network.riverbed
Introduction
The tags beginning with network.riverbed identify events generated by Riverbed.
Valid tags and data tables
The full tag must have 4 levels. The first two are fixed as network.riverbed. The third level identifies the type of events sent. The fourth level indicates the event subtype.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Riverbed SteelHead | | |
Riverbed SteelCentral | | |
For more information, see About Devo tags.
How is the data sent to Devo?
Logs generated by Riverbed must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below:
Rule for SteelCentral - Audit events
Source port - Any available port
Source message - cascade-audit
Target tag - network.riverbed.steelcentral.audit
Sent without syslog tag - ✓
Stop processing - ✓

Rule for SteelHead - Events events
Source port - Any available port
Source message - ^[a-zA-Z]*\[\d+\]\:\s\[
Target tag - network.riverbed.steelhead.event
Sent without syslog tag - ✓
Stop processing - ✓

Rule for SteelHead - Events (httpd) events
Source port - Any available port
Source message - httpd:
Target tag - network.riverbed.steelhead.event
Sent without syslog tag - ✓
Stop processing - ✓

No 3rd-party mechanism is used. No collector is needed.
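Before deploying the rules above, captured messages can be checked offline to confirm which target tag each one would receive and which lines match no rule at all. The following is an added example, not part of the Devo documentation or the relay's own code. It assumes each Source message value is applied as an unanchored regular-expression search, that rules are evaluated in the order listed, and that Stop processing ends evaluation at the first match. The sample messages are constructed.

```python
import re

# Relay rules as listed on this page: (rule name, source-message pattern, target tag).
# Assumption: the relay applies each pattern as an unanchored regex search, in
# the order listed, and "Stop processing" ends evaluation at the first match.
RULES = [
    ("SteelCentral - Audit", r"cascade-audit", "network.riverbed.steelcentral.audit"),
    ("SteelHead - Events", r"^[a-zA-Z]*\[\d+\]\:\s\[", "network.riverbed.steelhead.event"),
    ("SteelHead - Events (httpd)", r"httpd:", "network.riverbed.steelhead.event"),
]
COMPILED = [(name, re.compile(pat), tag) for name, pat, tag in RULES]


def classify(message):
    """Return (rule name, target tag) for the first matching rule, or None."""
    for name, pattern, tag in COMPILED:
        if pattern.search(message):
            return name, tag
    return None


def coverage(messages):
    """Count messages per target tag; unmatched lines are counted under None."""
    counts = {}
    for msg in messages:
        hit = classify(msg)
        tag = hit[1] if hit else None
        counts[tag] = counts.get(tag, 0) + 1
    return counts


# Constructed sample messages (not real Riverbed output), shaped only to
# exercise each pattern plus one line that no rule matches.
SAMPLES = [
    "cascade-audit[2210]: id=42 type=login success=true",
    "sport[4711]: [splice/client.INFO] connection established",
    "httpd: session opened for user admin",
    "kernel: eth0 link up",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
    print(coverage(SAMPLES))
```

Lines counted under None would not be routed by any of these three rules. Note also that the SteelHead pattern only accepts process names made of letters, so a name containing a digit or hyphen is not matched by that rule.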
Table structure
These are the fields displayed in these tables:
network.riverbed.steelhead.event
Field | Type | Extra fields |
---|---|---|
eventdate | | |
machine | | |
event_process_name | | |
event_pid | | |
event_facility | | |
event_severity | | |
event_id | | |
event_time | | |
source_ip | | |
source_ipv4 | | |
source_port | | |
destination_ip | | |
destination_ipv4 | | |
destination_port | | |
source_module_name | | |
error_code | | |
client_ip | | |
client_ipv4 | | |
client_port | | |
message | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |
network.riverbed.steelcentral.audit
Field | Type | Extra fields |
---|---|---|
eventdate | | |
machine | | |
event_process_name | | |
event_pid | | |
origin_ip | | |
origin_ipv4 | | |
enterprise_id | | |
software | | |
sw_version | | |
audit_event_id | | |
id | | |
type | | |
subtype | | |
created | | |
source_ip | | |
source_ipv4 | | |
source_ipv6 | | |
uid | | |
user_login | | |
pid | | |
success | | |
audit_type | | |
command | | |
terminal | | |
message | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |