Security Logging
Waratek Agents log security events in CEF format, wrapped in a Syslog header envelope. The combined format (Syslog + CEF) is transmitted regardless of destination (security log file, Syslog server, Elasticsearch); the two parts are separated by a single space (SP).
[SYSLOG PREFIX] SP [CEF MESSAGE]
CEF Message Format
CEF stands for Common Event Format. CEF messages follow the CEF specification from ArcSight.
CEF:0 | Device Vendor | Device Product | Device Version | Device Event | Event Name | Event Severity | Extensions
Logging Devices
There are two types of devices logging security messages:
1. ARMR Mod
For specific ARMR mods that log security events and ARMR rules.
Example: Load Rule event for an ARMR patch rule
CEF:0|ARMR:ARMR|ARMR|2.2|RegistryImpl_Skel|Load Rule|Low|rt=May 05 2020 15:02:23.053 +0100 dvchost=I-dev05 procid=46210 outcome=success
2. Waratek Agent
The Waratek Agent acts as a logging device for all other security events not sent by an ARMR mod.
Example: New security policies applied
CEF:0|ARMR:ARMR|Secure Agent|23.0.0|Engine|Reload Rules|Low|rt=Jul 03 2020 01:44:30.199 +0100 dvchost=I-dev05 procid=1130132 outcome=success msg=New ARMR policy has been applied
Example: No security policies applied
CEF:0|ARMR:ARMR|Secure Agent|23.0.0|Engine|Reload Rules|Low|rt=Jul 03 2020 01:44:30.172 +0100 dvchost=I-dev05 procid=1130132 msg=Rules file '/tmp/armr.rules' does not exist or is inaccessible. No security rules were loaded!
Syslog Format
Syslog format wraps the actual log message and is widely used in enterprise IT.
PRI SP VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP STRUCTURED-DATA SP MSG
Syslog Header Fields
| Field | Description |
|---|---|
| PRI | Priority (computed from Facility and Severity). |
| VERSION | Always 1 (as per RFC 5424). |
| TIMESTAMP | YYYY-MM-DDTHH:MM:SS.SSSZ format (the examples below carry a numeric UTC offset such as +01:00 in place of Z). |
| HOSTNAME | Identifies the machine that sent the Syslog message. |
| APP-NAME | Always java. |
| PROCID | Process ID (or a generated one if not available). |
| MSGID | Always - (the RFC 5424 nil value). |
| STRUCTURED-DATA | Always - (the RFC 5424 nil value). |
| MSG | The actual CEF message. |
Example Syslog Messages
<13>1 2020-05-11T19:02:53.188+01:00 I-dev05 java 394700 - - CEF:0|ARMR:ARMR|Secure Agent|23.0.0|Engine|Reload Rules|Low|rt=May 11 2020 19:02:53.188 +0100 dvchost=I-dev05 procid=394700 outcome=success msg=No ARMR policy is in effect
<9>1 2020-05-11T14:39:23.965+01:00 I-dev05 java 433109 - - CEF:0|ARMR:ARMR|ARMR|2.2|RegistryImpl_Skel|Execute Rule|Very-High|msg=java.lang.Exception outcome=failure procid=433109 dvchost=I-dev05 rt=May 11 2020 14:39:23.965 +0100
<14>1 2020-07-07T16:39:52.540+01:00 I-dev05 java 1398713 - - CEF:0|ARMR:ARMR|ARMR|2.2|block file.txt|Load Rule|Low|rt=Jul 07 2020 16:39:52.538 +0100 dvchost=I-dev05 procid=1398713 nodeid=1 outcome=success
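The following parser is an added example, not part of the Waratek documentation or product: it reads lines in the Syslog + CEF layout described in the two sections above, decodes PRI into facility and severity, splits the seven pipe-delimited CEF header fields (honouring the CEF backslash escape for a literal pipe), and turns the extension string into a key/value map so that fields such as outcome can be filtered on. The first two sample lines are copied from the examples above; the third is constructed to exercise the escape handling, and the assumption that STRUCTURED-DATA is always "-" (as the table states) is built into the header regex.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Facility and severity names from RFC 5424 (PRI = facility * 8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "cron2",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424 header in the shape the page describes. Assumption: STRUCTURED-DATA is the
# nil value "-" (so it never contains spaces) and MSG is the CEF message.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$")
# CEF extensions: key=value pairs; a value runs until the next " key=" token, so values
# with spaces (rt=May 11 2020 ..., msg=No ARMR policy ...) are kept whole.
EXT_RE = re.compile(r"(?P<key>[A-Za-z0-9_.]+)=(?P<val>.*?)(?=\s+[A-Za-z0-9_.]+=|$)", re.S)

# Sample input: lines 1 and 2 are the page's own examples; line 3 is constructed to
# include an escaped pipe in the event class id and an escaped "=" in msg.
SAMPLE_LINES = [
    "<13>1 2020-05-11T19:02:53.188+01:00 I-dev05 java 394700 - - CEF:0|ARMR:ARMR|Secure Agent|23.0.0|Engine|Reload Rules|Low|rt=May 11 2020 19:02:53.188 +0100 dvchost=I-dev05 procid=394700 outcome=success msg=No ARMR policy is in effect",
    "<9>1 2020-05-11T14:39:23.965+01:00 I-dev05 java 433109 - - CEF:0|ARMR:ARMR|ARMR|2.2|RegistryImpl_Skel|Execute Rule|Very-High|msg=java.lang.Exception outcome=failure procid=433109 dvchost=I-dev05 rt=May 11 2020 14:39:23.965 +0100",
    "<14>1 2020-07-07T16:39:52.540+01:00 I-dev05 java 1398713 - - CEF:0|ARMR:ARMR|ARMR|2.2|block file\\|2.txt|Load Rule|Low|rt=Jul 07 2020 16:39:52.538 +0100 dvchost=I-dev05 procid=1398713 nodeid=1 outcome=success msg=rule\\=file",
]


@dataclass
class SecurityEvent:
    facility: str
    severity: str
    timestamp: str
    hostname: str
    app_name: str
    procid: str
    device_vendor: str
    device_product: str
    device_version: str
    event_class_id: str
    name: str
    cef_severity: str
    extensions: Dict[str, str]


def split_cef_header(cef: str) -> List[str]:
    """Split the 7 pipe-delimited CEF header fields; a backslash-escaped pipe is a literal.
    Returns the 7 header fields followed by the raw extension string."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef) and cef[i + 1] in "|\\":
            buf.append(cef[i + 1])       # escaped pipe or backslash inside a header field
            i += 2
        elif ch == "|":
            fields.append("".join(buf))  # field boundary
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    fields.append(cef[i:])               # everything after the 7th pipe is extensions
    return fields


def unescape_ext(value: str) -> str:
    """Undo the CEF extension escapes (\\=, \\\\, \\n, \\r) in a single pass."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extensions(ext: str) -> Dict[str, str]:
    return {m.group("key"): unescape_ext(m.group("val")) for m in EXT_RE.finditer(ext)}


def parse_line(line: str) -> SecurityEvent:
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 5424 Syslog line")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range")
    hdr = split_cef_header(m.group("msg"))
    if hdr[0] != "CEF:0":
        raise ValueError(f"unexpected CEF version field {hdr[0]!r}")
    return SecurityEvent(
        facility=FACILITIES[pri // 8], severity=SEVERITIES[pri % 8],
        timestamp=m.group("ts"), hostname=m.group("host"), app_name=m.group("app"),
        procid=m.group("procid"), device_vendor=hdr[1], device_product=hdr[2],
        device_version=hdr[3], event_class_id=hdr[4], name=hdr[5], cef_severity=hdr[6],
        extensions=parse_extensions(hdr[7]))


def failed_events(lines: List[str]) -> List[str]:
    """Names of events whose outcome extension is 'failure': a minimal triage filter."""
    return [ev.name for ev in map(parse_line, lines) if ev.extensions.get("outcome") == "failure"]


if __name__ == "__main__":
    for ev in map(parse_line, SAMPLE_LINES):
        print(f"{ev.facility}.{ev.severity} {ev.hostname} {ev.device_product} "
              f"{ev.name} [{ev.cef_severity}] outcome={ev.extensions.get('outcome', '-')}")
```

The header regex deliberately refuses any line that does not match the documented shape rather than guessing, so a collector built on it surfaces format drift (a different APP-NAME, bracketed structured data) instead of silently dropping fields; the pipe-aware splitter matters because a naive str.split("|") would break on rule names that contain a pipe, as the constructed third line shows.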