waf.kemp
Introduction
The tags beginning with waf.kemp identify events generated by Kemp Technologies products.
Valid tags and data tables
The full tag must have at least 3 levels. The first two are fixed as waf.kemp. The third level identifies the type of events sent. The fourth level indicates the event subtype.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Kemp LoadMaster | waf.kemp.loadmaster.alert, waf.kemp.loadmaster.audit | waf.kemp.loadmaster, waf.kemp.loadmaster.alert, waf.kemp.loadmaster.audit |
For more information, read About Devo tags.
How is the data sent to Devo?
Logs generated by Kemp Technologies must be sent to the Devo platform through the Devo Relay, which secures the communication. The relay needs the rules below; they are evaluated in order, and each one stops processing on a match, so an event is routed by the first rule it satisfies:
Rule for WAF Kemp LoadMaster Alert events
- Source port - Any available port.
- Source data - ModSecurity:
- Sent without syslog tag - ✓
- Target tag - waf.kemp.loadmaster.alert
- Stop processing - ✓

Rule for WAF Kemp LoadMaster Audit events
- Source port - Same port as first rule.
- Source data - ^\S+\s\S+\s(wafd|WAF)\s
- Sent without syslog tag - ✓
- Target tag - waf.kemp.loadmaster.audit
- Stop processing - ✓

Rule for Kemp other events
Events sent using this rule should follow RFC 5424 format to be parsed correctly.
- Source port - Same port as first rule.
- Sent without syslog tag - ✓
- Target tag - box.unix.rfc5424
- Stop processing - ✓
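As an added illustration that is not part of this page or of the Kemp product, the following Python models the three relay rules above as an ordered chain and shows why their order matters: a ModSecurity alert line that also carries a wafd/WAF token would satisfy the audit regex too, so it must reach the ModSecurity rule first. It assumes the relay evaluates "Source data" as a regex search, and the log lines are constructed samples, not real LoadMaster output.

```python
import re

# The three relay rules from this page, in the order the relay evaluates them.
# Devo relay "Source data" is treated here as a regex search (assumption);
# "ModSecurity:" is a literal, so the search is a substring match. Every rule
# has "Stop processing" set, so the first matching rule wins.
RELAY_RULES = [
    (re.compile(r"ModSecurity:"), "waf.kemp.loadmaster.alert"),
    (re.compile(r"^\S+\s\S+\s(wafd|WAF)\s"), "waf.kemp.loadmaster.audit"),
    (re.compile(r""), "box.unix.rfc5424"),  # catch-all: empty pattern matches any line
]


def route_event(line, rules=RELAY_RULES):
    """Return the target tag the relay chain assigns to one raw line, or None."""
    for pattern, tag in rules:
        if pattern.search(line):
            return tag
    return None


def route_events(lines, rules=RELAY_RULES):
    """Route a batch of lines; returns a list of (line, tag) pairs."""
    return [(line, route_event(line, rules)) for line in lines]


# Constructed sample lines (not real LoadMaster output), one per rule.
SAMPLE_LINES = [
    # Matches rule 1, but note it would ALSO match the audit regex of rule 2.
    "2024-06-12T10:15:01Z lm-01 WAF ModSecurity: Warning. Pattern match at REQUEST_URI.",
    # Matches only rule 2: third token is "wafd" followed by whitespace.
    "2024-06-12T10:15:02Z lm-01 wafd audit: rule set reloaded by admin",
    # RFC 5424 line with no WAF marker: falls through to rule 3.
    "<34>1 2024-06-12T10:15:03Z lm-01 sshd 1234 ID47 - session opened for user admin",
]

# Swapping the first two rules is a realistic misconfiguration: the ModSecurity
# alert line above then matches the audit regex first and lands in the audit
# table, where its alert fields are never parsed.
MISORDERED_RULES = [RELAY_RULES[1], RELAY_RULES[0], RELAY_RULES[2]]

if __name__ == "__main__":
    for line, tag in route_events(SAMPLE_LINES):
        print(f"{tag:28} <- {line[:60]}")
    print("misordered:", route_event(SAMPLE_LINES[0], MISORDERED_RULES))
```

Running it against a few lines captured from your own relay port before enabling the rules is a cheap way to confirm that alerts are not being swallowed by the audit rule.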
Table structure
These are the fields displayed in these tables:
waf.kemp.loadmaster

Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
machine | | | | |
type | | | vsubtype | |
syslog_event_time | | | | |
syslog_hostname | | | | |
syslog_process_name | | | | |
syslog_pid | | | | |
syslog_message_id | | | | |
syslog_structured_data | | | | |
alert_client_ipv4 | | ip4(alert_client_ip) | alert_client_ip | |
line | | | | |
mod_security | | | | |
file | | | | |
id | | | | |
message | | ifthenelse(isnull(_message), main_message, _message) | main_message, _message | |
data | | | | |
severity | | | | |
version | | | | |
tags_values | | join(tags, ", ") | tags | |
hostname | | | | |
uri | | | | |
unique_id | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | ✓ |
waf.kemp.loadmaster.alert

Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
machine | | | | |
syslog_event_time | | | | |
syslog_hostname | | | | |
syslog_process_name | | | | |
syslog_pid | | | | |
syslog_message_id | | | | |
syslog_structured_data | | | | |
alert_client_ipv4 | | | alert_client_ip | |
line | | | | |
mod_security | | | | |
file | | | | |
id | | | | |
message | | | main_message, _message | |
data | | | | |
severity | | | | |
version | | | | |
tags_values | | | tags | |
hostname | | | | |
uri | | | | |
unique_id | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | ✓ |
waf.kemp.loadmaster.audit

Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
machine | | | |
syslog_event_time | | | |
syslog_hostname | | | |
syslog_process_name | | | |
syslog_pid | | | |
syslog_message_id | | | |
syslog_structured_data | | | |
message | | main_message | |
hostchain | | | ✓ |
tag | | | ✓ |
rawMessage | | | ✓ |