Vendor Documentation
Classification
|
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|
|
V 2.0 : UTM : DNS |
Base Rule |
General DNS Information |
Information |
|
V 2.0 : Log_Id_Dns_Url_Filter_Allow |
Sub Rule |
General DNS Information |
Information |
|
V 2.0 : Log_Id_Dns_Botnet_Ip |
Sub Rule |
Blocked Message |
Failed Activity |
|
V 2.0 : Log_Id_Dns_Botnet_Domain |
Sub Rule |
Blocked Message |
Failed Activity |
|
V 2.0 : Log_Id_Dns_Ftgd_Warning |
Sub Rule |
Rating Error |
Error |
|
V 2.0 : Log_Id_Dns_Ftgd_Error |
Sub Rule |
Rating Error |
Error |
|
V 2.0 : Log_Id_Dns_Ftgd_Cat_Allow |
Sub Rule |
General DNS Information |
Information |
|
V 2.0 : Log_Id_Dns_Ftgd_Cat_Block |
Sub Rule |
Blocked Message |
Failed Activity |
|
V 2.0 : LOG_ID_DNS_QUERY |
Sub Rule |
DNS Query |
Information |
|
V 2.0 : LOG_ID_DNS_RESOLV_ERROR |
Sub Rule |
General DNS Error |
Error |
|
V 2.0 : LOG_ID_DNS_URL_FILTER_BLOCK |
Sub Rule |
Blocked Message |
Failed Activity |
|
V 2.0 : LOG_ID_DNS_SAFE_SEARCH |
Sub Rule |
Redirected For Safe Search |
Information |
|
V 2.0 : LOG_ID_DNS_LOCAL |
Sub Rule |
DNS Query |
Information |
Mapping with LogRhythm Schema
|
Device Key in Log Message |
LogRhythm Schema |
Data Type |
Schema Description |
|---|---|---|---|
|
date |
N/A |
N/A |
The date of the log entry. |
|
time |
N/A |
N/A |
The time of the log entry. |
|
logid |
<vmid> |
Number |
The unique identifier for the log entry. |
|
type |
<vendorinfo> |
Text/String |
The type of log event. |
|
subtype |
N/A |
N/A |
The subtype of the log event. |
|
eventtype |
N/A |
N/A |
The type of DNS event (DNS response in this case). |
|
level |
<severity> |
Text/String |
The severity level of the log event. |
|
vd |
<sessiontype> |
Text/String |
The virtual domain associated with the log event. |
|
eventtime |
N/A |
N/A |
The timestamp of the event. |
|
policyid |
<policy> |
Number |
The ID of the policy associated with the log event. |
|
sessionid |
<session> |
Number |
The ID of the session associated with the log event. |
|
srcip |
<sip> |
IP Address |
The source IP address of the communication. |
|
srcport |
<sport> |
Number |
The source port number. |
|
srcintf |
<sinterface> |
Text/String |
The source interface. |
|
srcintfrole |
N/A |
N/A |
The role of the source interface. |
|
dstip |
<dip> |
IP Address |
The destination IP address of the communication. |
|
dstport |
<dport> |
Number |
The destination port number. |
|
dstintf |
<dinterface> |
Text/String |
The destination interface. |
|
dstintfrole |
N/A |
N/A |
The role of the destination interface. |
|
proto |
<protnum> |
Number |
The protocol number (UDP in this case). |
|
profile |
N/A |
N/A |
The profile applied to the log event. |
|
srcmac |
<smac> |
Text/String |
The source MAC address. |
|
xid |
N/A |
N/A |
The transaction ID of the DNS query. |
|
qname |
N/A |
N/A |
The queried domain name. |
|
qtype |
N/A |
N/A |
The queried record type (AAAA in this case). |
|
qtypeval |
N/A |
N/A |
The numerical value of the queried record type. |
|
qclass |
N/A |
N/A |
The queried record class. |
|
ipaddr |
N/A |
N/A |
The resolved IP address for the queried domain. |
|
msg |
<subject> |
Text/String |
Additional message or description of the log event. |
|
action |
<action> |
Text/String |
The action taken by the system (pass in this case). |
|
cat |
<object> |
Number |
The ID of the category associated with the log event. |
|
catdesc |
<objectname> |
Text/String |
The description of the category. |