LSO: LogRhythm NetMon - Diagnostics

Vendor Documentation

https://docs.logrhythm.com/docs/netmon/appendices/stand-alone-netmon-syslog-parsing/syslog-event-type

Log Fields and Parsing

This section details the log fields available in this log message type and values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

Log Field	LogRhythm Default	LogRhythm Default v2.0
N/A	<vmid>	<severity>
N/A	<severity>	<vmid>
N/A	<process>	<tag1>
N/A	<tag1>	<objectname>
N/A	<command>	<process>
N/A	<login>	<login>
N/A	<sip>	<sip>
N/A	<subject>	<subject>
N/A	<session>	N/A

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex ID	Rule Name	Rule Type	Common Event	Classification
1007979	Network Monitor Diagnostics	Base Rule	LogRhythm Diagnostics Event	Other Operations
	Authentication Failure	Sub Rule	User Logon Failure	Authentication Failure
	Authentication Success	Sub Rule	User Logon	Authentication Success
	DPA Rule Added	Sub Rule	Policy Created: Object	Policy
	DPA Rule Deleted	Sub Rule	Policy Modified: Object	Policy
	DPA Rule Disabled	Sub Rule	Policy Disabled: Object	Policy
	DPA Rule Enabled	Sub Rule	Policy Enabled: Object	Policy
	DPA Rule Modified	Sub Rule	Policy Modified: Object	Policy
	DPA Rule Uploaded	Sub Rule	Policy Created: Object	Policy
	File Reconstruction	Sub Rule	File Write	Other Audit Success
	NM Configuration Change	Sub Rule	Configuration Modified: System	Configuration
	Security Configuration Change	Sub Rule	Configuration Modified: Security	Configuration
	User Created	Sub Rule	User Account Created	Account Created
	User Deleted	Sub Rule	User Account Deleted	Account Deleted
	User Setting Changed	Sub Rule	User Account Attribute Modified	Account Modified
	PCAP Reconstruction	Sub Rule	PCAP File Written	Information
	Session Expired	Sub Rule	Session Expired	Information
	License Change	Sub Rule	License Warning	Warning
	Logout	Sub Rule	User Logoff	Authentication Success
	NM Upgrade	Sub Rule	Upgrade Complete	Information
	Password Change	Sub Rule	Performing Password Change	Information
	Reboot	Sub Rule	Process/Service Restarted	Startup and Shutdown
	Restart Services	Sub Rule	Process/Service Restarted	Startup and Shutdown
	Search Performed	Sub Rule	Search	Information
	Service Start	Sub Rule	Process/Service Started	Startup and Shutdown
	Service Terminate	Sub Rule	Process/Service Stopped	Startup and Shutdown
	Shutdown	Sub Rule	Process/Service Stopped	Startup and Shutdown
	Drive Capacity Low	Sub Rule	Drive Space Low	Critical

LogRhythm Default v2.0

Regex ID	Rule Name	Rule Type	Common Event	Classification
1013933	V 2.0: General Diagnostics Event	Base Rule	LogRhythm Diagnostics Event	Other Operations
	V 2.0: NOT SET Messages	Sub Rule	LogRhythm Diagnostics Event	Other Operations
	V 2.0: SERVICE START Messages	Sub Rule	Service Started	Information
	V 2.0: SERVICE TERMINATE Messages	Sub Rule	Process/Service Stopped	Startup and Shutdown
	V 2.0: ELASTIC SEARCH HEALTH Messages	Sub Rule	LogRhythm Diagnostics Event	Other Operations
	V 2.0: DRIVE 50 PERCENT Messages	Sub Rule	LogRhythm Diagnostics Event	Other Operations
	V 2.0: DRIVE 90 PERCENT Messages	Sub Rule	LogRhythm Diagnostics Event	Other Operations
	V 2.0: SEARCH Messages	Sub Rule	LogRhythm Diagnostics Event	Other Operations
	V 2.0: AUTHENTICATION SUCCESS Messages	Sub Rule	General Authentication Information	Information
	V 2.0: AUTHENTICATION FAILURE Messages	Sub Rule	General Authentication Information	Information
	V 2.0: LOGOUT Messages	Sub Rule	Logout Request	Information
	V 2.0: EXPIRED SESSION Messages	Sub Rule	Session Message	Information
	V 2.0: NM CONFIG CHANGE Messages	Sub Rule	Configuration Information	Information
	V 2.0: SECURITY CONFIG CHANGE Messages	Sub Rule	Configuration Information	Information
	V 2.0: PASSWORD CHANGE Messages	Sub Rule	Performing Password Change	Information
	V 2.0: USER CREATED Messages	Sub Rule	User Account Created	Account Created
	V 2.0: USER SETTING CHANGED Messages	Sub Rule	Object Modified	Access Success
	V 2.0: FILE RECONSTRUCTION Messages	Sub Rule	LogRhythm Diagnostics Event	Other Operations
	V 2.0: PCAP RECONSTRUCTION Messages	Sub Rule	LogRhythm Diagnostics Event	Other Operations
	V 2.0: USER DELETED Messages	Sub Rule	User Account Deleted	Account Deleted
	V 2.0: RESTART SERVICES Messages	Sub Rule	Process/Service Restarting	Startup and Shutdown
	V 2.0: SHUTDOWN Messages	Sub Rule	System Shutdown	Startup and Shutdown
	V 2.0: REBOOT Messages	Sub Rule	Process/Service Restarting	Startup and Shutdown
	V 2.0: LICENSE CHANGE Messages	Sub Rule	LogRhythm Diagnostics Event	Other Operations
	V 2.0: NM UPGRADE Messages	Sub Rule	LogRhythm Diagnostics Event	Other Operations
	V 2.0: DPA RULE ADDED Messages	Sub Rule	Object Added	Access Success
	V 2.0: DPA RULE ENABLED Messages	Sub Rule	Object Modified	Access Success
	V 2.0: DPA RULE DISABLED Messages	Sub Rule	Object Modified	Access Success
	V 2.0: DPA RULE MODIFIED Messages	Sub Rule	Object Modified	Access Success
	V 2.0: DPA RULE UPLOADED Messages	Sub Rule	Object Modified	Access Success
	V 2.0: DPA RULE DELETED Messages	Sub Rule	Object Deleted/Removed	Access Success
	V 2.0: NM UPGRADE FAILURE Messages	Sub Rule	Object Update Failed	Error
	V 2.0: NM UPGRADE SUCCES Messages	Sub Rule	Object Modified	Access Success
	V 2.0: FILE DOWNLOADED Messages	Sub Rule	LogRhythm Diagnostics Event	Other Operations
	V 2.0: FILE UPLOADED Messages	Sub Rule	LogRhythm Diagnostics Event	Other Operations
	V 2.0: DPA RULES RELOADED Messages	Sub Rule	LogRhythm Diagnostics Event	Other Operations