nac.forescout

[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 Table structure ] [ 4 Relay Rules to dynamically generate tables ]

Introduction

Tags beginning withnac.forescout identify events generated by Forescout.

Valid tags and data tables

The full tag must have 3 levels. The first two are fixed as nac.forescout. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product/Service	Tags	Data table

Product/Service	Tags	Data table
Forescout counterACT	`nac.forescout.counteract.actions`	`nac.forescout.counteract.actions`
	`nac.forescout.counteract.common`	`nac.forescout.counteract.common`
	`nac.forescout.counteract.log`	`nac.forescout.counteract.log`
	`nac.forescout.counteract.policy`	`nac.forescout.counteract.policy`
	`nac.forescout.counteract.system`	`nac.forescout.counteract.system`

Table structure

This is the set displayed by these tables:

nac.forescout.counteract.actions
nac.forescout.counteract.common
nac.forescout.counteract.log

nac.forescout.counteract.actions

Field	Type	Source field name	Extra Label

Field	Type	Source field name	Extra Label
eventdate	`timestamp`
machine	`str`	vmachine
eventType	`str`
ipAddr	`ip4`
macAddr	`str`
hostName	`str`
dnsName	`str`
user	`str`
rawMessage	`str`
unknown	`str`
hostchain	`str`		✓
tag	`str`		✓

nac.forescout.counteract.common

Field	Type	Source field name	Extra Label

Field	Type	Source field name	Extra Label
eventdate	`timestamp`
machine	`str`	vmachine
eventtype	`str`
sourceIp	`ip4`
destinationIp	`ip4`
destinationPort	`str`
rawMessage	`str`
unknown	`str`
hostchain	`str`		✓
tag	`str`		✓

nac.forescout.counteract.log

Field	Type	Source field name	Extra Label

Field	Type	Source field name	Extra Label
eventdate	`timestamp`
machine	`str`	vmachine
log	`str`
details	`ip4`
severity	`ip4`
rawMessage	`str`
unknown	`str`
hostchain	`str`		✓
tag	`str`		✓

nac.forescout.counteract.policy

Field	Type	Extra Label

Field	Type	Extra Label
eventdate	`timestamp`
machine	`str`
serverdate	`str`
hostname	`str`
procName	`str`
procId	`str`
sourceIp	`ip4`
rule	`str`
details	`str`
match	`str`
category	`str`
rawMessage	`str`
hostchain	`str`	✓
tag	`str`	✓

nac.forescout.counteract.system

Field	Type	Extra Label

Field	Type	Extra Label
eventdate	`timestamp`
message	`str`
hostchain	`str`	✓
tag	`str`	✓

Relay Rules to dynamically generate tables

Relay rules can be used to dynamically generate nac.forescout.* tables. The following examples specifie the required ones depending on the Forescout type of log.

Forescout policy logs

Rule name	Forescout-Policy
Port	`13004`
Source data	`.+:\s(NAC Policy Log:.+)`
Send without syslog tag	[*]
Target tag	`nac.forescout.counteract.policy`
Target message	`\\d1`
Stop processing	[*]

Forescout log logs

Rule name	Forescout-Log
Port	`13004`
Source data	`.+?:\s(Log:.+)`
Send without syslog tag	[*]
Target tag	`nac.forescout.counteract.log`
Target message	`\\d1`
Stop processing	[*]

Forescout system logs

Rule name	Forescout-System
Port	`13004`
Source data	`forescout\[\d+\]: (.+)`
Send without syslog tag	[*]
Target tag	`nac.forescout.counteract.system`
Target message	`\\d1`
Stop processing	[*]

Devo latest