Pattern Catch All : Level 3
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| Provider | <tag1>, <objectname>, <process> | N/A |
| EventID Qualifiers | <vmid> | N/A |
| Version | N/A | N/A |
| Level | <severity> | N/A |
| Task | N/A | N/A |
| Opcode | N/A | N/A |
| Keywords | N/A | N/A |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution ProcessID | <processid> | N/A |
| ThreadID | <session> | N/A |
| Channel | N/A | N/A |
| Computer | <dname> | N/A |
| Security | <domain> <login> | N/A |
| Data | <vendorinfo> | N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1008171 | Pattern Catch All : Level 3 | Base Rule | General Information | Information |
| EVID 57: Failed To Flush Data To Transaction Log | Sub Rule | General Maintenance Warning | Warning | |
| EVID 6005: Event Log Service Started | Sub Rule | General Logging Information | Information | |
| EVID 6006: Event Log Service Stopped | Sub Rule | General Logging Information | Information | |
| EVID 6008: Previous Shutdown Unexpected | Sub Rule | Unclean Shutdown | Warning | |
| EVID 6009: System Boot Info | Sub Rule | System Started | Startup and Shutdown | |
| Microsoft-Windows-WinRM | Sub Rule | General Administration Server Information | Information | |
| EVID 133: Optical Drive Locked - Exclusive Access | Sub Rule | Access Object Failure | Access Failure | |
| EVID 1001: SNMP Service Started Successfully | Sub Rule | Process/Service Started | Startup and Shutdown | |
| EVID 13: System Shutting Down | Sub Rule | System Shutting Down | Startup and Shutdown | |
| EVID 27: Windows Automatic Update Service Paused | Sub Rule | Process/Service Stopped | Startup and Shutdown | |
| EVID 51046: DHCPv6 Client Service Started | Sub Rule | Process/Service Started | Startup and Shutdown | |
| EVID 50036: DHCP Client Service Starting | Sub Rule | Process/Service Starting | Startup and Shutdown | |
| EVID 10016: COM Access Denied | Sub Rule | Initialize Object Failure | Access Failure | |
| EVID 12: OS Started At Time | Sub Rule | System Starting | Startup and Shutdown | |
| EVID 129: NTPClient Unable To Set Domain Peer | Sub Rule | NTP Server Unreachable | Error | |
| EVID 1500: SNMP Traps Not Configured | Sub Rule | General SNMPTRAP Error | Error | |
| EVID 20001: Driver Install Process Completed | Sub Rule | Software Installed | Configuration | |
| EVID 20003: Service Install Process Complete | Sub Rule | Software Installed | Configuration | |
| EVID 20010: PnP Service State Change | Sub Rule | Process/Service Startup Or Shutdown Activity | Startup and Shutdown | |
| EVID 2242: Patrol Read Started | Sub Rule | Process/Service Started | Startup and Shutdown | |
| EVID 2243: Patrol Read Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown | |
| EVID 26: Application Popup | Sub Rule | General Application Popup Information | Information | |
| EVID 26: Processor State | Sub Rule | Processor Information | Information | |
| EVID 3: Virtual Disk Service Started | Sub Rule | Process/Service Started | Startup and Shutdown | |
| EVID 4: Virtual Disk Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown | |
| EVID 36885: Too Many Trusted Cert Authorities | Sub Rule | Certificate Services Denied Certificate Request | Warning | |
| EVID 36888: Schannel Fatal Alert | Sub Rule | General Schannel Error | Error | |
| EVID 50037: DHCPv4 Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown | |
| EVID 50037: DHCPv6 Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown | |
| EVID 5074: Worker Process Recycle Request | Sub Rule | Process/Service Startup Or Shutdown Activity | Startup and Shutdown | |
| EVID 5186: Inactive Worker Process Shutdown | Sub Rule | Process/Service Stopped | Startup and Shutdown | |
| EVID 5719: No DC Available For Domain | Sub Rule | Domain Controller Unreachable | Error | |
| EVID 10010: Server Registration With DCOM Timeout | Sub Rule | Device Timeout | Error | |
| EVID 10020: Dynamic IPv6 Assigned To Server | Sub Rule | General DHCPServer Warning | Warning | |
| EVID 10149: WinRM Is Not Listening | Sub Rule | Listener Failed | Error | |
| EVID 1: CBA Filter Disk Info | Sub Rule | General Disk Information | Information | |
| EVID 103: MSISCSI Timeout | Sub Rule | General iSCSI Error | Error | |
| EVID 41: System Did Not Shutdown Properly | Sub Rule | Unclean Shutdown | Warning | |
| EVID 14531: DFS Finished Initialization | Sub Rule | Process/Service Starting | Startup and Shutdown | |
| EVID 14533: DFS Finished Building Name Space | Sub Rule | Process/Service Starting | Startup and Shutdown | |
| EVID 14550: DFS Cross Forest Initialization Error | Sub Rule | General DfsSvc Error | Error | |
| EVID 14551: DFS Cross Forest Initialization | Sub Rule | General DfsSvc Information | Information | |
| EVID 1: DataKeeper Driver Started | Sub Rule | Process/Service Started | Startup and Shutdown | |
| EVID 144: Error Locking Volume | Sub Rule | Error Locking Volume | Error | |
| EVID 146: Volume Has Been Locked | Sub Rule | Object Modified | Access Success | |
| EVID 147: Volume Has Been Unlocked | Sub Rule | Object Modified | Access Success | |
| EVID 149: Open Handled Detected On Volume | Sub Rule | Open Handles Detected On Volume | Warning | |
| EVID 150: Invalid Attempt To Establish Mirror | Sub Rule | Create Object Failure | Access Failure | |
| EVID 152: Media Is Now Write Protected | Sub Rule | Media Is Now Write Protected | Information | |
| EVID 167 :Unable To Connect To Volume | Sub Rule | Unable To Connect To Volume Port | Error | |
| EVID 23: Mirror Role Changed | Sub Rule | Mirror Role Changed | Information | |
| EVID 58: Error Writing Keep-Alive Packet | Sub Rule | Error Writing Keep-Alive Packet | Error | |
| Microsoft-Windows-Kernel-Boot Message | Sub Rule | Process/Service Startup Or Shutdown Activity | Startup and Shutdown | |
| EVID 1030: Username Or Password Incorrect | Sub Rule | Windows Group Policy Problem | Error | |
| EVID 1: Power Setup | Sub Rule | Power Info Msg | Information | |
| EVID 10001: Unable To Start DCOM Server | Sub Rule | Server Timed Out | Information | |
| EVID 10006: Unable To Start DCOM Server | Sub Rule | Server Timed Out | Information | |
| EVID 10009: Unable To Start DCOM Server | Sub Rule | Server Timed Out | Information | |
| EVID 101: Group Policy | Sub Rule | Windows Group Policy Problem | Error | |
| EVID 103: Group Policy | Sub Rule | Windows Group Policy Problem | Error | |
| EVID 105: Group Policy | Sub Rule | Install Failed | Error | |
| EVID 107: Group Policy | Sub Rule | Install Failed | Error | |
| EVID 108: Group Policy | Sub Rule | Install Failed | Error | |
| EVID 10028: DCOM Unable To Communicate | Sub Rule | Unable To Create Connection | Error | |
| EVID 10029: DCOM Unable To Communicate | Sub Rule | Update Stopped | Information | |
| EVID 10036: DCOM Unable To Communicate | Sub Rule | Update Stopped | Information | |
| EVID 1129: Group Policy | Sub Rule | ICMP Flow Events | Network Traffic | |
| EVID 1130: Group Policy | Sub Rule | Policy Notification | Information | |
| EVID 13: Group Policy | Sub Rule | Windows Group Policy Problem | Error | |
| EVID 130: Power Setup | Sub Rule | Power Failure Detected In Other Failover Device | Error | |
| EVID 131: Power Setup | Sub Rule | Power Failure Detected In Other Failover Device | Error | |
| EVID 137: Power Setup | Sub Rule | Power Info Msg | Information | |
| EVID 15: General Information | Sub Rule | General Information Log Message | Information | |
| EVID 1500: Group Policy | Sub Rule | Successfully Loaded Policy From Policy Server | Information | |
| EVID 1501: Group Policy | Sub Rule | Successfully Loaded Policy From Policy Server | Information | |
| EVID 16: Hardware Issue | Sub Rule | Hardware Problem | Warning | |
| EVID 187: Power Setup | Sub Rule | Power Info Msg | Information | |
| EVID 44: Windows Update | Sub Rule | General Windows Update Agent Warning | Warning | |
| EVID 7016: Windows Service | Sub Rule | Service Stop Failed | Error | |
| EVID 2004: Windows Memory | Sub Rule | System Memory Low | Warning | |
| EVID 23: Power Setup | Sub Rule | Power Failure Detected In Other Failover Device | Error | |
| EVID 24: Power Setup | Sub Rule | Power Failure Detected In Other Failover Device | Error | |
| EVID 292: Power Setup | Sub Rule | Power Notification | Warning | |
| EVID 33: Ethernet Info | Sub Rule | Ethernet Port Down | Warning | |
| EVID 34: Ethernet Info | Sub Rule | Ethernet Port Down | Warning | |
| EVID 35: Group Policy | Sub Rule | General Policy | Other Audit | |
| EVID 36874: Connection Request | Sub Rule | Connection Request | Network Traffic | |
| EVID 36876: Certificate Error | Sub Rule | Server Certificate Issued | Information | |
| EVID 36882: Certificate Error | Sub Rule | Unknown Certificate | Information | |
| EVID 36887: Certificate Error | Sub Rule | SSL/VPN Warning | Warning | |
| EVID 37: Security Check | Sub Rule | General System Warning | Warning | |
| EVID 40: Power Setup | Sub Rule | Power Failure Detected In Other Failover Device | Error | |
| EVID 42: Kerberos KDC Lacks Strong Account Key | Sub Rule | General Kerberos Error | Error | |
| EVID 43: Installation Of Updated KB | Sub Rule | KB Auto Sync Completed | Information | |
| EVID 4321: NBT Over TCP | Sub Rule | General NetBIOS Error | Error | |
| EVID 5002: Wireless | Sub Rule | Wireless Activity | Information | |
| EVID 5009: SSD Not Working | Sub Rule | General TermServSessDir Information | Information | |
| EVID 506: Power Setup | Sub Rule | Display Page Failure | Warning | |
| EVID 507: Power Setup | Sub Rule | Power Info Msg | Information | |
| EVID 566: Power Setup | Sub Rule | Power Failure Detected In Other Failover Device | Error | |
| EVID 6062: Wireless | Sub Rule | Wireless Activity | Information | |
| EVID 610: Smart Card | Sub Rule | General SCardSvr Error | Error | |
| EVID 7003: Wireless | Sub Rule | Wireless Activity | Information | |
| EVID 7012: Wireless | Sub Rule | Wireless Activity | Information | |
| EVID 7021: Wireless | Sub Rule | Wireless Activity | Information | |
| EVID 7023: Wireless | Sub Rule | Wireless Activity | Information | |
| EVID 7024: Service Control | Sub Rule | Service Stop Failed | Error | |
| EVID 7025: Power Setup | Sub Rule | Power Failure Detected In Other Failover Device | Error | |
| EVID 8012: DNS Client Events | Sub Rule | DNS Information-Only Event | Information | |
| EVID 308: App Mgmt Group Policy | Sub Rule | Policy Notification | Information | |
| EVID 57: Failed To Flush Data To Transaction Log | Sub Rule | General Maintenance Warning | Warning | |
| General: Service Control Manager Information | Sub Rule | General Service Control Manager Information | Information | |
| General: DfsSvc Information | Sub Rule | General DfsSvc Information | Information | |
| EVID 23: Change Password | Sub Rule | Password Reminder | Information | |
| EVID 23: Update | Sub Rule | Update Event | Information |
LogRhythm Default v2.0
N/A