Vendor Documentation
Classification
|
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|
|
SSL VPN Events |
Base Rule |
General SSL/VPN Session Information |
Information |
|
VMID 39953 : Leave Conserve Mode |
Sub Rule |
Mode Changed |
Information |
|
VMID 39952 : Enter Conserve Mode |
Sub Rule |
Mode Changed |
Information |
|
VMID 39949 : Tunnel Statistics |
Sub Rule |
Session Transfer Statistics |
Information |
|
VMID 39948 : Tunnel Shutdown |
Sub Rule |
VPN Session Terminated |
Network Traffic |
|
VMID 39947 : Tunnel Established |
Sub Rule |
VPN Session Started |
Network Traffic |
|
VMID 39946 : Exit Error |
Sub Rule |
General SSLVPN Session Error |
Error |
|
VMID 39944 : Handshake Failure |
Sub Rule |
Handshake Failed |
Warning |
|
VMID 39943 : New Connection |
Sub Rule |
SSL Connection Created |
Information |
|
VMID 39940 : Web Application Closed |
Sub Rule |
Web Application Closed |
Information |
|
VMID 39938 : Web Application Activated |
Sub Rule |
Application Invoked |
Information |
|
VMID 39936 : Web Tunnel Statistics |
Sub Rule |
Session Transfer Statistics |
Information |
|
VMID 39426 : Failed User Login |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
VMID 39425 : Tunnel Shutdown |
Sub Rule |
VPN Session Terminated |
Network Traffic |
|
VMID 39424 : Tunnel Established |
Sub Rule |
Authentication Activity |
Authentication Success |
Mapping with LogRhythm Schema
|
Device Key in Log Message |
LogRhythm Schema |
Data Type |
Schema Description |
|
logid |
<vmid> |
Number |
The ID (logid) is a 10-digit field. It is a unique identifier for that specific log. |
|
level |
<severity> |
Text\String |
Each log entry contains a Level (level) field that indicates the estimated severity of the event that caused the log entry. |
|
remip
|
<sip> |
IP Address |
IP address of the traffic’s origin |
|
tunnelip |
<snatip> |
IP Address |
N/A |
|
tunneltype |
<protname> |
Text\String |
N/A |
|
user |
<login> |
Text\String |
N/A |
|
vd |
<domainorigin> |
Text\String |
Name of the virtual domain in which the log message was recorded. |
|
action |
<process> |
Text\String |
N/A |
|
logdesc |
<object> |
Text\String |
N/A |
|
reason |
<objectname> |
Text\String |
N/A |
|
msg |
<subject> |
Text\String |
N/A |
|
dst_host |
<url> |
Text\String |
N/A |
|
group |
<group> |
Text\String |
N/A |
|
rcvdbyte |
<bytesin> |
Number |
N/A |
|
sentbyte |
<bytesout> |
Number |
N/A |
|
duration |
<duration> |
Number |
N/A |