LSO: Syslog CyberArk - General Login And Other Processes
Vendor Documentation
Log Fields and Parsing
This section details the log fields available in this log message type, along with the metadata values parsed for both the LogRhythm Default and LogRhythm Default v2.0 policies. The Log Field column gives the field name (the CEF extension key, e.g. suser, dhost, cs1) as it appears in the CyberArk syslog message. A value of "N/A" (not applicable) means that no value is parsed for that log field under that policy; a metadata field listed against an "N/A" log field is derived from another part of the message rather than from a named extension key.
Log Field | LogRhythm Default | LogRhythm Default v2.0 |
N/A | N/A | <vendorinfo> |
N/A | <version> | <version> |
N/A | <vmid> | <vmid> |
N/A | <process> | N/A |
N/A | N/A | <action> |
N/A | <severity> | <severity> |
suser | <login> | <login> |
fname | <object> | <object> |
N/A | N/A | <sname> |
dhost | <dname> | <dname> |
suser or cs1 | <account> | <account> |
dvc | <dip> | <dip> |
src | <sip> | <sip> |
N/A | N/A | <protname> |
reason | <command> <reason> | <reason> |
N/A | N/A | <subject> |
cs2 | <objectname> | N/A |
msg | <group> | N/A |
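The mapping in the table above can be exercised end to end with a small parser. The Python below is an added example, not LogRhythm's or CyberArk's own parsing code: it strips the syslog prefix, splits the seven pipe-delimited CEF header fields (honouring the `\|` escape), tokenises the extension into key=value pairs while undoing the `\=`, `\\`, `\n` and `\r` escapes, and then maps the CEF keys to LogRhythm metadata fields following the table, including the "suser or cs1" fallback for `<account>`, the `cs2`/`msg` fields that only the LogRhythm Default policy parses, and reading the Default row "reason | <command> <reason>" as the reason field populating both `<command>` and `<reason>`. The sample line is constructed for this example, and taking `<vendorinfo>`, `<version>`, `<vmid>`, `<action>` and `<severity>` from the CEF header is an assumption about what the "N/A" log-field rows refer to.

```python
import re

# Constructed sample: a syslog-wrapped CEF record in the shape CyberArk Vault emits.
# The field set and values are illustrative, not a captured CyberArk message.
# Note the escaped backslashes in fname and the escaped '=' in reason and msg.
SAMPLE_LINE = (
    "<5>Jun 12 10:22:41 vault01 CEF:0|Cyber-Ark|Vault|12.6|295|Retrieve password|5|"
    "act=Retrieve password suser=jdoe fname=Root\\\\Prod\\\\web01-admin dvc=10.0.0.5 "
    "shost=vault01 dhost=10.0.0.20 src=192.168.1.10 cs1=web01-admin cs2=Prod "
    "reason=Change request CR\\=4711 msg=Safe\\=Prod Folder\\=Root"
)

# CEF extension key -> LogRhythm metadata field, per the field table.
V2_MAP = {"suser": "login", "fname": "object", "dhost": "dname",
          "dvc": "dip", "src": "sip", "reason": "reason"}
DEFAULT_EXTRA = {"cs2": "objectname", "msg": "group"}  # LogRhythm Default only

# A key starts the string or follows a space and is immediately followed by '='.
# An escaped '\=' inside a value therefore never starts a new key.
_KEY_RE = re.compile(r"(?:^|(?<= ))([A-Za-z0-9_.\-]+)=")


def _unescape(value: str) -> str:
    # Undo CEF extension escaping: backslash + (= \ n r) -> literal character.
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def split_cef(cef: str) -> tuple[list[str], str]:
    # Split the text after 'CEF:' into its 7 header fields plus the extension.
    # A backslash escapes the next character, so '\|' is a literal pipe.
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):
            cur.append(cef[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, cef[i:]


def parse_extension(ext: str) -> dict:
    # Each value runs from its '=' up to the next key; trailing separator space is dropped.
    pairs = {}
    matches = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        pairs[m.group(1)] = _unescape(ext[m.end():end].rstrip(" "))
    return pairs


def parse_cyberark_cef(line: str, policy: str = "v2") -> dict:
    # policy: "v2" for LogRhythm Default v2.0, "default" for LogRhythm Default.
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in line")
    header, ext = split_cef(line[idx + len("CEF:"):])
    _cef_version, vendor, product, dev_version, sig_id, name, severity = header
    pairs = parse_extension(ext)
    # Header-derived metadata (assumption: this is what the N/A log-field rows hold).
    out = {"vendorinfo": f"{vendor} {product}", "version": dev_version,
           "vmid": sig_id, "action": name, "severity": severity}
    mapping = dict(V2_MAP)
    if policy == "default":
        mapping.update(DEFAULT_EXTRA)
    for key, field in mapping.items():
        if key in pairs:
            out[field] = pairs[key]
    if policy == "default" and "reason" in pairs:
        out["command"] = pairs["reason"]  # Default also fills <command> from reason
    account = pairs.get("cs1") or pairs.get("suser")  # "suser or cs1" row
    if account:
        out["account"] = account
    return out


if __name__ == "__main__":
    for k, v in parse_cyberark_cef(SAMPLE_LINE, "default").items():
        print(f"{k:<12} {v}")
```

The two escape paths are the part worth checking against real traffic: a safe or object name containing a backslash or an equals sign arrives escaped, and a parser that splits on plain `=` or `|` will shear the value and misattribute the following text to the wrong metadata field.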
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
Regex ID | Rule Name | Rule Type | Common Event | Classification |
1002623 | General Login And Other Processes | Base Rule | General Process Information | Information |
 | Auto Clear Safes History End | Sub Rule | General Process Information | Information |
 | Auto Clear Safes History Start | Sub Rule | General Process Information | Information |
 | Auto Clear Users History End | Sub Rule | General Process Information | Information |
 | Auto Clear Users History Start | Sub Rule | General Process Information | Information |
 | Backup Files Maintenance End | Sub Rule | Backup Job Completed | Information |
 | Backup Files Maintenance Start | Sub Rule | Process/Service Started | Startup and Shutdown |
 | Backup Metadata | Sub Rule | Backup Job Started | Information |
 | Backup Process Initiated | Sub Rule | Backup Job Started | Information |
 | Clear Safe History | Sub Rule | General Process Information | Information |
 | Full Gateway Connection | Sub Rule | Gateway Is Up | Information |
 | LDAP Synchronization End | Sub Rule | General LDAP Message | Information |
 | LDAP Synchronization Start | Sub Rule | General LDAP Message | Information |
 | Logoff - Backup | Sub Rule | Service Logoff | Authentication Success |
 | Logon - Backup | Sub Rule | Service Logon | Authentication Success |
 | Logon | Sub Rule | User Logon | Authentication Success |
 | Old Backup Files Deletion Start | Sub Rule | General Backup Information | Information |
 | Old Backup Files Deletion End | Sub Rule | General Backup Information | Information |
 | Prepare Backup Metadata | Sub Rule | General Backup Information | Information |
 | Set Password | Sub Rule | Password Change Requested | Information |
 | User Authentication Failure | Sub Rule | User Logon Failure | Authentication Failure |
 | Open File | Sub Rule | File Opened | Information |
 | Retrieve File | Sub Rule | File Received | Information |
 | Retrieve Password - Forgotten | Sub Rule | Object Accessed | Access Success |
 | Logoff | Sub Rule | User Logoff | Authentication Success |
 | Monitor DR Replication Start | Sub Rule | Replication Information | Information |
 | Monitor DR Replication End | Sub Rule | Replication Successful | Information |
 | Monitor Backup Replication Start | Sub Rule | Replication Information | Information |
 | Monitor Backup Replication End | Sub Rule | Replication Successful | Information |
 | Monitor License Expiration Date Start | Sub Rule | Scheduled Task Started | Information |
 | Monitor License Expiration Date End | Sub Rule | Scheduled Task Completed | Information |
 | Monitor FW Rules Start | Sub Rule | General Firewall Event | Information |
 | Monitor FW Rules End | Sub Rule | General Firewall Event | Information |
 | CPM Verify Password Failed | Sub Rule | User Logon Failure | Authentication Failure |
 | CPM Change Password Failed | Sub Rule | Failed Password Change Attempt | Other Audit Failure |
 | CPM Disable Password | Sub Rule | User Logon Failure : Account Disabled | Authentication Failure |
 | Retrieve Password | Sub Rule | Object Accessed | Access Success |
 | CPM Verify Password | Sub Rule | Password Reminder | Information |
 | PSM Connect | Sub Rule | Client Connected | Other Audit Success |
 | PSM Disconnect | Sub Rule | Client Disconnected | Other Audit Success |
 | Use Password | Sub Rule | Password Reminder | Information |
 | Keystroke Logging | Sub Rule | Event Logged | Information |
 | Window Title | Sub Rule | General Information | Information |
LogRhythm Default v2.0
Regex ID | Rule Name | Rule Type | Common Event | Classification |
1013218 | V 2.0 Cyberark Vault Audit Events | Base Rule | General Information Log Message | Information |