Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| Provider | <tag1>, <objectname>, <process> | N/A |
| EventID Qualifiers | <vmid> | N/A |
| Version | N/A | N/A |
| Level | <severity> | N/A |
| Task | N/A | N/A |
| Opcode | N/A | N/A |
| Keywords | N/A | N/A |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution ProcessID | <processid> | N/A |
| ThreadID | <session> | N/A |
| Channel | N/A | N/A |
| Computer | <dname> | N/A |
| Security | <domain> | N/A |
| Data | <vendorinfo> | N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1008171 | Pattern Catch All : Level 3 | Base Rule | General Information | Information |
| | EVID 57: Failed To Flush Data To Transaction Log | Sub Rule | General Maintenance Warning | Warning |
| | EVID 6005: Event Log Service Started | Sub Rule | General Logging Information | Information |
| | EVID 6006: Event Log Service Stopped | Sub Rule | General Logging Information | Information |
| | EVID 6008: Previous Shutdown Unexpected | Sub Rule | Unclean Shutdown | Warning |
| | EVID 6009: System Boot Info | Sub Rule | System Started | Startup and Shutdown |
| | Microsoft-Windows-WinRM | Sub Rule | General Administration Server Information | Information |
| | EVID 133: Optical Drive Locked - Exclusive Access | Sub Rule | Access Object Failure | Access Failure |
| | EVID 1001: SNMP Service Started Successfully | Sub Rule | Process/Service Started | Startup and Shutdown |
| | EVID 13: System Shutting Down | Sub Rule | System Shutting Down | Startup and Shutdown |
| | EVID 27: Windows Automatic Update Service Paused | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | EVID 51046: DHCPv6 Client Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | EVID 50036: DHCP Client Service Starting | Sub Rule | Process/Service Starting | Startup and Shutdown |
| | EVID 10016: COM Access Denied | Sub Rule | Initialize Object Failure | Access Failure |
| | EVID 12: OS Started At Time | Sub Rule | System Starting | Startup and Shutdown |
| | EVID 129: NTPClient Unable To Set Domain Peer | Sub Rule | NTP Server Unreachable | Error |
| | EVID 1500: SNMP Traps Not Configured | Sub Rule | General SNMPTRAP Error | Error |
| | EVID 20001: Driver Install Process Completed | Sub Rule | Software Installed | Configuration |
| | EVID 20003: Service Install Process Complete | Sub Rule | Software Installed | Configuration |
| | EVID 20010: PnP Service State Change | Sub Rule | Process/Service Startup Or Shutdown Activity | Startup and Shutdown |
| | EVID 2242: Patrol Read Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | EVID 2243: Patrol Read Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | EVID 26: Application Popup | Sub Rule | General Application Popup Information | Information |
| | EVID 26: Processor State | Sub Rule | Processor Information | Information |
| | EVID 3: Virtual Disk Service Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | EVID 4: Virtual Disk Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | EVID 36885: Too Many Trusted Cert Authorities | Sub Rule | Certificate Services Denied Certificate Request | Warning |
| | EVID 36888: Schannel Fatal Alert | Sub Rule | General Schannel Error | Error |
| | EVID 50037: DHCPv4 Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | EVID 50037: DHCPv6 Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | EVID 5074: Worker Process Recycle Request | Sub Rule | Process/Service Startup Or Shutdown Activity | Startup and Shutdown |
| | EVID 5186: Inactive Worker Process Shutdown | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | EVID 5719: No DC Available For Domain | Sub Rule | Domain Controller Unreachable | Error |
| | EVID 10010: Server Registration With DCOM Timeout | Sub Rule | Device Timeout | Error |
| | EVID 10020: Dynamic IPv6 Assigned To Server | Sub Rule | General DHCPServer Warning | Warning |
| | EVID 10149: WinRM Is Not Listening | Sub Rule | Listener Failed | Error |
| | EVID 1: CBA Filter Disk Info | Sub Rule | General Disk Information | Information |
| | EVID 103: MSISCSI Timeout | Sub Rule | General iSCSI Error | Error |
| | EVID 41: System Did Not Shutdown Properly | Sub Rule | Unclean Shutdown | Warning |
| | EVID 14531: DFS Finished Initialization | Sub Rule | Process/Service Starting | Startup and Shutdown |
| | EVID 14533: DFS Finished Building Name Space | Sub Rule | Process/Service Starting | Startup and Shutdown |
| | EVID 14550: DFS Cross Forest Initialization Error | Sub Rule | General DfsSvc Error | Error |
| | EVID 14551: DFS Cross Forest Initialization | Sub Rule | General DfsSvc Information | Information |
| | EVID 1: DataKeeper Driver Started | Sub Rule | Process/Service Started | Startup and Shutdown |
| | EVID 144: Error Locking Volume | Sub Rule | Error Locking Volume | Error |
| | EVID 146: Volume Has Been Locked | Sub Rule | Object Modified | Access Success |
| | EVID 147: Volume Has Been Unlocked | Sub Rule | Object Modified | Access Success |
| | EVID 149: Open Handled Detected On Volume | Sub Rule | Open Handles Detected On Volume | Warning |
| | EVID 150: Invalid Attempt To Establish Mirror | Sub Rule | Create Object Failure | Access Failure |
| | EVID 152: Media Is Now Write Protected | Sub Rule | Media Is Now Write Protected | Information |
| | EVID 167: Unable To Connect To Volume | Sub Rule | Unable To Connect To Volume Port | Error |
| | EVID 23: Mirror Role Changed | Sub Rule | Mirror Role Changed | Information |
| | EVID 58: Error Writing Keep-Alive Packet | Sub Rule | Error Writing Keep-Alive Packet | Error |
| | Microsoft-Windows-Kernel-Boot Message | Sub Rule | Process/Service Startup Or Shutdown Activity | Startup and Shutdown |
| | EVID 1030: Username Or Password Incorrect | Sub Rule | Windows Group Policy Problem | Error |
| | EVID 1: Power Setup | Sub Rule | Power Info Msg | Information |
| | EVID 10001: Unable To Start DCOM Server | Sub Rule | Server Timed Out | Information |
| | EVID 10006: Unable To Start DCOM Server | Sub Rule | Server Timed Out | Information |
| | EVID 10009: Unable To Start DCOM Server | Sub Rule | Server Timed Out | Information |
| | EVID 101: Group Policy | Sub Rule | Windows Group Policy Problem | Error |
| | EVID 103: Group Policy | Sub Rule | Windows Group Policy Problem | Error |
| | EVID 105: Group Policy | Sub Rule | Install Failed | Error |
| | EVID 107: Group Policy | Sub Rule | Install Failed | Error |
| | EVID 108: Group Policy | Sub Rule | Install Failed | Error |
| | EVID 10028: DCOM Unable To Communicate | Sub Rule | Unable To Create Connection | Error |
| | EVID 10029: DCOM Unable To Communicate | Sub Rule | Update Stopped | Information |
| | EVID 10036: DCOM Unable To Communicate | Sub Rule | Update Stopped | Information |
| | EVID 1129: Group Policy | Sub Rule | ICMP Flow Events | Network Traffic |
| | EVID 1130: Group Policy | Sub Rule | Policy Notification | Information |
| | EVID 13: Group Policy | Sub Rule | Windows Group Policy Problem | Error |
| | EVID 130: Power Setup | Sub Rule | Power Failure Detected In Other Failover Device | Error |
| | EVID 131: Power Setup | Sub Rule | Power Failure Detected In Other Failover Device | Error |
| | EVID 137: Power Setup | Sub Rule | Power Info Msg | Information |
| | EVID 15: General Information | Sub Rule | General Information Log Message | Information |
| | EVID 1500: Group Policy | Sub Rule | Successfully Loaded Policy From Policy Server | Information |
| | EVID 1501: Group Policy | Sub Rule | Successfully Loaded Policy From Policy Server | Information |
| | EVID 16: Hardware Issue | Sub Rule | Hardware Problem | Warning |
| | EVID 187: Power Setup | Sub Rule | Power Info Msg | Information |
| | EVID 44: Windows Update | Sub Rule | General Windows Update Agent Warning | Warning |
| | EVID 7016: Windows Service | Sub Rule | Service Stop Failed | Error |
| | EVID 2004: Windows Memory | Sub Rule | System Memory Low | Warning |
| | EVID 23: Power Setup | Sub Rule | Power Failure Detected In Other Failover Device | Error |
| | EVID 24: Power Setup | Sub Rule | Power Failure Detected In Other Failover Device | Error |
| | EVID 292: Power Setup | Sub Rule | Power Notification | Warning |
| | EVID 33: Ethernet Info | Sub Rule | Ethernet Port Down | Warning |
| | EVID 34: Ethernet Info | Sub Rule | Ethernet Port Down | Warning |
| | EVID 35: Group Policy | Sub Rule | General Policy | Other Audit |
| | EVID 36874: Connection Request | Sub Rule | Connection Request | Network Traffic |
| | EVID 36876: Certificate Error | Sub Rule | Server Certificate Issued | Information |
| | EVID 36882: Certificate Error | Sub Rule | Unknown Certificate | Information |
| | EVID 36887: Certificate Error | Sub Rule | SSL/VPN Warning | Warning |
| | EVID 37: Security Check | Sub Rule | General System Warning | Warning |
| | EVID 40: Power Setup | Sub Rule | Power Failure Detected In Other Failover Device | Error |
| | EVID 42: Kerberos KDC Lacks Strong Account Key | Sub Rule | General Kerberos Error | Error |
| | EVID 43: Installation Of Updated KB | Sub Rule | KB Auto Sync Completed | Information |
| | EVID 4321: NBT Over TCP | Sub Rule | General NetBIOS Error | Error |
| | EVID 5002: Wireless | Sub Rule | Wireless Activity | Information |
| | EVID 5009: SSD Not Working | Sub Rule | General TermServSessDir Information | Information |
| | EVID 506: Power Setup | Sub Rule | Display Page Failure | Warning |
| | EVID 507: Power Setup | Sub Rule | Power Info Msg | Information |
| | EVID 566: Power Setup | Sub Rule | Power Failure Detected In Other Failover Device | Error |
| | EVID 6062: Wireless | Sub Rule | Wireless Activity | Information |
| | EVID 610: Smart Card | Sub Rule | General SCardSvr Error | Error |
| | EVID 7003: Wireless | Sub Rule | Wireless Activity | Information |
| | EVID 7012: Wireless | Sub Rule | Wireless Activity | Information |
| | EVID 7021: Wireless | Sub Rule | Wireless Activity | Information |
| | EVID 7023: Wireless | Sub Rule | Wireless Activity | Information |
| | EVID 7024: Service Control | Sub Rule | Service Stop Failed | Error |
| | EVID 7025: Power Setup | Sub Rule | Power Failure Detected In Other Failover Device | Error |
| | EVID 8012: DNS Client Events | Sub Rule | DNS Information-Only Event | Information |
| | EVID 308: App Mgmt Group Policy | Sub Rule | Policy Notification | Information |
| | EVID 57: Failed To Flush Data To Transaction Log | Sub Rule | General Maintenance Warning | Warning |
| | General: Service Control Manager Information | Sub Rule | General Service Control Manager Information | Information |
| | General: DfsSvc Information | Sub Rule | General DfsSvc Information | Information |
| | EVID 23: Change Password | Sub Rule | Password Reminder | Information |
| | EVID 23: Update | Sub Rule | Update Event | Information |
LogRhythm Default v2.0
N/A