Status Messages (LST: Syslog - Symantec ICDX CEF)
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Status Messages | Base Rule | General Status Information | Information |
| Logged Status Messages | Sub Rule | General User Logged Event | Information |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Version | N/A | N/A | N/A |
| Vendor | N/A | N/A | N/A |
| Device Product | N/A | N/A | N/A |
| Device Version | <version> | Numbers | N/A |
| Device Event Class ID | <vmid> | Text/String | The number representing the type of the event. If translation is used, the type enum name is defined by the ICD Schema. |
| Name | <vendorinfo> | Text/String | The description of the event. If the message attribute is missing and translation is used, the name is generated from the type_id and id enum names. |
| Severity | <severity> | Numbers | The severity of the event, mapped as follows: |
| act | <result>, <tag1> | Text/String | The outcome of the event. It is either a numeric value or text when translation is used. |
| cat | <objecttype> | Text/String | The event type category. It is either a numeric value or text when translation is used. |
| deviceExternalId | N/A | N/A | The unique identifier of the device. |
| dtz | N/A | N/A | The time zone of the event's Device Time, converted from minutes ahead of or behind UTC to a standard time zone identifier. |
| dvc | <sip> | IP Address | The IP address that pertains to the event, if in IPv4 format (otherwise it is placed in c6a1). |
| dvchost | <sname> | Text/String | The name of the device originating the event. |
| rt | N/A | N/A | The time at which the ICDx system collected the event, expressed as the number of milliseconds since 01/01/1970 00:00:00 UTC. |
| deviceCustomDate1 | N/A | N/A | N/A |
| deviceCustomDate1Label | N/A | N/A | N/A |
| start | N/A | N/A | The number of milliseconds since 01/01/1970 00:00:00 UTC. |
| agt | N/A | N/A | The IP address of the collector device, if in IPv4 format. |
| ahost | N/A | N/A | The host name of the collector device. |
| aid | N/A | N/A | The unique identifier of the collector. |
| cs6 | N/A | N/A | N/A |
| cs6Label | N/A | N/A | N/A |
| cs4 | <group> | Text/String | N/A |
| cs4Label | N/A | N/A | N/A |
| cs5 | N/A | N/A | N/A |
| cs5Label | N/A | N/A | N/A |
| suser | <login> | Text/String | The source user by name. |
| symcICDxLogName | <object> | Text/String | The ICDx archive name (log_name). |
| symcICDxUUID | N/A | N/A | The JSON-encoded event data that was not mapped to any CEF attributes. |
| symcICDxData | <subject> | Text/String | N/A |
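As an added example (not LogRhythm's or Symantec's own parsing code), a small Python parser that splits a Symantec ICDx CEF line into its header and extension, handling escaped `|` and `=`, and applies the mapping table above; keys the table maps to N/A, and a `dvc` value that is not IPv4, are kept in an unmapped bucket rather than dropped. The sample line and all its values are constructed for illustration.

```python
import re
import ipaddress

# CEF header: CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|extension
HEADER_FIELDS = ("version", "vendor", "device_product", "device_version",
                 "device_event_class_id", "name", "severity")
# CEF field -> LogRhythm schema field(s), per the table above (N/A rows omitted; 'act' feeds two fields)
HEADER_MAP = {"device_version": "version", "device_event_class_id": "vmid",
              "name": "vendorinfo", "severity": "severity"}
EXTENSION_MAP = {"act": ("result", "tag1"), "cat": ("objecttype",), "dvc": ("sip",),
                 "dvchost": ("sname",), "cs4": ("group",), "suser": ("login",),
                 "symcICDxLogName": ("object",), "symcICDxData": ("subject",)}

def split_header(cef):
    """Split the seven header fields on unescaped '|'; the remainder is the extension."""
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF message with a complete header")
    header = dict(zip(HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    header["version"] = header["version"][len("CEF:"):]
    return header, parts[7]

def parse_extension(ext):
    """Parse 'key=value key2=value'; values may contain spaces and '\\=' / '\\\\' escapes."""
    pairs = re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", ext, re.S)
    return {k: v.replace("\\=", "=").replace("\\\\", "\\") for k, v in pairs}

def map_to_logrhythm(cef):
    """Return {'fields': mapped LogRhythm fields, 'unmapped': CEF keys the table leaves unmapped}."""
    header, ext = split_header(cef)
    fields, unmapped = {}, {}
    for src, dst in HEADER_MAP.items():  # 'version' and 'severity' are typed Numbers in the table
        numeric = dst in ("version", "severity") and header[src].isdigit()
        fields[dst] = int(header[src]) if numeric else header[src]
    for key, value in parse_extension(ext).items():
        targets = EXTENSION_MAP.get(key)
        if key == "dvc":  # the table maps dvc to <sip> only for IPv4; IPv6 arrives in c6a1 instead
            try:
                targets = targets if ipaddress.ip_address(value).version == 4 else None
            except ValueError:
                targets = None
        if targets is None:
            unmapped[key] = value
        for dst in targets or ():
            fields[dst] = value
    return {"fields": fields, "unmapped": unmapped}

# Constructed sample line (not a real ICDx export); all values are illustrative.
SAMPLE = ("CEF:0|Symantec|ICDx|1.0|8000|Status message|3|act=Allowed cat=Status dvc=10.0.0.5 dvchost=endpoint01 "
          "suser=jdoe cs4=Workstations cs4Label=Group symcICDxLogName=sep_events symcICDxData=key\\=value")
```

`map_to_logrhythm(SAMPLE)` yields the mapped fields plus `cs4Label` in the unmapped bucket, because the table gives that key no schema field.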