Version: 25.2.0

Security Logging

Waratek Agents log security events in CEF format, wrapped in a Syslog (RFC 5424) header. The same combined format (Syslog header + CEF message) is emitted to every destination (security log file, Syslog server, Elasticsearch); the two parts are separated by a single space (SP).

[SYSLOG PREFIX] SP [CEF MESSAGE]

CEF Message Format

CEF stands for Common Event Format. CEF messages follow the CEF specification from ArcSight: a fixed header of seven fields separated by a bare pipe character (no surrounding spaces), followed by an optional extension block. A literal pipe or backslash inside a header field is escaped as \| or \\; inside an extension value an equals sign is escaped as \=.

CEF:0|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extensions

In the examples on this page the Device Event Class ID column is referred to as the Device Event, and the Extensions block is a space-separated list of key=value pairs (rt for the event time, dvchost for the host, outcome, msg, and agent-specific keys such as procid and nodeid). Extension values may themselves contain spaces, as rt and msg do below.

Logging Devices

There are two types of devices that log security messages. The Device Product field identifies which one produced the event:

1. ARMR Mod

Specific ARMR mods, and the ARMR rules they run, log their own security events. For these events the Device Product is ARMR and the Device Event field carries the name of the rule concerned.

Example: Load Rule event for an ARMR patch rule

CEF:0|ARMR:ARMR|ARMR|2.2|RegistryImpl_Skel|Load Rule|Low|rt=May 05 2020 15:02:23.053 +0100 dvchost=I-dev05 procid=46210 outcome=success

2. Waratek Agent

The Waratek Agent acts as a logging device for all other security events not sent by an ARMR mod.

Example: New security policies applied

CEF:0|ARMR:ARMR|Secure Agent|23.0.0|Engine|Reload Rules|Low|rt=Jul 03 2020 01:44:30.199 +0100 dvchost=I-dev05 procid=1130132 outcome=success msg=New ARMR policy has been applied

Example: No security policies applied

CEF:0|ARMR:ARMR|Secure Agent|23.0.0|Engine|Reload Rules|Low|rt=Jul 03 2020 01:44:30.172 +0100 dvchost=I-dev05 procid=1130132 msg=Waratek rules file '/tmp/armr.rules' does not exist or is inaccessible. No security rules were loaded!

Syslog Format

The Syslog format (RFC 5424) wraps the actual log message in a standard header so that it can be shipped to any Syslog collector, and is widely used in enterprise IT. Note that PRI is followed directly by VERSION with no space between them; every other header field is followed by a single space.

PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP STRUCTURED-DATA SP MSG

Syslog Header Fields

| Field | Description |
|---|---|
| PRI | Priority, written as `<N>` where N = Facility × 8 + Severity (RFC 5424). For example `<13>` is facility 1 (user-level), severity 5 (notice); `<9>` is severity 1 (alert). |
| VERSION | Always 1 (as per RFC 5424). |
| TIMESTAMP | RFC 5424 timestamp with millisecond precision and a numeric UTC offset, e.g. 2020-05-11T19:02:53.188+01:00 (Z when the offset is zero). |
| HOSTNAME | Identifies the machine that sent the Syslog message. |
| APP-NAME | Always java. |
| PROCID | Process ID (or a generated one if not available). |
| MSGID | Always -. |
| STRUCTURED-DATA | Always -. |
| MSG | The actual CEF message. |

Example Syslog Messages

<13>1 2020-05-11T19:02:53.188+01:00 I-dev05 java 394700 - - CEF:0|ARMR:ARMR|Secure Agent|23.0.0|Engine|Reload Rules|Low|rt=May 11 2020 19:02:53.188 +0100 dvchost=I-dev05 procid=394700 outcome=success msg=No ARMR policy is in effect
<9>1 2020-05-11T14:39:23.965+01:00 I-dev05 java 433109 - - CEF:0|ARMR:ARMR|ARMR|2.2|RegistryImpl_Skel|Execute Rule|Very-High|msg=java.lang.Exception outcome=failure procid=433109 dvchost=I-dev05 rt=May 11 2020 14:39:23.965 +0100
<14>1 2020-07-07T16:39:52.540+01:00 I-dev05 java 1398713 - - CEF:0|ARMR:ARMR|ARMR|2.2|block file.txt|Load Rule|Low|rt=Jul 07 2020 16:39:52.538 +0100 dvchost=I-dev05 procid=1398713 nodeid=1 outcome=success
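The following parser is an added example, not code from the Waratek product or this page; it covers both the CEF Message Format and the Syslog Format sections above. It splits the RFC 5424 header (PRI glued to VERSION, then the six space-separated fields), decodes PRI into facility and severity, splits the seven CEF header fields on unescaped pipes, and parses the extension block into key=value pairs whose values may contain spaces. The first three input lines are the example Syslog messages shown on this page; the fourth is constructed here to exercise the \| and \= escapes. The assumption that STRUCTURED-DATA is always "-" is taken from the table above, and the detection rule at the end (flag failed rule executions and High/Very-High events) is an illustration, not a Waratek feature.

```python
"""Parse Waratek-style Syslog (RFC 5424 header) + CEF lines and flag the ones worth alerting on.
Added example; the sample lines below are the ones shown on the page plus one constructed line."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# RFC 5424 HEADER: PRI is glued to VERSION, then TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD, each
# followed by SP. Assumption from the page: STRUCTURED-DATA is always "-" (real [id k="v"] elements
# would need a bracket-aware parser).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-) (?P<msg>.*)$"
)
# An extension key is a run of word characters at the start or after a space, directly followed by
# "=". An escaped "\=" inside a value is never preceded by a word run, so it does not match.
EXT_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_.]+)=")
SYSLOG_SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class SecurityEvent:
    facility: int
    severity: int                 # Syslog severity 0-7 decoded from PRI
    timestamp: str
    hostname: str
    procid: str
    cef_version: str
    vendor: str
    product: str                  # "ARMR" (mod/rule events) or "Secure Agent"
    version: str
    event_class: str              # Device Event Class ID, the "Device Event" column on the page
    name: str
    cef_severity: str             # Low / Medium / High / Very-High as written by the agent
    extensions: Dict[str, str] = field(default_factory=dict)

    @property
    def syslog_severity(self) -> str:
        return SYSLOG_SEVERITIES[self.severity]


def split_cef(cef: str) -> List[str]:
    """Return the seven CEF header fields plus the raw extension block as an eighth element.
    Header fields may contain \\| and \\\\ escapes, so a plain str.split('|') is wrong."""
    parts, cur, i = [], [], 0
    while i < len(cef) and len(parts) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):        # escaped pipe or backslash: keep the next char
            cur.append(cef[i + 1]); i += 2
        elif ch == "|":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(parts) != 7:
        raise ValueError("CEF header needs 7 pipe-separated fields: %r" % cef[:60])
    parts.append(cef[i:])                          # everything after the 7th pipe
    return parts


def unescape_ext(value: str) -> str:
    """Undo the extension-value escapes \\= \\\\ \\n \\r."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extensions(ext: str) -> Dict[str, str]:
    """key=value pairs where values may contain spaces (rt=May 11 2020 ..., msg=...):
    each value runs up to the next ' key=' token."""
    keys = list(EXT_KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = unescape_ext(ext[m.end():end])
    return out


def parse_line(line: str) -> SecurityEvent:
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 line: %r" % line[:40])
    if not m["msg"].startswith("CEF:"):
        raise ValueError("MSG is not a CEF message")
    pri = int(m["pri"])
    hdr = split_cef(m["msg"])
    return SecurityEvent(
        facility=pri >> 3, severity=pri & 7,       # PRI = facility * 8 + severity
        timestamp=m["timestamp"], hostname=m["hostname"], procid=m["procid"],
        cef_version=hdr[0].split(":", 1)[1], vendor=hdr[1], product=hdr[2], version=hdr[3],
        event_class=hdr[4], name=hdr[5], cef_severity=hdr[6], extensions=parse_extensions(hdr[7]),
    )


def flag_events(events: List[SecurityEvent]) -> List[SecurityEvent]:
    """Illustrative detection rule: a failed rule execution, or anything rated High/Very-High."""
    return [e for e in events
            if e.extensions.get("outcome") == "failure" or e.cef_severity in ("High", "Very-High")]


# Lines 1-3 are the example Syslog messages from this page; line 4 is constructed to show an
# escaped '|' in a header field and an escaped '=' in an extension value.
SAMPLE_LINES = [
    "<13>1 2020-05-11T19:02:53.188+01:00 I-dev05 java 394700 - - CEF:0|ARMR:ARMR|Secure Agent|23.0.0|Engine|Reload Rules|Low|rt=May 11 2020 19:02:53.188 +0100 dvchost=I-dev05 procid=394700 outcome=success msg=No ARMR policy is in effect",
    "<9>1 2020-05-11T14:39:23.965+01:00 I-dev05 java 433109 - - CEF:0|ARMR:ARMR|ARMR|2.2|RegistryImpl_Skel|Execute Rule|Very-High|msg=java.lang.Exception outcome=failure procid=433109 dvchost=I-dev05 rt=May 11 2020 14:39:23.965 +0100",
    "<14>1 2020-07-07T16:39:52.540+01:00 I-dev05 java 1398713 - - CEF:0|ARMR:ARMR|ARMR|2.2|block file.txt|Load Rule|Low|rt=Jul 07 2020 16:39:52.538 +0100 dvchost=I-dev05 procid=1398713 nodeid=1 outcome=success",
    "<14>1 2020-07-07T16:40:00.000+01:00 I-dev05 java 1398713 - - CEF:0|ARMR:ARMR|Secure Agent|23.0.0|Engine\\|core|Reload Rules|Low|rt=Jul 07 2020 16:40:00.000 +0100 dvchost=I-dev05 msg=policy a\\=b reloaded",
]
EVENTS = [parse_line(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    for e in EVENTS:
        print(f"{e.timestamp} {e.syslog_severity:7} {e.product}/{e.event_class}: {e.name} "
              f"[{e.cef_severity}] {e.extensions.get('msg', '')}")
    print("flagged:", [e.name for e in flag_events(EVENTS)])
```

Two things the parser deliberately does not do: it does not trust the CEF Severity word and the Syslog PRI to agree (the page's own examples map "Low" to both notice and info), so a detection rule should key on the CEF fields rather than the PRI; and it treats an unescaped " key=" inside a msg value as a new key, which is what the CEF specification requires of the producer, so a non-compliant message will split wrongly rather than fail loudly.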