Log Samples

Expected Log Format Sample

Unix Nullmailer

<30>Nov 16 05:01:50 xxx nullmailer-send[515886]: Rescanning queue.

Expected Log Format Sample

Unix Scponly

<86>Nov 16 04:07:59 xxx scponly[1710658]: running: /usr/lib64/misc/sftp-server (username: c10005(10005), IP/port: 1.1.1.1 59774 22)

Expected Log Format Sample

Unix Dovecot

<22>Jan 03 09:18:08 daserver dovecot[609314]: imap-login: Login: user=<MESSAGEIDORMAIL@example.com>, method=PLAIN, rip=1.1.1.1, lip=1.1.1.2, mpid=977535, TLS, session=<HNTJkOPQD82sFgBz>
<22>Jan 03 04:06:07 daserver dovecot[609314]: imap-login: Login: user=<MESSAGEIDORMAIL@example.com>, method=PLAIN, rip=1.1.1.3, lip=1.1.1.4, mpid=735023, secured, session=<a4/vNN/QLNd/AAAB>

Expected Log Format Sample

IPtable

<30>Apr 21 16:23:01 xxxxx iptables.init[22335]: iptables: Setting chains to policy ACCEPT: filter [ OK ]

Expected Log Format Sample

Meinberg NTP Server

Sep 7 21:11:39 xxxxx ntpd[7782]: proto: precision = 1.938 usec
Mar 15 13:35:17 xxxxx ntpd[12948]: precision = 3.000 usec

Expected Log Format Sample

Unix Sysmon

<14>Oct 15 10:29:40 server-hostname-abc sysmon: <Event><System><Provider Name="Linux Sysmon" Guid="{xxxxxxxxxxxxxxxxxxxxxxxxx}"/><EventID>3</EventID><Version>5</Version><Level>4</Level><Task>3</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2021-10-15T10:29:40.544390000Z"/><EventRecordID>12345</EventRecordID><Correlation/><Execution ProcessID="15341" ThreadID="15352"/><Channel>Linux-Sysmon/Operational</Channel><Computer>server-hostname-abc</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2021-10-15 10:29:40.541</Data><Data Name="ProcessGuid">{xxxx-xxxxx-xxxx-xxx-xxxx}</Data><Data Name="ProcessId">1267</Data><Data Name="Image">/opt/ds_agent/ds_am</Data><Data Name="User">-</Data><Data Name="Protocol">udp</Data><Data Name="Initiated">true</Data><Data Name="SourceIsIpv6">false</Data><Data Name="SourceIp">1.1.1.1</Data><Data Name="SourceHostname">-</Data><Data Name="SourcePort">12345</Data><Data Name="SourcePortName">-</Data><Data Name="DestinationIsIpv6">false</Data><Data Name="DestinationIp">1.1.1.2</Data><Data Name="DestinationHostname">-</Data><Data Name="DestinationPort">53</Data><Data Name="DestinationPortName">-</Data></EventData></Event>

Expected Log Format Sample

Unix Named

Aug 29 15:33:13 xxxxx named[464]: client 1.1.1.1#1036: query (cache) denied

Expected Log Format Sample

Unix Xrdp

<30>Nov 28 16:11:02 xxx xrdp[28904]: [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
<30>Nov 28 16:12:52 xxx xrdp[28941]: [INFO ] Using default X.509 key file: /etc/xrdp/key.pem

Expected Log Format Sample

Unix Solaris OS

Jul 2 09:30:52 xxx Had[1906]: [ID 702911 daemon.notice] VCS ERROR V-16-1-40174 TargetCount dropped below zero for group xxxxx; setting to zero.

Expected Log Format Sample

Unix Log

Expected Log Format

<datetime> <hostname> <process>[<process_id>]: <message_part>

Modified Log Format

<datetime> <hostname> <process> <process_id> - - <message_part>
2020-05-13T15:33:21.038630+03:00 xxxxx snmpd 56789 - - Connection from UDP: [1.1.1.1]:12345->[1.1.1.2]:123

Expected Log Format Sample

Common Unix System

Jul 23 06:27:39 xxxxx? su[9233]: FAILED su for xxxxx by xxxxx

Expected Log Format Sample

Unix SSHD

<166>Jun 2 14:41:27 ssss sshd[39844]: Starting session: shell on pts/0 for ddddd from 192.168.12.6 port 59021 id 0

Expected Log Format Sample

Unix Cron

<86>1 2020-05-13T15:25:01.256154+03:00 myserver-1 CRON 1357 - - pam_unix(cron:session): session opened for user root by (uid=0)

Expected Log Format Sample

Unix SU

<86>Jul 5 10:30:51 xxxxx su: pam_unix(su:session): session closed for user xxxxx

Expected Log Format Sample

Unix Sudo

<85>Apr 19 08:58:13 xxxxx sudo: pam_unix(sudo:auth): authentication failure; logname=xxxxx uid=603 euid=0 tty=/dev/pts/0 ruser=xxxxx rhost= user=xxxxx

Expected Log Format Sample

Unix Crond

10.177.145.50/10.177.145.50 crond[11814]: xxxx_xxx[11814]: keytab: FILE:/etc/xxxxx.xxxxx

Expected Log Format Sample

Unix Passwd

<85>Jun 21 17:12:27 xxxxx passwd: pam_unix(passwd:************): password changed for xxxxx

Expected Log Format Sample

Unix Auditd

<29>Nov 6 01:00:01 eru062 auditd[2908]: Audit daemon rotating log files

Expected Log Format Sample

Unix Bash

May 23 16:55:41 xxxxx bash[31854]: xxxxx(7320):xxxxx(12345): df

Expected Log Format Sample

Unix Runuser

<86>runuser: pam_unix(runuser-l:session): session opened for user xxxxx by (xxxxx)

Expected Log Format Sample

Unix Smbd

<27>Apr 2 23:59:04 xxxxx smbd[28739]: nt_printing_init: error checking published printers: WERR_ACCESS_DENIED

Expected Log Format Sample

Unix Systemd

<30>Apr 26 11:08:00 xxxxx systemd: Starting Cleanup of Temporary Directories...
