
ras.securelink

Introduction

The tags beginning with ras.securelink identify events generated by SecureLink. 

Valid tags and data tables

The full tag has 3 levels. The first two are fixed as ras.securelink. The third level identifies the type of events sent (admin or audit).

Technology: ras

Brand: securelink

Type:

  • admin

  • audit

These are the valid tags and corresponding data tables that will receive the parsers' data:

Tag                   | Data table
ras.securelink.admin  | ras.securelink.admin
ras.securelink.audit  | ras.securelink.audit

Log samples

The following are sample logs sent to each of the ras.securelink data tables. Below each sample log you can see how the information will be parsed in the corresponding data table.

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.


ras.securelink.admin 

2022-02-25 14:59:21.447 localhost=127.0.0.1 ras.securelink.admin: ADMIN: User: User.Name, Method: DETACH, Type: User, Key: somekey@KeyHelp.com, Text: Session: 1234432112, Site: 11, Customer: Peno Dozi Kublished Kesktop

2022-02-25 14:59:21.447 localhost=127.0.0.1 ras.securelink.admin: ADMIN: User: User.Name, Method: CREATE, Type: Port, Key: 80, Text: Name: \'HTTP\', host: \'US1-VPAC1V01.moelisib.com\', port: \'80\', local port: \'80\', port type: \'portHTTP\', description: \'Access to a Web Server\', credential: \'\', path: \'null\', app name: \'null\', auditDisabled: false

2022-02-25 14:59:21.447 localhost=127.0.0.1 ras.securelink.admin: ADMIN: User: User.Name, Method: SET, Type: Syslog Server, Key: 192.5.1.8:514, Text: "SecureLink syslog integration enabled"

And this is how the first sample line would be parsed:

Field | Value | Type | Source field name | Extra fields
eventdate | 2022-02-25 14:59:21.447 | timestamp | |
user | User.Name | str | |
method | DETACH | str | |
type | User | str | |
key | somekey@KeyHelp.com | str | |
text | Session: 1234432112, Site: 11, Customer: Peno Dozi Kublished Kesktop | str | |
hostchain | localhost=127.0.0.1 | str | | ✓
tag | ras.securelink.admin | str | | ✓
rawMessage | ADMIN: User: User.Name, Method: DETACH, Type: User, Key: somekey@KeyHelp.com, Text: Session: 1234432112, Site: 11, Customer: Peno Dozi Kublished Kesktop | str | rawSource | ✓


ras.securelink.audit

2022-02-25 15:00:01.102 localhost=127.0.0.1 ras.securelink.audit: AUDIT: Vendor Rep Baba Dokia(baba.dokia@arad.com) accessed service: Windows Remote Desktop Protocol, Application: RRD Desktops, port 3389@NYC-MJ09P56-D), duration: 0h0m19s.

2022-02-25 15:00:01.104 localhost=127.0.0.1 ras.securelink.audit: AUDIT: Vendor Rep Agri Pina (agripina@logclub.com) connected to Application LogClub.

2022-02-25 15:00:01.109 localhost=127.0.0.1 ras.securelink.audit: AUDIT: Vendor Rep Ionut Zapada (ionut.zapada@arad.com) disconnected from Application RRD Desktops (Forced), duration 3h0m2s.

And this is how the first sample line would be parsed:

Field | Value | Type | Source field name | Extra fields
eventdate | 2022-02-25 15:00:01.102 | timestamp | |
vendor | Rep Baba Dokia | str | |
email | baba.dokia@arad.com | str | |
action | accessed service | str | |
application | RRD Desktops | str | |
server | NYC-MJ09P56-D | str | |
port | 3389 | int4 | |
details | null | str | |
duration | 0h0m19s | str | |
hostchain | localhost=127.0.0.1 | str | | ✓
tag | ras.securelink.audit | str | | ✓
rawMessage | AUDIT: Vendor Rep Baba Dokia(baba.dokia@arad.com) accessed service: Windows Remote Desktop Protocol, Application: RRD Desktops, port 3389@NYC-MJ09P56-D), duration: 0h0m19s. | str | rawSource | ✓
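The following is an added example, not Devo's or SecureLink's own parser code: it takes the six sample lines shown on this page and produces, for each, the columns of the ras.securelink.admin or ras.securelink.audit table above (eventdate, hostchain, tag and rawMessage from the syslog prefix, then the per-table fields). Only the "accessed service" audit message is mapped on this page; the columns chosen here for the "connected to" and "disconnected from" variants (details holds the parenthesised reason such as Forced), the internal group name service for the unmapped protocol name, and the duration_to_seconds helper (useful because the table stores duration as a str) are this example's assumptions.

```python
"""Parse ras.securelink.admin / ras.securelink.audit lines into the fields of
this page's two tables. Added example, not Devo's or SecureLink's parser."""
import re
from typing import Any, Dict, List, Optional

# Syslog prefix shared by both tables: eventdate, hostchain, tag, rawMessage.
PREFIX_RE = re.compile(
    r"^(?P<eventdate>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<hostchain>\S+) (?P<tag>ras\.securelink\.(?:admin|audit)): "
    r"(?P<rawMessage>.*)$"
)
# ADMIN messages: Key and Text may contain commas, colons and quotes, so Key
# is matched lazily up to the literal ", Text: " and Text takes the rest.
ADMIN_RE = re.compile(
    r"^ADMIN: User: (?P<user>.+?), Method: (?P<method>[A-Z]+), "
    r"Type: (?P<type>.+?), Key: (?P<key>.+?), Text: (?P<text>.*)$"
)
# AUDIT messages start "Vendor <vendor>(<email>)"; the space before "(" is
# optional in the samples. The remainder is matched by one of three shapes.
AUDIT_HEAD_RE = re.compile(
    r"^AUDIT: Vendor (?P<vendor>.+?)\s*\((?P<email>[^)]+)\)\s+(?P<rest>.*)$"
)
# Only "accessed service" is mapped on this page; the columns used for the
# "connected to" / "disconnected from" shapes are this example's assumption.
AUDIT_BODY_RES = [
    re.compile(r"^(?P<action>accessed service): (?P<service>.+?), Application: "
               r"(?P<application>.+?), port (?P<port>\d+)@(?P<server>[^),]+)\)?"
               r"(?:, duration:? (?P<duration>\S+?))?\.?$"),
    re.compile(r"^(?P<action>connected to) Application (?P<application>.+?)\.?$"),
    re.compile(r"^(?P<action>disconnected from) Application (?P<application>.+?)"
               r"(?: \((?P<details>[^)]+)\))?(?:, duration:? (?P<duration>\S+?))?\.?$"),
]
AUDIT_FIELDS = ("vendor", "email", "action", "application", "server",
                "port", "details", "duration")
DURATION_RE = re.compile(r"^(?P<h>\d+)h(?P<m>\d+)m(?P<s>\d+)s$")


def duration_to_seconds(duration: Optional[str]) -> Optional[int]:
    """The table stores duration as str ("3h0m2s"); thresholds need seconds."""
    if duration is None:
        return None
    m = DURATION_RE.match(duration)
    if not m:
        raise ValueError(f"unexpected duration: {duration!r}")
    return int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])


def parse_admin(message: str) -> Dict[str, Any]:
    m = ADMIN_RE.match(message)
    if not m:
        raise ValueError(f"not an ADMIN message: {message!r}")
    return m.groupdict()


def parse_audit(message: str) -> Dict[str, Any]:
    head = AUDIT_HEAD_RE.match(message)
    if not head:
        raise ValueError(f"not an AUDIT message: {message!r}")
    event: Dict[str, Any] = dict.fromkeys(AUDIT_FIELDS)  # unmatched -> None (null)
    event["vendor"], event["email"] = head["vendor"], head["email"]
    for body_re in AUDIT_BODY_RES:
        body = body_re.match(head["rest"])
        if body:
            # "service" has no column in the table, so it is dropped here.
            event.update({k: v for k, v in body.groupdict().items() if k in event})
            break
    else:
        raise ValueError(f"unrecognised AUDIT body: {head['rest']!r}")
    if event["port"] is not None:
        event["port"] = int(event["port"])  # int4 in the table
    return event


def parse_line(line: str) -> Dict[str, Any]:
    """One syslog line -> the columns of its ras.securelink data table."""
    pre = PREFIX_RE.match(line.strip())
    if not pre:
        raise ValueError(f"not a ras.securelink line: {line!r}")
    event = pre.groupdict()
    parse_body = parse_admin if event["tag"].endswith(".admin") else parse_audit
    event.update(parse_body(event["rawMessage"]))
    return event


# The six sample lines from this page, one event per line.
SAMPLE_LINES = r"""
2022-02-25 14:59:21.447 localhost=127.0.0.1 ras.securelink.admin: ADMIN: User: User.Name, Method: DETACH, Type: User, Key: somekey@KeyHelp.com, Text: Session: 1234432112, Site: 11, Customer: Peno Dozi Kublished Kesktop
2022-02-25 14:59:21.447 localhost=127.0.0.1 ras.securelink.admin: ADMIN: User: User.Name, Method: CREATE, Type: Port, Key: 80, Text: Name: \'HTTP\', host: \'US1-VPAC1V01.moelisib.com\', port: \'80\', local port: \'80\', port type: \'portHTTP\', description: \'Access to a Web Server\', credential: \'\', path: \'null\', app name: \'null\', auditDisabled: false
2022-02-25 14:59:21.447 localhost=127.0.0.1 ras.securelink.admin: ADMIN: User: User.Name, Method: SET, Type: Syslog Server, Key: 192.5.1.8:514, Text: "SecureLink syslog integration enabled"
2022-02-25 15:00:01.102 localhost=127.0.0.1 ras.securelink.audit: AUDIT: Vendor Rep Baba Dokia(baba.dokia@arad.com) accessed service: Windows Remote Desktop Protocol, Application: RRD Desktops, port 3389@NYC-MJ09P56-D), duration: 0h0m19s.
2022-02-25 15:00:01.104 localhost=127.0.0.1 ras.securelink.audit: AUDIT: Vendor Rep Agri Pina (agripina@logclub.com) connected to Application LogClub.
2022-02-25 15:00:01.109 localhost=127.0.0.1 ras.securelink.audit: AUDIT: Vendor Rep Ionut Zapada (ionut.zapada@arad.com) disconnected from Application RRD Desktops (Forced), duration 3h0m2s.
""".strip().splitlines()


def parse_all(lines: List[str] = SAMPLE_LINES) -> List[Dict[str, Any]]:
    return [parse_line(line) for line in lines]
```

Calling parse_all() returns one dict per sample line with the same keys as the tables above (details is None where the table shows null). Because Key and Text in ADMIN messages are user-controlled free text, the regex anchors on the literal ", Text: " separator rather than splitting on commas; a Key containing that exact string would still mis-parse, which is the usual caveat when a vendor log has no quoting.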
