-
Notifications
You must be signed in to change notification settings - Fork 13
/
SCHEMAS.txt
90 lines (82 loc) · 3.73 KB
/
SCHEMAS.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
Schama: root
Status: experimental
Description: root level schema
This schema defines the fields that exist above all schemas.
Name-value pairs here do not use a prefix.
Attributes:
NV pair name Mandatory Description
details N Misc information that relates to the event.
Schema: usracct
Status: experimental
Description: User Accounting Schema
This schema is used to describe user accounting data (e.g. login/logout events)
Attributes:
NV pair name Mandatory Description
usracct.type Y "login" or "logout"
usracct.username Y the name of the user (or the string "n/a" where the info is not available"
usracct.sessionid Y an identifier of this session to match login/logout records
usracct.service N the service that the given user was using if applicable ("terminal", "ras", "desktop", etc.)
usracct.application N the application that implemented the service if applicable (e.g. "sshd", "vncserver", etc.)
usracct.object N the object being accessed if applicable (e.g. file name, database, etc.)
usracct.device N the device that was used for the access if applicable (client computer, terminal line, etc)
usracct.authmethod N authentication method
Schema: flowevt
Status: experimental
Description: Events related to an IP flow
This schema is used to describe events that are related to an IP flow (connection).
Attributes:
NV pair name Mandatory Description
flowevt.proto Y IP transport protocol (TCP, UDP, SCTP, ESP, ...)
flowevt.src_ip Y Source IP address
flowevt.src_port Y Source port number if applicable
flowevt.dst_ip Y Destination IP address
flowevt.dst_port Y Destination port number if applicable
flowevt.in_iface N Input interface name if applicable
flowevt.out_iface N Output interface name if applicable
flowevt.in_zone N Zone name if applicable
flowevt.out_zone N Zone name if applicable
flowevt.size_bytes N The size of the transaction if applicable
flowevt.size_packets N The number of packets of the transaction if applicable.
Schema: secevt
Status: experimental
Description: Security Event Schema
This schema describes events that either explicitly authorize or
reject something. It is not usually used alone, as it is important
to know what was rejected. The "what" can be described by a
different schema (like flowevt + security can describe firewall events)
Attributes:
NV pair name Mandatory Description
secevt.verdict N The verdict (ACCEPT, REJECT, ...), would need to be uniformized
Schema: natevt
Status: experimental
Description: NAT Event Schema
This schema describes events that perform Network Address
Translation events. It is not common to use this without also using
flowevt as the base flow information is described there.
Attributes:
NV pair name Mandatory Description
natevt.src_ip Y Source IP address after NAT is performed.
natevt.src_port Y Source port number after NAT is performed.
natevt.dst_ip Y Destination IP address after NAT is performed.
natevt.dst_port Y Destination port number after NAT is performed.
Schema: dnsqry
Status: experimental
Description: DNS query logs
This schema is describing DNS query logs. Strongly bind inspired.
Attributes:
NV pair name Mandatory Description
dnsqry.client_ip N Source IP address of the DNS request.
dnsqry.client_port N Source port
dnsqry.view N DNS view
dnsqry.query Y DNS query.
dnsqry.class Y DNS class (IN for internet)
dnsqry.type Y DNS record type to query (e.g. A, PTR, etc)
dnsqry.flags N DNS Request flags.
Schema: dnslame
Status: experimental
Description: DNS logs for lame delegation.
This schema is for DNS lame logs, strongly bind inspired.
Attributes:
NV pair name Mandatory Description
dnslame.reason N The reason the DNS request couldn't be fulfilled.
dnslame.zone N The lame zone.