Format of syslog messages for incidents

To define the format and a set of fields for syslog messages that PT ISIM proView Sensor sends for incidents, templates are used. The templates are stored in the following directory: /opt/ptisim/lib/ptisim-httpapi/templates/alerts/notify. For each message type, there is a corresponding template in the directory:

alert_create_message/syslog is for notifying of a new incident.
alert_status_message/syslog is for notifying that an incident state changed.
alert_progress_message/syslog is for notifying that a new step of an incident is detected (for incidents that consist of several steps, such as "Possible disconnection of PT ISIM").

Besides the fields specified in the templates, you can add other fields to the message text by enclosing them in double braces: {{ … }}—for example, {{ incident.status }}. The following table contains a list of basic incident parameters that you can use as fields for syslog messages. All available fields are listed in the file /opt/ptisim/etc/fullview/httpapi.conf.d/incidents-notify-fields.yaml.

Syslog message fields
Field	Data type	Description
`incident.id`	UInt32	Incident ID
`incident.type`	String	Incident type
`incident.status`	String	Current incident state: `open`, `in_progress`, or `closed`
`incident.progress`	UInt32	Current incident step (for incidents that consist of several steps)
`incident.capacity`	UInt32	Total number of possible incident steps
`incident.events`	String	List of incident events
`incident.start`	Timestamp	Incident creation time
`incident.end`	Timestamp	Time of the most recent incident event (may coincide with `incident.start` if the incident consists of one event)
`change`	Timestamp	Time of the most recent change in incident properties. Changes include the following: an incident state changes; an incident is starred; a new event is created; a new step begins
`incident.source`	String	ID of the incident source node
`incident.destination`	String	ID of the incident target node
`incident.model_state`	UInt32	ID of the model state at the time of incident detection
`incident.src_ip`	String	IP address of the incident source
`incident.src_mac`	String	MAC address of the incident source
`incident.dst_ip`	String	IP address of the incident target
`incident.dst_mac`	String	MAC address of the incident target
`incident.group`	String	Incident group
`incident.severity_level`	String	Incident severity level: `high`, `medium`, `low`, or `info`
`incident_url`	String	Link to the incident in the web interface
`station_name`	String	View Sensor node name
`now`	String	Current time
`ip`	String	ISIM node IP address
`src_ip`	String	IP address of the event source
`dst_ip`	String	IP address of the event recipient
`src_mac`	String	MAC address of the event source
`dst_mac`	String	MAC address of the event recipient
`type`	String	Incident type
`incident.name.rus`	String	Incident name in Russian
`incident.name.eng`	String	Incident name in English