The standard security log format is key value pairs delimited by pipes.


timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9.1.120113.0|evt_code=14|evt_name=url redirection violated|sev=6|cat=input validation|outcome=failure|dhost=appsec-targ07|src_ip=|suid=_1_1|suser=administrator|session_id=1095|msg=Invalid url in request and exception thrown. May an indicator of attempts to perform arbitrary redirects to malicious websites.|http_useragent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22|act=exception|request=/webapps/portal/execute/tabs/tabManageModules|requestparam=|requestval=

Log fields

Log fields may be added or removed depending on the security event code. Fields that are not relevant may appear as empty strings.

# Field Sample Value
1 Event time timestamp=MMM dd yyyy HH:mm:ss.SSS zzz
2 Vendor, Company app_vend=blackboard
3 Product Name app_name=learn
4 Product Version app_ver=9.1.120113.0
5 Event Code evt_code=#
6 Event Name evt_name=string
7 Event Severity sev=#
8 Event Category cat=string
9 Event Outcome outcome=success|failure
10 Event Destination Host dhost=appserver_name
11 Event Client IP Address src_ip=string
12 Event Source User ID suid=_#_#
13 Event Source Username suser=string
14 Event Source Session ID session_id=#
15 Event Message msg=string

If an exception is thrown, then the stack trace may be dumped with new line characters represented as "\n" 

rule violated and exception thrown\n<stacktrace with \n for line breaks>

16 Event Client Browser User Agent http_useragent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.91 Safari/534.30
17 Action Taken act=string
18 Event Request URL request=/some/random/path
19 Event Request Parameter requestparam=string
20 Event Request Parameter Value requestval=string
21 Filename fname=file.extension