Vendor Documentation
Classification
|
Rule Name |
Rule Type |
Classification |
Common Event |
|---|---|---|---|
|
HTTP Connection Events |
Base Rule |
Information |
General HTTP Information |
|
Packet Forwarded |
Sub Rule |
Information |
Forwarding Data |
|
Packet Dropped |
Sub Rule |
Warning |
Request Dropped |
|
Management Packet |
Sub Rule |
Information |
Management Pack Received |
|
No Packet Associated |
Sub Rule |
Information |
General Information Log Message |
Mapping with LogRhythm Schema
|
Device Key in Log Message |
LogRhthm Schema |
Data Type |
Schema Description |
|---|---|---|---|
|
id |
N/A |
N/A |
N/A |
|
sn |
<serialnumber> |
Number |
Indicates the device serial number |
|
time |
N/A |
N/A |
Reports the time of event |
|
fw |
N/A |
N/A |
Indicates the WAN IP Address |
|
pri |
<severity> |
Number |
Displays the event priority level (0=emergency, 7=debug) |
|
c |
<vmid> |
Number |
Indicates the legacy category number (Note: SonicOS/X does not currently send new category information) |
|
gcat |
N/A |
N/A |
Display event group category when using Enhanced Syslog |
|
m |
N/A |
N/A |
Provides the message ID number |
|
srcMac |
<smac> |
Text/String |
Source MAC Address |
|
src |
<sip>
|
IP Address
|
Indicates the source IP address, and optionally, port, network interface, and resolved name |
|
srcZone |
N/A |
N/A |
Displays source zone |
|
dstMac |
<dmac> |
Text/String |
Destination MAC Address |
|
dst |
<dip>
|
IP Address
|
Destination IP address, and optionally, port, network interface, and resolved name |
|
dstZone |
N/A |
N/A |
Displays destination zone |
|
usr |
<login> |
Text/String |
Displays the user name (“user” is the tag used by WebTrends) |
|
proto |
<protname> |
Text/String |
Displays the protocol information (rendered as “proto=[protocol]” or just “[proto]/[service]”) |
|
sent |
<bytesout> |
Number |
Displays the number of bytes sent within connection |
|
rcvd |
<bytesin> |
Number |
Indicates the number of bytes received within connection |
|
spkt |
<packetsout> |
Number |
Display the number of packets sent |
|
rpkt |
<packetsin> |
Number |
Display the number of packet received |
|
cdur |
<duration> |
Number |
Displays the connection duration in milliseconds (ms) and only applies to m=537 “Connection Closed” Syslog |
|
rule |
<policy> |
Text/String |
Used to identify a policy or a rule associated with an event |
|
app |
<object> |
Number |
Indicates the application for the applied Syslog. Only displays when Flow Reporting is enabled |
|
appName |
<objectname> |
Text/String |
Indicates the non-signature Application Name that matches the Application ID “app” or “f” of the Syslog; Only displays when Flow Reporting is enabled |
|
msg |
<vendorinfo> |
Text/String |
Displays the message which is composed of either or both a predefined message and a dynamic message containing a string %s or numeric %d argument |
|
n |
<quantity> |
Number |
Indicates the number of times event occurs |
|
fw_action |
<action>
|
Text/String |
The explicit action performed on network traffic (packets) encountered by the firewall based on built-in or user-configured policies that may allow or drop packets. Possible values are:
|
|
dpi |
N/A |
N/A |
Indicates that a flow underwent inspection by Deep Packet Inspection. Possible values for dpi are:
|