Document toolbox

box.unix_cloudwatch

Owned by Juan Tomás Alonso Nieto (Deactivated)

Jul 12, 2023

1 min read

[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 Table structure ]

Introduction

The tag box.unix_cloudwatch identifies events generated by CloudWatch on UNIX.

Valid tags and data tables

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
CloudWatch logs on UNIX	`box.unix_cloudwatch`	`box.unix_cloudwatch`

Table structure

These are the fields displayed in this table:

box.unix_cloudwatch

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Field transformation	Source field name	Extra fields
eventdate	`timestamp`
machine	`str`
machineIp	`ip4`
srceventdate	`timestamp`
facility	`str`
level	`str`		vlevel
id	`str`
timestamp	`timestamp`
unix_message	`str`
application	`str`	`split(tag, ".", 2)`	tag
aws_region	`str`	`split(tag, ".", 3)`	tag
appName	`str`
processId	`str`
owner	`str`
logGroup	`str`
logStream	`str`
message	`str`
auditType	`str`
type	`str`
action	`str`
user	`str`
srcUser	`str`
srcIp	`ip4`
srcPort	`int4`
logname	`str`
logLevel	`str`
eventType	`str`
product	`str`
category	`str`
productVersion	`str`
eventId	`str`
eventName	`str`
severity	`str`
utc	`timestamp`
centrifyEventID	`str`
status	`str`
server	`str`
msg	`str`
obj	`str`
pid	`str`
uid	`int4`
euid	`str`
auid	`str`
audit_pid	`str`
ses	`str`
tty	`str`
ruser	`str`
rhost	`ip4`
pwd	`str`
cmd	`str`
attempt	`int4`
device	`str`
arch	`str`
syscall	`str`
success	`str`
exit	`str`
op	`str`
comm	`str`
msg2	`str`
hostchain	`str`			✓
tag	`str`			✓
rawMessage	`str`		rawSource	✓