Fortinet Document Library

Version:

Version:


Table of Contents

Administration Guide

Download PDF
Copy Link

Syslog management

You can choose to send output from IPS/IDS devices to FortiNAC. Syslog Files that you create and store under Syslog Management are used by FortiNAC to parse the information received from these external devices and generate an event. The event can contain any or all of the fields contained in the syslog output.

Default files

Default files include:

  • FireEye
  • FortiOS4
  • FortiOS5
  • Palo Alto Networks Firewall
  • Sourcefire IPS
  • StoneGate IPS
  • TippingPoint SMS
  • Top Layer IPS

Each of these files has corresponding events in the events list. You can add configurations for other Syslog files if they conform to either the CSV, CEF or TAG/VALUE formats.

Events and alarms

When those new Syslog configurations are added, corresponding events and alarms are created in the Events List. See Events and alarms list for a complete list of events that can be tracked.

If a syslog message is received for a host that has more than one adapter, an event is generated for each adapter. Therefore a single host could generate multiple events and alarms.

Device model

You must model any device that sends Syslog information to FortiNAC in the Topology. See Add or modify a pingable device for detailed instructions.

Navigation

To access the Syslog Management view, select System > Settings > System Communication > Syslog Files.

Settings

Field

Definition

Table configuration

Enable Buttons

Enables or disables the selected Syslog file. If a file is disabled it is not used when processing inbound syslog messages.

Table columns

Name

The name of the syslog file. This is a unique name for this syslog definition.

This value is required.

Enabled

A green check mark indicates that the file is enabled. A red circle indicates that the file is disabled.

Label

The label for the Event or Alarm that will be generated.

This value is required.

Format

Message format for the Syslog file. Supported formats include:

  • CSV: Message is a series of data fields typically separated by commas. Comma separated value. Other characters can be used to separate data fields.
  • TAG/VALUE: Message is series of fields each with a tag and a value. For example, the message could contain the following : cip=192.168.10.182. cip is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag.
  • CEF: Message is a series of fields, some in a standard position, others with a tag and a value. For example the message could contain the following: src=192.168.10.182. src is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag.

Delimiter

Character used to separate the fields in the syslog message. Options include: space, comma (,) and pipe (|).

This field is not available for the TAG/VALUE format. A space is used as the delimiter.

IP Tag/Column

Name of the field or number of the column containing the source IP address.

This value is required.

Filter Tag/
Column

Name of the field or number of the column containing the filter.

This value is required.

Filter Value

The value contained in the filter column or field. Only entries that contain matching data will be used.

This value is required.

Severity Tag/Column

Name of the field or number of the column containing the severity.

This value is required.

Low Severity Values

Entries containing one of these matching values in the severity field or column cause a Low Severity event to be generated. For CSV format, multiple values are entered separated by commas.

Medium
Severity Values

Entries containing one of these matching values in the severity column will cause a Medium Severity event to be generated. For CSV format, multiple values are entered separated by commas.

High Severity Values

Entries containing one of these matching values in the severity field or column cause a High Severity event to be generated. For CSV format, multiple values are entered separated by commas.

Event Tag/
Column

Names of the fields or numbers of the columns used when populating items from the syslog entry into the Event Format.

Event Format

Message that is displayed when the event is generated. The text is generated from the items listed in the Event Tag field in the order they appear.

Right click options

Add

Opens the Add Syslog Files dialog.

Delete

Deletes the selected action.

Modify

Opens the Modify Security Action window for the selected action.

In Use

Shows if the Syslog File is in use or not

Show Audit Log

Opens the admin auditing log showing all changes made to the selected item.

For information about the admin auditing log, see Admin auditing.

Note

You must have permission to view the admin auditing log. See Add an administrator profile.

Enable

Enables the syslog file.

Disable

Disables the syslog file.

Buttons

Export

Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. Low, Medium and High severity levels are not included in the exported data. See Export data.

Inbound file formats

There are three supported syslog formats, CSV, TAG/VALUE and CEF. The CSV syslog output format is a comma-separated entry with seven items. Identify each item in the entry by its column number when you create the Event Message format. The TAG/VALUE syslog output format is a set of messages where the TAG indicates the name of the program or process that generated the message and the VALUE is the content of the message. The CEF syslog output format uses tags to mark the data so that it can be located by the device receiving the syslog file.

Example:
Denied,10,192.168.1.1,00:10:8B:A7:EF:AA,IPS Sensor,214,P2P-TCP-BitTorrent-Network-Connect 

Column Number

Description

Data From Example

1

Action taken by IPS/IDS

Denied

2

Alert Severity

10

3

Source IP address

192.168.1.1

4

Source MAC address

00:10:8B:A7:EF:AA

5

Component ID

IPS Sensor

6

Rule ID

214

7

Situation

P2P-TCP-BitTorrent-Network-Connect

Example:

<38>Apr 14 09:48:55 192.168.5.199 IPS5500-1000: id=060001 pt=TLN-TM prot=TCP cip=192.168.10.182 cprt=49161 sip=192.168.10.10 sprt=445 atck=tln-001017 disp=mitigate ckt=1 src=extern msg="NETWK: TCP Connection With Missed Setup"

Note

Only the fields used by Syslog Management are defined in the table.

Note

Values within the TAG/VALUE syslog must not contain spaces, unless the value is contained within double-quotes ("), such as msg="NETWK: TCP Connection With Missed Setup."

TAG Name

Description

VALUE From Example

cip

IP address of the host

192.168.10.182

prot

Protocol

TCP

atck

Filter - severity

tln-001017

TLN-

Filter

tln-

msg

Message

"NETWK: TCP Connection With Missed Setup"

Example:

CEF:0|FireEye|MPS|5.1.0.55701|MC|malware-callback|9|src=195.2.252.157 spt=80 smac=00:0d:66:4d:fc:00 rt=May 08 2010 14:24:45 dst=128.12.95.64 dpt=0 dmac=00:18:74:1c:a1:80 cn1Label=vlan cn1=0 cn2Label=sid cn2=33331600 cs1Label=sname cs1=Trojan.Piptea.2 msg= https://mil.fireeye.com/edp.php?sname\=Trojan.Piptea.2 cs4Label=link cs4= https://172.16.127.7/event_stream/events?event_id\=111 cs5Label=ccName cs5=195.2.252.157 cn3Label=ccPort cn3=80 proto=tcp shost=rescomp-09-149735.Standard.EDU dvcHost=mslms dvc=172.16.127.7 externalId=111

The first part of the message has a common format and is not tagged. It follows the format shown below. Other fields are customized.

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

Note

This only an example and does not list all of the possible combinations of data that can be used to generate events and alarms.

TAG Name

Description

VALUE From Example

src

IP address of the host

195.2.252.157

Severity

Severity

9

Name

Event Name

malware-callback

proto

Transport Protocol

tcp

cs1

Signature Name

Trojan Piptea 2

Add or modify a syslog file

Refer to for file format information.

Note

The asterisk (*) wildcard can be used at the beginning and end of all values you enter.

  1. Click System > Settings.
  2. Select Syslog Files from the tree.
  3. Click Add or select an existing Syslog File from the list and click Modify.
  4. Check the Processing Enabled check box to enable this Syslog file.
  5. Enter a Name for the Syslog File.
  6. Use the table below to enter the file information.
  7. Click OK to save the new Syslog file.
  8. You need to add the IDS/IPS device if it is not already in the Topology. See Add or modify a pingable device for detailed instructions.
Settings
Note

All possible fields are shown in the table. Fields on the Add or Modify dialog will vary depending on whether you chose CSV or TAG/VALUE format.

Field

Definition

Name

The name of the syslog file. This is a unique name for this syslog definition. This value is required.

Processing Enabled

Enables/disables processing of this type of inbound syslog messages.

Event Label

The label for the Event or Alarm that will be generated by FortiNAC. This value is required.

Format

Supported message formats include:

  • CSV: Message is a series of data fields typically separated by commas. Comma separated value. Other characters can be used to separate data fields.
  • TAG/VALUE: Message is series of fields each with a tag and a value. For example, the message could contain the following: cip=192.168.10.182. cip is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.1182 is the value associated with that tag.
  • CEF: Message is a series of fields, some in a standard position, others with a tag and a value. For example the message could contain the following: src=192.168.10.182. src is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag.

IP Tag
IP Column

Name of the field or number of the column containing the source IP address. This value is required.

Filter Tag

Filter Column

Name of the field or number of the column containing the filter.

Note

This value is required. If left blank, there will be no matches and no syslog data is sent to FortiNAC.

Filter Values

The values contained in the filter column or field. Only entries that contain matching data will be used. This value is required.

If left blank, everything is a match.

Severity Tag/Column

Name of the field or number of the column containing the severity. This value is required.

Severity Values

Entries containing one of these matching values in the severity field or column cause a Low, Medium or High Severity event to be generated. For CSV format, separate values with commas if entering more than one possible value.

Event Tag

Event Column

The names of the fields or numbers of the columns used when populating items from the syslog entry into the Event Format.

Entire Syslog

Insert %syslog% as an event column in the location where you want the syslog message to appear in the event.

Event Format

Message that is displayed when the event is generated. The text is generated from the items listed in the event tag parameter in the order they appear.

Delete a syslog file

  1. Click System > Settings.
  2. Expand the System Communication folder.
  3. Select Syslog Files from the tree.
  4. Select the file to delete and click Delete.
  5. The program asks if you are sure. Click Yes to continue.

Examples of syslog messages

Here are some examples of syslog messages that are returned from FortiNAC. In these examples, the Syslog server is configured as follows:

  • Type: Syslog
  • IP address: a.b.c.d
  • Port: 514
  • Facility: Authorization

Event

Description

Syslog Message

Login Success

This is the event that is logged with a user logs into the admin UI.

02-28-2014 08:16:04 Auth.Notice 192.168.34.31 Feb 27 22:16:14 : 2014/02/27 22:16:14 EST,1,545570,Login Success,0,12,,,,,User root logged in.

Map IP To MAC Failure

This is a legacy event logged when a scheduled task runs (these are no longer used for IP-MAC) and the ARP is not read.

--

Probe - Map IP To MAC Failure

This is the event when we fail to poll and L3 device for IP->MAC (reading Arp Cache) L3 Polling

02-28-2014 09:00:14 Auth.Notice 192.168.34.31 Feb 27 23:00:24 : 2014/02/27 23:00:24 EST,1,545702,Probe - MAP IP To MAC Failure,0,28,,Switch,192.168.34.1,,Failed to read IP address mappings from device Switch.

User Logged Out

This is the event that is logs when a user logs out of the admin UI.

02-28-2014 08:48:55 Auth.Notice 192.168.34.31 Feb 27 22:49:04 : 2014/02/27 22:49:04 EST,1,545670,User Logged Out,0,12,,,,,User root Logged Out.

User Logged off Host

This event is logged when a user logs off a host

02-28-2014 08:44:25 Auth.Notice 192.168.34.31 Feb 27 22:44:34 : 2014/02/27 22:44:34 EST,1,545655,User Logged off Host,0,4155,,,,,"User Man, Bat logged off session 1 on host BRADSUPP7-LT

User Logged onto Host

This event is logged when a user logs onto a host

02-28-2014 08:37:58 Auth.Notice 192.168.34.31 Feb 27 22:38:07 : 2014/02/27 22:38:07 EST,1,545633,User Logged onto Host,0,4155,,,,,"User Man, Bat logged onto session 1 on host BRADSUPP7-LT"

User Remotely Connected to Host

An event that is logged when a user remotely connected to a terminal session on a host using the PA

--

User Locked Session

This event is logged when a user locks his workstation

02-28-2014 08:49:53 Auth.Notice 192.168.34.31 Feb 27 22:50:03 : 2014/02/27 22:50:03 EST,1,545681,User Locked Session,0,4155,,,,,"User Man, Bat locked session 2 on host BRADSUPP7-LT"

User Unlocked Session

This event is logged when a user unlocks his workstation

02-28-2014 08:52:07 Auth.Notice 192.168.34.31 Feb 27 22:52:16 : 2014/02/27 22:52:16 EST,1,545691,User Unlocked Session,0,4155,,,,,"User Man, Bat unlocked session 2 on host BRADSUPP7-LT"

Syslog management

You can choose to send output from IPS/IDS devices to FortiNAC. Syslog Files that you create and store under Syslog Management are used by FortiNAC to parse the information received from these external devices and generate an event. The event can contain any or all of the fields contained in the syslog output.

Default files

Default files include:

  • FireEye
  • FortiOS4
  • FortiOS5
  • Palo Alto Networks Firewall
  • Sourcefire IPS
  • StoneGate IPS
  • TippingPoint SMS
  • Top Layer IPS

Each of these files has corresponding events in the events list. You can add configurations for other Syslog files if they conform to either the CSV, CEF or TAG/VALUE formats.

Events and alarms

When those new Syslog configurations are added, corresponding events and alarms are created in the Events List. See Events and alarms list for a complete list of events that can be tracked.

If a syslog message is received for a host that has more than one adapter, an event is generated for each adapter. Therefore a single host could generate multiple events and alarms.

Device model

You must model any device that sends Syslog information to FortiNAC in the Topology. See Add or modify a pingable device for detailed instructions.

Navigation

To access the Syslog Management view, select System > Settings > System Communication > Syslog Files.

Settings

Field

Definition

Table configuration

Enable Buttons

Enables or disables the selected Syslog file. If a file is disabled it is not used when processing inbound syslog messages.

Table columns

Name

The name of the syslog file. This is a unique name for this syslog definition.

This value is required.

Enabled

A green check mark indicates that the file is enabled. A red circle indicates that the file is disabled.

Label

The label for the Event or Alarm that will be generated.

This value is required.

Format

Message format for the Syslog file. Supported formats include:

  • CSV: Message is a series of data fields typically separated by commas. Comma separated value. Other characters can be used to separate data fields.
  • TAG/VALUE: Message is series of fields each with a tag and a value. For example, the message could contain the following : cip=192.168.10.182. cip is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag.
  • CEF: Message is a series of fields, some in a standard position, others with a tag and a value. For example the message could contain the following: src=192.168.10.182. src is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag.

Delimiter

Character used to separate the fields in the syslog message. Options include: space, comma (,) and pipe (|).

This field is not available for the TAG/VALUE format. A space is used as the delimiter.

IP Tag/Column

Name of the field or number of the column containing the source IP address.

This value is required.

Filter Tag/
Column

Name of the field or number of the column containing the filter.

This value is required.

Filter Value

The value contained in the filter column or field. Only entries that contain matching data will be used.

This value is required.

Severity Tag/Column

Name of the field or number of the column containing the severity.

This value is required.

Low Severity Values

Entries containing one of these matching values in the severity field or column cause a Low Severity event to be generated. For CSV format, multiple values are entered separated by commas.

Medium
Severity Values

Entries containing one of these matching values in the severity column will cause a Medium Severity event to be generated. For CSV format, multiple values are entered separated by commas.

High Severity Values

Entries containing one of these matching values in the severity field or column cause a High Severity event to be generated. For CSV format, multiple values are entered separated by commas.

Event Tag/
Column

Names of the fields or numbers of the columns used when populating items from the syslog entry into the Event Format.

Event Format

Message that is displayed when the event is generated. The text is generated from the items listed in the Event Tag field in the order they appear.

Right click options

Add

Opens the Add Syslog Files dialog.

Delete

Deletes the selected action.

Modify

Opens the Modify Security Action window for the selected action.

In Use

Shows if the Syslog File is in use or not

Show Audit Log

Opens the admin auditing log showing all changes made to the selected item.

For information about the admin auditing log, see Admin auditing.

Note

You must have permission to view the admin auditing log. See Add an administrator profile.

Enable

Enables the syslog file.

Disable

Disables the syslog file.

Buttons

Export

Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. Low, Medium and High severity levels are not included in the exported data. See Export data.

Inbound file formats

There are three supported syslog formats, CSV, TAG/VALUE and CEF. The CSV syslog output format is a comma-separated entry with seven items. Identify each item in the entry by its column number when you create the Event Message format. The TAG/VALUE syslog output format is a set of messages where the TAG indicates the name of the program or process that generated the message and the VALUE is the content of the message. The CEF syslog output format uses tags to mark the data so that it can be located by the device receiving the syslog file.

Example:
Denied,10,192.168.1.1,00:10:8B:A7:EF:AA,IPS Sensor,214,P2P-TCP-BitTorrent-Network-Connect 

Column Number

Description

Data From Example

1

Action taken by IPS/IDS

Denied

2

Alert Severity

10

3

Source IP address

192.168.1.1

4

Source MAC address

00:10:8B:A7:EF:AA

5

Component ID

IPS Sensor

6

Rule ID

214

7

Situation

P2P-TCP-BitTorrent-Network-Connect

Example:

<38>Apr 14 09:48:55 192.168.5.199 IPS5500-1000: id=060001 pt=TLN-TM prot=TCP cip=192.168.10.182 cprt=49161 sip=192.168.10.10 sprt=445 atck=tln-001017 disp=mitigate ckt=1 src=extern msg="NETWK: TCP Connection With Missed Setup"

Note

Only the fields used by Syslog Management are defined in the table.

Note

Values within the TAG/VALUE syslog must not contain spaces, unless the value is contained within double-quotes ("), such as msg="NETWK: TCP Connection With Missed Setup."

TAG Name

Description

VALUE From Example

cip

IP address of the host

192.168.10.182

prot

Protocol

TCP

atck

Filter - severity

tln-001017

TLN-

Filter

tln-

msg

Message

"NETWK: TCP Connection With Missed Setup"

Example:

CEF:0|FireEye|MPS|5.1.0.55701|MC|malware-callback|9|src=195.2.252.157 spt=80 smac=00:0d:66:4d:fc:00 rt=May 08 2010 14:24:45 dst=128.12.95.64 dpt=0 dmac=00:18:74:1c:a1:80 cn1Label=vlan cn1=0 cn2Label=sid cn2=33331600 cs1Label=sname cs1=Trojan.Piptea.2 msg= https://mil.fireeye.com/edp.php?sname\=Trojan.Piptea.2 cs4Label=link cs4= https://172.16.127.7/event_stream/events?event_id\=111 cs5Label=ccName cs5=195.2.252.157 cn3Label=ccPort cn3=80 proto=tcp shost=rescomp-09-149735.Standard.EDU dvcHost=mslms dvc=172.16.127.7 externalId=111

The first part of the message has a common format and is not tagged. It follows the format shown below. Other fields are customized.

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

Note

This only an example and does not list all of the possible combinations of data that can be used to generate events and alarms.

TAG Name

Description

VALUE From Example

src

IP address of the host

195.2.252.157

Severity

Severity

9

Name

Event Name

malware-callback

proto

Transport Protocol

tcp

cs1

Signature Name

Trojan Piptea 2

Add or modify a syslog file

Refer to for file format information.

Note

The asterisk (*) wildcard can be used at the beginning and end of all values you enter.

  1. Click System > Settings.
  2. Select Syslog Files from the tree.
  3. Click Add or select an existing Syslog File from the list and click Modify.
  4. Check the Processing Enabled check box to enable this Syslog file.
  5. Enter a Name for the Syslog File.
  6. Use the table below to enter the file information.
  7. Click OK to save the new Syslog file.
  8. You need to add the IDS/IPS device if it is not already in the Topology. See Add or modify a pingable device for detailed instructions.
Settings
Note

All possible fields are shown in the table. Fields on the Add or Modify dialog will vary depending on whether you chose CSV or TAG/VALUE format.

Field

Definition

Name

The name of the syslog file. This is a unique name for this syslog definition. This value is required.

Processing Enabled

Enables/disables processing of this type of inbound syslog messages.

Event Label

The label for the Event or Alarm that will be generated by FortiNAC. This value is required.

Format

Supported message formats include:

  • CSV: Message is a series of data fields typically separated by commas. Comma separated value. Other characters can be used to separate data fields.
  • TAG/VALUE: Message is series of fields each with a tag and a value. For example, the message could contain the following: cip=192.168.10.182. cip is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.1182 is the value associated with that tag.
  • CEF: Message is a series of fields, some in a standard position, others with a tag and a value. For example the message could contain the following: src=192.168.10.182. src is the tag indicating that this is the IP address of the user causing the problem. 192.168.10.182 is the value associated with that tag.

IP Tag
IP Column

Name of the field or number of the column containing the source IP address. This value is required.

Filter Tag

Filter Column

Name of the field or number of the column containing the filter.

Note

This value is required. If left blank, there will be no matches and no syslog data is sent to FortiNAC.

Filter Values

The values contained in the filter column or field. Only entries that contain matching data will be used. This value is required.

If left blank, everything is a match.

Severity Tag/Column

Name of the field or number of the column containing the severity. This value is required.

Severity Values

Entries containing one of these matching values in the severity field or column cause a Low, Medium or High Severity event to be generated. For CSV format, separate values with commas if entering more than one possible value.

Event Tag

Event Column

The names of the fields or numbers of the columns used when populating items from the syslog entry into the Event Format.

Entire Syslog

Insert %syslog% as an event column in the location where you want the syslog message to appear in the event.

Event Format

Message that is displayed when the event is generated. The text is generated from the items listed in the event tag parameter in the order they appear.

Delete a syslog file

  1. Click System > Settings.
  2. Expand the System Communication folder.
  3. Select Syslog Files from the tree.
  4. Select the file to delete and click Delete.
  5. The program asks if you are sure. Click Yes to continue.

Examples of syslog messages

Here are some examples of syslog messages that are returned from FortiNAC. In these examples, the Syslog server is configured as follows:

  • Type: Syslog
  • IP address: a.b.c.d
  • Port: 514
  • Facility: Authorization

Event

Description

Syslog Message

Login Success

This is the event that is logged with a user logs into the admin UI.

02-28-2014 08:16:04 Auth.Notice 192.168.34.31 Feb 27 22:16:14 : 2014/02/27 22:16:14 EST,1,545570,Login Success,0,12,,,,,User root logged in.

Map IP To MAC Failure

This is a legacy event logged when a scheduled task runs (these are no longer used for IP-MAC) and the ARP is not read.

--

Probe - Map IP To MAC Failure

This is the event when we fail to poll and L3 device for IP->MAC (reading Arp Cache) L3 Polling

02-28-2014 09:00:14 Auth.Notice 192.168.34.31 Feb 27 23:00:24 : 2014/02/27 23:00:24 EST,1,545702,Probe - MAP IP To MAC Failure,0,28,,Switch,192.168.34.1,,Failed to read IP address mappings from device Switch.

User Logged Out

This is the event that is logs when a user logs out of the admin UI.

02-28-2014 08:48:55 Auth.Notice 192.168.34.31 Feb 27 22:49:04 : 2014/02/27 22:49:04 EST,1,545670,User Logged Out,0,12,,,,,User root Logged Out.

User Logged off Host

This event is logged when a user logs off a host

02-28-2014 08:44:25 Auth.Notice 192.168.34.31 Feb 27 22:44:34 : 2014/02/27 22:44:34 EST,1,545655,User Logged off Host,0,4155,,,,,"User Man, Bat logged off session 1 on host BRADSUPP7-LT

User Logged onto Host

This event is logged when a user logs onto a host

02-28-2014 08:37:58 Auth.Notice 192.168.34.31 Feb 27 22:38:07 : 2014/02/27 22:38:07 EST,1,545633,User Logged onto Host,0,4155,,,,,"User Man, Bat logged onto session 1 on host BRADSUPP7-LT"

User Remotely Connected to Host

An event that is logged when a user remotely connected to a terminal session on a host using the PA

--

User Locked Session

This event is logged when a user locks his workstation

02-28-2014 08:49:53 Auth.Notice 192.168.34.31 Feb 27 22:50:03 : 2014/02/27 22:50:03 EST,1,545681,User Locked Session,0,4155,,,,,"User Man, Bat locked session 2 on host BRADSUPP7-LT"

User Unlocked Session

This event is logged when a user unlocks his workstation

02-28-2014 08:52:07 Auth.Notice 192.168.34.31 Feb 27 22:52:16 : 2014/02/27 22:52:16 EST,1,545691,User Unlocked Session,0,4155,,,,,"User Man, Bat unlocked session 2 on host BRADSUPP7-LT"