Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
|
Log Field |
LogRhythm Default |
LogRhythm Default v2.0 |
|---|---|---|
|
Type (type) |
N/A |
<vmid> |
|
Threat/ContentType (subtype) |
N/A |
<vendorinfo> |
|
Source Address (src) |
N/A |
<sip> |
|
Destination Address (dst) |
N/A |
<dip> |
|
NAT Source IP (natsrc) |
N/A |
<snatip> |
|
NAT Destination IP (natdst) |
N/A |
<dnatip> |
|
Rule (rule) |
N/A |
<policy> |
|
Source User (srcuser) |
N/A |
<domainorigin>
|
|
Destination User (dstuser) |
N/A |
<domainimpacted>
|
|
Inbound Interface (inbound_if) |
N/A |
<sinterface> |
|
Outbound Interface (outbound_if) |
N/A |
<dinterface> |
|
Session ID (sessionid) |
N/A |
<session> |
|
Repeat Count (repeatcnt) |
N/A |
<quantity> |
|
Source Port (sport) |
N/A |
<sport> |
|
Destination Port (dport) |
N/A |
<dport> |
|
NAT Source Port (natsport) |
N/A |
<snatport> |
|
NAT Destination Port (natdport) |
N/A |
<dnatport> |
|
IP Protocol (proto) |
N/A |
<protname> |
|
Action (action) |
N/A |
<action>
|
|
Device Name (device_name) |
N/A |
<objectname> |
|
Application Characteristic (characteristic_of_app) |
N/A |
<group> |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
N/A |
N/A |
N/A |
N/A |
N/A |
LogRhythm Default v2.0
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1011937
|
V 2.0 Decryption Event Messages |
Base Rule |
Session Information |
Information |
|
V 2.0 Decryption Session Allowed |
Sub Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
|
V 2.0 Decryption Session Denied |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
|
V 2.0 Decryption Session Dropped |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
|
V 2.0 Decryption Session Reset |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |