box.unix_cloudwatch
Introduction
The tag box.unix_cloudwatch identifies events generated by CloudWatch on UNIX.
Valid tags and data tables
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables
---|---|---
CloudWatch logs on UNIX | box.unix_cloudwatch | box.unix_cloudwatch
Table structure
These are the fields displayed in this table:
box.unix_cloudwatch
Field | Type | Field transformation | Source field name | Extra fields
---|---|---|---|---
eventdate | | | |
machine | | | |
machineIp | | | |
srceventdate | | | |
facility | | | |
level | | | vlevel |
id | | | |
timestamp | | | |
unix_message | | | |
application | | split(tag, ".", 2) | tag |
aws_region | | split(tag, ".", 3) | tag |
appName | | | |
processId | | | |
owner | | | |
logGroup | | | |
logStream | | | |
message | | | |
auditType | | | |
type | | | |
action | | | |
user | | | |
srcUser | | | |
srcIp | | | |
srcPort | | | |
logname | | | |
logLevel | | | |
eventType | | | |
product | | | |
category | | | |
productVersion | | | |
eventId | | | |
eventName | | | |
severity | | | |
utc | | | |
centrifyEventID | | | |
status | | | |
server | | | |
msg | | | |
obj | | | |
pid | | | |
uid | | | |
euid | | | |
auid | | | |
audit_pid | | | |
ses | | | |
tty | | | |
ruser | | | |
rhost | | | |
pwd | | | |
cmd | | | |
attempt | | | |
device | | | |
arch | | | |
syscall | | | |
success | | | |
exit | | | |
op | | | |
comm | | | |
msg2 | | | |
hostchain | | | | ✓
tag | | | | ✓
rawMessage | | | rawSource | ✓