V 2.0 Configuration Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 Configuration Messages | Base Rule | Configuration Modified : System | Configuration |
V 2.0 Configuration Apply Failure | Sub Rule | Failed Configuration | Warning |
V 2.0 Unauthorized Configuration Change Attempt | Sub Rule | Failed Configuration | Other Audit Failure |
V 2.0 Configuration Item Deleted | Sub Rule | Configuration Deleted : System | Configuration |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Type (type) | <vmid> | Text/String | Specifies the type of log; value is CONFIG. |
Threat/Content Type (subtype) | <vendorinfo> | Number | Subtype of the configuration log; unused for CONFIG logs. |
Host (host) | <sip> | IP Address | Hostname or IP address of the client machine from which the administrator connected. |
Command (cmd) | <command> <tag1> | Text/String | Command performed by the administrator; values are add, clone, commit, delete, edit, move, rename, set. |
Admin (admin) | <login> | Text/String | Username of the administrator performing the configuration change. |
Client (client) | <sessiontype> | Text/String | Client used by the administrator; values are Web and CLI. |
Result (result) | <result> <tag2> | Text/String | Result of the configuration action; values are Submitted, Succeeded, Failed, and Unauthorized. |
Configuration Path (path) | <object> | Text/String | The path of the configuration command issued; up to 512 bytes in length. |
Device Name (device_name) | <objectname> | Text/String | The hostname of the firewall on which the session was logged. |
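The two tables above describe a parse-then-classify pipeline: the device keys are mapped onto LogRhythm schema fields, and the sub rules key off the Result (Failed, Unauthorized) and Command (delete) values. The following Python is an added example that is not part of this documentation or of LogRhythm's rule engine; it applies the mapping and rule selection to a few constructed CSV log bodies. The CSV field order in FIELDS is an assumption modelled loosely on the PAN-OS CONFIG layout and must be verified against the vendor field list for the PAN-OS version in use; the rule precedence (result checked before command, so a failed or unauthorized delete is reported as a failure) is also an assumption of this example, since the page does not state it.

```python
import csv
import io
from dataclasses import dataclass

# Constructed field order for this example (assumption, loosely modelled on the
# PAN-OS CONFIG CSV layout). Verify against the vendor field list before reuse.
FIELDS = [
    "future_use", "receive_time", "serial", "type", "subtype", "future_use_2",
    "generated_time", "host", "vsys", "cmd", "admin", "client", "result",
    "path", "device_name",
]

# Device key -> LogRhythm schema field, as in the mapping table.
SCHEMA_MAP = {
    "type": "vmid", "subtype": "vendorinfo", "host": "sip", "cmd": "command",
    "admin": "login", "client": "sessiontype", "result": "result",
    "path": "object", "device_name": "objectname",
}

# Enumerations documented in the mapping table; anything else usually means
# the field order is wrong and the parser is reading the wrong column.
VALID_CMDS = {"add", "clone", "commit", "delete", "edit", "move", "rename", "set"}
VALID_RESULTS = {"Submitted", "Succeeded", "Failed", "Unauthorized"}
MAX_PATH_BYTES = 512


@dataclass(frozen=True)
class Rule:
    rule_name: str
    rule_type: str
    common_event: str
    classification: str


BASE = Rule("V 2.0 Configuration Messages", "Base Rule",
            "Configuration Modified : System", "Configuration")
APPLY_FAILURE = Rule("V 2.0 Configuration Apply Failure", "Sub Rule",
                     "Failed Configuration", "Warning")
UNAUTHORIZED = Rule("V 2.0 Unauthorized Configuration Change Attempt", "Sub Rule",
                    "Failed Configuration", "Other Audit Failure")
DELETED = Rule("V 2.0 Configuration Item Deleted", "Sub Rule",
               "Configuration Deleted : System", "Configuration")


def parse_config_log(line: str) -> dict:
    """Split one CSV body (syslog header already removed) and map it onto
    LogRhythm schema fields. Raises ValueError for anything that is not a
    well-formed CONFIG record so misaligned parsing is noticed, not silently
    classified as a plain configuration change."""
    row = next(csv.reader(io.StringIO(line)))
    if len(row) < len(FIELDS):
        raise ValueError(f"expected at least {len(FIELDS)} fields, got {len(row)}")
    rec = dict(zip(FIELDS, row))
    if rec["type"] != "CONFIG":
        raise ValueError(f"not a CONFIG log: type={rec['type']!r}")
    if rec["cmd"] not in VALID_CMDS:
        raise ValueError(f"unexpected cmd {rec['cmd']!r}; check the field order")
    if rec["result"] not in VALID_RESULTS:
        raise ValueError(f"unexpected result {rec['result']!r}; check the field order")
    if len(rec["path"].encode("utf-8")) > MAX_PATH_BYTES:
        raise ValueError("path exceeds the documented 512-byte limit")
    mapped = {SCHEMA_MAP[key]: rec[key] for key in SCHEMA_MAP}
    mapped["tag1"] = rec["cmd"]      # cmd is written to both <command> and <tag1>
    mapped["tag2"] = rec["result"]   # result is written to both <result> and <tag2>
    return mapped


def classify(mapped: dict) -> Rule:
    """Select the sub rule for a mapped record, else the base rule.
    Precedence (result before command) is an assumption of this example."""
    if mapped["result"] == "Unauthorized":
        return UNAUTHORIZED
    if mapped["result"] == "Failed":
        return APPLY_FAILURE
    if mapped["command"] == "delete":
        return DELETED
    return BASE


# Constructed sample CSV bodies (not real firewall output).
SAMPLE_LOGS = [
    '1,2024/01/15 10:02:11,001234567890,CONFIG,0,0,2024/01/15 10:02:11,192.0.2.10,'
    'vsys1,set,netadmin,Web,Succeeded,"vsys vsys1 rulebase security rules allow-web",PA-EDGE-01',
    '1,2024/01/15 10:05:40,001234567890,CONFIG,0,0,2024/01/15 10:05:40,192.0.2.10,'
    'vsys1,commit,netadmin,CLI,Failed,"",PA-EDGE-01',
    '1,2024/01/15 10:07:02,001234567890,CONFIG,0,0,2024/01/15 10:07:02,198.51.100.7,'
    'vsys1,set,readonly,Web,Unauthorized,"deviceconfig system",PA-EDGE-01',
    '1,2024/01/15 10:09:55,001234567890,CONFIG,0,0,2024/01/15 10:09:55,192.0.2.10,'
    'vsys1,delete,netadmin,CLI,Succeeded,"vsys vsys1 rulebase security rules legacy-ftp",PA-EDGE-01',
]


def classify_samples() -> list:
    """Return (login, command, result, rule_name) for each sample line."""
    out = []
    for line in SAMPLE_LOGS:
        mapped = parse_config_log(line)
        out.append((mapped["login"], mapped["command"], mapped["result"],
                    classify(mapped).rule_name))
    return out


if __name__ == "__main__":
    for row in classify_samples():
        print(row)
```

The strict checks on cmd and result are the practical point: if a vendor firmware update shifts a column, a CONFIG record would otherwise be silently routed to the base rule, and the Unauthorized and Failed sub rules would stop firing without any visible error.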