Vendor Documentation
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
|
Log Field |
LogRhythm Default |
LogRhythm Default v2.0 |
|---|---|---|
|
Header Severity |
<severity> |
N/A |
|
pri_num |
N/A |
N/A |
|
time |
N/A |
N/A |
|
IP address/hostname |
N/A |
N/A |
|
cat_name |
N/A |
<vendorinfo> |
|
msg_id |
<object> |
N/A |
|
total_seg |
N/A |
N/A |
|
seg_num |
N/A |
N/A |
|
timestamp |
N/A |
N/A |
|
sequence_num |
N/A |
N/A |
|
msg_code |
N/A |
<vmid>
|
|
msg_sev |
N/A |
<severity> |
|
msg_class |
N/A |
<subject> |
|
msg_text |
<vendorinfo> |
<action> |
|
ConfigVersionId |
<version> |
N/A |
|
NetworkDeviceGroups |
N/A |
N/A |
|
RequestTime |
N/A |
N/A |
|
ResponseTime |
N/A |
N/A |
|
FailureReason |
N/A |
<reason> |
|
MacAddress |
<smac> |
<dmac> |
|
OperatingSystem |
<useragent> |
N/A |
|
PostureAgentVersion |
<objecttype> / <useragent> |
N/A |
|
PostureStatus |
<status> |
N/A |
|
PosturePolicyMatched |
<policy> |
N/A |
|
PRAAction |
<action> |
N/A |
|
UserName |
<domainorigin>
|
<account> |
|
SessionId |
<session> |
<session> |
|
IpAddress |
<sip> |
<dip> |
|
SystemName |
<dname> |
N/A |
|
SystemDomain |
<domainorigin> |
N/A |
|
SystemUser |
<login> |
N/A |
|
SystemUserDomain |
<domainimpacted> |
N/A |
|
SupplicantProfile |
N/A |
N/A |
|
AntiVirusInstalled |
N/A |
N/A |
|
AntiSpywareInstalled |
N/A |
N/A |
|
FeedUrl |
N/A |
<url> |
|
NumOfUpdates |
N/A |
N/A |
|
PostureReport |
<status>
|
N/A |
|
Key1 |
N/A |
N/A |
|
Key2 |
N/A |
N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1010227 |
CISE Posture And Client Provisioning Audit |
Base Rule |
General Auditing Message |
Other Audit |
|
Auditing Failed |
Sub Rule |
Auditing Failed |
Other Audit Failure |
|
|
Auditing Passed |
Sub Rule |
Successful Activity |
Other Audit Success |
LogRhythm Default v2.0
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|
1012625 |
V 2.0 Posture And Client Provisioning Audit Event |
Base Rule |
Audit Message |
Other Audit |
|
V 2.0 EVID 87000 Endpoint Posture Report Received |
Sub Rule |
General Endpoint Message |
Information |
|
|
V 2.0 EVID 87001 EP Reassessment Report Receive |
Sub Rule |
General Endpoint Message |
Information |
|
|
V 2.0 EVID 87002 Endpoint Session Termination |
Sub Rule |
General Endpoint Message |
Information |
|
|
V 2.0 EVID 87004 EP USB-Check Report Received |
Sub Rule |
General Information Log Message |
Information |
|
|
V 2.0 EVID 87500 Client Provisioning Success |
Sub Rule |
Successful Activity |
Other Audit Success |
|
|
V 2.0 EVID 87501 Client Provisioning Fail Event |
Sub Rule |
Provisioning Failed |
Warning |
|
|
V 2.0 EVID 87600 Supplicant Provisioning Success |
Sub Rule |
Successful Activity |
Other Audit Success |
|
|
V 2.0 EVID 87601 Supplicant Provisioning Fail |
Sub Rule |
Provisioning Failed |
Warning |
|
|
V 2.0 EVID 87602 Supplicant Provision Inprogress |
Sub Rule |
General Information Log Message |
Information |
|
|
V 2.0 EVID 87603 Supplicant Provisioning Disable |
Sub Rule |
General Information Log Message |
Information |
|
|
V 2.0 EVID 87604 CA Server Down |
Sub Rule |
The Server Is Down |
Information |
|
|
V 2.0 EVID 87605 CA Server Up |
Sub Rule |
Server Is Up |
Information |
|
|
V 2.0 EVID 87606 Certificate Request Forwarding |
Sub Rule |
Certificate Verification Failure |
Error |
|
|
V 2.0 EVID 87607 OCSP Transactions High Volume |
Sub Rule |
General Information Log Message |
Information |
|
|
V 2.0 EVID 87608 EST Service Down |
Sub Rule |
General Information Log Message |
Information |
|
|
V 2.0 EVID 87609 EST Service Up |
Sub Rule |
General Information Log Message |
Information |
|
|
V 2.0 EVID 87750 EP Protection Svc Perform Op. |
Sub Rule |
General Endpoint Message |
Information |
|
|
V 2.0 EVID 87751 EP Protection Svc Operation Res |
Sub Rule |
General Endpoint Message |
Information |
|
|
V 2.0 EVID 87752 Provisioning Portal -Req Submit |
Sub Rule |
Certificate Request |
Activity |
|
|
V 2.0 EVID 87753 Provisioning Portal-Status Update |
Sub Rule |
Certificate Update Request |
Activity |
|
|
V 2.0 EVID 87754 Provisioning Portal -User Login |
Sub Rule |
General Information Log Message |
Information |
|
|
V 2.0 EVID 87901 EP Scripts Provisioned New Job |
Sub Rule |
General Endpoint Message |
Information |
|
|
V 2.0 EVID 87921 EndPoint Scripts Execution Res |
Sub Rule |
General Endpoint Message |
Information |
|
|
V 2.0 EVID 87005 PSN Posture Compliant State |
Sub Rule |
General Information Log Message |
Information |
|
|
V 2.0 EVID 87006 Posture Queries For MNT Session |
Sub Rule |
General Information Log Message |
Information |