Syslog - Linux Host
The Syslog - Linux Host log source and its processing rules are provided as a template that accommodates a wide range of applications. Customers are advised to modify this log source to suit their specific needs. Using this log source without modification will cause performance issues, including slower log collection and suboptimal log parsing.
For information on modifying this template and optimizing log parsing, see Optimize Linux Host Processing below.
Supported Log Messages
(List of LR Tags used to parse the log information for each message type)
Type | Product Version | Supported Schema Fields |
---|---|---|
Above Message Repeats | N/A | <severity>, <quantity>, <tag1> |
ABRT Messages | N/A | <severity>, <sname>, <process>, <object>, <subject>, <recipient> |
Accepted Password | N/A | <sip>, <sport> |
Accepted Publickey | N/A | <severity>, <sport>, <sip>, <sname>, <dname>, <process>, <processid>, <protname>, <hash> |
Accepting Connection | N/A | <dname>, <process>, <sip>, <sport> |
Account Added To Group | N/A | <severity>, <process>, <processid>, <account>, <login>, <group> |
Account Information | N/A | <dname>, <process>, <object>, <account>, <tag1>, <tag2>, <tag3> |
Agent Appeared Dead But Responded To Ping | N/A | <severity>, <process>, <object> |
Agent Information | N/A | <severity>, <process>, <processid>, <dname> |
Aide.wrapper Message | N/A | <process>, <processid>, <parentprocesspath>, <tag1>, <action> |
Allowed Clients Config | N/A | <vmid>, <login>, <subject>, <sip>, <object>, <tag1> |
Anacron Job Terminated | N/A | <process>, <object> |
Anvil Statistics | N/A | <severity>, <dname>, <process>, <processid>, <size>, <rate>, <sip> |
Arpwatch Process | N/A | <severity>, <sip>, <sname>, <dname>, <smac>, <dmac>, <process>, <tag1> |
Attempting To Validate Locked Account | N/A | <process>, <account> |
Audispd Activity | N/A | <severity>, <dip>, <dname>, <processid>, <object>, <objectname>, <command>, <status> |
Audispd Operations | N/A | <severity>, <dname>, <process>, <processid>, <object>, <command>, <amount>, <tag1> |
Audit Daemon Low On Disk Space | N/A | <severity>, <sname>, <process>, <processid>, <tag1> |
Audit Event Multiplexor Messages | N/A | <severity>, <session>, <dname>, <login>, <processid>, <object>, <subject>, <result>, <command>, <tag1>, <tag2> |
Auditd Status Messages | N/A | <severity>, <dname>, <process>, <processid>, <object>, <command>, <subject>, <tag1> |
Authenticated Mount Request | N/A | <severity>, <dip>, <processid>, <tag1>, <sip>, <sname>, <sport>, <object>, <subject> |
Authentication Failed | N/A | <severity>, <process>, <processid>, <dname>, <login> |
Authentication Failure | N/A | <login> |
Authentication Failures On Account | N/A | <severity>, <process>, <quantity>, <account> |
Authentication Information | N/A | <severity>, <domainorigin>, <dname>, <process>, <processid>, <object>, <objectname>, <command> |
Authentication Messages | N/A | <vmid>, <sip>, <login>, <subject>, <object>, <tag2> |
Automatic Root Authorization Bypass | N/A | <severity>, <process>, <processid>, <object>, <command>, <login> |
Automount | N/A | <severity>, <dname>, <process>, <processid>, <object>, <objectname>, <command>, <subject>, <tag2> |
Automount Messages | N/A | <severity>, <process>, <processid>, <quantity>, <objectname>, <tag1>, <object>, <subject> |
AVAHI Daemon Warning | N/A | <severity>, <sip>, <process>, <processid>, <subject>, <tag1> |
Avahi Host DNS Name | N/A | <session>, <process>, <dname> |
Avahi Hostname Conflict | N/A | <severity>, <process>, <processid>, <sname>, <dname> |
Avahi Registration | N/A | <severity>, <sname>, <dname>, <sip>, <sinterface>, <session>, <subject>, <processid>, <tag1> |
AXIS Messages | N/A | <severity>, <login>, <group>, <sname>, <subject>, <process>, <processid>, <tag2>, <sip>, <tag3> |
Batch Order Details | N/A | <severity>, <process>, <processid>, <object>, <objectname>, <subject> |
Be2net Messages | N/A | <severity>, <dinterface>, <object>, <command>, <process>, <tag2>, <tag1>, <tag3> |
Booting Processor | N/A | <object> |
Callbacks Suppressed | N/A | <severity>, <quantity> |
Calling Function ID | N/A | <severity>, <dname>, <process>, <processid>, <object> |
Can't Get Hostname | N/A | <sip>, <dip> |
Cannot Load Module | N/A | <severity>, <process>, <processid>, <vmid>, <object>, <subject> |
Cannot Locate URL From File | N/A | <severity>, <process>, <object>, <url>, <command>, <duration> |
Cannot Open Reserved Port | N/A | <process>, <vmid>, <object> |
Catch All : Crond General Messages | N/A | <severity>, <process>, <processid>, <subject>, <tag1> |
Catch All : General Messages | N/A | <severity>, <tag1> |
Catch All Level 1 | N/A | <severity>, <tag1> |
Catch All : Level 2 (General Information) | N/A | <dname>, <object>, <process> |
Catch All : Level 2 (General Syslog Information) | N/A | <tag1>, <dname>, <process> |
Catch All : Level 3 | N/A | <severity>, <dip>, <dname>, <process>, <processid>, <quantity>, <tag1> |
Catch All : Level 3 - Syslog Protocol And Severity | N/A | <sport>, <sip>, <process>, <tag1> |
Catch All : Solaris 10 Audit | N/A | <vmid>, <sip>, <sname>, <login>, <session>, <tag1> |
Catch All : SSHD General Messages | N/A | <severity>, <process>, <processid>, <subject>, <tag1> |
Catch All : Xinetd Messages | N/A | <severity>, <sip>, <process>, <processid>, <command>, <object>, <duration>, <tag1> |
Centrify Messages | N/A | <severity>, <parentprocessname>, <parentprocessid>, <dname>, <subject>, <tag1>, <domain>, <process>, <version>, <login>, <vmid>, <result>, <processid>, <reason>, <object> |
Checker Reports Path Is Down | N/A | <severity>, <process>, <object>, <objectname> |
Checkout Passed | N/A | <severity>, <sname>, <object>, <tag1> |
Chef Client Messages | N/A | <severity>, <dname>, <parentprocessname>, <subject>, <sname>, <login>, <sport>, <process>, <group>, <url>, <responsecode> |
Child Exists | N/A | <severity>, <dname>, <process>, <processid> |
Clamd Scan Operations | N/A | <severity>, <dname>, <session>, <process>, <processid>, <object>, <command>, <tag1> |
Cleanup Messages | N/A | <severity>, <dname>, <process>, <session>, <recipient>, <action> |
Client Not Found In Kerberos Database | N/A | <vmid>, <severity> |
Client Unknown | N/A | <severity>, <dname>, <reason> |
CLISH Messages : Login Logout Cmd Executed | N/A | <login>, <process>, <processid>, <object>, <tag1> |
CLISH User Information | N/A | <sname>, <login>, <session>, <process>, <processid>, <object> |
Clock Errors | N/A | <sip>, <process>, <tag1>, <tag2> |
CLUSTER-TLS Connection Closed | N/A | <dname>, <process>, <sip>, <object>, <sport> |
Command Complete | N/A | <severity>, <dname>, <process>, <processid>, <object>, <subject>, <objectname>, <size> |
Command Execution | N/A | <severity>, <dname>, <sinterface>, <login>, <process>, <processid>, <object> |
Command Information | N/A | <severity>, <dname>, <process>, <processid>, <command>, <sname> |
Command String | N/A | <severity>, <dname>, <process>, <command> |
Commissioning | N/A | <vmid>, <sip>, <login>, <subject>, <tag1>, <tag2> |
Common Information Model Server Message | N/A | <dname>, <process>, <tag1>, <vmid>, <object>, <sport>, <login> |
Comparing Current Cluster Data | N/A | <severity>, <sname>, <object> |
Comparing Current Data | N/A | <severity>, <sname>, <object> |
ConfigFile | N/A | <vmid>, <sip>, <login>, <subject>, <tag1>, <tag2> |
Configuration Status | N/A | <severity>, <dname>, <object>, <objectname>, <tag1> |
Connecting To Data Layer Service Remotely | N/A | <dname>, <process> |
Connection Closed | N/A | <dname>, <process>, <dip>, <dport> |
Connection Established | N/A | <dname>, <process>, <dip>, <dport>, <sname>, <object> |
Connection Failed | N/A | <dip>, <dname>, <protname>, <dport>, <tag1> |
Connection Information | N/A | <sip>, <dip>, <dname>, <sport>, <dport>, <session>, <process>, <tag1>, <tag2>, <tag3> |
Connection Lost While Receiving Server Greeting | N/A | <protname>, <session>, <dname>, <dip> |
Connection Message | N/A | <sip>, <dip>, <dport>, <sport>, <sname>, <process>, <processid>, <tag1>, <protname> |
Connection Notification | N/A | <dip>, <sip>, <session>, <dname>, <process>, <processid>, <object>, <objectname>, <command>, <subject> |
Connection Refused | N/A | <severity>, <sip>, <process>, <processid>, <object>, <command>, <duration> |
Connection Refused | N/A | <dname>, <process>, <processid>, <sip>, <sport> |
Connection Timed Out | N/A | <severity>, <dname>, <process>, <dip> |
Control Network Tracing And Logging Message | N/A | <dname>, <process>, <tag1> |
CORBA Connection To Data Layer | N/A | <dname>, <process> |
Could Not Authenticate User | N/A | <severity>, <sname>, <process> |
Could Not Complete SSL Handshake | N/A | <dname>, <process>, <protname>, <object> |
Could Not Fork Ident IPC Handler | N/A | <severity>, <sname>, <process>, <object> |
Could Not Resolve IP | N/A | <severity>, <process>, <processid>, <dip> |
Could Not Send Message To License Server | N/A | <severity>, <subject>, <process>, <processid> |
Cron Daemon Messages -Retired | N/A | <severity>, <dname>, <process>, <object>, <command>, <tag1>, <objectname> |
Cron Job Execution | N/A | <severity>, <login>, <process>, <processid>, <object>, <command>, <tag1> |
Cron Job Execution | N/A | <severity>, <login>, <process>, <processid>, <object>, <tag1>, <dname> |
Crond Operations | N/A | <severity>, <dname>, <login>, <process>, <processid>, <subject>, <command>, <tag1>, <tag2> |
Ctasd Messages | N/A | <severity>, <vmid>, <dname>, <subject>, <process>, <processid>, <command>, <object>, <objectname>, <tag1>, <tag2>, <tag3> |
Ctipd Messages | N/A | <severity>, <dname>, <subject>, <process>, <processid>, <command>, <tag1>, <tag2> |
CUPS Information | N/A | <sip>, <sname>, <process>, <dname>, <object>, <tag1> |
Daemon Connections | N/A | <severity>, <process>, <processid>, <tag1>, <object>, <size> |
Daemon Process Messages -retired | N/A | <severity>, <dname>, <process>, <tag1> |
Daemon Processing Information | N/A | <dname>, <process>, <object>, <tag1> |
Daemon/Version Startup And Shutdown | N/A | <severity>, <dname>, <process>, <processid>, <tag1>, <command>, <version> |
Data Domain Logging Messages | N/A | <severity>, <vmid>, <process>, <sname>, <account>, <command>, <object>, <tag1> |
Database Is Older Than Source File | N/A | <process>, <object> |
DataDog Messages | N/A | <severity>, <parentprocessname>, <parentprocessid>, <dname>, <dport>, <subject>, <serialnumber>, <seconds> |
DateTime | N/A | <vmid>, <sip>, <login>, <severity>, <tag1> |
DateTimeConfig | N/A | <vmid>, <sip>, <login>, <subject>, <tag1> |
D-Bus Audit Failure | N/A | <sip>, <login>, <process>, <object>, <tag1> |
DBUS Service Message | N/A | <severity>, <sname>, <process>, <processid>, <subject>, <object>, <tag1> |
DDFS Messages | N/A | <severity>, <vmid>, <process>, <processid>, <command>, <object>, <size>, <tag1> |
Device Failed Smart Self-Check: Backup Data Now | N/A | <severity>, <process>, <object> |
Device Promiscuous Mode | N/A | <severity>, <dname>, <dinterface>, <process>, <tag1> |
DHClient Information | N/A | <process>, <processid>, <command>, <dinterface>, <dip>, <dport>, <quantity> |
DHCP ACK/REQUEST Messages | N/A | <sip>, <dip>, <process>, <sname>, <object>, <tag1> |
DHCP Assigned | N/A | <severity>, <sip>, <dip>, <process>, <processid> |
DHCP Binding Notification | N/A | <severity>, <sip>, <process>, <processid>, <subject>, <duration> |
DHCP Renewing | N/A | <tag1> |
DHCP Request | N/A | <severity>, <sip>, <dip>, <dport>, <sinterface>, <process>, <processid>, <tag1> |
DHCPD Messages | N/A | <tag1>, <sip>, <object>, <tag2>, <quantity>, <dname> |
DHCPD Messages | N/A | <tag1>, <smac>, <dinterface>, <sip>, <dmac>, <sip> |
Diagnostic Monitor Daemon Message | N/A | <dname>, <process>, <tag1> |
Did Not Use HELO Protocol | N/A | <severity>, <process>, <processid>, <object>, <sname>, <dname>, <dip>, <protname> |
Directory Not Secured | N/A | <dname>, <object> |
Dispatch Protocol Error | N/A | <severity>, <process>, <processid>, <object>, <objectname> |
DNSMASQ DHCP | N/A | <severity>, <dname>, <process>, <processid>, <tag1>, <command>, <dinterface>, <dip>, <dmac> |
Docker Log Information | N/A | <severity>, <dip>, <dname>, <dport>, <login>, <parentprocessname>, <processid>, <subject>, <quantity>, <command> |
Dropped Packet | N/A | <sname>, <protname>, <sip>, <dip>, <dport>, <process>, <object>, <size>, <tag1> |
Email Header Warning | N/A | <process>, <session>, <subject>, <sname>, <sip>, <sender>, <recipient>, <protname> |
EMC Filesystem Mount | N/A | <severity>, <dname>, <process>, <command>, <subject>, <object> |
End Of File | N/A | <dname>, <process>, <sip>, <sport> |
Environment Daemon Message | N/A | <dname>, <process>, <tag1> |
Error Deleting Journal File | N/A | <severity>, <dname>, <process>, <processid>, <object>, <objectname> |
Error Messages | N/A | <dname>, <sip>, <dip>, <sport>, <protname>, <object>, <quantity>, <tag1> |
Error Reading Keytab | N/A | <severity>, <process>, <processid>, <object> |
Error Retrieving User Information | N/A | <severity>, <process>, <processid>, <login> |
Ethernet Link Status | N/A | <object>, <rate>, <tag1> |
Catch All : Level 1_ | N/A | <subject>, <tag1>, <status>, <sip>, <dip>, <sinterface>, <dinterface>, <severity>, <session> |
Event Messages | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <protname>, <object>, <command> |
Executing Object | N/A | <dname>, <process>, <object> |
Exim Messages | N/A | <severity>, <sip>, <sname>, <dip>, <dname>, <process>, <processid>, <login>, <subject>, <sport>, <dport>, <command>, <tag1> |
Extended Internet Daemon Exiting | N/A | <process> |
eXtended InterNET Daemon Messages | N/A | <severity>, <tag1>, <process>, <status>, <processid>, <sipn>, <seconds> |
Failed Login | N/A | <sip>, <sport>, <sname>, <login> |
Failed Login | N/A | <severity>, <login>, <sip>, <sport>, <protname> |
Failed Login Attempt | N/A | <login>, <sip> |
Failed Packet | N/A | <protnum>, <sip>, <dip>, <sport>, <dport> |
Failed Parse Inline Template | N/A | <severity>, <dname>, <dinterface>, <process>, <processid>, <object>, <objectname>, <tag1> |
Failed To Accept Socket | N/A | <severity>, <dname>, <process>, <processid>, <tag1> |
Failed To Change Host Password | N/A | <vmid>, <severity>, <sname>, <dname>, <login>, <account>, <domainorigin>, <process>, <object>, <command>, <reason> |
Failed To Create Pipes | N/A | <severity>, <process>, <object> |
Failed To Map Consumer To A Directory | N/A | <dname>, <process>, <protname>, <object>, <account> |
Failed To Mount Filesystem | N/A | <severity>, <sname>, <process>, <processid>, <object>, <reason> |
Fake Hostname - Forward Lookup Doesn't Exist | N/A | <dip>, <object>, <sip> |
Fetching FTP Files | N/A | <severity>, <process>, <processid>, <object>, <domainorigin>, <subject> |
File Conflict | N/A | <severity>, <process>, <processid>, <object>, <objectname>, <subject> |
File Or Directory Monitor Messages | N/A | <severity>, <sname>, <process>, <processid>, <subject>, <object>, <tag1> |
File System Checkout Error | N/A | <severity>, <sname> |
File System Full | N/A | <vmid>, <object> |
File System Health Check Passed | N/A | <severity>, <object> |
File Transfer Protocol Message | N/A | <dname>, <process>, <processid>, <tag1>, <protname>, <sname>, <sip>, <login>, <object>, <tag2> |
Finished Catalog Run | N/A | <severity>, <process>, <processid>, <object>, <duration> |
Firewall Message | N/A | <tag1>, <action>, <sinterface>, <dip>, <sip>, <processid>, <sport>, <dport>, <protname> |
FireWallConfig Messages 1 | N/A | <vmid>, <severity>, <sip>, <login>, <object>, <tag1> |
FirewallConfig Messages 2 | N/A | <vmid>, <subject>, <sip>, <login>, <object>, <tag1> |
FTP Daemon : Transfer Log | N/A | <severity>, <dname>, <process>, <processid>, <object>, <tag1> |
Gconfd Process | N/A | <severity>, <dname>, <process>, <account>, <session>, <tag1>, <object>, <subject>, <objectname>, <vmid> |
GDM Login | N/A | <login>, <account>, <process> |
GDM Superuser Denied Login | N/A | <session>, <process> |
GDM Unable To Log Session | N/A | <process> |
General Audit Events | N/A | <severity>, <login>, <tag2>, <tag3> |
General Authentication | N/A | <severity>, <process>, <tag1>, <login>, <tag2>, <sip>, <sname> |
General Authentication 2 | N/A | <dname>, <process>, <sname>, <tag1>, <login>, <sip>, <sport> |
General Authentication 3 | N/A | <severity>, <sname>, <process>, <tag1>, <object>, <sip>, <login>, <subject> |
General Authentication Event | N/A | <sip>, <sname>, <login>, <tag1>, <tag2> |
General Cache Messages | N/A | <severity>, <dname>, <process>, <processid>, <subject>, <object>, <version>, <parentprocessname> |
General Connection Information | N/A | <dname>, <process>, <tag1>, <sip>, <sname> |
General Debug Messages | N/A | <severity>, <process>, <processid>, <command>, <object>, <subject>, <sname> |
General Failed Authentication Messages | N/A | <dname>, <process>, <processid>, <dinterface>, <tag1>, <login>, <sip>, <sname>, <sport>, <seconds>, <account> |
General Failed Login Attempt | N/A | <severity>, <sip>, <sname>, <login> |
General Failed Login Attempt 2 | N/A | - |
General FTP Information | N/A | <dname>, <tag1>, <sip>, <login>, <object>, <sname> |
General FTP Msg | N/A | <severity>, <sip>, <login>, <tag1> |
General Information Log Messages | N/A | <severity>, <process>, <processid>, <object>, <domainorigin>, <subject>, <recipient> |
General Kernel Messages | N/A | <severity>, <vmid>, <dname>, <subject>, <process>, <processid>, <command>, <object>, <amount>, <quantity>, <size>, <tag1>, <tag2>, <tag3> |
General Messages 2 | N/A | <login>, <tag1>, <tag2>, <tag3> |
General Network Error | N/A | <vmid>, <severity>, <tag1> |
General Postgres Messages | N/A | <severity>, <login>, <object>, <objectname>, <command> |
General Robot Daemon Message | N/A | <severity>, <process>, <processid>, <command>, <object> |
General Sendmail | N/A | <dname> |
General SNMPD Messages | N/A | <severity>, <process>, <processid>, <tag1>, <object>, <sip>, <protname>, <sport> |
General Switch User (su) | N/A | <dname>, <login>, <account>, <tag1> |
Generic Client Creation Failed | N/A | <vmid>, <dname>, <tag1> |
Get Key By Key ID Failed | N/A | <dname>, <process>, <object>, <tag1> |
GIS Disk Error | N/A | <severity>, <sname>, <tag1> |
GIS OPEN SYS Check Passed | N/A | <severity>, <tag1>, <object>, <sinterface>, <sip> |
Github General Messages | N/A | <severity>, <process>, <subject> |
Gpasswd Messages | N/A | <login>, <account>, <process>, <group>, <tag1> |
Group Entry Messages | N/A | <severity>, <dname>, <process>, <object>, <objectname>, <group>, <domain>, <tag1> |
Group Policy Applied | N/A | <process>, <processid>, <severity>, <object> |
Groupdel Deleted Group | N/A | <process>, <group> |
Groupmod Changed GID | N/A | <process>, <group>, <tag1> |
GSSAPI Accepted | N/A | <severity>, <process>, <processid>, <object>, <login>, <sip>, <sport>, <protname> |
Handling Connection | N/A | <severity>, <dname>, <process>, <processid> |
Hardware Management Console Messages | N/A | <dname>, <object>, <session>, <tag1> |
Host Address Information | N/A | <severity>, <dname>, <process>, <processid>, <object> |
Host Communication Message | N/A | <severity>, <sname>, <process>, <processid>, <result> |
Host Not Allowed To Talk | N/A | <severity>, <process>, <processid>, <dip> |
Host Not Entitled To Run Program | N/A | <vmid>, <severity>, <process>, <object>, <url>, <command>, <duration> |
Host Offline | N/A | <severity>, <process>, <dname>, <object>, <objectname>, <status>, <tag1> |
Host Refused To Talk : Message Temp Deferred | N/A | <vmid>, <sip>, <dip>, <dname>, <protname>, <session>, <responsecode>, <url> |
HostsConfig Messages | N/A | <vmid>, <sip>, <dname>, <login>, <subject>, <tag1> |
HP System Health Messages | N/A | <process>, <object>, <tag1>, <tag2> |
HTTPD Error | N/A | <dname>, <process>, <processid>, <severity>, <sip>, <tag1>, <object>, <url> |
ID Respawning Too Fast | N/A | <severity>, <dname>, <process>, <object>, <subject>, <minutes> |
Ignoring Extra Unique Index | N/A | <dname>, <process>, <object> |
Illegal Address Syntax In Command | N/A | <dip>, <dname>, <process>, <object>, <recipient> |
Illegal Port Connection | N/A | <severity>, <sname>, <process>, <processid>, <tag1>, <sip>, <sport> |
Illegal User | N/A | <sip>, <sname>, <login> |
Incorrect Authentication Source | N/A | <severity>, <dip>, <sip>, <account>, <dname>, <process>, <processid> |
Init Respawning Error | N/A | <severity>, <process>, <object>, <duration> |
Input/Output Error | N/A | <severity>, <process>, <processid>, <command>, <object> |
Installation Outdated | N/A | <severity>, <dname>, <process>, <processid>, <object> |
Interactive Authentication | N/A | <dname>, <process>, <tag1>, <tag2>, <login>, <sipn>, <sport>, <dip>, <sessiontype> |
Interactive Authentication 2 | N/A | <login>, <dname>, <object>, <sport>, <sip>, <protname>, <process>, <processid>, <tag3> |
Internet Daemon Message | N/A | <dname>, <process>, <tag2>, <protname>, <tag1>, <object> |
Internet Daemon No Such File Or Directory | N/A | <severity>, <process>, <processid>, <object> |
Invalid Domain Mapping | N/A | <severity>, <sname>, <process>, <processid>, <command>, <subject>, <login>, <domain>, <dname> |
Invalid Flag | N/A | <severity>, <process>, <object> |
Invalid User | N/A | <severity>, <login>, <sip> |
Invalid User. | N/A | <severity>, <dname>, <sip>, <process>, <processid>, <login>, <command> |
IP Chains Firewall Log | N/A | <vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <protname>, <command> |
IPsecConfig Messages | N/A | <vmid>, <sip>, <login>, <subject>, <tag2> |
JSCAPE FTP Account Modified | N/A | <severity>, <dname>, <login>, <command>, <account> |
JScape FTP Messages | N/A | <severity>, <dname>, <sip>, <sport>, <dip>, <dport>, <login>, <tag1>, <command>, <object>, <bytesin>, <bytesout> |
JSCAPE FTP Trigger Message | N/A | <severity>, <dname>, <tag1>, <command>, <action>, <object>, <vmid>, <subject> |
K Desktop Manager Errors | N/A | <sip>, <process>, <tag1>, <object> |
KDM Authentication Failure | N/A | <vmid>, <severity>, <dname>, <login>, <process>, <processid> |
Keep-Alive Informational Messages | N/A | <severity>, <sname>, <process>, <processid>, <subject>, <dip>, <tag1>, <dport> |
Kernel File System Messages | N/A | <severity>, <dinterface>, <dname>, <process>, <processid>, <command>, <vmid>, <tag1>, <tag2> |
Kernel Header Information | N/A | <severity>, <smac>, <dmac>, <dname>, <command>, <process> |
Kernel Information Messages | N/A | <severity>, <sip>, <dip>, <dinterface>, <object>, <processid>, <command>, <subject> |
Kernel Messages | N/A | <login>, <dname>, <vmid>, <tag1>, <tag2> |
Kernel Out Of Memory Kill Process | N/A | <severity>, <process>, <session>, <subject>, <processid>, <object>, <amount> |
Kernel Registry Services Daemon Message | N/A | <dname>, <process>, <tag1> |
Kernel USB Messages | N/A | <severity>, <dinterface>, <dname>, <process>, <processid>, <object>, <objectname>, <quantity>, <command>, <tag1>, <serialnumber> |
Last Message Repeated | N/A | <tag1>, <sname>, <quantity> |
LastLog Messages | N/A | <sip>, <login>, <object>, <tag1> |
LDAP Connection Failure | N/A | <severity>, <sname>, <process>, <processid>, <reason>, <subject>, <result>, <object> |
LDAP Failed Connection | N/A | <severity>, <sname>, <sport>, <object>, <objectname>, <tag1> |
LDAP Failed Connection Message | N/A | <vmid>, <severity>, <sname>, <sport>, <session>, <processid>, <object>, <objectname>, <tag1> |
LDAP Messages | N/A | <severity>, <sname>, <process>, <processid>, <command>, <tag1>, <login>, <result>, <tag2>, <reason> |
LDAP Monitor Messages | N/A | <vmid>, <severity>, <sip>, <sname>, <sport>, <session>, <process>, <processid>, <object>, <objectname>, <command>, <tag1> |
LDAP Query Lookup Failure | N/A | <severity>, <process>, <processid>, <object>, <objectname>, <subject> |
LDAPConfig Messages | N/A | <vmid>, <sip>, <dname>, <login>, <subject>, <tag1> |
LDAPGroupMap Messages | N/A | <subject>, <vmid>, <tag1>, <login>, <sip> |
Linux : Password Changed | N/A | <account>, <processid>, <action>, <tag1> |
Linux Permission Denied | N/A | <dname>, <process>, <processid>, <object>, <objectname>, <dip>, <vmid> |
Linux User And Group Addition Or Deletion | N/A | <severity>, <sname>, <login>, <account>, <process>, <processid>, <object>, <objectname>, <group>, <tag1>, <tag2> |
LMTP Messages 2 | N/A | <process>, <session>, <dname>, <dip>, <responsecode>, <vmid>, <sender>, <recipient>, <protname>, <status> |
Local Mail Transfer Protocol Messages | N/A | <severity>, <process>, <protname>, <processid>, <session>, <recipient>, <dname>, <dip>, <dport>, <milliseconds>, <vmid>, <status>, <responsecode> |
Log Manager Login Attempt | N/A | <login>, <tag1> |
Log Statistics | N/A | <severity>, <process>, <processid>, <object> |
Logging Lost Messages | N/A | <severity>, <dname>, <command>, <vmid>, <process>, <tag1>, <amount>, <processid>, <object> |
Logical Volume Manager Message | N/A | <dname>, <process>, <tag1>, <object> |
Login Successful | N/A | <severity>, <dname>, <process>, <login>, <sip>, <sipv6e>, <sname>, <sinterface> |
Lookup Failed | N/A | <severity>, <sname>, <process>, <object>, <tag1> |
Lost Input Channel | N/A | <severity>, <process>, <processid>, <object>, <sname>, <sip>, <objectname> |
Mail Info Dovecot | N/A | <severity>, <sname>, <login>, <tag1>, <action>, <dip>, <sip>, <processid>, <session> |
Mail Information Messages | N/A | <dname>, <process>, <recipient>, <object>, <duration>, <quantity>, <tag1> |
Martian Message | N/A | <severity>, <sip>, <dip>, <dname>, <dinterface>, <process> |
Matching DSA Key | N/A | <severity>, <dname>, <process>, <processid>, <object> |
Memory For Crash Kernel Outside Of Range | N/A | <object> |
Message Content Rejected | N/A | <process>, <session>, <sname>, <sip>, <sender>, <recipient>, <protname>, <vmid> |
Message Delivery Error | N/A | <sname>, <process>, <sip>, <object>, <tag1> |
Message Expired | N/A | <process>, <session>, <sender>, <status>, <object> |
Message Temporarily Deferred | N/A | <dip>, <dname>, <protname>, <session>, <responsecode> |
MKUser Sudo Command | N/A | <severity>, <dname>, <account>, <login>, <session>, <process>, <object>, <objectname>, <command>, <group>, <amount>, <tag2> |
Module Location Error | N/A | <object> |
Mount : Lookup And Parse | N/A | <process>, <object>, <tag1> |
Mount Attempt | N/A | <sip>, <object>, <dname>, <tag1> |
Mount Failed : Permission Denied | N/A | <severity>, <sname>, <process>, <processid>, <object> |
Mount Still Active | N/A | <dip>, <object> |
Mounting Filesystem Failed | N/A | <dip>, <object> |
Multipathd : Path Is Down | N/A | <severity>, <login>, <subject>, <object> |
Multiple Login Failures | N/A | <severity>, <sip>, <login>, <process>, <quantity>, <tag1> |
Nagios Messages | N/A | <severity>, <vmid>, <sname>, <dname>, <subject>, <process>, <processid>, <command>, <object>, <tag2>, <tag1>, <tag3> |
Network Firewall Flow Logs | N/A | <severity>, <policy>, <command>, <sinterface>, <dinterface>, <smac>, <sip>, <dip>, <protname>, <sport>, <dport> |
Network Manager Information | N/A | <severity>, <object>, <process>, <processid>, <dname>, <dinterface>, <subject> |
Network Time Protocol Messages | N/A | <severity>, <sname>, <dname>, <dip>, <tag1>, <tag2> |
NetworkConfig Messages | N/A | <subject>, <vmid>, <object>, <tag1>, <tag2>, <login>, <sip>, <dip> |
New USB Device Found | N/A | <severity>, <process>, <object>, <objectname>, <subject> |
NFS Mount Failure | N/A | <process>, <object> |
No Address Found For Root NS | N/A | <sname>, <process>, <processid>, <object> |
No Filesystem Type Specified | N/A | <dip>, <object>, <account> |
No Idle Connections | N/A | <severity>, <dname>, <process>, <processid>, <quantity> |
No Route To Host | N/A | <dip>, <dname>, <dport>, <protname> |
No Servers Found | N/A | <severity>, <dname>, <process>, <processid>, <object> |
No Session | N/A | <severity>, <dname>, <process>, <processid>, <object>, <account>, <sname> |
No Such User | N/A | <severity>, <sname>, <process>, <object>, <command> |
Non-DMZ Link Connected | N/A | <sip>, <dname>, <sport>, <process>, <object> |
Not Being Journaled | N/A | <severity>, <dname>, <process>, <processid>, <object>, <objectname>, <quantity> |
Not Sending Tagmail Report | N/A | <severity>, <process>, <processid> |
NRPE Command | N/A | <severity>, <object>, <process>, <processid>, <command>, <tag1> |
NRPE Connection | N/A | <severity>, <dname>, <process>, <processid>, <sip>, <sport>, <tag1>, <command> |
NRPE Start/Stop | N/A | <severity>, <process>, <processid>, <command>, <tag1>, <session>, <sip>, <sipv6e>, <duration> |
NSLCD Messages | N/A | <severity>, <dname>, <process>, <tag1>, <version>, <object>, <objectname> |
NSS Authentication Error | N/A | <severity>, <process>, <processid>, <subject>, <dname> |
NTP Listener Messages | N/A | <severity>, <dname>, <process>, <object>, <tag1>, <sinterface>, <sip>, <protname>, <sport> |
NTP Messages | N/A | <severity>, <dname>, <process>, <tag2>, <dip>, <tag1>, <duration>, <version>, <object>, <dinterface> |
NTPD Time Reset/Synchronization | N/A | <severity>, <dname>, <process>, <tag1>, <seconds>, <object> |
NTPD_INTRES Messages | N/A | <severity>, <process>, <objectname>, <subject>, <tag1> |
Number Of Certificate Reminders To Process Today | N/A | <dname>, <process>, <object>, <quantity> |
Number Of Messages Deleted | N/A | <dname>, <process>, <quantity> |
Object Access Logs | N/A | <dname>, <login>, <account>, <domainorigin>, <session>, <process>, <object>, <tag1>, <tag4> |
Odd Number Of Elements | N/A | <severity>, <process>, <processid>, <object>, <domainorigin>, <subject> |
Operation Completed | N/A | <dname>, <session>, <process>, <object>, <tag1>, <tag2> |
Organizer : Shard Error | N/A | <severity>, <dname>, <dinterface>, <process>, <processid>, <object>, <objectname>, <command>, <subject> |
Packet Received | N/A | <severity>, <dname>, <process>, <sip>, <sport>, <subject>, <objectname> |
Packet Too Short Or Invalid While Reading Response | N/A | <severity>, <process>, <object> |
PAM Adding Faulty Module | N/A | <severity>, <process>, <object>, <sname> |
PAM LDAP Authentication Error | N/A | <process>, <login>, <group>, <domain>, <tag1> |
PAM Login | N/A | <severity>, <process>, <processid>, <subject>, <login>, <sip>, <sport> |
PAM Unable To Load Dynamic Library File | N/A | <severity>, <process>, <object>, <sname>, <command> |
Pam Unix Authentication | N/A | <severity>, <sip>, <sname>, <login>, <account>, <session>, <process>, <processid>, <object>, <tag1> |
PAM UNIX User Check Pass | N/A | <severity>, <process>, <processid>, <subject>, <login> |
PAM User Authentication | N/A | <severity>, <process>, <processid>, <tag1>, <login>, <account> |
Pam_Tally: No Such User | N/A | <login> |
PAM_Unix : General Messages | N/A | <sip>, <login>, <sessiontype>, <project>, <object>, <tag1>, <tag2> |
Password Daemon Message | N/A | <dname>, <tag1>, <process> |
Password Read Timed Out | N/A | <severity>, <dname>, <process>, <sinterface>, <tag1> |
Passwordless Authentication Message | N/A | <severity>, <process>, <object>, <command>, <processid>, <tag1>, <group>, <login>, <account>, <domain> |
Patt 5 : SMTP Session Messages | N/A | <processid>, <subject>, <sname>, <sip>, <sport>, <tag1>, <session>, <sender>, <recipient>, <protname>, <vendorinfo>, <dip>, <dport> |
Pattern 1 : General Messages | N/A | <vmid>, <sip>, <login>, <subject>, <tag1>, <tag2> |
Pattern 1 : PGP Backup Messages | N/A | <severity>, <dname>, <process>, <processid>, <tag2>, <tag3>, <object> |
Pattern 1 : Sendmail Mail To Messages | N/A | <vmid>, <dip>, <object>, <recipient>, <duration>, <quantity>, <tag1> |
Pattern 2 : General Messages 2 | N/A | <vmid>, <severity>, <tag1>, <tag2> |
Pattern 2 : PGP Datalayer Messages | N/A | <tag1>, <dname>, <process>, <tag2>, <object> |
Pattern 2 : Sendmail Notification | N/A | <process>, <object>, <vmid>, <tag3>, <hours>, <tag1>, <tag2>, <dname>, <domain> |
Pattern 3 : General Audit Events | N/A | <login>, <tag1> |
Pattern 3 : PGP Client Messages | N/A | <severity>, <dname>, <process>, <processid>, <sname>, <tag3>, <quantity>, <amount>, <tag5>, <account>, <login>, <tag4>, <sport>, <sip>, <object> |
Pattern 3 : SELinux Preventing Access To Object | N/A | <severity>, <dname>, <process>, <object>, <tag1>, <tag2> |
Pattern 4 : Failed Login | N/A | <sip>, <login>, <tag1> |
Pattern 4 : PGP Admin Messages | N/A | <severity>, <sip>, <sname>, <dname>, <sport>, <login>, <process>, <processid>, <object>, <tag1>, <tag2>, <tag3> |
Pattern 4 : Qmanager Messages | N/A | <severity>, <process>, <processid>, <session>, <tag1>, <sender>, <size> |
Pattern 5 : PGP Cluster Messages | N/A | <severity>, <sip>, <dname>, <sport>, <processid>, <process>, <object>, <quantity>, <packetsin>, <seconds>, <tag2>, <tag3> |
Pattern 5 : Solaris 10 Object Access | N/A | <vmid>, <sip>, <sname>, <login>, <session>, <object>, <tag1> |
Pattern 6 : Password Accepted | N/A | <severity>, <sip>, <dname>, <sport>, <login>, <sessiontype>, <process>, <processid>, <object>, <objectname>, <tag1>, <tag2> |
Pattern 6 : SMTP Connection Messages | N/A | <severity>, <process>, <processid>, <tag1>, <sname>, <sip> |
Pattern 7 : Authentication Failure | N/A | <severity>, <dname>, <process>, <processid>, <account>, <sip>, <sname>, <login>, <tag1> |
Pattern 8 : Public Key Authentication | N/A | <severity>, <process>, <processid>, <sip>, <sport>, <login>, <tag1>, <protname> |
Pattern 9 : Filesystem Mount | N/A | <dip>, <object>, <tag1>, <tag2> |
Pattern 10 : User Modifications | N/A | <account>, <object>, <group>, <tag1> |
Pattern 11 : General Information | N/A | <dip>, <tag1>, <tag2>, <tag3>, <quantity> |
Pattern 12 : User/Group Deleted | N/A | <group>, <account>, <tag1> |
Pattern 13 : General Linux Host Messages | N/A | <severity>, <dname>, <process>, <tag1>, <login>, <sname>, <account>, <object>, <processid>, <group>, <domain>, <sip>, <sport>, <domainorigin> |
Pattern 14 : SSH Connections | N/A | <vmid>, <login>, <session>, <sname>, <dname>, <object>, <reason>, <tag1>, <tag2>, <sip>, <dip>, <sport>, <dport>, <responsecode> |
Pattern 15 : Specific Errors And Warnings | N/A | <severity>, <login>, <object>, <subject>, <process>, <processid>, <protname>, <sender>, <quantity>, <recipient>, <tag3> |
Pattern 17 : Reset Information | N/A | <login>, <tag1> |
Pattern 17 : Various Linux Host Logs | N/A | <object>, <url>, <dname>, <tag1> |
Pattern 19 : Informational Messages | N/A | <severity>, <login>, <protname>, <sname>, <dname>, <object>, <subject>, <process>, <processid>, <tag3>, <tag2>, <sip>, <sport>, <tag4> |
Pattern 20 : Informational Messages 2 | N/A | <severity>, <dip>, <dname>, <process>, <processid>, <subject>, <object>, <command>, <amount>, <tag1>, <tag2> |
Pattern 21 : Su PAM Errors | N/A | <dname>, <tag1>, <tag2>, <object> |
Pattern 22 : CPU Message | N/A | <size>, <quantity>, <object>, <tag1>, <tag2> |
Pattern 23 : Crontab File Editing | N/A | <object>, <login>, <tag1> |
Pattern 24 : Informational Messages 2 | N/A | <dname>, <process>, <processid>, <object>, <tag1>, <tag2>, <tag3> |
Pattern 25 : VAS Daemon Messages | N/A | <process>, <object>, <tag1>, <tag2> |
Pattern 26 : PAM VAS Authentication Message | N/A | <login>, <account>, <process>, <object>, <group>, <tag1> |
Pattern 27 : Group Policy Message | N/A | <sname>, <dname>, <sport>, <object>, <tag1>, <tag2> |
Pattern 28 : Anacron Job Message | N/A | <severity>, <process>, <processid>, <quantity>, <duration>, <object>, <tag1>, <tag2> |
Pattern 29 : Automount Error | N/A | <process>, <object>, <tag1>, <tag2> |
Pattern 30 : Kernel Messages | N/A | <vmid>, <severity>, <process>, <processid>, <command>, <dip>, <dinterface>, <object>, <subject>, <tag1>, <tag2>, <sip> |
Pattern 31 : Secure Access Unit Messages | N/A | <severity>, <login>, <process>, <processid>, <object>, <sport>, <tag1>, <tag3>, <sip> |
Pattern Accepted Public Key Or Password | N/A | <vmid>, <sip>, <sport>, <login> |
Pattern FTP Session | N/A | <severity>, <sip>, <sname>, <dname>, <protname>, <login>, <process>, <processid>, <object>, <bytesout>, <rate>, <tag1>, <tag2> |
Pattern IMSYSMENU | N/A | <vmid> |
Pattern Linux : Session Events | N/A | <dname>, <process>, <processid>, <tag1>, <login>, <account> |
Pattern remshd | N/A | <vmid>, <object> |
Permission Denied | N/A | <dname>, <process>, <processid>, <command>, <subject> |
Permission Denied To Host | N/A | <severity>, <sip>, <process> |
PGP Tcpwrapper Messages | N/A | <severity>, <dname>, <process>, <processid>, <object>, <tag3>, <sip>, <sport>, <dip>, <dport> |
PGP Universal Group Daemon Information | N/A | <dname>, <process>, <object>, <tag1>, <tag2> |
PGP VKD Messages | N/A | <dname>, <process>, <tag2>, <object>, <tag3> |
Pickup Message | N/A | <severity>, <dname>, <process>, <processid>, <session>, <object>, <sender>, <subject>, <objectname> |
PlayBack Stream Failed Connection | N/A | <vmid>, <severity>, <sname>, <sport>, <account>, <session>, <processid>, <object>, <objectname>, <url>, <command>, <tag1> |
Pluto Process | N/A | <severity>, <dname>, <process>, <objectname>, <subject>, <sip>, <object> |
Pluto Process. | N/A | <severity>, <dname>, <tag1>, <object>, <dip>, <sip> |
Polkit Authorization Granted | N/A | <login>, <account>, <process>, <session>, <object> |
PortMapping And Firewall Config Messages | N/A | <subject>, <vmid>, <object>, <tag1>, <login>, <sip> |
PortMapping Messages | N/A | <vmid>, <sip>, <dip>, <login>, <subject>, <object>, <tag1>, <tag3> |
PortMappingConfig Messages | N/A | <vmid>, <sip>, <group>, <login>, <subject>, <object>, <tag1> |
Possible Break-In Attempt | N/A | <severity>, <process>, <sname>, <sip>, <tag1>, <threatname> |
Postfix Error Messages | N/A | <severity>, <dname>, <process>, <processid>, <command>, <tag1> |
Postfix Mail Operations | N/A | <severity>, <account>, <sinterface>, <dname>, <subject>, <process>, <processid>, <command>, <session>, <version>, <duration>, <action>, <recipient>, <tag1> |
Postfix/Local Messages | N/A | <severity>, <domain>, <process>, <processid>, <object> |
Postgres : Incomplete Startup Packet | N/A | <severity>, <process>, <processid>, <object> |
PostgreSQL Messages | N/A | <severity>, <dip>, <dname>, <login>, <session>, <process>, <processid>, <command>, <vmid>, <tag1> |
Process Information | N/A | <severity>, <dip>, <sip>, <protname>, <session>, <process>, <processid>, <object>, <objectname>, <command>, <tag1> |
Process Messages | N/A | <severity>, <dname>, <process>, <object>, <command>, <tag1>, <dport>, <objectname> |
Process Requests | N/A | <severity>, <process>, <processid>, <object>, <objectname>, <subject> |
Process Started | N/A | <severity>, <dname>, <process>, <processid>, <object> |
Processing Batch Log Messages | N/A | <severity>, <process>, <object>, <objectname>, <processid> |
Processing Log Messages | N/A | <severity>, <process>, <processid>, <object>, <subject> |
ProxyServices Messages | N/A | <severity>, <sip>, <dip>, <dport>, <protname>, <login>, <process>, <processid>, <subject>, <object>, <version>, <url>, <command>, <result>, <tag1> |
Pseudo Random Number Generator Daemon Message | N/A | <dname>, <process>, <tag1>, <login> |
Puppet Agent Command Executed Successfully | N/A | <dname>, <process>, <processid>, <command> |
Puppet Agent Errors | N/A | <severity>, <object>, <dname>, <process>, <processid>, <command>, <reason>, <tag1> |
Puppet Agent Warnings | N/A | <severity>, <object>, <dname>, <process>, <processid>, <command>, <tag1> |
Puppet Error Messages | N/A | <severity>, <sname>, <dname>, <subject>, <process>, <processid>, <command>, <session>, <duration>, <tag1>, <tag2> |
Puppet-Master : Not Sending Tagmail Report | N/A | <severity>, <process>, <processid> |
Puppet Master Version | N/A | <severity>, <process>, <processid>, <version> |
Puppet Process Executed Successfully | N/A | <severity>, <process>, <processid>, <object> |
Purging Old PDF Messenger Secure Reply Data | N/A | <dname>, <process>, <object> |
RAID Information | N/A | <tag1>, <severity>, <process>, <processid>, <tag2>, <command>, <tag3>, <vmid>, <subject> |
Received Request | N/A | <severity>, <sip>, <dname>, <object>, <objectname>, <tag1> |
Received Signal | N/A | <severity>, <dname>, <process>, <processid>, <object> |
Received SNMP Packets | N/A | <dip>, <sip>, <sport> |
Recipient Address Rejected | N/A | <vmid>, <object>, <recipient>, <dip>, <dname>, <protname>, <session>, <responsecode> |
Recommended Version Over Current Version | N/A | <severity>, <dname>, <process>, <processid>, <version>, <object> |
Reconnected To LDAP Server | N/A | <severity>, <process>, <processid>, <object> |
RedHat Network Checked For Updates And Actions | N/A | <process> |
Remote Connection | N/A | <vmid>, <sip>, <sname>, <protname>, <tag1> |
Replicator Process Online | N/A | <dname>, <process> |
Repository Update Error | N/A | <sip>, <object> |
Request Denied | N/A | <severity>, <sname>, <process>, <processid>, <command>, <objectname>, <result> |
Requirement Not Met By User | N/A | <severity>, <process>, <processid>, <login>, <object> |
Resource Group Manager Message | N/A | <severity>, <sname>, <dname>, <dip>, <process>, <processid>, <object>, <objectname>, <tag1>, <subject> |
Resource MIB | N/A | <severity>, <process>, <processid>, <object> |
Resources Temporarily Unavailable | N/A | <dip>, <dname>, <protname>, <session>, <responsecode> |
Restricted Shell Configuration | N/A | <object>, <group>, <tag1> |
RHSMD/SSSD Authentication Events | N/A | <sname>, <process>, <processid>, <subject> |
Robot Daemon Process Information | N/A | <severity>, <process>, <processid>, <tag1>, <command> |
Root Login | N/A | <object>, <login> |
Root Shell Command Messages | N/A | <severity>, <session>, <quantity>, <process>, <object>, <objectname>, <command>, <tag1>, <vmid> |
RouteConfig Messages | N/A | <subject>, <vmid>, <object>, <tag1>, <login>, <sip> |
RPC Bind Message | N/A | <dname>, <tag1>, <tag2>, <object> |
RSA Key Generated | N/A | <dname>, <process>, <login>, <domain>, <account>, <severity>, <object>, <processid>, <tag1> |
Rsyslog Process | N/A | <severity>, <version>, <process>, <processid>, <url>, <command>, <tag1> |
Rule2 | N/A | <tag1>, <tag2> |
Run-Parts Status Messages | N/A | <severity>, <object>, <objectname>, <dname>, <tag1> |
Script Run Status | N/A | <severity>, <object>, <command>, <process>, <session>, <tag1>, <dname> |
SCSI Subsystem Initialized | N/A | <object> |
Secrets/Key Information | N/A | <severity>, <processid>, <dname>, <parentprocessname>, <process>, <dip>, <sip>, <tag1>, <object>, <subject> |
Secure Reply Records Deleted | N/A | <dname>, <process>, <object>, <quantity> |
Secure Shell Message | N/A | <dname>, <process>, <processid>, <command>, <sip>, <sport>, <tag1>, <tag2>, <tag3>, <login>, <sname>, <subject> |
SEL Catch All : Level 2 | N/A | <subject>, <vmid>, <tag1>, <tag2> |
Selinux Mode | N/A | <severity>, <process>, <processid>, <object>, <command> |
Sender Non-Delivery Notification | N/A | <severity>, <process>, <processid>, <session>, <object>, <subject> |
Sendmail : Mail From | N/A | <processid>, <object>, <sender>, <protname>, <sname>, <sip>, <bytesin> |
Sendmail Administrator Info | N/A | <severity>, <process>, <processid>, <login>, <object> |
Sendmail Alias Information | N/A | <severity>, <process>, <processid>, <object>, <login>, <quantity>, <size>, <amount> |
Sendmail Forward | N/A | <severity>, <subject>, <process>, <processid>, <object>, <objectname> |
Sendmail Operations | N/A | <severity>, <sip>, <sname>, <dname>, <session>, <subject>, <process>, <processid>, <command>, <object>, <objectname>, <amount>, <version>, <quantity>, <duration>, <tag1>, <tag2> |
Sendmail Process | N/A | <severity>, <process>, <processid>, <objectname>, <object>, <sender>, <dname>, <dip>, <subject> |
SerialConfig Messages | N/A | <subject>, <vmid>, <object>, <tag1>, <login>, <sip> |
SerialPortProfile Messages | N/A | <subject>, <vmid>, <object>, <tag1>, <login>, <sip> |
Server Not Responding | N/A | <dip> |
Service Name Information | N/A | <object>, <tag1> |
Service Not Discoverable via DNS | N/A | <severity>, <parentprocessname>, <parentprocessid>, <process>, <reason> |
Session Activity | N/A | <severity>, <sessiontype>, <login>, <process>, <processid>, <object>, <tag1>, <tag2> |
Session State Changed | N/A | <dname>, <process>, <processid>, <login>, <tag1> |
Set User Identity | N/A | <dname>, <tag1>, <session>, <login>, <domainorigin>, <account> |
Shell Access | N/A | <severity>, <dname>, <login>, <account>, <process>, <processid>, <tag1> |
SmokePing Network Latency Messages | N/A | <dname>, <process>, <object>, <duration>, <tag1>, <tag2> |
SMTP & RPC Failure Warning | N/A | <severity>, <dname>, <process>, <processid>, <subject>, <tag1>, <responsecode> |
Snapshot Bash Activity | N/A | <severity>, <dname>, <sname>, <dip>, <dport>, <object>, <subject>, <tag1> |
SNMP Informational Messages | N/A | <tag1>, <process>, <tag2>, <sip>, <protname>, <sport> |
SNMPD Error Message | N/A | <severity>, <vmid>, <bytesin>, <bytesout>, <subject> |
SNMPD Operational Messages | N/A | <severity>, <sip>, <dip>, <dname>, <sport>, <protname>, <process>, <processid>, <subject>, <command>, <tag1>, <tag2> |
SNMPD Response | N/A | <severity>, <process>, <processid>, <object> |
Software Status Messages | N/A | <severity>, <sname>, <process>, <processid>, <tag1>, <action>, <object> |
SQueue Empty | N/A | <severity>, <dname>, <process>, <processid>, <object>, <objectname> |
SSH Authentication | N/A | <protname>, <tag1>, <login>, <sip>, <sport> |
SSH Authentication Failure | N/A | <sname>, <login> |
SSH Login Audit | N/A | <severity>, <dip>, <dport>, <login>, <process>, <processid>, <object>, <objectname>, <version>, <bytesin>, <bytesout>, <duration>, <tag1> |
SSH Reverse Lookup Error | N/A | <sip>, <sname>, <process>, <object> |
SSH Server Messages | N/A | <vmid>, <login>, <session>, <sname>, <dname>, <object>, <reason>, <tag1>, <tag2>, <sip>, <dip>, <sport>, <dport>, <responsecode> |
SSH Session | N/A | <login>, <tag1> |
SSHD Account Authorized | N/A | <severity>, <process>, <processid>, <login>, <account>, <object> |
SSHD Connection | N/A | <severity>, <dname>, <process>, <processid>, <tag1>, <sip>, <sport>, <login> |
SSHD ID String Not Received | N/A | <severity>, <dname>, <process>, <sname>, <subject>, <sip> |
SSHD Messages | N/A | <severity>, <dname>, <sname>, <sip>, <dip>, <sport>, <dport>, <protname>, <login>, <session>, <process>, <processid>, <object>, <subject>, <command>, <tag1>, <tag2> |
SSHD Startup Failure | N/A | <process>, <sport>, <sip> |
SSHD Terminated | N/A | <process>, <tag1> |
SSL Connect Return Message | N/A | <severity>, <process>, <processid>, <protname>, <tag1> |
Stale PDF Messenger Secure Reply Data Purged | N/A | <dname>, <process>, <object> |
Starting Agent | N/A | <severity>, <dname>, <process>, <object>, <subject>, <serialnumber> |
Starting Scan | N/A | <dname>, <process>, <sip>, <sport> |
Startup Completed | N/A | <severity>, <process>, <processid>, <object>, <objectname> |
SU Command Completed | N/A | <sip>, <dname>, <account>, <tag1>, <login>, <object> |
SU Command Completed2 | N/A | <severity>, <sname>, <tag1>, <result>, <login>, <object>, <account> |
Su Session Opened/Closed | N/A | <severity>, <dname>, <login>, <account>, <process>, <parentprocessname>, <parentprocessid>, <object>, <subject>, <tag1> |
Su Successful | N/A | <login>, <account>, <process> |
Su User Allowed | N/A | <account>, <session>, <process> |
Sudo General Messages | N/A | <severity>, <dname>, <login>, <account>, <session>, <process>, <object>, <command>, <amount>, <tag2> |
Sudo Message | N/A | <sname>, <dname>, <account>, <login>, <object>, <tag1>, <tag2> |
Sudo Messages | N/A | <tag1>, <login>, <account>, <object> |
Sudo PAM Errors | N/A | <severity>, <dname>, <subject>, <process>, <processid>, <command>, <object>, <tag1> |
Switch User | N/A | <login>, <account>, <tag1>, <tag2> |
Switch User Command | N/A | <login>, <dname>, <account>, <object>, <sip>, <tag3> |
Syslog Binding Error | N/A | <vmid>, <sip>, <sport>, <dip>, <protname> |
Syslog Connection | N/A | <severity>, <dname>, <dip>, <dport>, <process>, <processid>, <tag1> |
Syslog Message | N/A | <dname>, <tag1> |
Syslog-Ng Error | N/A | <severity>, <process>, <processid>, <subject>, <tag1>, <quantity>, <object> |
Syslogd Invalid Sendto | N/A | <process> |
Syslogd Restarted | N/A | <process> |
Sysmon Messages | N/A | <object>, <tag1>, <tag2> |
System Initialized Improperly | N/A | <dname>, <process>, <object> |
System Statistics | N/A | <process>, <object>, <rate>, <quantity> |
System Time Out Of Sync | N/A | <vmid>, <severity>, <sname>, <dname>, <domainorigin>, <tag1>, <process> |
Systemd Messages | N/A | <severity>, <parentprocessname>, <dname>, <process>, <subject>, <tag2>, <tag1>, <login>, <result> |
Tape Status Information | N/A | <object>, <tag1> |
Telnet Connection | N/A | <severity>, <subject>, <dname>, <sname>, <process>, <processid>, <sip>, <sipv6e>, <sinterface> |
TextImport Log Messages | N/A | <severity>, <process>, <object>, <size>, <processid>, <subject> |
TGT Verified | N/A | <severity>, <process>, <processid> |
TGT Verified Using Key | N/A | <severity>, <process>, <processid>, <dname>, <account> |
THTTPD Statistics | N/A | <severity>, <dname>, <process>, <object>, <quantity>, <amount>, <bytes>, <size> |
Timeout Before Authentication | N/A | <severity>, <sip>, <process>, <object>, <subject> |
TLS Connection Established | N/A | <dname>, <process>, <dip>, <object> |
Traceback Error | N/A | <severity>, <object> |
Traffic Log | N/A | <severity>, <dname>, <sip>, <dip>, <command>, <object>, <protname>, <vmid>, <responsecode>, <bytesin> |
Trap Divide Error | N/A | <severity>, <process>, <processid>, <object> |
Trying Mount Of Filesystem | N/A | <dip>, <object>, <tag1> |
UDP Connection | N/A | <severity>, <dname>, <sip>, <sport>, <protname>, <process>, <processid> |
Unable To Establish Cred For ID | N/A | <vmid>, <severity>, <sname>, <dname>, <login>, <account>, <domainorigin>, <process>, <object> |
Unable To Open Log File | N/A | <severity>, <dname>, <process>, <processid>, <object>, <tag1> |
Unable To Resolve User's Primary GID | N/A | <severity>, <process>, <object>, <command> |
Undefined Symbol | N/A | <severity>, <sname>, <process>, <object>, <command> |
Unicorn Rails Worker | N/A | <dname>, <process>, <processid>, <command>, <object>, <objectname> |
Unix_Chkpwd Authentication | N/A | <login>, <process> |
Unknown Host | N/A | <dname> |
Unknown Host | N/A | <sip>, <process>, <dname>, <tag1>, <tag2> |
Unlocked System Accounts | N/A | <severity>, <process>, <processid>, <object>, <objectname> |
Untrusted Certificate Rejected | N/A | <dname>, <protname>, <process>, <object>, <threatname> |
Up To Date | N/A | <severity>, <dname>, <process>, <processid>, <version>, <object>, <login> |
USB Hub Messages | N/A | <severity>, <dinterface>, <dname>, <process>, <processid>, <command>, <amount>, <tag1> |
User Added To Group | N/A | <severity>, <process>, <processid>, <group>, <account>, <object> |
User State Change | N/A | <severity>, <dname>, <tag1>, <command> |
UserConfig Messages | N/A | <subject>, <vmid>, <tag2>, <account>, <group>, <tag1>, <login>, <sip> |
Userhelper And Shutdown | N/A | <login>, <tag1> |
Userhelper Messages | N/A | <login>, <account>, <session>, <process>, <processid>, <object> |
Usermod Messages | N/A | <login>, <tag1>, <tag2>, <tag3> |
Usermod Messages: | N/A | <process>, <account>, <tag1>, <tag2> |
Using Cached Catalog | N/A | <severity>, <process>, <processid>, <object> |
Using NFS Version | N/A | <tag1>, <protname>, <dname> |
Validating Messages | N/A | <severity>, <process>, <processid>, <object>, <domainorigin>, <subject> |
Variable Access Deprecated | N/A | <severity>, <process>, <processid>, <object>, <objectname> |
VASD Daemon State Information | N/A | <severity>, <subject>, <duration>, <process>, <processid>, <object>, <objectname>, <command>, <tag1> |
VCS Clean Completed Successfully | N/A | <severity>, <session>, <process>, <object> |
VCS CPU Usage Critical | N/A | <severity>, <sname>, <process>, <object>, <rate> |
VitalQIP Information | N/A | <sip>, <dip>, <dport>, <process>, <dname>, <object>, <tag1> |
VMUnix Critical Messages | N/A | <process>, <object>, <tag1> |
VMUNIX Memory Error | N/A | <severity>, <process>, <object> |
Waiting Certificate Request | N/A | <severity>, <process>, <processid>, <object> |
WBS Reply Messages | N/A | <severity>, <process>, <processid>, <object>, <objectname>, <subject> |
Web Login | N/A | <login> |
Will Not Restore File | N/A | <severity>, <dname>, <process>, <object> |
Winbind Daemon : Exceeding Client Connection Limit | N/A | <severity>, <process>, <processid>, <quantity>, <objectname> |
Winbind Daemon : Socket Accept Failure | N/A | <severity>, <process>, <processid>, <command>, <subject> |
Winbind Daemon : Unable To Open New Log File | N/A | <severity>, <process>, <processid>, <object>, <subject> |
Winbind: Denied Access | N/A | <severity>, <login>, <session>, <process>, <processid>, <object>, <command>, <subject> |
Winbindd Process Information | N/A | <severity>, <dname>, <process>, <processid>, <object>, <command> |
X.509Config Messages | N/A | <subject>, <vmid>, <object>, <tag1>, <login>, <sip> |
Optimize Linux Host Processing
The sheer number of parent rules in the Linux Host log source can cause processing issues when incoming logs match nothing above the Catch-All level rules: a log that reaches a Catch-All rule has already been compared against every enabled parent rule before it, so rules that never match are pure overhead. This section details how to build a trimmed Linux Host log processing policy when performance is poor and the MPE has become a performance constraint.
Prerequisites
- The lps_detail.log file from each affected Data Processor. By default, this log is located at C:\Program Files\LogRhythm\LogRhythm Mediator Server\logs.
Step 1: Find Non-Matching Parent Rules
Open the lps_detail.log file and locate the target MPE policy.
The most important columns are Total Compares, Attempts, and % Match. A parent rule that is not matching shows 0.00% in the % Match column; every compare spent on such a rule is wasted MPE work. Refer to the screenshot below as an example.
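As an added example (not LogRhythm code), the following Python script performs the Step 1 triage on a constructed lps_detail.log excerpt: it filters to the target policy, separates parent rules showing 0.00% Match from those that match, keeps every Catch All rule, and reports how much of the MPE's compare work went to rules that never matched. The tab-separated, header-row layout, the Policy and Parent Rule Name column names, and the excerpt itself are assumptions; only the Total Compares, Attempts, and % Match column names come from this page.

```python
"""Triage an lps_detail.log excerpt to find MPE parent rules that never match.

Added example for this page; it is not LogRhythm code. The page names the
Total Compares, Attempts and % Match columns but not the file layout, so the
tab-separated, header-row format below is an assumption and the excerpt is
constructed. Adjust parse_lps_detail() if the real file differs.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample (assumed layout), not a real lps_detail.log.
SAMPLE_LPS_DETAIL = """\
Policy\tParent Rule Name\tTotal Compares\tAttempts\t% Match
LogRhythm Default\tPattern 8 : Public Key Authentication\t125000\t125000\t38.40%
LogRhythm Default\tSSHD Messages\t77000\t77000\t21.10%
LogRhythm Default\tPattern 4 : PGP Admin Messages\t60600\t60600\t0.00%
LogRhythm Default\tVitalQIP Information\t60600\t60600\t0.00%
LogRhythm Default\tCatch All: Level 1\t24900\t24900\t100.00%
Linux Host - Tuned\tSSHD Messages\t900\t900\t95.00%
"""


@dataclass(frozen=True)
class RuleStats:
    policy: str
    parent_rule: str
    total_compares: int
    attempts: int
    match_pct: float


def parse_lps_detail(text, policy=None):
    """Parse the excerpt; keep only rows of `policy` when one is given."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    rows = []
    for row in reader:
        if policy is not None and row["Policy"] != policy:
            continue
        rows.append(RuleStats(
            policy=row["Policy"],
            parent_rule=row["Parent Rule Name"].strip(),
            total_compares=int(row["Total Compares"]),
            attempts=int(row["Attempts"]),
            match_pct=float(row["% Match"].rstrip("%")),
        ))
    return rows


def is_catch_all(rule_name):
    # Step 3 keeps every "Catch All:" rule regardless of its match rate,
    # because they are what stops an otherwise unmatched log from being lost.
    return "catch all" in rule_name.lower()


def non_matching_rules(stats):
    """Parent rules showing 0.00% Match: candidates to leave disabled."""
    return [s.parent_rule for s in stats
            if s.match_pct == 0.0 and not is_catch_all(s.parent_rule)]


def rules_to_enable(stats):
    """Parent rules to enable in the cloned policy: matching ones plus Catch All."""
    return [s.parent_rule for s in stats
            if s.match_pct > 0.0 or is_catch_all(s.parent_rule)]


def wasted_compare_fraction(stats):
    """Share of regex compares spent on rules that never matched.

    This is the MPE cost the page warns about: every compare against a
    non-matching parent rule is work done before the log reaches a rule
    that can actually parse it.
    """
    total = sum(s.total_compares for s in stats)
    if total == 0:
        return 0.0
    wasted = sum(s.total_compares for s in stats
                 if s.match_pct == 0.0 and not is_catch_all(s.parent_rule))
    return wasted / total


if __name__ == "__main__":
    stats = parse_lps_detail(SAMPLE_LPS_DETAIL, policy="LogRhythm Default")
    print("Enable:", rules_to_enable(stats))
    print("Leave disabled:", non_matching_rules(stats))
    print(f"Wasted compares: {wasted_compare_fraction(stats):.1%}")
```

To run it against a real export, replace SAMPLE_LPS_DETAIL with the file contents once the column names are adjusted to what the Data Processor actually writes; the rules_to_enable() list is the set of parent rule names to paste, one at a time, into the Parent Rule Name filter in Step 3.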
Step 2: Clone the Existing MPE Policy
From the LogRhythm Client Console:
- On the main toolbar, click Deployment Manager.
- Click the Log Processing Policies tab.
- Right-click within the grid and select New.
- Search for the target log source type (e.g., Syslog - Linux Host), and then click OK.
The MPE Policy Editor window appears.
Step 3: Create the New Policy with Only Matching Rules
The lps_detail.log file is referenced frequently during this step.
From the MPE Policy Editor window:
- Enter a new, unique policy name.
- Paste a parent rule name from the lps_detail.log file into the Parent Rule Name column filter as shown below:
This filters the list to show all sub-rules within that parent rule. Ensure that only the chosen parent rule displays in the Parent Rule Name column.
- Right-click and select Check All Displayed.
- Right-click and select Properties.
- Click Enable.
All sub-rules are now checked in the Enabled column.
- Repeat the paste, Check All Displayed, Properties, and Enable steps above for every parent rule that is matching (a % Match value above 0.00%).
- Once all matching parent rules are enabled, repeat the same steps for all Catch-All level rules by searching for "Catch All:" in the Parent Rule Name filter. The Catch-All rules must stay enabled so that a log matching no other rule is still collected rather than lost.
- Once complete, click OK.
Step 4: Apply the New Processing Policy to all Syslog - Linux Host Log Sources
From the LogRhythm Client Console:
- On the main toolbar, click Deployment Manager.
- Click the Log Sources tab.
- Filter the lower grid so that all Syslog - Linux Host log sources display.
- Right-click in the lower grid and select Uncheck All, then right-click again and select Check All Displayed.
- Right-click in the lower grid and select Actions, and then Edit Properties.
The Log Message Source Properties window appears.
- Change the Log Message Processing Engine (MPE) Policy to the log processing policy created in Step 3 above.
Allow Changes to Take Effect
Once the steps above are completed, the Data Processor applies the change in its next cycle; a restart of the Mediator service is not typically required.
To confirm that the updated policy is in place, review the updated lps_detail.log file and check that the custom policy is listed with its own performance figures.
If the lps_detail.log file does not reflect the new policy after about five minutes, restart the Mediator service manually.
Because the new policy enables only the rules that were matching when lps_detail.log was captured, a log type that appears later (a new application or host) falls to the Catch-All rules and is stored with minimal parsing; re-check lps_detail.log after such changes and enable the newly matching parent rules.
Revision History
KB Version | Log Type | Change Type | Details |
---|---|---|---|
KB 7.1.577.0 | N/A | Device Documentation | N/A |