Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
|
Log Field |
LogRhythm Default |
LogRhythm Default v2.0 |
|---|---|---|
|
Type (type) |
N/A |
<vmid> |
|
Content/Threat Type (subtype) |
N/A |
<vendorinfo> |
|
Event ID (eventid) |
N/A |
<action> |
|
Object (object) |
N/A |
<object> |
|
Severity (severity) |
<severity> |
<severity> |
|
Description (opaque) |
<subject> <tag1> <version> <dname> <dip> <tag2> |
<subject> |
|
Device Name (device_name) |
N/A |
<objectname> |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
|
Regex ID |
Rule Name |
Rule Type |
Common Events |
Classifications |
|---|---|---|---|---|
|
1004489
|
Catch All : System Messages |
Base Rule |
General System Information |
Information |
|
All DNS Proxy Cache Entries Were Cleared |
Sub Rule |
Cache Information |
Information |
|
|
Antivirus Update Job Succeeded |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
|
Auto Update Agent Found No New WildFire Updates |
Sub Rule |
General Automatic Updates Information |
Information |
|
|
EBL Refresh Aborted : No Changes To List |
Sub Rule |
No Change Detected In Signature File |
Information |
|
|
NTP Restart Synchronization Performed |
Sub Rule |
System Clock Synchronized |
Information |
|
|
User Information Refreshed |
Sub Rule |
Updated User Data |
Information |
|
|
WildFire Update Job Succeeded |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
|
Communication Error : Fail WildFire Upgrade Check |
Sub Rule |
Communication Failure |
Error |
|
|
Antivirus Version Does Not Match |
Sub Rule |
General Antivirus Warning |
Warning |
|
|
Wildfire Auto Update Failed |
Sub Rule |
Software Update Failed |
Error |
|
|
Antivirus : Upload Deployment Job Failed |
Sub Rule |
File Upload Failed |
Error |
|
|
Antivirus : Upload Deployment Job Succeeded |
Sub Rule |
File Uploaded |
Information |
|
|
Content : Upload Deployment Job Failed |
Sub Rule |
File Upload Failed |
Error |
|
|
Content : Upload Deployment Job Succeeded |
Sub Rule |
File Uploaded |
Information |
|
|
License : Upload Deployment Job Failed |
Sub Rule |
File Upload Failed |
Error |
|
|
Antivirus Install Failed |
Sub Rule |
General Software Installation Error |
Error |
|
|
Antivirus Install Succeeded |
Sub Rule |
Software Installed |
Configuration |
|
|
License Install Failed |
Sub Rule |
License Warning |
Warning |
|
|
License Install Succeeded |
Sub Rule |
License Installed |
Information |
|
|
Succeeded Exporting Config Bundle Via SSH |
Sub Rule |
Configuration Exporting |
Other Audit Success |
|
|
Traffic And Logging Resumed |
Sub Rule |
General Traffic Other Alert |
Critical |
|
|
Abnormal System Memory Usage |
Sub Rule |
Memory Usage Exceeded The Threshold |
Warning |
|
|
Traffic And Logging Are Resumed |
Sub Rule |
General Traffic Other Alert |
Critical |
|
|
Route Removed |
Sub Rule |
Static Route Removed |
Information |
|
|
Route Recovered |
Sub Rule |
Route Created |
Information |
LogRhythm Default v2.0
|
Regex ID |
Rule Name |
Rule Type |
Common Events |
Classifications |
|---|---|---|---|---|
|
1010865 |
V 2.0 General Remote Access Manager Messages |
Base Rule |
General Information |
Information |