
LSO: LogRhythm NetMon - Diagnostics

Vendor Documentation

Log Fields and Parsing

This section details the log fields available in this log message type and values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

Log Field | LogRhythm Default | LogRhythm Default v2.0
--- | --- | ---
N/A | <vmid> | <severity>
N/A | <severity> | <vmid>
N/A | <process> | <tag1>
N/A | <tag1> | <objectname>
N/A | <command> | <process>
N/A | <login> | <login>
N/A | <sip> | <sip>
N/A | <subject> | <subject>
N/A | <session> | N/A

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex ID | Rule Name | Rule Type | Common Event | Classification
--- | --- | --- | --- | ---
1007979 | Network Monitor Diagnostics | Base Rule | LogRhythm Diagnostics Event | Other Operations
 | Authentication Failure | Sub Rule | User Logon Failure | Authentication Failure
 | Authentication Success | Sub Rule | User Logon | Authentication Success
 | DPA Rule Added | Sub Rule | Policy Created: Object | Policy
 | DPA Rule Deleted | Sub Rule | Policy Modified: Object | Policy
 | DPA Rule Disabled | Sub Rule | Policy Disabled: Object | Policy
 | DPA Rule Enabled | Sub Rule | Policy Enabled: Object | Policy
 | DPA Rule Modified | Sub Rule | Policy Modified: Object | Policy
 | DPA Rule Uploaded | Sub Rule | Policy Created: Object | Policy
 | File Reconstruction | Sub Rule | File Write | Other Audit Success
 | NM Configuration Change | Sub Rule | Configuration Modified: System | Configuration
 | Security Configuration Change | Sub Rule | Configuration Modified: Security | Configuration
 | User Created | Sub Rule | User Account Created | Account Created
 | User Deleted | Sub Rule | User Account Deleted | Account Deleted
 | User Setting Changed | Sub Rule | User Account Attribute Modified | Account Modified
 | PCAP Reconstruction | Sub Rule | PCAP File Written | Information
 | Session Expired | Sub Rule | Session Expired | Information
 | License Change | Sub Rule | License Warning | Warning
 | Logout | Sub Rule | User Logoff | Authentication Success
 | NM Upgrade | Sub Rule | Upgrade Complete | Information
 | Password Change | Sub Rule | Performing Password Change | Information
 | Reboot | Sub Rule | Process/Service Restarted | Startup and Shutdown
 | Restart Services | Sub Rule | Process/Service Restarted | Startup and Shutdown
 | Search Performed | Sub Rule | Search | Information
 | Service Start | Sub Rule | Process/Service Started | Startup and Shutdown
 | Service Terminate | Sub Rule | Process/Service Stopped | Startup and Shutdown
 | Shutdown | Sub Rule | Process/Service Stopped | Startup and Shutdown
 | Drive Capacity Low | Sub Rule | Drive Space Low | Critical

LogRhythm Default v2.0

Regex ID | Rule Name | Rule Type | Common Event | Classification
--- | --- | --- | --- | ---
1013933 | V 2.0: General Diagnostics Event | Base Rule | LogRhythm Diagnostics Event | Other Operations
 | V 2.0: NOT SET Messages | Sub Rule | LogRhythm Diagnostics Event | Other Operations
 | V 2.0: SERVICE START Messages | Sub Rule | Service Started | Information
 | V 2.0: SERVICE TERMINATE Messages | Sub Rule | Process/Service Stopped | Startup and Shutdown
 | V 2.0: ELASTIC SEARCH HEALTH Messages | Sub Rule | LogRhythm Diagnostics Event | Other Operations
 | V 2.0: DRIVE 50 PERCENT Messages | Sub Rule | LogRhythm Diagnostics Event | Other Operations
 | V 2.0: DRIVE 90 PERCENT Messages | Sub Rule | LogRhythm Diagnostics Event | Other Operations
 | V 2.0: SEARCH Messages | Sub Rule | LogRhythm Diagnostics Event | Other Operations
 | V 2.0: AUTHENTICATION SUCCESS Messages | Sub Rule | General Authentication Information | Information
 | V 2.0: AUTHENTICATION FAILURE Messages | Sub Rule | General Authentication Information | Information
 | V 2.0: LOGOUT Messages | Sub Rule | Logout Request | Information
 | V 2.0: EXPIRED SESSION Messages | Sub Rule | Session Message | Information
 | V 2.0: NM CONFIG CHANGE Messages | Sub Rule | Configuration Information | Information
 | V 2.0: SECURITY CONFIG CHANGE Messages | Sub Rule | Configuration Information | Information
 | V 2.0: PASSWORD CHANGE Messages | Sub Rule | Performing Password Change | Information
 | V 2.0: USER CREATED Messages | Sub Rule | User Account Created | Account Created
 | V 2.0: USER SETTING CHANGED Messages | Sub Rule | Object Modified | Access Success
 | V 2.0: FILE RECONSTRUCTION Messages | Sub Rule | LogRhythm Diagnostics Event | Other Operations
 | V 2.0: PCAP RECONSTRUCTION Messages | Sub Rule | LogRhythm Diagnostics Event | Other Operations
 | V 2.0: USER DELETED Messages | Sub Rule | User Account Deleted | Account Deleted
 | V 2.0: RESTART SERVICES Messages | Sub Rule | Process/Service Restarting | Startup and Shutdown
 | V 2.0: SHUTDOWN Messages | Sub Rule | System Shutdown | Startup and Shutdown
 | V 2.0: REBOOT Messages | Sub Rule | Process/Service Restarting | Startup and Shutdown
 | V 2.0: LICENSE CHANGE Messages | Sub Rule | LogRhythm Diagnostics Event | Other Operations
 | V 2.0: NM UPGRADE Messages | Sub Rule | LogRhythm Diagnostics Event | Other Operations
 | V 2.0: DPA RULE ADDED Messages | Sub Rule | Object Added | Access Success
 | V 2.0: DPA RULE ENABLED Messages | Sub Rule | Object Modified | Access Success
 | V 2.0: DPA RULE DISABLED Messages | Sub Rule | Object Modified | Access Success
 | V 2.0: DPA RULE MODIFIED Messages | Sub Rule | Object Modified | Access Success
 | V 2.0: DPA RULE UPLOADED Messages | Sub Rule | Object Modified | Access Success
 | V 2.0: DPA RULE DELETED Messages | Sub Rule | Object Deleted/Removed | Access Success
 | V 2.0: NM UPGRADE FAILURE Messages | Sub Rule | Object Update Failed | Error
 | V 2.0: NM UPGRADE SUCCES Messages | Sub Rule | Object Modified | Access Success
 | V 2.0: FILE DOWNLOADED Messages | Sub Rule | LogRhythm Diagnostics Event | Other Operations
 | V 2.0: FILE UPLOADED Messages | Sub Rule | LogRhythm Diagnostics Event | Other Operations
 | V 2.0: DPA RULES RELOADED Messages | Sub Rule | LogRhythm Diagnostics Event | Other Operations
