The standard security log format is a sequence of key-value pairs (`key=value`) delimited by pipes (`|`).
Example
timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9.1.120113.0|evt_code=14|evt_name=url redirection violated|sev=6|cat=input validation|outcome=failure|dhost=appsec-targ07|src_ip=10.100.100.100|suid=_1_1|suser=administrator|session_id=1095|msg=Invalid url in request and exception thrown. May an indicator of attempts to perform arbitrary redirects to malicious websites.|http_useragent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22|act=exception|request=/webapps/portal/execute/tabs/tabManageModules|requestparam=|requestval=http://www.blackboard.com
Log fields
Log fields may be added or removed depending on the security event code. Fields that are not relevant may appear as empty strings.
# | Field | Sample Value |
---|---|---|
1 | Event time | timestamp=MMM dd yyyy HH:mm:ss.SSS zzz |
2 | Vendor, Company | app_vend=blackboard |
3 | Product Name | app_name=learn |
4 | Product Version | app_ver=9.1.120113.0 |
5 | Event Code | evt_code=# |
6 | Event Name | evt_name=string |
7 | Event Severity | sev=# |
8 | Event Category | cat=string |
9 | Event Outcome | outcome=success\|failure |
10 | Event Destination Host | dhost=appserver_name |
11 | Event Client IP Address | src_ip=string |
12 | Event Source User ID | suid=_#_# |
13 | Event Source Username | suser=string |
14 | Event Source Session ID | session_id=# |
15 | Event Message | msg=string (if an exception is thrown, the stack trace may be dumped after the message with new line characters represented as "\n", e.g. `rule violated and exception thrown\n<stacktrace with \n for line breaks>`) |
16 | Event Client Browser User Agent | http_useragent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.91 Safari/534.30 |
17 | Action Taken | act=string |
18 | Event Request URL | request=/some/random/path |
19 | Event Request Parameter | requestparam=string |
20 | Event Request Parameter Value | requestval=string |
21 | Filename | fname=file.extension |
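The following parser for the pipe-delimited format described above is an added example and is not part of the original documentation or of Blackboard Learn. It assumes, as the format implies, that a literal `|` never appears inside a value; the sample line and the stack-trace fragment in it are constructed, and the `is_failed_input_validation` filter is an illustrative detection rule, not a documented one.

```python
import re
from datetime import datetime

# Constructed sample line in the documented format (not taken from a real system);
# the msg value carries a made-up stack-trace line escaped with a literal "\n".
SAMPLE_LINE = (
    "timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|"
    "app_ver=9.1.120113.0|evt_code=14|evt_name=url redirection violated|sev=6|"
    "cat=input validation|outcome=failure|dhost=appsec-targ07|src_ip=10.100.100.100|"
    "suid=_1_1|suser=administrator|session_id=1095|"
    "msg=Invalid url in request and exception thrown.\\nat com.example.Foo(Foo.java:1)|"
    "http_useragent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko)|"
    "act=exception|request=/webapps/portal/execute/tabs/tabManageModules|"
    "requestparam=|requestval=http://www.blackboard.com"
)

INT_FIELDS = ("evt_code", "sev", "session_id")
# "MMM dd yyyy HH:mm:ss.SSS zzz": everything up to the milliseconds, then the zone name.
TS_RE = re.compile(r"^(.+? \d{2}:\d{2}:\d{2}\.\d{3}) ([A-Z]{2,5})$")


def parse_timestamp(value: str):
    """Return (naive datetime, zone abbreviation). The abbreviation is kept as
    text because names such as EDT are ambiguous without a zone database."""
    m = TS_RE.match(value)
    if not m:
        raise ValueError(f"unexpected timestamp format: {value!r}")
    return datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S.%f"), m.group(2)


def parse_security_log_line(line: str) -> dict:
    """Parse one pipe-delimited key=value line into a dict.

    Splits on the first '=' only, so '=' inside a value (e.g. a URL query string)
    survives; irrelevant fields stay as empty strings, as the format allows."""
    record = {}
    for field in line.rstrip("\r\n").split("|"):
        if not field:  # tolerate a trailing delimiter
            continue
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"field without '=': {field!r}")
        record[key] = value
    for key in INT_FIELDS:
        if record.get(key):
            record[key] = int(record[key])
    if "msg" in record:  # stack traces encode line breaks as the two characters "\n"
        record["msg"] = record["msg"].replace("\\n", "\n")
    if "timestamp" in record:
        record["timestamp"], record["tz"] = parse_timestamp(record["timestamp"])
    return record


def is_failed_input_validation(record: dict, min_sev: int = 5) -> bool:
    """Illustrative filter: failed input-validation events at or above a severity."""
    return (record.get("cat") == "input validation"
            and record.get("outcome") == "failure"
            and record.get("sev", 0) >= min_sev)


if __name__ == "__main__":
    rec = parse_security_log_line(SAMPLE_LINE)
    print(rec["timestamp"], rec["tz"], rec["evt_name"], rec["src_ip"], rec["suser"])
    print("alert" if is_failed_input_validation(rec) else "ok")
```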