Forum Discussion

Chris_FP
Aug 04, 2014

Explanation of codes within Syslog messages

From below:-

<133>Jul 29 10:17:21 nodename httpd[5382]: 01070417:5: AUDIT - userhere user - RAW: httpd(mod_auth_pam): user=userhere(userhere) partition=[All] level=Administrator tty=/bin/bash host=x.x.x.x attempts=1 start="Tue Jul 29 10:17:21 2014".

<85>Jul 29 10:17:21 nodename httpd[5382]: 01070417:5: AUDIT - user userhere - RAW: httpd(mod_auth_pam): user=userhere(userhere) partition=[All] level=Administrator tty=/bin/bash host=x.x.x.x attempts=1 start="Tue Jul 29 10:17:21 2014".

<133>Jul 29 10:17:05 nodename httpd[4782]: 01070417:5: AUDIT - user userhere - RAW: httpd(mod_auth_pam): user=userhere(userhere) partition=[All] level=Administrator tty=/bin/bash host=x.x.x.x attempts=1 start="Tue Jul 29 10:04:48 2014" end="Tue Jul 29 10:17:05 2014".

<85>Jul 29 10:17:05 nodename httpd[4782]: 01070417:5: AUDIT - user userhere - RAW: httpd(mod_auth_pam): user=userhere(userhere) partition=[All] level=Administrator tty=/bin/bash host=x.x.x.x attempts=1 start="Tue Jul 29 10:04:48 2014" end="Tue Jul 29 10:17:05 2014".

<133>Jul 29 10:41:35 nodename mcpd[6180]: 01070417:5: AUDIT - user userhere - transaction 50874725-2 - object 0 - modify { ltcfg_instance { ltcfg_instance_container "" ltcfg_instance_name "/Common/syslog" ltcfg_instance_class_name "syslog" ltcfg_instance_instance_folder_name "/Common" ltcfg_instance_instance_leaf_name "syslog" ltcfg_instance_config_source 0 } } [Status=Command OK]

<133>Jul 29 10:41:35 nodename mcpd[6180]: 01070417:5: AUDIT - user userhere - transaction 50874725-3 - object 0 - create_if { ltcfg_instance_field { ltcfg_instance_field_instance_name "/Common/syslog" ltcfg_instance_field_field_name "include" ltcfg_instance_field_class_name "syslog" ltcfg_instance_field_container "" ltcfg_instance_field_value "destination remote_server {tcp(\"siem1pre.service.test.group\" port (514));};filter f_alllogs {level (notice..emerg);};log {source(local);filter(f_alllogs);destination(remote_server);};destination remote_server2 {tcp(\"10.127.222.10\" port (514));};log {source(local);filter(f_alllogs);destination(remote_server2);};" ltcfg_instance_field_userspec 1 ltcfg_instance_field_config_source 0 } } [Status=Command OK]

<133>Jul 29 10:41:35 nodename mcpd[6180]: 01070417:5: AUDIT - user userhere - transaction 50874725-3 - object 0 - create_if { ltcfg_instance_field { ltcfg_instance_field_instance_name "/Common/syslog" ltcfg_instance_field_field_name "include" ltcfg_instance_field_class_name "syslog" ltcfg_instance_field_container "" ltcfg_instance_field_value "destination remote_server {tcp(\"siem1pre.service.test.group\" port (514));};filter f_alllogs {level (notice..emerg);};log {source(local);filter(f_alllogs);destination(remote_server);};destination remote_server2 {tcp(\"10.127.222.10\" port (514));};log {source(local);filter(f_alllogs);destination(remote_server2);};" ltcfg_instance_field_userspec 1 ltcfg_instance_field_config_source 0 } } [Status=Command OK]

At the start of each msg is a number, either 133 or 85 - does anybody know what the significance / meaning of these numbers is, and if there is a list defined anywhere?

In addition, I have bolded numbers in brackets - is there an explanation of these numbers anywhere?

If we can get an explanation for these numbers, it will help our QRadar team to script filters for creating incidents based on logon/logoff/config events etc.

Regards.

1 Reply

  • At the start of each msg is a number, either 133 or 85 - does anybody know what the significance / meaning of these numbers is, and if there is a list defined anywhere?

    I understand it is the priority number.

      (numeric value of facility) * 8 + (numeric value of severity)

    Pot Of Syslog-NG Tricks Version 3

    http://www.syslog.org/logged/pot-of-syslog-ng-tricks-version-3/

    In addition, I have bolded numbers in brackets - is there an explanation of these numbers anywhere?

    It is the process id.

    [root@ve11a:Active:In Sync] config  tail -1 /var/log/ltm
    Aug  4 04:36:15 ve11a info sshd[6970]: Accepted keyboard-interactive/pam for root from 192.168.207.46 port 50504 ssh2
    
    [root@ve11a:Active:In Sync] config  ps -elf|grep sshd:|grep -v grep
    4 S root      6970  5379  0  80   0 -  5439 -      04:36 ?          0:00 sshd: root@pts/0
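The priority arithmetic above, worked into a small Python parser as an added example (not code from the thread or from F5): it splits the `<PRI>` value into facility and severity, pulls out the bracketed process id, and sorts the thread's own lines into logon/logoff/config buckets. The logon/logoff/config classification is a heuristic assumed by this example, not an F5 definition.

```python
import re

# RFC 3164 facility (0-23) and severity (0-7) names; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock", "local0",
              "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd HH:MM:SS host program[pid]: message  (BSD syslog layout seen in the thread)
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) "
                     r"([^\s\[:]+)(?:\[(\d+)\])?: (.*)$")

def decode_pri(pri):
    """Split PRI into (facility, severity); valid PRI values are 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return divmod(pri, 8)

def parse_syslog(line):
    """Parse one syslog line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "timestamp": m.group(2), "host": m.group(3), "program": m.group(4),
            "pid": int(m.group(5)) if m.group(5) else None,  # the bracketed number
            "msg": m.group(6)}

def classify_audit(rec):
    """Heuristic (this example's assumption): start= only -> logon, end= -> logoff, transaction -> config."""
    msg = rec["msg"]
    if "AUDIT" not in msg:
        return "other"
    if " end=" in msg:
        return "logoff"
    if " start=" in msg:
        return "logon"
    if " transaction " in msg:
        return "config"
    return "audit"

# Lines from the thread (abbreviated with "..." where the payload is not needed here).
SAMPLES = [
    '<133>Jul 29 10:17:21 nodename httpd[5382]: 01070417:5: AUDIT - user userhere - RAW: ... start="Tue Jul 29 10:17:21 2014".',
    '<85>Jul 29 10:17:05 nodename httpd[4782]: 01070417:5: AUDIT - user userhere - RAW: ... start="Tue Jul 29 10:04:48 2014" end="Tue Jul 29 10:17:05 2014".',
    '<133>Jul 29 10:41:35 nodename mcpd[6180]: 01070417:5: AUDIT - user userhere - transaction 50874725-2 - object 0 - modify { ... } [Status=Command OK]',
]
```

Running `[(r["facility"], r["severity"], r["pid"], classify_audit(r)) for r in map(parse_syslog, SAMPLES)]` shows 133 decoding to local0/notice and 85 to authpriv/notice, with the pid and event class beside each.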