waf.kemp
- Juan Tomás Alonso Nieto (Deactivated)
Introduction
The tags beginning with waf.kemp identify events generated by Kemp Technologies products.
Valid tags and data tablesÂ
The full tag must have at least 3 levels. The first two are fixed as waf.kemp. The third level identifies the type of events sent. The fourth level indicates the event subtype.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
|---|---|---|
Kemp LoadMaster |
|
|
| ||
|
| |
|
|
For more information, read more About Devo tags.
How is the data sent to Devo?
Logs generated by Kemp Technologies must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below:
Rule for WAF Kemp Loadmaster Alert events
Source port - Any available port.
Source data -
ModSecurity:Sent without syslog tag - ✓
Target tag -
waf.kemp.loadmaster.alertStop processing - ✓
Rule for WAF Kemp Loadmaster Audit events
Source port - Same port as first rule.
Source data -
^\S+\s\S+\s(wafd|WAF)\sSent without syslog tag - ✓
Target tag -
waf.kemp.loadmaster.auditStop processing - ✓
Rule for Kemp other events
Events sent using this rule should follow RFC-5424 format to be parsed correctly.
Source port - Same port as first rule.
Sent without syslog tag - ✓
Target tag -
box.unix.rfc5424Stop processing - ✓
Table structure
These are the fields displayed in these tables:
waf.kemp.loadmaster
Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
eventdate |
| Â | Â | Â |
machine |
| Â | Â | Â |
type |
| Â | vsubtype | Â |
syslog_event_time |
| Â | Â | Â |
syslog_hostname |
| Â | Â | Â |
syslog_process_name |
| Â | Â | Â |
syslog_pid |
| Â | Â | Â |
syslog_message_id |
| Â | Â | Â |
syslog_structured_data |
| Â | Â | Â |
alert_client_ipv4 |
| ip4(alert_client_ip) | alert_client_ip | Â |
line |
| Â | Â | Â |
mod_security |
| Â | Â | Â |
file |
| Â | Â | Â |
id |
| Â | Â | Â |
message |
| ifthenelse(isnull(_message), main_message, _message) | main_message _message | Â |
data |
| Â | Â | Â |
severity |
| Â | Â | Â |
version |
| Â | Â | Â |
tags_values |
| join(tags, ", ") | tags | Â |
hostname |
| Â | Â | Â |
uri |
| Â | Â | Â |
unique_id |
| Â | Â | Â |
hostchain |
|  |  | ✓ |
tag |
|  |  | ✓ |
rawMessage |
|  |  | ✓ |
waf.kemp.loadmaster.alert
Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
eventdate |
| Â | Â | Â |
machine |
| Â | Â | Â |
syslog_event_time |
| Â | Â | Â |
syslog_hostname |
| Â | Â | Â |
syslog_process_name |
| Â | Â | Â |
syslog_pid |
| Â | Â | Â |
syslog_message_id |
| Â | Â | Â |
syslog_structured_data |
| Â | Â | Â |
alert_client_ipv4 |
| alert_client_ip | Â | |
line |
| Â | Â | Â |
mod_security |
| Â | Â | Â |
file |
| Â | Â | Â |
id |
| Â | Â | Â |
message |
| main_message _message | Â | |
data |
| Â | Â | Â |
severity |
| Â | Â | Â |
version |
| Â | Â | Â |
tags_values |
| tags | Â | |
hostname |
| Â | Â | Â |
uri |
| Â | Â | Â |
unique_id |
| Â | Â | Â |
hostchain |
|  |  | ✓ |
tag |
|  |  | ✓ |
rawMessage |
|  |  | ✓ |
waf.kemp.loadmaster.audit
Field | Type | Source field name | Extra fields |
|---|---|---|---|
eventdate |
| Â | Â |
machine |
| Â | Â |
syslog_event_time |
| Â | Â |
syslog_hostname |
| Â | Â |
syslog_process_name |
| Â | Â |
syslog_pid |
| Â | Â |
syslog_message_id |
| Â | Â |
syslog_structured_data |
| Â | Â |
message |
| main_message | Â |
hostchain |
|  | ✓ |
tag |
|  | ✓ |
rawMessage |
|  | ✓ |