
vpn.soft_ether

Introduction

The tags beginning with vpn.soft_ether identify events generated by SoftEther VPN.

Valid tags and data tables 

The full tag must have 4 levels. The first two are fixed as vpn.soft_ether. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| SoftEther VPN | vpn.soft_ether.packet_log.event | vpn.soft_ether.packet_log.event |
| | vpn.soft_ether.security_log.event | vpn.soft_ether.security_log.event |
| | vpn.soft_ether.server_log.event | vpn.soft_ether.server_log.event |

For more information, see About Devo tags.

How is the data sent to Devo?

Logs generated by SoftEther VPN must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below:

Rule for events of SoftEther VPN Packet log

  • Source port - Any available port.

  • Target tag - vpn.soft_ether.packet_log.event

  • Sent without syslog tag - ✓

  • Stop processing - ✓

Rule for events of SoftEther VPN Security log

  • Source port - Any available port.

  • Target tag - vpn.soft_ether.security_log.event

  • Sent without syslog tag - ✓

  • Stop processing - ✓

Rule for events of SoftEther VPN Server log

  • Source port - Any available port.

  • Target tag - vpn.soft_ether.server_log.event

  • Sent without syslog tag - ✓

  • Stop processing - ✓

Table structure

These are the fields displayed in these tables:

vpn.soft_ether.packet_log.event

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| machine | str | | | |
| sever_timestamp | timestamp | parsedate(server_date, +" " + server_time, dateformat("YYYY-MM-DD HH:mm:ss.SSS")) | server_time, server_date | |
| source_session_id | str | | | |
| destination_session_id | str | | | |
| source_mac | str | | | |
| destination_mac | str | | | |
| protocol | str | | | |
| packet_size | int4 | | | |
| packet_type | str | | | |
| packet_flags | str | | | |
| source_ip | str | | | |
| source_ipv4 | ip4 | | | |
| source_port | str | | | |
| destination_ip | str | | | |
| destination_ipv4 | ip4 | | | |
| destination_port | str | | | |
| sequence_number | int8 | | | |
| ack_number | int8 | | | |
| protocol_information | str | | | |
| packet_data | str | | | |
| physical_source_ip | str | | | |
| physical_source_ipv4 | ip4 | | | |
| physical_destination | str | | | |
| physical_destination_ipv4 | ip4 | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |

vpn.soft_ether.security_log.event

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| machine | str | |
| protocol | str | |
| session_id | str | |
| action | str | |
| source_ip | str | |
| source_ipv4 | ip4 | |
| source_port | str | |
| destination_ip | str | |
| destination_ipv4 | ip4 | |
| destination_port | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

vpn.soft_ether.server_log.event

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| machine | str | |
| connection_id | str | |
| protocol | str | |
| encryption_algorithm_name | str | |
| action | str | |
| hostname | str | |
| client_ip | str | |
| client_ipv4 | ip4 | |
| client_port | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |