
cef0.ibm.guardium

Introduction

The table cef0.ibm.guardium identifies events in CEF format generated by IBM Guardium.

Tag structure

Events in CEF format do not have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table named according to the structure cef0.deviceVendor.deviceProduct, where the vendor and product come from the CEF header of the event.

In this case, the valid data tables are:

  • cef0.ibm.guardium

How is the data sent to Devo?

Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.

Log samples

The following are sample logs sent to cef0.ibm.guardium. Under each sample log you can find how the information is parsed into the columns of your data table.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

cef0.ibm.guardium

2020-12-09 21:50:43.723 localhost=127.0.0.1 22 CEF: 0|IBM|Guardium|9.0|20001|--privilegedUserActivity|0|dhost=PQ78 dst=69.19.8.2 duser=ENTZXV9 fname=DSN-null proto=DRDA:SERVER request=insert into ECIF_MIF_AUD_TRL (INTERNET_ADDR, ADDR_1_1, ADDR_1_2, ADDR_2_1, ADDR_2_2, ADDR_3_1, ADDR_3_2, ADDRESS_IND_1, ADDRESS_IND_2, AML_CLIENT_TYPE, AML_GEN_COMMENT, BENFICL_OWNR_IND, BN_BIN_NUM, BSC_CODE, BUS_START_DATE, CBDW_EXTRACT_IND, CITY_1, CITY_2, CLASS_TYPE, CO_STK_SYMBL, COMMENTS, COMPANY_TYPE, COMRL_CUSTSEG_IND, CON_DIR_OFC_DOM_1, CON_DIR_OFC_DOM_2, CON_GIV_NAME_1, CON_GIV_NAME_2, CON_INITIAL_1, CON_INITIAL_2, CON_PHONE_1, CON_PHONE_2, CON_SURNAME_1, CON_SURNAME_2, CON_TITLE_1, CON_TITLE_2, CORP_CERT_ST_IND, CORR_LANG, COUNTRY_1, COUNTRY_2, CUST_LEGAL_NAME, CUST_NAME, CUST_SEGMENT_IND, CUST_STATUS, DIRECT_MAIL_IND, DIRECT_MAIL_WHO, EX_CUST_DESIR_IND, FAX_NUMBER_1, FAX_NUMBER_2, FRANCH_ACCT_COM, FRANCH_ACCT_IND, ID_ACCT_SIGN_IND, IND_CODE, IND_DESC, KNOW_YOUR_CLIENT, M_TRANSIT, N_CORP_NUMBER, NATRE_OF_BUSINESS, NFP_ORG, NFP_REG_CRA, NFP_REG_NUM, NFP_SOLICIT, NUM_OF_FT_EMP, NUM_OF_PT_EMP, OPERATOR_TRANSIT, POST_CODE_1, POST_CODE_2, PRIMARY_CUST_NUM, PROV_STATE_1, PROV_STATE_2, RELN_START_DATE, RM_TRANSIT, RM_USERID, ROUTING_USER_ID, SBU_CODE, SIG_BIRTHDATE_1, SIG_BIRTHDATE_2, SIG_BIRTHDATE_3, SIG_GIV_NAME_CS_1, SIG_GIV_NAME_CS_2, SIG_GIV_NAME_CS_3, SIG_ID_TYPE_1_1, SIG_ID_TYPE_1_2, SIG_ID_TYPE_1_3, SIG_ID_TYPE_2_1, SIG_ID_TYPE_2_2, SIG_ID_TYPE_2_3, SIG_ISS_CTY_CD_1_1, SIG_ISS_CTY_CD_1_2, SIG_ISS_CTY_CD_1_3, SIG_ISS_CTY_CD_2_1, SIG_ISS_CTY_CD_2_2, SIG_ISS_CTY_CD_2_3, SIG_ISS_PS_CD_1_1, SIG_ISS_PS_CD_1_2, SIG_ISS_PS_CD_1_3, SIG_ISS_PS_CD_2_1, SIG_ISS_PS_CD_2_2, SIG_ISS_PS_CD_2_3, SIG_OCCUPATION_1, SIG_OCCUPATION_2, SIG_OCCUPATION_3, SIG_OTID_DESC_1_1, SIG_OTID_DESC_1_2, SIG_OTID_DESC_1_3, SIG_OTID_DESC_2_1, SIG_OTID_DESC_2_2, SIG_OTID_DESC_2_3, SIG_REGN_NUM_1_1, SIG_REGN_NUM_1_2, SIG_REGN_NUM_1_3, SIG_REGN_NUM_2_1, SIG_REGN_NUM_2_2, SIG_REGN_NUM_2_3, SIG_SURNAME_CS_1, SIG_SURNAME_CS_2, SIG_SURNAME_CS_3, SIG_TITLE_1, SIG_TITLE_2, SIG_TITLE_3, STREET_1, STREET_2, SUBSID_INFO_IND, SUBSID_INFO_WHO, SUITE_1, SUITE_2, SWITCHBOARD_TEL_1, SWITCHBOARD_TEL_2, TRADE_CRED_INQ, TRADE_NAME, TRANS_DATE, TRANS_TIMESTAMP, RECORD_TYPE, OPERATOR_ID, CUST_NUM) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) rt=Oct 22 2020 23:43:28 src=254.197.224.46

And this is how the log would be parsed:

| Field | Value | Type | Extra field | Field transformation | Source field name |
|---|---|---|---|---|---|
| eventdate | date('2020-12-09 21:50:43.723') | eventdate | | | |
| hostchain | localhost=127.0.0.1 | str | ✓ | | |
| hostname | localhost | str | | | |
| priorityCode | 22 | str | | | |
| cefTag | CEF | str | | | |
| cefVersion | 0 | str | | | |
| embDeviceVendor | IBM | str | | | |
| embDeviceProduct | Guardium | str | | | |
| deviceVersion | 9.0 | str | | | |
| signatureID | 20001 | str | | | |
| name | --privilegedUserActivity | str | | | |
| severity | 0 | str | | | |
| extension | dhost=PQ78 dst=69.19.8.2 duser=ENTZXV9 fname=DSN-null proto=DRDA:SERVER request=insert into ECIF_MIF_AUD_TRL (INTERNET_ADDR, ADDR_1_1, ADDR_1_2, ADDR_2_1, ADDR_2_2, ADDR_3_1, ADDR_3_2, ADDRESS_IND_1, ADDRESS_IND_2, AML_CLIENT_TYPE, AML_GEN_COMMENT, BENFICL_OWNR_IND, BN_BIN_NUM, BSC_CODE, BUS_START_DATE, CBDW_EXTRACT_IND, CITY_1, CITY_2, CLASS_TYPE, CO_STK_SYMBL, COMMENTS, COMPANY_TYPE, COMRL_CUSTSEG_IND, CON_DIR_OFC_DOM_1, CON_DIR_OFC_DOM_2, CON_GIV_NAME_1, CON_GIV_NAME_2, CON_INITIAL_1, CON_INITIAL_2, CON_PHONE_1, CON_PHONE_2, CON_SURNAME_1, CON_SURNAME_2, CON_TITLE_1, CON_TITLE_2, CORP_CERT_ST_IND, CORR_LANG, COUNTRY_1, COUNTRY_2, CUST_LEGAL_NAME, CUST_NAME, CUST_SEGMENT_IND, CUST_STATUS, DIRECT_MAIL_IND, DIRECT_MAIL_WHO, EX_CUST_DESIR_IND, FAX_NUMBER_1, FAX_NUMBER_2, FRANCH_ACCT_COM, FRANCH_ACCT_IND, ID_ACCT_SIGN_IND, IND_CODE, IND_DESC, KNOW_YOUR_CLIENT, M_TRANSIT, N_CORP_NUMBER, NATRE_OF_BUSINESS, NFP_ORG, NFP_REG_CRA, NFP_REG_NUM, NFP_SOLICIT, NUM_OF_FT_EMP, NUM_OF_PT_EMP, OPERATOR_TRANSIT, POST_CODE_1, POST_CODE_2, PRIMARY_CUST_NUM, PROV_STATE_1, PROV_STATE_2, RELN_START_DATE, RM_TRANSIT, RM_USERID, ROUTING_USER_ID, SBU_CODE, SIG_BIRTHDATE_1, SIG_BIRTHDATE_2, SIG_BIRTHDATE_3, SIG_GIV_NAME_CS_1, SIG_GIV_NAME_CS_2, SIG_GIV_NAME_CS_3, SIG_ID_TYPE_1_1, SIG_ID_TYPE_1_2, SIG_ID_TYPE_1_3, SIG_ID_TYPE_2_1, SIG_ID_TYPE_2_2, SIG_ID_TYPE_2_3, SIG_ISS_CTY_CD_1_1, SIG_ISS_CTY_CD_1_2, SIG_ISS_CTY_CD_1_3, SIG_ISS_CTY_CD_2_1, SIG_ISS_CTY_CD_2_2, SIG_ISS_CTY_CD_2_3, SIG_ISS_PS_CD_1_1, SIG_ISS_PS_CD_1_2, SIG_ISS_PS_CD_1_3, SIG_ISS_PS_CD_2_1, SIG_ISS_PS_CD_2_2, SIG_ISS_PS_CD_2_3, SIG_OCCUPATION_1, SIG_OCCUPATION_2, SIG_OCCUPATION_3, SIG_OTID_DESC_1_1, SIG_OTID_DESC_1_2, SIG_OTID_DESC_1_3, SIG_OTID_DESC_2_1, SIG_OTID_DESC_2_2, SIG_OTID_DESC_2_3, SIG_REGN_NUM_1_1, SIG_REGN_NUM_1_2, SIG_REGN_NUM_1_3, SIG_REGN_NUM_2_1, SIG_REGN_NUM_2_2, SIG_REGN_NUM_2_3, SIG_SURNAME_CS_1, SIG_SURNAME_CS_2, SIG_SURNAME_CS_3, SIG_TITLE_1, SIG_TITLE_2, SIG_TITLE_3, STREET_1, STREET_2, SUBSID_INFO_IND, SUBSID_INFO_WHO, SUITE_1, SUITE_2, SWITCHBOARD_TEL_1, SWITCHBOARD_TEL_2, TRADE_CRED_INQ, TRADE_NAME, TRANS_DATE, TRANS_TIMESTAMP, RECORD_TYPE, OPERATOR_ID, CUST_NUM) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) rt=Oct 22 2020 23:43:28 src=254.197.224.46 | str | ✓ | | |
| dhost | PQ78 | str | | cefKeys/cefValues | extension |
| dst | ip4('69.19.8.2') | ip4 | | cefKeys/cefValues | extension |
| duser | ENTZXV9 | str | | cefKeys/cefValues | extension |
| fname | DSN-null | str | | cefKeys/cefValues | extension |
| proto | DRDA:SERVER | str | | cefKeys/cefValues | extension |
| request | insert into ECIF_MIF_AUD_TRL (INTERNET_ADDR, ADDR_1_1, ADDR_1_2, ADDR_2_1, ADDR_2_2, ADDR_3_1, ADDR_3_2, ADDRESS_IND_1, ADDRESS_IND_2, AML_CLIENT_TYPE, AML_GEN_COMMENT, BENFICL_OWNR_IND, BN_BIN_NUM, BSC_CODE, BUS_START_DATE, CBDW_EXTRACT_IND, CITY_1, CITY_2, CLASS_TYPE, CO_STK_SYMBL, COMMENTS, COMPANY_TYPE, COMRL_CUSTSEG_IND, CON_DIR_OFC_DOM_1, CON_DIR_OFC_DOM_2, CON_GIV_NAME_1, CON_GIV_NAME_2, CON_INITIAL_1, CON_INITIAL_2, CON_PHONE_1, CON_PHONE_2, CON_SURNAME_1, CON_SURNAME_2, CON_TITLE_1, CON_TITLE_2, CORP_CERT_ST_IND, CORR_LANG, COUNTRY_1, COUNTRY_2, CUST_LEGAL_NAME, CUST_NAME, CUST_SEGMENT_IND, CUST_STATUS, DIRECT_MAIL_IND, DIRECT_MAIL_WHO, EX_CUST_DESIR_IND, FAX_NUMBER_1, FAX_NUMBER_2, FRANCH_ACCT_COM, FRANCH_ACCT_IND, ID_ACCT_SIGN_IND, IND_CODE, IND_DESC, KNOW_YOUR_CLIENT, M_TRANSIT, N_CORP_NUMBER, NATRE_OF_BUSINESS, NFP_ORG, NFP_REG_CRA, NFP_REG_NUM, NFP_SOLICIT, NUM_OF_FT_EMP, NUM_OF_PT_EMP, OPERATOR_TRANSIT, POST_CODE_1, POST_CODE_2, PRIMARY_CUST_NUM, PROV_STATE_1, PROV_STATE_2, RELN_START_DATE, RM_TRANSIT, RM_USERID, ROUTING_USER_ID, SBU_CODE, SIG_BIRTHDATE_1, SIG_BIRTHDATE_2, SIG_BIRTHDATE_3, SIG_GIV_NAME_CS_1, SIG_GIV_NAME_CS_2, SIG_GIV_NAME_CS_3, SIG_ID_TYPE_1_1, SIG_ID_TYPE_1_2, SIG_ID_TYPE_1_3, SIG_ID_TYPE_2_1, SIG_ID_TYPE_2_2, SIG_ID_TYPE_2_3, SIG_ISS_CTY_CD_1_1, SIG_ISS_CTY_CD_1_2, SIG_ISS_CTY_CD_1_3, SIG_ISS_CTY_CD_2_1, SIG_ISS_CTY_CD_2_2, SIG_ISS_CTY_CD_2_3, SIG_ISS_PS_CD_1_1, SIG_ISS_PS_CD_1_2, SIG_ISS_PS_CD_1_3, SIG_ISS_PS_CD_2_1, SIG_ISS_PS_CD_2_2, SIG_ISS_PS_CD_2_3, SIG_OCCUPATION_1, SIG_OCCUPATION_2, SIG_OCCUPATION_3, SIG_OTID_DESC_1_1, SIG_OTID_DESC_1_2, SIG_OTID_DESC_1_3, SIG_OTID_DESC_2_1, SIG_OTID_DESC_2_2, SIG_OTID_DESC_2_3, SIG_REGN_NUM_1_1, SIG_REGN_NUM_1_2, SIG_REGN_NUM_1_3, SIG_REGN_NUM_2_1, SIG_REGN_NUM_2_2, SIG_REGN_NUM_2_3, SIG_SURNAME_CS_1, SIG_SURNAME_CS_2, SIG_SURNAME_CS_3, SIG_TITLE_1, SIG_TITLE_2, SIG_TITLE_3, STREET_1, STREET_2, SUBSID_INFO_IND, SUBSID_INFO_WHO, SUITE_1, SUITE_2, SWITCHBOARD_TEL_1, SWITCHBOARD_TEL_2, TRADE_CRED_INQ, TRADE_NAME, TRANS_DATE, TRANS_TIMESTAMP, RECORD_TYPE, OPERATOR_ID, CUST_NUM) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) | str | | cefKeys/cefValues | extension |
| rt | date('2020-10-22 23:43:28.000') | timestamp | | cefKeys/cefValues | extension |
| src | ip4('254.197.224.46') | ip4 | | cefKeys/cefValues | extension |
| tag | CEF | str | ✓ | | |
| rawMessage | CEF: 0\|IBM\|Guardium\|9.0\|20001\|--privilegedUserActivity\|0\|dhost=PQ78 dst=69.19.8.2 duser=ENTZXV9 fname=DSN-null proto=DRDA:SERVER request=insert into ECIF_MIF_AUD_TRL (INTERNET_ADDR, ADDR_1_1, ADDR_1_2, ADDR_2_1, ADDR_2_2, ADDR_3_1, ADDR_3_2, ADDRESS_IND_1, ADDRESS_IND_2, AML_CLIENT_TYPE, AML_GEN_COMMENT, BENFICL_OWNR_IND, BN_BIN_NUM, BSC_CODE, BUS_START_DATE, CBDW_EXTRACT_IND, CITY_1, CITY_2, CLASS_TYPE, CO_STK_SYMBL, COMMENTS, COMPANY_TYPE, COMRL_CUSTSEG_IND, CON_DIR_OFC_DOM_1, CON_DIR_OFC_DOM_2, CON_GIV_NAME_1, CON_GIV_NAME_2, CON_INITIAL_1, CON_INITIAL_2, CON_PHONE_1, CON_PHONE_2, CON_SURNAME_1, CON_SURNAME_2, CON_TITLE_1, CON_TITLE_2, CORP_CERT_ST_IND, CORR_LANG, COUNTRY_1, COUNTRY_2, CUST_LEGAL_NAME, CUST_NAME, CUST_SEGMENT_IND, CUST_STATUS, DIRECT_MAIL_IND, DIRECT_MAIL_WHO, EX_CUST_DESIR_IND, FAX_NUMBER_1, FAX_NUMBER_2, FRANCH_ACCT_COM, FRANCH_ACCT_IND, ID_ACCT_SIGN_IND, IND_CODE, IND_DESC, KNOW_YOUR_CLIENT, M_TRANSIT, N_CORP_NUMBER, NATRE_OF_BUSINESS, NFP_ORG, NFP_REG_CRA, NFP_REG_NUM, NFP_SOLICIT, NUM_OF_FT_EMP, NUM_OF_PT_EMP, OPERATOR_TRANSIT, POST_CODE_1, POST_CODE_2, PRIMARY_CUST_NUM, PROV_STATE_1, PROV_STATE_2, RELN_START_DATE, RM_TRANSIT, RM_USERID, ROUTING_USER_ID, SBU_CODE, SIG_BIRTHDATE_1, SIG_BIRTHDATE_2, SIG_BIRTHDATE_3, SIG_GIV_NAME_CS_1, SIG_GIV_NAME_CS_2, SIG_GIV_NAME_CS_3, SIG_ID_TYPE_1_1, SIG_ID_TYPE_1_2, SIG_ID_TYPE_1_3, SIG_ID_TYPE_2_1, SIG_ID_TYPE_2_2, SIG_ID_TYPE_2_3, SIG_ISS_CTY_CD_1_1, SIG_ISS_CTY_CD_1_2, SIG_ISS_CTY_CD_1_3, SIG_ISS_CTY_CD_2_1, SIG_ISS_CTY_CD_2_2, SIG_ISS_CTY_CD_2_3, SIG_ISS_PS_CD_1_1, SIG_ISS_PS_CD_1_2, SIG_ISS_PS_CD_1_3, SIG_ISS_PS_CD_2_1, SIG_ISS_PS_CD_2_2, SIG_ISS_PS_CD_2_3, SIG_OCCUPATION_1, SIG_OCCUPATION_2, SIG_OCCUPATION_3, SIG_OTID_DESC_1_1, SIG_OTID_DESC_1_2, SIG_OTID_DESC_1_3, SIG_OTID_DESC_2_1, SIG_OTID_DESC_2_2, SIG_OTID_DESC_2_3, SIG_REGN_NUM_1_1, SIG_REGN_NUM_1_2, SIG_REGN_NUM_1_3, SIG_REGN_NUM_2_1, SIG_REGN_NUM_2_2, SIG_REGN_NUM_2_3, SIG_SURNAME_CS_1, SIG_SURNAME_CS_2, SIG_SURNAME_CS_3, SIG_TITLE_1, SIG_TITLE_2, SIG_TITLE_3, STREET_1, STREET_2, SUBSID_INFO_IND, SUBSID_INFO_WHO, SUITE_1, SUITE_2, SWITCHBOARD_TEL_1, SWITCHBOARD_TEL_2, TRADE_CRED_INQ, TRADE_NAME, TRANS_DATE, TRANS_TIMESTAMP, RECORD_TYPE, OPERATOR_ID, CUST_NUM) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) rt=Oct 22 2020 23:43:28 src=254.197.224.46 | str | | | |
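To make the derivation in the table above concrete, here is an added Python example. It is not Devo's parser and not part of this page; it reproduces the same split the table shows: the syslog prefix (eventdate, hostchain, priorityCode), the seven pipe-delimited CEF header fields (named with the table's own columns cefVersion, embDeviceVendor, embDeviceProduct, deviceVersion, signatureID, name, severity), and the key=value extension. The point worth seeing in code is the extension: values such as request= (the full SQL text) and rt= contain spaces, so a parser that splits on whitespace would truncate the statement that a detection on privileged user activity needs to inspect; the split below relies instead on the CEF rule that a literal `=` inside a value is escaped as `\=`. The sample line is copied from this page with the SQL inside request= abbreviated; the typing of src/dst to IPv4 and rt to a timestamp follows the table.

```python
import re
import ipaddress
from datetime import datetime, timezone

# Constructed sample: this page's log line with the SQL inside `request=`
# abbreviated. The parsing logic does not depend on the statement's length.
SAMPLE = (
    "2020-12-09 21:50:43.723 localhost=127.0.0.1 22 "
    "CEF: 0|IBM|Guardium|9.0|20001|--privilegedUserActivity|0|"
    "dhost=PQ78 dst=69.19.8.2 duser=ENTZXV9 fname=DSN-null proto=DRDA:SERVER "
    "request=insert into ECIF_MIF_AUD_TRL (INTERNET_ADDR, CUST_NUM) values (?, ?) "
    "rt=Oct 22 2020 23:43:28 src=254.197.224.46"
)

# Column names from the table above for the seven CEF header fields, in order.
HEADER_COLUMNS = ("cefVersion", "embDeviceVendor", "embDeviceProduct",
                  "deviceVersion", "signatureID", "name", "severity")

# Syslog-style prefix in front of the CEF payload: timestamp, hostchain, priority.
PREFIX_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (\S+) (\d+) (CEF:\s*(.*))$", re.S)

# An extension key is a run of word characters immediately followed by '=' and
# preceded by a space (or the start of the extension). A literal '=' inside a
# value is escaped as '\=' in CEF, so it can never start a new key here.
KEY_RE = re.compile(r"(?:^|(?<= ))([\w.]+)=")


def split_header(cef):
    """Return (list of 7 header fields, extension string), honouring '\\|' and '\\\\' escapes."""
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef) and cef[i + 1] in "|\\":
            buf.append(cef[i + 1]); i += 2          # escaped pipe or backslash
        elif ch == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than 7 pipe-delimited fields")
    return fields, cef[i:]                           # rest of the line is the extension


def unescape_value(raw):
    """Undo the CEF extension escapes '\\=', '\\\\', '\\n' and '\\r'."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), raw)


def split_extension(ext):
    """Split 'k1=v1 k2=v2 ...' where values may themselves contain spaces."""
    keys = list(KEY_RE.finditer(ext))
    out = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)      # value runs up to the next key
        out[m.group(1)] = unescape_value(ext[m.end():end].rstrip(" "))
    return out


def typed(key, value):
    """Apply the conversions the table shows: src/dst -> ip4, rt -> timestamp."""
    if key in ("src", "dst"):
        return ipaddress.IPv4Address(value)          # raises on a non-IPv4 value
    if key == "rt":
        if value.isdigit():                          # CEF also allows epoch milliseconds
            return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc).replace(tzinfo=None)
        return datetime.strptime(value, "%b %d %Y %H:%M:%S")
    return value


def parse_guardium(line):
    """Parse one cef0.ibm.guardium line into the columns listed in the table above."""
    m = PREFIX_RE.match(line)
    if not m:
        raise ValueError("line does not carry the expected syslog prefix and CEF payload")
    eventdate, hostchain, priority, raw_message, cef = m.groups()
    header, extension = split_header(cef)
    row = {
        "eventdate": datetime.strptime(eventdate, "%Y-%m-%d %H:%M:%S.%f"),
        "hostchain": hostchain,
        "hostname": hostchain.split("=", 1)[0],
        "priorityCode": priority,
        "cefTag": "CEF",
        **dict(zip(HEADER_COLUMNS, header)),
        "extension": extension,                      # kept verbatim, as the Extra column is
        "rawMessage": raw_message,
    }
    for key, value in split_extension(extension).items():
        row[key] = typed(key, value)                 # cefKeys/cefValues become columns
    return row


if __name__ == "__main__":
    for column, value in parse_guardium(SAMPLE).items():
        print(f"{column:18} {value}")
```

The header and extension splitters are deliberately separate, because the two parts of a CEF message use different escaping: `\|` only matters in the header, while `\=` only matters in the extension. If a source ever emits an unescaped `=` inside a value (for example a SQL predicate written as `col=1`), the key regex will cut the statement there; comparing the `request` column against `rawMessage` is a quick way to notice that on real data.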