Example of a Basic Anomaly Message

A Syslog Basic Anomaly message reports an alert for a single anomaly instance. The following example shows the message fields for a Basic Anomaly message:

02-12-2009 17:51:42 Local0.Alert 10.0.23.138 Feb 12 17:51:42 sk23-138 CEF:0|NetQoS|AnomalyDetector|2.0.12.1|23|Frags and Loss Sources|5|src=XXX.XX.X.XXX start=2/12/2009 5:36:00 PM msg=metric 2 anomaly probability 1%. A router close to the issue (for further analysis or ACL) is XX.XXX.XX.XXX and IN interface is 2130925934

Everything before CEF:0 is syslog framing (timestamps, facility and severity, sender address and hostname) and is not part of the CEF record. Within the CEF header, the sixth field (Name, the field between Signature ID and Severity) identifies the sensor type that detected the violation; in the example it is Frags and Loss Sources. The product-specific body of the CA Anomaly Detector information is carried in the msg= key of the CEF extension, after the src= and start= keys, and has the following format:

msg=metric METRICVALUE anomaly probability PROBVALUE%. ROUTERINFOVALUE (optional)

where:

METRICVALUE

The measured value, expressed in the units of measure for the sensor. In the example the value is 2. The data type is double (maximum value 1.79769313486232e308), so a parser should not assume a whole number even though the example shows one. The meaning of the value depends on the sensor type; for example, for a FanOut sensor it is the number of hosts with which the source IP communicated. For the units of measure that each sensor type uses, see Configure Sensor Thresholds and Options.

PROBVALUE%

The anomaly probability, expressed as a percentage from 1 to 100. In the example the value is 1. It is the statistical probability that the sensor has detected anomalous traffic. You can set a threshold so that Syslog messages are suppressed when the probability is below it, and the threshold can be set for each sensor independently.

ROUTERINFOVALUE

(Optional) ROUTERINFOVALUE is present only for anomalies that are based on NetFlow. The router and interface are taken from the NetFlow exporter that sent the flow data, which is why the message describes the router as close to the issue and suggests it as the place for further analysis or an ACL. The field has the following format:

A router close to the issue (for further analysis or ACL) is ROUTERIPADDRESSVALUE and IN interface is INIFINDEX

where:

ROUTERIPADDRESSVALUE

IP address of the router, as reported by NetFlow.

INIFINDEX

SNMP interface index (ifIndex) of the router interface on which the flow arrived (the NetFlow input interface), as reported by NetFlow.

Note: If you write a parser for Syslog Basic Anomaly or Anomaly Cluster messages, only the msg= value needs product-specific handling. The header and the other extension keys are in the standard CEF format, so any CEF parser can handle them; remember that CEF uses backslash escapes (\| in header fields, \= and \\ in extension values), so split on unescaped delimiters only.
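The parser described in this note, as an added example that is not code from the product documentation. It splits the CEF header honoring backslash escapes, splits the extension into keys whose values may contain spaces (msg= does), and then applies the msg= grammar given above, with the optional ROUTERINFOVALUE part handled. The first sample line is the documented example; the second sample line, the FanOut values in it, and the threshold values passed to passes_threshold are constructed for illustration and are not from the product.

```python
"""Parser for CA Anomaly Detector Syslog Basic Anomaly messages (CEF).

Added example, not product code. CEF splitting follows the CEF escaping rules;
the msg= grammar follows the format documented above. The second sample line
and the threshold values are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# A key starts at the beginning of the extension or after whitespace; "\=" inside a
# value does not start a new key because the backslash is not a key character.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")
# msg= grammar: "metric METRICVALUE anomaly probability PROBVALUE%." + optional router info.
_MSG_RE = re.compile(
    r"^metric (?P<metric>[-+]?\d+(?:\.\d+)?(?:[eE][-+]?\d+)?) "
    r"anomaly probability (?P<prob>\d{1,3})%\."
    r"(?: A router close to the issue \(for further analysis or ACL\) is "
    r"(?P<router>\S+) and IN interface is (?P<ifindex>\d+))?\s*$"
)


@dataclass
class BasicAnomaly:
    sensor: str              # CEF "Name" header field, e.g. "Frags and Loss Sources"
    signature_id: str        # CEF "Signature ID" header field
    severity: int            # CEF "Severity" header field
    src: str                 # src= extension key
    start: str               # start= extension key, kept as sent
    metric: float            # METRICVALUE: a double whose units depend on the sensor
    probability: int         # PROBVALUE: 1..100
    router_ip: Optional[str] = None   # ROUTERIPADDRESSVALUE, NetFlow-based anomalies only
    in_ifindex: Optional[int] = None  # INIFINDEX, NetFlow-based anomalies only


def split_cef_header(record: str):
    """Split 'CEF:0|...' into its 7 header fields plus the extension string.
    A backslash escapes the next character, so a backslash-pipe is a literal pipe."""
    fields, cur, i = [], [], 0
    while i < len(record) and len(fields) < 7:
        ch = record[i]
        if ch == "\\" and i + 1 < len(record):
            cur.append(record[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % record[:40])
    return fields, record[i:]


def _unescape(value: str) -> str:
    """Undo CEF extension escapes: \\= \\\\ \\n \\r."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> dict:
    """Split 'k1=v1 k2=v2 ...'; a value runs up to the next unescaped key."""
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_msg(msg: str) -> dict:
    """Parse the product-specific msg= body; ValueError if it does not match the grammar."""
    m = _MSG_RE.match(msg)
    if not m:
        raise ValueError("unrecognized msg= body: %r" % msg)
    return {
        "metric": float(m.group("metric")),
        "probability": int(m.group("prob")),
        "router_ip": m.group("router"),
        "in_ifindex": int(m.group("ifindex")) if m.group("ifindex") else None,
    }


def parse_basic_anomaly(line: str) -> BasicAnomaly:
    """Parse one syslog line; everything before 'CEF:' is syslog framing and is skipped."""
    record = line[line.index("CEF:"):]
    hdr, ext_str = split_cef_header(record)
    ext = parse_extension(ext_str)
    body = parse_msg(ext["msg"])
    return BasicAnomaly(sensor=hdr[5], signature_id=hdr[4], severity=int(hdr[6]),
                        src=ext["src"], start=ext["start"], **body)


def passes_threshold(a: BasicAnomaly, thresholds: dict, default: int = 50) -> bool:
    """Receiver-side equivalent of a per-sensor probability threshold (values are hypothetical)."""
    return a.probability >= thresholds.get(a.sensor, default)


# SAMPLE_LINES[0] is the documented example; SAMPLE_LINES[1] is constructed to show a
# message without ROUTERINFOVALUE, as for an anomaly that is not based on NetFlow.
SAMPLE_LINES = [
    "02-12-2009 17:51:42 Local0.Alert 10.0.23.138 Feb 12 17:51:42 sk23-138 CEF:0|NetQoS|AnomalyDetector"
    "|2.0.12.1|23|Frags and Loss Sources|5|src=XXX.XX.X.XXX start=2/12/2009 5:36:00 PM msg=metric 2 "
    "anomaly probability 1%. A router close to the issue (for further analysis or ACL) is "
    "XX.XXX.XX.XXX and IN interface is 2130925934",
    "Feb 12 18:02:10 sk23-138 CEF:0|NetQoS|AnomalyDetector|2.0.12.1|7|FanOut|8|src=10.0.0.5 "
    "start=2/12/2009 5:58:00 PM msg=metric 430 anomaly probability 87%.",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        a = parse_basic_anomaly(line)
        print(a, "forward" if passes_threshold(a, {"Frags and Loss Sources": 5}) else "suppressed")
```

The msg= regex is anchored at both ends on purpose: a line whose body does not match exactly raises rather than silently yielding partial fields, which is the behaviour you want when a product upgrade changes the wording. Because METRICVALUE is a double, the metric group accepts fractions and exponents even though the documented example carries a whole number.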