DNS Audit Events
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
DNS Audit Events | Base Rule | General Audit Message | Other Audit |
EVID 513: Zone Delete | Sub Rule | Zone Object Deleted | Information |
EVID 514: Zone Updated | Sub Rule | Zone Update | Information |
EVID 515: Record Create | Sub Rule | Object Created | Access Success |
EVID 516: Record Delete | Sub Rule | Object Deleted/Removed | Access Success |
EVID 517: RRSET Delete | Sub Rule | Object Deleted/Removed | Access Success |
EVID 518: Node Delete | Sub Rule | Object Deleted/Removed | Access Success |
EVID 519: Record Create - Dynamic Update | Sub Rule | Object Created | Access Success |
EVID 520: Record Delete - Dynamic Update | Sub Rule | Object Deleted/Removed | Access Success |
EVID 521: Record Scavenge | Sub Rule | General Information Log Message | Information |
EVID 522: Zone Scope Create | Sub Rule | Object Created | Access Success |
EVID 523: Zone Scope Delete | Sub Rule | Zone Object Deleted | Information |
EVID 525: Zone Sign | Sub Rule | General Information Log Message | Information |
EVID 526: Zone Unsign | Sub Rule | General Information Log Message | Information |
EVID 527: Zone Re-sign | Sub Rule | General Information Log Message | Information |
EVID 528: Key Rollover Start | Sub Rule | Service Start | Startup and Shutdown |
EVID 529: Key Rollover End | Sub Rule | Session Ended | Other Audit Success |
EVID 530: Key Retire | Sub Rule | Session Ended | Other Audit Success |
EVID 531: Key Rollover Triggered | Sub Rule | General Information Log Message | Information |
EVID 533: Key Poke Rollover | Sub Rule | General Information Log Message | Information |
EVID 534: Export DNSSEC | Sub Rule | General Information Log Message | Information |
EVID 535: Import DNSSEC | Sub Rule | General Information Log Message | Information |
EVID 536: Cache Purge | Sub Rule | Cache Information | Information |
EVID 537: Forwarder Reset | Sub Rule | General Information Log Message | Information |
EVID 540: Root Hints | Sub Rule | General Information Log Message | Information |
EVID 541: Server Setting | Sub Rule | Server Must Process Message | Information |
EVID 542: Server Scope Create | Sub Rule | Object Created | Access Success |
EVID 543: Server Scope Delete | Sub Rule | Object Deleted/Removed | Access Success |
EVID 544: Add Trust Point DNSKEY | Sub Rule | General Information Log Message | Information |
EVID 545: Add Trust Point DS | Sub Rule | Domain Trust Information | Information |
EVID 546: Remove Trust Point | Sub Rule | Domain Trust Information | Information |
EVID 547: Add Trust Point Root | Sub Rule | Domain Trust Information | Information |
EVID 548: Restart Server | Sub Rule | General Server Information | Information |
EVID 549: Clear Debug Logs | Sub Rule | General Debug Message | Information |
EVID 550: Write Dirty Zones | Sub Rule | General Information Log Message | Information |
EVID 551: Clear Statistics | Sub Rule | General Information Log Message | Information |
EVID 552: Start Scavenging | Sub Rule | Session Started | Other Audit Success |
EVID 553: Enlist Directory Partition | Sub Rule | General Information Log Message | Information |
EVID 554: Abort Scavenging | Sub Rule | General Information Log Message | Information |
EVID 555: Prepare For Demotion | Sub Rule | General Information Log Message | Information |
EVID 556: Write Root Hints | Sub Rule | General Information Log Message | Information |
EVID 557: Listen Address | Sub Rule | General Information Log Message | Information |
EVID 558: Active Refresh Trust Points | Sub Rule | General Information Log Message | Information |
EVID 559: Pause Zone | Sub Rule | General ZONE Message | Information |
EVID 560: Resume Zone | Sub Rule | General ZONE Message | Information |
EVID 561: Reload Zone | Sub Rule | General ZONE Message | Information |
EVID 562: Refresh Zone | Sub Rule | General ZONE Message | Information |
EVID 563: Expire Zone | Sub Rule | General ZONE Message | Information |
EVID 564: Update From DS | Sub Rule | Zone Update | Information |
EVID 565: Write And Notify | Sub Rule | BGP Notify Msg | Activity |
EVID 566: Force Aging | Sub Rule | General Information Log Message | Information |
EVID 567: Scavenge Servers | Sub Rule | General Information Log Message | Information |
EVID 568: Transfer Key Master | Sub Rule | General Information Log Message | Information |
EVID 569: Add SKD | Sub Rule | General Information Log Message | Information |
EVID 570: Modify SKD | Sub Rule | General Information Log Message | Information |
EVID 571: Delete SKD | Sub Rule | General Information Log Message | Information |
EVID 572: Modify SKD State | Sub Rule | General Information Log Message | Information |
EVID 573: Add Delegation | Sub Rule | General Information Log Message | Information |
EVID 574: Create Client Subnet Record | Sub Rule | Object Created | Access Success |
EVID 575: Delete Client Subnet Record | Sub Rule | Object Deleted/Removed | Access Success |
EVID 576: Update Client Subnet Record | Sub Rule | Update | Information |
EVID 577: Create Server Level Policy | Sub Rule | General Server Information | Information |
EVID 578: Create Zone Level Policy | Sub Rule | Zone Update | Information |
EVID 579: Create Forwarding Policy | Sub Rule | Policy Status | Other Audit |
EVID 580: Delete Server Level Policy | Sub Rule | General Server Information | Information |
EVID 581: Delete Zone Level Policy | Sub Rule | Zone Object Deleted | Information |
EVID 582: Delete Forwarding Policy | Sub Rule | Policy Status | Other Audit |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Provider Name | N/A | N/A | Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events; otherwise, the EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. |
EventID | <vmid> | Number | The identifier that the provider used to identify the event. |
Version | N/A | N/A | The version number of the event's definition. |
Level | <severity> | Text/String | The severity level defined in the event. |
Task | <vendorinfo> | Text/String | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. |
Opcode | N/A | N/A | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. |
Keywords | <result> | Text/String | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
TimeCreated | N/A | N/A | The time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute. |
EventRecordID | N/A | N/A | The record number assigned to the event when it was logged. |
Correlation | N/A | N/A | The activity identifiers that consumers can use to group related events together. |
Execution | N/A | N/A | Contains information about the process and thread that logged the event. |
Channel | N/A | N/A | The channel to which the event was logged. |
Computer | <dname> | Text/String | The name of the computer on which the event occurred. |
Security | <login> | Text/String | N/A |
RuleName | <policy> | Text/String | N/A |
Type | N/A | N/A | N/A |
NAME | <sname> | Text/String | N/A |
TTL | N/A | N/A | N/A |
BufferSize | N/A | N/A | N/A |
RDATA | N/A | N/A | N/A |
Zone | N/A | N/A | N/A |
ZoneScope | N/A | N/A | N/A |
Source | <sip> | IP Address | N/A |
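As an added example (not LogRhythm's or Microsoft's code), the following Python maps one Windows DNS Server audit event, in standard Windows Event XML, to the schema fields in the table above and to the sub-rule classification from the first table. The sample event, its values and the function name are constructed for illustration; unmapped Event IDs fall back to the base rule (General Audit Message / Other Audit).

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subset of the classification table: EVID -> (common event, classification).
# IDs not listed here fall back to the base rule (General Audit Message / Other Audit).
CLASSIFICATION = {
    513: ("Zone Object Deleted", "Information"),
    515: ("Object Created", "Access Success"),
    516: ("Object Deleted/Removed", "Access Success"),
}

# Constructed sample of a record-create audit event (EVID 515); all values are made up.
# Layout is standard Windows Event XML; EventData names are the Device Keys from the table.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-DNSServer"/><EventID>515</EventID>
<Version>0</Version><Level>4</Level><Task>5</Task><Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2024-01-01T00:00:00Z"/>
<Channel>Microsoft-Windows-DNSServer/Audit</Channel><Computer>dns01.example.test</Computer>
<Security UserID="S-1-5-21-0-0-0-1001"/></System>
<EventData><Data Name="Type">1</Data><Data Name="NAME">host01.example.test</Data>
<Data Name="TTL">3600</Data><Data Name="BufferSize">4</Data><Data Name="RDATA">0A000001</Data>
<Data Name="Zone">example.test</Data><Data Name="ZoneScope">Default</Data>
<Data Name="Source">192.0.2.10</Data></EventData></Event>"""


def map_dns_audit_event(xml_text):
    """Map one DNS audit event to the LogRhythm schema fields from the table above."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None:
        raise ValueError("not a Windows event: missing System element")
    sys_text = lambda tag: (system.findtext(f"e:{tag}", default="", namespaces=NS) or "").strip()
    data = {d.get("Name"): (d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)}
    security = system.find("e:Security", NS)
    evid = int(sys_text("EventID"))
    common_event, classification = CLASSIFICATION.get(evid, ("General Audit Message", "Other Audit"))
    return {
        "vmid": evid,                      # EventID
        "severity": sys_text("Level"),     # Level
        "vendorinfo": sys_text("Task"),    # Task
        "result": sys_text("Keywords"),    # Keywords
        "dname": sys_text("Computer"),     # Computer
        "login": security.get("UserID", "") if security is not None else "",  # Security
        "policy": data.get("RuleName", ""),  # RuleName (absent in this sample)
        "sname": data.get("NAME", ""),     # NAME
        "sip": data.get("Source", ""),     # Source
        "common_event": common_event,
        "classification": classification,
    }
```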