Puppet is the industry standard for IT automation. Modernize, manage and bring your hybrid infrastructure into compliance through Puppet's powerful continuous automation.

Product Details

Vendor URL: Puppet: Powerful infrastructure automation and delivery

Product Type: IT Automation

Product Tier: Tier III

Integration Method: Syslog

Integration URL: Advanced logging configuration - Puppet

Log Guide: logstash-logback-encoder/ at main - GitHub

Parser Details

Log Format: Syslog

Expected Normalization Rate: 75%

Data Label: PUPPET

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                  UDM Field
------------------------------  ----------------------------------
command                         principal.process.command_line
response_code                   network.http.response_code
request                         target.url
cap_fver                        additional.fields
cap_fe                          additional.fields
cap_fi                          additional.fields
cap_fp                          additional.fields
objtype                         additional.fields
inode                           additional.fields
item                            additional.fields
key                             additional.fields
ses                             additional.fields
tty                             additional.fields
fsgid                           additional.fields
sgid                            additional.fields
egid                            additional.fields
fsuid                           additional.fields
suid                            additional.fields
euid                            additional.fields
gid                             additional.fields
ppid                            principal.process.parent_pid
items                           additional.fields
a3                              additional.fields
a2                              additional.fields
a1                              additional.fields
a0                              additional.fields
exit                            additional.fields
syscall                         additional.fields
arch                            additional.fields
comm                            principal.application
p_path                          principal.process.file.full_path
file_name                       src.file.full_path
auid                            additional.fields
uid                             principal.user.userid
proctitle                       src.process.file.full_path
type                            additional.fields
vendor                          metadata.vendor_name
product                         metadata.product_name
version                         metadata.product_version
product_event                   metadata.product_event_type
Statically Defined              metadata.event_type
src                             principal.hostname
src                             principal.ip
dst                             target.hostname
dst                             target.ip
dhost                           target.hostname
dhost                           target.ip
shost                           principal.hostname
shost                           principal.ip
suser                           principal.user.userid
summary                         security_result.summary
observer                        observer.hostname
observer                        observer.ip
observer_domain                 observer.administrative_domain
log_data                        metadata.description
description                     metadata.description
INFORMATIONAL/LOW/MEDIUM/HIGH   security_result.severity

Product Event Types

type,subtype severity UDM Event Classification alerting enabled

Log Sample

<13>Dec 16 09:26:05 sysloghost osqueryd: osqueryd worker (4425) stopping: Maximum sustainable CPU utilization limit exceeded: 12

Sample Parsing

metadata.event_timestamp = "2021-12-16T09:26:05Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Puppet"
metadata.product_event_type = "osqueryd"
metadata.description = "osqueryd worker (4425) stopping: Maximum sustainable CPU utilization limit exceeded: 12"
metadata.ingested_timestamp = "2021-12-16T09:26:09.190075Z"
target.hostname = "NULL"
target.namespace = "COMPANYNAME"
target.asset.hostname = "hostname"
observer.hostname = "sysloghost"
observer.administrative_domain = "domain"
observer.namespace = "COMPANYNAME"

Parser Alerting

This product currently does not have any Parser-based Alerting.


Coming Soon