Interpreting OT Security Log Entries

The following sample shows the breakdown of the elements included in a syslog log entry that OT Security receives:

Each log entry consists of the following:

  • Syslog Prefix — Generated by the syslog server.

  • Message body — Generated using the CEF (Cisco Express Forwarding) protocol.

The Syslog Prefix consists of the following elements:

  • Timestamp — The date and time when the log entry was generated in the following format: MMM-D-YYYY HH:mm:ss.

  • Source IP — The IP address of the OT Security appliance that generated the log entry.

The Message body consists of the following elements:

  • Header — A fixed set of fields that indicate the source of the log and the nature of the event that generated the log. For information returned for each of these parameters, see Header Parameters.

  • Extension — This field provides additional details about the precise nature of the event. This field consists of a series of key-value pairs, which vary according to the type of alert. For information about the list of fields included in the extension for each event type, see Event Class IDs.

A pipe (|) character separates each data element. For OT Security syslog message examples, see Appendix — Syslog Sample.
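The following parser is an added example and is not code from the OT Security product or its documentation. It takes one syslog line laid out as described above (timestamp in MMM-D-YYYY HH:mm:ss form, the appliance's source IP, then the pipe-delimited CEF body) and splits it into the prefix, the seven header fields and the extension key-value pairs. The sample line, the vendor and product names, the signature ID and the extension values are constructed for illustration; the parser also assumes the usual CEF escaping conventions (a backslash before a literal pipe in header fields and before a literal equals sign in extension values), which a plain `str.split("|")` would get wrong.

```python
import re
from dataclasses import dataclass, field

# Constructed sample entry: syslog prefix (timestamp, source IP) followed by
# a CEF body. Vendor, product, event name and extension values are hypothetical.
SAMPLE_LINE = (
    "Jan-5-2024 14:03:27 10.0.0.12 "
    "CEF:0|ExampleVendor|ExampleOT|1.0|100|Write blocked \\| PLC|8|"
    "src=192.168.10.5 dst=192.168.10.20 proto=TCP msg=Write to tag\\=Setpoint blocked"
)

# Syslog prefix: MMM-D-YYYY HH:mm:ss, then the appliance IP, then the CEF body.
PREFIX_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}-\d{1,2}-\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<source_ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<body>CEF:.*)$"
)

# The seven fixed header fields, in the order they appear in the body.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# A key in the extension starts at the beginning or after whitespace and is
# followed by an unescaped '='; an escaped '\=' inside a value never matches.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


@dataclass
class LogEntry:
    timestamp: str
    source_ip: str
    header: dict
    extension: dict = field(default_factory=dict)


def split_header(body):
    """Split the CEF body into its 7 header fields and the raw extension text.

    Pipes inside header values are escaped as '\\|', so the string is walked
    character by character instead of being split blindly on '|'.
    """
    fields, current, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER_FIELDS):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped '|' or '\'
            current.append(body[i + 1])
            i += 2
        elif ch == "|":                        # unescaped field separator
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("CEF header has fewer than 7 pipe-delimited fields")
    header = dict(zip(HEADER_FIELDS, fields))
    if not header["cef_version"].startswith("CEF:"):
        raise ValueError("body does not start with 'CEF:'")
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    return header, body[i:]


def parse_extension(ext):
    """Parse 'key=value key=value ...'; values may contain spaces and '\\='."""
    result = {}
    matches = list(KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        start = m.end()
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        raw = ext[start:end].strip()
        # Undo the two escapes that matter inside extension values.
        result[m.group(1)] = re.sub(r"\\([\\=])", r"\1", raw)
    return result


def parse_entry(line):
    """Parse one syslog line into a LogEntry; raise ValueError on malformed input."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError("line does not start with the expected syslog prefix")
    header, ext = split_header(m.group("body"))
    return LogEntry(m.group("timestamp"), m.group("source_ip"),
                    header, parse_extension(ext))


def is_valid_entry(line):
    """Convenience check for pipelines that want to drop unparseable lines."""
    try:
        parse_entry(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    entry = parse_entry(SAMPLE_LINE)
    print(entry.timestamp, entry.source_ip)
    print(entry.header)
    print(entry.extension)
```

Lines that fail either the prefix pattern or the seven-field header check raise `ValueError` rather than producing a half-filled record, which is the behaviour you want in front of a SIEM ingestion step: a silently truncated header would mis-attribute the event's source or severity.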