Avaya

LogZilla App Store application: Avaya

Overview

Avaya Communication Manager is an enterprise telephony platform that provides voice communications, unified messaging, and contact center capabilities. The system manages VoIP phone registrations, call routing, and network connectivity for enterprise telephony deployments.

App Function

The Avaya app parses log messages from Avaya Communication Manager and extracts metadata for network connectivity, security threats, system health, and authentication events. The app provides MITRE ATT&CK mapping for security events and Event Class-aligned dashboards for different analyst roles.

Device Configuration

To send logs to LogZilla, the Avaya Communication Manager must be configured appropriately:

  1. Access the Avaya System Administration Terminal (SAT)
  2. Configure syslog destination with the LogZilla server IP
  3. Enable logging for IP events, security events, and system events
  4. Save the configuration

Vendor Documentation

Incoming Log Format

Log messages are sent as syslog messages from the Communication Manager with the program name logmanager. The log format uses key-value pairs delimited by = and separated by spaces. Each message begins with a category identifier followed by the event type:

  • IPEVT - IP/network events (registrations, connections)
  • SECEVT - Security events (toll fraud, violations)
  • SYSEVT - System events (failovers, alarms, license warnings)
  • AUTHEVT - Authentication events (login success/failure)

Event Classes

The app categorizes events into the following Event Classes:

| Event Class | Description | Example Events |
| --- | --- | --- |
| network | VoIP endpoint connectivity | IPT_REG, IPT_TCP_UP, IPT_TCP_DOWN |
| security | Security threats and violations | TOLL_FRAUD, SECURITY_VIOLATION |
| system | System health and alarms | BOARD_ALARM, LICENSE_WARNING |
| ha | High availability events | PROCR_FAILOVER |
| auth | Authentication events | LOGIN success/failed |

Parsed Metadata Fields

| Tag Name | Example | Description |
| --- | --- | --- |
| Event Class | network | Cross-vendor event classification |
| Avaya Event | IPT_TCP_UP | Avaya event type |
| Avaya Board | PROCR | Avaya board identifier |
| Board IP | 11.22.33.44 | IP address of the Avaya board |
| VoIP IP | 55.66.77.88 | IP address of the VoIP endpoint |
| Avaya Reason | recovery | Reason for the event |
| Station | 7768 | Station or terminal identifier |
| User | admin | Username for authentication events |
| Action | success | Result of authentication attempt |
| MitreId | T1110 | MITRE ATT&CK technique identifier |
| MITRE Tactic | Credential Access | MITRE ATT&CK tactic category |

MITRE ATT&CK Mapping

| Event | MITRE Technique | Tactic |
| --- | --- | --- |
| TOLL_FRAUD | T1498 (Network Denial of Service) | Impact |
| SECURITY_VIOLATION | T1110 (Brute Force) | Credential Access |
| LOGIN failed | T1110 (Brute Force) | Credential Access |

Log Examples

VoIP Phone Registration

```text
IPEVT IPT_REG board=PROCR ip=11.22.33.44 net_reg= 241 ext= 7768 ip=55.66.77.88; 1024 net_reg= 241 reason=recovery
```

VoIP Phone Network Status Change

```text
IPEVT IPT_TCP_UP board=PROCR ip=11.22.33.44 net_reg= 241 ext= 7632 the 1st ip=55.66.77.88;35770 the 2nd ip=0.0.0.0; 0 net_reg= 241 reason=endpoint_request
```

Toll Fraud Detection

```text
SECEVT TOLL_FRAUD station=7768 called=19005551234 trunk=1 duration=3600
```

Authentication Failure

```text
AUTHEVT LOGIN user=admin station=SAT result=failed reason=invalid_password
```

PROCR Failover

```text
SYSEVT PROCR_FAILOVER from=01A07 to=01B07 reason=heartbeat_loss
```
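The following is an added example, not the LogZilla app's own rule code: a small Python parser that turns the logmanager lines above into the metadata tags listed under Parsed Metadata Fields and applies the MITRE ATT&CK mapping table. It assumes the conventions visible in the samples (a blank may follow "=", an IP may carry a ";port" suffix, the first ip= is the board and the second is the VoIP endpoint); tag names and mappings are the ones on this page.

```python
import re

# Category prefix -> cross-vendor Event Class (Event Classes table on this page)
EVENT_CLASS = {"IPEVT": "network", "SECEVT": "security",
               "SYSEVT": "system", "AUTHEVT": "auth"}
CLASS_OVERRIDE = {"PROCR_FAILOVER": "ha"}          # failover is class "ha", not "system"
# Event (or event + result) -> (MITRE technique, tactic), from the mapping table
MITRE = {"TOLL_FRAUD": ("T1498", "Impact"),
         "SECURITY_VIOLATION": ("T1110", "Credential Access"),
         ("LOGIN", "failed"): ("T1110", "Credential Access")}
# Avaya key -> tag name; "ip" is positional (board first, VoIP endpoint second)
KEY_TAG = {"board": "Avaya Board", "reason": "Avaya Reason", "ext": "Station",
           "station": "Station", "user": "User", "result": "Action"}
# key=value with an optional blank after "=" and an optional ";port" suffix
# (assumed from the samples: "net_reg= 241", "ip=55.66.77.88; 1024", "ip=0.0.0.0; 0")
KV_RE = re.compile(r"(\w+)=\s*([^\s;]+)(?:;\s*(\d+))?")

def parse_avaya(msg):
    """Return the page's metadata tags for one logmanager line, or None."""
    parts = msg.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in EVENT_CLASS:
        return None                                 # not an Avaya category prefix
    category, event = parts[0], parts[1]
    tags = {"Event Class": CLASS_OVERRIDE.get(event, EVENT_CLASS[category]),
            "Avaya Event": event}
    ips = []
    for key, value, port in KV_RE.findall(parts[2] if len(parts) > 2 else ""):
        if key == "ip":
            ips.append(value)                       # the port is not a page tag
        elif key in KEY_TAG:
            tags[KEY_TAG[key]] = value
        else:
            tags[key] = value                       # called, trunk, from, to, ...
    if ips:
        tags["Board IP"] = ips[0]
    if len(ips) > 1:
        tags["VoIP IP"] = ips[1]                    # "the 2nd ip" (0.0.0.0) is ignored
    hit = MITRE.get((event, tags.get("Action"))) or MITRE.get(event)
    if hit:
        tags["MitreId"], tags["MITRE Tactic"] = hit
    return tags

if __name__ == "__main__":
    # Constructed sample, copied from the Log Examples section of this page
    line = ("IPEVT IPT_TCP_UP board=PROCR ip=11.22.33.44 net_reg= 241 ext= 7632 "
            "the 1st ip=55.66.77.88;35770 the 2nd ip=0.0.0.0; 0 net_reg= 241 "
            "reason=endpoint_request")
    print(parse_avaya(line))
```

A LOGIN line with result=success yields no MitreId, matching the mapping table, which lists only the failed case.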

Dashboards

The Avaya app includes the following dashboards:

  • Avaya: Network - VoIP connectivity events, endpoints, boards, registrations
  • Avaya: Security - Toll fraud, security violations, MITRE ATT&CK mapping
  • Avaya: Operations - System health, HA failovers, license warnings, auth events

Triggers

| Trigger | Description | Actionable |
| --- | --- | --- |
| Avaya: VoIP Endpoint Down | VoIP endpoint disconnection | Yes |
| Avaya: VoIP Endpoint Up | Endpoint recovery | No |
| Avaya: Phone Registration | Phone registration | No |
| Avaya: MITRE ATT&CK Threat Detected | Any MITRE-mapped threat | Yes |
| Avaya: Toll Fraud Detected | Toll fraud attempt | Yes |
| Avaya: Security Violation | Security policy violation | Yes |
| Avaya: Authentication Failure | Failed login attempt | Yes |
| Avaya: Authentication Success | Successful login | No |
| Avaya: PROCR Failover | HA failover event | Yes |
| Avaya: Critical Board Alarm | Critical hardware alarm | Yes |
| Avaya: License Warning | License expiration warning | Yes |