Parsers and Generated Fields

Tag Fields Created by Parser netgate-pfsense
  • #Cps.version
  • #Vendor
  • #ecs.version
  • #event.dataset
  • #event.kind
  • #event.module
  • #event.outcome
  • #observer.type

Fields Identified by Parser netgate-pfsense
| Source Field | CPS Field | Description | Mapping |
| --- | --- | --- | --- |
| Vendor.timestamp | @timestamp | Event timestamp extracted from syslog header | Parsed from syslog timestamp using parseTimestamp function |
| client.ip, client.domain | client.address | DHCP client network address | Coalesced from client.ip and client.domain |
| Vendor.hostname | client.domain | DHCP client domain name | Transformed from Vendor.hostname using lowercase |
| __temp.for_ip, __temp.on_ip, __temp.from_to | client.ip | DHCP client IP address | Extracted from DHCP message fields |
| __temp.from_to | client.mac | DHCP client MAC address | Extracted from DHCP message with formatting |
| destination.ip, destination.domain | destination.address | Destination network address | Coalesced from destination.ip and destination.domain |
| client.domain, destination.ip, Vendor.host | destination.domain | Destination domain name | Copied from client.domain or transformed from IP/host |
| Vendor.dst_ip, Vendor.host | destination.ip | Destination IP address | Copied from Vendor.dst_ip or Vendor.host with IP validation |
| client.mac | destination.mac | Destination MAC address | Copied from client.mac with formatting |
| Vendor.dst_port | destination.port | Destination port number | Copied from Vendor.dst_port |
| None | ecs.version | ECS schema version identifier | Static value: "9.2.0" |
| Vendor.action, event.action | event.action | Action taken by the system | Copied from vendor action or transformed based on log type |
| log.syslog.appname | event.category[] | Event category classification array | Array populated based on log type: ["network"], ["authentication"], ["network", "configuration"] |
| log.syslog.appname | event.dataset | Dataset identifier for log categorization | Static value based on log type: "pfsense.filterlog", "pfsense.dhcp", "pfsense.charon", "pfsense.login", "pfsense.filterdns" |
| None | event.kind | Event categorization type | Static value: "event" |
| None | event.module | Module name identifier | Static value: "pfsense" |
| Vendor.action | event.outcome | Event outcome status | Conditional value based on action: "success", "failure", "unknown" |
| Vendor.reason | event.reason | Reason for the firewall action | Copied from Vendor.reason |
| Vendor.sequence_number | event.sequence | TCP sequence number for connection tracking | Copied from Vendor.sequence_number |
| Vendor.action, log.syslog.appname | event.type[] | Event type classification array | Array populated based on conditions and log type |
| log.syslog.hostname | host.hostname | Host system name | Transformed from log.syslog.hostname using lowercase |
| None | log.syslog.appname | Syslog application name | Extracted from syslog header using regex |
| None | log.syslog.hostname | Syslog hostname field | Extracted from syslog header using regex |
| None | log.syslog.msgid | Syslog message identifier | Extracted from RFC 5424 syslog header |
| None | log.syslog.priority | Syslog priority value | Extracted from syslog header using regex |
| None | log.syslog.procid | Syslog process identifier | Extracted from syslog header using regex |
| None | log.syslog.structured_data | Syslog structured data element | Extracted from RFC 5424 syslog header |
| None | log.syslog.version | Syslog protocol version | Extracted from RFC 5424 syslog header |
| Vendor.message | message | Original log message content | Copied from Vendor.message |
| Vendor.length | network.bytes | Total bytes in the network packet | Copied from Vendor.length |
| Vendor.direction | network.direction | Network traffic direction | Transformed from Vendor.direction: "inbound" or "outbound" |
| Vendor.protocol_id | network.iana_number | IANA protocol number | Copied from Vendor.protocol_id |
| None | network.protocol | Application layer protocol | Static value: "dhcp" for DHCP logs |
| Vendor.protocol_text | network.transport | Network transport protocol | Transformed from Vendor.protocol_text using lowercase |
| Vendor.ip_version | network.type | Network layer protocol type | Static value based on IP version: "ipv4" or "ipv6" |
| Vendor.real_interface | observer.egress.interface.name | Egress network interface name | Copied from Vendor.real_interface for outbound traffic |
| Vendor.vlan_id | observer.egress.vlan.id | Egress VLAN identifier | Copied from Vendor.vlan_id for egress traffic |
| Vendor.real_interface | observer.ingress.interface.name | Ingress network interface name | Copied from Vendor.real_interface for inbound traffic |
| Vendor.vlan_id | observer.ingress.vlan.id | Ingress VLAN identifier | Copied from Vendor.vlan_id for ingress traffic |
| log.syslog.hostname | observer.name | Observer hostname | Copied from log.syslog.hostname |
| event.module | observer.product | Observer product identifier | Static value: "pfsense" |
| Vendor | observer.vendor | Observer vendor identifier | Static value: "netgate" |
| log.syslog.appname | process.name | Process name generating the log | Copied from log.syslog.appname |
| log.syslog.procid | process.pid | Process identifier | Copied from log.syslog.procid |
| Vendor.rule_number | rule.id | Firewall rule identifier | Copied from Vendor.rule_number |
| server.ip, server.domain | server.address | DHCP server network address | Coalesced from server.ip and server.domain |
| observer.name | server.domain | DHCP server domain name | Copied from observer.name |
| source.ip, source.domain | source.address | Source network address | Coalesced from source.ip and source.domain |
| client.domain, source.ip | source.domain | Source domain name | Copied from client.domain or transformed from IP |
| Vendor.src_ip | source.ip | Source IP address | Copied from Vendor.src_ip with IP validation |
| client.mac | source.mac | Source MAC address | Copied from client.mac with formatting |
| Vendor.src_port | source.port | Source port number | Copied from Vendor.src_port |
| user.name | user.effective.name | Effective username for login events | Copied from user.name |
| Vendor.message | user.name | Username from login events | Extracted from login message using regex |