Reference: CEF message format - Adaptive Applications - BlueCat Gateway - 23.2.3

BlueCat Distributed DDNS Administration Guide

When remote logging is configured, log messages are sent in CEF format. The following shows the format of a CEF message:
Jan 18 11:07:54 host CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]
Where each field represents the following:
  • Version—an integer value that identifies the version of the CEF format. The current CEF version is 0.
  • Device Vendor—a string that uniquely identifies the type of device sending the log message. The value is BCN.
  • Device Product—a string that uniquely identifies the type of device sending the log message. The value is D-DDNS.
  • Device Version—a string that uniquely identifies the type of device sending the log message. The value is 23.2.3.
  • Device Event Class ID—a string or integer that uniquely identifies the event-type. In Distributed DDNS, this value represents the type of container that sends the message. The value can be one of the following: DDNS_APP, DDNS_SERVICE, or DDNS_DATABASE.
  • Name—a string representing the description of the event. In Distributed DDNS, the name is provided with an event type of a program running on a specific container.
    If the Device Event Class ID is DDNS_APP, the value of Name is one of the following:
    • [app]: Application feature events.
    • [session]: Events that occur when there are requests to the application or Address Manager.
    • [auth]: Authorization events.
    • SCHEDULE_TASK: Events where the running scheduler is assigned tasks.
    • DO_REQUEST_TO_SC: Events that occur when there are requests to the services control.
    • DDNS_APP: Events related to the Distributed DDNS UI.
    If the Device Event Class ID is DDNS_SERVICE, the value of Name is one of the following:
    • DDNS_RECEIVER: Events related to the DDNS receiver service. It listens for and processes the DNS update messages from the clients.
    • DDNS_PROCESSOR: Events related to the DDNS processor service. It receives the DNS update messages from the queue and sends them to the DNS service, and writes the information to the database.
    • QUEUE_SERVICE: Events related to the internal queue service used by the DDNS receiver and DDNS processor.
    • ZEBRA: Events related to the Anycast service.
    • BGP: Events related to Anycast BGP service.
    • OSPF: Events related to Anycast OSPF service.
    • OSPF6: Events related to Anycast OSPFv3 service.
    • SERVICE_CONTROL: Events related to the web server that receives particular requests to perform set actions.
    • SYNC_DDNS_CONFIG: Events related to an internal program that synchronizes the DDNS configuration in the Memcached server with the DDNS configuration in the database.
    • MEMCACHED: Events related to the Memcached server. It is an internal program that stores cached data.
    If the Device Event Class ID is DDNS_DATABASE, the value of Name is one of the following:
    • SYNC_DATA: Events related to the service that synchronizes Address Manager data to the database.
    • DISK_MONITOR: Events related to the service that monitors disk space on the data node.
    • AUTO_BACKUP: Events related to the service that performs database backups.
    • AUTO_SCAVENGE: Events related to the service that scavenges stale records from the database and DNS server.
    • DATABASE_APP: Events related to the web server that receives particular requests to perform set actions.
    • MARIADB: Events related to the database service.
  • Severity—a string or integer that reflects the importance of the event. The value can be one of the following: Low, Medium, High, and Very-High.
  • [Extension]—a field that contains a collection of key-value pairs. An event can contain multiple key-value pairs separated by spaces. The key name is as follows:
    • msg: An arbitrary message providing additional details about the event.
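
The field rules above, written as a parser and validator that a log collector could apply to incoming lines before indexing them. This is an added example, not BlueCat code: the sample line is constructed, and it assumes the Name field carries exactly one of the listed values and that pipes, backslashes and equals signs are escaped with a backslash as in standard CEF.

```python
import re

# Allowed Name values per Device Event Class ID, copied from the lists on this page.
NAMES = {
    "DDNS_APP": {"[app]", "[session]", "[auth]", "SCHEDULE_TASK",
                 "DO_REQUEST_TO_SC", "DDNS_APP"},
    "DDNS_SERVICE": {"DDNS_RECEIVER", "DDNS_PROCESSOR", "QUEUE_SERVICE", "ZEBRA",
                     "BGP", "OSPF", "OSPF6", "SERVICE_CONTROL",
                     "SYNC_DDNS_CONFIG", "MEMCACHED"},
    "DDNS_DATABASE": {"SYNC_DATA", "DISK_MONITOR", "AUTO_BACKUP", "AUTO_SCAVENGE",
                      "DATABASE_APP", "MARIADB"},
}
SEVERITIES = {"Low", "Medium", "High", "Very-High"}
HEADER = ("version", "vendor", "product", "device_version", "class_id", "name", "severity")

# Constructed sample line for illustration (not captured product output).
SAMPLE = "Jan 18 11:07:54 host CEF:0|BCN|D-DDNS|23.2.3|DDNS_SERVICE|DDNS_RECEIVER|Medium|msg=update received"

def split_header(cef):
    """Split the seven header fields on unescaped pipes; return (fields, extension)."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < len(HEADER):
        if cef[i] == "\\" and cef[i + 1:i + 2] in ("|", "\\"):
            i += 1                      # escaped | or \: keep the next character literally
            cur.append(cef[i])
        elif cef[i] == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(cef[i])
        i += 1
    return fields, cef[i:]

def parse_ddns_cef(line):
    """Return (event, problems) for one syslog line carrying a D-DDNS CEF message."""
    prefix, marker, cef = line.partition("CEF:")
    fields, ext = split_header(cef)
    if not marker or len(fields) != len(HEADER):
        raise ValueError("not a complete CEF header")
    event = dict(zip(HEADER, fields), syslog_prefix=prefix.strip())
    # Extension: space-separated key=value pairs; a value runs until the next " key=".
    pairs = re.findall(r"(\w+)=(.*?)(?=\s\w+=|\s*$)", ext)
    event["extension"] = {k: v.replace("\\=", "=") for k, v in pairs}
    checks = [
        ((event["vendor"], event["product"]) == ("BCN", "D-DDNS"), "unexpected vendor/product"),
        (event["name"] in NAMES.get(event["class_id"], ()), "name not valid for class id"),
        (event["severity"] in SEVERITIES, "unknown severity"),
    ]
    return event, [reason for ok, reason in checks if not ok]
```

A non-empty problems list marks a line whose header does not match the values documented here, which is worth routing to a review queue rather than silently dropping.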