
Syslog - Linux Host

The Syslog - Linux Host log source and its processing rules are provided as a template that covers a wide range of applications. Customers are advised to tailor this log source to their own hosts. Using the template without modification causes performance problems, including slower log collection and suboptimal log parsing.

For information on modifying this template and optimizing log parsing, see Optimize Linux Host Processing below.
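To make the two points above concrete (each message type is matched by a processing rule that fills the schema tags listed in the table, and an untrimmed, badly ordered template rule set costs more work per message), here is an added example that is not part of this page and does not use LogRhythm's own MPE rule syntax. The sample syslog lines are constructed, the regex bodies for "Accepted Publickey", "Failed Login" and "Cron Job Execution" are written for this illustration and populate a slightly different tag set than the table, and the assumption that rules are tried in order until the first match is an assumption of the example, not a statement about the product. The names `Rule`, `parse`, `total_attempts` and `CRON_FIRST` are hypothetical helpers.

```python
import re
from dataclasses import dataclass

# Constructed sample messages (not from the page) in the RFC 3164 shape a
# Linux host typically emits. Five of six are sshd/cron lines; one is noise.
SAMPLE_LINES = [
    "Mar  4 10:15:22 bastion sshd[2210]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: RSA SHA256:abcdef",
    "Mar  4 10:16:01 bastion sshd[2215]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2",
    "Mar  4 10:17:01 bastion CRON[2300]: (root) CMD (/usr/local/bin/backup.sh)",
    "Mar  4 10:17:01 bastion CRON[2301]: (alice) CMD (/home/alice/bin/sync.sh)",
    "Mar  4 10:18:01 bastion CRON[2310]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  4 10:18:44 bastion kernel: [12345.678] eth0: link is up",
]

# Syslog header: timestamp, host, process and optional PID. Group names are
# the page's schema tags (dname, process, processid); "body" is the remainder
# that the per-message rules inspect.
HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<dname>\S+) (?P<process>[^\[:\s]+)(?:\[(?P<processid>\d+)\])?: (?P<body>.*)$"
)


@dataclass(frozen=True)
class Rule:
    name: str            # message type, as named in the table below
    pattern: re.Pattern  # named groups are schema tags (sip, sport, login, ...)


# Hypothetical rule bodies written for this example; they are not LogRhythm's
# MPE base rules, and the tag sets differ slightly from the table.
RULES = [
    Rule("Accepted Publickey", re.compile(
        r"^Accepted publickey for (?P<login>\S+) from (?P<sip>\S+) port (?P<sport>\d+) "
        r"(?P<protname>\S+)(?:: \S+ (?P<hash>\S+))?$")),
    Rule("Failed Login", re.compile(
        r"^Failed password for (?:invalid user )?(?P<login>\S+) from (?P<sip>\S+) "
        r"port (?P<sport>\d+) (?P<protname>\S+)$")),
    Rule("Cron Job Execution", re.compile(
        r"^\((?P<login>[^)]+)\) CMD \((?P<command>.*)\)$")),
    # Last resort: a catch-all that stores the whole body in <tag1>.
    Rule("Catch All : General Messages", re.compile(r"^(?P<tag1>.*)$")),
]

# The same rules, reordered for a host whose traffic is dominated by cron.
CRON_FIRST = [RULES[2], RULES[0], RULES[1], RULES[3]]


def parse(line, rules=RULES):
    """Match one syslog line; the first matching rule wins (assumed order).

    Returns (rule name or None, dict of schema tags, number of rules tried).
    """
    head = HEADER.match(line)
    if head is None:
        return None, {}, 0
    fields = {k: v for k, v in head.groupdict().items()
              if k != "body" and v is not None}
    body = head.group("body")
    for tried, rule in enumerate(rules, start=1):
        m = rule.pattern.match(body)
        if m:
            fields.update({k: v for k, v in m.groupdict().items() if v is not None})
            return rule.name, fields, tried
    return None, fields, len(rules)


def total_attempts(lines, rules=RULES):
    """Regex evaluations needed to classify every line: the per-message cost
    that grows with an untrimmed, unordered template rule set."""
    return sum(parse(line, rules)[2] for line in lines)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        name, fields, tried = parse(line)
        print(f"{tried} rule(s) tried -> {name}: {fields}")
    print("attempts, template order:", total_attempts(SAMPLE_LINES, RULES))
    print("attempts, cron first:    ", total_attempts(SAMPLE_LINES, CRON_FIRST))
```

Running it shows the "Accepted Publickey" line resolving to `sip`, `sport`, `login`, `protname` and `hash` after one attempt, the kernel line falling through to the catch-all after four, and the six constructed lines costing 16 regex evaluations in template order against 12 with the cron rule moved first. On a real host the same reasoning applies in reverse: rules for daemons the host does not run are pure overhead and are the first candidates to remove when tailoring the template.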

Supported Log Messages

The table below lists, for each supported message type, the LogRhythm (LR) schema tags that its processing rule populates when the message is parsed.

TypeProduct VersionSupported Schema Fields
Above Message RepeatsN/A<severity>, <quantity>, <tag1>
ABRT MessagesN/A<severity>, <sname>, <process>, <object>, <subject>, <recipient>
Accepted PasswordN/A<sip>, <sport>
Accepted PublickeyN/A<severity>, <sport>, <sip>, <sname>, <dname>, <process>, <processid>, <protname>, <hash>
Accepting ConnectionN/A<dname>, <process>, <sip>, <sport>
Account Added To GroupN/A<severity>, <process>, <processid>, <account>, <login>, <group>
Account InformationN/A<dname>, <process>, <object>, <account>, <tag1>, <tag2>, <tag3>
Agent Appeared Dead But Responded To PingN/A<severity>, <process>, <object>
Agent InformationN/A<severity>, <process>, <processid>, <dname>
Aide.wrapper MessageN/A<process>, <processid>, <parentprocesspath>, <tag1>, <action>
Allowed Clients ConfigN/A<vmid>, <login>, <subject>, <sip>, <object>, <tag1>
Anacron Job TerminatedN/A<process>, <object>
Anvil StatisticsN/A<Severity>, <dname>, <process>, <processid>, <size>, <rate>, <sip>
Arpwatch ProcessN/A<severity>, <sip>, <sname>, <dname>, <smac>, <dmac>, <process>, <tag1>
Attempting To Validate Locked AccountN/A<process>, <account>
Audispd ActivityN/A<severity>, <dip>, <dname>, <processid>, <object>, <objectname>, <command>, <status>
Audispd OperationsN/A<severity>, <dname>, <process>, <processid>, <object>, <command>, <amount>, <tag1>
Audit Daemon Low On Disk SpaceN/A<severity>, <sname>, <process>, <processid>, <tag1>
Audit Event Multiplexor MessagesN/A<severity>, <session>, <dname>, <login>, <processid>, <object>, <subject>, <result>, <command>, <tag1>, <tag2>
Auditd Status MessagesN/A<severity>, <dname>, <process>, <processid>, <object>, <command>, <subject>, <tag1>
Authenticated Mount RequestN/A<severity>, <dip>, <processid>, <tag1>, <sip>, <sname>, <sport>, <object>, <subject>
Authentication FailedN/A<severity>, <process>, <processid>, <dname>, <login>
Authentication FailureN/A<login>
Authentication Failures On AccountN/A<severity>, <process>, <quantity>, <account>
Authentication InformationN/A<severity>, <domainorigin>, <dname>, <process>, <processid>, <object>, <objectname>, <command>
Authentication MessagesN/A<vmid>, <sip>, <login>, <subject>, <object>, <tag2>
Automatic Root Authorization BypassN/A<severity>, <process>, <processid>, <object>, <command>, <login>
AutomountN/A<severity>, <dname>, <process>, <processid>, <object>, <objectname>, <command>, <subject>, <tag2>
Automount MessagesN/A<severity>, <process>, <processid>, <quantity>, <objectname>, <tag1>, <object>, <subject>
AVAHI Daemon WarningN/A<severity>, <sip>, <process>, <processid>, <subject>, <tag1>
Avahi Host DNS NameN/A<session>, <process>, <dname>
Avahi Hostname ConflictN/A<severity>, <process>, <processid>, <sname>, <dname>
Avahi RegistrationN/A<severity>, <sname>, <dname>, <sip>, <sinterface>, <session>, <subject>, <processid>, <tag1>
AXIS MessagesN/A<severity>, <login>, <group>, <sname>, <subject>, <process>, <processid>, <tag2>, <sip>, <tag3>
Batch Order DetailsN/A<severity>, <process>, <processid>, <object>, <objectname>, <subject>
Be2net MessagesN/A<severity>, <dinterface>, <object>, <command>, <process>, <tag2>, <tag1>, <tag3>
Booting ProcessorN/A<object>
Callbacks SuppressedN/A<severity>, <quantity>
Calling Function IDN/A<severity>, <dname>, <process>, <processid>, <object>
Can't Get HostnameN/A<sip>, <dip>
Cannot Load ModuleN/A<severity>, <process>, <processid>, <vmid>, <object>, <subject>
Cannot Locate URL From FileN/A<severity>, <process>, <object>, <url>, <command>, <duration>
Cannot Open Reserved PortN/A<process>, <vmid>, <object>
Catch All : Crond General MessagesN/A<severity>, <process>, <processid>, <subject>, <tag1>
Catch All : General MessagesN/A<severity>, <tag1>
Catch All Level 1N/A<severity>, <tag1>
Catch All : Level 2 (General Information)N/A<dname>, <object>, <process>
Catch All : Level 2 (General Syslog Information)N/A<tag1>, <dname>, <process>
Catch All : Level 3N/A<severity>, <dip>, <dname>, <process>, <processid>, <quantity>, <tag1>
Catch All : Level 3 - Syslog Protocol And SeverityN/A<sport>, <sip>, <process>, <tag1>
Catch All : Solaris 10 AuditN/A<vmid>, <sip>, <sname>, <login>, <session>, <tag1>
Catch All : SSHD General MessagesN/A<severity>, <process>, <processid>, <subject>, <tag1>
Catch All : Xinetd MessagesN/A<severity>, <sip>, <process>, <processid>, <command>, <object>, <duration>, <tag1>
Centrify MessagesN/A<severity>, <parentprocessname>, <parentprocessid>, <dname>, <subject>, <tag1>, <domain>, <process>, <version>, <login>, <vmid>, <result>, <processid>, <reason>, <object>
Checker Reports Path Is DownN/A<severity>, <process>, <object>, <objectname>
Checkout PassedN/A<severity>, <sname>.<object>, <tag1>
Chef Client MessagesN/A<severity>, <dname>, <parentprocessname>, <subject>, <sname>, <login>, <sport>, <process>, <group>, <url>, <responsecode>
Child ExistsN/A<severity>, <dname>, <process>, <processid>
Clamd Scan OperationsN/A<severity>, <dname>, <session>, <process>, <processid>, <object>, <command>, <tag1>
Cleanup MessagesN/A<Severity>, <dname>, <process>, <session>, <recipient>, <Action>
Client Not Found In Kerberos DatabaseN/A<vmid>, <severity>
Client UnknownN/A<severity>, <dname>, <reason>
CLISH Messages : Login Logout Cmd ExecutedN/A<login>, <process>, <processid>, <object>, <tag1>
CLISH User InformationN/A<sname>, <login>, <session>, <process>, <processid>.<object>
Clock ErrorsN/A<sip>, <process>, <tag1>, <tag2>
CLUSTER-TLS Connection ClosedN/A<dname>, <process>, <sip>, <object>, <sport>
Command CompleteN/A<severity>, <dname>, <process>, <processid>, <object>, <subject>, <objectname>, <size>
Command ExecutionN/A<severity>, <dname>, <sinterface>, <login>, <process>, <processid>, <object>
Command InformationN/A<severity>, <dname>, <process>, <processid>, <command>, <sname>
Command StringN/A<severity>, <dname>, <process>, <command>
CommissioningN/A<vmid>, <sip>, <login>, <subject>, <tag1>, <tag2>
Common Information Model Server MessageN/A<dname>, <process>, <tag1>, <vmid>, <object>, <sport>, <login>
Comparing Current Cluster DataN/A<severity>, <sname>, <object>
Comparing Current DataN/A<severity>, <sname>.<object>
ConfigFileN/A<vmid>, <sip>, <login>, <subject>, <tag1>, <tag2>
Configuration StatusN/A<severity>, <dname>, <object>, <objectname>, <tag1>
Connecting To Data Layer Service RemotelyN/A<dname>, <process>
Connection ClosedN/A<dname>, <process>, <dip>, <dport>
Connection EstablishedN/A<dname>, <process>, <dip>, <dport>, <sname>, <object>
Connection FailedN/A<dip>, <dname>, <protname>, <dport>, <tag1>
Connection InformationN/A<sip>, <dip>, <dname>, <sport>, <dport>, <session>, <process>, <tag1>, <tag2>, <tag3>
Connection Lost While Receiving Server GreetingN/A<protname>, <session>, <dname>, <dip>
Connection MessageN/A<sip>, <dip>, <dport>, <sport>, <sname>, <process>, <processid>, <tag1>, <protname>
Connection NotificationN/A<dip>, <sip>, <session>, <dname>, <process>, <processid>, <object>, <objectname>, <command>, <subject>
Connection RefusedN/A<severity>, <sip>, <process>, <processid>, <object>, <command>, <duration>
Connection RefusedN/A<dname>, <process>, <processid>, <sip>, <sport>
Connection Timed OutN/A<severity>, <dname>, <process>, <dip>
Control Network Tracing And Logging MessageN/A<dname>, <process>, <tag1>
CORBA Connection To Data LayerN/A<dname>, <process>
Could Not Authenticate UserN/A<severity>, <sname>, <process>
Could Not Complete SSL HandshakeN/A<dname>, <process>, <protname>, <object>
Could Not Fork Ident IPC HandlerN/A<severity>, <sname>, <process>, <object>
Could Not Resolve IPN/A<severity>, <process>, <processid>, <dip>
Could Not Sent Message To License ServerN/A<severity>, <subject>, <process>, <processid>
Cron Daemon Messages -RetiredN/A<severity>, <dname>, <process>, <object>, <commadf> , <tag1>, <objectname>
Cron Job ExecutionN/A<severity>, <login>, <process>, <processid>, <object>, <command>, <tag1>
Cron Job ExecutionN/A<severity>, <login>, <process>, <processid>, <object>, <tag1>, <dname>
Crond OperationsN/A<severity>, <dname>, <login>, <process>, <processid>, <subject>, <command>, <tag1>, <tag2>
Ctasd MessagesN/A<severity>, <vmid>, <dname>, <subject>, <process>, <processid>, <command>, <object>, <objectname><tag1>, <tag2>, <tag3>
Ctipd MessaagesN/A<severity>, <dname>, <subject>, <process>, <processid>, <command>, <tag1>, <tag2>
CUPS InformationN/A<sip>, <sname>, <process>, <dname>, <object>, <tag1>
Daemon ConnectionsN/A<severity>, <process>, <processid>, <tag1>, <object>, <size>,
Daemon Process Messages -retiredN/A<severity>, <dname>, <process>, <tag1>
Daemon Processing InformationN/A<dname>, <process>, <object>, <tag1>
Daemon/Version Startup And ShutdownN/A<severity>, <dname>, <process>, <processid>, <tag1>, <command>, <version>
Data Domain Logging MessagesN/A<severity>, <vmid>, <process>, <sname>, <account>, <command>, <object>, <tag1>
Database Is Older Than Source FileN/A<proess>, <object>
DataDog MessagesN/A<severity>, <parentprocessname>, <parentprocessid>, <dname>, <dport>, <subject>, <serialnumber>, <seconds>
DateTimeN/A<vmid>, <sip>, <login>, <severity>, <tag1>
DateTimeConfigN/A<vmid>, <sip>, <login>, <subject>, <tag1>
D-Bus Audit FailureN/A<sip>, <login>, <process>, <object>, <tag1>
DBUS Service MessageN/A<severity>, <sname>, <process>, <processid>, <subject>, <object>, <tag1>
DDFS MessagesN/A<severity>, <vmid>, <process>, <processid>, <command>, <object>, <size>, <tag1>
Device Failed Smart Self-Check: Backup Data NowN/A<severity>, <process>, <object>
Device Promiscuous ModeN/A<severity>, <dname>, <dinterface>, <process>, <tag1>
DHClient InformationN/A<process>, <processid>, <command>, <dinterface>, <dip>, <dport>, <quantity>
DHCP ACK/REQUEST MessagesN/A<sip>, <dip>, <process>, <sname>, <object>, <tag1>
DHCP AssignedN/A<severity>, <sip>, <dip>, <process>, <processid>
DHCP Binding NotificationN/A<severity>, <sip>, <process>, <processid>, <subject>, <duration>
DHCP RenewingN/A<tag1>
DHCP RequestN/A<severity>, <sip>, <dip>, <dport>, <sinterface>, <process>, <processid>, <tag1>
DHCPD MessagesN/A<tag1>, <sip>, <object>, <tag2>, <quanitity>, <dname>
DHCPD MessagesN/A<tag1>, <smac>, <dinterface>, <sip>, <dmac>, <sip>
Diagnostic Monitor Daemon MessageN/A<dname>, <process>, <tag1>
Did Not Use HELO ProtocolN/A<severity>, <process>, <processid>, <object>, <sname>, <dname>, <dip>, <protname>
Directory Not SecuredN/A<dname>, <object>
Dispatch Protocol ErrorN/A<severity>, <process>, <processid>, <object>, <objectname>
DNSMASQ DHCPN/A<severity>, <dname>, <process>, <processid>, <tag1>, <command>, <dinterface>, <dip>, <dmac>
Docker Log InformationN/A<severity>, <dip>, <dname>, <dport>, <login>, <parentprocessname>, <processid>, <subject>, <quantity>, <command>
Dropped PacketN/A<sname>, <protname>, <sip>, <dip>, <dport>, <process>, <object>, <size>, <tag1>
Email Header WarningN/A<process>, <Session>, <subject>, <sname>, <sip>, <Sender>, <reciepient>, <protname>
EMC Filesystem MountN/A<severity>, <dname>, <process>, <command>, <subject>, <object>
End Of FileN/A<dname>, <process>, <sip>, <sport>
Environment Daemon MessageN/A<dname>, <process>, <tag1>
Error Deleting Journal FileN/A<severity>, <dname>, <process>, <processid>, <object>, <objectname>
Error MessagesN/A<dname>, <sip>, <dip>, <sport>, <protname>, <object>, <quantity>, <tag1>
Error Reading KeytabN/A<severity>, <process>, <processid>, <object>
Error Retrieving User InformationN/A<severity>, <process>, <processid>, <login>
Ethernet Link StatusN/A<object>, <rate>, <tag1>
Catch All : Level 1_N/A<subject>, <tag1>, <status>, <sip>, <dip>, <sinterface>, <dinterface>, <severity>, <session>
Event MessagesN/A<vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <protname>, <object>, <command>
Executing ObjectN/A<dname>, <process>, <object>
Exim MessagesN/A<severity>, <sip>, <sname>, <dip>, <dname>, <process>, <processid>, <login>, <subject>, <sport>, <dport>, <command>, <tag1>
Extended Internet Daemon ExitingN/A<process>
eXtended InterNET Daemon MessagesN/A<severity>, <tag1>, <process>, <status>, <processid>, <sipn>, <seconds>
Failed LoginN/A<sip>, <sport>, <sname>, <login>
Failed LoginN/A<severity>, <login>, <sip>, <sport>, <protname>
Failed Login AttemptN/A<login>, <sip>
Failed PacketN/A<protnum>, <sip>, <dip>, <sport>, <dport>
Failed Parse Inline TemplateN/A<severity>, <dname>, <dinterface>, <process>, <processid>, <object>, <objectname>, <tag1>
Failed To Accept SocketN/A<severity>, <dname>, <process>, <processid>, <tag1>
Failed To Change Host PasswordN/A<vmid>, <severity>, <sname>, <dname>, <login>, <account>, <domainorigin>, <process>, <object>, <command>, <reason>
Failed To Create PipesN/A<severity>, <process>, <object>
Failed To Map Consumer To A DirectoryN/A<dname>, <process>, <protname>, <object>, <account>
Failed To Mount FilesystemN/A<severity>, <sname>, <process>, <processid>, <object>, <reason>
Fake Hostname - Forward Lookup Doesn't ExistN/A<dip>, <object>, <sip>
Fetching FTP FilesN/A<severity>, <process>, <processid>, <object>, <domainorigin>, <subject>
File ConflictN/A<severity>, <process>, <processid>, <object>, <objectname>, <subject>
File Or Directory Monitor MessagesN/A<severity>, <sname>, <process>, <processid>, <subject>, <object>, <tag1>
File System Checkout ErrorN/A<severity>, <sname>
File System FullN/A<vmid>, <object>
File System Health Check PassedN/A<severity>, <object>
File Transfer Protocol MessageN/A<dname>, <process>, <processid>, <tag1>, <protname>, <snmae>, <sip>, <login>, <object>, <tag2>
Finished Catalog RunN/A<severity>, <process>, <processid>, <object>, <duration>
Firewall MessageN/A<tag1>, <action>, <sinterface>, <dip>, <sip>, <processid>, <sport>, <dport>, <protname>
FireWallConfig Messages 1N/A<vmid>, <severity>, <sip>, <login>, <object>, <tag1>
FirewallConfig Messages 2N/A<vmid>, <subject>, <sip>, <login>, <object>, <tag1>
FTP Daemon : Transfer LogN/A<severity>, <dname>, <process>, <processid>, <object>, <tag1>
Gconfd ProcessN/A<severity>, <dname>, <process>, <account>, <session>, <tag1>, <object>, <subject>, <objectname>, <vmid>
GDM LoginN/A<login>, <account>, <process>
GDM Superuser Denied LoginN/A<session>, <process>
GDM Unable To Log SessionN/A<process>
General Audit EventsN/A<severity>, <login>, <tag2>, <tag3>
General AuthenticationN/A<severity>, <process>, <tag1>, <login>, <tag2>, <sip>, <sname>
General Authentication 2N/A<dname>, <process>, <sname>, <tag1>, <login>, <sip>, <sport>
General Authentication 3N/A<severity>, <sname>, <process>, <tag1>, <object>, <sip>, <login>, <subject>
General Authentication EventN/A<sip>, <sname>, <login>, <tag1>, <tag2>
General Cache MessagesN/A<severity>, <dname>, <process>, <processid>, <subject>, <object>, <version>, <parentprocessname>
General Connection InformationN/A<dname>, <process>, <tag1>, <sip>, <sname>
General Debug MessagesN/A<severity>, <process>, <processid>, <command>, <object>, <subject>, <sname>
General Failed Authentication MessagesN/A<dname>, <process>, <processid>, <dinterface>, <tag1>, <login>, <sip>, <sname>, <sport>, <seconds>, <Account>
General Failed Login AttemptN/A<severity>, <sip>, <sname>, <login>
General Failed Login Attempt 2N/A-
General FTP InformationN/A<dname>, <tag1>, <sip>, <login>, <object>, <sname>
General FTP MsgN/A<severity>, <sip>, <login>, <tag1>
General Information Log MessagesN/A<severity>, <process>, <processid>, <object>, <domainorigin>, <subject>, <recipient>
General Kernel MessagesN/A<severity>, <vmid>, <dname>, <subject>, <process>, <processid>, <command>, <object>, <amount>, <quantity>, <size>, <tag1>, <tag2>, <tag3>
General Messages 2N/A<login>, <tag1>, <tag2>, <tag3>
General Network ErrorN/A<vmid>, <severity>, <tag1>
General Postgres MessagesN/A<severity>, <login>, <object>, <objectname>, <command>
General Robot Daemon MessageN/A<severity>, <process>, <processid>, <command>, <object>
General SendmailN/A<dname>
General SNMPD MessagesN/A<severity>, <process>, <processid>, <tag1>, <object>, <sip>, <protname>, <sport>
General Switch User (su)N/A<dname>, <login>, <account>, <tag1>
Generic Client Creation FailedN/A<vmid>, <dname>, <tag1>
Get Key By Key ID FailedN/A<dname>, <process>, <object>, <tag1>
GIS Disk ErrorN/A<severity>, <sname>, <tag1>
GIS OPEN SYS Check PassedN/A<severity>, <tag1>, <object>, <sinterface>, <sip>
Github General MessagesN/A<severity>, <process>, <subject>
Gpasswd MessagesN/A<login>, <account>, <process>, <group>, <tag1>
Group Entry MessagesN/A<severity>, <dname>, <process>, <object>, <objectname>, <group>, <domain>, <tag1>
Group Policy AppliedN/A<process>, <processid>, <severity>, <object>
Groupdel Deleted GroupN/A<process>, <group>
Groupmod Changed GIDN/A<process>, <group>, <tag1>
GSSAPI AcceptedN/A<severity>, <process>, <processid>, <object>, <login>, <sip>, <sport>, <protname
Handling ConnectionN/A<severity>, <dname>, <process>, <processid>
Hardware Management Console MessagesN/A<dname>, <object>, <session>, <tag1>
Host Address InformationN/A<severity>, <dname>, <process>, <processid>, <object>
Host Communication MessageN/A<severity>, <sname>, <process>, <processid>, <result>
Host Not Allowed To TalkN/A<severity>, <process>, <processid>, <dip>
Host Not Entitled To Run ProgramN/A<vmid>, <severity>, <process>, <object>, <url>, <command>, <duration>
Host OfflineN/A<severity>, <process>, <dname>, <object>, <objectname>, <status>, <tag1>
Host Refused To Talk : Message Temp DeferredN/A<vmid>, <sip>, <dip>, <dname>, <protname>, <session>, <responsecode>, <url>
HostsConfig MessagesN/A<vmid>, <sip>, <dname>, <login>, <subject>, <tag1>
HP System Health MessagesN/A<process>, <object>, <tag1>, <tag2>
HTTPD ErrorN/A<dname>, <process>, <processid>, <severity>, <sip>, <tag1>, <object>, <url>
ID Respawning Too FastN/A<severity>, <dname>, <process>, <object>, <subject>, <minutes>
Ignoring Extra Unique IndexN/A<dname>, <process>, <object>
Illegal Addess Syntax In CommandN/A<dip>, <dname>, <process>, <object>, <recipient>
Illegal Port ConnectionN/A<severity>, <sname>, <process>, <processid>, <tag1>, <sip>, <sport>
Illegal UserN/A<sip>, <sname>, <login>
Incorrect Authentication SourceN/A<severity>, <dip>, <sip>, <account>, <dname>, <process>, <processid>
Init Respawning ErrorN/A<severity>, <process>, <object>, <duration>
Input/Output ErrorN/A<severity>, <process>, <processid>, <command>, <object>
Installation OutdatedN/A<severity>, <dname>, <process>, <processid>, <object>
Interactive AuthenticationN/A<dname>, <process>, <tag1>, <tag2>, <login>, <sipn>, <sport>, <dip>, <sessiontype>
Interactive Authentication 2N/A<login>, <dname>, <object>, <sport>, <sip>, <protname>, <process>, <processid>, <tag3>
Internet Daemon MessageN/A<dname>, <process>, <tag2>, <protname>, <tag1>, <object>
Internet Daemon No Such File Or DirectoryN/A<severity>, <process>, <processid>, <object>
Invalid Domain MappingN/A<severity>, <sname>, <process>, <processid>, <command>, <subject>, <login>, <domain>, <dname>
Invalid FlagN/A<severity>, <process>, <object>
Invalid UserN/A<severity>, <login>, <sip>
Invalid User.N/A<severity>, <dname>, <sip>, <process>, <processid>, <login>, <command>
IP Chains Firewall LogN/A<vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <protname>, <command>
IPsecConfig MessagesN/A<vmid>, <sip>, <login>, <subject>, <tag2>
JSCAPE FTP Account ModifiedN/A<severity>, <dname>, <login>, <command>, <account>
JScape FTP MessagesN/A<severity>, <dname>, <sip>, <sport>, <dip>, <dport>, <login>, <tag1>, <command>, <object>, <bytesin>, <bytesout>
JSCAPE FTP Trigger MessageN/A<severity>, <dname>, <tag1>, <command>, <action>, <object>, <vmid>, <subject>
K Desktop Manager ErrorsN/A<sip>, <process>, <tag1>, <object>
KDM Authentication FailureN/A<vmid>, <severity>, <dname>, <login>, <process>, <processid>
Keep-Alive Informational MessagesN/A<severity>, <sname>, <process>, <processid>, <subject>, <dip>, <tag1>, <dport>
Kernel File System MessagesN/A<severity>, <dinterface>, <dname>, <process>, <processid>, <command>, <vmid>, <tag1>, <tag2>
Kernel Header InformationN/A<severity>, <smac>, <dmac>, <dname>, <command>, <process>
Kernel Information MessagesN/A<severity>, <sip>, <dip>, <dinterface>, <object>, <processid>, <command>, <subject>
Kernel MessagesN/A<login>, <dname>, <vmid>, <tag1>, <tag2>
Kernel Out Of Memory Kill ProcessN/A<severity>, <process>, <session>, <subject>, <processid>, <object>, <amount>
Kernel Registry Services Daemon MessageN/A<dname>, <process>, <tag1>
Kernel USB MessagesN/A<severity>, <dinterface>, <dname>, <process>, <processid>, <object>, <objectname>, <quantity>, <command>, <tag1>, <serialnumber>
Last Message RepeatedN/A<tag1>, <sname>, <quantity>
LastLog MessagesN/A<sip>, <login>, <object>, <tag1>
LDAP Connection FailureN/A<severity>, <sname>, <process>, <processid>, <reason>, <subject>, <result>, <object>
LDAP Failed ConnectionN/A<severity>, <sname>, <sport>, <object>, <objectname>, <tag1>
LDAP Failed Connection MessageN/A<vmid>, <severity>, <sname>, <sport>, <session>, <processid><object>, <objectname>, <tag1>
LDAP MessagesN/A<severity>, <sname>, <process>, <processid>, <command>, <tag1>, <login>, <result>, <tag2>, <reason>
LDAP Monitor MessagesN/A<vmid>, <severity>, <sip>, <sname>, <sport>, <session>, <process>, <processid>, <object>, <objectname>, <command>, <tag1>
LDAP Query Lookup FailureN/A<severity>, <process>, <processid>, <object>, <objectname>, <subject>
LDAPConfig MessagesN/A<vmid>, <sip>, <dname>, <login>, <subject>, <tag1>
LDAPGroupMap MessagesN/A<subject>, <vmid>, <tag1>, <login>, <sip>
Linux : Password ChangedN/A<account>, <processid>, <action>, <tag1>
Linux Permission DeniedN/A<dname>, <process>, <processid>, <object>, <objectname>, <dip>, <vmid>
Linux User And Group Addition Or DeletionN/A<severity>, <sname>, <login>, <account>, <process>, <processid>, <object>, <objectname>, <group>, <tag1>, <tag2>
LMTP Messages 2N/A<process>, <Session>, <dname>, <dip>, <responsecode>, <vmid>, <sender>, <recipient>, <protname>, <status>
Local Mail Transfer Protocol MessagesN/A<severity>, <process>, <protname>, <processid>, <session>, <recipient>, <dname>, <dip>, <dport>, <milliseconds>, <vmid>, <status>, <responsecode>
Log Manager Login AttemptN/A<login>, <tag1>
Log StatisticsN/A<severity>, <process>, <processid>, <object>
Logging Lost MessagesN/A<severity>, <dname>, <command>, <vmid>, <process>, <tag1>, <amount>, <processid>, <object>
Logical Volume Manager MessageN/A<dname>, <process>, <tag1> , <object>
Login SuccessfulN/A<severity>, <dname>, <process>, <login>, <sip>, <sipv6e>, <sname>, <sinterface>
Lookup FailedN/A<severity>, <sname>, <process>, <object>, <tag1>
Lost Input ChannelN/A<severity>, <process>, <processid>, <object>, <sname>, <sip>, <objectname>
Mail Info DovecotN/A<severity>, <sname>, <login>, <tag1>, <action>, <dip>, <sip>, <processid>, <session>
Mail Information MessagesN/A<dname>, <process>, <recipient>, <object>, <duration>, <quantity>, <tag1>
Martian MessageN/A<severity>, <sip>, <dip>, <dname>, <dinterface>, <process>
Matching DSA KeyN/A<severity>, <dname>, <process>, <processid>, <object>
Memory For Crash Kernel Outside Of RangeN/A<object>
Message Content RejectedN/A<process>, <Session>, <sname>, <sip>, <Sender>, <reciepient>, <protname>, <vmid>
Message Delivery ErrorN/A<sname>, <process>, <sip>, <object>, <tag1>
Message ExpiredN/A<process>, <Session>, <sender>, <status>, <object>
Message Temporarily DeferredN/A<dip>, <dname>, <protname>, <session>, <responsecode>
MKUser Sudo CommandN/A<severity>, <dname>, <account>, <login>, <session>, <process>, <object>, <objectname>, <command>, <group>, <amount>, <tag2>
Module Location ErrorN/A<object>
Mount : Lookup And ParseN/A<process>, <object>, <tag1>
Mount AttemptN/A<sip>, <object>, <dname>, <tag1>
Mount Failed : Permission DeniedN/A<severity>, <sname>, <process>, <processid>.<object>
Mount Still ActiveN/A<dip>, <object>
Mounting Filesystem FailedN/A<dip>, <object>
Multipathd : Path Is DownN/A<severity>, <login>, <subject>, <object>
Multiple Login FailuresN/A<severity>, <sip>, <login>, <process>, <quantity>, <tag1>
Nagios MessagesN/A<severity>, <vmid>, <sname>, <dname>, <subject>, <process>, <processid>, <command>, <object>, <tag2>, <tag1>, <tag3>
Network Firewall Flow LogsN/A<severity>, <policy>, <command>, <sinterface>, <dinterface>, <smac>, <sip>, <dip>, <protname>, <sport>, <dport>
Network Manager InformationN/A<severity>, <object>, <process>, <processid>, <dname>, <dinterface>, <subject>
Network Time Protocol MessagesN/A<severity>, <sname>, <dname>, <dip>, <tag1>, <tag2>
NetworkConfig MessagesN/A<subject>, <vmid>, <object>, <tag1>, <tag2>, <login>, <sip>, <dip>
New USB Device FoundN/A<severity>, <process>, <object>, <objectname>, <subject>
NFS Mount FailureN/A<process>, <object>
No Address Found For Root NSN/A<sname>, <process>, <processid>, <object>
No Filesystem Type SpecifiedN/A<dip>, <object>, <account>
No Idle ConnectionsN/A<severity>, <dname>, <process>, <processid>, <quantity>
No Route To HostN/A<dip>, <dname>, <dport>, <protname>
No Servers FoundN/A<severity>, <dname>, <process>, <processid>, <object>
No SessionN/A<severity>, <dname>, <process>, <processid>, <object>, <account>, <sname>
No Such UserN/A<severity>, <sname>, <process>, <object>, <command>
Non-DMZ Link ConnectedN/A<sip>, <dname>, <sport>, <process>, <object>
Not Being JournaledN/A<severity>, <dname>, <process>, <processid>, <object>, <objectname>, <quantity>
Not Sending Tagmail ReportN/A<severity>, <process>, <processid>
NRPE CommandN/A<severity>, <object>, <process>, <processid>, <command>, <tag1>
NRPE ConnectionN/A<severity>, <dname>, <process>, <processid>, <sip>, <sport>, <tag1>, <command>
NRPE Start/StopN/A<severity>, <process>, <processid>, <command>, <tag1>, <session>, <sip>, <sipv6e>, <duration>
NSLCD MessagesN/A<severity>, <dname>, <process>, <tag1>, <version>, <object>, <objectname>
NSS Authentication ErrorN/A<severity>, <process>, <processid>, <subject>, <dname>
NTP Listener MessagesN/A<severity>, <dname>, <process>, <object>, <tag1>, <sinterface>, <sip>, <protname>, <sport>
NTP MessagesN/A<severity>, <dname>, <process>, <tag2>, <dip>, <tag1>, <duration>, <version>, <object>, <dinterface>
NTPD Time Reset/SynchronizationN/A<severity>, <dname>, <process>, <tag1>, <seconds>, <object>
NTPD_INTRES MessagesN/A<severity>, <process>, <objectname>, <subject>, <tag1>
Number Of Certificate Reminders To Process TodayN/A<dname>, <process>, <object>, <quantity>
Number Of Messages DeletedN/A<dname>, <process>, <quantity>
Object Access LogsN/A<dname>, <login>, <account>, <domainorigin>, <session>, <process>, <object>, <tag1>, <tag4>
Odd Number Of ElementsN/A<severity>, <process>, <processid>, <object>, <domainorigin>, <subject>
Operation CompletedN/A<dname>, <session>, <process>, <object>, <tag1>, <tag2>
Organizer : Shard ErrorN/A<severity>, <dname>, <dinterface>, <process>, <processid>, <object>, <objectname>, <command>, <subject>
Packet ReceivedN/A<severity>, <dname>, <process>, <sip>, <sport>, <subject>, <objectname>
Packet Too Short Or Invalid While Reading ResponseN/A<severity>, <process>, <object>
PAM Adding Faulty ModuleN/A<severity>, <process>, <object>, <sname>
PAM LDAP Authentication ErrorN/A<process>, <login>, <group>, <domain>, <tag1>
PAM LoginN/A<severity>, <process>, <processid>, <subject>, <login>, <sip>, <sport>
PAM Unable To Load Dynamic Library FileN/A<severity>, <process>, <object>, <sname>, <command>
Pam Unix AuthenticationN/A<severity>, <sip>, <sname><login>, <account>, <session>, <process>, <processid>, <object>, <tag1>
PAM UNIX User Check PassN/A<severity>, <process>, <processid>, <subject>, <login>
PAM User AuthenticationN/A<severity>, <process>, <processid>, <tag1>, <login>, <account>
Pam_Tally: No Such UserN/A<login>
PAM_Unix : General MessagesN/A<sip>, <login>, <sessiontype>, <project>, <object>, <tag1>, <tag2>
Password Daemon MessageN/A<dname>, <tag1>, <process>
Password Read Timed OutN/A<severity>, <dname>, <process>, <sinterface>, <tag1>
Passwordless Authentication MessageN/A<severity>, <process>, <object>, <command>, <processid>, <tag1>, <group>, <login>, <account>, <domain>
Patt 5 : SMTP Session MessagesN/A<processid>, <subject>, <sname>, <sip>, <sport>, <tag1>, <session>, <sender>, <recipient>, <protname>, <vendorinfo>, <dip>, <dport>
Pattern 1 : General MessagesN/A<vmid>, <sip>, <login>, <subject>, <tag1>, <tag2>
Pattern 1 : PGP Backup MessagesN/A<severity>, <dname>, <process>, <processid>, <tag2>, <tag3>, <object>
Pattern 1 : Sendmail Mail To MessagesN/A<vmid>, <dip>, <object>, <recipient>, <duration>, <quantity>, <tag1>
Pattern 2 : General Messages 2N/A<vmid>, <severity>, <tag1>, <tag2>
Pattern 2 : PGP Datalayer MessagesN/A<tag1>, <dname>, <process>, <tag2>, <object>
Pattern 2 : Sendmail NotificationN/A<process>, <object>, <vmid>, <tag3>, <hours>, <tag1>, <tag2>, <dname>, <domain>
Pattern 3 : General Audit EventsN/A<login>, <tag1>
Pattern 3 : PGP Client MessagesN/A<severity>, <dname>, <process>, <processid>, <sname>, <tag3>, <quantity>, <amount>, <tag5>, <account>, <login>, <tag4>, <sport>, <sip>, <object>
Pattern 3 : SELinux Preventing Access To ObjectN/A<severity>, <dname>, <process>, <object>, <tag1>, <tag2>
Pattern 4 : Failed LoginN/A<sip>, <login>, <tag1>
Pattern 4 : PGP Admin MessagesN/A<severity>, <sip>, <sname>, <dname>, <sport>, <login>, <process>, <processid>, <object>, <tag1>, <tag2>, <tag3>
Pattern 4 : Qmanager MessagesN/A<severity>, <process>, <processid>, <session>, <tag1>, <sender>, <size>
Pattern 5 : PGP Cluster MessagesN/A<severity>, <sip>, <dname>, <sport>, <processid>, <process>, <object>, <quantity>, <packetsin>, <seconds>, <tag2>, <tag3>
Pattern 5 : Solaris 10 Object AccessN/A<vmid>, <sip>, <sname>, <login>, <session>, <object>, <tag1>
Pattern 6 : Password AcceptedN/A<severity>, <sip>, <dname>, <sport>, <login>, <sessiontype>, <process>, <processid>, <object>, <objectname>, <tag1>, <tag2>
Pattern 6 : SMTP Connection MessagesN/A<severity>, <process>, <processid>, <tag1>, <sname>, <sip>
Pattern 7 : Authentication FailureN/A<severity>, <dname>, <process>, <processid>, <account>, <sip>, <sname>, <login>, <tag1>
Pattern 8 : Public Key AuthenticationN/A<severity>, <process>, <processid>, <sip>, <sport>, <login>, <tag1>, <protname>
Pattern 9 : Filesystem MountN/A<dip>, <object>, <tag1>, <tag2>
Pattern 10 : User ModificationsN/A<account>, <object>, <group>, <tag1>
Pattern 11 : General InformationN/A<dip>, <tag1>, <tag2>, <tag3>, <quantity>
Pattern 12 : User/Group DeletedN/A<group>, <account>, <tag1>
Pattern 13 : General Linux Host MessagesN/A<severity>, <dname>, <process>, <tag1>, <login>, <sname>, <account>, <object> , <processid>, <group>, <domain>, <sip>, <sport>, <domainorigin>
Pattern 14 : SSH ConnectionsN/A<vmid>, <login,>, <session>, <sname>, <dname>, <object>, <reason>, <tag1>, <tag2>, <sip>, <dip>, <sport>, <dport>, <responsecode>
Pattern 15 : Specific Errors And WarningsN/A<severity>, <login>, <object>, <subject>, <process>, <processid>, <protname>, <sender>, <quantity>, <recipient>, <tag3>
Pattern 17 : Reset InformationN/A<login>, <tag1>
Pattern 17 : Various Linux Host LogsN/A<object>, <url>, <dname>, <tag1>
Pattern 19 : Informational MessagesN/A<severity>, <login,>, <protname>, <sname>, <dname>, <object>, <subject>, <process>, <processid>, <tag3>, <tag2>, <sip>, <sport>, <tag4>
Pattern 20 : Informational Messages 2N/A<severity>, <dip>, <dname>, <process>, <processid>, <subject>, <object>, <command>, <amount>, <tag1>, <tag2>
Pattern 21 : Su PAM ErrorsN/A<dname>, <tag1>, <tag2>, <object>
Pattern 22 : CPU MessageN/A<size>, <quantity>, <object>, <tag1>, <tag2>
Pattern 23 : Crontab File EditingN/A<object>, <login>, <tag1>
Pattern 24 : Informational Messages 2N/A<dname>, <process>, <processid>, <object>, <tag1>, <tag2>, <tag3>
Pattern 25 : VAS Daemon MessagesN/A<process>, <object>, <tag1>, <tag2>
Pattern 26 : PAM VAS Authentication MessageN/A<login>, <account>, <process>, <object>, <group>, <tag1>
Pattern 27 : Group Policy MessageN/A<sname>, <dname>, <sport>, <object>, <tag1>, <tag2>
Pattern 28 : Anacron Job MessageN/A<severity>, <process>, <processid>, <quantity>, <duration>, <object>, <tag1>, <tag2>
Pattern 29 : Automount ErrorN/A<process>, <object>, <tag1>, <tag2>
Pattern 30 : Kernel MessagesN/A<vmid>, <severity>, <process>, <processid>, <command>, <dip>, <dinterface>, <object>, <subject>, <tag1>, <tag2>, <sip>
Pattern 31 : Secure Access Unit MessagesN/A<severity>, <login>, <process>, <processid>, <object>, <sport>, <tag1>, <tag3>, <sip>
Pattern Accepted Public Key Or PasswordN/A<vmid>, <sip>, <sport>, <login>
Pattern FTP SessionN/A<severity>, <sip>, <sname>, <dname>, <protname>, <login>, <process>, <processid>, <object>, <bytesout>, <rate>, <tag1>, <tag2>
Pattern IMSYSMENUN/A<vmid>
Pattern Linux : Session EventsN/A<dname>, <process>, <processid>, <tag1>, <login>, <account>
Pattern remshdN/A<vmid>, <object>
Permission DeniedN/A<dname>, <process>, <processid>, <command>, <subject>
Permission Denied To HostN/A<severity>, <sip>, <process>
PGP Tcpwrapper MessagesN/A<severity>, <dname>, <process>, <processid>, <object>, <tag3>, <sip>, <sport>, <dip>, <dport>
PGP Universal Group Daemon InformationN/A<dname>, <process>, <object>, <tag1>, <tag2>
PGP VKD MessagesN/A<dname>, <process>, <tag2>, <object>, <tag3>
Pickup MessageN/A<severity>, <dname>, <process>, <processid>, <session>, <object>, <sender>, <subject>, <objectname>
PlayBack Stream Failed ConnectionN/A<vmid>, <severity>, <sname>, <sport>, <account>, <session>, <processid>, <object>, <objectname>, <url>, <command>, <tag1>
Pluto ProcessN/A<severity>, <dname>, <process>, <objectname>, <subject>, <sip>, <object>
Pluto Process.N/A<severity>, <dname>, <tag1>, <object>, <dip>, <sip>
Polkit Authorization GrantedN/A<login>, <account>, <process>, <session>, <object>
PortMapping And Firewall Config MessagesN/A<subject>, <vmid>, <object>, <tag1>, <login>, <sip>
PortMapping MessagesN/A<vmid>, <sip>, <dip>, <login>, <subject>, <object>, <tag1>, <tag3>
PortMappingConfig MessagesN/A<vmid>, <sip>, <group>, <login>, <subject>, <object>, <tag1>
Possible Break-In AttemptN/A<severity>, <process>, <sname>, <sip>, <tag1>, <threatname>
Postfix Error MessagesN/A<severity>, <dname>, <process>, <processid>, <command>, <tag1>
Postfix Mail OperationsN/A<severity>, <account>, <sinterface>, <dname>, <subject>, <process>, <processid>, <command>, <session>, <version>, <duration>, <action>, <recipient>, <tag1>
Postfix/Local MessagesN/A<severity>, <domain>, <process>, <processid>, <object>
Postgres : Incomplete Startup PacketN/A<severity>, <process>, <processid>, <object>
PostgreSQL MessagesN/A<severity>, <dip>, <dname>, <login>, <session>, <process>, <processid>, <command>, <vmid>, <tag1>
Process InformationN/A<severity>, <dip>, <sip>, <protname>, <session>, <process>, <processid>, <object>, <objectname>, <command>, <tag1>
Process MessagesN/A<severity>, <dname>, <process>, <object>, <command>, <tag1>, <dport>, <objectname>
Process RequestsN/A<severity>, <process>, <processid>, <object>, <objectname>, <subject>
Process StartedN/A<severity>, <dname>, <process>, <processid>, <object>
Processing Batch Log MessagesN/A<severity>, <process>, <object>, <objectname>, <processid>
Processing Log MessagesN/A<severity>, <process>, <processid>, <object>, <subject>
ProxyServices MessagesN/A<severity>, <sip>, <dip>, <dport>, <protname>, <login>, <process>, <processid>, <subject>, <object>, <version>, <url>, <command>, <result>, <tag1>
Pseudo Random Number Generator Daemon MessageN/A<dname>, <process>, <tag1>, <login>
Puppet Agent Command Executed SuccessfullyN/A<dname>, <process>, <processid>, <command>
Puppet Agent ErrorsN/A<severity>, <object>, <dname>, <process>, <processid>, <command>, <reason>, <tag1>
Puppet Agent WarningsN/A<severity>, <object>, <dname>, <process>, <processid>, <command>, <tag1>
Puppet Error MessagesN/A<severity>, <sname>, <dname>, <subject>, <process>, <processid>, <command>, <session>, <duration>, <tag1>, <tag2>
Puppet-Master : Not Sending Tagmail ReportN/A<severity>, <process>, <processid>
Puppet Master VersionN/A<severity>, <process>, <processid>, <version>
Puppet Process Executed SuccessfullyN/A<severity>, <process>, <processid>, <object>
Purging Old PDF Messenger Secure Reply DataN/A<dname>, <process>, <object>
RAID InformationN/A<tag1>, <severity>, <process>, <processid>, <tag2>, <command>, <tag3>, <vmid>, <subject>
Received RequestN/A<severity>, <sip>, <dname>, <object>, <objectname>, <tag1>
Received SignalN/A<severity>, <dname>, <process>, <processid>, <object>
Received SNMP PacketsN/A<dip>, <sip>, <sport>
Recipient Address RejectedN/A<vmid>, <object>, <recipient>, <dip>, <dname>, <protname>, <session>, <responsecode>
Recommended Version Over Current VersionN/A<severity>, <dname>, <process>, <processid>, <version>, <object>
Reconnected To LDAP ServerN/A<severity>, <process>, <processid>, <object>
RedHat Network Checked For Updates And ActionsN/A<process>
Remote ConnectionN/A<vmid>, <sip>, <sname>, <protname>, <tag1>
Replicator Process OnlineN/A<dname>, <process>
Repository Update ErrorN/A<sip>, <object>
Request DeniedN/A<severity>, <sname>, <process>, <processid>, <command>, <objectname>, <result>
Requirement Not Met By UserN/A<severity>, <process>, <processid>, <login>, <object>
Resource Group Manager MessageN/A<severity>, <sname>, <dname>, <dip>, <process>, <processid>, <object>, <objectname>, <tag1>, <subject>
Resource MIBN/A<severity>, <process>, <processid>, <object>
Resources Temporarily UnavailableN/A<dip>, <dname>, <protname>, <session>, <responsecode>
Restricted Shell ConfigurationN/A<object>, <group>, <tag1>
RHSMD/SSSD Authentication EventsN/A<sname>, <process>, <processid>, <subject>
Robot Daemon Process InformationN/A<severity>, <process>, <processid>, <tag1>, <command>
Root LoginN/A<object>, <login>
Root Shell Command MessagesN/A<severity>, <session>, <quantity>, <process>, <object>, <objectname>, <command>, <tag1>, <vmid>
RouteConfig MessagesN/A<subject>, <vmid>, <object>, <tag1>, <login>, <sip>
RPC Bind MessageN/A<dname>, <tag1>, <tag2>, <object>
RSA Key GeneratedN/A<dname>, <process>, <login>, <domain>, <account>, <severity>, <object>, <processid>, <tag1>
Rsyslog ProcessN/A<severity>, <version>, <process>, <processid>, <url>, <command>, <tag1>
Rule2N/A<tag1>, <tag2>
Run-Parts Status MessagesN/A<severity>, <object>, <objectname>, <dname>, <tag1>
Script Run StatusN/A<severity>, <object>, <command>, <process>, <session>, <tag1>, <dname>
SCSI Subsystem InitializedN/A<object>
Secrets/Key InformationN/A<severity>, <processid>, <dname>, <parentprocessname>, <process>, <dip>, <sip>, <tag1>, <object>, <subject>
Secure Reply Records DeletedN/A<dname>, <process>, <object>, <quantity>
Secure Shell MessageN/A<dname>, <process>, <processid>, <command>, <sip>, <sport>, <tag1>, <tag2>, <tag3>, <login>, <sname>, <subject>
SEL Catch All : Level 2N/A<subject>, <vmid>, <tag1>, <tag2>
Selinux ModeN/A<severity>, <process>, <processid>, <object>, <command>
Sender Non-Delivery NotificationN/A<severity>, <process>, <processid>, <session>, <object>, <subject>
Sendmail : Mail FromN/A<processid>, <object>, <sender>, <protname>, <sname>, <sip>, <bytesin>
Sendmail Administrator InfoN/A<severity>, <process>, <processid>, <login>, <object>
Sendmail Alias InformationN/A<severity>, <process>, <processid>, <object>, <login>, <quantity>, <size>, <amount>
Sendmail ForwardN/A<severity>, <subject>, <process>, <processid>, <object>, <objectname>
Sendmail OperationsN/A<severity>, <sip>, <sname>, <dname>, <session>, <subject>, <process>, <processid>, <command>, <object>, <objectname>, <amount>, <version>, <quantity>, <duration>, <tag1>, <tag2>
Sendmail ProcessN/A<severity>, <process>, <processid>, <objectname>, <object>, <sender>, <dname>, <dip>, <subject>
SerialConfig MessagesN/A<subject>, <vmid>, <object>, <tag1>, <login>, <sip>
SerialPortProfile MessagesN/A<subject>, <vmid>, <object>, <tag1>, <login>, <sip>
Server Not RespondingN/A<dip>
Service Name InformationN/A<object>, <tag1>
Service Not Discoverable via DNSN/A<severity>, <parentprocessname>, <parentprocessid>, <process>, <reason>
Session ActivityN/A<severity>, <sessiontype>, <login>, <process>, <processid>, <object>, <tag1>, <tag2>
Session State ChangedN/A<dname>, <process>, <processid>, <login>, <tag1>
Set User IdentityN/A<dname>, <tag1>, <session>, <login>, <domainorigin>, <account>
Shell AccessN/A<severity>, <dname>, <login>, <account>, <process>, <processid>, <tag1>
SmokePing Network Latency MessagesN/A<dname>, <process>, <object>, <duration>, <tag1>, <tag2>
SMTP & RPC Failure WarningN/A<severity>, <dname>, <process>, <processid>, <subject>, <tag1>, <responsecode>
Snapshot Bash ActivityN/A<severity>, <dname>, <sname>, <dip>, <dport>, <object>, <subject>, <tag1>
SNMP Informational MessagesN/A<tag1>, <process>, <tag2>, <sip>, <protname>, <sport>
SNMPD Error MessageN/A<severity>, <vmid>, <bytesin>, <bytesout>, <subject>
SNMPD Operational MessagesN/A<severity>, <sip>, <dip>, <dname>, <sport>, <protname>, <process>, <processid>, <subject>, <command>, <tag1>, <tag2>
SNMPD ResponseN/A<severity>, <process>, <processid>, <object>
Software Status MessagesN/A<severity>, <sname>, <process>, <processid>, <tag1>, <action>, <object>
SQueue EmptyN/A<severity>, <dname>, <process>, <processid>, <object>, <objectname>
SSH AuthenticationN/A<protname>, <tag1>, <login>, <sip>, <sport>
SSH Authentication FailureN/A<sname>, <login>
SSH Login AuditN/A<severity>, <dip>, <dport>, <login>, <process>, <processid>, <object>, <objectname>, <version>, <bytesin>, <bytesout>, <duration>, <tag1>
SSH Reverse Lookup ErrorN/A<sip>, <sname>, <process>, <object>
SSH Server MessagesN/A<vmid>, <login>, <session>, <sname>, <dname>, <object>, <reason>, <tag1>, <tag2>, <sip>, <dip>, <sport>, <dport>, <responsecode>
SSH SessionN/A<login>, <tag1>
SSHD Account AuthorizedN/A<severity>, <process>, <processid>, <login>, <account>, <object>
SSHD ConnectionN/A<severity>, <dname>, <process>, <processid>, <tag1>, <sip>, <sport>, <login>
SSHD ID String Not ReceivedN/A<severity>, <dname>, <process>, <sname>, <subject>, <sip>
SSHD MessagesN/A<severity>, <dname>, <sname>, <sip>, <dip>, <sport>, <dport>, <protname>, <login>, <session>, <process>, <processid>, <object>, <subject>, <command>, <tag1>, <tag2>
SSHD Startup FailureN/A<process>, <sport>, <sip>
SSHD TerminatedN/A<process>, <tag1>
SSL Connect Return MessageN/A<severity>, <process>, <processid>, <protname>, <tag1>
Stale PDF Messenger Secure Reply Data PurgedN/A<dname>, <process>, <object>
Starting AgentN/A<severity>, <dname>, <process>, <object>, <subject>, <serialnumber>
Starting ScanN/A<dname>, <process>, <sip>, <sport>
Startup CompletedN/A<severity>, <process>, <processid>, <object>, <objectname>
SU Command CompletedN/A<sip>, <dname>, <account>, <tag1>, <login>, <object>
SU Command Completed2N/A<severity>, <sname>, <tag1>, <result>, <login>, <object>, <account>
Su Session Opened/ClosedN/A<severity>, <dname>, <login>, <account>, <process>, <parentprocessname>, <parentprocessid>, <object>, <subject>, <tag1>
Su SuccessfulN/A<login>, <account>, <process>
Su User AllowedN/A<account>, <session>, <process>
Sudo General MessagesN/A<severity>, <dname>, <login>, <account>, <session>, <process>, <object>, <command>, <amount>, <tag2>
Sudo MessageN/A<sname>, <dname>, <account>, <login>, <object>, <tag1>, <tag2>
Sudo MessagesN/A<tag1>, <login>, <account>, <object>
Sudo PAM ErrorsN/A<severity>, <dname>, <subject>, <process>, <processid>, <command>, <object>, <tag1>
Switch UserN/A<login>, <account>, <tag1>, <tag2>
Switch User CommandN/A<login>, <dname>, <account>, <object>, <sip>, <tag3>
Syslog Binding ErrorN/A<vmid>, <sip>, <sport>, <dip>, <protname>
Syslog ConnectionN/A<severity>, <dname>, <dip>, <dport>, <process>, <processid>, <tag1>
Syslog MessageN/A<dname>, <tag1>
Syslog-Ng ErrorN/A<severity>, <process>, <processid>, <subject>, <tag1>, <quantity>, <object>
Syslogd Invalid SendtoN/A<process>
Syslogd RestartedN/A<process>
Sysmon MessagesN/A<object>, <tag1>, <tag2>
System Initialized ImproperlyN/A<dname>, <process>, <object>
System StatisticsN/A<process>, <object>, <rate>, <quantity>
System Time Out Of SyncN/A<vmid>, <severity>, <sname>, <dname>, <domainorigin>, <tag1>, <process>
Systemd MessagesN/A<severity>, <parentprocessname>, <dname>, <process>, <subject>, <tag2>, <tag1>, <login>, <result>
Tape Status InformationN/A<object>, <tag1>
Telnet ConnectionN/A<severity>, <subject>, <dname>, <sname>, <process>, <processid>, <sip>, <sipv6e>, <sinterface>
TextImport Log MessagesN/A<severity>, <process>, <object>, <size>, <processid>, <subject>
TGT VerifiedN/A<severity>, <process>, <processid>
TGT Verified Using KeyN/A<severity>, <process>, <processid>, <dname>, <account>
THTTPD StatisticsN/A<severity>, <dname>, <process>, <object>, <quantity>, <amount>, <bytes>, <size>
Timeout Before AuthenticationN/A<severity>, <sip>, <process>, <object>, <subject>
TLS Connection EstablishedN/A<dname>, <process>, <dip>, <object>
Traceback ErrorN/A<severity>, <object>
Traffic LogN/A<severity>, <dname>, <sip>, <dip>, <command>, <object>, <protname>, <vmid>, <responsecode>, <bytesin>
Trap Divide ErrorN/A<severity>, <process>, <processid>, <object>
Trying Mount Of FilesystemN/A<dip>, <object>, <tag1>
UDP ConnectionN/A<severity>, <dname>, <sip>, <sport>, <protname>, <process>, <processid>
Unable To Establish Cred For IDN/A<vmid>, <severity>, <sname>, <dname>, <login>, <account>, <domainorigin>, <process>, <object>
Unable To Open Log FileN/A<severity>, <dname>, <process>, <processid>, <object>, <tag1>
Unable To Resolve User's Primary GIDN/A<severity>, <process>, <object>, <command>
Undefined SymbolN/A<severity>, <sname>, <process>, <object>, <command>
Unicorn Rails WorkerN/A<dname>, <process>, <processid>, <command>, <object>, <objectname>
Unix_Chkpwd AuthenticationN/A<login>, <process>
Unknown HostN/A<dname>
Unknown HostN/A<sip>, <process>, <dname>, <tag1>, <tag2>
Unlocked System AccountsN/A<severity>, <process>, <processid>, <object>, <objectname>
Untrusted Certificate RejectedN/A<dname>, <protname>, <process>, <object>, <threatname>
Up To DateN/A<severity>, <dname>, <process>, <processid>, <version>, <object>, <login>
USB Hub MessagesN/A<severity>, <dinterface>, <dname>, <process>, <processid>, <command>, <amount>, <tag1>
User Added To GroupN/A<severity>, <process>, <processid>, <group>, <account>, <object>
User State ChangeN/A<severity>, <dname>, <tag1>, <command>
UserConfig MessagesN/A<subject>, <vmid>, <tag2>, <account>, <group>, <tag1>, <login>, <sip>
Userhelper And ShutdownN/A<login>, <tag1>
Userhelper MessagesN/A<login>, <account>, <session>, <process>, <processid>, <object>
Usermod MessagesN/A<login>, <tag1>, <tag2>, <tag3>
Usermod Messages:N/A<process>, <account>, <tag1>, <tag2>
Using Cached CatalogN/A<severity>, <process>, <processid>, <object>
Using NFS VersionN/A<tag1>, <protname>, <dname>
Validating MessagesN/A<severity>, <process>, <processid>, <object>, <domainorigin>, <subject>
Variable Access DeprecatedN/A<severity>, <process>, <processid>, <object>, <objectname>
VASD Daemon State InformationN/A<severity>, <subject>, <duration>, <process>, <processid>, <object>, <objectname>, <command>, <tag1>
VCS Clean Completed SuccessfullyN/A<severity>, <session>, <process>, <object>
VCS CPU Usage CriticalN/A<severity>, <sname>, <process>, <object>, <rate>
VitalQIP InformationN/A<sip>, <dip>, <dport>, <process>, <dname>, <object>, <tag1>
VMUnix Critical MessagesN/A<process>, <object>, <tag1>
VMUNIX Memory ErrorN/A<severity>, <process>, <object>
Waiting Certificate RequestN/A<severity>, <process>, <processid>, <object>
WBS Reply MessagesN/A<severity>, <process>, <processid>, <object>, <objectname>, <subject>
Web LoginN/A<login>
Will Not Restore FileN/A<severity>, <dname>, <process>, <object>
Winbind Daemon : Exceeding Client Connection LimitN/A<severity>, <process>, <processid>, <quantity>, <objectname>
Winbind Daemon : Socket Accept FailureN/A<severity>, <process>, <processid>, <command>, <subject>
Winbind Daemon : Unable To Open New Log FileN/A<severity>, <process>, <processid>, <object>, <subject>
Winbind: Denied AccessN/A<severity>, <login>, <session>, <process>, <processid>, <object>, <command>, <subject>
Winbindd Process InformationN/A<severity>, <dname>, <process>, <processid>, <object>, <command>
X.509Config MessagesN/A<subject>, <vmid>, <object>, <tag1>, <login>, <sip>

Optimize Linux Host Processing

The sheer number of Linux Host parent rules can cause processing issues when incoming logs are not matching anything beyond the Catch-All level rules, since every log is still compared against many rules that never match. This section details the process to optimize the Linux Host log processing policies when performance is poor and is causing an MPE performance constraint.

Prerequisites

  • The lps_detail.log from affected data processors. This log can be found by default at C:\Program Files\LogRhythm\LogRhythm Mediator Server\logs.

Step 1: Find Non-Matching Parent Rules

  1. Open the lps_detail.log file and locate the target MPE policy.
    The most important columns here are Total Compares, Attempts, and % Match.

    Parent rules that never match display 0.00% in the % Match column. Refer to the screenshot below as an example.
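
One way to pull the non-matching parent rules out of the report instead of scanning it by eye, as an added example that is not LogRhythm's own tooling. It assumes a tab-separated layout with a header row naming the columns (the page only names Total Compares, Attempts and % Match; the real file's exact layout is not shown there, so adjust the delimiter and column names to what your lps_detail.log actually contains). The policy and rule names in the sample are constructed for illustration.

```python
"""Classify MPE parent rules from an lps_detail.log-style report by match rate.

Added example, not LogRhythm code. The tab-separated, header-first layout
is an ASSUMPTION about lps_detail.log; the column names Total Compares,
Attempts and % Match are the ones the page refers to.
"""
import csv
import io
from typing import Dict, List

# Constructed sample in the assumed layout; policy and rule names are illustrative.
SAMPLE_LPS_DETAIL = """\
Policy\tParent Rule Name\tTotal Compares\tAttempts\t% Match
LogRhythm Default\tSSHD Messages\t120000\t118000\t98.33
LogRhythm Default\tSudo General Messages\t90000\t4500\t5.00
LogRhythm Default\tPGP Cluster Messages\t90000\t0\t0.00
LogRhythm Default\tVAS Daemon Messages\t90000\t0\t0.00
LogRhythm Default\tCatch All: Level 3\t90000\t90000\t100.00
Other Policy\tPuppet Agent Errors\t50\t0\t0.00
"""

CATCH_ALL_PREFIX = "Catch All:"  # the filter string Step 3 uses for Catch-All rules


def parse_lps_detail(text: str) -> List[Dict[str, str]]:
    """Parse the assumed tab-separated report into row dicts keyed by header name."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    rows = []
    for row in reader:
        # Strip surrounding whitespace from keys and values; skip unnamed overflow columns.
        rows.append({k.strip(): (v or "").strip() for k, v in row.items() if k is not None})
    return rows


def match_rate(row: Dict[str, str]) -> float:
    """Return the % Match value as a float, tolerating a trailing '%' or a blank cell."""
    raw = row.get("% Match", "").rstrip("%").strip()
    try:
        return float(raw)
    except ValueError:
        return 0.0


def is_catch_all(rule_name: str) -> bool:
    return rule_name.startswith(CATCH_ALL_PREFIX)


def non_matching_parent_rules(rows: List[Dict[str, str]], policy: str) -> List[str]:
    """Parent rules of `policy` with 0.00% match that are not Catch-All rules.

    These are the rules Step 3 leaves out of the cloned policy.
    """
    return [
        r["Parent Rule Name"]
        for r in rows
        if r["Policy"] == policy
        and match_rate(r) == 0.0
        and not is_catch_all(r["Parent Rule Name"])
    ]


def matching_parent_rules(rows: List[Dict[str, str]], policy: str) -> List[str]:
    """Parent rules to enable in the cloned policy: any rule with a non-zero match
    rate, plus every Catch-All rule (Step 3 enables those regardless of rate)."""
    return [
        r["Parent Rule Name"]
        for r in rows
        if r["Policy"] == policy
        and (match_rate(r) > 0.0 or is_catch_all(r["Parent Rule Name"]))
    ]


def wasted_compares(rows: List[Dict[str, str]], policy: str) -> int:
    """Total Compares spent on non-matching, non-Catch-All parent rules of `policy`."""
    keep = set(non_matching_parent_rules(rows, policy))
    return sum(
        int(r["Total Compares"]) for r in rows
        if r["Policy"] == policy and r["Parent Rule Name"] in keep
    )


if __name__ == "__main__":
    rows = parse_lps_detail(SAMPLE_LPS_DETAIL)
    target = "LogRhythm Default"
    print("Enable in cloned policy:", matching_parent_rules(rows, target))
    print("Leave disabled:", non_matching_parent_rules(rows, target))
    print("Compares spent on never-matching rules:", wasted_compares(rows, target))
```

Run it against a real report by replacing SAMPLE_LPS_DETAIL with the file contents and the target policy name; the "Leave disabled" list is what you skip in Step 3, and the "Enable" list is what you paste into the Parent Rule Name filter one rule at a time.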

Step 2: Clone the Existing MPE Policy

From the LogRhythm Client Console:

  1. On the main toolbar, click Deployment Manager.
  2. Click the Log Processing Policies tab.
  3. Right-click within the grid and select New.
  4. Search for the target log source type (e.g., Syslog - Linux Host), and then click OK.
    The MPE Policy Editor window appears.

Step 3: Create the New Policy with Only Matching Rules

The lps_detail.log file is referenced frequently during this step.

From the MPE Policy Editor window:

  1. Enter a new, unique policy name.
  2. Paste a parent rule from the lps_detail.log file into the Parent Rule Name column as shown below:

    This filters the list to show all sub-rules within the parent rule.

    Ensure only the parent rule chosen displays in the Parent Rule Name column.

  3. Right-click and select Check All Displayed.
  4. Right-click and select Properties.
  5. Click Enable.
    All sub-rules are checked in the Enabled column.
  6. Repeat steps 2 through 5 in this section for all matching parent rules.
  7. Once all parent rules are enabled, repeat steps 2 through 5 in this section for all Catch-All level rules by searching for "Catch All:" under the Parent Rule Name filter.
  8. Once complete, click OK.

Step 4: Apply the New Processing Policy to all Syslog - Linux Host Log Sources

From the LogRhythm Client Console:

  1. On the main toolbar, click Deployment Manager.
  2. Click the Log Sources tab.
  3. Filter the lower grid so that all Syslog - Linux Host log sources display.
  4. Right-click in the lower grid and select Uncheck All, then right-click again and select Check All Displayed.
  5. Right-click in the lower grid and select Actions, and then Edit Properties.
    The Log Message Source Properties window appears.
  6. Change the Log Message Processing Engine (MPE) Policy to the log processing policy created in the Step 3 section above.

Allow Changes to Take Effect

Once the steps above are completed, the Data Processor will implement the changes in its next cycle. A restart of the Mediator service is not typically required.

To confirm the updated policy is in place, review the updated lps_detail.log file to see the custom policy performance listed.

A manual restart of the Mediator can be performed if the lps_detail.log file doesn't reflect the new policy after about five minutes.

Revision History

KB Version | Log Type | Change Type | Details
KB 7.1.577.0 | N/A | Device Documentation | N/A