
vpn.openvpn

Introduction

The tags beginning with vpn.openvpn identify events generated by OpenVPN.

Valid tags and data tables 

The full tag must have 4 levels. The first two are fixed as vpn.openvpn. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| OpenVPN | vpn.openvpn.audit.events | vpn.openvpn.audit.events |
| | vpn.openvpn.auth.failed | vpn.openvpn.auth.failed |
| | vpn.openvpn.auth.success | vpn.openvpn.auth.success |
| | vpn.openvpn.system.events | vpn.openvpn.system.events |
| | vpn.openvpn.web.events | vpn.openvpn.web.events |

For more information, see About Devo tags.

Table structure

These are the fields displayed in each table:

vpn.openvpn.audit.events

| Field | Type | Extra Fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| facility | str | |
| logLevel | str | |
| unknown | str | |
| source | str | |
| direction | str | |
| syslog_date | str | |
| log_generation_source | str | |
| process_id | str | |
| log_message | str | |
| log_message_type | str | |
| syslog_source_address | str | |
| event_message_timestamp | str | |
| request_method | str | |
| requested_resource | str | |
| http_version | str | |
| response_code | str | |
| response_size_bytes | str | |
| referrer | str | |
| user_agent | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

vpn.openvpn.auth.failed

| Field | Type | Extra Fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| serverdate | str | |
| log_info | str | |
| message | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

vpn.openvpn.auth.success

| Field | Type | Extra Fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| serverdate | str | |
| log_info | str | |
| status | int4 | |
| session_id | str | |
| reason | str | |
| serial_list | str | |
| user | str | |
| proplist | str | |
| proplist_pvtGoogleAuthScrtLocked | str | |
| proplist_propAutognt | str | |
| proplist_propDeny | str | |
| proplist_pvtPsswdDigest | str | |
| proplist_propSpruser | str | |
| proplist_pvtGoogleAuthScrt | str | |
| proplist_connGroup | str | |
| proplist_propAutolgin | str | |
| proplist_type | str | |
| common_name | str | |
| serial | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

vpn.openvpn.system.events

| Field | Type | Extra Fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| serverdate | str | |
| log_info | str | |
| message | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

vpn.openvpn.web.events

| Field | Type | Extra Fields | Field transformation | Source field name |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| cluster | str | | | |
| instance | str | | | |
| unknown | str | | | |
| source | str | | | |
| direction | str | | | |
| syslog_timestamp | str | | syslog_date + syslog_time | syslog_date, syslog_time |
| log_generation_source | str | | | |
| process_id | str | | | |
| log_message | str | | | |
| log_message_type | str | | | |
| syslog_source_address | str | | | |
| event_message_timestamp | str | | | |
| request_method | str | | | |
| requested_resource | str | | | |
| http_version | str | | | |
| response_code | str | | | |
| response_size_bytes | str | | | |
| referrer | str | | | |
| user_agent | str | | | |
| hostchain | str | ✓ | | |
| tag | str | ✓ | | |
| rawMessage | str | ✓ | | |