SSL VPN Events
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| SSL VPN Events | Base Rule | General SSL/VPN Session Information | Information |
| VMID 39953 : Leave Conserve Mode | Sub Rule | Mode Changed | Information |
| VMID 39952 : Enter Conserve Mode | Sub Rule | Mode Changed | Information |
| VMID 39949 : Tunnel Statistics | Sub Rule | Session Transfer Statistics | Information |
| VMID 39948 : Tunnel Shutdown | Sub Rule | VPN Session Terminated | Network Traffic |
| VMID 39947 : Tunnel Established | Sub Rule | VPN Session Started | Network Traffic |
| VMID 39946 : Exit Error | Sub Rule | General SSLVPN Session Error | Error |
| VMID 39944 : Handshake Failure | Sub Rule | Handshake Failed | Warning |
| VMID 39943 : New Connection | Sub Rule | SSL Connection Created | Information |
| VMID 39940 : Web Application Closed | Sub Rule | Web Application Closed | Information |
| VMID 39938 : Web Application Activated | Sub Rule | Application Invoked | Information |
| VMID 39936 : Web Tunnel Statistics | Sub Rule | Session Transfer Statistics | Information |
| VMID 39426 : Failed User Login | Sub Rule | User Logon Failure | Authentication Failure |
| VMID 39425 : Tunnel Shutdown | Sub Rule | VPN Session Terminated | Network Traffic |
| VMID 39424 : Tunnel Established | Sub Rule | Authentication Activity | Authentication Success |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| logid | <vmid> | Number | The ID (logid) is a 10-digit field. It is a unique identifier for that specific log. |
| level | <severity> | Text\String | Each log entry contains a Level (level) field that indicates the estimated severity of the event that caused the log entry. |
| remip | <sip> | IP Address | IP address of the traffic’s origin |
| tunnelip | <snatip> | IP Address | N/A |
| tunneltype | <protname> | Text\String | N/A |
| user | <login> | Text\String | N/A |
| vd | <domainorigin> | Text\String | Name of the virtual domain in which the log message was recorded. |
| action | <process> | Text\String | N/A |
| logdesc | <object> | Text\String | N/A |
| reason | <objectname> | Text\String | N/A |
| msg | <subject> | Text\String | N/A |
| dst_host | <url> | Text\String | N/A |
| group | <group> | Text\String | N/A |
| rcvdbyte | <bytesin> | Number | N/A |
| sentbyte | <bytesout> | Number | N/A |
| duration | <duration> | Number | N/A |