SysFlow Sample Event Message
Use this sample event message to verify a successful integration with JSA.
Note: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
SysFlow Sample Message When You Use the Syslog Protocol
The following sample event message shows a network connection established from the source address and port (sip:sport) to the destination address and port (dip:dport).

```json
{"version":"2","type":"NF","opflags":["CONNECT","CLOSE"],"ret":0,"ts":1606893550815035002,"endts":1606893550820977528,"schema":2,"proc":{"acmdline":["/bin/nc -N 10.11.9.73 8080","/home/test/events.sh ./events.sh","/bin/bash ","/usr/sbin/sshd ","/usr/sbin/sshd ","/usr/sbin/sshd -D"],"aexe":["/bin/nc","/home/test/events.sh","/bin/bash","/usr/sbin/sshd","/usr/sbin/sshd","/usr/sbin/sshd"],"aname":["nc","events.sh","bash","sshd","sshd","sshd"],"apid":["30994","30973","28002","28001","27997","945"],"args":"-N 10.11.9.73 8080","cmdline":"/bin/nc -N 10.11.9.73 8080","createts":1606893550811545514,"entry":false,"exe":"/bin/nc","gid":1001,"group":"","name":"nc","oid":"dbe8ba0d16effeb6","pid":30994,"tid":30994,"tty":1,"uid":1001,"user":""},"pproc":{"args":"./events.sh","cmdline":"/home/test/events.sh ./events.sh","createts":1606893550765789258,"entry":false,"exe":"/home/test/events.sh","gid":1001,"group":"","name":"events.sh","oid":"c208bed1b606ad31","pid":30973,"tty":true,"uid":1001,"user":""},"net":{"dip":"10.11.9.73","dport":8080,"ip":["10.11.22.176","10.11.9.73"],"port":["42944","8080"],"proto":6,"sip":"10.11.22.176","sport":42944},"flow":{"rbytes":0,"rops":0,"wbytes":0,"wops":0},"node":{"id":"local","ip":"127.0.0.1"},"policies":[{"id":"Process Created a Network Connection","desc":"Process Created a Network Connection","priority":0,"tags":[]}]}
```
| JSA field name | Highlighted field name |
|---|---|
| Event Category | type |
| Command | CONNECT+ 0 |
| Device Time | ts |
| Username | proc+user (if not empty) |
| Source IP | net+sip |
| Source Port | net+sport |
| Destination IP | net+dip |
| Destination Port | net+dport |
| Protocol | net+proto |
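As an added example (not part of this page, nor code from SysFlow or JSA), the following Python function applies the mapping table above to a trimmed copy of the sample event. It assumes the Command column means the first opflag followed by the syscall return value, converts the nanosecond `ts` to a UTC timestamp, and maps the numeric `proto` to its IANA name; the `PROTO_NAMES` table and `map_sysflow_to_jsa` name are this example's own.

```python
import json
from datetime import datetime, timezone

# Trimmed copy of the page's SysFlow NF sample (constructed for this example):
# only the fields the JSA mapping table uses are kept.
SAMPLE = '''{"version":"2","type":"NF","opflags":["CONNECT","CLOSE"],"ret":0,
"ts":1606893550815035002,"proc":{"name":"nc","pid":30994,"uid":1001,"user":""},
"net":{"dip":"10.11.9.73","dport":8080,"proto":6,"sip":"10.11.22.176","sport":42944}}'''

# IANA protocol numbers; the page's sample only shows proto 6 (TCP).
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def device_time(ts_ns):
    """SysFlow 'ts' is nanoseconds since the epoch; return it as a UTC datetime."""
    secs, rem = divmod(ts_ns, 10**9)
    return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=rem // 1000)


def map_sysflow_to_jsa(raw):
    """Apply the page's mapping table to one SysFlow event and return the JSA fields.

    Assumption: the Command column ('CONNECT+ 0') is the first opflag joined to
    the return value with a space; the page does not state the separator.
    """
    # Strip CR/LF first, as the page's note instructs for pasted samples.
    ev = json.loads(raw.replace("\r", "").replace("\n", ""))
    proc, net = ev.get("proc", {}), ev.get("net", {})
    opflags = ev.get("opflags") or [""]
    fields = {
        "Event Category": ev["type"],
        "Command": "{} {}".format(opflags[0], ev.get("ret")),
        "Device Time": device_time(ev["ts"]).isoformat(),
        "Source IP": net.get("sip"),
        "Source Port": net.get("sport"),
        "Destination IP": net.get("dip"),
        "Destination Port": net.get("dport"),
        "Protocol": PROTO_NAMES.get(net.get("proto"), str(net.get("proto"))),
    }
    # Username is only populated when proc.user is non-empty, as the table states.
    if proc.get("user"):
        fields["Username"] = proc["user"]
    return fields
```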