Audit Event Syslog Format
Use this reference to understand the Syslog message format for audit events that are forwarded from the Industrial Edge Device.
Syslog message format
The following example shows a Syslog message with structured data in RFC5424 format.
```
<110>1 2024-08-13T05:20:18.006201Z 10.1.31.103 authservice - ID5 [device@4329.6.100.6 FWVersion="1.21.0-5" devID="c727e0c09f1f44caa3a731aeed78877b" devName="IED" devProduct="Edge Device" devVendor="Siemens"][function@4329.6.100.6 fct="ie.device.software.user.logout" result="success"][session@4329.6.100.6 src="" userName="iem.user@siemens.com"] user: iem.user@siemens.com log out success
```
Syslog structure explanation
| Section | Syslog field | Parameter | Data type | Description | Example value |
|---|---|---|---|---|---|
| HEADER | PRI | PRI | STRING[3..5] | RFC5424 defines the PRI value based on facility and severity. For Industrial Edge Device audit events, the value is between 104 and 111. | 110 |
| HEADER | TIMESTAMP | TIMESTAMP | STRING[20..32] | Indicates when the event occurred. | 2024-05-11T22:14:15.003Z |
| HEADER | HOSTNAME | HOSTNAME | STRING | Indicates the IP address of the Industrial Edge Device. | 192.168.19.136 |
| HEADER | APP-NAME | APP-NAME | STRING | Indicates where the audit event occurred. | edgesdk |
| HEADER | PROCID | PROCID | STRING(1..128) | Not used. | |
| HEADER | MSGID | MSGID | STRING(1..32) | Indicates the security event type ID that is defined on the Industrial Edge security event website. | ID5 |
| STRUCTURED-DATA | SD-ID | device@<ProductOwnID> | STRING(1..32) | Provides device metadata. 4329.6.100.6 is the organization code in this example. Use your own code. | device@4329.6.100.6 |
| STRUCTURED-DATA | SD-PARAM | FWVersion | UTF-8 STRING | Indicates the firmware version. | 1.19.0-3 |
| STRUCTURED-DATA | SD-PARAM | devID | UTF-8 STRING | Indicates the Industrial Edge Device ID. | 32803b78dbe6499c8437e962d378a8eb |
| STRUCTURED-DATA | SD-PARAM | devName | UTF-8 STRING | Indicates the Industrial Edge Device name. | IEDevice001 |
| STRUCTURED-DATA | SD-PARAM | devProduct | UTF-8 STRING | Indicates the device type. For Industrial Edge Device, the value is Edge Device. | Edge Device |
| STRUCTURED-DATA | SD-PARAM | devVendor | UTF-8 STRING | Is always Siemens. | Siemens |
| STRUCTURED-DATA | SD-ID | function@<ProductOwnID> | STRING(1..32) | Provides metadata about the event process. 4329.6.100.6 is the organization code in this example. Use your own code. | function@4329.6.100.6 |
| STRUCTURED-DATA | SD-PARAM | fct | UTF-8 STRING | Indicates the function related to the audit event. For example, if you download a security log file, the fct value ends with download and the resource value contains the file name. | ie.device.software.app.logs.download |
| STRUCTURED-DATA | SD-PARAM | resource | UTF-8 STRING | Identifies the resource that the function handles, for example a file name or protection level. | audit-20240501.log |
| STRUCTURED-DATA | SD-PARAM | result | UTF-8 STRING | Indicates the function result, for example success, failure, loss, or return. | success |
| STRUCTURED-DATA | SD-ID | session@<ProductOwnID> | STRING(1..32) | Provides metadata about the event session. 4329.6.100.6 is the organization code in this example. Use your own code. | session@4329.6.100.6 |
| STRUCTURED-DATA | SD-PARAM | src | UTF-8 STRING | Indicates the source client IP address. For example, if a user logs out, the value can contain the browser IP address. | 23.106.129.48 |
| STRUCTURED-DATA | SD-PARAM | userName | UTF-8 STRING | Indicates who performed or caused the event. | username@company.example |
| MSG | MSG | MSG | UTF-8 STRING | Contains a free-form message with additional event information. | user log out |
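
The following parser is an added example, not part of the Siemens documentation. It splits a forwarded audit event into the fields from the table above, rejects a PRI outside 104 to 111, and undoes RFC 5424 SD-PARAM escaping so that a quoted value cannot be read as a separate parameter. The function name `parse_audit_event` and the choice to key each SD-ELEMENT by the name before `@` are assumptions of this example.

```python
import re

# Sample message copied from the example on this page.
SAMPLE = ('<110>1 2024-08-13T05:20:18.006201Z 10.1.31.103 authservice - ID5 '
          '[device@4329.6.100.6 FWVersion="1.21.0-5" '
          'devID="c727e0c09f1f44caa3a731aeed78877b" devName="IED" '
          'devProduct="Edge Device" devVendor="Siemens"]'
          '[function@4329.6.100.6 fct="ie.device.software.user.logout" result="success"]'
          '[session@4329.6.100.6 src="" userName="iem.user@siemens.com"] '
          'user: iem.user@siemens.com log out success')

# PRI, VERSION 1, then TIMESTAMP HOSTNAME APP-NAME PROCID MSGID.
HEADER = re.compile(r'<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ')
SD_ID = re.compile(r'\[([^ =\]"]+)')
# RFC 5424: inside a PARAM-VALUE the characters " \ ] are backslash-escaped.
PARAM = re.compile(r' ([^ =\]"]+)="((?:[^"\\\]]|\\.)*)"')
UNESCAPE = re.compile(r'\\(["\\\]])')

def parse_audit_event(line):
    """Return a dict of header fields, SD-ELEMENTs and MSG for one audit event."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header")
    pri = int(m.group(1))
    if not 104 <= pri <= 111:  # range this page states for audit events
        raise ValueError(f"PRI {pri} outside the audit range 104..111")
    names = ("timestamp", "hostname", "app_name", "procid", "msgid")
    event = dict(zip(names, m.groups()[1:]))
    event.update(facility=pri >> 3, severity=pri & 7, sd={})
    pos = m.end()
    if line.startswith("-", pos):  # NILVALUE: no structured data
        pos += 1
    while line[pos:pos + 1] == "[":
        sd_id = SD_ID.match(line, pos)
        if not sd_id:
            raise ValueError("malformed SD-ID")
        # The organization code after '@' differs per deployment, so drop it.
        element = event["sd"].setdefault(sd_id.group(1).split("@")[0], {})
        pos = sd_id.end()
        while (p := PARAM.match(line, pos)):
            element[p.group(1)] = UNESCAPE.sub(r"\1", p.group(2))
            pos = p.end()
        if line[pos:pos + 1] != "]":
            raise ValueError("unterminated or unescaped SD-ELEMENT")
        pos += 1
    event["msg"] = line[pos:].lstrip(" ")
    return event
```
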
Related documentation
- Audit Event: Overview and settings for the Audit Event page.
- Audit Event List: Available audit event functions and security event types.