
ArcSight Logger - Commonly Used Event Fields

Example Queries:
Free text search: "bwalth01" or "130.64.205.66"
All Juniper VPN activity: deviceVendor contains "Juniper" AND deviceProduct = "Netscreen VPN"
All traffic going to a particular IP: destinationAddress = "94.100.18.41"
All traffic to a set of IP addresses: destinationAddress IN ["130.64.205.66","130.64.205.72","130.64.205.178"]
All failed login attempts: categoryBehavior CONTAINS "Verify" AND categoryOutcome = "/Failure"
Example Load Balancer log (for when you need Load Balancer specific searches): Rule Log-to-Arcsite <SERVER_CONNECTED>: Got connection: Client(130.64.177.249:61338)<>(130.64.212.185:443)LTM(10.250.136.10:61338)<>(10.250.136.82:443)Server
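The load balancer line above packs four address/port pairs into one message (client, virtual server, SNAT source, pool member), and a free-text hit on it still leaves you to read those out by hand. The parser below is an added example, not part of the cheat sheet and not ArcSight or F5 code; it assumes the line layout exactly as shown above (with the angle-bracket separators un-escaped), uses its own hop names (vip, snat, server), and then builds a pivot search in the IN-list syntax from the example queries.

```python
import re
from typing import Dict, Optional, Union

# Sample line taken from the cheat sheet (F5 LTM iRule "Log-to-Arcsite" output),
# with the HTML-escaped angle brackets restored to plain "<>" separators.
SAMPLE_LTM_LINE = (
    "Rule Log-to-Arcsite <SERVER_CONNECTED>: Got connection: "
    "Client(130.64.177.249:61338)<>(130.64.212.185:443)"
    "LTM(10.250.136.10:61338)<>(10.250.136.82:443)Server"
)

# Layout as documented in the sheet:
#   Client(client)<>(virtual server)LTM(SNAT source)<>(pool member)Server
# The hop labels (vip, snat, server) are this example's naming, not ArcSight field names.
LTM_CONNECTION_RE = re.compile(
    r"Rule (?P<rule>\S+) <(?P<event>[A-Z_]+)>: Got connection: "
    r"Client\((?P<client_ip>[\d.]+):(?P<client_port>\d+)\)"
    r"<>\((?P<vip_ip>[\d.]+):(?P<vip_port>\d+)\)"
    r"LTM\((?P<snat_ip>[\d.]+):(?P<snat_port>\d+)\)"
    r"<>\((?P<server_ip>[\d.]+):(?P<server_port>\d+)\)Server$"
)


def parse_ltm_connection(line: str) -> Optional[Dict[str, Union[str, int]]]:
    """Split one LTM 'Got connection' line into its four address/port pairs.

    Returns None for lines that do not follow the format, so callers can
    skip unrelated load balancer messages instead of raising.
    """
    m = LTM_CONNECTION_RE.search(line.strip())
    if not m:
        return None
    fields: Dict[str, Union[str, int]] = dict(m.groupdict())
    for key in ("client_port", "vip_port", "snat_port", "server_port"):
        fields[key] = int(fields[key])
    return fields


def pivot_query(parsed: Dict[str, Union[str, int]]) -> str:
    """Build a Logger search, in the IN-list syntax from the example queries,
    for all traffic to either the virtual server or the pool member behind it.

    Server-side logs show the SNAT address (the LTM(...) pair) as the source,
    not the real client, so the VIP / pool-member pair is the reliable pivot.
    """
    addrs = ",".join(f'"{parsed[k]}"' for k in ("vip_ip", "server_ip"))
    return f"destinationAddress IN [{addrs}]"


if __name__ == "__main__":
    parsed = parse_ltm_connection(SAMPLE_LTM_LINE)
    if parsed is not None:
        print(parsed)
        print(pivot_query(parsed))
```

Lines that are not "Got connection" messages return None rather than raising, so the parser can be run over a whole export of load balancer events and only the connection records are picked up.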

Useful fields for narrowing down Logger queries:


eventId - always a distinct, sequential integer. No two events have the same EventId
destinationAddress - the IP address to which packets, requests, or connections were sent
sourceAddress - the IP address from which packets, requests, or connections were sent
name - the human-readable description of the event
message - a human readable description or debug output associated with the event
destinationPort, sourcePort - the ports used in network connections
sourceHostName, destinationHostName - the hostnames that the sourceAddress and destinationAddress resolve to
eventTime - the time at which the logging service first recorded the event
destinationMacAddress, sourceMacAddress - for networking events which record MAC addresses
destinationUserName, sourceUserName - the username involved with requesting an action which generated the event
baseEventId - for correlated or aggregated events, the eventId associated with the rule that triggered this new derivative event
baseEventCount - the number of aggregated events that were combined to form this new derivative event
device - the server hostname on which the SmartConnector is installed that captured this event
deviceReceiptTime - the time at which the ArcSight SmartConnector received the log
deviceCustomString1-6 - special values associated with a particular event that do not fit inside other fields. Sometimes holds related distances, MAC addresses, or other miscellaneous details.
categoryBehavior - the action associated with this event. Usually among:
/Access
/Access/Start
/Access/Stop
/Authentication/Verify
/Authorization
/Communicate
/Communicate/Query
/Communicate/Response
/Create
/Execute
/Execute/Query
/Execute/Response
/Execute/Start
/Execute/Stop
/Found/Defective
/Found/Exhausted
/Modify/Configuration
/Modify/Content
categoryOutcome - the reported outcome of the event. Among:
/Attempt
/Success
/Failure
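The example queries at the top and the category fields here are easiest to understand as predicates over event fields: `=` is an exact match, `CONTAINS` a substring match, `IN [...]` a set membership test, and `AND` a conjunction. The block below is an added example, not part of the cheat sheet and not ArcSight code: it implements a small evaluator for exactly that subset of the Logger query syntax and runs the sheet's own queries over a constructed set of events. Its semantics are this example's assumptions (exact, case-sensitive `=`; case-insensitive `CONTAINS`); the real Logger engine may differ in corner cases, and the SAMPLE_EVENTS records are made up for illustration.

```python
import re
from typing import Any, Callable, Dict, List

Event = Dict[str, Any]

# Constructed sample events using the field names from this sheet.
SAMPLE_EVENTS: List[Event] = [
    {"eventId": 1, "deviceVendor": "Juniper Networks", "deviceProduct": "Netscreen VPN",
     "categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Failure",
     "sourceAddress": "130.64.205.66", "destinationUserName": "bwalth01"},
    {"eventId": 2, "deviceVendor": "Juniper Networks", "deviceProduct": "Netscreen VPN",
     "categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Success",
     "sourceAddress": "130.64.205.66", "destinationUserName": "bwalth01"},
    {"eventId": 3, "deviceVendor": "Microsoft", "deviceProduct": "Microsoft Windows",
     "categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Failure",
     "sourceAddress": "10.250.136.82", "destinationUserName": "svc_backup"},
    {"eventId": 4, "deviceVendor": "Microsoft", "deviceProduct": "Microsoft Windows",
     "categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Failure",
     "sourceAddress": "10.250.136.82", "destinationUserName": "svc_backup"},
    {"eventId": 5, "deviceVendor": "Apache", "deviceProduct": "Apache",
     "categoryBehavior": "/Access", "categoryOutcome": "/Success",
     "sourceAddress": "130.64.177.249", "destinationAddress": "94.100.18.41"},
]

# Tokens: quoted strings, the punctuation = [ ] , and bare words (field names and keywords).
_TOKEN_RE = re.compile(r'(?P<str>"[^"]*")|(?P<op>=|\[|\]|,)|(?P<word>[A-Za-z_]\w*)')


def tokenize(query: str) -> List[str]:
    tokens: List[str] = []
    pos, n = 0, len(query)
    while True:
        while pos < n and query[pos].isspace():
            pos += 1
        if pos >= n:
            return tokens
        m = _TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"unexpected input at {pos}: {query[pos:pos + 10]!r}")
        tokens.append(m.group(m.lastgroup))
        pos = m.end()


def compile_query(query: str) -> Callable[[Event], bool]:
    """Parse `cond (AND cond)*` where cond is `field = "v"`, `field CONTAINS "v"`
    or `field IN ["v", ...]`, and return a predicate over one event."""
    toks = tokenize(query)
    i = 0

    def peek():
        return toks[i] if i < len(toks) else None

    def take(expected: str = None) -> str:
        nonlocal i
        tok = peek()
        if tok is None or (expected is not None and tok.upper() != expected.upper()):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        i += 1
        return tok

    def string() -> str:
        tok = take()
        if not (len(tok) >= 2 and tok.startswith('"') and tok.endswith('"')):
            raise ValueError(f"expected quoted string, got {tok!r}")
        return tok[1:-1]

    def condition() -> Callable[[Event], bool]:
        field = take()
        op = take().upper()
        if op == "=":                       # assumption: exact, case-sensitive match
            value = string()
            return lambda ev: str(ev.get(field, "")) == value
        if op == "CONTAINS":                # assumption: case-insensitive substring
            value = string().lower()
            return lambda ev: value in str(ev.get(field, "")).lower()
        if op == "IN":
            take("[")
            values = {string()}
            while peek() == ",":
                take(",")
                values.add(string())
            take("]")
            return lambda ev: str(ev.get(field, "")) in values
        raise ValueError(f"unsupported operator {op!r}")

    preds = [condition()]
    while peek() is not None and peek().upper() == "AND":
        take()
        preds.append(condition())
    if peek() is not None:
        raise ValueError(f"trailing input: {peek()!r}")
    return lambda ev: all(p(ev) for p in preds)


def search(events: List[Event], query: str) -> List[Event]:
    pred = compile_query(query)
    return [ev for ev in events if pred(ev)]


def failed_logins_by_source(events: List[Event]) -> Dict[str, int]:
    """The sheet's 'all failed login attempts' query, counted per sourceAddress."""
    counts: Dict[str, int] = {}
    for ev in search(events, 'categoryBehavior CONTAINS "Verify" AND categoryOutcome = "/Failure"'):
        src = str(ev.get("sourceAddress", "unknown"))
        counts[src] = counts.get(src, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    print(failed_logins_by_source(SAMPLE_EVENTS))
```

Counting failed authentications per sourceAddress is the first pivot most analysts make from that query, since a single source spread across many destinationUserName values looks very different from one user mistyping a password.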

categoryObject - the type of device associated with this event. Usually among:
/Actor/User
/Host
/Host/Application
/Host/Application/Database
/Host/Application/Service
/Host/Application/Service/Email
/Host/Operating System
/Host/Resource
/Host/Resource/Interface
/Host/Resource/Memory
/Network
categorySignificance - the reported event significance type. Usually among:
/Hostile
/Informational
/Informational/Error
/Informational/Normal
/Informational/Warning
/Normal
/Recon
/Rule/Action/Success
/Suspicious
transportProtocol - usually among:
TCP
UDP
ICMP
IGMP
deviceProduct - the brand name of the product which triggered the event. Examples:
Apache
ArcSight
CiscoRouter
IntruShield
IP Flow
Logger
Microsoft Windows
Mobility Controller
Netscreen VPN
NSM
NT syslog
Peoplesoft Financials
Peoplesoft HR
Sendmail
Switch
Tomcat
Unix
WebLogic
deviceVendor - the brand name of the owner/vendor of the product. Examples:
Apache
ArcSight
Aruba Networks
BEA
CISCO
Extreme Networks
IP Flow
Juniper
McAfee
Microsoft
Oracle
SaberNet
Unix
deviceAction - the arbitrary action reported by the device. Examples:
DHCPACK
DHCPDISCOVER
DHCPINFORM
DHCPNAK
DHCPOFFER
DHCPRELEASE
DHCPREQUEST
200
400
5
Accept
accepted
closed
connect
info
moved
notice
pckt dropped
Postponed
REFUSED
Sent
SERVFAIL
succeeded
Suspicious
Warning
