...
The tags beginning with cef0.sonicwall
identify events in CEF format generated by SonicWall devices.
Tag structure
Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.
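As an added example (not Devo's or SonicWall's code), the parser below shows how a CEF-over-syslog line breaks down into the header columns listed in the tables that follow (cefVersion, deviceVendor, deviceProduct, deviceVersion, signatureID, name, severity), how the extension becomes key/value columns such as src, dpt, cn1 and cn1Label, and how deviceVendor and deviceProduct decide the destination table cef0.deviceVendor.deviceProduct. The sample lines are constructed for illustration and are not real SonicWall events; the vendor and product strings, and the normalisation rule used to build the tag (lowercase, non-alphanumerics dropped), are assumptions, so the tag the example produces is hypothetical.

```python
"""Parse CEF-over-syslog lines and derive the cef0.<vendor>.<product> tag.

Added example, not part of the Devo documentation or SonicWall's code.
All sample data is constructed; tag normalisation is an assumption.
"""
import re
from dataclasses import dataclass, field

# Order of the seven pipe-delimited CEF header fields.
HEADER_NAMES = ("cefVersion", "deviceVendor", "deviceProduct",
                "deviceVersion", "signatureID", "name", "severity")

# Extension boundary: whitespace followed by something that looks like "key=".
# Values may contain spaces, so splitting on every space would be wrong.
_EXT_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9_.\-]+=)")
# Extension escapes: \= \\ \n \r (and any other backslashed char, passed through).
_UNESCAPE = re.compile(r"\\(.)")
_PRI = re.compile(r"^<(\d{1,3})>")

# Constructed sample events (hypothetical vendor/product/values).
SAMPLE_LINES = [
    "<134>Jan 12 10:15:32 fw01 CEF:0|SonicWall|ExampleNGFW|7.0.1|1235|"
    "Connection Closed \\| TCP|3|src=10.0.0.5 spt=51234 dst=203.0.113.10 dpt=443 "
    "proto=tcp/https cn1=8812 cn1Label=SessionId cs1=WAN\\\\ZoneA cs1Label=Zone "
    "msg=Session closed: timeout\\=30s",
    # Malformed: header cut short, must be rejected rather than mis-parsed.
    "<134>Jan 12 10:15:33 fw01 CEF:0|SonicWall|ExampleNGFW|7.0.1|1236|Truncated header",
]


@dataclass
class CefEvent:
    header: dict = field(default_factory=dict)
    extension: dict = field(default_factory=dict)

    @property
    def tag(self) -> str:
        """Destination table cef0.deviceVendor.deviceProduct (normalisation assumed)."""
        def norm(s: str) -> str:
            return re.sub(r"[^a-z0-9]", "", s.lower())
        return f"cef0.{norm(self.header['deviceVendor'])}.{norm(self.header['deviceProduct'])}"


def syslog_priority(line: str):
    """Return the numeric syslog PRI (<134>) or None; it feeds the priorityCode column."""
    m = _PRI.match(line)
    return int(m.group(1)) if m else None


def _split_header(body: str):
    """Split the seven header fields, honouring \\| and \\\\ escapes inside them."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            buf.append(body[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(c); i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return fields, body[i:]


def _unescape(value: str) -> str:
    return _UNESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> CefEvent:
    """Parse one syslog line; everything before 'CEF:' is the syslog prefix."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    fields, ext = _split_header(line[start:])
    if not fields[0].startswith("CEF:"):
        raise ValueError("bad CEF version field")
    header = dict(zip(HEADER_NAMES, fields))
    header["cefVersion"] = fields[0][len("CEF:"):]
    extension = {}
    for chunk in _EXT_SPLIT.split(ext.strip()):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        extension[key] = _unescape(value)
    return CefEvent(header, extension)


def resolve_labels(ext: dict) -> dict:
    """Pair custom fields with their labels: cn1Label=SessionId cn1=8812 -> {'SessionId': '8812'}."""
    out = {}
    for key, label in ext.items():
        if key.endswith("Label") and key[:-len("Label")] in ext:
            out[label] = ext[key[:-len("Label")]]
    return out


def parse_batch(lines):
    """Parse many lines; malformed events are collected, not silently dropped."""
    parsed, rejected = [], []
    for ln in lines:
        try:
            parsed.append(parse_cef(ln))
        except ValueError as exc:
            rejected.append((ln, str(exc)))
    return parsed, rejected


if __name__ == "__main__":
    good, bad = parse_batch(SAMPLE_LINES)
    for ev in good:
        print(ev.tag, ev.header["signatureID"], ev.header["name"], resolve_labels(ev.extension))
    for ln, why in bad:
        print("REJECTED:", why, "->", ln[:60])
```

The header splitter is a character scan rather than a plain split on "|" because a product or event name may carry an escaped pipe; the extension splitter only breaks before a token that looks like a key, because values such as msg routinely contain spaces. Keeping rejected lines (rather than discarding them) is what lets you notice a device that starts emitting a truncated or non-CEF format.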
...
Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | | |
hostname | | |
priorityCode | | |
cefTag | | |
cefVersion | | |
embDeviceVendor | | |
embDeviceProduct | | |
deviceVersion | | |
signatureID | | |
name | | |
severity | | |
_cefVer | | |
app | | |
cat | | |
c6a4Label | | |
cn1Label | | |
cn2Label | | |
cn3Label | | |
cs1Label | | |
cs1 | | |
cs2Label | | |
cs2 | | |
cs3Label | | |
cs4Label | | |
cs6 | | |
deviceInboundInterface | | |
deviceOutboundInterface | | |
dmac | | |
dst | | |
dpt | | |
dvc | | |
in | | |
out | | |
reason | | |
request | | |
rt | | |
smac | | |
src | | |
spt | | |
ad_dnpt | | |
ad_dpi | | |
ad_fw__action | | |
ad_gcat | | |
ad_snpt | | |
agentZoneURI | | |
agt | | |
ahost | | |
aid | | |
amac | | |
art | | |
at | | |
atz | | |
av | | |
customerURI | | |
destinationZoneURI | | |
deviceSeverity | | |
deviceZoneURI | | |
dtz | | |
eventId | | |
geid | | |
sourceZoneURI | | |
hostchain | | | ✓
tag | | cefTag | ✓
rawMessage | | | ✓
Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | | |
hostname | | |
priorityCode | | |
cefTag | | |
cefVersion | | |
embDeviceVendor | | |
embDeviceProduct | | |
deviceVersion | | |
signatureID | | |
name | | |
severity | | |
_cefVer | | |
app | | |
cat | | |
c6a4Label | | |
cn1Label | | |
cn1 | | |
cn2Label | | |
cn2 | | |
cn3Label | | |
cs1Label | | |
cs2Label | | |
cs2 | | |
cs3Label | | |
cs4Label | | |
cs5Label | | |
cs6 | | |
deviceInboundInterface | | |
deviceOutboundInterface | | |
dmac | | |
dst | | |
dpt | | |
dvc | | |
in | | |
msg | | |
out | | |
rt | | |
smac | | |
src | | |
spt | | |
ad_dnpt | | |
ad_dpi | | |
ad_dstV6 | | |
ad_fw__action | | |
ad_gcat | | |
ad_snpt | | |
ad_srcV6 | | |
ad_susr | | |
agentZoneURI | | |
agt | | |
ahost | | |
aid | | |
amac | | |
art | | |
at | | |
atz | | |
av | | |
categoryBehavior | | |
categoryDeviceGroup | | |
categoryObject | | |
categoryOutcome | | |
categorySignificance | | |
customerURI | | |
destinationZoneURI | | |
deviceSeverity | | |
deviceZoneURI | | |
dtz | | |
eventId | | |
geid | | |
sourceZoneURI | | |
type | | |
hostchain | | | ✓
tag | | cefTag | ✓
rawMessage | | | ✓
Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | | |
hostname | | |
priorityCode | | |
cefTag | | |
cefVersion | | |
embDeviceVendor | | |
embDeviceProduct | | |
deviceVersion | | |
signatureID | | |
name | | |
severity | | |
_cefVer | | |
app | | |
cat | | |
c6a4Label | | |
cn1Label | | |
cn2Label | | |
cn3Label | | |
cs3Label | | |
cs4Label | | |
deviceInboundInterface | | |
deviceOutboundInterface | | |
dmac | | |
dst | | |
dpt | | |
dvc | | |
in | | |
out | | |
rt | | |
smac | | |
src | | |
spt | | |
ad_appName | | |
ad_dpi | | |
ad_fw__action | | |
ad_gcat | | |
agentZoneURI | | |
agt | | |
ahost | | |
aid | | |
amac | | |
art | | |
at | | |
atz | | |
av | | |
categoryBehavior | | |
categoryDeviceGroup | | |
categoryObject | | |
categoryOutcome | | |
categorySignificance | | |
customerURI | | |
destinationZoneURI | | |
deviceSeverity | | |
deviceZoneURI | | |
dtz | | |
eventId | | |
geid | | |
sourceZoneURI | | |
hostchain | | | ✓
tag | | cefTag | ✓
rawMessage | | | ✓
Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | | |
hostname | | |
priorityCode | | |
cefTag | | |
cefVersion | | |
embDeviceVendor | | |
embDeviceProduct | | |
deviceVersion | | |
signatureID | | |
name | | |
severity | | |
_cefVer | | |
app | | |
cat | | |
c6a4Label | | |
cn1Label | | |
cn2Label | | |
cn3Label | | |
cs1 | | |
cs3Label | | |
cs4Label | | |
cs5Label | | |
deviceInboundInterface | | |
deviceOutboundInterface | | |
dmac | | |
dst | | |
dpt | | |
dvc | | |
in | | |
out | | |
rt | | |
src | | |
spt | | |
ad_gcat | | |
ad_susr | | |
agentZoneURI | | |
agt | | |
ahost | | |
aid | | |
amac | | |
art | | |
at | | |
atz | | |
av | | |
destinationZoneURI | | |
deviceSeverity | | |
deviceZoneURI | | |
dtz | | |
eventId | | |
geid | | |
sourceZoneURI | | |
type | | |
hostchain | | | ✓
tag | | cefTag | ✓
rawMessage | | | ✓
Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | | |
hostname | | |
priorityCode | | |
cefTag | | |
cefVersion | | |
embDeviceVendor | | |
embDeviceProduct | | |
deviceVersion | | |
signatureID | | |
name | | |
severity | | |
_cefVer | | |
app | | |
cat | | |
c6a4Label | | |
cs1Label | | |
cs1 | | |
cs2Label | | |
cs2 | | |
cs3Label | | |
cs4Label | | |
cs5Label | | |
cs6 | | |
deviceInboundInterface | | |
deviceOutboundInterface | | |
dhost | | |
dmac | | |
dst | | |
dpt | | |
dvc | | |
in | | |
out | | |
reason | | |
requestMethod | | |
request | | |
rt | | |
shost | | |
smac | | |
src | | |
spt | | |
ad_dnpt | | |
ad_dpi | | |
ad_fw__action | | |
ad_gcat | | |
ad_snpt | | |
ad_susr | | |
agentZoneURI | | |
agt | | |
ahost | | |
aid | | |
amac | | |
art | | |
at | | |
atz | | |
av | | |
categoryBehavior | | |
categoryDeviceGroup | | |
categoryObject | | |
categoryOutcome | | |
categorySignificance | | |
customerURI | | |
destinationZoneURI | | |
deviceSeverity | | |
deviceZoneURI | | |
dtz | | |
eventId | | |
geid | | |
sourceZoneURI | | |
type | | |
hostchain | | | ✓
tag | | cefTag | ✓
rawMessage | | | ✓