V 2.0 : Connectra Events

Vendor Documentation

Classification

Rule Name | Rule Type | Common Event | Classification
--- | --- | --- | ---
V 2.0 : Connectra Events | Base Rule | General VPN Information | Other Operations
V 2.0 : Connectra : Remote User Logged On | Sub Rule | User Logon | Authentication Success
V 2.0 : Connectra : Remote User Logged Off | Sub Rule | User Logoff | Authentication Success
V 2.0 : Connectra : Remote Logon Failure | Sub Rule | User Logon Failure | Authentication Failure
V 2.0 : Connectra : Host IP Changed | Sub Rule | IP Address Changed | Information

Mapping with LogRhythm Schema

Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description
--- | --- | --- | ---
virtuallogsource | N/A | N/A | N/A
subproduct | N/A | N/A | Sub Product
Product | <vmid> | Text/String | Product name
Originip | N/A | N/A | IP of the log origin
Origin | N/A | N/A | Name of the first Security Gateway that reported this event
Action | <action> <tag1> | Text/String | N/A
SIP | <sip> | IP Address | Source IP
Sport | <sport> | Number | Source host port number
DIP | <dip> | IP Address | Destination IP
dport | <dport> | Number | Destination host port number
protocol | <protnum> | Number | Protocol detected on the connection
ifname | N/A | N/A | The name of the Security Gateway interface through which a connection traverses
ifdirection | N/A | N/A | Connection direction
Reason | <reason> | Text/String | Description of the log's reason
Rule | N/A | N/A | 
Info | N/A | N/A | Special log message
XlateSIP | N/A | N/A | Source IPv4 address after applying NAT
XlateSport | N/A | N/A | Source host port number after applying NAT
XlateDIP | N/A | N/A | Destination IPv4 address after applying NAT
XlateDPort | N/A | N/A | Destination host port number after applying NAT
User | <login> | Text/String | Source user name
alert | N/A | N/A | Alert level of matched rule (for connection logs)
icmp-code | N/A | N/A | If the connection is ICMP, the ICMP code is added to the log
icmp-type | N/A | N/A | If the connection is ICMP, the ICMP type is added to the log
matched_category | N/A | N/A | Name of matched category
rule_name | N/A | N/A | Access rule name
Url | N/A | N/A | Matched URL
time | N/A | N/A | The timestamp when the log was created
proxy_src | <snatip> | IP Address | Sender source IP (even when using a proxy)
auth_method | N/A | N/A | Password authentication protocol used
client_name | N/A | N/A | Client Application or Software Blade that detected the event
status | <result> | Text/String | Ok, Warning, Error
flags | N/A | N/A | N/A
loguid | N/A | N/A | UUID of unified logs
originsicname | N/A | N/A | Machine SIC name
sequencenum | N/A | N/A | Number added to order logs with the same Linux timestamp and origin
version | N/A | N/A | N/A
auth_method2 | N/A | N/A | Password authentication protocol used
auth_method3 | N/A | N/A | Password authentication protocol used
browser | N/A | N/A | N/A
certificate_issue | N/A | N/A | N/A
certificate_serial_number | N/A | N/A | N/A
client_build | N/A | N/A | N/A
client_version | N/A | N/A | Build version of the SandBlast Agent client installed on the computer
cvpn_category | N/A | N/A | Mobile Access application type
device_identification | N/A | N/A | N/A
event_type | N/A | N/A | N/A
failed_login_factor | N/A | N/A | N/A
failed_login_factor_num | N/A | N/A | N/A
fingerprint | N/A | N/A | N/A
hardware_model | N/A | N/A | N/A
host_ip | N/A | N/A | N/A
host_type | N/A | N/A | N/A
latitude | N/A | N/A | N/A
license | N/A | N/A | N/A
login_option | N/A | N/A | N/A
login_timestamp | N/A | N/A | N/A
longitude | N/A | N/A | N/A
methods | N/A | N/A | IPsec methods
office_mode_ip | N/A | N/A | N/A
os_bits | N/A | N/A | N/A
os_build | N/A | N/A | N/A
os_edition | N/A | N/A | N/A
os_name | N/A | N/A | Name of the OS installed on the source endpoint computer
os_service_pack | N/A | N/A | N/A
os-version | N/A | N/A | Build version of the OS installed on the source endpoint computer
session_timeout | N/A | N/A | N/A
session_uid | N/A | N/A | Mobile Access session identification
suppressed_logs | N/A | N/A | Connections aggregated over five minutes with the same source, destination and port
tunnel_protocol | N/A | N/A | N/A
user_dn | N/A | N/A | User distinguished name associated with the source IP
user_group | <group> | Text/String | The group the user belongs to, at login