Release 2008.2
Understanding Extension Document Elements
5
Table 4 provides a list of valid field names for use in the matcher field parameter (see Table 3).
Table 4  Matcher Field Names

Field Name               Description
EventName (Required)     Specify the event name to be retrieved from the QID to identify the event.
EventCategory            Specify an event category for any event with a category not handled by an event-match-single entity or an event-match-multiple entity. Combined with EventName, EventCategory is used to search for the event in the QID.
SourceIp                 Specify the source IP address for the message.
SourcePort               Specify the source port for the message.
SourceIpPreNAT           Specify the source IP address for the message before Network Address Translation (NAT) occurs.
SourceIpPostNAT          Specify the source IP address for the message after NAT occurs.
SourceMAC                Specify the source MAC address for the message.
SourcePortPreNAT         Specify the source port for the message before NAT occurs.
SourcePortPostNAT        Specify the source port for the message after NAT occurs.
DestinationIp            Specify the destination IP address for the message.
DestinationPort          Specify the destination port for the message.
DestinationIpPreNAT      Specify the destination IP address for the message before NAT occurs.
DestinationIpPostNAT     Specify the destination IP address for the message after NAT occurs.
DestinationPortPreNAT    Specify the destination port for the message before NAT occurs.
DestinationPortPostNAT   Specify the destination port for the message after NAT occurs.
DestinationMAC           Specify the destination MAC address for the message.
DeviceTime               Specify the time that the event was sent, according to the device (this is NOT the time that the event arrived). STRM detects timestamps in the following formats:
                         • Valid syslog timestamp in the form of mm dd hh:mm:ss, for example: Jan 13 12:33:10
                         • Current locale timestamp
                         Any other formats will not properly convert.
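The following is an added example, not code from the STRM product or this guide. It models what Table 4 implies about matcher behaviour: each matcher names one of the listed fields, captures it from a raw line with a regular expression, EventName is mandatory, and DeviceTime only converts when it is in the syslog form (the "current locale" form is not modelled). The log line, the regular expressions and the field-to-pattern mapping are constructed for a hypothetical firewall format and are assumptions, not a real vendor's syntax.

```python
import re
from datetime import datetime

# Field names accepted by the matcher "field" parameter, as listed in Table 4.
MATCHER_FIELDS = frozenset({
    "EventName", "EventCategory",
    "SourceIp", "SourcePort", "SourceIpPreNAT", "SourceIpPostNAT",
    "SourceMAC", "SourcePortPreNAT", "SourcePortPostNAT",
    "DestinationIp", "DestinationPort", "DestinationIpPreNAT",
    "DestinationIpPostNAT", "DestinationPortPreNAT", "DestinationPortPostNAT",
    "DestinationMAC", "DeviceTime",
})

# Constructed sample event from a hypothetical firewall (not a real vendor format).
SAMPLE_LOG = (
    "Jan 13 12:33:10 fw01 FWLOG: action=ACCEPT cat=firewall "
    "src=10.1.2.3 spt=51234 natsrc=198.51.100.7 natspt=40001 "
    "dst=203.0.113.9 dpt=443 smac=00:11:22:33:44:55"
)

# Hypothetical matchers for that format: (field name, regex, capture group).
MATCHERS = [
    ("DeviceTime",        r"^(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ", 1),
    ("EventName",         r"action=(\w+)", 1),
    ("EventCategory",     r"cat=(\w+)", 1),
    ("SourceIpPreNAT",    r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})", 1),
    ("SourcePortPreNAT",  r"\bspt=(\d+)", 1),
    ("SourceIpPostNAT",   r"natsrc=(\d{1,3}(?:\.\d{1,3}){3})", 1),
    ("SourcePortPostNAT", r"natspt=(\d+)", 1),
    ("DestinationIp",     r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})", 1),
    ("DestinationPort",   r"\bdpt=(\d+)", 1),
    ("SourceMAC",         r"smac=([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})", 1),
]


def parse_device_time(text, year=None):
    """Convert a DeviceTime capture in the syslog form 'Mon dd hh:mm:ss'.

    Syslog timestamps carry no year, so the caller's year (default: now) is
    assumed. Any other format is rejected (returns None), mirroring Table 4's
    note that other formats will not convert.
    """
    year = year if year is not None else datetime.now().year
    try:
        return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None


def apply_matchers(log_line, matchers, year=None):
    """Run each matcher over one log line and return {field: value}.

    Unknown field names are rejected, and EventName is enforced as required,
    because without it the event cannot be identified in the QID.
    """
    event = {}
    for field, pattern, group in matchers:
        if field not in MATCHER_FIELDS:
            raise ValueError(f"unknown matcher field: {field}")
        m = re.search(pattern, log_line)
        if not m:
            continue  # a matcher that does not hit simply leaves its field unset
        value = m.group(group)
        if field == "DeviceTime":
            value = parse_device_time(value, year)  # None if the format is unsupported
        event[field] = value
    if "EventName" not in event:
        raise ValueError("EventName is required but no matcher captured it")
    return event


if __name__ == "__main__":
    for field, value in apply_matchers(SAMPLE_LOG, MATCHERS, year=2008).items():
        print(f"{field:<22} {value}")
```

Running the block prints the captured fields for the constructed line. The word-boundary anchors on `src=`, `spt=`, `dst=` and `dpt=` keep the pre-NAT matchers from capturing the `natsrc=`/`natspt=` values, which is the kind of overlap that leaves SourceIp and SourceIpPostNAT identical if a pattern is written carelessly.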