Vendor Documentation
Log Fields and Parsing
This section details the log fields available in this log message type and values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means no value is parsed for a specified log field.
|
Log Field |
LogRhythm Default |
LogRhythm Default v2.0 |
|---|---|---|
|
date |
N/A |
N/A |
|
time |
N/A |
N/A |
|
devname |
<subject> |
N/A |
|
logid |
<vmid>
|
<vmid> |
|
type |
<parentprocessname> |
<vendorinfo> |
|
subtype |
<parentprocessid> |
N/A |
|
level |
<severity> |
<severity> |
|
vd |
N/A |
<sessiontype> |
|
eventtime |
N/A |
N/A |
|
srcip |
<sip> |
<sip> |
|
srcport |
<sport> |
<sport> |
|
srcintf |
<sinterface> |
<sinterface> |
|
srcintfrole |
N/A |
N/A |
|
dstip |
<dip> |
<dip> |
|
dstname |
<url> |
N/A |
|
dstport |
<dport> |
<dport> |
|
dstintf |
<dinterface> |
<dinterface> |
|
dstinetsvc |
<object> |
N/A |
|
dstintfrole |
N/A |
N/A |
|
srcuuid |
N/A |
N/A |
|
dstuuid |
N/A |
N/A |
|
poluuid |
N/A |
N/A |
|
sessionid |
<session> |
<session> |
|
proto |
<protnum> |
<protnum> |
|
action |
<action>
|
<action>
|
|
policyid |
<policy> |
<policy> |
|
policytype |
<process> |
N/A |
|
service |
N/A |
<parentprocessname> |
|
user |
<login> |
<login>
|
|
dstuser |
N/A |
<account> |
|
group |
<group> |
N/A |
|
dstcountry |
N/A |
N/A |
|
srccountry |
N/A |
N/A |
|
trandisp |
N/A |
N/A |
|
tranip |
<dnatip> |
N/A |
|
transip |
<snatip> |
<snatip> |
|
transport |
N/A |
<snatport> |
|
appid |
<processid> |
<object> |
|
app |
<object> |
<objectname> |
|
appcat |
<objectname> |
<objecttype> |
|
apprisk |
<severity> |
<threatname> |
|
applist |
N/A |
N/A |
|
appact |
<status> |
N/A |
|
url |
N/A |
N/A |
|
duration |
<seconds> |
<seconds> |
|
sentbyte |
<bytesout> |
<bytesout> |
|
rcvdbyte |
<bytesin> |
<bytesin> |
|
sentpkt |
<packetsout> |
<packetsout> |
|
rcvdpkt |
<packetsin> |
<packetsin> |
|
utmaction |
<result>
|
<status>
|
|
countapp |
N/A |
<quantity> |
|
osname |
N/A |
N/A |
|
mastersrcmac |
N/A |
N/A |
|
srcmac |
N/A |
<smac> |
|
srcserver |
N/A |
N/A |
|
utmref |
N/A |
N/A |
|
dstmac |
<dmac> |
<dmac> |
|
devtype |
<objecttype> |
N/A |
|
srcfamily |
<sessiontype> |
N/A |
|
unauthuser |
<login> |
N/A |
|
srcname |
N/A |
<sname> |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1010521 |
Traffic: Forward |
Base Rule |
Network Traffic |
Network Traffic |
|
Sniffer Traffic Accept |
Sub Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
|
Forwarded Traffic Blocked |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
|
Forwarded Traffic Timeout |
Sub Rule |
User Session Timeout |
Information |
|
|
Forwarded Traffic Close |
Sub Rule |
Connection Closed |
Network Traffic |
|
|
Forwarded Traffic Accept - Reset |
Sub Rule |
Connection Reset |
Network Traffic |
|
|
Local Traffic Denied |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
|
Forwarded Traffic Denied |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
|
Forward Traffic Deny |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
|
ICMP Traffic Allow |
Sub Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
|
Invalid Traffic |
Sub Rule |
Connection Failed |
Network Traffic |
|
|
Malware Activity Blocked |
Sub Rule |
Failed Botnet Activity |
Failed Malware |
|
|
Forwarded Traffic Allowed |
Sub Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
|
Forwarded Traffic Start |
Sub Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
|
Local Traffic Accepted |
Sub Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
|
Forwarded Traffic |
Sub Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
|
Forwarded Traffic Session Closed |
Sub Rule |
Connection Closed |
Network Traffic |
|
|
Forwarded Traffic Accept |
Sub Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
|
Local Traffic Accept |
Sub Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
|
Local Traffic Timeout |
Sub Rule |
Session Disconnected |
Other Audit Success |
|
|
Network/Traffic Allowed Messages |
Sub Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
|
LOG_ID_TRAFFIC_END_FORWARD |
Sub Rule |
IP Forwarding Events |
Network Traffic |
|
|
LOG_ID_TRAFFIC_START_FORWARD |
Sub Rule |
Session Connected |
Network Traffic |
|
|
LOG_ID_TRAFFIC_ALLOW |
Sub Rule |
TCP Traffic Allowed |
Network Traffic |
|
|
LOG_ID_TRAFFIC_DENY |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
|
LOG_ID_TRAFFIC_OTHER_START |
Sub Rule |
General Traffic Allowed |
Network Traffic |
|
|
LOG_ID_TRAFFIC_OTHER_ICMP_ALLOW |
Sub Rule |
Permitted ICMP Traffic |
Network Traffic |
|
|
LOG_ID_TRAFFIC_OTHER_ICMP_DENY |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
|
LOG_ID_TRAFFIC_WANOPT |
Sub Rule |
WAN Optimization Traffic |
Network Traffic |
|
|
LOG_ID_TRAFFIC_WEBCACHE |
Sub Rule |
Web Cache Traffic |
Network Traffic |
|
|
LOG_ID_TRAFFIC_EXPLICIT_PROXY |
Sub Rule |
Traffic Allowed by Proxy |
Network Allow |
|
|
LOG_ID_TRAFFIC_FAIL_CONN |
Sub Rule |
Connection Failed |
Network Traffic |
|
|
LOG_ID_TRAFFIC_STAT |
Sub Rule |
Statistics Collector Message |
Information |
|
|
LOG_ID_TRAFFIC_UTM_CORRELATION |
Sub Rule |
General Traffic Allowed |
Network Traffic |
LogRhythm Default v2.0
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1013575 |
V 2.0: Traffic: Forward: VMID13 |
Base Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
V 2.0: 13_Traffic Blocked |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
|
V 2.0: 13_Traffic Session Timeout |
Sub Rule |
Session Timeout |
Warning |
|
|
V 2.0: 13_Local Traffic Session Allowed |
Sub Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
|
V 2.0: 13_Traffic Session Started |
Sub Rule |
Network Session Created |
Network Traffic |
|
|
V 2.0: 13_Traffic Session Denied |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
|
V 2.0: 13_Traffic Allowed |
Sub Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
|
V 2.0: 13_Forward Traffic Allowed |
Sub Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
|
V 2.0: 13_Traffic Reset |
Sub Rule |
Connection Reset |
Network Traffic |
|
|
V 2.0: 13_Forward Traffic Client-rst |
Sub Rule |
Connection Reset |
Network Traffic |
|
|
V 2.0: 13_Forward Traffic Servert-rst |
Sub Rule |
Connection Reset |
Network Traffic |