
Guardium CEF Log Messages

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Guardium CEF Log Messages | Base Rule | General Alert Log Message | Activity |
| User Activity Log Message | Sub Rule | General User Activity Monitor Event | Other Audit |
| Cross-Site Scripting Log Message | Sub Rule | Cross-Site Scripting | Attack |
| Authorized Admin Users Log Message | Sub Rule | General Admin Alert | Critical |
| SQL Injection Log Message | Sub Rule | SQL Injection | Attack |
| Unauthorized Client Log Message | Sub Rule | Unauthorized Activity | Misuse |
| Database Configuration And Schema Log Message | Sub Rule | Configuration Changed | Error |
| DML Command Log Message | Sub Rule | Command Executed | Access Success |
| Failed Login Log Message | Sub Rule | User Logon Failure | Authentication Failure |
| OS Command Injection Log Message | Sub Rule | OS Information | Information |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | CEF Version |
| N/A | N/A | N/A | Device Vendor |
| N/A | <vendorinfo> | Text/String | Device Product |
| N/A | N/A | N/A | Device Version |
| N/A | <processid> | Number | Report/Rule ID |
| N/A | <process>, <tag1> | Text/String | Report/Rule Title |
| N/A | N/A | N/A | Severity |
| rt | N/A | N/A | %%receiptTimeMills |
| cs1 | <severity> | Text/String | %%severity |
| cs1Label | N/A | N/A | Severity |
| cs2 | <objecttype> | Text/String | %%serverType |
| cs2Label | N/A | N/A | Server Type |
| cs3 | <reason> | Text/String | %%classification |
| cs3Label | N/A | N/A | Classification |
| cat | N/A | N/A | %%category |
| app | N/A | N/A | %%DBProtocol |
| cs4 | <version> | Text/String | %%DBProtocolVersion |
| cs4Label | N/A | N/A | DB Protocol Version |
| suser | <sname> | Text/String | %%AppUserName |
| sproc | <parentprocesspath> | Text/String | %%SourceProgram |
| act | <object> | Text/String | %%requestType |
| start | N/A | N/A | %%sessionStartMills |
| externalId | N/A | N/A | %%violationID |
| duser | <dname> | Text/String | %%DBUser |
| dst | <dip> | IP Address | %%serverIP |
| dpt | <dport> | Number | %%serverPort |
| src | <sip> | IP Address | %%clientIP |
| spt | <sport> | Number | %%clientPort |
| proto | <protname> | Text/String | %%netProtocol |
| msg | <subject> | Text/String | %%SQLString |
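
To check the mapping above against a captured log line, the following added example (not LogRhythm or IBM code) parses a CEF record and returns only the fields the table assigns to a LogRhythm schema tag. It assumes the standard seven-field CEF header order; the function names and the sample line, including its vendor, product, version and rule values, are constructed for illustration.

```python
import re

# Header positions per the table: 0 CEF Version, 1 Device Vendor, 2 Device Product,
# 3 Device Version, 4 Report/Rule ID, 5 Report/Rule Title, 6 Severity.
HEADER_MAP = {2: ["vendorinfo"], 4: ["processid"], 5: ["process", "tag1"]}
# Extension keys that have a schema field in the table; keys mapped to N/A are dropped.
EXT_MAP = {
    "cs1": "severity", "cs2": "objecttype", "cs3": "reason", "cs4": "version",
    "suser": "sname", "sproc": "parentprocesspath", "act": "object",
    "duser": "dname", "dst": "dip", "dpt": "dport", "src": "sip",
    "spt": "sport", "proto": "protname", "msg": "subject",
}
NUMERIC = {"processid", "dport", "sport"}  # "Number" in the Data Type column

FIELD = r"((?:[^\\|]|\\.)*)\|"  # one header field, honouring backslash escapes
HEADER_RE = re.compile(r"CEF:" + FIELD * 7 + r"(.*)$")
# key=value pairs: a value runs until the next " key=" and may hold spaces or escaped "="
EXT_RE = re.compile(r"(\w+)=((?:[^\\=]|\\.)*?)(?=\s+\w+=|\s*$)")

def unescape(s):
    """Undo CEF backslash escapes for pipe, equals, backslash, n and r."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)

def to_schema(line):
    """Return {schema_tag: value} for one CEF line, following the mapping table."""
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError("not a complete CEF record")
    out = {}
    for pos, tags in HEADER_MAP.items():
        for tag in tags:
            out[tag] = unescape(m.group(pos + 1))
    for kv in EXT_RE.finditer(m.group(8)):
        tag = EXT_MAP.get(kv.group(1))
        if tag:
            out[tag] = unescape(kv.group(2))
    for tag in NUMERIC.intersection(out):
        out[tag] = int(out[tag])  # raises ValueError on a non-numeric ID or port
    return out

# Constructed sample record, not taken from a real appliance.
SAMPLE = (r"<134>Jan 01 00:00:00 host CEF:0|IBM|Guardium|10.0|20|SQL Injection|5|"
          r"rt=1700000000000 cs1=HIGH cs1Label=Severity cs2=ORACLE cs2Label=Server Type "
          r"suser=appuser duser=SCOTT dst=192.0.2.10 dpt=1521 src=198.51.100.7 spt=50321 "
          r"proto=TCP act=SELECT msg=select * from emp where id\=1 or 1\=1")

if __name__ == "__main__":
    print(to_schema(SAMPLE))
```

Because `msg` carries `%%SQLString`, the escaped `=` characters must be unescaped before the value is stored as `<subject>`; otherwise SQL text in alerts will not match searches written against the original statement.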
