WTI Console Server
About
WTI is an industry leader in out-of-band network management, dedicated to developing solutions that solve problems on the world's most advanced networks.
Product Details
Vendor URL: WTI Console Server
Product Type: Remote Management
Product Tier: Tier III
Integration Method: Syslog
Integration URL: WTI Console Server
Parser Details
Log Format: Syslog
Expected Normalization Rate: near 100%
Data Label: WTI_CONSOLE_SERVERS
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| "GENERIC_EVENT" | metadata.event_type |
| "WTI" | metadata.vendor_name |
| "CONSOLE SERVER" | metadata.product_name |
| action | metadata.product_event_type |
| srcIp | principal.ip |
| srcPort | principal.port |
| username | principal.user.userid |
| dvc | intermediary.hostname |
| asset:serialNum | intermediary.asset_id |
| process.pid | intermediary.pid |
| proto | network.application_protocol |
| "BLOCK" | security_result.action |
| "AUTH_VIOLATION" | security_result.category |
| description | security_result.description |
| action | security_result.summary |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| all event types | GENERIC_EVENT |
Log Sample
278 <38>1 2022-02-21T23:53:07+00:00 SERVERNAME sshd 31000 - [meta sequenceId="137051" vendorId="COMPANY" enterpriseId="1111.1.1.0" assetTag="" serialNum="012345678901371"] DSM:SERVERNAME / COMPANY, (AUTHPRIV LOG) USER/SOURCE: sshd - Failed password for root from 10.1.2.3 port 51145 ssh2
Sample Parsing
event_timestamp
metadata.event_type= GENERIC_EVENT
metadata.vendor_name= "WTI"
metadata.product_name= "CONSOLE SERVER"
metadata.product_event_type= "Failed password"
principal.user.userid= "root"
principal.ip= "10.1.2.3"
principal.port= 51145
intermediary.hostname= "SERVERNAME"
intermediary.asset_id= "asset:012345678901371"
intermediary.process.pid= "31000"
security_result.category= AUTH_VIOLATION
security_result.summary= "Failed password"
security_result.description= "Failed password for invalid user dada from 10.1.2.3 port 51145 ssh2"
security_result.action= BLOCK
network.application_protocol= SSH
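As an added example (not part of this page and not the vendor's or Chronicle's own parser code), the following Python maps the sample line above to the UDM fields listed in the table. The regular expressions, the `parse_wti_syslog` function name and the handling of the optional "invalid user" wording are my own assumptions about how such a parser would work; the `security_result.description` is taken straight from the sample line.

```python
import re

# Constructed copy of the page's sample line; the leading "278" is the syslog
# octet-count framing, not part of the RFC 5424 message itself.
SAMPLE = ('278 <38>1 2022-02-21T23:53:07+00:00 SERVERNAME sshd 31000 - '
          '[meta sequenceId="137051" vendorId="COMPANY" enterpriseId="1111.1.1.0" '
          'assetTag="" serialNum="012345678901371"] DSM:SERVERNAME / COMPANY, '
          '(AUTHPRIV LOG) USER/SOURCE: sshd - Failed password for root from 10.1.2.3 port 51145 ssh2')

# RFC 5424 header: optional octet count, PRI, version 1, timestamp, hostname,
# app-name, procid, msgid, then structured data ("-" or [...]) and the free-text MSG.
HEADER = re.compile(
    r'^(?:\d+ )?<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) \S+ '
    r'(?P<sd>-|\[.*?\]) (?P<msg>.*)$')
SD_PARAM = re.compile(r'(\w+)="([^"]*)"')          # name="value" pairs inside the SD element
# The sshd failure text the parser keys on; OpenSSH adds "invalid user " for unknown accounts.
FAILED = re.compile(r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) '
                    r'port (?P<port>\d+) (?P<proto>\w+)')


def parse_wti_syslog(line: str) -> dict:
    """Map one WTI console-server syslog line to the UDM fields this page lists (assumed logic)."""
    m = HEADER.match(line)
    if not m:
        raise ValueError('not an RFC 5424 syslog line')
    sd = dict(SD_PARAM.findall(m['sd'])) if m['sd'] != '-' else {}
    udm = {
        'metadata.event_type': 'GENERIC_EVENT',
        'metadata.vendor_name': 'WTI',
        'metadata.product_name': 'CONSOLE SERVER',
        'intermediary.hostname': m['host'],
        'intermediary.process.pid': m['pid'],
    }
    if sd.get('serialNum'):                         # asset:serialNum -> intermediary.asset_id
        udm['intermediary.asset_id'] = 'asset:' + sd['serialNum']
    f = FAILED.search(m['msg'])
    if f:                                           # authentication failure -> AUTH_VIOLATION / BLOCK
        udm.update({
            'metadata.product_event_type': 'Failed password',
            'security_result.summary': 'Failed password',
            'security_result.description': f.group(0),
            'security_result.category': 'AUTH_VIOLATION',
            'security_result.action': 'BLOCK',
            'principal.user.userid': f['user'],
            'principal.ip': f['ip'],
            'principal.port': int(f['port']),
            # "ssh2" is the protocol version token; strip the digits to get SSH
            'network.application_protocol': f['proto'].rstrip('0123456789').upper(),
        })
    return udm
```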
Parser Alerting
This product currently does not have any Parser-based Alerting.