The keys listed in the following table are used in the bodies of CEF messages of audit event classes.
Possible values of fields for common keys of audit events
| Key | Value |
|---|---|
| externalId | Globally unique ID (GUID) of the event. |
| suser | Login of the user that initiated the event, or user name of the user that initiated the event, from an external Active Directory or LDAP. |
| KSMGUserRole | List of roles of the user that initiated the event. If there are multiple roles, they are specified as a comma-separated list. Not logged if the user has no roles. |
| KSMGAccountType | Account type of the KSMG user that initiated the event. |
| src | IPv4 address of the computer from which the event was initiated. |
| c6a2Label | The value is always Logged if the IP address of the computer from which the event was initiated is in IPv6 format. |
| c6a2 | IPv6 address of the computer from which the event was initiated. |
| dst | IPv4 address of the node that processed the event. |
| c6a3Label | The value is always Logged if the IP address of the node that processed the event is in IPv6 format. |
| c6a3 | IPv6 address of the node that processed the event. |
| dpt | Port of the node that processed the event. |
| cn1Label | The value is always |
| cn1 | Number of the part with information about the event. |
| cn2Label | The value is always |
| cn2 | Total number of parts with information about the event. |
| outcome | Event result. Possible values: |
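
The following Python example is added here and is not taken from the product documentation. It parses the body of a CEF audit message, normalizes the common keys from the table, and reports events whose parts (cn1 of cn2) have not all arrived. The header fields, GUIDs, role names and addresses in the sample lines are constructed placeholders, the Label keys are omitted, and grouping parts by a shared externalId is an assumption.

```python
import re
from collections import defaultdict

# key=value pairs; a value runs until the next " key=" or end of line, and may
# contain backslash-escaped '=' and '\' (CEF extension escaping).
_PAIR = re.compile(r'(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)')

def parse_extension(line):
    """Return the extension (body) of one CEF line as a dict."""
    ext = re.split(r'(?<!\\)\|', line, maxsplit=7)[-1]
    return {k: re.sub(r'\\(.)', r'\1', v) for k, v in _PAIR.findall(ext)}

def normalize(fields):
    """Reduce the common audit keys to one record per message."""
    return {
        "event_id": fields.get("externalId"),
        "user": fields.get("suser"),
        # KSMGUserRole is comma-separated and absent when the user has no roles.
        "roles": [r.strip() for r in fields.get("KSMGUserRole", "").split(",") if r.strip()],
        # src/dst hold IPv4; IPv6 addresses are carried in c6a2/c6a3 instead.
        "source": fields.get("src") or fields.get("c6a2"),
        "node": fields.get("dst") or fields.get("c6a3"),
        "part": int(fields.get("cn1", 1)),
        "parts": int(fields.get("cn2", 1)),
    }

def incomplete_events(lines):
    """Map externalId -> missing part numbers (assumes parts share externalId)."""
    seen, total = defaultdict(set), {}
    for line in lines:
        rec = normalize(parse_extension(line))
        seen[rec["event_id"]].add(rec["part"])
        total[rec["event_id"]] = rec["parts"]
    return {eid: sorted(set(range(1, n + 1)) - seen[eid])
            for eid, n in total.items() if seen[eid] != set(range(1, n + 1))}

# Constructed sample lines: header fields, GUIDs, roles and addresses are placeholders.
SAMPLE = [
    "CEF:0|ExampleVendor|ExampleProduct|0.0|0|constructed|1|externalId=11111111-aaaa suser=admin KSMGUserRole=Administrator,Auditor src=192.0.2.10 dst=192.0.2.1 dpt=443 cn1=1 cn2=2",
    "CEF:0|ExampleVendor|ExampleProduct|0.0|0|constructed|1|externalId=22222222-bbbb suser=EXAMPLE\\\\jdoe c6a2=2001:db8::5 dst=192.0.2.1 dpt=443 cn1=1 cn2=1",
]
```

Alerting on a non-empty result from `incomplete_events` after a collection window helps catch audit records that were truncated or dropped in transit before they reach the SIEM.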