Supported Log Types

Back To README | READMEに戻る

	vpcflowlogs	cloudtrail	networkfirewall	guardduty	securityhub	nlb	alb	clb	s3accesslog	cloudfront-realtime	cloudfront-standard	waf	route53resolver	rds-postgresql	rds-mysql-audit	rds-mysql-general	rds-mysql-error	rds-mysql-slowquery	msk	workspaces-event	workspaces-inventory	directory-service	fsx-win	windows-event	linux-secure	linux-os-syslog
index_name	”log-aws-vpcflowlogs”	”log-aws-cloudtrail”	”log-aws-networkfirewall”	”log-aws-guardduty”	”log-aws-securityhub”	”log-aws-elb”	”log-aws-elb”	”log-aws-elb”	”log-aws-s3accesslog”	”log-aws-cloudfront”	”log-aws-cloudfront”	”log-aws-waf”	”log-aws-r53resolver”	”log-aws-rds-postgresql”	”log-aws-rds-mysql”	”log-aws-rds-mysql”	”log-aws-rds-mysql”	”log-aws-rds-mysql”	”log-aws-msk”	”log-aws-workspaces”	”log-aws-workspaces”	”log-aws-directory-service”	”log-aws-fsx-win”	”log-win-event”	”log-linux-secure”	”log-linux-os”
@log_type	”vpcflowlogs”	”cloudtrail”	”networkfirewall”	”guardduty”	”securityhub”	”nlb”	”alb”	”clb”	”s3accesslog”	”cloudfront-realtime”	”cloudfront-standard”	”waf”	”route53resolver”	”rds-postgresql”	”rds-mysql-audit”	”rds-mysql-general”	”rds-mysql-error”	”rds-mysql-slowquery”	”msk”	”workspaces-event”	”workspaces-inventory”	”directory-service”	”fsx-win”	”windows-event”	”linux-secure”	”linux-os-syslog”
event.module	”vpcflowlogs”	”eventSource”	”event.event_type”	”guardduty”	SCRIPT()	”nlb”	”alb”	”clb”	”s3accesslog”	”cloudfront-realtime”	”cloudfront-standard”	”waf”	”route53resolver”	”rds-postgresql”	”audit”	”general”	”error”	”slowquery”	”msk”	”workspaces-event”	”workspaces-inventory”	”Event.System.Channel”	”Event.System.Channel”	”Event.System.Channel”	”linux-secure”	”linux-os-syslog”
event.kind	”event”	”event”	SCRIPT()	”alert”	”alert”	”event”	”event”	”event”	”event”	”event”	”event”	”alert”	”event”							”event”	”state”	”event”	”event”	”event”	”event”	”event”
event.category	”network”	”iam”	”network”	SCRIPT()	SCRIPT()	”network”	”web”	”web”	”web”	”web”	”web”	”web”	”network”	SCRIPT()	”database”	”database”	”database”	”database”		”[authentication, host]”	”[host]”				SCRIPT()	SCRIPT()
event.type																				”[info]”	”[info]”
True																				SCRIPT()
cloud.account.id	${account_id}	${recipientAccountId}	[FromS3Key]	[FromS3Key]	${AwsAccountId}	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]	SCRIPT()	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]
cloud.availability_zone			${availability_zone}
cloud.instance.id	${instance_id}	${requestParameters.instanceId responseElements.instancesSet.items.0.instanceId requestParameters.DescribeInstanceCreditSpecificationsRequest.InstanceId.content}		${resource.instanceDetails.instanceId}	SCRIPT()								${instance}											SCRIPT()	SCRIPT()	SCRIPT()
cloud.region	${region}	${awsRegion}	[FromS3Key]	[FromS3Key]	${Resources.0.Region}	[FromS3Key]	[FromS3Key]	[FromS3Key]	SCRIPT()	”global”	”global”	SCRIPT()	${region}	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]	[FromS3Key]
destination	GEOIP()		GEOIP()	GEOIP()	GEOIP()	GEOIP()	GEOIP()	GEOIP()														GEOIP()	GEOIP()	GEOIP()
destination.address	${dstaddr}	SCRIPT()		SCRIPT()	${ProductFields.aws/guardduty/resource/instanceDetails/networkInterfaces.0_/privateIpAddress ProductFields.aws/guardduty/service/action/networkConnectionAction/localIpDetails/ipAddressV4}	${destination_ip}	${target_ip}	${backend_ip}	${EndPoint}
destination.domain									${EndPoint}
destination.ip	${dstaddr}	SCRIPT()	${event.dest_ip}	SCRIPT()	${ProductFields.aws/guardduty/resource/instanceDetails/networkInterfaces.0_/privateIpAddress ProductFields.aws/guardduty/service/action/networkConnectionAction/localIpDetails/ipAddressV4}	${destination_ip}	${target_ip}	${backend_ip}														${Event.EventData.Data.DestAddress}	${Event.EventData.Data.DestAddress}	${Event.EventData.Data.DestAddress}
destination.nat.ip		SCRIPT()		SCRIPT()	${ProductFields.aws/guardduty/resource/instanceDetails/networkInterfaces.0_/publicIp}
destination.port	${dstport}		${event.dest_port}	SCRIPT()	${ProductFields.aws/guardduty/service/action/portProbeAction/portProbeDetails/localPortDetails.0_/port ProductFields.aws/guardduty/service/action/networkConnectionAction/localPortDetails/port}	${destination_port}	${target_port}	${backend_port}														${Event.EventData.Data.DestPort}	${Event.EventData.Data.DestPort}	${Event.EventData.Data.DestPort}
dns.answers.class													${answers.0.Class}
dns.answers.data													SCRIPT()
dns.answers.type													${answers.0.Type}
dns.question.class													${query_class}
dns.question.name				${service.action.dnsRequestAction.domain}	${ProductFields.aws/guardduty/service/action/dnsRequestAction/domain}								SCRIPT()
dns.question.type													${query_type}
dns.response_code													${rcode}
error.code		${errorCode}																				${Event.System.Status}	${Event.System.Status}	${Event.System.Status}
error.message		${errorMessage}
event.action	SCRIPT()	${eventName}	${event.alert.action}									${action}		SCRIPT()								SCRIPT()	SCRIPT()	SCRIPT()	SCRIPT()	SCRIPT()
event.code																						${Event.System.EventID}	${Event.System.EventID}	${Event.System.EventID}
event.outcome	SCRIPT()	SCRIPT()												SCRIPT()						”success”		SCRIPT()	SCRIPT()	SCRIPT()	SCRIPT()	SCRIPT()
event.risk_score_norm					${Severity.Normalized}
event.severity			${event.alert.severity}	${severity}	${Severity.Product}
host.hostname																					${ComputerName}				${hostname}	${hostname}
host.id																				${workspaceId}	${WorkspaceId}
host.ip																					${IpAddress}
host.name																					${ComputerName}	${Event.System.Computer}	${Event.System.Computer}	${Event.System.Computer}
http.request.bytes						${received_bytes}	${received_bytes}	${received_bytes}		${cs_bytes}	${cs_bytes}
http.request.method			${event.http.http_method}				${http_method}	${http_method}	${RequestURI_operation}	${cs_method}	${cs_method}	${httpRequest.httpMethod}
http.request.referrer									${Referrer}	${cs_referer}	${cs_referer}	SCRIPT()
http.response.bytes						${sent_bytes}	${sent_bytes}	${sent_bytes}	${BytesSent}	${sc_bytes}	${sc_bytes}
http.response.status_code							${elb_status_code}	${elb_status_code}	${HTTPstatus}	${sc_status}	${sc_status}
http.version							${http_version}	${http_version}		SCRIPT()	SCRIPT()	SCRIPT()
log.level														${postgresql_log_level}			${mysql_log_level}		${msk_log_level}
msk																			SCRIPT()
network.bytes	${bytes}		${event.netflow.bytes}
network.direction	${flow_direction}			SCRIPT()
network.iana_number	${protocol}
network.packets	${packets}		${event.netflow.pkts}
network.protocol			${event.app_proto}
network.transport	SCRIPT()		SCRIPT()
network.type	${type}
process.name																									${proc}	${proc}
process.pid														${postgresql_pid}											${pid}	${pid}
rds.cluster_identifier														SCRIPT()				SCRIPT()
rds.database_name														${postgresql_database}	${mysql_database}
rds.instance_identifier														SCRIPT()				SCRIPT()
rds.message														${postgresql_message}			${mysql_message mysql_server_audit_message}
rds.query														SCRIPT()	SCRIPT()	SCRIPT()	SCRIPT()	SCRIPT()
rds.query_time														SCRIPT()				${mysql_query_time}
related.hosts																				${[workspaceId]}	${[ComputerName, WorkspaceId]}
related.ip	${[srcaddr, dstaddr, pkt_srcaddr, pkt_dstaddr]}	${[sourceIPAddress]}	${[event.dest_ip, event.src_ip]}	${[resource.instanceDetails.networkInterfaces.0.privateIpAddress, service.action.networkConnectionAction.localIpDetails.ipAddressV4, resource.instanceDetails.networkInterfaces.0.publicIp, service.action.awsApiCallAction.remoteIpDetails.ipAddressV4, service.action.networkConnectionAction.remoteIpDetails.ipAddressV4, service.action.portProbeAction.portProbeDetails.0.remoteIpDetails.ipAddressV4]}	${[ProductFields.aws/guardduty/resource/instanceDetails/networkInterfaces.0_/privateIpAddress, ProductFields.aws/guardduty/service/action/networkConnectionAction/localIpDetails/ipAddressV4, ProductFields.aws/guardduty/resource/instanceDetails/networkInterfaces.0_/publicIp, ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4, ProductFields.aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4, ProductFields.aws/guardduty/service/action/portProbeAction/portProbeDetails.0_/remoteIpDetails/ipAddressV4]}	${[client_ip, destination_ip]}	${[target_ip, client_ip, http_host]}	${[backend_ip, client_ip]}	${[RemoteIP]}	${[c_ip]}	${[c_ip]}	${[httpRequest.clientIp]}	${[srcaddr]}	${postgresql_source_address}	${[mysql_host]}			${[mysql_source_ip]}		${[clientIpAddress]}	${[IpAddress]}	${[Event.EventData.Data.DestAddress, Event.EventData.Data.IpAddress, Event.EventData.Data.SourceAddress]}	${[Event.EventData.Data.DestAddress, Event.EventData.Data.IpAddress, Event.EventData.Data.SourceAddress]}	${[Event.EventData.Data.DestAddress, Event.EventData.Data.IpAddress, Event.EventData.Data.SourceAddress]}
related.user				${[resource.accessKeyDetails.userName]}											${[mysql_username, rds.query]}			${[mysql_username]}			${[UserName]}	${[Event.EventData.Data.SubjectUserName, Event.EventData.Data.TargetUserName]}	${[Event.EventData.Data.SubjectUserName, Event.EventData.Data.TargetUserName]}	${[Event.EventData.Data.SubjectUserName, Event.EventData.Data.TargetUserName]}
rule.description				${title}	${Description}
rule.id			${event.alert.signature_id}
rule.name		${eventName}	${event.alert.signature}	${type}	${Types}							${terminatingRuleId}
rule.ruleset												SCRIPT()
rule.version			${event.alert.rev}
service.node.name			${firewall_name}
source	GEOIP()	GEOIP()	GEOIP()	GEOIP()	GEOIP()	GEOIP()	GEOIP()	GEOIP()	GEOIP()	GEOIP()	GEOIP()	GEOIP()								GEOIP()		GEOIP()	GEOIP()	GEOIP()	GEOIP()	GEOIP()
source.address	${srcaddr}	${sourceIPAddress}		SCRIPT()	${ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4 ProductFields.aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4 ProductFields.aws/guardduty/service/action/portProbeAction/portProbeDetails.0_/remoteIpDetails/ipAddressV4}	${client_ip}	${client_ip}	${client_ip}	${RemoteIP}	${c_ip}	${c_ip}	${httpRequest.clientIp}	${srcaddr}	${postgresql_source_address}	${mysql_host}
source.bytes	${bytes}		${event.netflow.bytes}
source.ip	${srcaddr}	${sourceIPAddress}	${event.src_ip}	SCRIPT()	${ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4 ProductFields.aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4 ProductFields.aws/guardduty/service/action/portProbeAction/portProbeDetails.0_/remoteIpDetails/ipAddressV4}	${client_ip}	${client_ip}	${client_ip}	${RemoteIP}	${c_ip}	${c_ip}	${httpRequest.clientIp}	${srcaddr}	${postgresql_source_address}	${mysql_host}			${mysql_source_ip}		${clientIpAddress}		${Event.EventData.Data.IpAddress Event.EventData.Data.SourceAddress}	${Event.EventData.Data.IpAddress Event.EventData.Data.SourceAddress}	${Event.EventData.Data.IpAddress Event.EventData.Data.SourceAddress}	SCRIPT()	SCRIPT()
source.packets	${packets}		${event.netflow.pkts}
source.port	${srcport}		${event.src_port}	SCRIPT()	${ProductFields.aws/guardduty/service/action/networkConnectionAction/remotePortDetails/port}	${client_port}	${client_port}	${client_port}		${c_port}	${c_port}		${srcport}	${postgresql_source_port}								${Event.EventData.Data.IpPort Event.EventData.Data.SourcePort}	${Event.EventData.Data.IpPort Event.EventData.Data.SourcePort}	${Event.EventData.Data.IpPort Event.EventData.Data.SourcePort}	SCRIPT()	SCRIPT()
url.domain			${event.http.hostname event.tls.sni}			${domain_name}	${http_host}	${http_host}	${EndPoint}	${cs_host}	${x_host_header}
url.full							SCRIPT()	SCRIPT()		SCRIPT()	SCRIPT()
url.original									${RequestURI_key}
url.path							${http_path}	${http_path}		SCRIPT()	${cs_uri_stem}	${httpRequest.uri}
url.port						${destination_port}	${http_port}	${http_port}
url.query							${http_query}	${http_query}		${cs_uri_query}	${cs_uri_query}	${httpRequest.args}
url.scheme							${http_protocol}	${http_protocol}		${cs_protocol}	${cs_protocol}
user.domain																						${Event.EventData.Data.SubjectDomainName Event.EventData.Data.TargetDomainName}	${Event.EventData.Data.SubjectDomainName Event.EventData.Data.TargetDomainName}	${Event.EventData.Data.SubjectDomainName Event.EventData.Data.TargetDomainName}
user.id		${userIdentity.accessKeyId}		${resource.accessKeyDetails.accessKeyId}	SCRIPT()																${UserName}	${Event.EventData.Data.SubjectUserSid Event.EventData.Data.TargetUserSid}	${Event.EventData.Data.SubjectUserSid Event.EventData.Data.TargetUserSid}	${Event.EventData.Data.SubjectUserSid Event.EventData.Data.TargetUserSid}	SCRIPT()	SCRIPT()
user.name		SCRIPT()		${resource.accessKeyDetails.userName}	SCRIPT()				SCRIPT()					${postgresql_user}	${mysql_username rds.query}			${mysql_username}			${UserName}	${Event.EventData.Data.SubjectUserName Event.EventData.Data.TargetUserName}	${Event.EventData.Data.SubjectUserName Event.EventData.Data.TargetUserName}	${Event.EventData.Data.SubjectUserName Event.EventData.Data.TargetUserName}	SCRIPT()	SCRIPT()
user_agent.original		${userAgent}	${event.http.http_user_agent}				${useragent}	${useragent}	${UserAgent}	SCRIPT()	SCRIPT()	SCRIPT()

Back To README | READMEに戻る

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

suppoted_log_type.md

suppoted_log_type.md

Supported Log Types

Files

suppoted_log_type.md

Latest commit

History

suppoted_log_type.md

File metadata and controls

Supported Log Types