
network.riverbed

Introduction

The tags beginning with network.riverbed identify events generated by Riverbed.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as network.riverbed. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| Riverbed SteelHead | network.riverbed.steelhead.event | network.riverbed.steelhead.event |
| Riverbed SteelCentral | network.riverbed.steelcentral.audit | network.riverbed.steelcentral.audit |

For more information, read About Devo tags.

How is the data sent to Devo?

Logs generated by Riverbed must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below:

Rule for SteelCentral - Audit events

  • Source port - Any available port

  • Source message - cascade-audit

  • Target tag - network.riverbed.steelcentral.audit

  • Sent without syslog tag - ✓

  • Stop processing - ✓

Rule for SteelHead - Events events

  • Source port - Any available port

  • Source message - ^[a-zA-Z]*\[\d+\]\:\s\[

  • Target tag - network.riverbed.steelhead.event

  • Sent without syslog tag - ✓

  • Stop processing - ✓

Rule for SteelHead - Events (httpd) events

  • Source port - Any available port

  • Source message - httpd:

  • Target tag - network.riverbed.steelhead.event

  • Sent without syslog tag - ✓

  • Stop processing - ✓

No 3rd-party mechanism is used. No collector is needed.
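
The three relay rules above can be checked against sample messages before the relay is configured, so that lines matching no rule are noticed early. This is an added example, not Devo's code: it assumes the Source message value is a regular expression searched within the message and that rules are evaluated in the order listed, and the sample messages are constructed.

```python
import re

# Relay rules transcribed from the page, in the order they are listed.
# Assumption: "Source message" is a regular expression searched in the
# message, and a rule with "Stop processing" ends evaluation on a match.
RULES = [
    ("SteelCentral - Audit", re.compile(r"cascade-audit"),
     "network.riverbed.steelcentral.audit"),
    ("SteelHead - Events", re.compile(r"^[a-zA-Z]*\[\d+\]\:\s\["),
     "network.riverbed.steelhead.event"),
    ("SteelHead - Events (httpd)", re.compile(r"httpd:"),
     "network.riverbed.steelhead.event"),
]

def route(message):
    """Return (rule name, target tag) of the first matching rule, or None."""
    for name, pattern, tag in RULES:
        if pattern.search(message):
            return name, tag
    return None

def untagged(messages):
    """Messages that no rule claims; these never reach the Riverbed tables."""
    return [m for m in messages if route(m) is None]

# Constructed sample messages (not real Riverbed output).
SAMPLES = [
    "cascade-audit[2211]: id=42 type=login success=true",
    "sport[12345]: [splice/client.INFO] connection established",
    "httpd: admin session opened from 10.0.0.7",
    "sport: [splice/client.INFO] line without a pid",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(route(msg), "<-", msg)
    print("untagged:", untagged(SAMPLES))
```

The last sample has no `[pid]` after the process name, so the SteelHead pattern does not match it and it is reported as untagged.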

Table structure

These are the fields displayed in these tables:

network.riverbed.steelhead.event

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| machine | str | |
| event_process_name | str | |
| event_pid | str | |
| event_facility | str | |
| event_severity | str | |
| event_id | str | |
| event_time | str | |
| source_ip | str | |
| source_ipv4 | ip4 | |
| source_port | str | |
| destination_ip | str | |
| destination_ipv4 | ip4 | |
| destination_port | str | |
| source_module_name | str | |
| error_code | str | |
| client_ip | str | |
| client_ipv4 | ip4 | |
| client_port | str | |
| message | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

network.riverbed.steelcentral.audit

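| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| machine | str | |
| event_process_name | str | |
| event_pid | str | |
| origin_ip | str | |
| origin_ipv4 | ip4 | |
| enterprise_id | str | |
| software | str | |
| sw_version | str | |
| audit_event_id | str | |
| id | str | |
| type | str | |
| subtype | str | |
| created | str | |
| source_ip | str | |
| source_ipv4 | ip4 | |
| source_ipv6 | ip6 | |
| uid | str | |
| user_login | str | |
| pid | str | |
| success | str | |
| audit_type | str | |
| command | str | |
| terminal | str | |
| message | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |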