HTTP Connection Events
Vendor Documentation
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| HTTP Connection Events | Base Rule | Information | |
| Packet Forwarded | Sub Rule | Information | Forwarding Data |
| Packet Dropped | Sub Rule | Warning | Request Dropped |
| Management Packet | Sub Rule | Information | Management Pack Received |
| No Packet Associated | Sub Rule | Information | General Information Log Message |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhthm Schema | Data Type | Schema Description |
|---|---|---|---|
| id | N/A | N/A | N/A |
| sn | <serialnumber> | Number | Indicates the device serial number |
| time | N/A | N/A | Reports the time of event |
| fw | N/A | N/A | Indicates the WAN IP Address |
| pri | <severity> | Number | Displays the event priority level (0=emergency, 7=debug) |
| c | <vmid> | Number | Indicates the legacy category number (Note: SonicOS/X does not currently send new category information) |
| gcat | N/A | N/A | Display event group category when using Enhanced Syslog |
| m | N/A | N/A | Provides the message ID number |
| srcMac | <smac> | Text/String | Source MAC Address |
| src | <sip> <sport> <sinterface> | IP Address Number Text/String | Indicates the source IP address, and optionally, port, network interface, and resolved name |
| srcZone | N/A | N/A | Displays source zone |
| dstMac | <dmac> | Text/String | Destination MAC Address |
| dst | <dip> <dport> <dinterface> | IP Address Number Text/String | Destination IP address, and optionally, port, network interface, and resolved name |
| dstZone | N/A | N/A | Displays destination zone |
| usr | <login> | Text/String | Displays the user name (“user” is the tag used by WebTrends) |
| proto | <protname> | Text/String | Displays the protocol information (rendered as “proto=[protocol]” or just “[proto]/[service]”) |
| sent | <bytesout> | Number | Displays the number of bytes sent within connection |
| rcvd | <bytesin> | Number | Indicates the number of bytes received within connection |
| spkt | <packetsout> | Number | Display the number of packets sent |
| rpkt | <packetsin> | Number | Display the number of packet received |
| cdur | <duration> | Number | Displays the connection duration in milliseconds (ms) and only applies to m=537 “Connection Closed” Syslog |
| rule | <policy> | Text/String | Used to identify a policy or a rule associated with an event |
| app | <object> | Number | Indicates the application for the applied Syslog. Only displays when Flow Reporting is enabled |
| appName | <objectname> | Text/String | Indicates the non-signature Application Name that matches the Application ID “app” or “f” of the Syslog; Only displays when Flow Reporting is enabled |
| msg | <vendorinfo> | Text/String | Displays the message which is composed of either or both a predefined message and a dynamic message containing a string %s or numeric %d argument |
| n | <quantity> | Number | Indicates the number of times event occurs |
| fw_action | <action> <tag1> | Text/String | The explicit action performed on network traffic (packets) encountered by the firewall based on built-in or user-configured policies that may allow or drop packets. Possible values are:
|
| dpi | N/A | N/A | Indicates that a flow underwent inspection by Deep Packet Inspection. Possible values for dpi are:
|