When parsing logs in Logsign USO, following best practices is crucial for meaningful log analysis and correlation. This guide provides a detailed explanation of the most commonly used fields and how to properly parse them.
Fields Related to the Event Source
“Fields starting with ‘EventSource’ contain information about the log source. These fields may vary depending on the source.”
Category → The general category of the log (e.g., Security, Network, Application).
Collector → The intermediary or system component collecting logs.
Description → A short description of the event or log entry.
Directory → The directory/path where the event or object is stored.
EventSourceID → The identifier the log source assigns to the event (e.g., the Windows Event ID, such as 4624 for a successful logon). It identifies the event type within that source, not the source itself.
FileName → The name of the file involved in the event.
Host → The name or identifier of the system that generated the log.
HostName → The fully qualified domain name (FQDN) or NetBIOS name of the system.
ID → A unique identifier assigned to the log event.
IP → The IP address related to the log source.
Name → A general naming reference related to the log entry.
PrefixID → A specific prefix identifier used within the log.
Product → The product or service associated with the log.
Serial → The serial number of the device or system.
SourceName → The name of the source system or software component.
Tag → A label or category assigned to the log for better organization.
Type → The type of event (e.g., Successful Login, Error, Alarm, Allowed Traffic).
Vendor → The manufacturer or provider of the system generating the log.
Version → The version of the software or system related to the log entry.
Fields Related to Source, Destination, Event, Process, and Object
“These fields may vary based on the source and typically contain user, system, network, or security-related data.”
User, Identity, and Security Fields
ADGroup → The Active Directory group name.
Domain → The domain to which the user or system belongs.
UserName → The name of the user involved in the event.
UserID → A unique identifier for the user in the system.
UserType → The type of user (e.g., Admin, Regular User, Service Account).
DisplayName → The display name of the user.
Mail → The user’s email address.
Company → The company where the user works.
FirstName → The user’s first name.
LastName → The user’s last name.
Phone → The user’s phone number.
FailureUserName → The username associated with a failed login attempt.
LogonMethod → The authentication method used by the user (e.g., Kerberos, NTLM, Password).
SecurityID → The security identifier (SID) of the user.
Network and IP Address Fields
City → The city associated with the log event.
Country → The country associated with the log event.
IP → The IP address related to the event.
IPV6 → The IPv6 address related to the event.
MAC → The MAC address of the device.
NatIP → The translated IP address if NAT is applied.
NatPort → The translated port number if NAT is applied.
NatInterface → The network interface where NAT is applied.
NatRuleName → The name of the NAT rule applied.
OriginalIP → The original IP address before translation (e.g., before NAT or proxy forwarding).
XForwardedIP → The original client IP address forwarded through a proxy or load balancer.
RemoteIP → The IP address of the remote client.
RemotePort → The port number used by the remote client.
Zone → The security zone where the event occurred (e.g., DMZ, Internet, Internal Network).
Network Interfaces and Protocols
Interface → The network interface involved in the event.
InterfaceName → The name of the network interface used.
Port → The port number associated with the connection or event.
PortName → The name of the specific port.
Protocol → The communication protocol used (e.g., TCP, UDP, ICMP).
Security and Authentication Fields
Request → The request details (e.g., HTTP request, API request).
Response → The response details (e.g., HTTP response, API response).
UserAgent → Information about the user’s system or browser.
UserAgentVersion → The version of the User-Agent.
HostKey → The host key presented by the server in SSH or similar connections. It identifies the server, not the user; a changed host key for a known server is worth alerting on.
RemoteUser → The username associated with a remote login.
Gateway → The gateway through which the event passed (e.g., VPN, Firewall).
Process and Malware Fields
ProcessID → The unique identifier of the process involved in the event.
ThreadID → The identifier of the thread involved in the event.
Command → The command or process executed.
MalwareSignature → The malware signature detected.
Object and File Handling Fields
ObjectName → The name of the object involved in the event (e.g., File, Registry, Service).
DomainName → The associated domain name.
Region → The region where the event occurred.
NetworkName → The name of the associated network.
HostType → The type of host (e.g., Server, Workstation, IoT Device).
Workstation → The workstation name where the event occurred.
Best Practices for Log Parsing in Logsign USO
Ensure Proper Field Mapping
- Identify standard fields based on the log source and map them correctly to Logsign USO’s schema.
- Use consistent field names, avoiding duplication (e.g., use “UserName” instead of “User”).
Differentiate Essential and Non-Essential Fields
- Ensure critical fields are always captured (e.g., IP, EventType, UserName, Timestamp).
- Allow flexibility for source-specific fields but avoid redundant data.
Standardize Date and Time Formats
- The “Time” field accepts several formats. Pick one for the whole deployment and apply it consistently, and make sure every source carries a time zone (or is explicitly treated as UTC) so events from different systems can be ordered and correlated.
Capture Accurate User and IP Information
- Always check X-Forwarded-For or OriginalIP for logs passing through proxies or NAT devices, and keep the peer address (RemoteIP/NatIP) alongside it. X-Forwarded-For is a client-supplied header: trust only the hop appended by your own proxy or load balancer, and discard anything the client prepended to it.
- Maintain both UserName and UserID separately for accurate authentication tracking.
Automate and Manually Validate Parsing
- Test parsed logs against multiple scenarios to ensure accuracy.
- Regularly improve parsing rules by reviewing incorrectly mapped fields.
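A worked example that applies these practices end to end, added here as an illustration (it is not Logsign's own parser or plugin code). It normalises two constructed log lines, a reverse-proxy access log and a Windows logon event relayed as key=value text, into the field names used in this guide. Assumptions: the dotted prefixes (EventSource.*, Source.*) used to combine the prefixes and field names listed above, the key=value input format, the set of trusted proxy addresses, and the mapping from Event ID 4624 and HTTP status codes to the Type values.

```python
"""Added example, not Logsign's own code: normalise constructed log lines
into the field names used in this guide, with consistent UTC timestamps,
safe X-Forwarded-For handling and a check for essential fields.
Dotted prefixes (EventSource.*, Source.*) are an assumption."""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample lines (not captured from a real system).
SAMPLE_LOGS = [
    # Reverse-proxy access log: the TCP peer is our own load balancer,
    # the real client is carried in X-Forwarded-For.
    'ts="05/Mar/2024:14:02:11 +0300" host=web01 vendor=nginx src=10.0.0.5 '
    'user=jdoe req="GET /login HTTP/1.1" status=302 '
    'xff="203.0.113.9, 10.0.0.5" ua="Mozilla/5.0"',
    # Windows logon event relayed as key=value text.
    'ts=2024-03-05T11:02:13Z host=DC01 vendor=Microsoft eventid=4624 '
    'domain=CORP user=jdoe sid=S-1-5-21-1-2-3-1104 '
    'logon_method=Kerberos src=10.0.0.77',
]

# Assumption: address ranges of the proxies/load balancers we operate.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

# Fields that must be present on every normalised event.
ESSENTIAL_FIELDS = ("Time", "EventSource.Host", "Source.IP", "Type")

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
TIME_FORMATS = ("%Y-%m-%dT%H:%M:%S%z", "%d/%b/%Y:%H:%M:%S %z", "%Y-%m-%d %H:%M:%S")


def parse_kv(line):
    """Split key=value pairs; quoted values may contain spaces."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def normalize_time(value):
    """Accept the formats above and emit ISO 8601 in UTC. A timestamp
    without a zone is treated as UTC (assumption; document it per source)."""
    for fmt in TIME_FORMATS:
        try:
            dt = datetime.strptime(value, fmt)
        except ValueError:
            continue
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)
        return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    raise ValueError(f"unsupported timestamp: {value!r}")


def is_trusted(ip):
    """True only for addresses inside our own proxy ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # garbage in the header is never a trusted hop
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_ip, xff):
    """Resolve the real client. Walk the chain from the TCP peer leftwards
    and skip hops we trust; the first untrusted hop is the client. Anything
    further left was supplied by the client and is ignored. If the peer
    itself is not a trusted proxy, the header is ignored entirely."""
    chain = [h.strip() for h in (xff or "").split(",") if h.strip()] + [remote_ip]
    for hop in reversed(chain):
        if not is_trusted(hop):
            return hop
    return remote_ip  # every hop is ours; fall back to the peer address


def classify(raw):
    """Assumed mapping from source-specific codes to the guide's Type values."""
    if raw.get("eventid") == "4624":
        return "Successful Login"
    status = raw.get("status")
    if status:
        return "Error" if status.startswith(("4", "5")) else "Allowed Traffic"
    return None


def normalize(line):
    """Map one raw line onto the schema; UserName and UserID stay separate."""
    raw = parse_kv(line)
    event = {
        "Time": normalize_time(raw["ts"]),
        "EventSource.Host": raw.get("host"),
        "EventSource.Vendor": raw.get("vendor"),
        "EventSource.ID": raw.get("eventid"),
        "Source.IP": raw.get("src"),
        "Source.UserName": raw.get("user"),
        "Source.Domain": raw.get("domain"),
        "Source.SecurityID": raw.get("sid"),
        "Source.LogonMethod": raw.get("logon_method"),
        "Source.UserAgent": raw.get("ua"),
        "Request": raw.get("req"),
        "Type": classify(raw),
    }
    if "xff" in raw:
        # Keep the peer address and the raw header, record the resolved
        # client in OriginalIP, and use it as Source.IP for correlation.
        event["Source.RemoteIP"] = raw["src"]
        event["Source.XForwardedIP"] = raw["xff"]
        event["Source.OriginalIP"] = client_ip(raw["src"], raw["xff"])
        event["Source.IP"] = event["Source.OriginalIP"]
    return {k: v for k, v in event.items() if v is not None}


def missing_essentials(event):
    """Names of essential fields that are absent or empty."""
    return [f for f in ESSENTIAL_FIELDS if not event.get(f)]


def run(lines=SAMPLE_LOGS):
    return [normalize(line) for line in lines]


if __name__ == "__main__":
    for ev in run():
        print(ev, "missing:", missing_essentials(ev))
```

The proxy line resolves to Source.IP 203.0.113.9 while keeping RemoteIP 10.0.0.5, and a forged entry prepended to X-Forwarded-For (for example "1.2.3.4, 203.0.113.9, 10.0.0.5") is discarded because the walk stops at the first hop that is not one of our proxies. Both timestamps come out as 2024-03-05T11:02:1xZ even though the sources used different formats and zones, and missing_essentials() is the hook for the validation step: run it over a sample of each source after every parser change.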
These fields can also be used when developing custom plugins.
This guide outlines the best practices for parsing logs in Logsign USO while providing a detailed breakdown of the most common fields and their meanings. Following these principles will help ensure efficient log analysis and event correlation. 🚀