Collect Nix System logs
This document describes how you can collect Nix System logs by enabling Google Cloud telemetry ingestion to Google Security Operations and how log fields of Nix System logs map to Google Security Operations Unified Data Model (UDM) fields.
For more information, see Data ingestion to Google Security Operations.
A typical deployment consists of Nix System logs enabled for ingestion to Google Security Operations. Each customer deployment might differ from this representation and might be more complex.
The deployment contains the following components:
- Google Cloud: The Google Cloud services and products from which you collect logs. 
- Nix System logs: The Nix System logs that are enabled for ingestion into Google Security Operations. 
- Google Security Operations: Google Security Operations retains and analyzes the logs from Nix System. 
An ingestion label identifies the parser that normalizes raw log data to structured UDM format. The information in this document applies to the parser with the NIX_SYSTEM ingestion label.
The following log source paths are supported by the Nix System parser:
- /var/log/apache2/access.log
- /var/log/apache2/error.log
- /var/log/nginx/access.log
- /var/log/nginx/error.log
- /var/log/rkhunter.log
- /var/log/auth.log
- /var/log/kern.log
- /var/log/rundeck/service.log
- /var/log/samba/log.winbindd
- /var/log/mail.log
- /var/log/audit/audit.log
- /var/log/syslog
- /var/log/openvpnas.log
Before you begin
- Set up NixOS on Google Compute Engine. For more information, see Install NixOS on Google Compute Engine.
- Ensure that all systems in the deployment architecture are configured in the UTC time zone.
Configure Google Cloud to ingest Nix System logs
Nix System is deployed on Google Cloud. You must configure Google Cloud to ingest Nix System logs to Google Security Operations. For more information, see Ingest Google Cloud logs to Google Security Operations.
If you encounter issues when you ingest Nix System logs, contact Google Security Operations support.
Supported Nix System log formats
The Nix System parser supports logs in JSON, SYSLOG+JSON, and KV formats.
Supported Nix System sample logs
- JSON - { "_path": "ssl", "_system_name": "zeek-sensor", "_write_ts": "2021-12-21T00:58:02.468587Z", "ts": "2021-12-21T00:58:02.440196Z", "uid": "CzXKYpiKYBEHtfte1", "id.orig_h": "198.51.100.0", "id.orig_p": 17682, "id.resp_h": "198.51.100.1", "id.resp_p": 443, "version": "TLSv13", "cipher": "TLS_AES_256_GCM_SHA384", "curve": "x25519", "server_name": "dummy.domain.com", "resumed": true, "established": true, "ja3": "598872011444709307b861ae817a4b60", "ja3_version": "771", "ja3_ciphers": "4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53", "ja3_extensions": "0-23-65281-10-11-35-16-5-13-18-51-45-43-27-17513-41", "ja3_ec": "29-23-24", "ja3_ec_fmt": "0", "ja3s": "2253c82f03b621c5144709b393fde2c9", "ja3s_version": "771", "ja3s_cipher": "4866", "ja3s_extensions": "43-51-41" }
- SYSLOG+JSON - <13>1 2021-12-21T23:51:25-08:00 dummyhostname bro_http - - - { "ts": 1640159484.694295, "uid": "dummyuid", "id.orig_h": "198.51.100.0", "id.orig_p": 58729, "id.resp_h": "198.51.100.1", "id.resp_p": 8088, "trans_depth": 2284, "method": "POST", "host": "198.51.100.2", "uri": "/system/gateway", "version": "1.1", "user_agent": "Java/11.0.11", "request_body_len": 304, "response_body_len": 203, "status_code": 200, "status_msg": "OK", "tags": [], "orig_fuids": [ "FefIdu4i8dzFTUONb5" ], "orig_mime_types": [ "application/xml" ], "resp_fuids": [ "Flqz7L3yyQR1eSN4Kf" ], "resp_mime_types": [ "application/xml" ] }
- KV - <85>Aug 1 19:55:40 dummyhostname sshd[86907]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.17.42.6 user=dummyuser
Field mapping reference
Field mapping reference: Event Identifier to Event Type for Audit logs
The following table lists the Audit logs log types and their corresponding UDM event types.
| Event Identifier | Event Type | Security Category | 
|---|---|---|
| ADD_GROUP | GROUP_CREATION | |
| ADD_USER | USER_CREATION | |
| ANOM_ABEND | PROCESS_TERMINATION | |
| ANOM_ACCESS_FS | FILE_READ | |
| ANOM_ADD_ACCT | USER_CREATION | |
| ANOM_AMTU_FAIL | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| ANOM_CRYPTO_FAIL | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| ANOM_DEL_ACCT | USER_DELETION | |
| ANOM_EXEC | FILE_UNCATEGORIZED | |
| ANOM_LOGIN_ACCT | USER_LOGIN | |
| ANOM_LOGIN_FAILURES | USER_LOGIN | AUTH_VIOLATION | 
| ANOM_LOGIN_LOCATION | USER_LOGIN | |
| ANOM_LOGIN_SESSIONS | USER_LOGIN | |
| ANOM_LOGIN_TIME | USER_LOGIN | |
| ANOM_MAX_DAC | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| ANOM_MAX_MAC | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| ANOM_MK_EXEC | FILE_UNCATEGORIZED | |
| ANOM_MOD_ACCT | USER_UNCATEGORIZED | |
| ANOM_PROMISCUOUS | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| ANOM_RBAC_FAIL | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| ANOM_RBAC_INTEGRITY_FAIL | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| ANOM_ROOT_TRANS | USER_CHANGE_PERMISSIONS | |
| AVC | GENERIC_EVENT | |
| AVC_PATH | GENERIC_EVENT | |
| BPRM_FCAPS | USER_UNCATEGORIZED | |
| CAPSET | PROCESS_UNCATEGORIZED | |
| CHGRP_ID | GROUP_MODIFICATION | |
| CHUSER_ID | USER_UNCATEGORIZED | |
| CONFIG_CHANGE | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| CRED_ACQ | USER_LOGIN | |
| CRED_DISP | USER_LOGOUT | |
| CRED_REFR | USER_LOGIN | |
| CRYPTO_FAILURE_USER | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| CRYPTO_KEY_USER | USER_RESOURCE_ACCESS | |
| CRYPTO_LOGIN | USER_LOGIN | |
| CRYPTO_LOGOUT | USER_LOGOUT | |
| CRYPTO_PARAM_CHANGE_USER | USER_CHANGE_PERMISSIONS | |
| CRYPTO_REPLAY_USER | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| CRYPTO_SESSION | NETWORK_CONNECTION | |
| CRYPTO_TEST_USER | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| CWD | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| DAC_CHECK | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| DAEMON_ABORT | PROCESS_TERMINATION | |
| DAEMON_ACCEPT | NETWORK_CONNECTION | |
| DAEMON_CLOSE | NETWORK_CONNECTION | |
| DAEMON_CONFIG | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| DAEMON_END | PROCESS_TERMINATION | |
| DAEMON_RESUME | PROCESS_UNCATEGORIZED | |
| DAEMON_ROTATE | PROCESS_UNCATEGORIZED | |
| DAEMON_START | PROCESS_LAUNCH | |
| DEL_GROUP | GROUP_DELETION | |
| DEL_USER | USER_DELETION | |
| DEV_ALLOC | USER_RESOURCE_CREATION | |
| DEV_DEALLOC | USER_RESOURCE_DELETION | |
| EOE | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| EXECVE | PROCESS_LAUNCH | |
| FD_PAIR | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| FS_RELABEL | FILE_UNCATEGORIZED | |
| GRP_AUTH | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| INTEGRITY_DATA | PROCESS_LAUNCH | |
| INTEGRITY_HASH | PROCESS_LAUNCH | |
| INTEGRITY_METADATA | PROCESS_LAUNCH | |
| INTEGRITY_PCR | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| INTEGRITY_RULE | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| INTEGRITY_STATUS | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| IPC | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| IPC_SET_PERM | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| KERNEL | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| KERNEL_OTHER | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| LABEL_LEVEL_CHANGE | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| LABEL_OVERRIDE | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| LOGIN | USER_LOGIN | |
| MAC_CIPSOV4_ADD | USER_UNCATEGORIZED | |
| MAC_CIPSOV4_DEL | USER_UNCATEGORIZED | |
| MAC_CONFIG_CHANGE | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| MAC_IPSEC_EVENT | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| MAC_MAP_ADD | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| MAC_MAP_DEL | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| MAC_POLICY_LOAD | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| MAC_STATUS | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| MAC_UNLBL_ALLOW | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| MAC_UNLBL_STCADD | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| MAC_UNLBL_STCDEL | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| MMAP | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| MQ_GETSETATTR | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| MQ_NOTIFY | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| MQ_OPEN | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| MQ_SENDRECV | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| NETFILTER_CFG | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| NETFILTER_PKT | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| OBJ_PID | PROCESS_UNCATEGORIZED | |
| PATH | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| RESP_ACCT_LOCK | USER_UNCATEGORIZED | |
| RESP_ACCT_LOCK_TIMED | USER_UNCATEGORIZED | |
| RESP_ACCT_REMOTE | USER_UNCATEGORIZED | |
| RESP_ACCT_UNLOCK_TIMED | USER_UNCATEGORIZED | |
| RESP_ALERT | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| RESP_ANOMALY | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| RESP_EXEC | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| RESP_HALT | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| RESP_KILL_PROC | PROCESS_TERMINATION | |
| RESP_SEBOOL | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| RESP_SINGLE | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| RESP_TERM_ACCESS | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| RESP_TERM_LOCK | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| ROLE_ASSIGN | USER_CHANGE_PERMISSIONS | |
| ROLE_MODIFY | USER_CHANGE_PERMISSIONS | |
| ROLE_REMOVE | USER_CHANGE_PERMISSIONS | |
| SELINUX_ERR | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| SERVICE_START | SERVICE_START | |
| SERVICE_STOP | SERVICE_STOP | |
| SOCKADDR | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| SOCKETCALL | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| SYSCALL | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| SYSTEM_BOOT | STATUS_STARTUP | |
| SYSTEM_RUNLEVEL | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| SYSTEM_SHUTDOWN | STATUS_SHUTDOWN | |
| TEST | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| TRUSTED_APP | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| TTY | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| USER_ACCT | USER_UNCATEGORIZED | |
| USER_AUTH | USER_LOGIN | |
| USER_AVC | USER_UNCATEGORIZED | |
| USER_CHAUTHTOK | USER_RESOURCE_UPDATE_CONTENT | |
| USER_CMD | USER_UNCATEGORIZED | |
| USER_END | USER_LOGOUT | |
| USER_ERR | USER_UNCATEGORIZED | |
| USER_LABELED_EXPORT | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| USER_LOGIN | USER_LOGIN | |
| USER_LOGOUT | USER_LOGOUT | |
| USER_MAC_POLICY_LOAD | RESOURCE_READ | |
| USER_MGMT | USER_UNCATEGORIZED | |
| USER_ROLE_CHANGE | USER_CHANGE_PERMISSIONS | |
| USER_SELINUX_ERR | USER_UNCATEGORIZED | |
| USER_START | USER_LOGIN | |
| USER_TTY | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| USER_UNLABELED_EXPORT | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| USYS_CONFIG | USER_RESOURCE_UPDATE_CONTENT | |
| VIRT_CONTROL | STATUS_UPDATE | |
| VIRT_MACHINE_ID | USER_RESOURCE_ACCESS | |
| VIRT_RESOURCE | USER_RESOURCE_ACCESS | |
| BPF | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| SECCOMP | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| PROCTITLE | PROCESS_UNCATEGORIZED | |
Field mapping reference: Audit logs
The following table lists the log fields of the Audit logs log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| | metadata.product_name | The metadata.product_name UDM field is set to Unix System. |
| | target.platform | The target.platform UDM field is set to LINUX. |
| exit | additional.fields[exit] | |
| a0 | additional.fields[a0] | |
| a1 | additional.fields[a1] | |
| a2 | additional.fields[a2] | |
| a3 | additional.fields[a3] | |
| arch | additional.fields[arch] | |
| cap_fi | additional.fields[cap_fi] | |
| cap_fp | additional.fields[cap_fp] | |
| cap_pe | additional.fields[cap_pe] | |
| cap_pi | additional.fields[cap_pi] | |
| cap_pp | additional.fields[cap_pp] | |
| capability | additional.fields[capability] | |
| cwd | additional.fields[cwd] | If the name log field value doesn't contain one of the following values, then the cwd log field is mapped to the additional.fields UDM field. |
| data | additional.fields[data] | |
| dev | additional.fields[dev] | |
| devmajor | additional.fields[devmajor] | |
| devminor | additional.fields[devminor] | |
| flags | additional.fields[flags] | |
| item | additional.fields[item] | |
| list | additional.fields[list] | The additional.fields UDM field is set to one of the following values: |
| msgtype | additional.fields[msgtype] | |
| obj_gid | additional.fields[obj_gid] | |
| obj_role | additional.fields[obj_role] | If the obj_role log field value doesn't contain one of the following values, then the obj_role log field is mapped to the additional.fields UDM field. |
| obj_uid | additional.fields[obj_uid] | |
| ocomm | additional.fields[ocomm] | If the eventType log field value is not equal to OBJ_PID, then the ocomm log field is mapped to the additional.fields UDM field. |
| old_prom | additional.fields[old_prom] | |
| old-disk | additional.fields[old-disk] | |
| old-mem | additional.fields[old-mem] | |
| old-net | additional.fields[old-net] | |
| old-vcpu | additional.fields[old-vcpu] | |
| opid | additional.fields[opid] | If the eventType log field value is not equal to OBJ_PID, then the opid log field is mapped to the additional.fields UDM field. |
| oses | additional.fields[oses] | If the eventType log field value is not equal to OBJ_PID, then the oses log field is mapped to the additional.fields UDM field. |
| pid | additional.fields[pid] | If the eventType log field value is equal to OBJ_PID, then the pid log field is mapped to the additional.fields UDM field. |
| prom | additional.fields[prom] | |
| ses | additional.fields[ses] | If the eventType log field value is equal to OBJ_PID, then the ses log field is mapped to the additional.fields UDM field. |
| subj_clr | additional.fields[subj_clr] | |
| subj_role | additional.fields[subj_role] | |
| subj_sen | additional.fields[subj_sen] | |
| subj | additional.fields[subj] | |
| syscall | additional.fields[syscall] | |
| tty | additional.fields[tty] | |
| | extensions.auth.type | If the eventType log field value contains one of the following values, then the extensions.auth.type UDM field is set to MACHINE. |
| type | metadata.product_event_type | |
| | network.application_protocol | If the eventType log field value contains one of the following values, then the network.application_protocol UDM field is set to SSH. |
| direction | network.direction | If the direction log field value is equal to from-client, then the network.direction UDM field is set to OUTBOUND. Else, if the direction log field value is equal to from-server, then the network.direction UDM field is set to INBOUND. |
| family | network.ip_protocol | The network.ip_protocol UDM field is set to one of the following values: |
| proto | network.ip_protocol | The network.ip_protocol UDM field is set to one of the following values: |
| icmptype | network.ip_protocol | If the icmptype log field value doesn't contain one of the following values, then the network.ip_protocol UDM field is set to ICMP. |
| | network.ip_protocol | If the eventType log field value contains one of the following values, then the network.ip_protocol UDM field is set to TCP. |
| ksize | network.sent_bytes | |
| oses | network.session_id | If the eventType log field value is equal to OBJ_PID, then the oses log field is mapped to the network.session_id UDM field. |
| ses | network.session_id | If the eventType log field value is not equal to OBJ_PID, then the ses log field is mapped to the network.session_id UDM field. |
| cipher | network.tls.cipher | |
| pfs | network.tls.curve | |
| hostname | principal.hostname | If the eventType log field value doesn't contain one of the following values, then the hostname log field is mapped to the principal.hostname UDM field. |
| addr | principal.ip | The addr log field is mapped to the principal.ip UDM field if all of the following conditions are met: |
| ip | principal.ip | If the ip log field value doesn't contain one of the following values, then the ip log field is mapped to the principal.ip UDM field. |
| laddr | principal.ip | To determine if the laddr field contains a valid IP address, the following conditions are evaluated: if the new_laddr field is not empty, then the principal.ip field is set to the value of the new_laddr field. |
| dvc | principal.ip | To filter events that have a device identifier but are not related to login activity, the following conditions are evaluated: the principal.ip and intermediary.ip fields are set with the value of the device identifier. If the device identifier is not a valid IP address, the principal.hostname and intermediary.hostname fields are set with the value of the device identifier. |
| lport | principal.port | |
| cgroup | principal.process.file.full_path | |
| spid | principal.process.pid | |
| uid | principal.user.userid | The principal_userid field is set to true and the principal.user.userid field is set to root if the following conditions are met: the principal.user.userid field is set with the value of the uid field and the principal_userid field is set to true. |
| auid | principal.user.attribute.labels[auid] | The principal_userid field is set to true and the principal.user.userid field is set to the value of the auid field if the following conditions are met: the principal.user.attribute.labels field is set with the value of the auid field. |
| euid | principal.user.attribute.labels[euid] | The principal_userid field is set to true and the principal.user.userid field is set to the value of the euid field if the following conditions are met: the principal.user.attribute.labels field is set with the value of the euid field. |
| fsuid | principal.user.attribute.labels[fsuid] | The principal_userid field is set to true and the principal.user.userid field is set to the value of the fsuid field if the following conditions are met: the principal.user.attribute.labels field is set with the value of the fsuid field. |
| oauid | principal.user.attribute.labels[oauid] | The principal_userid field is set to true and the principal.user.userid field is set to the value of the oauid field if the following conditions are met: the principal.user.attribute.labels field is set with the value of the oauid field. |
| ouid | principal.user.attribute.labels[ouid] | The principal_userid field is set to true and the principal.user.userid field is set to the value of the ouid field if the following conditions are met: the principal.user.attribute.labels field is set with the value of the ouid field. |
| suid | principal.user.attribute.labels[suid] | The principal_userid field is set to true and the principal.user.userid field is set to the value of the suid field if the following conditions are met: the principal.user.attribute.labels field is set with the value of the suid field. |
| inode_gid | principal.user.attribute.labels[inode_gid] | |
| inode_uid | principal.user.attribute.labels[inode_uid] | |
| | security_result.action | If the res log field value matches the regular expression pattern success, then the security_result.action UDM field is set to ALLOW. Else, if the res log field value matches the regular expression pattern fail, then the security_result.action UDM field is set to BLOCK. |
| key | security_result.detection_fields[key] | If the key log field value doesn't contain one of the following values, then the key log field is mapped to the security_result.detection_fields.key UDM field. |
| saddr | security_result.detection_fields[saddr] | |
| sig | security_result.detection_fields[sig] | |
| res | security_result.summary | If the res log field value doesn't contain one of the following values, then the res log field is mapped to the security_result.summary UDM field. |
| result | security_result.summary | If the result log field value doesn't contain one of the following values, then the result log field is mapped to the security_result.summary UDM field. |
| reason | security_result.summary | If the reason log field value doesn't contain one of the following values, then the reason log field is mapped to the security_result.summary UDM field. |
| success | security_result.summary | If the eventType log field value is equal to SYSCALL and the success log field value is equal to yes, then the security_result.summary UDM field is set to systemcall was successful. If the eventType log field value is equal to SYSCALL and the success log field value is equal to no, then the security_result.summary UDM field is set to systemcall was failed. |
| name | src.file.full_path | If the eventType log field value is equal to PATH and the item log field value is not equal to 0, then the name log field is mapped to the src.file.full_path UDM field. |
| src | src.ip | |
| terminal | additional.fields[terminal] | If the eventType log field value doesn't contain one of the following values, then the terminal log field is mapped to the additional.fields.terminal UDM field. |
| terminal | target.application | The terminal log field is mapped to the target.application UDM field when all of the following conditions are met: |
| terminal | principal.application | The terminal log field is mapped to the principal.application UDM field when all of the following conditions are met: |
| ocomm | target.process.command_line | If the eventType log field value is equal to OBJ_PID, then the ocomm log field is mapped to the target.process.command_line UDM field. |
| cmd | target.process.command_line | If the eventType log field value is not equal to OBJ_PID, then the target.process.command_line UDM field is mapped based on the following conditions: |
| comm | target.process.command_line | If the eventType log field value is not equal to OBJ_PID, then the target.process.command_line UDM field is mapped based on the following conditions: |
| proctitle | target.process.command_line | If the eventType log field value is not equal to OBJ_PID, then the target.process.command_line UDM field is mapped based on the following conditions: |
| unit | additional.fields[unit] | |
| name | target.file.full_path | The name log field is mapped to the target.file.full_path UDM field when all of the following conditions are met: |
| cwd | target.file.full_path | If the cwd log field value doesn't contain one of the following values, then the cwd log field is mapped to the target.file.full_path UDM field. |
| path | target.file.full_path | If the path log field value doesn't contain one of the following values, then the path log field is mapped to the target.file.full_path UDM field. |
| filetype | target.file.mime_type | If the filetype log field value doesn't contain one of the following values, then the filetype log field is mapped to the target.file.mime_type UDM field. |
| gid | target.group.product_object_id | The target_groupid field is set to true and the target.group.product_object_id field is set to the value of the gid field if the gid field is not empty or doesn't contain the ? value. |
| egid | target.group.attribute.labels[egid] | The target_groupid field is set to true and the target.group.product_object_id field is set to the value of the egid field if the following conditions are met: the target.group.attribute.labels field is set with the value of the egid field. |
| fsgid | target.group.attribute.labels[fsgid] | The target_groupid field is set to true and the target.group.product_object_id field is set to the value of the fsgid field if the following conditions are met: the target.group.attribute.labels field is set with the value of the fsgid field. |
| new_gid | target.group.attribute.labels[new_gid] | The target_groupid field is set to true and the target.group.product_object_id field is set to the value of the new_gid field if the following conditions are met: the target.group.attribute.labels field is set with the value of the new_gid field. |
| ogid | target.group.attribute.labels[ogid] | The target_groupid field is set to true and the target.group.product_object_id field is set to the value of the ogid field if the following conditions are met: the target.group.attribute.labels field is set with the value of the ogid field. |
| sgid | target.group.attribute.labels[sgid] | The target_groupid field is set to true and the target.group.product_object_id field is set to the value of the sgid field if the following conditions are met: the target.group.attribute.labels field is set with the value of the sgid field. |
| grp | target.group.group_display_name | |
| id | target.group.product_object_id | If the eventType log field value is equal to ADD_GROUP, then the id log field is mapped to the target.group.product_object_id UDM field. |
| hostname | target.hostname | If the eventType log field value contains one of the following values, then the hostname log field is mapped to the target.hostname UDM field. |
| addr | target.ip | The addr field is mapped to the target.ip UDM field when all of the following conditions are met: |
| dvc | target.ip | To filter events that have a device identifier and are related to login activity, the following conditions are evaluated: the target.ip and intermediary.ip fields are set with the value of the device identifier. If the device identifier is not a valid IP address, the target.hostname and intermediary.hostname fields are set with the value of the device identifier. |
| new-net | target.mac | |
| ppid | target.process.parent_process.pid | |
| rport | target.port | |
| exe | target.process.file.full_path | If the eventType log field value doesn't contain one of the following values, then the exe log field is mapped to the target.process.file.full_path UDM field. |
| opid | target.process.pid | If the eventType log field value is equal to OBJ_PID, then the opid log field is mapped to the target.process.pid UDM field. |
| pid | target.process.pid | If the eventType log field value is not equal to OBJ_PID, then the pid log field is mapped to the target.process.pid UDM field. |
| new-mem | target.resource.attribute.labels[new-mem] | |
| new-vcpu | target.resource.attribute.labels[new-vcpu] | |
| obj_lev_high | target.resource.attribute.labels[obj_lev_high] | |
| obj_lev_low | target.resource.attribute.labels[obj_lev_low] | |
| mode | target.resource.attribute.permissions.name | If the mode field value matches one of the following values: admin_perm, group_perm, or others_perm, the permissions are set. If the admin_perm value is equal to 7, then the target.resource.attribute.permissions.name UDM field is set to the following permissions: Else, if the admin_perm value is equal to 6, then the target.resource.attribute.permissions.name UDM field is set to the following permissions: Else, if the admin_perm value is equal to 5, then the target.resource.attribute.permissions.name UDM field is set to the following permissions: Else, if the admin_perm value is equal to 4, then the target.resource.attribute.permissions.name UDM field is set to Admin - Read. Else, if the admin_perm value is equal to 3, then the target.resource.attribute.permissions.name UDM field is set to the following permissions: Else, if the admin_perm value is equal to 2, then the target.resource.attribute.permissions.name UDM field is set to Admin - Write. Else, if the admin_perm value is equal to 1, then the target.resource.attribute.permissions.name UDM field is set to Admin - Execute. Else, if the admin_perm value is equal to 0, then the target.resource.attribute.permissions.name UDM field is set to Admin - Nopermissions. If the group_perm value is equal to 7, then the target.resource.attribute.permissions.name UDM field is set to the following permissions: Else, if the group_perm value is equal to 6, then the target.resource.attribute.permissions.name UDM field is set to the following permissions: Else, if the group_perm value is equal to 5, then the target.resource.attribute.permissions.name UDM field is set to the following permissions: Else, if the group_perm value is equal to 4, then the target.resource.attribute.permissions.name UDM field is set to Group - Read. Else, if the group_perm value is equal to 3, then the target.resource.attribute.permissions.name UDM field is set to the following permissions: Else, if the group_perm value is equal to 2, then the target.resource.attribute.permissions.name UDM field is set to Group - Write. Else, if the group_perm value is equal to 1, then the target.resource.attribute.permissions.name UDM field is set to Group - Execute. Else, if the group_perm value is equal to 0, then the target.resource.attribute.permissions.name UDM field is set to Group - Nopermissions. If the others_perm value is equal to 7, then the target.resource.attribute.permissions.name UDM field is set to the following permissions: Else, if the others_perm value is equal to 6, then the target.resource.attribute.permissions.name UDM field is set to the following permissions: Else, if the others_perm value is equal to 5, then the target.resource.attribute.permissions.name UDM field is set to the following permissions: Else, if the others_perm value is equal to 4, then the target.resource.attribute.permissions.name UDM field is set to Others - Read. Else, if the others_perm value is equal to 3, then the target.resource.attribute.permissions.name UDM field is set to the following permissions: Else, if the others_perm value is equal to 2, then the target.resource.attribute.permissions.name UDM field is set to Others - Write. Else, if the others_perm value is equal to 1, then the target.resource.attribute.permissions.name UDM field is set to Others - Execute. Else, if the others_perm value is equal to 0, then the target.resource.attribute.permissions.name UDM field is set to Others - Nopermissions. |
| perm | target.resource.attribute.permissions.name | |
| mode | target.resource.attribute.permissions.type | If the mode field value matches one of the following values: admin_perm, group_perm, or others_perm, the permissions are set. If the admin_permvalue is equal to7, then thetarget.resource.attribute.permissions.typeUDM field is set to the following permissions:
 Else, if the admin_permvalue is equal to6, then thetarget.resource.attribute.permissions.typeUDM field is set to the following permissions:
 Else, if the admin_permvalue is equal to5, then thetarget.resource.attribute.permissions.typeUDM field is set to the following permissions:
 Else, if the admin_permvalue is equal to4, then thetarget.resource.attribute.permissions.typeUDM field is set toADMIN_READ.Else, if the admin_permvalue is equal to3, then thetarget.resource.attribute.permissions.typeUDM field is set to the following permissions:
 Else, if the admin_permvalue is equal to2, then thetarget.resource.attribute.permissions.typeUDM field is set toADMIN_WRITE.Else, if the admin_permvalue is equal to1, then thetarget.resource.attribute.permissions.typeUDM field is set toUNKNOWN_PERMISSION_TYPE.Else, if the admin_permvalue is equal to0, then thetarget.resource.attribute.permissions.typeUDM field is set toAdmin - Nopermissions.If the group_permvalue is equal to7, then thetarget.resource.attribute.permissions.typeUDM field is set to the following permissions:
 Else, if the group_permvalue is equal to6, then thetarget.resource.attribute.permissions.typeUDM field is set to the following permissions:
 Else, if the group_permvalue is equal to5, then thetarget.resource.attribute.permissions.typeUDM field is set to the following permissions:
 Else, if the group_permvalue is equal to4, then thetarget.resource.attribute.permissions.typeUDM field is set toDATA_READ.Else, if the group_permvalue is equal to3, then thetarget.resource.attribute.permissions.typeUDM field is set to the following permissions:
 Else, if the group_permvalue is equal to2, then thetarget.resource.attribute.permissions.typeUDM field is set toDATA_WRITE.Else, if the group_permvalue is equal to1, then thetarget.resource.attribute.permissions.typeUDM field is set toUNKNOWN_PERMISSION_TYPE.Else, if the group_permvalue is equal to0, then thetarget.resource.attribute.permissions.typeUDM field is set toGroup - Nopermissions.If the others_permvalue is equal to7, then thetarget.resource.attribute.permissions.typeUDM field is set to the following permissions:
 Else, if the others_permvalue is equal to6, then thetarget.resource.attribute.permissions.typeUDM field is set to the following permissions:
 Else, if the others_permvalue is equal to5, then thetarget.resource.attribute.permissions.typeUDM field is set to the following permissions:
 Else, if the others_permvalue is equal to4, then thetarget.resource.attribute.permissions.typeUDM field is set toDATA_READ.Else, if the others_permvalue is equal to3, then thetarget.resource.attribute.permissions.typeUDM field is set to the following permissions:
 Else, if the others_permvalue is equal to2, then thetarget.resource.attribute.permissions.typeUDM field is set toDATA_WRITE.Else, if the others_permvalue is equal to1, then thetarget.resource.attribute.permissions.typeUDM field is set toUNKNOWN_PERMISSION_TYPE.Else, if the others_permvalue is equal to0, then thetarget.resource.attribute.permissions.typeUDM field is set toOthers - Nopermissions. | 
| exe | target.resource.name | If the `eventType` log field value contains one of the following values, then the `exe` log field is mapped to the `target.resource.name` UDM field.
  | 
| new-disk | target.resource.name | If the `new-disk` log field value doesn't contain one of the following values, then the `new-disk` log field is mapped to the `target.resource.name` UDM field.
  | 
| obj | target.resource.name | If the `obj` log field value doesn't contain one of the following values, then the `obj` log field is mapped to the `target.resource.name` UDM field.
  | 
| vm | target.resource.name | If the `vm` log field value doesn't contain one of the following values, then the `vm` log field is mapped to the `target.resource.name` UDM field.
  | 
| inode | target.resource.product_object_id | |
| ino | target.resource.product_object_id | |
| | target.resource.resource_subtype | If the `perm` log field value is not empty, then the `target.resource.resource_subtype` UDM field is set to `File`. |
| | target.resource.resource_type | If the `eventType` log field value contains one of the following values and the `exe` log field value is not empty, then the `target.resource.resource_type` UDM field is set to `SETTING`.
 If the `inode` log field value is not empty or the `ino` log field value is not empty, then the `target.resource.resource_type` UDM field is set to `STORAGE_OBJECT`.
 If the `obj` log field value doesn't contain one of the following values, then the `target.resource.resource_type` UDM field is set to `STORAGE_OBJECT`.
 If the `vm` log field value doesn't contain one of the following values, then the `target.resource.resource_type` UDM field is set to `VIRTUAL_MACHINE`.
 If the `new-disk` log field value is not empty, then the `target.resource.resource_type` UDM field is set to `DISK`.
 If the `perm` log field value is not empty, then the `target.resource.resource_type` UDM field is set to `STORAGE_OBJECT`.
 If the `eventType` log field value contains one of the following values, then the `target.resource.resource_type` UDM field is set to `DEVICE`.
  |
| uid | target.user.userid | The `target_userid` field is set to `true` and the `target.user.userid` field is set to `root` if the following conditions are met:
 The `target.user.userid` field is set with the value of the `uid` field and the `target_userid` field is set to `true`. | 
| auid | target.user.attribute.labels[auid] | The `target_userid` field is set to `true` and the `target.user.userid` field is set to the value of the `auid` field if the following conditions are met:
 The `target.user.attribute.labels` field is set with the value of the `auid` field. | 
| euid | target.user.attribute.labels[euid] | The `target_userid` field is set to `true` and the `target.user.userid` field is set to the value of the `euid` field if the following conditions are met:
 The `target.user.attribute.labels` field is set with the value of the `euid` field. | 
| fsuid | target.user.attribute.labels[fsuid] | The `target_userid` field is set to `true` and the `target.user.userid` field is set to the value of the `fsuid` field if the following conditions are met:
 The `target.user.attribute.labels` field is set with the value of the `fsuid` field. | 
| oauid | target.user.attribute.labels[oauid] | The `target_userid` field is set to `true` and the `target.user.userid` field is set to the value of the `oauid` field if the following conditions are met:
 The `target.user.attribute.labels` field is set with the value of the `oauid` field. | 
| ouid | target.user.attribute.labels[ouid] | The `target_userid` field is set to `true` and the `target.user.userid` field is set to the value of the `ouid` field if the following conditions are met:
 The `target.user.attribute.labels` field is set with the value of the `ouid` field. | 
| suid | target.user.attribute.labels[suid] | The `target_userid` field is set to `true` and the `target.user.userid` field is set to the value of the `suid` field if the following conditions are met:
 The `target.user.attribute.labels` field is set with the value of the `suid` field. | 
| id | target.user.attribute.labels[id] | If the `eventType` log field value is equal to `ADD_USER`, then the `id` log field is mapped to the `target.user.userid` UDM field. Else, if the `eventType` log field value is equal to `ADD_GROUP`, then the `id` log field is mapped to the `target.group.product_object_id` UDM field. Else, the `id` log field is mapped to the `target.user.attribute.labels` UDM field. | 
| sauid | target.user.attribute.labels[sauid] | |
| acct | target.user.user_display_name | If the `acct` log field value doesn't contain one of the following values, then the `acct` log field is mapped to the `target.user.user_display_name` UDM field.
  | 
| subj_user | target.user.user_display_name | If the `subj_user` log field value doesn't contain one of the following values, then the `subj_user` log field is mapped to the `target.user.user_display_name` UDM field.
  | 
| obj_user | target.user.user_display_name | If the `obj_user` log field value doesn't contain one of the following values, then the `obj_user` log field is mapped to the `target.user.user_display_name` UDM field.
  | 
| id | target.user.userid | If the `eventType` log field value contains one of the following values, then the `id` log field is mapped to the `target.user.userid` UDM field.
  | 
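The permission-digit rules in the audit.log table above, worked as an added Python example (not the parser's or Google's code). It assumes the `perm` log field carries a three-digit octal mode such as `0750`, treats the composite digits whose expanded lists the page does not reproduce (7, 6, 5, 3) as the union of the single-bit entries the page does give, and labels the first digit's scope `Owner` (only the `Group` and `Others` branches are shown above); `is_world_writable` is an added hygiene check, not a parser rule.

```python
"""Expand an audit.log `perm` mode value into the UDM permission types the
audit table lists for the owner, group and others digits.

Added example, not the NIX_SYSTEM parser's code. Assumed here: `perm` holds a
three-digit octal mode, optionally with a leading 0 (e.g. "0750"); the
composite digits whose expanded lists the page does not reproduce (7, 6, 5, 3)
are the union of the single-bit entries it does give (4 = DATA_READ,
2 = DATA_WRITE, 1 = UNKNOWN_PERMISSION_TYPE); and the first digit's scope label
is "Owner" (only the Group and Others branches are shown on the page).
"""
SCOPES = ("Owner", "Group", "Others")
BIT_TYPES = ((4, "DATA_READ"), (2, "DATA_WRITE"), (1, "UNKNOWN_PERMISSION_TYPE"))


def decode_digit(scope, digit):
    """One octal digit -> list of permissions.type values for that scope."""
    if not 0 <= digit <= 7:
        raise ValueError(f"octal digit expected, got {digit!r}")
    if digit == 0:
        return [f"{scope} - No permissions"]
    return [name for bit, name in BIT_TYPES if digit & bit]


def decode_perm(perm):
    """Three octal digits -> {scope: [permission types]}."""
    digits = perm.strip()
    if len(digits) == 4 and digits[0] == "0":
        digits = digits[1:]
    if len(digits) != 3 or any(c not in "01234567" for c in digits):
        raise ValueError(f"unsupported perm value {perm!r}")
    return {scope: decode_digit(scope, int(c)) for scope, c in zip(SCOPES, digits)}


def normalize_perm(perm):
    """UDM fields the table sets when perm is non-empty: File, STORAGE_OBJECT and
    the per-scope permission entries. An empty perm sets nothing."""
    if not perm:
        return {}
    return {
        "target.resource.resource_subtype": "File",
        "target.resource.resource_type": "STORAGE_OBJECT",
        "target.resource.attribute.permissions": [
            {"scope": scope, "type": t}
            for scope, types in decode_perm(perm).items()
            for t in types
        ],
    }


def is_world_writable(perm):
    """Added hygiene check (not a parser rule): does the others digit grant DATA_WRITE?"""
    return "DATA_WRITE" in decode_perm(perm)["Others"]


if __name__ == "__main__":
    for sample in ("0750", "644", "666"):
        print(sample, decode_perm(sample), "world-writable:", is_world_writable(sample))
```

Note that `DATA_READ` alone is emitted for a digit of 4 and `DATA_WRITE` alone for 2, exactly as the table states; the execute bit has no dedicated UDM permission type, which is why the page maps a digit of 1 to `UNKNOWN_PERMISSION_TYPE`.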
Field mapping reference: Event Identifier to Event Type for all Log source paths
The following table lists all the remaining log types and their corresponding UDM event types.
| Event Identifier | Event Type | 
|---|---|
| /var/log/apache2/error.log | NETWORK_UNCATEGORIZED | 
| /var/log/apache2/error.log | NETWORK_UNCATEGORIZED | 
| /var/log/apache2/error.log | NETWORK_UNCATEGORIZED | 
| /var/log/apache2/error.log | NETWORK_HTTP | 
| /var/log/apache2/error.log | NETWORK_UNCATEGORIZED | 
| /var/log/apache2/error.log | NETWORK_UNCATEGORIZED | 
| /var/log/apache2/error.log | NETWORK_UNCATEGORIZED | 
| /var/log/apache2/access.log | NETWORK_HTTP | 
| /var/log/apache2/access.log | NETWORK_HTTP | 
| /var/log/apache2/access.log | NETWORK_HTTP | 
| /var/log/apache2/access.log | NETWORK_HTTP | 
| /var/log/apache2/access.log | NETWORK_HTTP | 
| /var/log/apache2/access.log | GENERIC_EVENT | 
| var/log/apache2/other_vhosts_access.log | NETWORK_HTTP | 
| var/log/apache2/other_vhosts_access.log | NETWORK_HTTP | 
| var/log/nginx/access.log | NETWORK_HTTP | 
| var/log/nginx/error.log | NETWORK_HTTP | 
| /var/log/kern.log | NETWORK_CONNECTION | 
| /var/log/kern.log | GENERIC_EVENT | 
| /var/log/kern.log | GENERIC_EVENT | 
| /var/log/kern.log | GENERIC_EVENT | 
| /var/log/kern.log | GENERIC_EVENT | 
| /var/log/kern.log | GENERIC_EVENT | 
| /var/log/kern.log | GENERIC_EVENT | 
| /var/log/kern.log | GENERIC_EVENT | 
| /var/log/kern.log | GENERIC_EVENT | 
| /var/log/kern.log | GENERIC_EVENT | 
| /var/log/kern.log | GENERIC_EVENT | 
| /var/log/kern.log | GENERIC_EVENT | 
| /var/log/kern.log | GENERIC_EVENT | 
| /var/log/kern.log | GENERIC_EVENT | 
| /var/log/kern.log | GENERIC_EVENT | 
| /var/log/kern.log | GENERIC_EVENT | 
| /var/log/rundeck/service.log | GENERIC_EVENT | 
| var/log/rundeck/rundeck.api.log | STATUS_UPDATE | 
| var/log/openvpnas.log | NETWORK_CONNECTION | 
| var/log/openvpnas.log | GENERIC_EVENT | 
| var/log/openvpnas.log | GENERIC_EVENT | 
| var/log/openvpnas.log | GENERIC_EVENT | 
| var/log/openvpnas.log | GENERIC_EVENT | 
| var/log/openvpnas.log | GENERIC_EVENT | 
| var/log/openvpnas.log | GENERIC_EVENT | 
| var/log/openvpnas.log | GENERIC_EVENT | 
| var/log/openvpnas.log | GENERIC_EVENT | 
| var/log/openvpnas.log | NETWORK_UNCATEGORIZED | 
| var/log/openvpnas.log | GENERIC_EVENT | 
| var/log/openvpnas.log | GENERIC_EVENT | 
| /var/log/mail.log | GENERIC_EVENT | 
| /var/log/mail.log | EMAIL_UNCATEGORIZED | 
| /var/log/mail.log | GENERIC_EVENT | 
| /var/log/mail.log | EMAIL_UNCATEGORIZED | 
| /var/log/mail.log | GENERIC_EVENT | 
| /var/log/mail.log | EMAIL_UNCATEGORIZED | 
| /var/log/auth.log | USER_LOGOUT | 
| /var/log/auth.log | USER_LOGIN | 
| /var/log/auth.log | USER_LOGIN | 
| /var/log/auth.log | USER_LOGIN | 
| /var/log/auth.log | USER_UNCATEGORIZED | 
| /var/log/auth.log | USER_UNCATEGORIZED | 
| /var/log/auth.log | USER_LOGIN | 
| /var/log/auth.log | USER_LOGOUT | 
| /var/log/auth.log | STATUS_UPDATE | 
| /var/log/auth.log | USER_LOGIN | 
| var/log/samba/log.winbindd | GENERIC_EVENT | 
| var/log/samba/log.winbindd | GENERIC_EVENT | 
| var/log/samba/log.winbindd | GENERIC_EVENT | 
| var/log/rkhunter.log | GENERIC_EVENT | 
| var/log/rkhunter.log | GENERIC_EVENT | 
| var/log/rkhunter.log | GENERIC_EVENT | 
| /var/log/syslog.log | NETWORK_CONNECTION | 
| /var/log/syslog.log | GENERIC_EVENT | 
| /var/log/syslog.log | GENERIC_EVENT | 
| /var/log/syslog.log | GENERIC_EVENT | 
| /var/log/syslog.log | GENERIC_EVENT | 
| /var/log/syslog.log | GENERIC_EVENT | 
| /var/log/syslog.log | GENERIC_EVENT | 
| /var/log/syslog.log | GENERIC_EVENT | 
Field mapping reference: /var/log/apache2/error.log
The following table lists the log fields of the /var/log/apache2/error.log log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| timestamp | metadata.event_timestamp | |
| log_module | principal.resource.name | |
| severity | security_result.severity | If the `severity` log field value is equal to `info`, then the `security_result.severity` UDM field is set to `INFORMATIONAL`. Else, if the `severity` log field value is equal to `error`, then the `security_result.severity` UDM field is set to `ERROR`. Else, if the `severity` log field value is equal to `crit`, then the `security_result.severity` UDM field is set to `CRITICAL`. Else, if the `severity` log field value is equal to `notice`, then the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `severity` log field value is equal to `emerg`, then the `security_result.severity` UDM field is set to `HIGH`. | 
| tid | target.process.pid | If the `tid` log field value is not empty and the `pid` log field value is not empty, then the `tid` log field is mapped to the `target.process.pid` UDM field. | 
| pid | target.process.pid | If the `tid` log field value is empty and the `pid` log field value is not empty, then the `pid` log field is mapped to the `target.process.pid` UDM field. | 
| pid | target.process.parent_process.pid | If the `tid` log field value is not empty, then the `pid` log field is mapped to the `target.process.parent_process.pid` UDM field. | 
| principal_ip | principal.ip | |
| principal_port | principal.port | |
| error_message | security_result.description | |
| referer_url | network.http.referral_url | If the `referer_url` log field value doesn't contain one of the following values, then the `referer_url` log field is mapped to the `network.http.referral_url` UDM field.
  | 
| target_ip | target.ip | |
| connection_id | network.session_id | |
| request_id | security_result.detection_fields[request] | |
| file_path | target.file.full_path | |
| | network.application_protocol | The `network.application_protocol` UDM field is set to `HTTP`. |
| | target.platform | The `target.platform` UDM field is set to `LINUX`. |
| | metadata.event_type | If the `principal_ip` log field value is not empty and the `target_ip` log field value is not empty, then the `metadata.event_type` UDM field is set to `NETWORK_HTTP`. Else, if the `principal_ip` log field value is not empty, then the `metadata.event_type` UDM field is set to `STATUS_UPDATE`. Else, the `metadata.event_type` UDM field is set to `GENERIC_EVENT`. |
| | metadata.product_name | The `metadata.product_name` UDM field is set to `Unix System`. |
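The error.log rules above (severity map, thread/process pid routing and the three-way `metadata.event_type` decision) applied to constructed Apache 2.4 lines, as an added Python example that is not the NIX_SYSTEM parser's code. The regex that splits a raw line into the page's log fields is an assumption (the page names the fields but not how they are extracted), client addresses are assumed IPv4, and the referer exclusion list the page elides is taken to be the empty string and `-`.

```python
"""Normalize Apache 2.4 error.log lines into the UDM fields the
/var/log/apache2/error.log table describes.

Added example, not the NIX_SYSTEM parser's code. Assumed here: the regex that
splits a raw line into the page's log fields (the page names the fields, not
how they are extracted), IPv4 client addresses, and an elided referer
exclusion list taken to be "" and "-".
"""
import re

ERROR_LINE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\] "
    r"\[(?P<log_module>[^:\]]+):(?P<severity>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\[client (?P<principal_ip>[0-9.]+)(?::(?P<principal_port>\d+))?\] )?"
    r"(?P<error_message>.*?)(?:, referer: (?P<referer_url>\S+))?$"
)

# severity -> security_result.severity exactly as the table states; other levels stay unset
SEVERITY_MAP = {"info": "INFORMATIONAL", "error": "ERROR", "crit": "CRITICAL",
                "notice": "MEDIUM", "emerg": "HIGH"}
EXCLUDED_REFERERS = {"", "-"}  # assumption: the page's exclusion list is not shown

# Constructed sample lines (no real host or client).
SAMPLE_LINES = [
    "[Tue Mar 05 10:15:32.123456 2024] [core:error] [pid 1234:tid 140225] "
    "[client 10.0.0.5:51234] AH00128: File does not exist: /var/www/html/favicon.ico, "
    "referer: http://example.com/",
    "[Tue Mar 05 10:15:33.000001 2024] [mpm_event:notice] [pid 1200] "
    "AH00094: Command line: '/usr/sbin/apache2'",
]


def event_type(principal_ip, target_ip):
    """The table's three-way rule for metadata.event_type."""
    if principal_ip and target_ip:
        return "NETWORK_HTTP"
    if principal_ip:
        return "STATUS_UPDATE"
    return "GENERIC_EVENT"


def normalize_error_line(line, target_ip=None):
    """Return the UDM fields (dotted keys) for one error.log line.

    error.log lines carry no target_ip of their own, so unless the caller
    supplies one, client lines land on STATUS_UPDATE rather than NETWORK_HTTP.
    """
    m = ERROR_LINE.match(line)
    if not m:
        raise ValueError(f"unrecognised error.log line: {line!r}")
    f = m.groupdict()
    udm = {
        "metadata.event_timestamp": f["timestamp"],
        "principal.resource.name": f["log_module"],
        "security_result.description": f["error_message"],
        "network.application_protocol": "HTTP",
        "target.platform": "LINUX",
        "metadata.product_name": "Unix System",
        "metadata.event_type": event_type(f["principal_ip"], target_ip),
    }
    if f["severity"] in SEVERITY_MAP:
        udm["security_result.severity"] = SEVERITY_MAP[f["severity"]]
    # tid present: the thread becomes the process and the pid its parent
    if f["tid"]:
        udm["target.process.pid"] = f["tid"]
        udm["target.process.parent_process.pid"] = f["pid"]
    else:
        udm["target.process.pid"] = f["pid"]
    if f["principal_ip"]:
        udm["principal.ip"] = f["principal_ip"]
        if f["principal_port"]:
            udm["principal.port"] = int(f["principal_port"])
    if target_ip:
        udm["target.ip"] = target_ip
    if f["referer_url"] and f["referer_url"] not in EXCLUDED_REFERERS:
        udm["network.http.referral_url"] = f["referer_url"]
    return udm


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        for key, value in sorted(normalize_error_line(sample).items()):
            print(f"{key}: {value}")
        print()
```

The practical consequence for detection content: an error.log event only becomes `NETWORK_HTTP` when both `principal_ip` and `target_ip` are populated, so rules keyed on `NETWORK_HTTP` will miss client-attributed error lines, which surface as `STATUS_UPDATE`.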
Field mapping reference: /var/log/apache2/access.log
The following table lists the log fields of the /var/log/apache2/access.log log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| principal_ip | principal.ip | |
| principal_user_userid | principal.user.userid | If the `principal_user_userid` log field value doesn't contain one of the following values, then the `principal_user_userid` log field is mapped to the `principal.user.userid` UDM field.
  | 
| timestamp | metadata.event_timestamp | |
| http_method | network.http.method | |
| resource_name | principal.resource.name | |
| protocol | network.application_protocol | |
| result_status | network.http.response_code | |
| object_size | network.sent_bytes | |
| referer_url | network.http.referral_url | If the `referer_url` log field value doesn't contain one of the following values, then the `referer_url` log field is mapped to the `network.http.referral_url` UDM field.
  | 
| user_agent | network.http.user_agent | If the `user_agent` log field value doesn't contain one of the following values, then the `user_agent` log field is mapped to the `network.http.user_agent` UDM field.
  | 
| target_host | target.hostname | |
| target_host | target.asset.hostname | |
| target_port | target.port | |
| host | principal.hostname | |
| | network.ip_protocol | The `network.ip_protocol` UDM field is set to `TCP` when all of the following conditions are met:
 |
| | network.direction | The `network.direction` UDM field is set to `OUTBOUND`. |
| | target.platform | The `target.platform` UDM field is set to `LINUX`. |
| | metadata.event_type | If the `principal.ip` log field value is not empty and the `target.hostname` log field value is not empty, then the `metadata.event_type` UDM field is set to `NETWORK_HTTP`. Else, if the `principal.ip` log field value is not empty, then the `metadata.event_type` UDM field is set to `STATUS_UPDATE`. Else, the `metadata.event_type` UDM field is set to `GENERIC_EVENT`. |
| | metadata.product_name | The `metadata.product_name` UDM field is set to `Unix System`. |
| | target.url | If the `referer_url` log field value doesn't contain one of the following values, then the `%{referer_url}%{resource_name}` log field is mapped to the `target.url` UDM field.
  | 
Field mapping reference: /var/log/nginx/access.log
The following table lists the log fields of the /var/log/nginx/access.log log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| principal_ip | principal.ip | |
| principal_user_userid | principal.user.userid | |
| timestamp | metadata.event_timestamp | |
| http_method | network.http.method | |
| resource_name | principal.resource.name | |
| protocol | network.application_protocol | |
| result_status | network.http.response_code | |
| object_size | network.sent_bytes | |
| referer_url | network.http.referral_url | |
| user_agent | network.http.user_agent | |
| target_host | target.hostname | |
| target_host | target.asset.hostname | |
| target_port | target.port | |
| host | principal.hostname | |
| | network.ip_protocol | The `network.ip_protocol` UDM field is set to `TCP` when all of the following conditions are met:
 |
| | network.direction | The `network.direction` UDM field is set to `OUTBOUND`. |
| | target.platform | The `target.platform` UDM field is set to `LINUX`. |
| | metadata.event_type | If the `principal.ip` log field value is not empty and the `target.hostname` log field value is not empty, then the `metadata.event_type` UDM field is set to `NETWORK_HTTP`. Else, if the `principal.ip` log field value is not empty, then the `metadata.event_type` UDM field is set to `STATUS_UPDATE`. Else, the `metadata.event_type` UDM field is set to `GENERIC_EVENT`. |
| | metadata.product_name | The `metadata.product_name` UDM field is set to `Unix System`. |
| | target.url | If the `referer_url` log field value doesn't contain one of the following values, then the `%{referer_url}%{resource_name}` log field is mapped to the `target.url` UDM field.
  | 
Field mapping reference: /var/log/nginx/error.log
The following table lists the log fields of the /var/log/nginx/error.log log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| thread_id | principal.process.pid | |
| severity | security_result.severity | If the `severity` log field value is equal to `debug`, then the `security_result.severity` UDM field is set to `UNKNOWN_SEVERITY`. Else, if the `severity` log field value is equal to `info`, then the `security_result.severity` UDM field is set to `INFORMATIONAL`. Else, if the `severity` log field value is equal to `notice`, then the `security_result.severity` UDM field is set to `LOW`. Else, if the `severity` log field value is equal to `warn`, then the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `severity` log field value is equal to `error`, then the `security_result.severity` UDM field is set to `ERROR`. Else, if the `severity` log field value is equal to `crit`, then the `security_result.severity` UDM field is set to `CRITICAL`. Else, if the `severity` log field value is equal to `alert`, then the `security_result.severity` UDM field is set to `HIGH`. | 
| year | metadata.event_timestamp | If the `year` log field value is not empty and the `day` log field value is not empty and the `month` log field value is not empty and the `time` log field value is not empty, then the `%{year}/%{day}/%{month} %{time}` log field is mapped to the `metadata.event_timestamp` UDM field. | 
| day | metadata.event_timestamp | If the `year` log field value is not empty and the `day` log field value is not empty and the `month` log field value is not empty and the `time` log field value is not empty, then the `%{year}/%{day}/%{month} %{time}` log field is mapped to the `metadata.event_timestamp` UDM field. | 
| month | metadata.event_timestamp | If the `year` log field value is not empty and the `day` log field value is not empty and the `month` log field value is not empty and the `time` log field value is not empty, then the `%{year}/%{day}/%{month} %{time}` log field is mapped to the `metadata.event_timestamp` UDM field. | 
| time | metadata.event_timestamp | If the `year` log field value is not empty and the `day` log field value is not empty and the `month` log field value is not empty and the `time` log field value is not empty, then the `%{year}/%{day}/%{month} %{time}` log field is mapped to the `metadata.event_timestamp` UDM field. | 
| target_file_full_path | target.file.full_path | |
| principal_ip | principal.ip | |
| target_hostname | target.hostname | |
| http_method | network.http.method | |
| resource_name | principal.resource.name | |
| target_ip | target.ip | |
| target_port | target.port | |
| security_description | security_result.description | |
| pid | principal.process.parent_process.pid | |
| | network.ip_protocol | The `network.ip_protocol` UDM field is set to `TCP`. |
| | network.direction | The `network.direction` UDM field is set to `OUTBOUND`. |
| | target.platform | The `target.platform` UDM field is set to `LINUX`. |
| | network.application_protocol | The `network.application_protocol` UDM field is set to `HTTP`. |
| | metadata.event_type | The `metadata.event_type` UDM field is set to `NETWORK_HTTP`. |
| | metadata.product_name | The `metadata.product_name` UDM field is set to `Unix System`. |
Field mapping reference: /var/log/kern.log
The following table lists the log fields of the /var/log/kern.log log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| timestamp | metadata.event_timestamp | |
| principal_hostname | principal.hostname | |
| principal_hostname | principal.asset.hostname | |
| metadata_product_event_type | metadata.product_event_type | |
| target_ip_addr | target.ip | |
| principal_ip | principal.ip | |
| target_user_userid | target.user.userid | |
| metadata_description | metadata.description | |
| file_path | principal.process.file.full_path | |
| pid | principal.process.pid | |
| principal_asset_hardware_cpu_model | principal.asset.hardware.cpu_model | |
| | principal.platform | The `principal.platform` UDM field is set to `LINUX`. |
| | metadata.event_type | If the `target.ip` log field value is not empty, then the `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`. Else, the `metadata.event_type` UDM field is set to `GENERIC_EVENT`. |
| | network.application_protocol | If the `target.ip` log field value is not empty, then the `network.application_protocol` UDM field is set to `HTTP`. |
| | metadata.product_name | The `metadata.product_name` UDM field is set to `Unix System`. |
| principal_port | principal.port | |
| target_port | target.port | 
Field mapping reference: /var/log/rundeck/service.log
The following table lists the log fields of the /var/log/rundeck/service.log log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| timestamp | metadata.event_timestamp | |
| severity | security_result.severity | |
| security_description | security_result.description | |
| | target.platform | The `target.platform` UDM field is set to `LINUX`. |
| | metadata.event_type | The `metadata.event_type` UDM field is set to `GENERIC_EVENT`. |
| summary | security_result.summary | |
| | metadata.product_name | The `metadata.product_name` UDM field is set to `Unix System`. |
Field mapping reference: /var/log/openvpnas.log
The following table lists the log fields of the /var/log/openvpnas.log log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| timestamp | metadata.event_timestamp | |
| severity | security_result.severity | If the `severity` log field value matches the regular expression pattern `info`, then the `security_result.severity` UDM field is set to `INFORMATIONAL`. Else, if the `severity` log field value matches the regular expression pattern `err`, then the `security_result.severity` UDM field is set to `ERROR`. Else, if the `severity` log field value matches the regular expression pattern `warn`, then the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `severity` log field value is not empty, then the `security_result.severity` UDM field is set to `UNKNOWN_SEVERITY`. | 
| target_ip_addr | target.ip | |
| target_hostname1 | target.hostname | |
| target_hostname1 | target.asset.hostname | |
| target_port | target.port | |
| common_name | target.user.user_display_name | |
| ip | principal.ip | |
| local_ip | principal.ip | |
| summary | security_result.summary | |
| command_line | target.process.command_line | |
| status | principal.user.user_authentication_status | If the `status` log field value is equal to `0`, then the `principal.user.user_authentication_status` UDM field is set to `UNKNOWN_AUTHENTICATION_STATUS`. Else, if the `status` log field value is equal to `1`, then the `principal.user.user_authentication_status` UDM field is set to `ACTIVE`. Else, if the `status` log field value is equal to `2`, then the `principal.user.user_authentication_status` UDM field is set to `SUSPENDED`. Else, if the `status` log field value is equal to `3`, then the `principal.user.user_authentication_status` UDM field is set to `NO_ACTIVE_CREDENTIALS`. Else, if the `status` log field value is equal to `4`, then the `principal.user.user_authentication_status` UDM field is set to `DELETED`. | 
| | principal.platform | The `principal.platform` UDM field is set to `LINUX`. |
| | metadata.event_type | The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED` when the following conditions are met:
 If the `target_ip_addr` log field value is not empty or the `target_hostname1` log field value is not empty and the `local_ip` log field value is not empty, then the `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`. Else, the `metadata.event_type` UDM field is set to `GENERIC_EVENT`. |
| | network.application_protocol | The `network.application_protocol` UDM field is set to `HTTP`. |
| | network.ip_protocol | The `network.ip_protocol` UDM field is set to `TCP`. |
| | network.direction | The `network.direction` UDM field is set to `OUTBOUND`. |
| | metadata.product_name | The `metadata.product_name` UDM field is set to `Unix System`. |
| msg | metadata.description | |
| metadata_description | metadata.description | |
| intermediary_ip | intermediary.ip | |
| reason | security_result.description | 
Field mapping reference: /var/log/mail.log
The following table lists the log fields of the /var/log/mail.log log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| timestamp | metadata.event_timestamp | |
| relay | target.ip | |
| target_ip_addr | target.ip | |
| target_hostname1 | target.hostname | If the `target_ip` log field value is empty, then the `target_hostname1` log field is mapped to the `target.hostname` UDM field. | 
| application | target.application | |
| pid | target.process.pid | |
| resource_name | target.resource.name | |
| size | network.received_bytes | |
| | metadata.event_type | The `metadata.event_type` UDM field is set to one of the following values:
 |
| | target.platform | The `target.platform` UDM field is set to `LINUX`. |
| | metadata.product_name | The `metadata.product_name` UDM field is set to `Unix System`. |
| target_hostname1 | target.asset.hostname | If the `target_ip` log field value is empty, then the `target_hostname1` log field is mapped to the `target.asset.hostname` UDM field. | 
| from | network.email.from | If the `from` log field value matches the regular expression pattern `@`, then the `from` log field is mapped to the `network.email.from` UDM field. | 
| to | network.email.to | If the `to` log field value matches the regular expression pattern `@`, then the `to` log field is mapped to the `network.email.to` UDM field. | 
| status | metadata.description | |
| security_description1 | security_result.description | 
Field mapping reference: /var/log/auth.log
The following table lists the log fields of the /var/log/auth.log log type and their corresponding UDM fields.
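The routing rules in the auth.log table that follows, worked as an added Python example that is not the NIX_SYSTEM parser's code: `pid`, `dvc` and the user fields land on `principal` or `target` depending on whether the line is a sudo record (the page's pattern `sudo(.*)TTY=(.*)COMMAND=(.*)`) or a CRON line, `proto` `ssh`/`ssh2` sets `network.application_protocol` to `SSH`, and the `sev` value selects `metadata.product_log_id` and `security_result.severity_details`. Assumptions: the `message` log field is taken to be everything after the hostname (so the sudo pattern can see the program name), `sev` is an optional syslog PRI prefix `<N>`, the regexes that pull `srcUser`, `pwd`, `command`, `username`, `srcIp`, `srcPort` and `proto` out of the text are mine (the page names the fields without showing how they are extracted), and `sev` 47, where the page's table is cut off, is completed by the same eight-per-facility pattern.

```python
"""Route /var/log/auth.log fields to UDM following the auth.log table's rules:
pid, hostname and user fields land on principal or target depending on whether
the line is a sudo record, and the syslog `sev` value selects
metadata.product_log_id and security_result.severity_details.

Added example, not the NIX_SYSTEM parser's code. Assumed here: the `message`
log field is everything after the hostname (so the page's regex can see the
program name), `sev` is an optional syslog PRI prefix `<N>`, and the regexes
that extract srcUser/pwd/command and username/srcIp/srcPort/proto are mine;
the page names those fields without showing how they are extracted. `sev` 47
is completed by the same eight-per-facility pattern (the page cuts off there).
"""
import re

SYSLOG_RE = re.compile(
    r"^(?:<(?P<sev>\d{1,3})>)?"
    r"(?P<_timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<dvc>\S+) (?P<message>.*)$"
)
PROC_RE = re.compile(r"^(?P<process>[^\[:]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<text>.*)$")
SUDO_RE = re.compile(r"sudo(.*)TTY=(.*)COMMAND=(.*)")  # the pattern the page quotes
SUDO_FIELDS_RE = re.compile(
    r"^(?P<srcUser>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<user>\S+) ; COMMAND=(?P<command>.*)$"
)
SSH_RE = re.compile(
    r"for (?:invalid user )?(?P<username>\S+) from (?P<srcIp>\S+) port (?P<srcPort>\d+) (?P<proto>ssh2?)"
)

# sev -> (facility name, severity_details): page values 0..46, eight per facility
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog"]
SEVERITY_DETAILS = ["emergency", "alert", "critical", "error",
                    "warning", "notice", "informational", "debug"]

# Constructed sample lines (hosts, users and addresses are made up).
SAMPLE_LINES = [
    "<37>Mar  5 10:15:32 web01 sudo[2345]:    alice : TTY=pts/0 ; PWD=/home/alice ; "
    "USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "<38>Mar  5 10:16:01 web01 sshd[2399]: Accepted publickey for bob from 10.0.0.7 port 51022 ssh2",
    "Mar  5 10:17:00 web01 CRON[2401]: pam_unix(cron:session): session opened for user root by (uid=0)",
]


def decode_sev(sev):
    """Facility name and severity_details for a sev value, or None outside the table."""
    if not 0 <= sev < 8 * len(FACILITIES):
        return None
    return FACILITIES[sev // 8], SEVERITY_DETAILS[sev % 8]


def normalize_auth_line(line):
    """Return the UDM fields (dotted keys) for one auth.log line."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised auth.log line: {line!r}")
    f = m.groupdict()
    udm = {
        "metadata.event_timestamp": f["_timestamp"],
        "intermediary.hostname": f["dvc"],
        "target.platform": "LINUX",
        "metadata.product_name": "Unix System",
    }
    p = PROC_RE.match(f["message"])
    process, pid, text = (p["process"], p["pid"], p["text"]) if p else ("", None, f["message"])
    if process:
        udm["target.application"] = process
    # dvc: CRON lines make the host the principal, everything else the target
    udm["principal.hostname" if re.search("CRON", process) else "target.hostname"] = f["dvc"]
    is_sudo = SUDO_RE.search(f["message"]) is not None
    if pid:
        udm["principal.process.pid" if is_sudo else "target.process.pid"] = pid
    if is_sudo:
        s = SUDO_FIELDS_RE.match(text)
        if s:
            udm["principal.user.userid"] = s["srcUser"]
            udm["target.process.command_line"] = s["command"]
            udm["target.file.full_path"] = s["pwd"]
            udm["additional.fields[tty]"] = s["tty"]
            udm["additional.fields[user]"] = s["user"]
    else:
        s = SSH_RE.search(text)
        if s:
            udm["target.user.userid"] = s["username"]
            udm["principal.ip"] = s["srcIp"]
            udm["principal.port"] = int(s["srcPort"])
            if s["proto"] in ("ssh", "ssh2"):
                udm["network.application_protocol"] = "SSH"
    if f["sev"] is not None:
        decoded = decode_sev(int(f["sev"]))
        if decoded:
            udm["metadata.product_log_id"], udm["security_result.severity_details"] = decoded
    return udm


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(normalize_auth_line(sample))
```

The point to carry into detection rules: for sudo records the invoking user and pid are on `principal` while the command and working directory are on `target`, whereas for sshd records the authenticated user is on `target.user` and the client address on `principal.ip`; a rule that reads `principal.user.userid` for both will miss the SSH case.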
| Log field | UDM mapping | Logic | 
|---|---|---|
| _timestamp | metadata.event_timestamp | |
| dvc | target.hostname | If the `process` log field value does not match the regular expression pattern `CRON`, then the `dvc` log field is mapped to the `target.hostname` UDM field. | 
| dvc | principal.hostname | If the `process` log field value matches the regular expression pattern `CRON`, then the `dvc` log field is mapped to the `principal.hostname` UDM field. Else, if the `eventType` log field value matches the regular expression pattern `(su|sudo):.*authentication failure`, then the `dvc` log field is mapped to the `principal.hostname` UDM field. | 
| dvc | intermediary.hostname | |
| process | target.application | |
| pid | target.process.pid | If the `message` log field value does not match the regular expression pattern `sudo(.*)TTY=(.*)COMMAND=(.*)`, then the `pid` log field is mapped to the `target.process.pid` UDM field. | 
| pid | principal.process.pid | If the `message` log field value matches the regular expression pattern `sudo(.*)TTY=(.*)COMMAND=(.*)`, then the `pid` log field is mapped to the `principal.process.pid` UDM field. | 
| srcUser | principal.user.userid | If the `message` log field value matches the regular expression pattern `sudo(.*)TTY=(.*)COMMAND=(.*)`, then the `srcUser` log field is mapped to the `principal.user.userid` UDM field. | 
| username | target.user.userid | |
| src_user | target.user.userid | |
| srcIp | principal.ip | |
| srcPort | principal.port | |
| command_line, command_line_2 | principal.process.command_line | If the `command_line` log field value is not empty and the `command_line_2` log field value is not empty, then the `%{command_line}%{command_line_2}` log field is mapped to the `principal.process.command_line` UDM field. | 
| sessionId | network.session_id | |
| action | security_result.description | If the `action` log field value does not match the regular expression pattern `authentication failure`, then the `action` log field is mapped to the `security_result.description` UDM field. | 
| reason | security_result.description | If the `reason` log field value is not empty, then the `reason` log field is mapped to the `security_result.description` UDM field. | 
| description | security_result.description | If the `description` log field value is not empty, then the `description` log field is mapped to the `security_result.description` UDM field. | 
| action | security_result.summary | If the `action` log field value matches the regular expression pattern `authentication failure`, then the `action` log field is mapped to the `security_result.summary` UDM field. | 
| | network.application_protocol | If the `proto` log field value is equal to `ssh` or the `proto` log field value is equal to `ssh2`, then the `network.application_protocol` UDM field is set to `SSH`. |
| | extensions.auth.type | The `extensions.auth.type` UDM field is set to `AUTHTYPE_UNSPECIFIED`. |
| | extensions.auth.mechanism | The `extensions.auth.mechanism` UDM field is set to `USERNAME_PASSWORD`. |
| | metadata.event_type | The `metadata.event_type` UDM field is set to one of the following values:
 |
| | target.platform | The `target.platform` UDM field is set to `LINUX`. |
| | security_result.action | The `security_result.action` UDM field is set to `BLOCK`. |
| command | target.process.command_line | If the `message` log field value matches the regular expression pattern `sudo(.*)TTY=(.*)COMMAND=(.*)`, then the `command` log field is mapped to the `target.process.command_line` UDM field. | 
| pwd | target.file.full_path | If the `message` log field value matches the regular expression pattern `sudo(.*)TTY=(.*)COMMAND=(.*)`, then the `pwd` log field is mapped to the `target.file.full_path` UDM field. | 
| rhost | additional.fields[rhost] | |
| msg1 | additional.fields[additional_msg] | |
| euid | additional.fields[euid] | |
| logname | additional.fields[logname] | |
| ruser | additional.fields[ruser] | |
| tty | additional.fields[tty] | |
| uid | additional.fields[uid] | |
| user | additional.fields[user] | |
| | metadata.product_name | The `metadata.product_name` UDM field is set to `Unix System`. |
| eventType | metadata.product_event_type | |
| eventType | target.application | |
| reason | metadata.description | |
| | metadata.product_log_id | The `sev` log field value selects both the `metadata.product_log_id` and the `security_result.severity_details` UDM fields. If the `sev` log field value is between `0` and `7`, the `metadata.product_log_id` UDM field is set to `kern`; between `8` and `15`, to `user`; between `16` and `23`, to `mail`; between `24` and `31`, to `daemon`; between `32` and `39`, to `auth`; between `40` and `46`, to `syslog`. Within each of these ranges, the `security_result.severity_details` UDM field is set by the position of the value in the range: the first value of the range (`0`, `8`, `16`, `24`, `32`, `40`) to `emergency`, the second to `alert`, the third to `critical`, the fourth to `error`, the fifth to `warning`, the sixth to `notice`, the seventh to `informational`, and the eighth (`7`, `15`, `23`, `31`, `39`) to `debug`. Else, if the `sev` log field value is equal to `47`, then
themetadata.product_log_idUDM field is set tosyslogand thesecurity_result.severity_detailsUDM field is set todebug.Else, if the sevlog field value is equal to48, then themetadata.product_log_idUDM field is set tolprand thesecurity_result.severity_detailsUDM field is set toemergency.Else, if the sevlog field value is equal to49, then themetadata.product_log_idUDM field is set tolprand thesecurity_result.severity_detailsUDM field is set toalert.Else, if the sevlog field value is equal to50, then themetadata.product_log_idUDM field is set tolprand thesecurity_result.severity_detailsUDM field is set tocritical.Else, if the sevlog field value is equal to51, then themetadata.product_log_idUDM field is set tolprand thesecurity_result.severity_detailsUDM field is set toerror.Else, if the sevlog field value is equal to52, then themetadata.product_log_idUDM field is set tolprand thesecurity_result.severity_detailsUDM field is set towarning.Else, if the sevlog field value is equal to53, then themetadata.product_log_idUDM field is set tolprand thesecurity_result.severity_detailsUDM field is set tonotice.Else, if the sevlog field value is equal to54, then themetadata.product_log_idUDM field is set tolprand thesecurity_result.severity_detailsUDM field is set toinformational.Else, if the sevlog field value is equal to55, then themetadata.product_log_idUDM field is set tolprand thesecurity_result.severity_detailsUDM field is set todebug.Else, if the sevlog field value is equal to56, then themetadata.product_log_idUDM field is set tonewsand thesecurity_result.severity_detailsUDM field is set toemergency.Else, if the sevlog field value is equal to57, then themetadata.product_log_idUDM field is set tonewsand thesecurity_result.severity_detailsUDM field is set toalert.Else, if the sevlog field value is equal to58, then themetadata.product_log_idUDM field is set tonewsand thesecurity_result.severity_detailsUDM field is set tocritical.Else, if the sevlog field value is equal to59, then 
themetadata.product_log_idUDM field is set tonewsand thesecurity_result.severity_detailsUDM field is set toerror.Else, if the sevlog field value is equal to60, then themetadata.product_log_idUDM field is set tonewsand thesecurity_result.severity_detailsUDM field is set towarning.Else, if the sevlog field value is equal to61, then themetadata.product_log_idUDM field is set tonewsand thesecurity_result.severity_detailsUDM field is set tonotice.Else, if the sevlog field value is equal to62, then themetadata.product_log_idUDM field is set tonewsand thesecurity_result.severity_detailsUDM field is set toinformational.Else, if the sevlog field value is equal to63, then themetadata.product_log_idUDM field is set tonewsand thesecurity_result.severity_detailsUDM field is set todebug.Else, if the sevlog field value is equal to64, then themetadata.product_log_idUDM field is set touucpand thesecurity_result.severity_detailsUDM field is set toemergency.Else, if the sevlog field value is equal to65, then themetadata.product_log_idUDM field is set touucpand thesecurity_result.severity_detailsUDM field is set toalert.Else, if the sevlog field value is equal to66, then themetadata.product_log_idUDM field is set touucpand thesecurity_result.severity_detailsUDM field is set tocritical.Else, if the sevlog field value is equal to67, then themetadata.product_log_idUDM field is set touucpand thesecurity_result.severity_detailsUDM field is set toerror.Else, if the sevlog field value is equal to68, then themetadata.product_log_idUDM field is set touucpand thesecurity_result.severity_detailsUDM field is set towarning.Else, if the sevlog field value is equal to69, then themetadata.product_log_idUDM field is set touucpand thesecurity_result.severity_detailsUDM field is set tonotice.Else, if the sevlog field value is equal to70, then themetadata.product_log_idUDM field is set touucpand thesecurity_result.severity_detailsUDM field is set toinformational.Else, if the sevlog field value is equal 
to71, then themetadata.product_log_idUDM field is set touucpand thesecurity_result.severity_detailsUDM field is set todebug.Else, if the sevlog field value is equal to72, then themetadata.product_log_idUDM field is set tocronand thesecurity_result.severity_detailsUDM field is set toemergency.Else, if the sevlog field value is equal to73, then themetadata.product_log_idUDM field is set tocronand thesecurity_result.severity_detailsUDM field is set toalert.Else, if the sevlog field value is equal to74, then themetadata.product_log_idUDM field is set tocronand thesecurity_result.severity_detailsUDM field is set tocritical.Else, if the sevlog field value is equal to75, then themetadata.product_log_idUDM field is set tocronand thesecurity_result.severity_detailsUDM field is set toerror.Else, if the sevlog field value is equal to76, then themetadata.product_log_idUDM field is set tocronand thesecurity_result.severity_detailsUDM field is set towarning.Else, if the sevlog field value is equal to77, then themetadata.product_log_idUDM field is set tocronand thesecurity_result.severity_detailsUDM field is set tonotice.Else, if the sevlog field value is equal to78, then themetadata.product_log_idUDM field is set tocronand thesecurity_result.severity_detailsUDM field is set toinformational.Else, if the sevlog field value is equal to79, then themetadata.product_log_idUDM field is set tocronand thesecurity_result.severity_detailsUDM field is set todebug.Else, if the sevlog field value is equal to80, then themetadata.product_log_idUDM field is set toauthprivand thesecurity_result.severity_detailsUDM field is set toemergency.Else, if the sevlog field value is equal to81, then themetadata.product_log_idUDM field is set toauthprivand thesecurity_result.severity_detailsUDM field is set toalert.Else, if the sevlog field value is equal to82, then themetadata.product_log_idUDM field is set toauthprivand thesecurity_result.severity_detailsUDM field is set tocritical.Else, if the sevlog 
field value is equal to83, then themetadata.product_log_idUDM field is set toauthprivand thesecurity_result.severity_detailsUDM field is set toerror.Else, if the sevlog field value is equal to84, then themetadata.product_log_idUDM field is set toauthprivand thesecurity_result.severity_detailsUDM field is set towarning.Else, if the sevlog field value is equal to85, then themetadata.product_log_idUDM field is set toauthprivand thesecurity_result.severity_detailsUDM field is set tonotice.Else, if the sevlog field value is equal to86, then themetadata.product_log_idUDM field is set toauthprivand thesecurity_result.severity_detailsUDM field is set toinformational.Else, if the sevlog field value is equal to87, then themetadata.product_log_idUDM field is set toauthprivand thesecurity_result.severity_detailsUDM field is set todebug.Else, if the sevlog field value is equal to88, then themetadata.product_log_idUDM field is set toftpand thesecurity_result.severity_detailsUDM field is set toemergency.Else, if the sevlog field value is equal to89, then themetadata.product_log_idUDM field is set toftpand thesecurity_result.severity_detailsUDM field is set toalert.Else, if the sevlog field value is equal to90, then themetadata.product_log_idUDM field is set toftpand thesecurity_result.severity_detailsUDM field is set tocritical.Else, if the sevlog field value is equal to91, then themetadata.product_log_idUDM field is set toftpand thesecurity_result.severity_detailsUDM field is set toerror.Else, if the sevlog field value is equal to92, then themetadata.product_log_idUDM field is set toftpand thesecurity_result.severity_detailsUDM field is set towarning.Else, if the sevlog field value is equal to93, then themetadata.product_log_idUDM field is set toftpand thesecurity_result.severity_detailsUDM field is set tonotice.Else, if the sevlog field value is equal to94, then themetadata.product_log_idUDM field is set toftpand thesecurity_result.severity_detailsUDM field is set 
toinformational.Else, if the sevlog field value is equal to95, then themetadata.product_log_idUDM field is set toftpand thesecurity_result.severity_detailsUDM field is set todebug.Else, if the sevlog field value is equal to96, then themetadata.product_log_idUDM field is set tontpand thesecurity_result.severity_detailsUDM field is set toemergency.Else, if the sevlog field value is equal to97, then themetadata.product_log_idUDM field is set tontpand thesecurity_result.severity_detailsUDM field is set toalert.Else, if the sevlog field value is equal to98, then themetadata.product_log_idUDM field is set tontpand thesecurity_result.severity_detailsUDM field is set tocritical.Else, if the sevlog field value is equal to99, then themetadata.product_log_idUDM field is set tontpand thesecurity_result.severity_detailsUDM field is set toerror.Else, if the sevlog field value is equal to100, then themetadata.product_log_idUDM field is set tontpand thesecurity_result.severity_detailsUDM field is set towarning.Else, if the sevlog field value is equal to101, then themetadata.product_log_idUDM field is set tontpand thesecurity_result.severity_detailsUDM field is set tonotice.Else, if the sevlog field value is equal to102, then themetadata.product_log_idUDM field is set tontpand thesecurity_result.severity_detailsUDM field is set toinformational.Else, if the sevlog field value is equal to103, then themetadata.product_log_idUDM field is set tontpand thesecurity_result.severity_detailsUDM field is set todebug.Else, if the sevlog field value is equal to104, then themetadata.product_log_idUDM field is set toauditand thesecurity_result.severity_detailsUDM field is set toemergency.Else, if the sevlog field value is equal to105, then themetadata.product_log_idUDM field is set toauditand thesecurity_result.severity_detailsUDM field is set toalert.Else, if the sevlog field value is equal to106, then themetadata.product_log_idUDM field is set toauditand thesecurity_result.severity_detailsUDM 
field is set tocritical.Else, if the sevlog field value is equal to107, then themetadata.product_log_idUDM field is set toauditand thesecurity_result.severity_detailsUDM field is set toerror.Else, if the sevlog field value is equal to108, then themetadata.product_log_idUDM field is set toauditand thesecurity_result.severity_detailsUDM field is set towarning.Else, if the sevlog field value is equal to109, then themetadata.product_log_idUDM field is set toauditand thesecurity_result.severity_detailsUDM field is set tonotice.Else, if the sevlog field value is equal to110, then themetadata.product_log_idUDM field is set toauditand thesecurity_result.severity_detailsUDM field is set toinformational.Else, if the sevlog field value is equal to111, then themetadata.product_log_idUDM field is set toauditand thesecurity_result.severity_detailsUDM field is set todebug.Else, if the sevlog field value is equal to112, then themetadata.product_log_idUDM field is set toalertand thesecurity_result.severity_detailsUDM field is set toemergency.Else, if the sevlog field value is equal to113, then themetadata.product_log_idUDM field is set toalertand thesecurity_result.severity_detailsUDM field is set toalert.Else, if the sevlog field value is equal to114, then themetadata.product_log_idUDM field is set toalertand thesecurity_result.severity_detailsUDM field is set tocritical.Else, if the sevlog field value is equal to115, then themetadata.product_log_idUDM field is set toalertand thesecurity_result.severity_detailsUDM field is set toerror.Else, if the sevlog field value is equal to116, then themetadata.product_log_idUDM field is set toalertand thesecurity_result.severity_detailsUDM field is set towarning.Else, if the sevlog field value is equal to117, then themetadata.product_log_idUDM field is set toalertand thesecurity_result.severity_detailsUDM field is set tonotice.Else, if the sevlog field value is equal to118, then themetadata.product_log_idUDM field is set toalertand 
thesecurity_result.severity_detailsUDM field is set toinformational.Else, if the sevlog field value is equal to119, then themetadata.product_log_idUDM field is set toalertand thesecurity_result.severity_detailsUDM field is set todebug.Else, if the sevlog field value is equal to120, then themetadata.product_log_idUDM field is set toclockand thesecurity_result.severity_detailsUDM field is set toemergency.Else, if the sevlog field value is equal to121, then themetadata.product_log_idUDM field is set toclockand thesecurity_result.severity_detailsUDM field is set toalert.Else, if the sevlog field value is equal to122, then themetadata.product_log_idUDM field is set toclockand thesecurity_result.severity_detailsUDM field is set tocritical.Else, if the sevlog field value is equal to123, then themetadata.product_log_idUDM field is set toclockand thesecurity_result.severity_detailsUDM field is set toerror.Else, if the sevlog field value is equal to | |
| sevs | security_result.severity_details | |
| security_result.severity | If the security_result.severity_detailslog field value contains one of the following values, then thesecurity_result.severityUDM field is set toHIGH.
 Else, if the security_result.severity_detailslog field value is equal tocritical, then thesecurity_result.severityUDM field is set toCRITICAL.Else, if the security_result.severity_detailslog field value is equal tonotice, then thesecurity_result.severityUDM field is set toMEDIUM.Else, if the security_result.severity_detailslog field value contains one of the following values, then thesecurity_result.severityUDM field is set toLOW.
  | 
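The `sevlog` decoding described in the table above, as an added, stand-alone example that is not part of this page or of the Google SecOps parser. It assumes that `sevlog` is the numeric `<PRI>` prefix of a raw syslog line (the page does not say how the parser extracts it), uses constructed sample lines, and applies only the two `security_result.severity` rules whose values the page shows (`critical` and `notice`); the `HIGH` and `LOW` value lists are not reproduced on the page, so other values return `None`.

```python
"""Decode a syslog PRI ("sevlog") value into the UDM fields the NIX_SYSTEM
field mapping describes. Added illustration, not the Google SecOps parser.
"""
import re
from typing import Dict, Optional, Tuple

# Facility codes 0-15 as listed in the field mapping (sevlog // 8).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
]

# Severity codes 0-7 as listed in the field mapping (sevlog % 8).
SEVERITIES = [
    "emergency", "alert", "critical", "error", "warning", "notice",
    "informational", "debug",
]

# Assumption: sevlog is the leading "<PRI>" of a syslog line (1-3 digits).
PRI_RE = re.compile(r"^<(\d{1,3})>")


def is_documented(sevlog: int) -> bool:
    """True when the facility code falls inside the listed 0-15 range."""
    return 0 <= sevlog // 8 < len(FACILITIES)


def decode_sevlog(sevlog: int) -> Tuple[str, str]:
    """Return (metadata.product_log_id, security_result.severity_details)."""
    if not is_documented(sevlog):
        raise ValueError(f"sevlog {sevlog}: facility code not in documented mapping")
    facility, severity = divmod(sevlog, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def severity_bucket(details: str) -> Optional[str]:
    """Apply the two security_result.severity rules the page shows.

    The HIGH and LOW value lists are not reproduced on the page, so any
    value other than 'critical' or 'notice' yields None here.
    """
    if details == "critical":
        return "CRITICAL"
    if details == "notice":
        return "MEDIUM"
    return None


def parse_pri_line(line: str) -> Dict[str, object]:
    """Extract the PRI from a raw syslog line and build the UDM-style fields."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line has no <PRI> prefix")
    sevlog = int(m.group(1))
    product_log_id, details = decode_sevlog(sevlog)
    return {
        "sevlog": sevlog,
        "metadata.product_log_id": product_log_id,
        "security_result.severity_details": details,
        "security_result.severity": severity_bucket(details),
        "message": line[m.end():].lstrip(),
    }


# Constructed sample lines for the example (not from any real host).
SAMPLE_LINES = [
    "<34>Jan 12 10:15:02 host1 sshd[1204]: Failed password for invalid user admin",
    "<13>Jan 12 10:15:03 host1 notify[88]: user-level notice",
    "<123>Jan 12 10:15:04 host1 timed[9]: clock facility error",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(parse_pri_line(raw))
```

The third sample line decodes to the last value the page lists (`clock`, `error`); a PRI of 128 or above has a facility code outside the documented table, so `decode_sevlog` rejects it rather than guessing a name.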
Field mapping reference: /var/log/samba/log.winbindd
The following table lists the log fields of the /var/log/samba/log.winbindd log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| timestamp | metadata.event_timestamp | |
| pid | principal.process.pid | |
| effective_user | principal.user.attribute.labels | |
| effective_group | principal.group.attribute.labels | |
| principal_user_userid | principal.user.userid | |
| effective_group_id | principal.group.product_object_id | |
| metadata_description | metadata.description | |
| security_description | security_result.description | |
| target.platform | The `target.platform` UDM field is set to `LINUX`. | |
| metadata.event_type | The `metadata.event_type` UDM field is set to `GENERIC_EVENT`. | |
| metadata.product_name | The `metadata.product_name` UDM field is set to `Unix System`. | |
Field mapping reference: /var/log/rkhunter.log
The following table lists the log fields of the /var/log/rkhunter.log log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| time | metadata.event_timestamp | |
| security_description | security_result.description | |
| metadata_description | metadata.description | |
| file_path | target.file.full_path | |
| target.platform | The `target.platform` UDM field is set to `LINUX`. | |
| metadata.event_type | The `metadata.event_type` UDM field is set to `GENERIC_EVENT`. | |
| security_result.severity | | |
| metadata.product_name | The `metadata.product_name` UDM field is set to `Unix System`. | |
Field mapping reference: /var/log/syslog
The following table lists the log fields of the /var/log/syslog log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic | 
|---|---|---|
| timestamp | metadata.event_timestamp | |
| hostname | principal.hostname | |
| pid | principal.process.pid | |
| user_id | principal.user.userid | |
| http_method | network.http.method | |
| response_code | network.http.response_code | |
| resource_name | target.url | |
| target_ip_addr | target.ip | |
| target_hostname1 | target.hostname | |
| target_hostname1 | target.asset.hostname | |
| received_bytes | network.received_bytes | |
| command_line | principal.process.command_line | |
| severity | security_result.severity | If the `severity` log field value is equal to `INFO`, then the `security_result.severity` UDM field is set to `INFORMATIONAL`. Else, if the `severity` log field value is equal to `ERROR`, then the `security_result.severity` UDM field is set to `ERROR`. | 
| security_description1 | security_result.description | If the `security_description1` log field value is not empty or the `reason` log field value is not empty, then the `%{security_description1} %{reason}` log field is mapped to the `security_result.description` UDM field. | 
| reason | security_result.description | If the `security_description1` log field value is not empty or the `reason` log field value is not empty, then the `%{security_description1} %{reason}` log field is mapped to the `security_result.description` UDM field. | 
| msg | metadata.description | |
| principal.platform | The `principal.platform` UDM field is set to `LINUX`. | |
| metadata.event_type | The `metadata.event_type` UDM field is set to `GENERIC_EVENT`. | |
| metadata.product_name | The `metadata.product_name` UDM field is set to `Unix System`. | |