ArcSight Built-in Tokens

This table lists the ArcSight built-in tokens that a parser can reference.


Note: Events must follow the RFC 5424 standard.

Token String

Description

Tokens Available for Database Parsers Only

_DB_DRIVER

JDBC Driver Name.

_DB_URL

Database URL.

_DB_HOST

Host name or IP Address of the machine hosting the database.

_DB_PORT

Port on which the database listens for SQL queries.

_DB_NAME

Database name.

Tokens Available for Syslog Parsers Only

_SYSLOG_TIMESTAMP

Time stamp received in the header of the syslog message.

_SYSLOG_SENDER

Host name or IP address of the sender, as received in the header of the syslog message. In the unusual case where the header does not contain a host name or IP address, this is the address from which the connector received the packet. Because the header value is written by the sending system, it reflects what the sender claims to be; compare it with _SYSLOG_SOURCE_ADDR when the event is used for attribution.

_SYSLOG_SOURCE_ADDR

The actual IP address that the connector received the syslog message from. The token value can be assigned to the event field of your choice. (For example, event.deviceCustomString6=_SYSLOG_SOURCE_ADDR). The value of this token can be an IPv4 or an IPv6 address.

_SYSLOG_FACILITY

Facility received in the header of the syslog message (applies only to Syslog Daemon connector).

_SYSLOG_PRIORITY

Priority received in the header of the syslog message (applies only to Syslog Daemon connector).

Tokens Available for Syslog NG Daemon Only

_SYSLOG_APP_NAME

Identifies the device or application that originated the message.

_SYSLOG_PROCID

Often used to provide the process name or process ID associated with a syslog system.

_SYSLOG_MSGID

Identifies the type of message.

_SYSLOG_STRUCTURED_DATA

The STRUCTURED-DATA part of the message. It provides a mechanism to express information in a well-defined, easily parseable and interpretable data format, and it can contain zero, one, or multiple structured data elements (zero elements is represented by the NILVALUE "-").

To obtain the value of a built-in token, map it to an ESM field in the parser's content. Ensure that the message field is parsed by the corresponding parser; otherwise the token values are not populated.

For example:

<151>1 2017-01-24T08:57:21+01:00 NBG-ECIT225 AlarmLog 16 aleAlarm [tsvSDID@15251 SENDHOST="nbg-ecit225" SENDHOST-IP="10.182.210.172" TSV="NBG-ELT214null"] bs_SGC_10 Diameter supervisor processing cleared No connectivity to accounting server with realm: tcdf2.t-online.de. This alarm will be cleared when the connectivity to the accounting server is established SGC 17-19 4294967295

If the MSG part of that line, "bs_SGC_10 Diameter supervisor processing cleared No connectivity to accounting server with realm: tcdf2.t-online.de. This alarm will be cleared when the connectivity to the accounting server is established SGC 17-19 4294967295", is parsed by the corresponding parser, the four built-in tokens receive the following values:

_SYSLOG_APP_NAME: AlarmLog

_SYSLOG_PROCID: 16

_SYSLOG_MSGID: aleAlarm

_SYSLOG_STRUCTURED_DATA: [tsvSDID@15251 SENDHOST="nbg-ecit225" SENDHOST-IP="10.182.210.172" TSV="NBG-ELT214null"]
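The header decoding behind the example above, as an added illustration that is not part of the original page and not ArcSight's own parser code: a small Python RFC 5424 parser that fills the syslog built-in token names from the sample message and separates the MSG part that the parser's own regex would then be applied to. The function names, the second (constructed) sample line, and the choice to expose _SYSLOG_FACILITY and _SYSLOG_PRIORITY as the numeric facility and severity decoded from PRI are assumptions of this example, not documented ArcSight behaviour.

```python
import re

# RFC 5424 HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID,
# followed by SP STRUCTURED-DATA and optionally SP MSG. The NILVALUE is "-".
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<app_name>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,
)
# One SD-ELEMENT: [SD-ID PARAM-NAME="PARAM-VALUE" ...]. Inside PARAM-VALUE the
# characters " \ and ] must be backslash-escaped (RFC 5424 section 6.3.3).
_SD_ELEMENT = re.compile(r'\[(?P<sdid>[^ =\]"]+)(?P<params>(?: [^ =\]"]+="(?:[^"\\]|\\.)*")*)\]')
_SD_PARAM = re.compile(r' (?P<name>[^ =\]"]+)="(?P<value>(?:[^"\\]|\\.)*)"')


def _nil(field):
    """Map the RFC 5424 NILVALUE "-" to None."""
    return None if field == "-" else field


def split_structured_data(rest):
    """Split the text after MSGID into (STRUCTURED-DATA, MSG).

    Each SD-ELEMENT is validated against _SD_ELEMENT, so a stray "[" or an
    unbalanced quote inside a value is rejected instead of being swallowed
    into the MSG part.
    """
    if rest == "-" or rest.startswith("- "):
        return "-", rest[2:]
    pos = 0
    while pos < len(rest) and rest[pos] == "[":
        match = _SD_ELEMENT.match(rest, pos)
        if match is None:
            raise ValueError("malformed STRUCTURED-DATA at offset %d" % pos)
        pos = match.end()
    if pos == 0:
        raise ValueError("STRUCTURED-DATA must be '-' or start with '['")
    msg = rest[pos:]
    if msg and not msg.startswith(" "):
        raise ValueError("expected SP between STRUCTURED-DATA and MSG")
    return rest[:pos], msg[1:]


def parse_structured_data(sd):
    """Decode STRUCTURED-DATA into {SD-ID: {PARAM-NAME: PARAM-VALUE}}, removing escapes."""
    elements = {}
    for element in _SD_ELEMENT.finditer(sd):
        params = {}
        for param in _SD_PARAM.finditer(element.group("params")):
            params[param.group("name")] = re.sub(r"\\(.)", r"\1", param.group("value"))
        elements[element.group("sdid")] = params
    return elements


def syslog_tokens(raw, source_addr):
    """Return the built-in token values for one RFC 5424 message.

    source_addr is the peer address the message was read from; it is the only
    value here that the sending system did not write itself.
    """
    match = _HEADER.match(raw)
    if match is None:
        raise ValueError("not an RFC 5424 header")
    pri = int(match.group("pri"))
    if pri > 191 or match.group("version") != "1":
        raise ValueError("PRI out of range or unsupported VERSION")
    structured_data, message = split_structured_data(match.group("rest"))
    hostname = _nil(match.group("hostname"))
    return {
        "_SYSLOG_TIMESTAMP": _nil(match.group("timestamp")),
        # Header HOSTNAME as the page describes; fall back to the peer address when absent.
        "_SYSLOG_SENDER": hostname if hostname is not None else source_addr,
        "_SYSLOG_SOURCE_ADDR": source_addr,
        # Assumption of this example: facility and severity decoded from PRI as numbers.
        "_SYSLOG_FACILITY": pri // 8,
        "_SYSLOG_PRIORITY": pri % 8,
        "_SYSLOG_APP_NAME": _nil(match.group("app_name")),
        "_SYSLOG_PROCID": _nil(match.group("procid")),
        "_SYSLOG_MSGID": _nil(match.group("msgid")),
        "_SYSLOG_STRUCTURED_DATA": _nil(structured_data),
        "message": message,  # the part the parser's own regex is applied to
    }


# Constructed samples: PAGE_SAMPLE is the message quoted above; FORGED_SAMPLE is
# a made-up line whose HOSTNAME does not match the address it arrives from.
PAGE_SAMPLE = (
    "<151>1 2017-01-24T08:57:21+01:00 NBG-ECIT225 AlarmLog 16 aleAlarm "
    '[tsvSDID@15251 SENDHOST="nbg-ecit225" SENDHOST-IP="10.182.210.172" TSV="NBG-ELT214null"] '
    "bs_SGC_10 Diameter supervisor processing cleared No connectivity to accounting server "
    "with realm: tcdf2.t-online.de. This alarm will be cleared when the connectivity to the "
    "accounting server is established SGC 17-19 4294967295"
)
FORGED_SAMPLE = "<13>1 2024-05-01T10:00:00Z dc01.corp.example sshd - - - Accepted publickey for root"


def demo():
    """Decode both samples; returns (page_tokens, forged_tokens)."""
    return syslog_tokens(PAGE_SAMPLE, "10.182.210.172"), syslog_tokens(FORGED_SAMPLE, "203.0.113.7")


if __name__ == "__main__":
    page, forged = demo()
    for name in ("_SYSLOG_APP_NAME", "_SYSLOG_PROCID", "_SYSLOG_MSGID", "_SYSLOG_STRUCTURED_DATA"):
        print(name + ":", page[name])
    print(parse_structured_data(page["_SYSLOG_STRUCTURED_DATA"]))
    print("claimed host:", forged["_SYSLOG_SENDER"], "peer address:", forged["_SYSLOG_SOURCE_ADDR"])
```

Running the block prints the four token values listed above for the sample message. The second sample shows why the page documents both sender tokens: _SYSLOG_SENDER is whatever HOSTNAME the sending system wrote, while _SYSLOG_SOURCE_ADDR comes from the socket, so mapping both onto the event keeps the claimed and the observed origin side by side.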