Parsers and Generated Fields
Tag Fields Created by Parser infoblox-nios
- `#Cps.version`
- `#Vendor`
- `#ecs.version`
- `#event.dataset`
- `#event.kind`
- `#event.module`
- `#event.outcome`
- `#observer.type`
Fields Identified by Parser infoblox-nios
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| log.syslog.timestamp | @timestamp | Event timestamp | Parsed from log.syslog.timestamp using parseTimestamp() |
| message, client.address | client.domain | Client domain name | Extracted from message using regex patterns, normalized with lower() |
| message, client.address | client.ip | Client IP address | Extracted from message using regex patterns or copied from client.address |
| message | client.mac | Client MAC address | Extracted from message using regex patterns, formatted with replace() and upper() |
| message | client.port | Client port number | Extracted from message using regex patterns |
| message | dns.answers[0].type | DNS RPZ answer type | Extracted from CEF-format DNS messages using regex |
| __repeatMessage | dns.answers[].class | DNS answer class | Parsed from DNS response messages using JSON parsing |
| __repeatMessage | dns.answers[].data | DNS answer data | Parsed from DNS response messages using JSON parsing |
| __repeatMessage | dns.answers[].name | DNS answer name | Parsed from DNS response messages using JSON parsing |
| __repeatMessage | dns.answers[].ttl | DNS answer TTL | Parsed from DNS response messages using JSON parsing |
| __repeatMessage | dns.answers[].type | DNS answer type | Parsed from DNS response messages using JSON parsing |
| message | dns.question.class | DNS question class | Extracted from DNS query messages using regex patterns |
| message | dns.question.name | DNS question name | Extracted from DNS query messages using regex patterns |
| message | dns.question.response_code | DNS response code | Extracted from DNS response messages using regex patterns |
| message | dns.question.type | DNS question type | Extracted from DNS query messages using regex patterns |
| __repeatMessage | dns.resolved_ip[] | Array of resolved IP addresses | Array populated from DNS response messages, filtered by CIDR |
| None | ecs.version | ECS version | Static value: 9.2.0 |
| message | event.action | Event action | Extracted from message using regex patterns, normalized with lower() |
| Vendor.service_name, event.action | event.category[] | Event categories | Array populated based on service type and action |
| Vendor.service_name | event.dataset | Event dataset | Static value based on service type |
| None | event.kind | Event kind | Static value: event |
| None | event.module | Event module | Static value: nios |
| event.action | event.outcome | Event outcome | Static value based on event type |
| Vendor.service_name, event.action | event.type[] | Event types | Array populated based on service type and action |
| @rawstring | host.domain | Host domain name | Extracted from syslog header, normalized with lower() |
| host.domain | host.ip[] | Host IP addresses | Array populated when host.domain is an IP address, determined by CIDR check |
| message | interface.name | Network interface name | Extracted from DHCP messages using regex patterns |
| @rawstring | log.syslog.priority | Syslog priority | Extracted from syslog priority field using regex |
| @rawstring | log.syslog.timestamp | Syslog timestamp | Extracted from syslog timestamp field using regex |
| @rawstring | message | Log message | Extracted from syslog message field using regex |
| message | network.name | Network name | Extracted from DHCP BOOTREQUEST messages using regex |
| message | network.transport | Network transport protocol | Extracted from DNS messages using regex patterns, normalized with lower() |
| client.address, server.address | network.type | Network type (ipv4/ipv6) | Set based on IP address type using CIDR check |
| @rawstring | process.id | Process ID | Extracted from syslog process field using regex |
| message | server.address | Server address | Extracted from DNS and DHCP messages using regex patterns |
| server.address | server.domain | Server domain name | Copied from server.address when not an IP |
| server.address | server.ip | Server IP address | Copied from server.address when it is an IP |
| message | server.mac | Server MAC address | Extracted from DHCP BOOTREPLY messages using regex patterns |
| message | server.port | Server port number | Extracted from DNS timeout messages using regex patterns |
| Vendor.dhcp.trans_id | transaction.id | Transaction ID | Copied from Vendor.dhcp.trans_id when numeric |
| __userName | user.name | Username from audit logs | Extracted from audit messages with replace() for space handling |
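To show how the @rawstring, DNS and DHCP mappings above compose on one raw line, here is an added Python example; it is not the infoblox-nios parser's own code, and the regexes and the two sample syslog lines are constructed approximations of NIOS named/dhcpd output, not captured from a device.

```python
import re
from ipaddress import ip_address

# Constructed sample lines (not captured from a device): one DNS query, one DHCP ack.
SAMPLE_DNS = ("<30>Mar 10 12:34:56 NIOS-Grid-01.Corp.Example named[1234]: client @0x7f3c "
              "10.1.2.3#51234 (WWW.Example.com): query: WWW.Example.com IN A + (10.0.0.53)")
SAMPLE_DHCP = ("<30>Mar 10 12:35:01 nios-grid-01.corp.example dhcpd[2222]: "
               "DHCPACK on 10.1.2.50 to 00-1a-2b-3c-4d-5e via eth1")

# Syslog header: priority, timestamp, host, process[pid], message (hypothetical regexes).
SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
DNS_QUERY_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.:a-fA-F]+)#(?P<port>\d+) "
                          r"\((?P<name>[^)]+)\): query: \S+ (?P<cls>\w+) (?P<type>\w+)")
DHCP_RE = re.compile(r"^DHCP(?P<action>\w+) on (?P<ip>[\d.]+) to (?P<mac>[0-9a-fA-F:\-]{17}) via (?P<iface>\S+)")


def _is_ip(value: str) -> bool:
    """The 'CIDR check': true only when the string parses as an IPv4/IPv6 address."""
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def parse_nios(raw: str) -> dict:
    """Derive the CPS fields from one raw NIOS syslog line; {} if the header does not match."""
    m = SYSLOG_RE.match(raw)
    if not m:
        return {}
    ev = {"log.syslog.priority": int(m["pri"]), "log.syslog.timestamp": m["ts"],
          "host.domain": m["host"].lower(),          # normalized with lower()
          "process.id": int(m["pid"]), "message": m["msg"]}
    if _is_ip(ev["host.domain"]):                    # host.ip[] only when the host is an IP
        ev["host.ip"] = [ev["host.domain"]]
    q = DNS_QUERY_RE.search(ev["message"])
    d = DHCP_RE.match(ev["message"])
    if q:
        ev.update({"event.action": "query", "client.ip": q["ip"], "client.port": int(q["port"]),
                   "dns.question.name": q["name"], "dns.question.class": q["cls"],
                   "dns.question.type": q["type"],
                   "network.type": "ipv6" if ":" in q["ip"] else "ipv4"})
    elif d:
        ev.update({"event.action": d["action"].lower(), "client.ip": d["ip"],
                   "client.mac": d["mac"].replace("-", ":").upper(),   # replace() then upper()
                   "interface.name": d["iface"], "network.type": "ipv4"})
    return ev
```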