Log Source Optimization
This guide describes LogRhythm's Log Source Optimization (LSO) project, which delivers an updated mapping schema for log sources in LogRhythm through new Message Processing Engine (MPE) rules. It covers how to enable and disable the new log source policies and MPE rules in your LogRhythm deployment, how to make the log processing policy changes required to get the benefits of LSO, and, for each supported log source, how log fields are parsed by common event.
LSO currently supports the log source types listed below; their individual pages are identified by "(Mapping Doc)" at the end of the page title.
To implement LSO, you must use one of these log source types and apply the LogRhythm Default v2.0 log processing policy.
LSO: Syslog - Check Point Log Exporter (Mapping Doc)
- Anti-Malware
- Application Control
- Application Control URL Filtering 1
- Connectra Logs 1
- Content Awareness Events
- Data Loss Prevention 2
- Forensics Events
- HTTPS Inspection 1
- Identity Awareness 1
- Identity Logging 1
- Log Update
- MTA Events
- New Anti-Virus
- SmartDefense
- Syslog Message
- Threat Emulation 1
- Threat Extraction Events
- URL Filtering
- WEB_API
LSO : Syslog - Cisco ISE (Mapping Doc)
- Accounting Messages
- AD-Connector Messages
- Administrative And Operational Audit
- Advanced License Problems
- Alarm Information
- Anomalous Behavior Detected
- Catch All : Level 1 (Syslog - Cisco ISE)
- Catch All: Level 2 - Passed Authentications
- Catch All: Level 3 - Passed Authentications
- Catch All: Passed Authentications
- Catch All Level 3 - CISE_Profiler
- Certificate And Authentication Messages
- CISE Failed Attempts Format 2 (Cisco ISE)
- Cisco Access Success
- Cisco AuthType
- Cisco UPDOWN Message 1
- CISE_Authentication_Flow_Diagnostics
- CISE_Posture_and_Client_Provisioning_Audit - 2
- CISE Posture And Client Provisioning Audit
- Data Purge Audit
- Data Purging Operations
- Devices Successfully Registered
- DOT1X FAIL
- EAP Authentication Information
- EAP Connection Timeout
- EPM POLICY
- Failed Attempts
- Failed Attempts Access Reject Message
- Failed Attempts Deny Access Message
- Failed Attempts Format : 1
- Failed Attempts IPSEC
- Guest Message
- High Load Average
- Identity Stores Diagnostics
- Radius Accounting Start-Stop Request
- Last Message Repeated (Syslog - Cisco ISE)
- Log Session Messages
- MDM Server Connection Failure
- Messages Not Received
- Misc Messages (Syslog - Cisco ISE)
- Monitoring Data Purge Audit
- Passed Authentication Group Information
- Passed Authentications
- Posture Check
- RADIUS Accounting
- RADIUS Authentication Request Dropped
- Radius Authorization Policy Messages
- RADIUS Diagnostics
- SSL Error
- System Statistics (Syslog - Cisco ISE)
- TACACS+ Accounting
- TACACS Diagnostics
- TIME SHIFT DETECTED
LSO : Syslog - Cisco Meraki (Mapping Doc)
- Carrier Change Event
- Catch All : Level 1 9
- Cisco AnyConnect VPN Event
- Events
- File Scanned (Part-1)
- File Scanned (Part-2)
- Firewall Messages 1
- Flow Messages (Part-1)
- Flow Messages (Part-2)
- General Event Messages (Part-1)
- General Event Messages (Part-2)
- Intrusion Detection Messages
- Last Message Repeated 2
- Random Event Messages (Part-1)
- Random Event Messages (Part-2)
- Security Event
- Site-To-Site VPN Event
- Sniffer Rule Event
- Switch Port Messages (Part-1)
- Switch Port Messages (Part-2)
- URL Messages
LSO: Syslog - Cylance (Mapping Doc)
- Add Device to Zone (Audit Event)
- Add Device to Zone (Device Event)
- Application Control Messages
- Catch All : Level 1 11
- Catch All : Level 2
- CylanceOPTICS : File Events
- CylanceOPTICS : Memory Events
- CylanceOPTICS : Network Events
- CylanceOPTICS : Process Events
- CylanceOPTICS : Registry Events
- Device Edit
- Device Policy Assigned
- Device Policy Changed
- Device Registration
- Device Removed
- Exploit Attempt
- Global Threat Quarantine
- Last Message Repeated 10
- Policy Edit
- Scan Messages
- Script Control Messages
- System Security Messages
- Test Connection Message
- Threat Classification Messages
- Threat Data Report Download
- Threat Messages 1
- Threat Safe List
- USB Device Blocked
- User Added
- User Login
- User Removed
- Zone Edit
- Zone Rule Edit
LSO : Syslog - FireEye MPS (Mapping Doc)
- Action Log Messages
- Application Process Information
- Archiver Messages
- AUTO-INIT Process Information
- AVC Process SIGCHLD
- AVC PVNA CC Info
- AVC SIGCHLD : Process Exited
- AVC Statistics
- AVC Work Order
- Behavioral Analysis Logic Engine Message
- Catch All: Level 1
- Central Management Console Message
- CMS/MPS Messages - Ips-Event
- CMS Messages - Deprecated
- CMS Messages - Domain Match
- CMS Messages - Infection Match
- CMS Messages - Malware Callback
- CMS Messages - Malware Object
- CMS Messages - Riskware Object
- CMS Messages - Web Infection
- Command Line Interface Message
- Configuration/Enable Mode
- Curl Messages
- ETP Messages
- FENET Messages
- File Network Information
- General Thread Information
- Graveyard Sweep Message
- HX Messages
- Initialized Service
- KERNEL Messages
- Last Message Repeated 6
- Licensing Messages
- Linux Process Messages
- Linux Superuser Messages
- Loaded Configs
- Malicious Email
- Malware Object Information
- Management Config Change
- Management Messages
- MCE Error Message
- MPS Malware Activity - Depreciated
- MPS Messages
- Network HTTPD Activity
- Notify Message
- RGP Job Information
- SC-Upload Messages
- Taskernode Information
- Threat Messages
- VMMD Process Information
- VXE Messages
LSO : Syslog - Fortinet FortiAnalyzer (Mapping Doc)
- LSO FortiAnalyzer - Anomaly : Anomaly
- LSO FortiAnalyzer - Attack : Webattack Messages
- LSO FortiAnalyzer - Attack Message
- LSO FortiAnalyzer - Catch All
- LSO FortiAnalyzer - Catch All : Level 3
- LSO FortiAnalyzer - CFG : Object Change Messages
- LSO FortiAnalyzer - DNS : Messages
- LSO FortiAnalyzer - Event : Compliance
- LSO FortiAnalyzer - Event : Connector
- LSO FortiAnalyzer - Event : DVM
- LSO FortiAnalyzer - Event : Endpoint
- LSO FortiAnalyzer - Event : General Information
- LSO FortiAnalyzer - Event : HA
- LSO FortiAnalyzer - Event : Link
- LSO FortiAnalyzer - Event : LogDB
- LSO FortiAnalyzer - Event : LogDev
- LSO FortiAnalyzer - Event : LogFile
- LSO FortiAnalyzer - Event : Logging
- LSO FortiAnalyzer - Event : Router
- LSO FortiAnalyzer - Event : Security Rating
- LSO FortiAnalyzer - Event : SMTP
- LSO FortiAnalyzer - Event : Spanning Tree
- LSO FortiAnalyzer - Event : System
- LSO FortiAnalyzer - Event : User
- LSO FortiAnalyzer - Event : VPN
- LSO FortiAnalyzer - Event : Wad
- LSO FortiAnalyzer - Event : Wireless
- LSO FortiAnalyzer - General Process Messages
- LSO FortiAnalyzer - KEvent : Update
- LSO FortiAnalyzer - Spam : Default
- LSO FortiAnalyzer - Statistics
- LSO FortiAnalyzer - Traffic : Forward
- LSO FortiAnalyzer - Traffic : Https/Http Mesages
- LSO FortiAnalyzer - Traffic : Local
- LSO FortiAnalyzer - Traffic : Messages
- LSO FortiAnalyzer - Traffic : Multicast
- LSO FortiAnalyzer - Traffic : Sniffer
- LSO FortiAnalyzer - Traffic : System
- LSO FortiAnalyzer - Traffic/UTM Messages
- LSO FortiAnalyzer - UTM : App
- LSO FortiAnalyzer - UTM : DLP
- LSO FortiAnalyzer - UTM : IPS
- LSO FortiAnalyzer - UTM : Virus
- LSO FortiAnalyzer - UTM : WebFilter
- LSO FortiAnalyzer - UTM : WAF
- LSO FortiAnalyzer - UTM : Voip
- LSO FortiAnalyzer - Virus : Fortisandbox
- LSO FortiAnalyzer - Virus : Infected
- LSO FortiAnalyzer - Virus : Malware - Outbreak
LSO : Syslog - Fortinet FortiGate (Mapping Doc)
- LSO FortiGate - Anomaly : Anomaly
- LSO FortiGate - Catch All : Level 1
- LSO FortiGate - Catch All : Level 3
- LSO FortiGate - DNS : Messages
- LSO FortiGate - Event : Compliance
- LSO FortiGate - Event : Connector
- LSO FortiGate - Event : Endpoint
- LSO FortiGate - Event : HA
- LSO FortiGate - Event : Router
- LSO FortiGate - Event : Router : Gateway Logs
- LSO FortiGate - Event : SDWAN : SLA Information
- LSO FortiGate - Event : Security Rating
- LSO FortiGate - Event : Switch-Controller
- LSO FortiGate - Event : System
- LSO FortiGate - Event : System : Attribute Configured : NTP Info
- LSO FortiGate - Event : System : Failed Window AD Network Messages
- LSO FortiGate - Event : System : VMID 32002 Admin Login Failed
- LSO FortiGate - Event : User
- LSO FortiGate - Event : VPN
- LSO FortiGate - Event : Wad
- LSO FortiGate - Event : Wireless
- LSO FortiGate - Traffic: Forward
- LSO FortiGate - Traffic : Local
- LSO FortiGate - Traffic : Multicast
- LSO FortiGate - Traffic: Sniffer
- LSO FortiGate - UTM : App
- LSO FortiGate - UTM : DLP
- LSO FortiGate - UTM : DNS
- LSO FortiGate - UTM : Email Filter
- LSO FortiGate - UTM : File Filter
- LSO FortiGate - UTM : IPS
- LSO FortiGate - UTM : SSH
- LSO FortiGate - UTM : SSL Messages
- LSO FortiGate - UTM : Virus
- LSO FortiGate - UTM : Voip
- LSO FortiGate - UTM : WebFilter
LSO: Syslog - LogRhythm Network Monitor (Mapping Doc)
- LSO: LogRhythm NetMon - Catch All Level 1
- LSO: LogRhythm NetMon - Flow : Format 1
- LSO: LogRhythm NetMon - Flow : Format 2
- LSO: LogRhythm NetMon - Flow : Format 3
- LSO: LogRhythm NetMon - Flow : Format 5
- LSO: LogRhythm NetMon - Flow : Format 999
- LSO: LogRhythm NetMon - Lua Alarm
- LSO: LogRhythm NetMon - Diagnostics
LSO : Flat File - Microsoft IIS W3C File (Mapping Doc)
- 404 Error Messages
- Catch All : Level 1 3
- Catch All : Level 3
- Comment Line
- Email Attachment Enumeration Messages 1
- Fan Status Information 1
- General SMTP Messages
- HTTP GET Method (GET Position - 1)
- HTTP GET Method (GET Position - 2)
- HTTP GET Method (Get Position - 5)
- HTTP Get Requests 1
- HTTP POST Method (Post Position - 1)
- HTTP POST Method (Post Position - 2)
- HTTP POST Method (Post Position - 3)
- HTTP POST Method (Post Position - 4)
- HTTP POST Method (Post Position - 5)
- HTTP Post Request 1
- HTTP Requests
- HTTP Request Status Messages
- Propfind Messages Request
- RPC Data Messages
- SMPD RCPT/MAIL Commands
- SMTP DATA Messages
- SMTP EHLO Events
- SMTP QUIT MESSAGES
- SMTPRELAY Messages
- SMTP RSET/BDAT MESSAGES
- TCP Request Denied
- Timer Connection Messages
- User Logon 1
- VERSION And BASELINE Control Information 1
- Web Server Access 1
LSO: MS Windows Event Logging XML - System (Mapping Doc)
- Catch All : Level 2 5
- Connection Status Events (Part 1)
- Connection Status Events (Part 2)
- Connection Status Events (Part 3)
- Connection Status Events (Part 4)
- DHCP Scope Full/Nearly Full
- Disk Messages (Part 1)
- Disk Messages (Part 2)
- EVID 1: System Time Changed
- EVID 1 & 6: Filter Driver Load/Unload (Part 1)
- EVID 1 & 6: Filter Driver Load/Unload (Part 2)
- EVID 11: KDC Duplicate Name
- EVID 28: Kerberos Unsuitable Key Verification
- EVID 35 & 37: Time Synchronization (Part 1)
- EVID 35 & 37: Time Synchronization (Part 2)
- EVID 56: Client Disconnected - Protocol Error
- EVID 98: Offline Chkdsk Needed For Volume
- EVID 104: Log Cleared
- EVID 109: Kernel Power Initiated Shutdown
- EVID 137: Transact. Resource Mgr Error On Volume
- EVID 156: ExtMirr Unable To Get File System Info
- EVID 219: Driver Failed To Load
- EVID 220: Resync Of Volume
- EVID 1001: Bugcheck Reboot
- EVID 1014: Name Resolution Timed Out
- EVID 1030: Failed Processing Of Group Policy
- EVID 1044: DHCP/BINL Service Authorized To Start
- EVID 1063: No IPs Available For Lease In Scope
- EVID 1067: Cannot Register SPN
- EVID 1074 & 1076: Restart/Shutdown Events (Part 1)
- EVID 1074 & 1076: Restart/Shutdown Events (Part 2)
- EVID 1085: Group Policy Extension Failure
- EVID 1111: Term Services : Unknown Printer Driver
- EVID 1151 & 1152: Dell Server Voltage Sensor Info (Part 1)
- EVID 1151 & 1152: Dell Server Voltage Sensor Info (Part 2)
- EVID 1340: DNS Registration Failed For Client
- EVID 1342: Scope Out Of IPs
- EVID 1376: DHCP Scope Nearly Exhausted
- EVID 4105: Cannot Update License Attributes
- EVID 5719: Logon Domain Controller
- EVID 5722 & 5723: NETLOGON Authentication Failure (Part 1)
- EVID 5722 & 5723: NETLOGON Authentication Failure (Part 2)
- EVID 5805: Session Setup Failed To Authenticate
- EVID 5807: Connections From Unmapped IP Addresses
- EVID 5823: System Password Changed On DC
- EVID 5840: NETLOGON: Netlogon Service
- EVID 6013: System Uptime
- EVID 7000: Service Failed To Start
- EVID 7001-7002: CEIP Notification (Part 1)
- EVID 7001-7002: CEIP Notification (Part 2)
- EVID 7001-7003: Service Start Errors
- EVID 7009 & 7011: Service Timeout
- EVID 7032: Service Recovery Failed
- EVID 7034: Service Terminated Unexpectedly
- EVID 7036: Service Status
- EVID 7038: Service Unable To Logon
- EVID 7040: Service Start Type Changed
- EVID 7042: Service Stopped Successfully
- EVID 7045: Service Installed
- EVID 8018: Failed To Register Host Records
- EVID 10009: DCOM Unable To Communicate With Comp
- EVID 10016: DCOM Access Denied
- EVID 10028: DCOM Unable To Communicate With Comp
- EVID 10154: WinRM - SPN Creation Failure
- EVID 12294: SAM Lockout Failed : Resources
- EVID 14554: Shared Folder Initialization By DfsSvc
- EVID 20250: User Connected
- EVID 20271 & 20255: Connection Prevented (Part 1)
- EVID 20271 & 20255: Connection Prevented (Part 2)
- EVID 20272: User Disconnected
- EVID 20274: IP Address Assigned To User
- EVID 20275: User Disconnected
- EVID 36867: Creating SSL Credential
- EVID 36880: Handshake Completed Successfully
- EVID 45058: Oldest Cached Logon Info Removed
- Group Policy Messages (Part 1)
- Group Policy Messages (Part 2)
- Group Policy Messages (Part 3)
- Group Policy Messages (Part 4)
- Group Policy Messages (Part 5)
- Group Policy Messages (Part 6)
- Group Policy Messages (Part 7)
- Group Policy Messages (Part 8)
- Group Policy Messages (Part 9)
- Kerberos Key Integrity Error (Part 1)
- Kerberos Key Integrity Error (Part 2)
- Kerberos Key Integrity Error (Part 3)
- Kernel EVID 16: Hive Access History Cleared
- Machine Account Vulnerable NetLogon Connections (Part 1)
- Machine Account Vulnerable NetLogon Connections (Part 2)
- Machine Account Vulnerable NetLogon Connections (Part 3)
- Microsoft Windows Bits Client Messages
- Mirror State Change
- MPIO Messages
- NTP Local And Manual (Part 1)
- NTP Local And Manual (Part 2)
- NTP Messages (Part 1)
- NTP Messages (Part 2)
- NTP Messages (Part 3)
- NTP Time Synchronization Offset
- Pattern 2: General Error Messages
- Pattern 3: General Warning Messages
- Pattern 4: General Informational Messages
- Pattern Catch All : Level 3
- RPM Session Events (Part 1)
- RPM Session Events (Part 2)
- RPM Session Events (Part 3)
- RPM Session Events (Part 4)
- Service Error (Part 1)
- Service Error (Part 2)
- Service Error (Part 3)
- Service Terminated Unexpectedly
- Shadow Copy Messages (Part 1)
- Shadow Copy Messages (Part 2)
- Storage Adapter Messages (Part 1)
- Storage Adapter Messages (Part 2)
- Storage Adapter Messages (Part 3)
- Storage Adapter Messages (Part 4)
- Storage Adapter Messages (Part 5)
- Storage Adapter Messages (Part 6)
- Storage Adapter Messages (Part 7)
- Storage Adapter Messages (Part 8)
- Storage Adapter Messages (Part 9)
- Storage Adapter Messages (Part 10)
- Storage Adapter Messages (Part 11)
- Storage Adapter Messages (Part 12)
- Storage Adapter Messages (Part 13)
- TCP/IP Network Interface Configuration (Part 1)
- TCP/IP Network Interface Configuration (Part 2)
- Trust Account Vulnerable NetLogon Connections
- Windows Update Client
LSO: Syslog - Palo Alto Firewall (Mapping Doc)
- V 2.0 Catch-all : General DHCP Messages
- V 2.0 Authentication Lockout Expired
- V 2.0 Authentication Messages
- V 2.0 Catch-all
- V 2.0 Catch-all : General Authentication Event
- V 2.0 Catch-all : System Messages
- V 2.0 Configuration Messages 1
- V 2.0 Correlated Event Messages 1
- V 2.0 Data/File/Virus/Spyware Threat Messages 1
- V 2.0 Decryption Event Messages 1
- V 2.0 Flood/Packet Threat Messages
- V 2.0 General Authentication Event 2
- V 2.0 General Authentication Event
- V 2.0 General DHCP Messages 1
- V 2.0 General DNS Signature Information
- V 2.0 General Dynamic DNS Messages
- V 2.0 General GlobalProtect Messages
- V 2.0 General HA Messages
- V 2.0 General Logical Link Discovery Protocol 1
- V 2.0 General NTPD Messages 1
- V 2.0 General Path-Based Forwarding Messages
- V 2.0 General Port Message
- V 2.0 General Remote Access Manager Messages 1
- V 2.0 General Routing Messages
- V 2.0 General SAML Message
- V 2.0 General Satellite Connection Messages 1
- V 2.0 General SSL Manager Messages
- V 2.0 General System Event
- V 2.0 General URL-Filtering System Messages
- V 2.0 General User Profile System Messages (Palo Alto Firewall)
- V 2.0 General VPN Status Messages 1
- V 2.0 General Wildfire System Messages
- V 2.0 GlobalProtect Status Messages
- V 2.0 GTP Log Messages
- V 2.0 Host Profile Messages
- V 2.0 IP Tag Messages 1
- V 2.0 Scan Threat Messages 1
- V 2.0 SCTP Messages 1
- V 2.0 Traffic Messages
- V 2.0 URL Threat Messages
- V 2.0 User ID Messages 1
- V 2.0 Vulnerability Threat Messages (Palo Alto Firewall)
- V 2.0 Wildfire Threat Messages 1
- V 2.0 Wildfire-Virus Threat Messages 1
LSO: Syslog - Symantec Endpoint Server (Mapping Doc)
- V 2.0 : Catch All : SEPM System Events 1
- V 2.0 : General SEP LiveUpdate Information 1
- V 2.0 : Inbound SEP Host Packet Events
- V 2.0 : Inbound SEP Host Traffic Events 1
- V 2.0 : Inbound SEP Malicious Activity Detected 1
- V 2.0 : Outbound SEP Host Packet Events
- V 2.0 : Outbound SEP Host Traffic Events 1
- V 2.0 : Outbound SEP Malicious Activity Detected
- V 2.0 : SEP Administrative Events 1
- V 2.0 : SEP General Agent Activity Messages
- V 2.0 : SEP General Agent System Messages
- V 2.0 : SEP General Object Access Message
- V 2.0 : SEP General Suspicious Activity Detected
- V 2.0 : SEP Logs Purged
- V 2.0 : SEP Malware Scan Information
- V 2.0 : SEP Policy Information
- V 2.0 : SEP SONAR General Susp. Activity Detected
- V 2.0 : SEP Update Information
LSO : Syslog - Tanium (Mapping Doc)
- Application Server Logs (Part 1)
- Application Server Logs (Part 2)
- Application Server Logs (Part 3)
- Application Server Logs (Part 4)
- Application Server Logs (Part 5)
- Application Server Logs (Part 6)
- Application Server Logs (Part 7)
- Application Server Logs (Part 8)
- Application Server Logs (Part 9)
- Application Server Logs (Part 10)
- Application Server Logs (Part 11)
- Application Server Logs (Part 12)
- Audit Logs
- Catch All Level 1 (Syslog - Tanium)
- Tanium Application Server Information
LSO: Syslog - Trend Micro Apex One (Mapping Doc)
- Attack Discovery Detections
- Behavior Monitoring Log Messages
- CNC Callback and Suspicious Connection Log Message (Part-1)
- Device Access Control Log Messages
- Engine Update Status Log
- Intrusion Prevention Log Messages
- Product Auditing Events
- Spyware Detected Log Messages
- Update Status Log
- Web Filter Log Messages
- File Logging Information Messages
- Antivirus Log Messages
- CNC Callback and Suspicious Connection Log Message (Part-2)
LSO : Syslog - Zscaler Nano Streaming Service (Mapping Doc)
- LSO: Syslog Zscaler Nano - Action Query Logs
- LSO: Syslog Zscaler Nano - Catch All : Level 1
- LSO: Syslog Zscaler Nano - Catch All : Level 4
- LSO: Syslog Zscaler Nano - DNS Message
- LSO: Syslog Zscaler Nano - General Firewall Messages
- LSO: Syslog Zscaler Nano - IPSec Phase1
- LSO: Syslog Zscaler Nano - IPSec Phase2
- LSO: Syslog Zscaler Nano - Last Message Repeated
- LSO: Syslog Zscaler Nano - Network Traffic
- LSO: Syslog Zscaler Nano - Tunnel Event
- LSO: Syslog Zscaler Nano - Tunnel Messages
- LSO: Syslog Zscaler Nano - Tunnel Samples
- LSO: Syslog Zscaler Nano - Zscaler General Network Traffic Messages
- LSO: Syslog Zscaler Nano - Zscaler Network Details
- LSO: Syslog Zscaler Nano - Zscaler NSS Message