Vendor Documentation
Classification
|
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|
|
V 2.0: System Events |
Base Rule |
General System Event |
Information |
|
V 2.0: User Logged In |
Sub Rule |
User Logon |
Authentication Success |
|
V 2.0: Agent Status Changed |
Sub Rule |
Service Status Change |
Other Audit Success |
|
V 2.0: Audit Error |
Sub Rule |
Audit Record Error |
Error |
|
V 2.0: Agent Disk Quota Exceeded |
Sub Rule |
Limit Exceeded |
Warning |
|
V 2.0: User Logged Out |
Sub Rule |
User Logoff |
Authentication Success |
|
V 2.0: Gateway Throughput |
Sub Rule |
Gateway Message |
Information |
|
V 2.0: Policy Changed |
Sub Rule |
General Policy Change |
Other Audit |
Mapping with LogRhythm Schema
|
Device Key in Log Message |
LogRhythm Schema |
Data Type |
Schema Description |
|---|---|---|---|
|
CEF:Version |
N/A |
N/A |
N/A |
|
N/A |
N/A |
N/A |
Device Vendor |
|
N/A |
N/A |
N/A |
Device Product |
|
N/A |
<version> |
Text/String |
Device Version |
|
N/A |
<vmid>
|
Text/String |
deviceEventClassId |
|
N/A |
<subject> |
Text/String |
Name |
|
<tag2> |
Text/String |
||
|
<sname> |
Text/String |
||
|
<sip> |
IP Address |
||
|
<action> |
Text/String |
||
|
<policy> |
Text/String |
||
|
<status> |
Text/String |
||
|
N/A |
<severity> |
Text/String |
Severity |
|
suser |
<login> |
Text/String |
The system user who caused the event. It can
|
|
rt |
N/A |
N/A |
The system event time |
|
cat |
<objecttype> |
Text/String |
The type of the event |