LSO FortiAnalyzer - Event : System
Vendor Documentation
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
Header: Severity | <severity> | N/A |
devname | <objecttype> | N/A |
log_id | <vmid> | N/A |
subtype | <object> | N/A |
logdesc | <vendorinfo> | N/A |
sn | <serialnumber> | N/A |
user | <login> | N/A |
method | <sessiontype> | N/A |
srcip | <sip> | N/A |
dstip | <dip> | N/A |
action | <action> | N/A |
status | <status> | N/A |
reason | <reason> | N/A |
msg | <subject> | N/A |
ui | <sip> | N/A |
cfg_tid | <processid> | N/A |
cfg_path | <process> | N/A |
cfg_obj | <objectname> | N/A |
cfg_attr | <result> | N/A |
src_int | <sinterface> | N/A |
dst_int | <dinterface> | N/A |
srcport | <sport> | N/A |
dstport | <dport> | N/A |
proto | <protnum> | N/A |
group | <account> | N/A |
version | <version> | N/A |
banned_rule | <threatname> | N/A |
sensor | <policy> | N/A |
interface | <sinterface> | N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
1013090 | Event : System | Base Rule | General Event Log Information | Information |
Event Mail Sent Fail | Sub Rule | General Failed Activity | Failed Activity | |
Event Reportd Report Success | Sub Rule | Report Generation | Information | |
Event Reportd Report Success | Sub Rule | Report Deleted | Information | |
Event Session Clash | Sub Rule | Possible Address Conflict | Information | |
Event VWL Volume Status | Sub Rule | VLAN Manager Info Msg | Information | |
Event DHCP Ack | Sub Rule | DHCP ACK | Network Traffic | |
Event DHCP Stat | Sub Rule | General DHCPServer Information | Information | |
Event DHCP Client Lease | Sub Rule | DHCP Lease Obtained | Information | |
Event Auth Snmp Query Failed | Sub Rule | Error : SNMP_GET_ERROR1 | Error | |
Event Admin Login Succ | Sub Rule | Authentication Activity | Authentication Success | |
Event Admin Login Fail | Sub Rule | Authentication Failure Activity | Authentication Failure | |
Event Admin Login Logout | Sub Rule | Logout Request | Information | |
Event Log Roll | Sub Rule | General Disk Information | Information | |
Event Admin Login Disable | Sub Rule | Account Disabled | Access Revoked | |
Event Log Del Dir | Sub Rule | Object Deleted/Removed | Access Success | |
Event Log Del File | Sub Rule | Object Deleted/Removed | Access Success | |
Event Log Roll Forticron | Sub Rule | Rotation Information | Information | |
Event Report Deleted | Sub Rule | Object Deleted/Removed | Access Success | |
Event Report Deleted GUI | Sub Rule | Object Deleted/Removed | Access Success | |
Event Backup Conf By Scp | Sub Rule | Backup Completed | Information | |
Event Conf Chg | Sub Rule | Configuration Modified : System | Configuration | |
Event Sys Perf | Sub Rule | General Performance Statistics | Information | |
Event Upd Fgt Succ | Sub Rule | Operation Succeeded | Information | |
Event Upd Fsa Virdb | Sub Rule | Database Update Event | Information | |
Event Nac Quarantine | Sub Rule | Quarantine | Activity | |
Event Delete Object | Sub Rule | Object Deleted/Removed | Access Success | |
Event Config Attr | Sub Rule | Object Added | Access Success | |
Event Add Object Attribute | Sub Rule | Object Added | Access Success | |
Event DSSCC Exec | Sub Rule | General Policy Compliance Information | Other Audit | |
Event Ext Remote | Sub Rule | General Remote Access Information | Information |
LogRhythm Default v2.0
N/A