File Logging Information Messages
Vendor Documentation
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| N/A | <severity> | N/A |
| Header (logVer) | N/A | N/A |
| Header (vendor) | N/A | N/A |
| Header (pname) | N/A | N/A |
| Header (pver) | <version> | N/A |
| Header (eventid) | <vendorinfo> | <vmid> |
| Header (eventName) | <threatname> | <threatname> |
| Header (severity) | <severity> | <severity> |
| deviceExternalId | N/A | N/A |
| rt | N/A | N/A |
| cnt | N/A | <quantity> |
| dhost | <dname> | <dname> |
| duser | N/A | <account> |
| act | <action> | <action> |
| cn1Label | N/A | N/A |
| cn1 | N/A | N/A |
| cn2Label | N/A | N/A |
| cn2 | N/A | N/A |
| cs1Label | N/A | N/A |
| cs1 | <policy> | N/A |
| cs2Label | N/A | N/A |
| cs2 | N/A | N/A |
| cs3Label | N/A | N/A |
| cs3 | N/A | <version> |
| cs4Label | N/A | N/A |
| cs4 | <reason> | N/A |
| cs5Label | N/A | N/A |
| cs5 | N/A | <result> |
| cs6Label | N/A | N/A |
| cs6 | N/A | N/A |
| cat | <processid> | N/A |
| dvchost | <sname> | N/A |
| cn3Label | N/A | N/A |
| cn3 | N/A | N/A |
| fname | <object> | <object> |
| filePath | <parentprocesspath> | N/A |
| msg | N/A | <subject> |
| shost | N/A | <sname> |
| suser | N/A | <login> |
| dst | <dip> | <dip> |
| c6a3Label | N/A | N/A |
| c6a3 | N/A | N/A |
| fileHash | <hash> | <hash> |
| deviceFacility | N/A | N/A |
| reason | N/A | <reason> |
| deviceNtDomain | N/A | N/A |
| dntdom | N/A | N/A |
| ApexCentralHost | N/A | N/A |
| devicePayloadId | N/A | N/A |
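As an added example (not LogRhythm's own parser or part of the vendor documentation), the following Python splits a CEF record into the header and extension fields named in the table and applies the LogRhythm Default v2.0 column, so a detection engineer can check what metadata a given record will yield; the sample record and every value in it are constructed for the example.

```python
import re
# CEF header fields in order; the table above lists them as "Header (...)".
HEADER_NAMES = ["logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity"]

# LogRhythm Default v2.0 column of the field table (CEF field -> LogRhythm field);
# fields the table marks N/A for v2.0 (the *Label fields, rt, cs1, cat, ...) are absent.
V2_MAP = {
    "eventid": "vmid", "eventName": "threatname", "severity": "severity",
    "cnt": "quantity", "dhost": "dname", "duser": "account", "act": "action",
    "cs3": "version", "cs5": "result", "fname": "object", "msg": "subject",
    "shost": "sname", "suser": "login", "dst": "dip", "fileHash": "hash",
    "reason": "reason",
}

_HEADER_PIPE = re.compile(r"(?<!\\)\|")             # '|' not escaped as '\|'
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # 'key=' at start or after whitespace
_ESCAPES = {"|": "|", "=": "=", "\\": "\\", "n": "\n", "r": "\r"}

def _unescape(value: str) -> str:
    # Undo CEF backslash escapes; unknown sequences are left untouched.
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(0)), value)

def parse_cef(line: str) -> dict:
    # Split a record into its 7 header fields plus the extension key/value pairs.
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _HEADER_PIPE.split(line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("expected 7 pipe-delimited header fields and an extension")
    fields = {name: _unescape(raw) for name, raw in zip(HEADER_NAMES, parts[:7])}
    ext, keys = parts[7], list(_EXT_KEY.finditer(parts[7]))
    for i, m in enumerate(keys):  # a value runs until the next 'key=' token
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields

def to_logrhythm_v2(fields: dict) -> dict:
    # Apply the v2.0 mapping; CEF fields without a v2.0 target are dropped.
    return {V2_MAP[k]: v for k, v in fields.items() if k in V2_MAP}

# Constructed sample record: every value is invented for this example.
SAMPLE = (
    "CEF:0|Trend Micro|Apex Central|2019|100|Eicar_test_file|3|"
    "deviceExternalId=1 rt=Jan 01 2024 12:00:00 GMT+00:00 cnt=1 dhost=WS-LAB-01 "
    "duser=lab-user1 act=File cleaned cs3Label=Engine Version cs3=21.0.1001 "
    "cs5Label=Second Action cs5=Success fname=eicar.com msg=Result\\=cleaned "
    "shost=APEX-SRV-01 suser=admin dst=10.0.0.5 fileHash=0123456789abcdef0123456789abcdef01234567 reason=Virus"
)

def parse_sample() -> dict:
    return to_logrhythm_v2(parse_cef(SAMPLE))
```

Multi-word values such as `act=File cleaned` and the escaped `\=` in `msg` are handled the way the CEF extension format requires; label fields like `cs3Label` are dropped because the v2.0 column parses nothing from them.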
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|---|
| 1010817 | File Logging Information Messages | Base Rule | Information | General Logging Information |
| | File Cleaned Messages | Sub Rule | Access Success | Log Cleared |
| | File Quarantined Messages | Sub Rule | Information | Primary Action - Quarantine File |
| | Unable To Quarantine Messages | Sub Rule | Error | Quarantine Error |
| | Encrypted Messages | Sub Rule | Activity | Encrypted Files Detected |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|---|
| 1012156 | V 2.0 : Virus/Malware Logs | Base Rule | Malware | Detected Malware Activity |
| | V 2.0 : Virus/Malware : Unknown | Sub Rule | Other Security | General Security |
| | V 2.0 : Virus/Malware : Not Applicable | Sub Rule | Other Security | General Security |
| | V 2.0 : Virus/Malware : File Cleaned | Sub Rule | Failed Malware | Failed Malware Activity |
| | V 2.0 : Virus/Malware : File Deleted | Sub Rule | Failed Malware | Failed Malware Activity |
| | V 2.0 : Virus/Malware : File Quarantined | Sub Rule | Activity | Quarantine |
| | V 2.0 : Virus/Malware : File Renamed | Sub Rule | Malware | Detected Malware Activity |
| | V 2.0 : Virus/Malware : File Passed | Sub Rule | Malware | Detected Malware Activity |
| | V 2.0 : Virus/Malware:Unable To Clean File, Passed | Sub Rule | Malware | Detected Malware Activity |
| | V 2.0 : Virus/Malware:Unable To Clean File,Deleted | Sub Rule | Failed Malware | Failed Malware Activity |
| | V 2.0 : Virus/Malware:Unable To Clean File,Renamed | Sub Rule | Malware | Detected Malware Activity |
| | V 2.0 : Virus/MW:Unable To Clean File, Quarantined | Sub Rule | Activity | Quarantine |
| | V 2.0 :Virus/Malware:Unable To Clean File,Stripped | Sub Rule | Failed Malware | Failed Malware Activity |
| | V 2.0 : Virus/Malware : File Replaced | Sub Rule | Failed Malware | Failed Malware Activity |
| | V 2.0 : Virus/Malware : File Dropped | Sub Rule | Failed Malware | Failed Malware Activity |
| | V 2.0 : Virus/Malware : File Archived | Sub Rule | Malware | Detected Malware Activity |
| | V 2.0 : Virus/Malware : Blocked Successfully | Sub Rule | Failed Malware | Failed Malware Activity |
| | V 2.0 : Virus/Malware : Quarantined Successfully | Sub Rule | Activity | Quarantine |
| | V 2.0 : Virus/Malware : Stamped Successfully | Sub Rule | Malware | Detected Malware Activity |
| | V 2.0 : Virus/Malware : File Uploaded | Sub Rule | Malware | Detected Malware Activity |
| | V 2.0 : Virus/Malware : Access Denied | Sub Rule | Malware | Detected Malware Activity |
| | V 2.0 : Virus/Malware : No Action | Sub Rule | Malware | Detected Malware Activity |
| | V 2.0 : Virus/Malware : Scan Stopped | Sub Rule | Information | Scan Stopped |
| | V 2.0 : Virus/Malware : Encrypted | Sub Rule | Activity | Encrypted Files Detected |
| | V 2.0 : Virus/Malware : Undefined | Sub Rule | Activity | General Activity |
| | V 2.0 : Virus/Malware : System Rebooted | Sub Rule | Startup and Shutdown | System Restarted |
| | V 2.0 : Virus/Malware : Action Failed | Sub Rule | Activity | General Activity |
| | V 2.0 : Virus/Malware : Action Required | Sub Rule | Activity | General Activity |