Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Audit Log Messages | Base Rule | General Audit Message | Other Audit |
| Pending Audit Logs | Sub Rule | Hold Action | Information |
| Success Audit Logs | Sub Rule | Successful Activity | Other Audit Success |
| Error Audit Logs | Sub Rule | General Error | Error |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Log Entry Timestamp | N/A | N/A | Selects the entries that match the specified input for timestamp. This will be in a human-readable format <day> <month> <day of month> <hour>:<min>:<sec> <year> in the local timezone. |
| Node | <process> | Text/String/Number | Selects the entries that match the specified input for node. |
| Session ID | <session> | Text/String/Number | This is the "session id" for this audit record. Each ssh/console session is assigned a unique session ID. Each ZAPI/HTTP/SNMP request is assigned a unique session ID. |
| Command ID | N/A | N/A | This is useful with ssh/console sessions. Each command in a session is assigned a unique command ID. Each ZAPI/HTTP/SNMP request does not have a command ID. |
| Protocol | <protname> | Text/String | This is the application used to connect to the cluster. Possible values include the following: internal, console, ssh, http, ontapi, snmp, rsh, telnet, service-processor |
| Remote user location | <sip> <sport> | IP Address/Number | The remote IP address or remote access point. |
| Vserver name | N/A | N/A | Storage Virtual Machine name |
| Username | <domainorigin> <login> | Text/String | Username |
| Command being executed | <command> | Text/String | The operation being attempted |
| State of this audit request | <result> <tag1> | Text/String | State of this request {Pending\|Success\|Error} |
| Additional information and/or error message | <subject> | Text/String | Additional information which may be error or informative message. |