cWatch Network Admin Guide

Appendix 1 – Field Groups and Event Items Description


| S.No | Field Group | Description | Event Item | Description |
|---|---|---|---|---|
| 1 | agent | Log collector | agent_id | ID of the collector |
| | | | agent_ip | IP address of the collector |
| 2 | application | Application information contained in events | app_name | Application name |
| | | | app_pid | Application process ID |
| 3 | classification | Event classification fields | class_action | Type of action attempted as part of the event |
| | | | class_domain | Environment or domain of the event |
| | | | class_object | Type of object that is targeted or affected by the event |
| | | | class_service | Service involved in the event |
| | | | class_status | Status of the event action identified by the action field |
| | | | class_subject | Type of object that started the event action identified by the action field |
| 4 | custom | Custom field labels and their values | co_1 | Custom value 1 |
| | | | co_1label | Custom label 1 |
| | | | co_2 | Custom value 2 |
| | | | co_2label | Custom label 2 |
| | | | co_3 | Custom value 3 |
| | | | co_3label | Custom label 3 |
| | | | co_4 | Custom value 4 |
| | | | co_4label | Custom label 4 |
| | | | co_5 | Custom value 5 |
| | | | co_5label | Custom label 5 |
| 5 | destination | Event target device | dst_city | Depending on the country, either the city or the state of the target device |
| | | | dst_country | Country name of the target device |
| | | | dst_host | Host name of the target device |
| | | | dst_ip | IP address of the target device |
| | | | dst_ip_private | Whether the target IP is private or not |
| | | | dst_ip_loc | Latitude and longitude coordinates of the target device |
| | | | dst_mac | MAC address of the target device |
| | | | dst_port | Port that is targeted |
| | | | dst_sd_1 | If the country has states, the state of the target device's country (e.g. USA/Kentucky) |
| | | | dst_sd_2 | Subdivision of the state of the target device's country |
| | | | dst_tr_ip | Translated IP address of the target device |
| | | | dst_tr_port | Translated port |
| 6 | device | Device on which the logs are produced | dvc_host | Host name of the device |
| | | | dvc_ip | IP address of the device |
| 7 | event | General event fields | agent_time | The time (in milliseconds) at which the raw log is processed on the collector |
| | | | central_time | The time (in milliseconds) at which the raw log is transformed into an event |
| | | | customer_id | Identifier for the customer of the MSSP |
| | | | dvc_time | The time (in milliseconds) at which the log is seen on the device |
| | | | event_id | Unique ID of the event |
| | | | It_1 | Indicates list name event |
| | | | It_2 | Indicates list event field group and list name event |
| | | | It_3 | Indicates list event field group, list name and list type event |
| | | | message | Message of the event |
| | | | mssp_id | Identifier for the MSSP |
| | | | name | Name of the event |
| | | | raw_log | The log text seen on the device |
| | | | raw_size | Received log size in bytes, encoded in UTF-8 |
| | | | size | Normalized event size in bytes, encoded in UTF-8 |
| | | | tag_list | Event tags separated with the pipe character (\|) |
| | | | type | Type of the event |
| 8 | file | File information contained in events | f_name | File name |
| | | | f_size | File size |
| | | | f_type | File type |
| | | | f_uri_path | File URI path |
| | | | f_url | File URL |
| | | | f_md5 | MD5 hash value of the file |
| | | | f_sha1 | SHA1 hash value of the file |
| | | | f_sha256 | SHA256 hash value of the file |
| 9 | network | Network-related information contained in events | app_proto | Application protocol used in the event |
| | | | bytes_in | Bytes received |
| | | | bytes_out | Bytes sent |
| | | | int_in | Inbound interface |
| | | | int_out | Outbound interface |
| | | | session_id | Session ID |
| | | | trans_proto | Transport protocol used in the event |
| 10 | product | Product that produces the raw logs that will be converted to events | prod_name | Name of the product |
| | | | prod_vendor | Vendor of the product |
| | | | prod_version | Version of the product |
| 11 | rule | Rule (firewall, IPS, antivirus rule etc.) information contained in events | rule_hit_count | How many hits occurred for the rule |
| | | | rule_id | ID of the rule |
| | | | rule_info | Extra information related to the rule |
| | | | rule_name | Name of the rule |
| | | | rule_sig_id | ID of the signature related to the rule |
| | | | rule_sig_name | Name of the signature related to the rule |
| 12 | source | Event source device | src_city | Depending on the country, either the city or the state of the source device |
| | | | src_country | Country of the source device |
| | | | src_host | Host name of the source device |
| | | | src_ip | IP address of the source device |
| | | | src_ip_private | Whether the source IP is private or not |
| | | | src_loc | Latitude and longitude coordinates of the source device |
| | | | src_mac | MAC address of the source device |
| | | | src_port | Event source port |
| | | | src_sd_1 | If the country has states, the state of the source device's country (e.g. USA/Kentucky) |
| | | | src_sd_2 | Subdivision of the state of the source device's country |
| | | | src_tr_ip | Translated IP address of the source device |
| | | | src_tr_port | Source port |
| 13 | syslog | Syslog information | facility | Syslog facility field |
| | | | priority | Syslog priority field |
| | | | severity | Syslog severity field |
| 14 | time | Time-related information (calculated based on agent_time) | partition_time | Collection time of the log in terms of day (calculated based on agent_time) |
| | | | pass_days | How many days have passed since January 1, 1970 UTC |
| | | | pass_hours | How many hours have passed since January 1, 1970 UTC |
| | | | pass_minutes | How many minutes have passed since January 1, 1970 UTC |
| | | | pass_months | How many months have passed since January 1, 1970 UTC |
| | | | pass_years | How many years have passed since January 1, 1970 UTC |
| 15 | user | User information contained in events | usr_domain | Domain of the user |
| | | | usr_name | Name of the user |
| | | | usr_uid | UID of the user |
| | | | target_domain | Targeted user's domain |
| | | | target_name | Targeted user's name |
| | | | target_uid | Targeted user's unique ID |
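The following is an added example, not code from the cWatch Network guide or from Comodo. It shows how a constructed firewall syslog line maps onto the field names above (agent, event, network, source, destination, syslog and time groups) and how the time group can be derived from agent_time. The table says only that those fields are "calculated based on agent_time"; the exact rules used here (whole days, hours and minutes since the Unix epoch, months and years counted on the UTC calendar), the RFC 3164 split of the syslog PRI value into facility and severity, and the use of Python's `ipaddress` private-range test for `*_ip_private` are assumptions made for the example. The `KV_TO_FIELD` mapping, the `build_event` helper and the sample log line are hypothetical.

```python
"""
Added example for the Appendix 1 field dictionary (not cWatch's own code).
Normalizes one constructed syslog line into an event dict keyed by the
documented event item names and derives the time-group fields from agent_time.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed sample log line in netfilter style (not a real capture).
SAMPLE_RAW_LOG = ("<34>Nov 14 22:13:20 fw01 kernel: DROP IN=eth0 OUT=eth1 "
                  "SRC=10.0.0.5 DST=1.2.3.4 PROTO=TCP SPT=51000 DPT=445")

# Hypothetical mapping from the sample's KEY=VALUE tokens to Appendix 1 items.
KV_TO_FIELD = {
    "IN": "int_in", "OUT": "int_out", "SRC": "src_ip", "DST": "dst_ip",
    "PROTO": "trans_proto", "SPT": "src_port", "DPT": "dst_port",
}


def syslog_pri_fields(raw_log: str) -> dict:
    """Split a leading syslog PRI value <N> into the syslog group:
    priority N, facility N // 8 and severity N % 8 (RFC 3164 encoding).
    Lines without a PRI header yield no syslog fields."""
    end = raw_log.find(">")
    if not raw_log.startswith("<") or end < 2 or not raw_log[1:end].isdigit():
        return {}
    pri = int(raw_log[1:end])
    return {"priority": pri, "facility": pri // 8, "severity": pri % 8}


def derive_time_fields(agent_time_ms: int) -> dict:
    """Derive the time group from agent_time (milliseconds since the epoch).
    Assumed rules: integer division for days/hours/minutes, calendar arithmetic
    in UTC for months/years, and the UTC date as the partition day."""
    secs = agent_time_ms // 1000
    dt = datetime.fromtimestamp(secs, tz=timezone.utc)
    return {
        "partition_time": dt.strftime("%Y-%m-%d"),
        "pass_days": secs // 86400,
        "pass_hours": secs // 3600,
        "pass_minutes": secs // 60,
        "pass_months": (dt.year - 1970) * 12 + (dt.month - 1),
        "pass_years": dt.year - 1970,
    }


def parse_kv_fields(raw_log: str) -> dict:
    """Pull KEY=VALUE tokens out of the message body and rename them to the
    network/source/destination event items; ports become integers."""
    fields = {}
    for token in raw_log.split():
        key, sep, value = token.partition("=")
        if sep and key in KV_TO_FIELD:
            name = KV_TO_FIELD[key]
            fields[name] = int(value) if name.endswith("_port") else value
    # *_ip_private: the table only says "whether this IP is private or not";
    # using the ipaddress module's special-use/RFC 1918 test is the assumption.
    for side in ("src", "dst"):
        ip = fields.get(f"{side}_ip")
        if ip is not None:
            fields[f"{side}_ip_private"] = ipaddress.ip_address(ip).is_private
    return fields


def build_event(raw_log: str, agent_id: str, agent_ip: str,
                agent_time_ms: int, tags: list) -> dict:
    """Assemble one normalized event keyed by the Appendix 1 field names."""
    event = {
        "agent_id": agent_id,
        "agent_ip": agent_ip,
        "agent_time": agent_time_ms,
        "raw_log": raw_log,
        "raw_size": len(raw_log.encode("utf-8")),  # size in UTF-8 bytes
        "tag_list": "|".join(tags),                  # pipe-separated tags
    }
    event.update(syslog_pri_fields(raw_log))
    event.update(parse_kv_fields(raw_log))
    event.update(derive_time_fields(agent_time_ms))
    return event


if __name__ == "__main__":
    ev = build_event(SAMPLE_RAW_LOG, "col-01", "10.0.0.2",
                     1_700_000_000_000, ["firewall", "drop"])
    for key in sorted(ev):
        print(f"{key:16} {ev[key]}")
```

When run, the sample line yields facility 4 / severity 2 from PRI 34, `src_ip_private` true for 10.0.0.5 and false for 1.2.3.4, and a `partition_time` of 2023-11-14 for an agent_time of 1700000000000 ms; `raw_size` counts UTF-8 bytes rather than characters, which matters for multi-byte log text.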




© Comodo Group, Inc. 2025. All rights reserved.