
waf.kemp

Introduction

The tags beginning with waf.kemp identify events generated by Kemp Technologies products.

Valid tags and data tables 

The full tag must have at least 3 levels. The first two are fixed as waf.kemp. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service | Tags                                                 | Data tables
Kemp LoadMaster   | waf.kemp.loadmaster.alert, waf.kemp.loadmaster.audit | waf.kemp.loadmaster
                  | waf.kemp.loadmaster.alert                            | waf.kemp.loadmaster.alert
                  | waf.kemp.loadmaster.audit                            | waf.kemp.loadmaster.audit

For more information, read About Devo tags.

How is the data sent to Devo?

Logs generated by Kemp Technologies products must be sent to the Devo platform through the Devo Relay, which secures the communication. The relay must be configured with the rules below, in this order:

Rule for WAF Kemp Loadmaster Alert events

  • Source port - Any available port.

  • Source data - ModSecurity:

  • Sent without syslog tag - ✓

  • Target tag - waf.kemp.loadmaster.alert

  • Stop processing - ✓

Rule for WAF Kemp Loadmaster Audit events

  • Source port - Same port as first rule.

  • Source data - ^\S+\s\S+\s(wafd|WAF)\s

  • Sent without syslog tag - ✓

  • Target tag - waf.kemp.loadmaster.audit

  • Stop processing - ✓

Rule for Kemp other events

Events routed by this rule must follow the RFC 5424 format to be parsed correctly.

  • Source port - Same port as first rule.

  • Sent without syslog tag - ✓

  • Target tag - box.unix.rfc5424

  • Stop processing - ✓
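As an added illustration that is not part of the Devo documentation, the following Python routes constructed sample lines through the three relay rules above in the order they are listed, so the first match wins exactly as the Stop processing setting implies. Treating each Source data value as a regular expression searched within the line is an assumption of this example, as are the sample lines themselves.

```python
import re

# Relay rules from this page, in order. Every rule has "Stop processing" set,
# so the first rule whose Source data matches decides the target tag.
# Assumption: the Source data value is a regex searched anywhere in the line.
RELAY_RULES = [
    (re.compile(r"ModSecurity:"), "waf.kemp.loadmaster.alert"),
    (re.compile(r"^\S+\s\S+\s(wafd|WAF)\s"), "waf.kemp.loadmaster.audit"),
    (None, "box.unix.rfc5424"),  # catch-all for other Kemp events: no Source data filter
]


def route(line: str) -> str:
    """Return the target tag the relay would assign to one raw syslog line."""
    for pattern, tag in RELAY_RULES:
        if pattern is None or pattern.search(line):
            return tag
    raise AssertionError("unreachable: the last rule has no filter")


def route_all(lines):
    """Count how many lines land in each target tag; handy for sanity-checking a feed."""
    counts = {}
    for line in lines:
        tag = route(line)
        counts[tag] = counts.get(tag, 0) + 1
    return counts


# Constructed sample lines (not captured from a real LoadMaster).
SAMPLE_LINES = [
    # WAF alert carrying ModSecurity engine output -> alert tag
    "<134>1 2024-05-01T10:15:00Z lm01 wafd 1234 - - ModSecurity: Warning. Pattern match ...",
    # WAF audit line whose third token is 'wafd' -> audit tag
    "2024-05-01T10:15:01Z lm01 wafd audit: request 4a1b processed",
    # Generic RFC 5424 event from the appliance -> box.unix.rfc5424
    "<86>1 2024-05-01T10:15:02Z lm01 sshd 987 - - Accepted publickey for admin",
    # Matches both WAF rules; rule order sends it to the alert tag, not audit
    "2024-05-01T10:15:03Z lm01 wafd ModSecurity: Access denied with code 403",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(f"{route(sample):28} <- {sample[:60]}")
    print(route_all(SAMPLE_LINES))
```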

Table structure

These are the fields displayed in these tables:

waf.kemp.loadmaster

Field                  | Type      | Field transformation                                 | Source field name      | Extra fields
eventdate              | timestamp |                                                      |                        |
machine                | str       |                                                      |                        |
type                   | str       |                                                      | vsubtype               |
syslog_event_time      | str       |                                                      |                        |
syslog_hostname        | str       |                                                      |                        |
syslog_process_name    | str       |                                                      |                        |
syslog_pid             | str       |                                                      |                        |
syslog_message_id      | str       |                                                      |                        |
syslog_structured_data | str       |                                                      |                        |
alert_client_ipv4      | ip4       | ip4(alert_client_ip)                                 | alert_client_ip        |
line                   | str       |                                                      |                        |
mod_security           | str       |                                                      |                        |
file                   | str       |                                                      |                        |
id                     | str       |                                                      |                        |
message                | str       | ifthenelse(isnull(_message), main_message, _message) | main_message, _message |
data                   | str       |                                                      |                        |
severity               | str       |                                                      |                        |
version                | str       |                                                      |                        |
tags_values            | str       | join(tags, ", ")                                     | tags                   |
hostname               | str       |                                                      |                        |
uri                    | str       |                                                      |                        |
unique_id              | str       |                                                      |                        |
hostchain              | str       |                                                      |                        | ✓
tag                    | str       |                                                      |                        | ✓
rawMessage             | str       |                                                      |                        | ✓

waf.kemp.loadmaster.alert

Field                  | Type      | Field transformation | Source field name      | Extra fields
eventdate              | timestamp |                      |                        |
machine                | str       |                      |                        |
syslog_event_time      | str       |                      |                        |
syslog_hostname        | str       |                      |                        |
syslog_process_name    | str       |                      |                        |
syslog_pid             | str       |                      |                        |
syslog_message_id      | str       |                      |                        |
syslog_structured_data | str       |                      |                        |
alert_client_ipv4      | ip4       |                      | alert_client_ip        |
line                   | str       |                      |                        |
mod_security           | str       |                      |                        |
file                   | str       |                      |                        |
id                     | str       |                      |                        |
message                | str       |                      | main_message, _message |
data                   | str       |                      |                        |
severity               | str       |                      |                        |
version                | str       |                      |                        |
tags_values            | str       |                      | tags                   |
hostname               | str       |                      |                        |
uri                    | str       |                      |                        |
unique_id              | str       |                      |                        |
hostchain              | str       |                      |                        | ✓
tag                    | str       |                      |                        | ✓
rawMessage             | str       |                      |                        | ✓

waf.kemp.loadmaster.audit

Field                  | Type      | Source field name | Extra fields
eventdate              | timestamp |                   |
machine                | str       |                   |
syslog_event_time      | str       |                   |
syslog_hostname        | str       |                   |
syslog_process_name    | str       |                   |
syslog_pid             | str       |                   |
syslog_message_id      | str       |                   |
syslog_structured_data | str       |                   |
message                | str       | main_message      |
hostchain              | str       |                   | ✓
tag                    | str       |                   | ✓
rawMessage             | str       |                   | ✓