
box.unix

Introduction

System logs from a Unix machine are assigned the box.unix tag.

The tag may be simply box.unix, or it may carry additional levels. Devo does not interpret these extra levels, so their content is free-form; for example, you might append syslog as an extra level, giving box.unix.syslog.

Events that arrive in Devo with the box.unix tag are parsed according to the BSD syslog format specified in RFC 3164.

The MSG part of the packet is not parsed into further columns; it is stored as a single field, which you can search using the column filter in the query window.
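As an added example (this is not Devo's own parser, whose internals this page does not describe), the following Python script shows what RFC 3164 parsing of a box.unix event amounts to: the PRI value is split into facility and severity, the header yields the host, application name and process id, and the MSG part is kept whole. The mapping of these values onto the column names of the table below (machine, facility, level, appName, processId, message, srceventdate, tag), the sample log lines, and the year supplied for the year-less RFC 3164 timestamp are all assumptions made for this example.

```python
import re
from datetime import datetime

# RFC 3164 facility and severity names, indexed by the numeric codes
# derived from the PRI value (facility = PRI // 8, severity = PRI % 8).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME TAG[pid]: MSG   (TIMESTAMP is "Mmm dd hh:mm:ss", no year)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<app>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)


def table_for_tag(tag: str) -> str:
    """Return the table a Devo tag resolves to. Only the first two levels
    matter, so box.unix.syslog and box.unix.web01 both land in box.unix."""
    levels = tag.split(".")
    if levels[:2] != ["box", "unix"]:
        raise ValueError(f"not a box.unix tag: {tag}")
    return "box.unix"


def parse_rfc3164(line: str, tag: str = "box.unix", year: int = 2024) -> dict:
    """Parse one RFC 3164 line into header-level columns of box.unix.
    The MSG part is kept whole; nothing inside it is split out.
    RFC 3164 timestamps carry no year, so the caller supplies one (assumption)."""
    m = RFC3164.match(line)
    if m is None:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    # Collapse the space-padded day ("Oct  5") so strptime sees one separator.
    ts = " ".join(m["ts"].split())
    return {
        "tag": table_for_tag(tag),
        "srceventdate": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
        "machine": m["host"],
        "facility": FACILITIES[facility],
        "level": SEVERITIES[severity],
        "appName": m["app"],
        "processId": m["pid"],  # None when the TAG carries no [pid]
        "message": m["msg"],
    }


def parse_lines(lines, tag="box.unix"):
    """Parse a batch, separating well-formed events from rejected lines."""
    events, rejected = [], []
    for line in lines:
        try:
            events.append(parse_rfc3164(line, tag))
        except ValueError:
            rejected.append(line)
    return events, rejected


def search_message(events, needle: str):
    """Mimic the query-window column filter: substring match on the whole MSG field."""
    return [e for e in events if needle in e["message"]]


# Constructed sample lines for this example (not taken from any real system).
SAMPLE_LINES = [
    "<86>Oct  5 14:03:11 web01 sshd[2210]: Accepted publickey for deploy from 203.0.113.7 port 51122 ssh2",
    "<85>Oct  5 14:03:12 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx",
    "<13>Oct  5 14:03:13 web01 root: scheduled maintenance starting",
    "Oct  5 14:03:14 web01 cron[400]: line without a PRI header",
]

if __name__ == "__main__":
    events, rejected = parse_lines(SAMPLE_LINES, tag="box.unix.syslog")
    for e in events:
        print(e["srceventdate"], e["machine"], e["facility"], e["level"],
              e["appName"], e["processId"], e["message"][:40])
    print("rejected:", rejected)
    print("events containing COMMAND=:", len(search_message(events, "COMMAND=")))
```

Run it and the first line resolves to facility authpriv, level info, appName sshd and processId 2210; the sudo line has no process id, so processId is None; the final line has no PRI header and is rejected rather than silently mis-parsed. The tag box.unix.syslog is accepted and reduced to box.unix, matching the free-form extra levels described above.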

How is the data sent to Devo?

You can use rsyslog to send system logs securely to the Devo Cloud. See the article Secure sending using rsyslog for a worked example.

Table structure

These are the fields displayed in this table:

box.unix

Field           Type        Source field name   Extra fields
eventdate       timestamp
machine         str
srceventdate    timestamp
facility        str
level           str         vlevel
application     str
appName         str
processId       str
message         str
auditType       str
type            str
action          str
user            str
srcUser         str
srcIp           ip4
srcPort         int4
msg             str
obj             str
pid             str
uid             int4
auid            str
ses             str
tty             str
pwd             str
cmd             str
attempt         int4
device          str
arch            str
syscall         str
success         str
exit            str
op              str
comm            str
msg2            str
hostchain       str                             ✓
tag             str                             ✓
rawMessage      str         rawSource           ✓