Syslog Zscaler Nano - V 2.0 DNS Log Events
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
V 2.0 DNS Log Events | Base Rule | General DNS Information | Information |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
datetimeA41:A54B10A41:A52A4A41:A49 | N/A | N/A | Time and date of the transaction. This excludes the time zone. |
user | <login>, <domainorigin> | Text/String | User's login name in email address format. |
dept | N/A | N/A | Department of the user. |
location | N/A | N/A | Gateway location or sublocation of the source. |
reqaction | <action> | Text/String | Name of the action that was applied to the DNS request. |
resaction | N/A | N/A | Name of the action that was applied to the DNS response. |
reqrulelabel | <policy> | Text/String | Name of the rule that was applied to the DNS request. |
resrulelabel | N/A | N/A | Name of the rule that was applied to the DNS response. |
dns_reqtype | N/A | N/A | N/A |
dns_req | <url> | Text/String | N/A |
dns_resp | N/A | N/A | N/A |
srv_dport | <dport> | Number | N/A |
durationms | <milliseconds> | Number | Duration of the DNS request in milliseconds. |
clt_sip | <sip> | IP Address | Server IP address of the request. |
srv_dip | <dip> | IP Address | The IP address of the user. This can be the internal IP address if it is visible; for example, traffic sent through a GRE tunnel or an internal IP address indicated using XFF. Otherwise, it's the client Internet (NATted Public) IP address. |
category | <subject> | Text/String | URL Category of the FQDN in the DNS request. |
deviceowner | N/A | N/A | Device owner |
devicehostname | <dname> | Text/String | Device host name |