Solarwinds Serv U¶
About¶
The SolarWinds Serv-U File Server (Serv-U) is a multi-protocol file server capable of sending and receiving files from other networked computers through various means.
Product Details¶
Vendor URL: Solarwinds Serv U
Product Type: FTP Server
Product Tier: Tier III
Integration Method: Syslog
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: 85%
Data Label: SOLARWINDS_SERV_U
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| action | security_result.action_details |
| application | target.application |
| description | metadata.description |
| event_type | metadata.event_type |
| facility_code | security_result.threat_id |
| observer | observer.hostname |
| observer_domain | observer.domain.name |
| principal | principal.hostname |
| principal_domain | principal.administrative_domain |
| principal_host | principal.hostname |
| principal_port | principal.port |
| principal_user | principal.user.userid |
| product | metadata.product_name |
| product_event | metadata.product_event_type |
| result | security_result.threat_name |
| severity | security_result.severity_details |
| summary | security_result.summary |
| target_domain | target.domain.name |
| target_host | target.hostname |
| target_port | target.port |
| target_url | target.url |
| target_user | target.user.userid |
| vendor | metadata.vendor_name |
| version | metadata.product_version |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| All | GENERIC_EVENT |
Log Sample¶
<188>1234567: 1234567: May 31 11:19:11: %SEC_LOGIN-1-LOGIN_FAILED: Login failed [user: user_A] [Source: 10.10.10.10] [localport: 22] [Reason: Login Authentication Failed] at 11:19:11 EDT Wed May 31 2023
Sample Parsing¶
metadata.description = "Login Authentication Failed"
metadata.event_timestamp = "2023-05-31T11:19:11Z"
metadata.event_type = "GENERIC_EVENT"
metadata.log_type = "SOLARWINDS_SERV_U"
observer.hostname = "user_A"
principal.ip = "10.10.10.10"
principal.port = 22
security_result.severity_details = "1"
security_result.summary = "Login failed"
security_result.threat_id = "SEC_LOGIN"
security_result.threat_name = "LOGIN_FAILED"
Rules¶
Coming Soon