Syslog Zscaler Nano - V 2.0 Firewall Log Events
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
V 2.0 Firewall Log Events | Base Rule | General Firewall Log | Network Traffic |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
datetime | N/A | N/A | Time and date of the transaction. This excludes the time zone. |
user | <login>, | Text/String | User's login name in email address format. |
department | N/A | N/A | Department of the user. |
locationname | N/A | N/A | Location name. |
cdport | <dport> | Number | Client destination port. For aggregated sessions, this is the client destination port of the last session in the aggregate. |
csport | <sport> | Number | Client source port. For aggregated sessions, this is the client source port of the last session in the aggregate. |
sdport | N/A | N/A | Server destination port. For aggregated sessions, this is the server destination IP address of the last session in the aggregate. |
ssport | N/A | N/A | Server source port. For aggregated sessions, this is the server source port of the last session in the aggregate. |
csip | <sip> | IP Address | Client source IP address. For aggregated sessions, this is the client source IP address of the last session in the aggregate. |
cdip | <dip> | IP Address | Client destination IP address. For aggregated sessions, this is the client destination IP address of the last session in the aggregate. |
ssip | N/A | N/A | Server source IP address. For aggregated sessions, this is the server source IP address of the last session in the aggregate. |
sdip | N/A | N/A | Server's destination IP. |
tsip | N/A | N/A | Tunnel IP address of the client (source). For aggregated sessions, this is the client's tunnel IP address corresponding to the last session in the aggregate. |
tunsport | N/A | N/A | N/A |
tuntype | N/A | N/A | N/A |
action | <action> | Text/String | Action that the service took on the transaction: Allowed or Blocked |
dnat | N/A | N/A | Indicates if the destination NAT policy was applied. |
stateful | N/A | N/A | N/A |
aggregate | N/A | N/A | N/A |
nwsvc | <object> | Text/String | The network service that was used. |
nwapp | N/A | N/A | The network application that was accessed. |
proto | <protname> | Text/String | Protocol in use. |
ipcat | <subject> | Text/String | URL category that corresponds to the server IP address. |
destcountry | N/A | N/A | Abbreviated code of the country of the destination IP address |
avgduration | N/A | N/A | Average session duration, in milliseconds, if the sessions were aggregated. |
rulelabel | N/A | N/A | Name of the the rule that was applied to the transaction. |
inbytes | <bytesin> | Number | Number of bytes sent from the server to the client. |
outbytes | <bytesout> | Number | Number of bytes sent from the client to the server. |
duration | N/A | N/A | Session or request duration in seconds. |
durationms | <milliseconds> | Number | Session or request duration in milliseconds. |
numsessions | <quantity> | Number | Number of sessions that were aggregated. |
ipsrulelabel | <policy> | Text/String | Name of the IPS policy that was applied to the Firewall session. |
threatcat | N/A | N/A | Category of the threat in the Firewall session by the IPS engine. |
threatname | <threatname> | Text/String | Name of the threat detected in the Firewall session by the IPS engine. |