Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| Header: Severity | `<severity>` | N/A |
| Type (type) | N/A | `<vmid>` |
| Content/Threat Type (subtype) | N/A | `<vendorinfo>` |
| Event ID (eventid) | `<tag1>` | `<action>` |
| Object (object) | N/A | `<object>` |
| Severity (severity) | N/A | `<severity>` |
| Description (opaque) | `<subject>` | `<subject>` |
| Action Flags (actionflags) | `<object>` | N/A |
| Device Name (device_name) | N/A | `<objectname>` |

Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1001606 | SSL VPN & GlobalProtect Events | Base Rule | General Audit Message | Other Audit |
| | GlobalProtect : Gateway Config Success | Sub Rule | Configuration Successful | Information |
| | GlobalProtect : Client SSL Tunnel Success | Sub Rule | Object Created | Access Success |
| | GlobalProtect : Client Config Generated | Sub Rule | Object Created | Access Success |
| | GlobalProtect : Gateway Regist Failure | Sub Rule | Registration Failure | Error |
| | SSL VPN User Authentication Succeeded | Sub Rule | User Logon | Authentication Success |
| | SSL VPN User Login Succeeded | Sub Rule | User Logon | Authentication Success |
| | GlobalProtect : User Authentication Success | Sub Rule | User Logon | Authentication Success |
| | GlobalProtect : Gateway User Login | Sub Rule | User Logon | Authentication Success |
| | GlobalProtect : Gateway User Auth Success | Sub Rule | User Logon | Authentication Success |
| | SSL VPN User Logout Succeeded | Sub Rule | User Logoff | Authentication Success |
| | GlobalProtect : Gateway Client Config Released | Sub Rule | User Logoff | Authentication Success |
| | GlobalProtect : User Logout | Sub Rule | User Logoff | Authentication Success |
| | GlobalProtectportal-Auth-Fail | Sub Rule | User Logon Failure | Authentication Failure |
| | GlobalProtectGateway-Auth-Fail | Sub Rule | User Logon Failure | Authentication Failure |
| | SSL VPN Client Switch To SSL Tunnel Succeeded | Sub Rule | Trust Relationship Established | Access Granted |
| | SSL VPN Client Configuration Generated | Sub Rule | Configuration Loaded : System | Configuration |
| | GlobalProtect : Gateway Config Failure | Sub Rule | Configuration Failure | Critical |
| | SSL VPN Client Configuration Released | Sub Rule | End Configuration | Information |

LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1010870 | V 2.0 General GlobalProtect Messages | Base Rule | General VPN Information | Other Operations |
| | V 2.0 GlobalProtect Gateway : Remote Logon Failure | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 GlobalProtect Portal : Remote Logon Failure | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 GlobalProtect Gateway : Remote Logon Success | Sub Rule | User Logon | Authentication Success |
| | V 2.0 GlobalProtect Portal : Remote Logon Success | Sub Rule | User Logon | Authentication Success |