WS_FTP¶
About¶
WS_FTP secure file transfer products use industry-leading security at every level of data management, protecting data before, during, after transit, and verifying that files reach intended destinations uncompromised.
Product Details¶
Vendor URL: WS_FTP
Product Type: FTP Server
Product Tier: Tier III
Integration Method: Syslog
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: ~100%
Data Label: WS_FTP
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| c_Id | security_result.detection_fields |
| c_Window | security_result.detection_fields |
| Client | principal.ip |
| Client | principal.port |
| Command | network.ftp.command |
| connection_id | additional.fields |
| description | security_result.action_details |
| Filename | target.file.full_path |
| FileSize | target.file.size |
| Host | target.hostname |
| Listener | intermediary.ip |
| Listener | intermediary.port |
| observer | observer.hostname |
| Parameters | target.file.names |
| protocol | network.application_protocol |
| s_Id | security_result.detection_fields |
| s_Window | security_result.detection_fields |
| SessionID | network.session_id |
| User | principal.user.userid |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| Connection events | NETWORK_CONNECTION |
| Generic | GENERIC_EVENT |
| User logged in/logon success | USER_LOGIN |
Log Sample¶
<14>Jan 19 11:02:29 HOSTNAME SSH: Client closed connection: 1234567 <Host=target.host.local, SessionID=12345678, Listener=100.10.10.10:22, Client=0.0.0.0:8088, User=principal_user>
Sample Parsing¶
additional.fields["Connection ID"] = "1234567"
intermediary.ip = "100.10.10.10"
intermediary.port = 22
metadata.description = "Client closed connection: 1234567"
metadata.event_type = "NETWORK_CONNECTION"
metadata.product_event_type = "SSH"
metadata.product_name = "WS_FTP"
metadata.vendor_name = "Progress"
network.application_protocol = "SSH"
network.session_id = "12345678"
observer.hostname = "HOSTNAME"
principal.ip = "0.0.0.0"
principal.port = 8088
principal.user.userid = "principal_user"
security_result.action_details = "Client closed connection"
security_result.action = "UNKNOWN_ACTION"
target.hostname = "target.host.local"