WTI Console Server

About
WTI is an industry leader in out-of-band network management, dedicated to developing solutions that solve problems on the world's most advanced networks.
Product Details
Vendor URL: WTI Console Server
Product Type: Remote Management
Product Tier: Tier III
Integration Method: Syslog
Integration URL: WTI Console Server
Parser Details
Log Format: Syslog
Expected Normalization Rate: near 100%
Data Label: WTI_CONSOLE_SERVERS
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| "GENERIC_EVENT" | metadata.event_type |
| "WTI" | metadata.vendor_name |
| "CONSOLE SERVER" | metadata.product_name |
| action | metadata.product_event_type |
| srcIp | principal.ip |
| srcPort | principal.port |
| username | principal.user.userid |
| dvc | intermediary.hostname |
| asset:serialNum | intermediary.asset_id |
| process.pid | intermediary.pid |
| proto | network.application_protocol |
| "BLOCK" | security_result.action |
| "AUTH_VIOLATION" | security_result.category |
| description | security_result.description |
| action | security_result.summary |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| all event types | GENERIC_EVENT |
Log Sample

```text
278 <38>1 2022-02-21T23:53:07+00:00 SERVERNAME sshd 31000 - [meta sequenceId="137051" vendorId="COMPANY" enterpriseId="1111.1.1.0" assetTag="" serialNum="012345678901371"] DSM:SERVERNAME / COMPANY, (AUTHPRIV LOG) USER/SOURCE: sshd - Failed password for root from 10.1.2.3 port 51145 ssh2
```
Sample Parsing

```text
event_timestamp
metadata.event_type = GENERIC_EVENT
metadata.vendor_name = "WTI"
metadata.product_name = "CONSOLE SERVER"
metadata.product_event_type = "Failed password"
principal.user.userid = "root"
principal.ip = "10.1.2.3"
principal.port = 51145
intermediary.hostname = "SERVERNAME"
intermediary.asset_id = "asset:012345678901371"
intermediary.process.pid = "31000"
security_result.category = AUTH_VIOLATION
security_result.summary = "Failed password"
security_result.description = "Failed password for invalid user dada from 10.1.2.3 port 51145 ssh2"
security_result.action = BLOCK
network.application_protocol = SSH
```
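To make the field mapping above concrete, here is an added Python sketch (not the vendor's or the platform's parser) that splits the page's sample line into its RFC 5424 header, `[meta ...]` structured data and WTI message body, then emits the documented UDM paths. The regexes and the header-only fallback for messages without a `USER/SOURCE:` section are assumptions; the `invalid user` variant is handled because the sample parsing shows it.

```python
import re

# Log line copied from the page's "Log Sample" section.
SAMPLE = ('278 <38>1 2022-02-21T23:53:07+00:00 SERVERNAME sshd 31000 - '
          '[meta sequenceId="137051" vendorId="COMPANY" enterpriseId="1111.1.1.0" '
          'assetTag="" serialNum="012345678901371"] DSM:SERVERNAME / COMPANY, '
          '(AUTHPRIV LOG) USER/SOURCE: sshd - Failed password for root from '
          '10.1.2.3 port 51145 ssh2')

# RFC 5424 header with an optional leading octet count, one [meta ...] SD element, then the message.
HEADER = re.compile(
    r'^(?:\d+\s+)?<(?P<pri>\d+)>1\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<app>\S+)\s+'
    r'(?P<pid>\S+)\s+(?P<msgid>\S+)\s+\[(?P<sd>[^\]]*)\]\s+(?P<msg>.*)$')
SD_PARAM = re.compile(r'(\w+)="([^"]*)"')
# WTI message body: "... USER/SOURCE: <process> - <free text from that process>" (assumed layout)
BODY = re.compile(r'USER/SOURCE:\s*(?P<src>\S+)\s+-\s+(?P<desc>.+)$')
# sshd authentication failure; the optional "invalid user" form appears in the page's sample parsing.
AUTH_FAIL = re.compile(
    r'^(?P<action>Failed password) for (?:invalid user )?(?P<user>\S+) from '
    r'(?P<ip>[\d.]+) port (?P<port>\d+) (?P<proto>\S+)$')


def parse_wti(line):
    """Map one WTI syslog line to a flat dict of UDM field paths; None if the header does not match."""
    h = HEADER.match(line.strip())
    if not h:
        return None
    sd = dict(SD_PARAM.findall(h['sd']))
    udm = {
        'event_timestamp': h['ts'],
        'metadata.event_type': 'GENERIC_EVENT',
        'metadata.vendor_name': 'WTI',
        'metadata.product_name': 'CONSOLE SERVER',
        'intermediary.hostname': h['host'],
        'intermediary.process.pid': h['pid'],
    }
    if sd.get('serialNum'):
        udm['intermediary.asset_id'] = 'asset:' + sd['serialNum']
    body = BODY.search(h['msg'])
    if not body:
        return udm  # header-only mapping for messages without a USER/SOURCE section
    auth = AUTH_FAIL.match(body['desc'])
    if auth:
        udm['metadata.product_event_type'] = auth['action']
        udm['principal.user.userid'] = auth['user']
        udm['principal.ip'] = auth['ip']
        udm['principal.port'] = int(auth['port'])
        # "ssh2" in the message is normalised to the UDM protocol enum value SSH
        udm['network.application_protocol'] = 'SSH' if auth['proto'].startswith('ssh') else auth['proto'].upper()
        udm['security_result.category'] = 'AUTH_VIOLATION'
        udm['security_result.action'] = 'BLOCK'
        udm['security_result.summary'] = auth['action']
        udm['security_result.description'] = body['desc']
    return udm
```

Any line whose header does not match returns None, which is the case a practitioner would count against the "near 100%" normalization rate when testing a new firmware's log format.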
Parser Alerting

This product currently does not have any parser-based alerting.