Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| product | <vmid> | <vmid> |
| action | <action> | <action> |
| sip | <sip> | <sip> |
| sport | <sport> | <sport> |
| dip | <dip> | <dip> |
| dport | <dport> | <dport> |
| protocol | <protnum> | <protnum> |
| ifname | <sinterface> | <sinterface> |
| reason | <reason> | <reason> |
| XlateSIP | <snatip> | <snatip> |
| XlateSport | <snatport> | <snatport> |
| XlateDIP | <dnatip> | <dnatip> |
| XlateDPort | <dnatport> | <dnatport> |
| User | <login> | <login> |
| url | <url> | <url> |
| severity | <severity> | <severity> |
| to | <recipient> | <recipient> |
| from | <sender> | <sender> |
| Protection_name | <threatname> | <threatname> |
| Email_Subject | <subject> | <subject> |
| file_md5 | <hash> | <hash> |
| file_name | <object> | <object> |
| file_type | <objecttype> | <objecttype> |
| file_size | <size> | <size> |
| policy | <policy> | N/A |
| __policy_id_tag | N/A | <policy> |
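As an added example (not code from the LogRhythm documentation or from LogRhythm itself), the Python below applies the field map in the table above to a constructed Threat Extraction log line under each policy. It makes the one behavioural difference visible: LogRhythm Default fills <policy> from the raw `policy` field, while LogRhythm Default v2.0 stops parsing `policy` and fills <policy> from `__policy_id_tag` instead, so a log source that emits only `policy` leaves <policy> empty after the upgrade. The key="value" line syntax, every value in the sample line and the bracketed shape of `__policy_id_tag` are assumptions made for the demo, not a captured log.

```python
"""Map Check Point Threat Extraction log fields to LogRhythm metadata fields
under the LogRhythm Default and LogRhythm Default v2.0 policies.

The field map is taken from the page's table; the key="value" syntax, the
sample line and the shape of __policy_id_tag are constructed assumptions.
"""
import re
from typing import Dict, List

# Check Point field -> LogRhythm metadata field, identical in both policies.
COMMON_FIELDS: Dict[str, str] = {
    "product": "vmid",
    "action": "action",
    "sip": "sip",
    "sport": "sport",
    "dip": "dip",
    "dport": "dport",
    "protocol": "protnum",
    "ifname": "sinterface",
    "reason": "reason",
    "XlateSIP": "snatip",
    "XlateSport": "snatport",
    "XlateDIP": "dnatip",
    "XlateDPort": "dnatport",
    "User": "login",
    "url": "url",
    "severity": "severity",
    "to": "recipient",
    "from": "sender",
    "Protection_name": "threatname",
    "Email_Subject": "subject",
    "file_md5": "hash",
    "file_name": "object",
    "file_type": "objecttype",
    "file_size": "size",
}

# The one field whose source differs between the two policies.
POLICY_SPECIFIC: Dict[str, Dict[str, str]] = {
    "LogRhythm Default": {"policy": "policy"},
    "LogRhythm Default v2.0": {"__policy_id_tag": "policy"},
}

# key="value" pairs (assumed syntax); a quoted value may contain spaces,
# '=' and ';', which matters for __policy_id_tag.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_kv(line: str) -> Dict[str, str]:
    """Split one log line into its raw Check Point fields."""
    return {m.group(1): m.group(2) for m in KV_RE.finditer(line)}


def normalize(line: str, policy: str = "LogRhythm Default v2.0") -> Dict[str, str]:
    """Return the LogRhythm metadata fields the given policy populates from the line."""
    if policy not in POLICY_SPECIFIC:
        raise ValueError(f"unknown policy: {policy}")
    field_map = {**COMMON_FIELDS, **POLICY_SPECIFIC[policy]}
    raw = parse_kv(line)
    return {dst: raw[src] for src, dst in field_map.items() if src in raw}


def unparsed(line: str, policy: str = "LogRhythm Default v2.0") -> List[str]:
    """Raw fields present in the line that the policy maps to no metadata field.

    Run this over real logs before switching policies to see what data drops out.
    """
    field_map = {**COMMON_FIELDS, **POLICY_SPECIFIC[policy]}
    return sorted(k for k in parse_kv(line) if k not in field_map)


# Constructed sample line (not a real capture). The __policy_id_tag value
# imitates a bracketed product/mgmt/policy_name tag, an assumption for the demo.
SAMPLE = (
    'product="Threat Extraction" action="Extract" sip="10.0.0.5" sport="49152" '
    'dip="203.0.113.10" dport="25" protocol="6" ifname="eth0" '
    'reason="Active content found" XlateSIP="198.51.100.1" XlateSport="1025" '
    'XlateDIP="203.0.113.10" XlateDPort="25" User="alice" severity="3" '
    'to="bob@example.com" from="alice@example.net" '
    'Protection_name="Extract potentially malicious content" '
    'Email_Subject="Invoice" file_md5="d41d8cd98f00b204e9800998ecf8427e" '
    'file_name="invoice.pdf" file_type="pdf" file_size="1024" '
    'policy="Standard" '
    '__policy_id_tag="product=VPN-1 & FireWall-1[db_tag={0000};mgmt=cpmgmt;policy_name=Standard]"'
)

if __name__ == "__main__":
    for pol in POLICY_SPECIFIC:
        fields = normalize(SAMPLE, pol)
        print(f"{pol}: policy={fields.get('policy')!r}; unparsed={unparsed(SAMPLE, pol)}")
```

Running the block prints, for each policy, what <policy> receives and which raw fields are left unparsed: under Default the `__policy_id_tag` field is dropped, under v2.0 the `policy` field is. Swap `SAMPLE` for lines from your own collector to check the same thing against real output.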
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default:

| Rule ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1012144 | Threat Extraction Events | Base Rule | General Threat Message | Activity |

LogRhythm Default v2.0:

| Rule ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1012199 | V 2.0 : Threat Extraction Events | Base Rule | General Threat Message | Activity |