GoAnywhere MFT
About
GoAnywhere MFT is a secure managed file transfer software solution that streamlines the exchange of data between systems, employees, customers, and trading partners.
Product Details
Vendor URL: GoAnywhere
Product Type: Data Security
Product Tier: Tier III
Integration Method: Syslog
Integration URL: n/a
Log Guide: n/a
Parser Details
Log Format: Syslog
Expected Normalization Rate: near 100%
Data Label: GOANYWHERE_MFT
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
"Fortra" | metadata.vendor_name |
"GoAnywhere MFT" | metadata.product_name |
observer | observer.hostname |
msg2, msg3 | metadata.description |
observer | principal.hostname |
prin_ip | principal.ip |
pport | principal.port |
user | principal.user.userid |
"MACHINE" | extensions.auth.type |
targapp | target.application |
targ_ip | target.ip |
tport | target.port |
msg | security_result.summary |
channel | security_result.detection_fields |
channelStatus | security_result.detection_fields |
Product Event Types
Product Event | UDM Event |
---|---|
message contains "logged in" | USER_LOGIN |
message contains "logged out" | USER_LOGOUT |
message contains principal info | STATUS_UPDATE |
All other events | GENERIC_EVENT |
Log Sample
<15>May 9 01:07:03 hostname Added entry /10.4.7.161:61641 com.sample.name.utils.Class@1234. There are 4 entries in the map.
Sample Parsing
metadata.event_type = "STATUS_UPDATE"
metadata.vendor_name = "Fortra"
metadata.product_name = "GoAnywhere MFT"
metadata.description = "Added entry"
principal.hostname = "hostname"
principal.ip = "10.4.7.161"
principal.port = 61641
target.application = "com.sample.name.utils.Class@1234"
observer.hostname = "hostname"
security_result.summary = "Added entry /10.4.7.161:61641 com.sample.name.utils.Class@1234. There are 4 entries in the map."
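
The field mapping and event-type rules above, applied to the log sample, as an added Python sketch (not the vendor's or the parser's own code). The regular expressions are inferred from the single log sample, "principal info" is assumed to mean an `/ip:port` endpoint in the message, and the second and third sample lines are constructed.

```python
import re

# Header layout and the "/ip:port app." shape are inferred from the page's one log sample.
HEADER = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<observer>\S+) (?P<msg>.*)$"
)
ENDPOINT = re.compile(
    r"^(?P<desc>.*?)\s*/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})\s+(?P<app>\S+?)\.(?:\s|$)"
)

def parse_goanywhere(line):
    """Map one syslog line to a flat dict of UDM fields; None if the header does not match."""
    m = HEADER.match(line.strip())
    if m is None:
        return None  # callers should count these: they lower the normalization rate
    observer, msg = m.group("observer"), m.group("msg")
    udm = {
        "metadata.vendor_name": "Fortra",
        "metadata.product_name": "GoAnywhere MFT",
        "observer.hostname": observer,
        "principal.hostname": observer,  # the mapping table sends observer to both fields
        "security_result.summary": msg,
    }
    ep = ENDPOINT.match(msg)
    if ep:
        udm.update({
            "metadata.description": ep.group("desc"),
            "principal.ip": ep.group("ip"),
            "principal.port": int(ep.group("port")),
            "target.application": ep.group("app"),
        })
    # Precedence follows the row order of the Product Event Types table.
    if "logged in" in msg:
        udm["metadata.event_type"] = "USER_LOGIN"
    elif "logged out" in msg:
        udm["metadata.event_type"] = "USER_LOGOUT"
    elif ep:
        udm["metadata.event_type"] = "STATUS_UPDATE"
    else:
        udm["metadata.event_type"] = "GENERIC_EVENT"
    return udm

# First line is the page's log sample; the other two are constructed for illustration.
SAMPLES = [
    "<15>May 9 01:07:03 hostname Added entry /10.4.7.161:61641 com.sample.name.utils.Class@1234. There are 4 entries in the map.",
    "<14>May 9 01:08:11 hostname User example_user logged in",
    "<14>May 9 01:09:30 hostname Service heartbeat",
]
```

Lines that return `None` or fall through to `GENERIC_EVENT` are the ones to review when checking the expected near-100% normalization rate against real traffic.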