This document explains the changes required to apply new Message Processing Engine (MPE) rules developed during the Log Source Optimization (LSO) project for the Syslog - FireEye Web MPS/CMS/ETP/HX
Vendor Documentation
Prerequisites
-
Download and apply the Knowledge Base. For more information, see KB Synchronization Settings for LSO.
-
Enable the new MPE rules in the LogRhythm System Monitor.
Select log source type Syslog - FireEye MPS.Enable log processing policy LogRhythm Default v2.0.For details on how to enable LogRhythm Default v2.0, see Apply LogRhythm Default v2.0 on a Log Source.
Supported Log Messages
The following table lists the log message types supported in the current MPE rules. Each page contains detailed information on parsing changes and new log processing settings.
|
Log Message Type |
Event Type |
|
Action Log Messages |
Command Executed |
|
Application Process Information |
General Application Information |
|
Archiver Messages |
Archive Message |
|
AUTO-INIT Process Information |
General Process Information |
|
AVC Process SIGCHLD |
Current Process |
|
AVC PVNA CC Info |
Host Information Added |
|
AVC SIGCHLD : Process Exited |
Process/Service Stopped |
|
AVC Statistics |
General Performance Statistics |
|
AVC Work Order |
Configuration Modified : System |
|
Behavioral Analysis Logic Engine Message |
Content Analysis Queue Message |
|
Catch All: Level 1 |
General Information |
|
Central Management Console Message |
Management Console Connected |
|
CMS Messages - Deprecated |
Detected Malware Activity |
|
CMS Messages - Domain Match |
Unauthorized Website |
|
CMS Messages - Infection Match |
Detected Virus Activity |
|
CMS Messages - Malware Callback |
Detected Malware Activity |
|
CMS Messages - Malware Object |
Detected Malware Activity |
|
CMS Messages - Riskware Object |
Possible Malware Activity |
|
CMS Messages - Web Infection |
Detected Virus Activity |
|
CMS/MPS Messages - Ips-Event |
Possible Malware Activity |
|
Command Line Interface Message |
SSH Command Line Interface Message |
|
Configuration/Enable Mode |
Entering Enable Mode |
|
Curl Messages |
General Process Information |
|
ETP Messages |
Detected Malware Activity |
|
FENET Messages |
Updater Message |
|
File Network Information |
File Information Obtained |
|
General Thread Information |
General Thread Information |
|
Graveyard Sweep Message |
Performing Cleanup |
|
HX Messages |
General Firewall Log |
|
Initialized Service |
General Process Information |
|
KERNEL Messages |
Kernel Information |
|
Last Message Repeated |
Last Message Repeated |
|
Licensing Messages |
License Info |
|
Linux Process Messages |
System Information-Only Event |
|
Linux Superuser Messages |
General Sudo Command |
|
Loaded Configs |
Configuration Loaded : System |
|
Malicious Email |
Possible Malware Activity |
|
Malware Object Information |
Detected Malware Activity |
|
Management Config Change |
Configuration Modified : System |
|
Management Messages |
Entering Enable Mode |
|
MCE Error Message |
General Processor Error |
|
MPS Malware Activity - Depreciated |
Detected Malware Activity |
|
MPS Messages |
Detected Malware Activity |
|
Network HTTPD Activity |
HTTPD Information |
|
Notify Message |
FireEye Notification |
|
RGP Job Information |
Job Change General Information |
|
SC-Upload Messages |
General Information-Only Event |
|
Taskernode Information |
Internal Communication Information |
|
Threat Messages |
Detected Malware Activity |
|
VMMD Process Information |
General Process Information |
|
VXE Messages |
General IPS Message |
Log Processing Policy Updates
This section details log processing policy updates made to AIE Rules, system reports, system investigations, system report templates, and system tails as part of LSO.
Updates to AIE Rules
-
No changes
Updates to System Reports
-
No changes
Updates to System Investigations
-
No changes
Updates to System Report Templates
-
No changes
Updates to System Tails
-
No changes