RPC Data Messages
Vendor Documentation
Log messages are expected in the following IIS W3C field order. The second line shows the LogRhythm field each position is parsed into; a "-" marks a position that is not parsed:
date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
-, -, <process>, <dname>, <dip>, <command>, <url>, <object>, <dport>, <login>, <sip>, <version>, <useragent>, -, -, -, <responsecode>, -, -, <bytesin>, <bytesout>, -
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| N/A | <bytesin> | <bytesin> |
| N/A | <bytesout> | <bytesout> |
| N/A | <command> | <command> |
| N/A | <dip> | <dip> |
| N/A | <domain> | N/A |
| N/A | N/A | <dname> |
| N/A | <login> | <login> |
| N/A | N/A | <dport> |
| N/A | <object> | <object> |
| N/A | N/A | <process> |
| N/A | <objectname> | N/A |
| N/A | <responsecode> | <responsecode> |
| N/A | <sip> | <sip> |
| N/A | <tag1> | <tag1> |
| N/A | <tag2> | <tag2> |
| N/A | <url> | <url> |
| N/A | <sport> | N/A |
| N/A | <useragent> | <useragent> |
| N/A | <version> | <version> |
| N/A | <vmid> | N/A |
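As an added example (not part of the LogRhythm documentation), the following Python applies the positional mapping above to constructed IIS W3C lines and assigns the classification the v2.0 sub rules give by status code in the rule tables below. The sample lines, host names, users and addresses, and the `parse_log` / `sub_rule` helper names are assumptions.

```python
from typing import Optional

# Positional mapping from the page: W3C column -> LogRhythm field ("-" = not parsed).
W3C_TO_LOGRHYTHM = (
    "-", "-", "process", "dname", "dip", "command", "url", "object", "dport",
    "login", "sip", "version", "useragent", "-", "-", "-", "responsecode",
    "-", "-", "bytesin", "bytesout", "-",
)
NUMERIC = ("dport", "responsecode", "bytesin", "bytesout")

# Constructed sample (hypothetical hosts, users and addresses) in the page's field order.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2024-01-15 10:22:01 W3SVC1 EXCH01 10.0.0.5 RPC_IN_DATA /rpc/rpcproxy.dll exch01.corp.example:6001 443 CORP\\jdoe 10.0.0.77 HTTP/1.1 MSRPC - - mail.corp.example 200 0 0 1024 512 15
2024-01-15 10:22:03 W3SVC1 EXCH01 10.0.0.5 RPC_OUT_DATA /rpc/rpcproxy.dll exch01.corp.example:6001 443 - 10.0.0.78 HTTP/1.1 MSRPC - - mail.corp.example 404 0 2 1436 0 3
"""

def parse_w3c_line(line: str) -> Optional[dict]:
    """Map one W3C line to {logrhythm_field: value}; None for directive lines
    (#Software, #Fields, ...) or lines whose width does not match the mapping."""
    if not line.strip() or line.startswith("#"):
        return None
    cols = line.split(" ")
    if len(cols) != len(W3C_TO_LOGRHYTHM):
        return None  # wrong column count: do not guess positions
    rec = {}
    for name, value in zip(W3C_TO_LOGRHYTHM, cols):
        if name != "-" and value != "-":  # skip unmapped columns and empty W3C values
            rec[name] = int(value) if name in NUMERIC and value.isdigit() else value
    return rec

def parse_log(text: str) -> list:
    return [r for r in map(parse_w3c_line, text.splitlines()) if r]

def classify(status: int) -> str:
    # From the rule tables: 1xx-3xx are Information, 4xx/5xx (and 995) are Error.
    return "Error" if status >= 400 else "Information"

def sub_rule(rec: dict) -> Optional[tuple]:
    """Approximate the v2.0 sub rule a record selects (name prefix, classification);
    the exact rule names are the ones listed in the LogRhythm Default v2.0 table."""
    cmd, status = rec.get("command"), rec.get("responsecode")
    if cmd in ("RPC_IN_DATA", "RPC_OUT_DATA") and status in (200, 404):
        text = "OK" if status == 200 else "Not Found"
        return f"V 2.0 : {cmd}: {status} - {text}", classify(status)
    if cmd in ("PROPFIND", "HEAD"):
        return f"V 2.0 : {cmd} Request", "Activity"
    if cmd in ("GET", "POST") and isinstance(status, int):
        return f"V 2.0 : HTTP {cmd} {status}", classify(status)
    return None
```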
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1012178 | RPC Data Messages | Base Rule | General Message Information | Information |
| | POST Request | Sub Rule | HTTP POST Method Event | Information |
| | RPC_OUT_DATA: 200: OK | Sub Rule | HTTP 200 : Success Reply - OK | Information |
| | RPC_IN_DATA 404-Not Found | Sub Rule | HTTP 404 : Not Found | Error |
| | RPC_OUT_DATA 404-Not Found | Sub Rule | HTTP 404 : Not Found | Error |
| | RPC_IN_DATA: 200: OK | Sub Rule | HTTP 200 : Success Reply - OK | Information |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1013065 | V 2.0 : IIS W3C Events | Base Rule | General IIS Activity | Information |
| | V 2.0 : HTTP POST 400 : Bad Request | Sub Rule | HTTP 400 : Bad Request | Error |
| | V 2.0 : HTTP POST 401 : Unauthorized | Sub Rule | HTTP 401 : Unauthorized | Error |
| | V 2.0 : HTTP POST 402 : Request Err - Payment Req | Sub Rule | HTTP 402 : Request Error - Payment Required | Error |
| | V 2.0 : HTTP POST 403 : Forbidden | Sub Rule | HTTP 403 : Forbidden | Error |
| | V 2.0 : HTTP POST 404 : Not Found | Sub Rule | HTTP 404 : Not Found | Error |
| | V 2.0 : HTTP POST 405 : Method Not Allowed | Sub Rule | HTTP 405 : Method Not Allowed | Error |
| | V 2.0 : HTTP POST 406 : Not Acceptable | Sub Rule | HTTP 406 : Not Acceptable | Error |
| | V 2.0 : HTTP POST 407 : Proxy Authentication Req | Sub Rule | HTTP 407 : Proxy Authentication Required | Error |
| | V 2.0 : HTTP POST 408 : Request Timeout | Sub Rule | HTTP 408 : Request Timeout | Error |
| | V 2.0 : HTTP POST 409 : Conflict | Sub Rule | HTTP 409 : Conflict | Error |
| | V 2.0 : HTTP POST 410 : Gone | Sub Rule | HTTP 410 : Gone | Error |
| | V 2.0 : HTTP POST 411 : Length Required | Sub Rule | HTTP 411 : Length Required | Error |
| | V 2.0 : HTTP POST 412 : Precondition Failed | Sub Rule | HTTP 412 : Precondition Failed | Error |
| | V 2.0 : HTTP POST 413 : Request Entity Too Large | Sub Rule | HTTP 413 : Request Entity Too Large | Error |
| | V 2.0 : HTTP POST 414 : Request-URI Too Long | Sub Rule | HTTP 414 : Request-URI Too Long | Error |
| | V 2.0 : HTTP POST 415 : Unsupported Media Type | Sub Rule | HTTP 415 : Unsupported Media Type | Error |
| | V 2.0 : HTTP POST 416 : Requested Range Not Satisf | Sub Rule | HTTP 416 : Requested Range Not Satisfiable | Error |
| | V 2.0 : HTTP POST 417 : Expectation Failed | Sub Rule | HTTP 417 : Expectation Failed | Error |
| | V 2.0 : HTTP POST 440 : Req Error - Login Timeout | Sub Rule | HTTP 440 : Request Error - Login Timeout | Error |
| | V 2.0 : HTTP POST 500 : Server Err - Int Server Err | Sub Rule | HTTP 500 : Server Error - Internal Server Error | Error |
| | V 2.0 : HTTP POST 501 : Server Err - Not Implement | Sub Rule | HTTP 501 : Server Error - Not Implemented | Error |
| | V 2.0 : HTTP POST 502 : Server Error - Bad Gateway | Sub Rule | HTTP 502 : Server Error - Bad Gateway | Error |
| | V 2.0 : HTTP POST 503 : Service Unavailable | Sub Rule | HTTP 503 : Service Unavailable | Error |
| | V 2.0 : HTTP POST 504 : Server Err -Gateway Timeout | Sub Rule | HTTP 504 : Server Error - Gateway Time-Out | Error |
| | V 2.0 : HTTP POST 505 : Server Err -HTTP Ver Unsupp | Sub Rule | HTTP 505 : Server Error - HTTP Ver Unsupported | Error |
| | V 2.0 : HTTP POST 995 : SSL Operation Aborted | Sub Rule | HTTP 995 : Request Error - SSL Operation Aborted | Error |
| | V 2.0 : HTTP POST 100 : Continue | Sub Rule | HTTP 100 : Continue | Information |
| | V 2.0 : HTTP POST 101 : Transition Status- Protocol | Sub Rule | HTTP 101 : Transition Status - Protocol Switch | Information |
| | V 2.0 : HTTP POST 200 : Success Reply - OK | Sub Rule | HTTP 200 : Success Reply - OK | Information |
| | V 2.0 : HTTP POST 201 : Success Reply - Created | Sub Rule | HTTP 201 : Success Reply - Created | Information |
| | V 2.0 : HTTP POST 202 : Success Reply - Accepted | Sub Rule | HTTP 202 : Success Reply - Accepted | Information |
| | V 2.0 : HTTP POST 203 : Success Reply - Non-auth | Sub Rule | HTTP 203 : Success Reply - Nonauthoritative Info | Information |
| | V 2.0 : HTTP POST 204 : Success Reply - No Content | Sub Rule | HTTP 204 : Success Reply - No Content | Information |
| | V 2.0 : HTTP POST 205 : Success Reply-Reset Content | Sub Rule | HTTP 205 : Success Reply - Reset Content | Information |
| | V 2.0 :HTTP POST 206 : Success Rep -Partial Content | Sub Rule | HTTP 206 : Success Reply - Partial Content | Information |
| | V 2.0 : HTTP POST 207 : Success - Multistatus Resp | Sub Rule | HTTP 207 : Success - Multistatus Response | Information |
| | V 2.0 : HTTP POST 300 : Redirect - Multiple Choice | Sub Rule | HTTP 300 : Redirect - Multiple Choices | Information |
| | V 2.0 : HTTP POST 301 : Redirect - Moved Permanent | Sub Rule | HTTP 301 : Redirect - Moved Permanently | Information |
| | V 2.0 : HTTP POST 302 : Redirect - Moved Temporary | Sub Rule | HTTP 302 : Redirect - Moved Temporarily | Information |
| | V 2.0 : HTTP POST 303 : Redirect - See Other | Sub Rule | HTTP 303 : Redirect - See Other | Information |
| | V 2.0 : HTTP POST 304 : Redirect - Not Modified | Sub Rule | HTTP 304 : Redirect - Not Modified | Information |
| | V 2.0 : HTTP POST 305 : Redirect - Use Proxy | Sub Rule | HTTP 305 : Redirect - Use Proxy | Information |
| | V 2.0 : HTTP POST 306 : Redirect - Unused | Sub Rule | HTTP 306 : Redirect - Unused | Information |
| | V 2.0 :HTTP POST 307 : Redirect -Temporary Redirect | Sub Rule | HTTP 307 : Redirect - Temporary Redirect | Information |
| | V 2.0 : HTTP GET 100 : Transitional - Continue | Sub Rule | HTTP 100 : Continue | Information |
| | V 2.0 : HTTP GET 101 : Transitional - Proto Switch | Sub Rule | HTTP 101 : Transition Status - Protocol Switch | Information |
| | V 2.0 : HTTP GET 200 : Success - OK | Sub Rule | HTTP 200 : Success Reply - OK | Information |
| | V 2.0 : HTTP GET 201 : Success - Created | Sub Rule | HTTP 201 : Success Reply - Created | Information |
| | V 2.0 : HTTP GET 202 : Success - Accepted | Sub Rule | HTTP 202 : Success Reply - Accepted | Information |
| | V 2.0 : HTTP GET 203 : Success - Nonauthoritative | Sub Rule | HTTP 203 : Success Reply - Nonauthoritative Info | Information |
| | V 2.0 : HTTP GET 204 : Success - No Content | Sub Rule | HTTP 204 : Success Reply - No Content | Information |
| | V 2.0 : HTTP GET 205 : Success - Reset Content | Sub Rule | HTTP 205 : Success Reply - Reset Content | Information |
| | V 2.0 : HTTP GET 206 : Success - Partial Content | Sub Rule | HTTP 206 : Success Reply - Partial Content | Information |
| | V 2.0 : HTTP GET 207 : Success - Mult Response | Sub Rule | HTTP 207 : Success - Multistatus Response | Information |
| | V 2.0 : HTTP GET 300 : Redirect - Multiple Choices | Sub Rule | HTTP 300 : Redirect - Multiple Choices | Information |
| | V 2.0 : HTTP GET 301 : Redirect - Moved Permanentl | Sub Rule | HTTP 301 : Redirect - Moved Permanently | Information |
| | V 2.0 : HTTP GET 302 : Redirect- Moved Temporarily | Sub Rule | HTTP 302 : Redirect - Moved Temporarily | Information |
| | V 2.0 : HTTP GET 303 : Redirect - See Other | Sub Rule | HTTP 303 : Redirect - See Other | Information |
| | V 2.0 : HTTP GET 304 : Redirect - Not Modified | Sub Rule | HTTP 304 : Redirect - Not Modified | Information |
| | V 2.0 : HTTP GET 305 : Redirect - Use Proxy | Sub Rule | HTTP 305 : Redirect - Use Proxy | Information |
| | V 2.0 : HTTP GET 306 : Redirect - Unused | Sub Rule | HTTP 306 : Redirect - Unused | Information |
| | V 2.0 : HTTP GET 307 : Redirect-Temporary Redirect | Sub Rule | HTTP 307 : Redirect - Temporary Redirect | Information |
| | V 2.0 : HTTP GET 400 : Req Error - Bad Request | Sub Rule | HTTP 400 : Bad Request | Error |
| | V 2.0 : HTTP GET 401 : Req Error - Unauthorized | Sub Rule | HTTP 401 : Unauthorized | Error |
| | V 2.0 : HTTP GET 402 : Req Error-Payment Required | Sub Rule | HTTP 402 : Request Error - Payment Required | Error |
| | V 2.0 : HTTP GET 403 : Req Error - Forbidden | Sub Rule | HTTP 403 : Forbidden | Error |
| | V 2.0 : HTTP GET 404 : Req Error - Not Found | Sub Rule | HTTP 404 : Not Found | Error |
| | V 2.0 : HTTP GET 405 : Req Error-Method Not Allowed | Sub Rule | HTTP 405 : Request Error - Method Not Allowed | Error |
| | V 2.0 : HTTP GET 406 : Req Error - Not Acceptable | Sub Rule | HTTP 406 : Not Acceptable | Error |
| | V 2.0 : HTTP GET 407 : Req Error-Proxy Auth Request | Sub Rule | HTTP 407 : Request Error - Proxy Auth Required | Error |
| | V 2.0 : HTTP GET 408 : Req Error -Request Time Out | Sub Rule | HTTP 408 : Request Error - Request Time-Out | Error |
| | V 2.0 : HTTP GET 409 : Req Error - Conflict | Sub Rule | HTTP 409 : Request Error - Conflict | Error |
| | V 2.0 : HTTP GET 410 : Req Error - Gone | Sub Rule | HTTP 410 : Request Error - Gone | Error |
| | V 2.0 : HTTP GET 411 : Req Error - Length Required | Sub Rule | HTTP 411 : Request Error - Length Required | Error |
| | V 2.0 :HTTP GET 412 : Req Error-Precondition Failed | Sub Rule | HTTP 412 : Request Error - Precondition Failed | Error |
| | V 2.0 : HTTP GET 413 : Req Error-Req Item Too Big | Sub Rule | HTTP 413 : Request Error - Request Item Too Big | Error |
| | V 2.0 : HTTP GET 414 : Req Error-Req URL Too Large | Sub Rule | HTTP 414 : Request-URI Too Long | Error |
| | V 2.0 : HTTP GET 415 : Req Error -Unsupported Type | Sub Rule | HTTP 415 : Request Error - Unsupported Type | Error |
| | V 2.0 :HTTP GET 416 : Req Error-Req Rng Unfillable | Sub Rule | HTTP 416 : Request Error - Range Unfillable | Error |
| | V 2.0 : HTTP GET 417 : Req Error -Expectation Failed | Sub Rule | HTTP 417 : Request Error - Expectation Failed | Error |
| | V 2.0 : HTTP GET 440 : Client Error -Login Timeout | Sub Rule | HTTP 440 : Request Error - Login Timeout | Error |
| | V 2.0 : HTTP GET 500 : Svr Err -Internal Server Err | Sub Rule | HTTP 500 : Server Error - Internal Server Error | Error |
| | V 2.0 : HTTP GET 501 : Svr Error - Not Implemented | Sub Rule | HTTP 501 : Server Error - Not Implemented | Error |
| | V 2.0 : HTTP GET 502 : Svr Error - Bad Gateway | Sub Rule | HTTP 502 : Server Error - Bad Gateway | Error |
| | V 2.0 : HTTP GET 503 : Svr Err-Service Unavailable | Sub Rule | HTTP 503 : Server Error - Service Unavailable | Error |
| | V 2.0 : HTTP GET 504 : Svr Error -Gateway Time Out | Sub Rule | HTTP 504 : Server Error - Gateway Time-Out | Error |
| | V 2.0 :HTTP GET 505 : Svr Error-HTTP Ver Unsupported | Sub Rule | HTTP 505 : Server Error - HTTP Ver Unsupported | Error |
| | V 2.0 : GET Request | Sub Rule | HTTP GET Method Event | Information |
| | V 2.0 : POST Request | Sub Rule | HTTP POST Method Event | Information |
| | V 2.0 : RPC_OUT_DATA: 200 - OK | Sub Rule | HTTP 200 : Success Reply - OK | Information |
| | V 2.0 : RPC_IN_DATA: 404 - Not Found | Sub Rule | HTTP 404 : Not Found | Error |
| | V 2.0 : RPC_OUT_DATA: 404 - Not Found | Sub Rule | HTTP 404 : Not Found | Error |
| | V 2.0 : RPC_IN_DATA: 200 - OK | Sub Rule | HTTP 200 : Success Reply - OK | Information |
| | V 2.0 : PROPFIND Request | Sub Rule | Webdav Protocol PROPFIND Method | Activity |
| | V 2.0 : HEAD Request | Sub Rule | HTTP Head | Activity |
| | V 2.0 : HTTP 440 : Client Error - Login Timeout | Sub Rule | HTTP 440 : Request Error - Login Timeout | Error |
| | V 2.0 : HTTP 207 : Success - Multistatus Response | Sub Rule | HTTP 207 : Success - Multistatus Response | Information |
| | V 2.0 : HTTP 100 : Transitional - Continue | Sub Rule | HTTP 100 : Transition Status - Continue | Information |
| | V 2.0 : HTTP 101 : Transitional - Protocol Switch | Sub Rule | HTTP 101 : Transition Status - Protocol Switch | Information |
| | V 2.0 : HTTP 200 : Success - OK | Sub Rule | HTTP 200 : Success Reply - OK | Information |
| | V 2.0 : HTTP 201 : Success - Created | Sub Rule | HTTP 201 : Success Reply - Created | Information |
| | V 2.0 : HTTP 202 : Success - Accepted | Sub Rule | HTTP 202 : Success Reply - Accepted | Information |
| | V 2.0 : HTTP 203 : Success - Nonauthoritative Info | Sub Rule | HTTP 203 : Success Reply - Nonauthoritative Info | Information |
| | V 2.0 : HTTP 204 : Success - No Content | Sub Rule | HTTP 204 : Success Reply - No Content | Information |
| | V 2.0 : HTTP 205 : Success - Reset Content | Sub Rule | HTTP 205 : Success Reply - Reset Content | Information |
| | V 2.0 : HTTP 206 : Success - Partial Content | Sub Rule | HTTP 206 : Success Reply - Partial Content | Information |
| | V 2.0 : HTTP 300 : Redirect - Multiple Choices | Sub Rule | HTTP 300 : Redirect - Multiple Choices | Information |
| | V 2.0 : HTTP 301 : Redirect - Moved Permanently | Sub Rule | HTTP 301 : Redirect - Moved Permanently | Information |
| | V 2.0 : HTTP 302 : Redirect - Moved Temporarily | Sub Rule | HTTP 302 : Redirect - Moved Temporarily | Information |
| | V 2.0 : HTTP 303 : Redirect - See Other | Sub Rule | HTTP 303 : Redirect - See Other | Information |
| | V 2.0 : HTTP 304 : Redirect - Not Modified | Sub Rule | HTTP 304 : Redirect - Not Modified | Information |
| | V 2.0 : HTTP 305 : Redirect - Use Proxy | Sub Rule | HTTP 305 : Redirect - Use Proxy | Information |
| | V 2.0 : HTTP 306 : Redirect - Unused | Sub Rule | HTTP 306 : Redirect - Unused | Information |
| | V 2.0 : HTTP 307 : Redirect - Temporary Redirect | Sub Rule | HTTP 307 : Redirect - Temporary Redirect | Information |
| | V 2.0 : HTTP 400 : Req Error - Bad Request | Sub Rule | HTTP 400 : Request Error - Bad Request | Error |
| | V 2.0 : HTTP 401 : Req Error - Unauthorized | Sub Rule | HTTP 401 : Request Error - Unauthorized | Error |
| | V 2.0 : HTTP 402 : Req Error - Payment Required | Sub Rule | HTTP 402 : Request Error - Payment Required | Error |
| | V 2.0 : HTTP 403 : Req Error - Forbidden | Sub Rule | HTTP 403 : Request Error - Forbidden | Error |
| | V 2.0 : HTTP 404 : Req Error - Not Found | Sub Rule | HTTP 404 : Request Error - Not Found | Error |
| | V 2.0 : HTTP 405 : Req Error - Method Not Allowed | Sub Rule | HTTP 405 : Request Error - Method Not Allowed | Error |
| | V 2.0 : HTTP 406 : Req Error - Not Acceptable | Sub Rule | HTTP 406 : Request Error - Not Acceptable | Error |
| | V 2.0 : HTTP 407 : Req Error -Proxy Auth Requested | Sub Rule | HTTP 407 : Request Error - Proxy Auth Required | Error |
| | V 2.0 : HTTP 408 : Req Error - Request Time Out | Sub Rule | HTTP 408 : Request Error - Request Time-Out | Error |
| | V 2.0 : HTTP 409 : Req Error - Conflict | Sub Rule | HTTP 409 : Request Error - Conflict | Error |
| | V 2.0 : HTTP 410 : Req Error - Gone | Sub Rule | HTTP 410 : Request Error - Gone | Error |
| | V 2.0 : HTTP 411 : Req Error - Length Required | Sub Rule | HTTP 411 : Request Error - Length Required | Error |
| | V 2.0 : HTTP 412 : Req Error - Precondition Failed | Sub Rule | HTTP 412 : Request Error - Precondition Failed | Error |
| | V 2.0 : HTTP 413 : Req Error - Req Item Too Big | Sub Rule | HTTP 413 : Request Error - Request Item Too Big | Error |
| | V 2.0 : HTTP 414 : Req Error - Req URL Too Large | Sub Rule | HTTP 414 : Request Error - Request-URL Too Large | Error |
| | V 2.0 : HTTP 415 : Req Error - Unsupported Type | Sub Rule | HTTP 415 : Request Error - Unsupported Type | Error |
| | V 2.0 : HTTP 416 : Req Error - Req Rng Unfillable | Sub Rule | HTTP 416 : Request Error - Range Unfillable | Error |
| | V 2.0 : HTTP 417 : Req Error - Expectation Failed | Sub Rule | HTTP 417 : Request Error - Expectation Failed | Error |
| | V 2.0 : HTTP 500 : Svr Error - Internal Server Err | Sub Rule | HTTP 500 : Server Error - Internal Server Error | Error |
| | V 2.0 : HTTP 501 : Svr Error - Not Implemented | Sub Rule | HTTP 501 : Server Error - Not Implemented | Error |
| | V 2.0 : HTTP 502 : Svr Error - Bad Gateway | Sub Rule | HTTP 502 : Server Error - Bad Gateway | Error |
| | V 2.0 : HTTP 503 : Svr Error - Service Unavailable | Sub Rule | HTTP 503 : Server Error - Service Unavailable | Error |
| | V 2.0 : HTTP 504 : Svr Error - Gateway Time Out | Sub Rule | HTTP 504 : Server Error - Gateway Time-Out | Error |
| | V 2.0 : HTTP 505 : Svr Error - HTTP Ver Unsupporte | Sub Rule | HTTP 505 : Server Error - HTTP Ver Unsupported | Error |