Puppet¶

About¶
Puppet is the industry standard for IT automation. Modernize, manage and bring your hybrid infrastructure into compliance through Puppet's powerful continuous automation.
Product Details¶
Vendor URL: Puppet: Powerful infrastructure automation and delivery
Product Type: IT Automation
Product Tier: Tier III
Integration Method: Syslog
Integration URL: Advanced logging configuration - Puppet
Log Guide: logstash-logback-encoder/README.md at main - GitHub
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: 75%
Data Label: PUPPET
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| command | principal.process.command_line |
| response_code | network.http.response_code |
| request | target.url |
| cap_fver | additional.fields |
| cap_fe | additional.fields |
| cap_fi | additional.fields |
| cap_fp | additional.fields |
| objtype | additional.fields |
| inode | additional.fields |
| item | additional.fields |
| key | additional.fields |
| ses | additional.fields |
| tty | additional.fields |
| fsgid | additional.fields |
| sgid | additional.fields |
| egid | additional.fields |
| fsuid | additional.fields |
| suid | additional.fields |
| euid | additional.fields |
| gid | additional.fields |
| ppid | principal.process.parent_pid |
| items | additional.fields |
| a3 | additional.fields |
| a2 | additional.fields |
| a1 | additional.fields |
| a0 | additional.fields |
| exit | additional.fields |
| syscall | additional.fields |
| arch | additional.fields |
| comm | principal.application |
| p_path | principal.process.file.full_path |
| file_name | src.file.full_path |
| auid | additional.fields |
| uid | principal.user.userid |
| pid | principal.process.pid |
| proctitle | src.process.file.full_path |
| type | additional.fields |
| vendor | metadata.vendor_name |
| product | metadata.product_name |
| version | metadata.product_version |
| product_event | metadata.product_event_type |
| Statically Defined | metadata.event_type |
| src | principal.hostname |
| src | principal.ip |
| dst | target.hostname |
| dst | target.ip |
| dhost | target.hostname |
| dhost | target.ip |
| shost | principal.hostname |
| shost | principal.ip |
| suser | principal.user.userid |
| summary | security_result.summary |
| observer | observer.hostname |
| observer | observer.ip |
| observer_domain | observer.administrative_domain |
| log_data | metadata.description |
| description | metadata.description |
| INFORMATIONAL/LOW/MEDIUM/HIGH | security_result.severity |
Product Event Types¶
| type,subtype | severity | UDM Event Classification | alerting enabled |
|---|---|---|---|
| Default | | GENERIC_EVENT | No |
Log Sample¶
<13>Dec 16 09:26:05 sysloghost osqueryd: osqueryd worker (4425) stopping: Maximum sustainable CPU utilization limit exceeded: 12
Sample Parsing¶
metadata.event_timestamp = "2021-12-16T09:26:05Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Puppet"
metadata.product_event_type = "osqueryd"
metadata.description = "osqueryd worker (4425) stopping: Maximum sustainable CPU utilization limit exceeded: 12"
metadata.ingested_timestamp = "2021-12-16T09:26:09.190075Z"
target.hostname = "NULL"
target.namespace = "COMPANYNAME"
target.asset.hostname = "hostname"
observer.hostname = "sysloghost"
observer.administrative_domain = "domain"
observer.namespace = "COMPANYNAME"
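The mapping from the syslog line above to the UDM fields shown is mechanical enough to reproduce. The Python below is an added illustration, not the Chronicle parser itself: it splits the RFC 3164-style header from the page's log sample into PRI, timestamp, host, program and message, fills the same metadata and observer fields as the sample parsing, and then applies the UDM field table to any key=value pairs in the message body (direct mappings for fields like pid, ppid, uid, comm and command; everything else into additional.fields). Three things are assumptions rather than page facts: that audit-style fields arrive as key=value pairs in the message (the second sample line is constructed), that security_result.severity is derived from the syslog PRI severity bits, and that the missing syslog year is 2021 (the year in the page's sample output).

```python
"""Syslog -> UDM mapping for the Puppet log family described on this page.

Added example, not Chronicle's parser. The header grammar follows the
page's log sample; the key=value message body is an assumed format.
"""
import re
from datetime import datetime, timezone

# RFC 3164-style header as in the page's sample:
#   <PRI>Mon DD HH:MM:SS host program[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# key=value pairs in the message body; values may be double-quoted
# (assumed body format, not documented on the page).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Log fields the page's UDM table maps to a dedicated UDM field. Any other
# key=value field goes to additional.fields, as the table specifies.
DIRECT_MAP = {
    "command": "principal.process.command_line",
    "response_code": "network.http.response_code",
    "request": "target.url",
    "ppid": "principal.process.parent_pid",
    "comm": "principal.application",
    "p_path": "principal.process.file.full_path",
    "file_name": "src.file.full_path",
    "uid": "principal.user.userid",
    "pid": "principal.process.pid",
    "proctitle": "src.process.file.full_path",
    "summary": "security_result.summary",
    "description": "metadata.description",
}
INT_FIELDS = {"pid", "ppid", "response_code"}


def severity_label(pri):
    """Assumed mapping from syslog PRI to the page's four severity labels."""
    sev = pri & 7                  # low three bits are the syslog severity
    if sev <= 2:
        return "HIGH"              # emerg / alert / crit
    if sev == 3:
        return "MEDIUM"            # err
    if sev == 4:
        return "LOW"               # warning
    return "INFORMATIONAL"         # notice / info / debug


def parse_syslog(line, year=2021):
    """Split an RFC 3164-style line into its header parts. Year is assumed
    because the header carries none (the page's sample output uses 2021)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())      # collapse "Dec  6" -> "Dec 6"
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return {
        "pri": int(m["pri"]),
        "timestamp": ts.replace(tzinfo=timezone.utc),
        "host": m["host"],
        "program": m["prog"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"],
    }


def to_udm(line, year=2021):
    """Produce the flat UDM field set the page's sample parsing shows."""
    rec = parse_syslog(line, year)
    if rec is None:
        return None
    udm = {
        "metadata.event_timestamp": rec["timestamp"].strftime("%Y-%m-%dT%H:%M:%SZ"),
        "metadata.event_type": "GENERIC_EVENT",     # the only type on the page
        "metadata.vendor_name": "Puppet",
        "metadata.product_event_type": rec["program"],
        "metadata.description": rec["message"],
        "observer.hostname": rec["host"],
        "security_result.severity": severity_label(rec["pri"]),
        "additional.fields": {},
    }
    if rec["pid"] is not None:                      # pid from "program[pid]"
        udm["principal.process.pid"] = rec["pid"]
    for key, raw in KV_RE.findall(rec["message"]):
        value = raw.strip('"')
        if key in INT_FIELDS and value.isdigit():
            value = int(value)
        target = DIRECT_MAP.get(key)
        if target:
            udm[target] = value
        else:
            udm["additional.fields"][key] = value
    return udm


# Sample 1 is the page's log sample; sample 2 is constructed to exercise the
# key=value mapping and is not a real Puppet log line.
PAGE_SAMPLE = ("<13>Dec 16 09:26:05 sysloghost osqueryd: osqueryd worker (4425) "
               "stopping: Maximum sustainable CPU utilization limit exceeded: 12")
CONSTRUCTED_SAMPLE = ('<11>Dec 16 09:30:11 sysloghost puppet-agent[2211]: type=EXECVE '
                      'ppid=2200 uid=0 comm=bash p_path=/usr/bin/bash command="puppet agent -t"')

if __name__ == "__main__":
    for line in (PAGE_SAMPLE, CONSTRUCTED_SAMPLE):
        for field, value in sorted(to_udm(line).items()):
            print(f"{field} = {value!r}")
        print()
```

Running the block prints the same metadata.event_timestamp, metadata.product_event_type, metadata.description and observer.hostname values the sample parsing above lists for the page's line; the constructed line additionally lands pid, ppid, uid, comm, p_path and command in their dedicated UDM fields and leaves type in additional.fields, which is the behaviour a detection author should expect when writing rules against this log source.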
Parser Alerting¶
This product currently does not have any Parser-based Alerting