box.unix
Introduction
The system logs from a Unix machine are assigned the box.unix tag.
The tag may be simply box.unix or may contain additional tag levels. Devo does not analyze these additional elements, so there is complete freedom in content. For example, you might choose to append the syslog tag to the box.unix tag.
Events that arrive in Devo with the box.unix tag will be parsed according to the syslog format specified by RFC 3164.
The MSG part of the packet is not parsed for display, but you can search within this field using the column filter in the query window.
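As an added example (not Devo's own parser), the following Python splits an RFC 3164 line into the header fields the table below names (facility, level, machine, appName, processId, message, srceventdate) while leaving MSG untouched; the year used for the timestamp, the severity keyword names and the sample lines are assumptions or constructed for this example.

```python
import re
from datetime import datetime

# Assumed RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG (TAG and PID are optional).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<app>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?)?"
    r"(?P<msg>.*)$"
)

# Keyword names for the eight RFC 3164 severities, indexed by numeric level.
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_rfc3164(line, year=2024):
    """Split one syslog line into the header fields the box.unix table shows.
    Returns None for lines that are not well-formed RFC 3164 (keep those as raw
    text rather than guessing). MSG is returned verbatim and never interpreted.
    """
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility is 0..23 and severity 0..7, so PRI is at most 23*8+7
        return None
    # RFC 3164 timestamps carry no year, so the caller supplies it (assumed here).
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "facility": pri // 8,
        "level": pri % 8,
        "levelName": SEVERITY[pri % 8],
        "srceventdate": ts.isoformat(),
        "machine": m.group("host"),  # sender-supplied; do not trust it for access decisions
        "appName": m.group("app"),
        "processId": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
    }


# Constructed sample lines: the first is the example from RFC 3164 section 5.4,
# the second is a made-up sshd line in the same format.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<86>Nov  3 09:01:02 web01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_rfc3164(sample))
```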
How is the data sent to Devo?
You can use rsyslog to send the system logs securely to the Devo Cloud. There's an example in the article about Secure sending using rsyslog.
Table structure
These are the fields displayed in this table:
box.unix
Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | | |
machine | | |
srceventdate | | |
facility | | |
level | | vlevel |
application | | |
appName | | |
processId | | |
message | | |
auditType | | |
type | | |
action | | |
user | | |
srcUser | | |
srcIp | | |
srcPort | | |
msg | | |
obj | | |
pid | | |
uid | | |
auid | | |
ses | | |
tty | | |
pwd | | |
cmd | | |
attempt | | |
device | | |
arch | | |
syscall | | |
success | | |
exit | | |
op | | |
comm | | |
msg2 | | |
hostchain | | | ✓
tag | | | ✓
rawMessage | | rawSource | ✓