
Events

The Events page is for reviewing raw event data before it is fused into flows. Its Time Range controls are similar to those of the Flow page, except that there is no "search within a minute" option.

Page Layout

Base Event Record

When data enters the Fluency system, it is assigned metadata that records where and when the message came into the system. This metadata provides a further layer of timing data that helps address PCI DSS (10.4 and 10.3.3) and NIST 800-53 (AU-8).

{
    "@message": "This is the raw message received by the system",
    "@facility": "local0",
    "@level": "alert",
    "@tags": [
        "fl_suricata"
    ],
    "@source": "fl_source",
    "@sender": "127.0.0.1",
    "@fields": {
        ... the parsed data of the record, stored as an object of key-values; this object can be nested ...
    },
    "@timestamp": 1540383607496
}

Messages are sorted by the incoming timestamp. This means that messages from polled sources, such as cloud logs, are often clustered together.

Field         Description

@message      A complete record of the incoming message before parsing.
@facility     A defined group/facility area.
@level        The message's priority level.
@tags         An array of the tags that had a matching attribute.
@source       The module that produced this message.
@sender       The capture system that is the source of the message.
@fields       The resulting parsed data.
@timestamp    The millisecond epoch time at which the message arrived. This provides a central timestamp for verifying all incoming messages.

Parsing Process

Messages that come into the system are stored in the @message field. Comparing the @message field to the @fields object allows parsing to be verified.

After adding or updating a source, the log should be reviewed to ensure that the incoming message is being properly parsed. This is done by filtering the Event Table to the changed source and then comparing the @message to the @fields attributes.
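The checks described in the Base Event Record section (required metadata fields, millisecond epoch timestamp) and in the parsing review above (every parsed @fields value should be traceable back to @message) can be scripted for records exported from the Event Table. The following is an added example, not Fluency's own code: the sample event, its message text and its field values are constructed for illustration, and the script assumes only the record layout shown on this page.

```python
import json
from datetime import datetime, timezone

# Constructed sample event in the base record layout described on this page.
# The syslog-style message, tag and field values are made up for illustration.
SAMPLE_EVENT = {
    "@message": ("Oct 24 12:20:07 sensor1 suricata[1234]: src_ip=10.0.0.5 "
                 "dst_ip=10.0.0.9 dst_port=443 action=allowed"),
    "@facility": "local0",
    "@level": "alert",
    "@tags": ["fl_suricata"],
    "@source": "fl_source",
    "@sender": "127.0.0.1",
    "@fields": {
        "src_ip": "10.0.0.5",
        "dst_ip": "10.0.0.9",
        "dst_port": 443,
        "action": "allowed",
        "host": {"sensor": "sensor1"},   # nested object, as the page allows
    },
    "@timestamp": 1540383607496,
}

# Metadata every base event record carries; @fields is optional for JSON sources.
REQUIRED = ("@message", "@facility", "@level", "@tags",
            "@source", "@sender", "@timestamp")


def flatten(obj, prefix=""):
    """Yield (dotted_key, scalar_value) pairs from a possibly nested @fields object."""
    for key, value in obj.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            yield from flatten(value, path + ".")
        else:
            yield path, value


def check_record(event):
    """Return a list of structural problems in a base event record (empty = OK)."""
    problems = [f"missing {name}" for name in REQUIRED if name not in event]
    if not isinstance(event.get("@tags"), list):
        problems.append("@tags is not an array")
    ts = event.get("@timestamp")
    # A seconds-resolution epoch would be about 1000x smaller than a millisecond one.
    if not isinstance(ts, int) or ts < 10**12:
        problems.append("@timestamp is not a millisecond epoch value")
    return problems


def timestamp_to_iso(event):
    """Render the millisecond epoch @timestamp as an ISO-8601 UTC string."""
    ts = event["@timestamp"]
    base = datetime.fromtimestamp(ts // 1000, tz=timezone.utc)
    return base.replace(microsecond=(ts % 1000) * 1000).isoformat()


def unparsed_fields(event):
    """Parsing verification: return the flattened @fields keys whose value does not
    appear anywhere in @message. JSON sources (no @fields) trivially verify."""
    fields = event.get("@fields")
    if fields is None:
        return []
    message = event["@message"]
    return [key for key, value in flatten(fields) if str(value) not in message]


if __name__ == "__main__":
    # Usage: pipe one exported event per line (JSON) into this script.
    import sys
    for line in sys.stdin:
        event = json.loads(line)
        print(timestamp_to_iso(event), check_record(event), unparsed_fields(event))
```

The substring check in unparsed_fields is deliberately loose: it flags values that cannot have come from the message at all (a sign of a wrong or stale parser rule) without requiring knowledge of each source's grammar. Treat a non-empty result as a prompt to inspect that source in the Event Table, not as proof of a parsing fault.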

JSON Sources

Some sources do not contain @fields attributes. These are sources that already produce formatted JavaScript Object Notation (JSON) messages. In this special case, the system can leverage the already-parsed data and add it to the associated flow.

Special Views

Just like the Flow page, certain events receive a different, more readable format, most notably the Office 365 formatting. This is done to allow the events database to be used for analysis that does not involve a known flow or asset.