The fields available in Basic and Enhanced Standard Syslog formats are the same, except for three optional fields – App-Name, ProcID, and MsgID.
App Control Event Mapping to Basic and Enhanced Syslog Format shows the Basic and Enhanced Syslog format fields supported by App Control. Examples of messages in these formats are shown below the table.
Syslog field | Data Type | Note
---|---|---
Facility[1] | INTEGER | Syslog facility, always "user-level". Note: Facility and Severity are coded into one number per the Syslog specification.
Severity[1] | INTEGER | Severity mapped from event severity (see App Control Event Types). Note: Facility and Severity are coded into one number per the Syslog specification.
Version | INTEGER | (Enhanced Syslog only) Syslog version, by default "1"
Timestamp | DATETIME | Timestamp when the Syslog event was sent (with the year and UTC time zone according to RFC 5424)
Hostname | NVARCHAR(256) | App Control Server hostname, appended by domain as per RFC 5424
App-Name | NVARCHAR(256) | (Enhanced Syslog only) Configurable value in ParityReporter.log.xml, by default "-"
ProcID | NVARCHAR(256) | (Enhanced Syslog only) Configurable value in ParityReporter.log.xml, by default "-"
MsgID | NVARCHAR(256) | (Enhanced Syslog only) Configurable value in ParityReporter.log.xml, by default "-"
Message | Message field | A long text string beginning with `event:` and including all the "All messages" fields below inline; the message can also include some combination of the conditional fields. Example: `Carbon Black App Control Server event:text="…" type="..." …`
**Message fields** | |
text | NVARCHAR(2048) | Event message (All messages)
type | NVARCHAR(256) | Event type name (All messages)
subtype | NVARCHAR(256) | Event subtype name (All messages)
hostname | NVARCHAR(256) | Event source: computer name, or 'System' for the App Control Server (All messages)
username | NVARCHAR(256) | Name of the user associated with the event (All messages)
date | DATETIME | Event timestamp in UTC (All messages)
ip_address | VARCHAR | IP address (IPv4 or IPv6) of the agent reporting the event (Conditional)
process | NVARCHAR(512) | Process associated with the event (Conditional)
file_path | NVARCHAR(450) | File path of the file associated with the event (Conditional)
file_name | NVARCHAR(450) | Name of the file associated with the event (Conditional)
file_hash | CHAR(64) | Hash of the file associated with the event (Conditional)
installer_name | NVARCHAR(450) | Name of the installer associated with the event (e.g., the installer that installed a newly discovered file) (Conditional)
policy | NVARCHAR(128) | Name of the App Control policy for the agent associated with the event (Conditional)
ban_name | NVARCHAR(128) | For files blocked due to bans, the name of the ban (Conditional)
rapid_config_name | NVARCHAR(256) | Name of the Rapid Config associated with the event (Conditional)
rule_name | NVARCHAR(256) | Name of the rule associated with the event (Conditional)
updater_name | NVARCHAR(256) | Name of the Updater associated with the event (Conditional)
indicator_name | NVARCHAR(256) | Name of the threat indicator associated with the event; if present, same as rule_name (Conditional)
server_version | NVARCHAR(MAX) | Version of the App Control Server associated with the event (All messages)
file_trust | -2 pending, -1 unknown, 0-10 trust value | File trust from Carbon Black File Reputation for the file associated with the event. Pending means the Carbon Black File Reputation lookup has not yet been performed but will be. (Conditional)
file_threat | -2 pending, -1 unknown, 0 no threat, 1 potential risk, 2 malicious | File threat from Carbon Black File Reputation for the file associated with the event. Pending means the Carbon Black File Reputation lookup has not yet been performed but will be. (Conditional)
process_key | UID | Unique proprietary key identifying the instance of the process on a specific computer
process_trust | -2 pending, -1 unknown, 0-10 trust value | Parent process trust from Carbon Black File Reputation for the file associated with the event. Pending means the Carbon Black File Reputation lookup has not yet been performed but will be. (Conditional)
process_threat | -2 pending, -1 unknown, 0 no threat, 1 potential risk, 2 malicious |
unified_source | NVARCHAR(256) | Unified server that is the source of the event, if unified management is enabled (Conditional)
prevalence | INTEGER | Prevalence of the file related to the event
global_state | NVARCHAR(128) | Global state of the file associated with the event (Approved/Unapproved/Banned)
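The following parser is an added example, not code from the App Control product or its documentation: it splits an Enhanced Syslog line into its RFC 5424 header, decodes the combined facility/severity number, extracts the inline `key="value"` event fields, checks that every "All messages" field is present, and maps the trust and threat codes from the table to labels for a SIEM pipeline. The Basic-format layout (the same header minus Version, App-Name, ProcID and MsgID), backslash-escaped quotes inside values, and the sample line itself are assumptions.

```python
import re

# Enhanced format header per RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID MSG.
# The Basic layout (header minus Version, App-Name, ProcID, MsgID) is assumed from the field table.
_ENHANCED = re.compile(r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "
                       r"(?P<app_name>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<msg>.*)$", re.S)
_BASIC = re.compile(r"^<(?P<pri>\d{1,3})>(?P<timestamp>\S+) (?P<hostname>\S+) (?P<msg>.*)$", re.S)
# key="value" pairs in the message body; backslash-escaped quotes inside values are an assumption.
_KV = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
_ALWAYS = ("text", "type", "subtype", "hostname", "username", "date", "server_version")
THREAT = {-2: "pending", -1: "unknown", 0: "no threat", 1: "potential risk", 2: "malicious"}

def decode_pri(pri: int) -> tuple:
    """PRI carries facility and severity in one number: PRI = facility * 8 + severity."""
    return pri // 8, pri % 8

def trust_label(value: int) -> str:
    """file_trust / process_trust codes: -2 pending, -1 unknown, 0-10 trust value."""
    if value in (-2, -1):
        return THREAT[value]
    if 0 <= value <= 10:
        return f"trust {value}/10"
    raise ValueError(f"trust value out of range: {value}")

def parse_event(line: str) -> dict:
    """Parse one App Control syslog line into header fields plus the event's key/value fields."""
    m = _ENHANCED.match(line) or _BASIC.match(line)
    if not m:
        raise ValueError("line does not match the Enhanced or Basic header layout")
    hdr = m.groupdict()
    hdr["facility"], hdr["severity"] = decode_pri(int(hdr.pop("pri")))
    _, sep, body = hdr.pop("msg").partition("event:")
    if not sep:
        raise ValueError("message body lacks the 'event:' marker")
    fields = {k: v.replace('\\"', '"') for k, v in _KV.findall(body)}  # unescape quotes
    missing = [k for k in _ALWAYS if k not in fields]
    if missing:
        raise ValueError(f"missing 'All messages' fields: {missing}")
    for key in ("file_trust", "process_trust"):
        if key in fields:
            fields[key + "_label"] = trust_label(int(fields[key]))
    for key in ("file_threat", "process_threat"):
        if key in fields:
            fields[key + "_label"] = THREAT[int(fields[key])]
    return {"header": hdr, "event": fields}

# Constructed sample line (Enhanced format, PRI 13 = facility 1 "user-level", severity 5); not a capture.
FAKE_HASH = "0" * 64  # placeholder, not a real file hash
SAMPLE = ('<13>1 2024-03-01T12:00:00Z cbserver.example.com - - - Carbon Black App Control Server '
          'event:text="File \\"tool.exe\\" blocked by ban" type="Policy Enforcement" '
          'subtype="Execution block (banned file)" hostname="WS01" username="EXAMPLE\\alice" '
          'date="2024-03-01 12:00:00" file_name="tool.exe" file_hash="' + FAKE_HASH + '" '
          'file_trust="-2" file_threat="2" ban_name="Block tool.exe" server_version="8.9.0"')
```

Running `parse_event(SAMPLE)` yields facility 1 / severity 5 in the header and `file_trust_label == "pending"`, `file_threat_label == "malicious"` in the event fields; a line missing any "All messages" field raises ValueError.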