| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|
| virtuallogsource | N/A | N/A | N/A |
| subproduct | N/A | N/A | Sub Product |
| Product | <vmid> | Text/String | Product name |
| Originip | N/A | N/A | IP of the log origin |
| Origin | N/A | N/A | Name of the first Security Gateway that reported this event |
| Action | <action>
<tag1> | Text/String | N/A |
| SIP | <sip> | IP Address | Source IP |
| Sport | <sport> | Number | Source host port number |
| DIP | <dip> | IP Address | Destination IP |
| dport | <dport> | Number | Destination host port number |
| protocol | <protnum> | Number | Protocol detected on the connection |
| ifname | N/A | N/A | The name of the Security Gateway interface, through which a connection traverses |
| ifdirection | N/A | N/A | Connection direction |
| Reason | <reason> | Text/String | Description of log's reason |
| Rule | N/A | N/A |
|
| Info | N/A | N/A | Special log message |
| XlateSIP | N/A | N/A | Source ipv4 after applying NAT |
| XlateSport | N/A | N/A | Source host port number after applying NAT |
| XlateDIP | N/A | N/A | Destination ipv4 after applying NAT |
| XlateDPort | N/A | N/A | Destination host port number after applying NAT |
| User | <login> | Text/String | Source user name |
| alert | N/A | N/A | Alert level of matched rule (for connection logs) |
| icmp-code | N/A | N/A | In case a connection is ICMP, ICMP code info will be added to the log |
| icmp-type | N/A | N/A | In case a connection is ICMP, type info will be added to the log |
| matched_category | N/A | N/A | Name of matched category |
| rule_name | N/A | N/A | Access rule name |
| Url | N/A | N/A | Matched URL |
| time | N/A | N/A | The time stamp when the log was created. |
| proxy_src | <snatip> | IP Address | Sender source IP (even when using proxy) |
| auth_method | N/A | N/A | Password authentication protocol used |
| client_name | N/A | N/A | Client Application or Software Blade that detected the event |
| status | <result> | Text/String | Ok, Warning, Error |
| flags | N/A | N/A | N/A |
| loguid | N/A | N/A | UUID of unified logs |
| originsicname | N/A | N/A | Machine SIC |
| sequencenum | N/A | N/A | Number added to order logs with the same linux timestamp and origin |
| version | N/A | N/A | N/A |
| auth_method2 | N/A | N/A | Password authentication protocol used |
| auth_method3 | N/A | N/A | Password authentication protocol used |
| browser | N/A | N/A | N/A |
| certificate_issue | N/A | N/A | N/A |
| certificate_serial_number | N/A | N/A | N/A |
| client_build | N/A | N/A | N/A |
| client_version | N/A | N/A | Build version of SandBlast Agent client installed on the computer |
| cvpn_category | N/A | N/A | Mobile Access application type |
| device_identification | N/A | N/A | N/A |
| event_type | N/A | N/A | N/A |
| failed_login_factor | N/A | N/A | N/A |
| failed_login_factor_num | N/A | N/A | N/A |
| fingerprint | N/A | N/A | N/A |
| hardware_model | N/A | N/A | N/A |
| host_ip | N/A | N/A | N/A |
| host_type | N/A | N/A | N/A |
| latitude | N/A | N/A | N/A |
| license | N/A | N/A | N/A |
| login_option | N/A | N/A | N/A |
| login_timestamp | N/A | N/A | N/A |
| longitude | N/A | N/A | N/A |
| methods | N/A | N/A | IPSEc methods |
| office_mode_ip | N/A | N/A | N/A |
| os_bits | N/A | N/A | N/A |
| os_build | N/A | N/A | N/A |
| os_edition | N/A | N/A | N/A |
| os_name | N/A | N/A | Name of the OS installed on the source endpoint computer |
| os_service_pack | N/A | N/A | N/A |
| os-version | N/A | N/A | Build version of the OS installed on the source endpoint computer |
| session_timeout | N/A | N/A | N/A |
| session_uid | N/A | N/A | Mobile Access session identification |
| suppressed_logs | N/A | N/A | Aggregated connections for five minutes on the same source, destination and port |
| tunnel_protocol | N/A | N/A | N/A |
| user_dn | N/A | N/A | User distinguished name connected to source IP |
| user_group | <group> | Text/String | The group which the user belongs to, upon login |
