTO

  • SRCADDR

  • SRCPORT

  • DSTADDR

  • DSTPORT

  • MESSAGE

  • STRINGS

SonicWallSSLVPN

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • ACTION

  • PRIORITY

  • FWADDR

  • SRCADDR

  • DSTADDR

  • PORTAL

  • DOMAIN

  • USER

  • MESSAGE

  • AGENT

  • STRING

SophosDataControlLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • USERNAME

  • COMPUTER

  • SOURCEPATH

  • DESTINATIONPATH

  • FILENAME

  • DESTTYPE

  • STRINGS

SophosWeb

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • USERNAME

  • CRITICALITY

  • CATEGORY

  • RULE

  • REASON

  • THREAT

  • DOMAIN

  • METHOD

  • URL

  • PROTOCOL

  • SRCIP

  • DESTIP

  • AGENT

  • OS

  • BYTESIN

  • BYTESOUT

  • REFERRER

  • STRINGS

SquidProxyLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • HOSTNAME

  • USERNAME

  • URL

  • RETURNCODE

  • BYTES

  • REFERRER

  • AGENT

  • PROTOCOL

  • LOGTYPE

  • CATEGORY

  • STRINGS

TandemLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • PSGUSER

  • PSGUSERID

  • PCGUSER

  • POOBJECTTYPE

  • POOPERATION

  • POOWNUSER

  • POOWNUSERID

  • PSTERM

  • PCTERM

  • RETURN

TopicLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • CLIENT

  • USERNAME

  • OPERATION

  • QUERY

  • TITLE

  • COLLECTIONS

  • SERIAL

  • PATH

  • RULE

TrendDSM

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • CRITICALITY

  • EVENTNUMBER

  • TITLE

  • TARGET

  • ACTIONBY

  • DESCRIPTION

  • TAGS

Tru64Audit

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • EVENTID

  • USERID

  • AUID

  • RUID

  • EUID

  • PID

  • PPID

  • RETURNCODE

  • STRINGS

  • TARGET

VMSLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • EVENTID

  • EVENTTYPE

  • USERNAME

  • SYSTEMID

  • PID

  • TERMINALNAME

  • PROCESSNAME

  • PROCESSOWNER

  • REMOTEUSERNAME

  • REMOTENODENAME

  • IMAGENAME

  • COMMANDLINE

  • OBJECTCLASSNAME

  • AUDITINGFLAGS

  • ALARMFLAGS

  • STATUS

  • DATA

VWActionsLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • SEQUENCE

  • CLIENTID

  • METHODCODE

  • OFFICERCODE

  • FOLDERCODE

  • CLIENTTYPE

WebLog

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • HOSTNAME

  • USERNAME

  • URL

  • RETURNCODE

  • BYTES

  • REFERRER

  • AGENT

  • PROTOCOL

  • LOGTYPE

  • CATEGORY

  • STRINGS

WinDHCP

  • DATE

  • TIME

  • SYSTEM

  • TABLE

  • EVENTID

  • DESCRIPTION

  • IPADDRESS

  • HOSTNAME

  • MACADDRESS

  • No labels