Audit Log Messages

Vendor Documentation

Rule Name	Rule Type	Common Event	Classification
Audit Log Messages	Base Rule	General Audit Message	Other Audit
Pending Audit Logs	Sub Rule	Hold Action	Information
Success Audit Logs	Sub Rule	Successful Activity	Other Audit Success
Error Audit Logs	Sub Rule	General Error	Error

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
Log Entry Timestamp	N/A	N/A	Selects the entries that match the specified input for timestamp. This will be in a human-readable format <day> <month> <day of month> <hour>:<min>:<sec> <year> in the local timezone.
Node	<process> <severity> <processid>	Text/String/Number	Selects the entries that match the specified input for node.
Session ID	<session>	Text/String/Number	This is the "session id" for this audit record. Each ssh/console session is assigned a unique session ID. Each ZAPI/HTTP/SNMP request is assigned a unique session ID
Command ID	N/A	N/A	This is useful with ssh/console sessions. Each command in a session is assigned a unique command ID. Each ZAPI/HTTP/SNMP request does not have a command ID.
Protocol	<protname>	Text/String	This is the application used to connect to the cluster. Possible values include the following: internal, console, ssh, http, ontapi, snmp, rsh, telnet, service-processor
Remote user location	<sip> <sport>	IP Address/Number	The remote IP address or remote access point.
Vserver name	N/A	N/A	Storage Virtual Machine name
Username	<domainorigin> <login>	Text/String	Username
Command being executed	<command>	Text/String	The operation being attempted
State of this audit request	<result> <tag1>	Text/String	State of this request {Pending\|Success\|Error}
Additional information and/or error message	<subject>	Text/String	Additional information which may be error or informative message.