Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
|
Log Field |
LogRhythm Default |
LogRhythm Default v2.0 |
|---|---|---|
|
Type (type) |
N/A |
<vmid> |
|
Source Address (src) |
N/A |
<sip> |
|
Destination Address (dst) |
N/A |
<dip> |
|
Rule Name (rule) |
N/A |
<policy> |
|
Inbound Interface (inbound_if) |
N/A |
<sinterface> |
|
Outbound Interface (outbound_if) |
N/A |
<dinterface> |
|
Session ID (sessionid) |
N/A |
<session> |
|
Source Port (sport) |
N/A |
<sport> |
|
Destination Port (dport) |
N/A |
<dport> |
|
IP Protocol (proto) |
N/A |
<protname> |
|
Action (action) |
N/A |
<action>
|
|
Device Name (device_name) |
N/A |
<objectname> |
|
Severity (severity) |
N/A |
<severity> |
|
SCTP Event Type (sctp_event_type) |
N/A |
<subject> |
|
SCTP Association End Reason (assoc_end_reason) |
N/A |
<reason> |
|
Packets Sent (pkts_sent) |
N/A |
<packetsout> |
|
Packets Received (pkts_received) |
N/A |
<packetsin> |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
|
Regex ID |
Rule Name |
Rule Type |
Common Events |
Classifications |
|---|---|---|---|---|
|
N/A |
N/A |
N/A |
N/A |
N/A |
LogRhythm Default v2.0
|
Regex ID |
Rule Name |
Rule Type |
Common Events |
Classifications |
|---|---|---|---|---|
|
1010888
|
V 2.0 SCTP Messages |
Base Rule |
General Network Traffic |
Network Traffic |
|
V 2.0 Traffic Allowed By Network Firewall Messages |
Sub Rule |
Traffic Allowed by Network Firewall |
Network Allow |
|
|
V 2.0 Traffic Denied By Network Firewall |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |