IPSwitch MOVEit Automation¶
About¶
These logs capture FTP transactions. With the parser we will grab the filename, path, and user name when provided in the logs. Parse rate is expected to fluctuate as “keepalive” logs will be dropped by the parser intentionally.
Product Details¶
Vendor URL: MOVEit File Transfer Automation Software
Product Type: FTP Server
Product Tier: Tier III
Integration Method: Syslog
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: 90-100%
* Parser will drop logs KEEPALIVE events
Data Label: IPSWITCH_MOVEIT_AUTOMATION
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| hostname | observer.hostname |
| _event | metadata.description |
| _task | metadata.product_event_type |
| _srcUser | principal.user.userid |
| _transaction | principal.application |
| _srcHost | principal.hostname |
| _fileName | target.application |
| _filePath | target.file.full_path |
| _portNum | target.port |
| _targetHost | target.hostname |
Log Sample¶
<13>1 2022-01-10T02:40:47.659020-06:00 hostname1 - - - [NXLOG@55555 EventReceivedTime="2022-01-10 02:40:47" SourceModuleName="ftp_internal" SourceModuleType="im_file"] 2022-01-10 02:40:47 z4 11a0: T555555555: $$ Logging \\host\filepath/filepath/filename.xlsm to size 0 err 0
Sample Parsing¶
metadata.event_timestamp = "2022-01-10T02:40:47Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Ipswitch MOVEit"
principal.application = "T555555555"
target.application = "\\host\filepath/filepath/filename.xlsm"
observer.hostname = "hostname1"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon