WS_FTP
About
WS_FTP secure file transfer products use industry-leading security at every level of data management, protecting data before, during, after transit, and verifying that files reach intended destinations uncompromised.
Product Details
Vendor URL: WS_FTP
Product Type: FTP Server
Product Tier: Tier III
Integration Method: Syslog
Parser Details
Log Format: Syslog
Expected Normalization Rate: ~100%
Data Label: WS_FTP
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| c_Id | security_result.detection_fields |
| c_Window | security_result.detection_fields |
| Client | principal.ip |
| Client | principal.port |
| Command | network.ftp.command |
| connection_id | additional.fields |
| description | security_result.action_details |
| Filename | target.file.full_path |
| FileSize | target.file.size |
| Host | target.hostname |
| Listener | intermediary.ip |
| Listener | intermediary.port |
| observer | observer.hostname |
| Parameters | target.file.names |
| protocol | network.application_protocol |
| s_Id | security_result.detection_fields |
| s_Window | security_result.detection_fields |
| SessionID | network.session_id |
| User | principal.user.userid |
Product Event Types

| Event | UDM Event Classification |
|---|---|
| Connection events | NETWORK_CONNECTION |
| Generic | GENERIC_EVENT |
| User logged in/logon success | USER_LOGIN |
Log Sample
<14>Jan 19 11:02:29 HOSTNAME SSH: Client closed connection: 1234567 <Host=target.host.local, SessionID=12345678, Listener=100.10.10.10:22, Client=0.0.0.0:8088, User=principal_user>
Sample Parsing
additional.fields["Connection ID"] = "1234567"
intermediary.ip = "100.10.10.10"
intermediary.port = 22
metadata.description = "Client closed connection: 1234567"
metadata.event_type = "NETWORK_CONNECTION"
metadata.product_event_type = "SSH"
metadata.product_name = "WS_FTP"
metadata.vendor_name = "Progress"
network.application_protocol = "SSH"
network.session_id = "12345678"
observer.hostname = "HOSTNAME"
principal.ip = "0.0.0.0"
principal.port = 8088
principal.user.userid = "principal_user"
security_result.action_details = "Client closed connection"
security_result.action = "UNKNOWN_ACTION"
target.hostname = "target.host.local"
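An added reference parser, written for this page and not part of the vendor's or the SIEM's own parser, that maps the Log Sample above into the UDM fields shown in the Sample Parsing; it is useful for checking a parser config or a detection test against known input. The syslog header regex, the split of the trailing connection id out of the description, and the keyword-based event classification are assumptions inferred from the single sample line and the Product Event Types table.

```python
import re

# Constructed input: the page's own Log Sample line, reused here as test data.
SAMPLE = ('<14>Jan 19 11:02:29 HOSTNAME SSH: Client closed connection: 1234567 '
          '<Host=target.host.local, SessionID=12345678, Listener=100.10.10.10:22, '
          'Client=0.0.0.0:8088, User=principal_user>')

# Assumed layout: <PRI>MMM DD hh:mm:ss observer PROTOCOL: description <Key=value, ...>
HEADER = re.compile(r'^<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) '
                    r'(?P<observer>\S+) (?P<proto>\w+): (?P<desc>[^<]*?)\s*<(?P<kv>.*)>$')

# Key=value names in the log body -> UDM fields, taken from the page's UDM Fields table.
ENDPOINTS = {'Listener': 'intermediary', 'Client': 'principal'}   # ip:port pairs
SCALARS = {'Host': 'target.hostname', 'SessionID': 'network.session_id',
           'User': 'principal.user.userid', 'Filename': 'target.file.full_path'}

def classify(desc):
    # Mirrors the page's Product Event Types table; anything unrecognised is GENERIC_EVENT.
    d = desc.lower()
    if 'connection' in d:
        return 'NETWORK_CONNECTION'
    if 'logged in' in d or 'logon success' in d:
        return 'USER_LOGIN'
    return 'GENERIC_EVENT'

def parse(line):
    """Return a flat dict of UDM field -> value, or None if the line does not match."""
    m = HEADER.match(line)
    if not m:
        return None
    desc = m.group('desc').strip()
    udm = {'metadata.product_name': 'WS_FTP', 'metadata.vendor_name': 'Progress',
           'observer.hostname': m.group('observer'),
           'network.application_protocol': m.group('proto'),
           'metadata.product_event_type': m.group('proto'),
           'metadata.description': desc, 'metadata.event_type': classify(desc),
           'security_result.action': 'UNKNOWN_ACTION',
           'security_result.action_details': desc}
    # "Client closed connection: 1234567": a trailing numeric id becomes the connection id.
    text, sep, conn_id = desc.rpartition(': ')
    if sep and conn_id.isdigit():
        udm['security_result.action_details'] = text
        udm['additional.fields'] = {'Connection ID': conn_id}
    for item in m.group('kv').split(', '):
        key, _, val = item.partition('=')
        if key in ENDPOINTS:
            ip, _, port = val.rpartition(':')        # tolerate a bare IP without a port
            udm[ENDPOINTS[key] + '.ip'] = ip or val
            if port.isdigit():
                udm[ENDPOINTS[key] + '.port'] = int(port)
        elif key in SCALARS:
            udm[SCALARS[key]] = val
    return udm
```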