auth.thycotic
Introduction
The tags beginning with auth.thycotic
identify events generated by Delinea (formerly Thycotic).
Valid tags and data tablesÂ
The full tag must have 3 levels. The first two are fixed as auth.thycotic
. The third level identifies the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Thycotic Secret Server |
|
|
For more information, read more About Devo tags.
How is the data sent to devo?
Set up the Thycotic product
The user may follow the official vendor documentation to configure log forwarding to a Devo Relay. Then, the Distributed Engine that would be installed on-premises will forward logs in CEF format to the Devo Relay.
Set up the Devo relay rules
You will need to set up 1 rule on the relay to correctly process and forward the events received from Thycotic. In the examples below, you should use any port that you can dedicate to these events.
Rules |
---|
Thycotic SecretServer
|
Table structure
auth.thycotic.secretserver
These are the fields displayed in this table:
Field | Type | Extra fields |
---|---|---|
eventdate |
| Â |
cefVersion |
| Â |
embDeviceVendor |
| Â |
embDeviceProduct |
| Â |
deviceVersion |
| Â |
signatureID |
| Â |
name |
| Â |
severity |
| Â |
_cefVer |
| Â |
duid |
| Â |
duser |
| Â |
fileId |
| Â |
fileType |
| Â |
fname |
| Â |
msg |
| Â |
rt |
| Â |
src |
| Â |
suid |
| Â |
suser |
| Â |
suserDisplayName |
| Â |
folder |
| Â |
hostchain |
| ✓ |
tag |
| ✓ |
rawMessage |
| ✓ |