Vendor Documentation
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Event : VPN | Base Rule | Network Traffic | General VPN Traffic Event |
| VPN Event SSL VPN User SSL Login Fail | Sub Rule | Authentication Failure | Connection Authentication Failed |
| VPN Event SSL VPN Session Tunnel Stats | Sub Rule | Information | VPN Session Information |
| VPN Neg I P1 Error | Sub Rule | Error | General IPSec Error |
| VPN Conn Stats | Sub Rule | Information | General IPSec Information |
| VPN Event VPN Cert Regen | Sub Rule | Activity | Certificate Renewal Request |
| VPN Event SSL VPN User Tunnel DOWN | Sub Rule | Other Audit Success | VPN Connection Closed |
| VPN Event SSL VPN Session New Con | Sub Rule | Network Traffic | VPN Session Started |
| VPN Event SSL VPN Session Tunnel Up | Sub Rule | Network Traffic | VPN Session Started |
| VPN Event SSL VPN Session Tunnel Down | Sub Rule | Network Traffic | VPN Session Terminated |
| VPN Neg Generic P2 Notif IKEV2 | Sub Rule | Network Traffic | IPSec Negotiation |
| VPN Neg I P1 Error IKEV2 | Sub Rule | Error | IPSec Negotiation Error |
| VPN Neg Progress P1 Notif IKEV2 | Sub Rule | Information | IPSec Information Message |
| VPN Neg Progress P2 Notif IKEV2 | Sub Rule | Information | IPSec Information Message |
| VPN Conn Stats IKEV2 | Sub Rule | Information | IPSec Information Message |
| VPN Install SA IKEV2 | Sub Rule | Information | Installed IPSec Security Association |
| VPN Neg Progress P1 Error | Sub Rule | Error | IPSec Progress Error |
| VPN Neg Progress P2 Error | Sub Rule | Error | IPSec Progress Error |
| VPN Neg Progress P1 Error IKEV2 | Sub Rule | Error | IPSec Progress Error |
| VPN Event SSL VPN Session Cert Ok | Sub Rule | Information | Certificate Valid |
| VPN Event SSL VPN User Tunnel UP | Sub Rule | Other Audit Success | VPN Session Started |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| severity | `<severity>` | Text/String | severity |
| logid | `<vmid>` `<tag1>` | Number | N/A |
| logdesc | `<status>` | Text/String | N/A |
| action | `<action>` | Text/String | N/A |
| tunnelid | `<session>` | Text/String/Number | N/A |
| remip | `<sip>` | IP Address | N/A |
| user | N/A | Text/String | N/A |
| group | `<group>` | Text/String | N/A |
| dst_host | `<dname>` | Text/String | N/A |
| reason | `<reason>` | Text/String | N/A |
| duration | `<seconds>` | Number | N/A |
| sentbyte | `<bytesout>` | Number | N/A |
| rcvdbyte | `<bytesin>` | Number | N/A |
| msg | `<subject>` | Text/String | N/A |
| locip | `<dip>` | IP Address | IP Address |
| remport | `<sport>` | Number | N/A |
| locport | `<dport>` | Number | N/A |
| outintf | `<sinterface>` | Text/String/Number | N/A |
| result | `<result>` | Text/String | N/A |