Default templates

Template | Description |
Apache | Standard Apache web server log |
Fortinet | Standard Fortinet FortiGate log, in CEF format |
Fortinet Lite | Standard Fortinet FortiGate log, in CEF format, with reduced IP address and port ranges |
Infotecs-ids | Standard Infotecs IDS log in CEF format |
Kaspersky Anti Targeted Attack Platform | Standard log of one of the Kaspersky Anti Targeted Attack Platform modules in CEF format |
Nginx | Standard Nginx web server log |
Nginx (proxy) | Standard Nginx web server log in reverse proxy mode |
Nginx (OpenVas) | Standard Nginx web server log, always using OpenVAS as the User-Agent |
Squid | Standard Squid proxy server log |
Squid (IP List) | Standard Squid proxy server log, using the list of IP addresses from the file |
Synology | Standard Synology file storage log, with a random set of file and user reads |
Suricata | Suricata IDS standard log in eve.json syslog format |
ElasticSearch | Example of an event template for ElasticSearch |
Kafka | Example of an event template for Kafka |
Redis | Example of an event template for Redis |
Suricata | Suricata IDS Eve format template, forwarded via syslog |
Suricata (json) | Suricata IDS Eve template |
HTTP DEMO | Example of a template for sending data over HTTP |
Solar Web Proxy | Solar Web Proxy server-server log (requires Kraken 2.15.12 or higher) |
Linux SSHD | SSHD authorization log (requires Kraken 2.15.13 or higher) |
CentOS | RSyslog logs of a CentOS-based system with auditing enabled (requires Kraken 2.15.14 or higher) |
Keenetic | Template with examples of Keenetic router events in syslog format |
Template creation
Parameters
MAIN section
template - the template of a new event.
index - the destination name for sending events; a variable can be specified as the value. Depending on the output, it is:
- the ElasticSearch index name
- the Kafka topic name
- the Redis list name
- the URL for HTTP
name - the name of the template displayed in the interface (must be unique).
UserAgent - optional field, specifies the User-Agent for HTTP requests, the value can be used as a permen
The template can be defined by either of two parameters in the configuration file.
Example of a single-line template:
[MAIN]
name=HAProxy
template=<134>%date5% haproxy[5403]: ubuntu %Ip1%:%port1% 192.168.204.146:3128 %HOME_NET_192_168_0%:%HTTP_PORTS% [%date14%.%utc_zzz%] frontend backend/apache0%R254% 0/0/0/1/1 ST=%http_code% %id% - - ---- 1/1/0/0/0 0/0 URI="%http_method% %web_proto%://%domain%%url% HTTP/1.1"
Template section
For multiple templates within a single configuration file, use the [template] section. If a [template] section is present, the template= parameter in [MAIN] is ignored.
Example:
[template]
1=<133>%date10% host : %ASA-5-111010: User '%user_name%', running 'CLI' from IP %HOME_NET_172%, executed '%cisco_cmd%'
2=<166>%date10% host : %ASA-6-605004: Login denied from %HOME_NET_172%/%port1% to interface10:%HOME_NET_172%/https for user "%user_name%"
3=<166>%date10% host : %ASA-6-605004: Login denied from %HOME_NET_172%/%port1% to interface10:%HOME_NET_172%/https for user "%user_name%"
POST section
Contains the set of data to be sent in the body of a POST request, in key=value format.
The section is sent in its entirety.
Variables are supported.
Example:
[POST]
filename=%file_name%
md5=%md5%
sha1=%sha1%
email=%emailAddress%
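As an added example (not part of this documentation or of Kraken itself), the following Python reads a constructed configuration in the format described above, applies the rule that a [template] section overrides the template= parameter, and substitutes %variable% placeholders in the templates and in the [POST] section; the variable names and values passed in are assumed, as is the strict handling of unresolved placeholders.

```python
import configparser
import re

# Constructed sample config in the format this page describes: [MAIN] with
# name/index/template, an optional [template] section, and a [POST] section.
SAMPLE_CONFIG = """
[MAIN]
name=HAProxy
index=haproxy-events
template=<134>%date5% haproxy[5403]: %Ip1%:%port1% ST=%http_code%

[template]
1=<133>%date10% host : User '%user_name%' executed '%cisco_cmd%'
2=<166>%date10% host : Login denied from %HOME_NET_172%/%port1% for user "%user_name%"

[POST]
filename=%file_name%
md5=%md5%
"""

PLACEHOLDER = re.compile(r"%([A-Za-z0-9_]+)%")


def parse_config(text):
    # '%' is literal in templates, so configparser interpolation must be off;
    # only '=' separates key and value, because templates contain ':' freely.
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep key case (e.g. UserAgent)
    cfg.read_string(text)
    return cfg


def load_templates(cfg):
    """Page rule: a [template] section takes precedence and template= is ignored."""
    if cfg.has_section("template"):
        items = sorted(cfg.items("template"), key=lambda kv: int(kv[0]))
        return [v for _, v in items]
    return [cfg.get("MAIN", "template")]


def render(template, values):
    """Substitute %name% placeholders; fail on any unresolved one so a typo in
    a template is caught instead of being silently emitted into the event stream."""
    missing = sorted(set(PLACEHOLDER.findall(template)) - set(values))
    if missing:
        raise KeyError(f"unresolved placeholders: {missing}")
    return PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), template)


def render_post(cfg, values):
    """The [POST] section is sent whole, so every key=value pair is rendered."""
    return {k: render(v, values) for k, v in cfg.items("POST")}
```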