Web Server Access 1
Vendor Documentation
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| N/A | `<bytesin>` | `<bytesin>` |
| N/A | `<bytesout>` | `<bytesout>` |
| N/A | `<command>` | `<command>` |
| N/A | `<dip>` | `<dip>` |
| N/A | `<domain>` | N/A |
| N/A | N/A | `<dname>` |
| N/A | `<dport>` | `<dport>` |
| N/A | `<group>` | N/A |
| N/A | `<login>` | `<login>` |
| N/A | `<milliseconds>` | `<milliseconds>` |
| N/A | `<object>` | `<object>` |
| N/A | `<responsecode>` | N/A |
| N/A | N/A | `<process>` |
| N/A | N/A | `<responsecode>` |
| N/A | `<sender>` | N/A |
| N/A | `<sinterface>` | N/A |
| N/A | `<sip>` | `<sip>` |
| N/A | `<snatip>` | N/A |
| N/A | `<tag1>` | `<tag1>` |
| N/A | N/A | `<tag2>` |
| N/A | `<url>` | `<url>` |
| N/A | `<subject>` | N/A |
| N/A | `<useragent>` | `<useragent>` |
| N/A | N/A | `<version>` |
| N/A | `<vmid>` | N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1001460 | Web Server Access | Base Rule | Object Accessed | Access Success |
| | File Download | Sub Rule | Object Downloaded | Access Success |
| | File Post | Sub Rule | Object Added | Access Success |
| | PROPFIND Method | Sub Rule | Object Accessed | Access Success |
| | HEAD Method | Sub Rule | Object Accessed | Access Success |
| | Remote Procedure Call Over HTTP: OUT | Sub Rule | Remote Procedure Call Attempt | Network Traffic |
| | Remote Procedure Call Over HTTP: IN | Sub Rule | Remote Procedure Call Attempt | Network Traffic |
| | HTTP GET - 401 - Req Error - Unauthorized | Sub Rule | HTTP 401: Request Error - Unauthorized | Error |
| | HTTP GET - 400 - Req Error - Bad Request | Sub Rule | HTTP 400: Request Error - Bad Request | Error |
| | HTTP GET - 403 - Req Error - Forbidden | Sub Rule | HTTP 403: Request Error - Forbidden | Error |
| | HTTP GET - 404 - Req Error - Not Found | Sub Rule | HTTP 404: Request Error - Not Found | Error |
| | HTTP GET - 500 - Svr Error - Internal Server Error | Sub Rule | HTTP 500: Server Error - Internal Server Error | Error |
| | HTTP GET - 503 - Svr Error - Service Unavailable | Sub Rule | HTTP 503: Server Error - Service Unavailable | Error |
| | HTTP POST - 401 - Req Error - Unauthorized | Sub Rule | HTTP 401: Request Error - Unauthorized | Error |
| | HTTP POST - 400 - Req Error - Bad Request | Sub Rule | HTTP 400: Request Error - Bad Request | Error |
| | HTTP POST - 403 - Req Error - Forbidden | Sub Rule | HTTP 403: Request Error - Forbidden | Error |
| | HTTP POST - 404 - Req Error - Not Found | Sub Rule | HTTP 404: Request Error - Not Found | Error |
| | HTTP POST- 500 - Svr Error - Internal Server Error | Sub Rule | HTTP 500: Server Error - Internal Server Error | Error |
| | HTTP POST - 503 - Svr Error - Service Unavailable | Sub Rule | HTTP 503: Server Error - Service Unavailable | Error |
| | HTTP POST - 405 - Req Error - Method Not Allowed | Sub Rule | HTTP 405: Request Error - Method Not Allowed | Error |
| | HTTP - 502 - Svr Error - Bad Gateway | Sub Rule | HTTP 502: Server Error - Bad Gateway | Error |
| | HTTP - 400 - Req Error - Bad Request | Sub Rule | HTTP 400: Request Error - Bad Request | Error |
| | HTTP - 401 - Req Error - Unauthorized | Sub Rule | HTTP 401: Request Error - Unauthorized | Error |
| | HTTP - 402 - Req Error - Payment Required | Sub Rule | HTTP 402: Request Error - Payment Required | Error |
| | HTTP - 403 - Req Error - Forbidden | Sub Rule | HTTP 403: Request Error - Forbidden | Error |
| | HTTP - 404 - Req Error - Not Found | Sub Rule | HTTP 404: Request Error - Not Found | Error |
| | HTTP - 405 - Req Error - Method Not Allowed | Sub Rule | HTTP 405: Request Error - Method Not Allowed | Error |
| | HTTP - 500 - Svr Error - Internal Server Error | Sub Rule | HTTP 500: Server Error - Internal Server Error | Error |
| | HTTP - 502 - Svr Error - Bad Gateway | Sub Rule | HTTP 502: Server Error - Bad Gateway | Error |
| | HTTP - 503 - Svr Error - Service Unavailable | Sub Rule | HTTP 503: Server Error - Service Unavailable | Error |
| | HTTP - GET - 200: Success Reply - OK | Sub Rule | HTTP 200: Success Reply - OK | Information |
| | HTTP GET - 304 Redirect - Not Modified | Sub Rule | HTTP 304: Redirect - Not Modified | Information |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1013065 | V 2.0: IIS W3C Events | Base Rule | General IIS Activity | Information |
| | V 2.0: HTTP POST 400: Bad Request | Sub Rule | HTTP 400: Bad Request | Error |
| | V 2.0: HTTP POST 401: Unauthorized | Sub Rule | HTTP 401: Unauthorized | Error |
| | V 2.0: HTTP POST 402: Request Err - Payment Req | Sub Rule | HTTP 402: Request Error - Payment Required | Error |
| | V 2.0: HTTP POST 403: Forbidden | Sub Rule | HTTP 403: Forbidden | Error |
| | V 2.0: HTTP POST 404: Not Found | Sub Rule | HTTP 404: Not Found | Error |
| | V 2.0: HTTP POST 405: Method Not Allowed | Sub Rule | HTTP 405: Method Not Allowed | Error |
| | V 2.0: HTTP POST 406: Not Acceptable | Sub Rule | HTTP 406: Not Acceptable | Error |
| | V 2.0: HTTP POST 407: Proxy Authentication Req | Sub Rule | HTTP 407: Proxy Authentication Required | Error |
| | V 2.0: HTTP POST 408: Request Timeout | Sub Rule | HTTP 408: Request Timeout | Error |
| | V 2.0: HTTP POST 409: Conflict | Sub Rule | HTTP 409: Conflict | Error |
| | V 2.0: HTTP POST 410: Gone | Sub Rule | HTTP 410: Gone | Error |
| | V 2.0: HTTP POST 411: Length Required | Sub Rule | HTTP 411: Length Required | Error |
| | V 2.0: HTTP POST 412: Precondition Failed | Sub Rule | HTTP 412: Precondition Failed | Error |
| | V 2.0: HTTP POST 413: Request Entity Too Large | Sub Rule | HTTP 413: Request Entity Too Large | Error |
| | V 2.0: HTTP POST 414: Request-URI Too Long | Sub Rule | HTTP 414: Request-URI Too Long | Error |
| | V 2.0: HTTP POST 415: Unsupported Media Type | Sub Rule | HTTP 415: Unsupported Media Type | Error |
| | V 2.0: HTTP POST 416: Requested Range Not Satisfy | Sub Rule | HTTP 416: Requested Range Not Satisfiable | Error |
| | V 2.0: HTTP POST 417: Expectation Failed | Sub Rule | HTTP 417: Expectation Failed | Error |
| | V 2.0: HTTP POST 440: Req Error - Login Timeout | Sub Rule | HTTP 440: Request Error - Login Timeout | Error |
| | V 2.0: HTTP POST 500: Server Err - Int Server Err | Sub Rule | HTTP 500: Server Error - Internal Server Error | Error |
| | V 2.0: HTTP POST 501: Server Err - Not Implement | Sub Rule | HTTP 501: Server Error - Not Implemented | Error |
| | V 2.0: HTTP POST 502: Server Error - Bad Gateway | Sub Rule | HTTP 502: Server Error - Bad Gateway | Error |
| | V 2.0: HTTP POST 503: Service Unavailable | Sub Rule | HTTP 503: Service Unavailable | Error |
| | V 2.0: HTTP POST 504: Server Err -Gateway Timeout | Sub Rule | HTTP 504: Server Error - Gateway Time-Out | Error |
| | V 2.0: HTTP POST 505: Server Err -HTTP Ver Unsupp | Sub Rule | HTTP 505: Server Error - HTTP Ver Unsupported | Error |
| | V 2.0: HTTP POST 995: SSL Operation Aborted | Sub Rule | HTTP 995: Request Error - SSL Operation Aborted | Error |
| | V 2.0: HTTP POST 100: Continue | Sub Rule | HTTP 100: Continue | Information |
| | V 2.0: HTTP POST 101: Transition Status- Protocol | Sub Rule | HTTP 101: Transition Status - Protocol Switch | Information |
| | V 2.0: HTTP POST 200: Success Reply - OK | Sub Rule | HTTP 200: Success Reply - OK | Information |
| | V 2.0: HTTP POST 201: Success Reply - Created | Sub Rule | HTTP 201: Success Reply - Created | Information |
| | V 2.0: HTTP POST 202: Success Reply - Accepted | Sub Rule | HTTP 202: Success Reply - Accepted | Information |
| | V 2.0: HTTP POST 203: Success Reply - Non-auth | Sub Rule | HTTP 203: Success Reply - Nonauthoritative Info | Information |
| | V 2.0: HTTP POST 204: Success Reply - No Content | Sub Rule | HTTP 204: Success Reply - No Content | Information |
| | V 2.0: HTTP POST 205: Success Reply-Reset Content | Sub Rule | HTTP 205: Success Reply - Reset Content | Information |
| | V 2.0:HTTP POST 206: Success Rep -Partial Content | Sub Rule | HTTP 206: Success Reply - Partial Content | Information |
| | V 2.0: HTTP POST 207: Success - Multistatus Resp | Sub Rule | HTTP 207: Success - Multistatus Response | Information |
| | V 2.0: HTTP POST 300: Redirect - Multiple Choice | Sub Rule | HTTP 300: Redirect - Multiple Choices | Information |
| | V 2.0: HTTP POST 301: Redirect - Moved Permanent | Sub Rule | HTTP 301: Redirect - Moved Permanently | Information |
| | V 2.0: HTTP POST 302: Redirect - Moved Temporary | Sub Rule | HTTP 302: Redirect - Moved Temporarily | Information |
| | V 2.0: HTTP POST 303: Redirect - See Other | Sub Rule | HTTP 303: Redirect - See Other | Information |
| | V 2.0: HTTP POST 304: Redirect - Not Modified | Sub Rule | HTTP 304: Redirect - Not Modified | Information |
| | V 2.0: HTTP POST 305: Redirect - Use Proxy | Sub Rule | HTTP 305: Redirect - Use Proxy | Information |
| | V 2.0: HTTP POST 306: Redirect - Unused | Sub Rule | HTTP 306: Redirect - Unused | Information |
| | V 2.0:HTTP POST 307: Redirect -Temporary Redirect | Sub Rule | HTTP 307: Redirect - Temporary Redirect | Information |
| | V 2.0: HTTP GET 100: Transitional - Continue | Sub Rule | HTTP 100: Continue | Information |
| | V 2.0: HTTP GET 101: Transitional - Proto Switch | Sub Rule | HTTP 101: Transition Status - Protocol Switch | Information |
| | V 2.0: HTTP GET 200: Success - OK | Sub Rule | HTTP 200: Success Reply - OK | Information |
| | V 2.0: HTTP GET 201: Success - Created | Sub Rule | HTTP 201: Success Reply - Created | Information |
| | V 2.0: HTTP GET 202: Success - Accepted | Sub Rule | HTTP 202: Success Reply - Accepted | Information |
| | V 2.0: HTTP GET 203: Success - Nonauthoritative | Sub Rule | HTTP 203: Success Reply - Nonauthoritative Info | Information |
| | V 2.0: HTTP GET 204: Success - No Content | Sub Rule | HTTP 204: Success Reply - No Content | Information |
| | V 2.0: HTTP GET 205: Success - Reset Content | Sub Rule | HTTP 205: Success Reply - Reset Content | Information |
| | V 2.0: HTTP GET 206: Success - Partial Content | Sub Rule | HTTP 206: Success Reply - Partial Content | Information |
| | V 2.0: HTTP GET 207: Success - Mult Response | Sub Rule | HTTP 207: Success - Multistatus Response | Information |
| | V 2.0: HTTP GET 300: Redirect - Multiple Choices | Sub Rule | HTTP 300: Redirect - Multiple Choices | Information |
| | V 2.0: HTTP GET 301: Redirect - Moved Permanently | Sub Rule | HTTP 301: Redirect - Moved Permanently | Information |
| | V 2.0: HTTP GET 302: Redirect- Moved Temporarily | Sub Rule | HTTP 302: Redirect - Moved Temporarily | Information |
| | V 2.0: HTTP GET 303: Redirect - See Other | Sub Rule | HTTP 303: Redirect - See Other | Information |
| | V 2.0: HTTP GET 304: Redirect - Not Modified | Sub Rule | HTTP 304: Redirect - Not Modified | Information |
| | V 2.0: HTTP GET 305: Redirect - Use Proxy | Sub Rule | HTTP 305: Redirect - Use Proxy | Information |
| | V 2.0: HTTP GET 306: Redirect - Unused | Sub Rule | HTTP 306: Redirect - Unused | Information |
| | V 2.0: HTTP GET 307: Redirect-Temporary Redirect | Sub Rule | HTTP 307: Redirect - Temporary Redirect | Information |
| | V 2.0: HTTP GET 400: Req Error - Bad Request | Sub Rule | HTTP 400: Bad Request | Error |
| | V 2.0: HTTP GET 401: Req Error - Unauthorized | Sub Rule | HTTP 401: Unauthorized | Error |
| | V 2.0: HTTP GET 402: Req Error-Payment Required | Sub Rule | HTTP 402: Request Error - Payment Required | Error |
| | V 2.0: HTTP GET 403: Req Error - Forbidden | Sub Rule | HTTP 403: Forbidden | Error |
| | V 2.0: HTTP GET 404: Req Error - Not Found | Sub Rule | HTTP 404: Not Found | Error |
| | V 2.0: HTTP GET 405: Req Error-Method Not Allowed | Sub Rule | HTTP 405: Request Error - Method Not Allowed | Error |
| | V 2.0: HTTP GET 406: Req Error - Not Acceptable | Sub Rule | HTTP 406: Not Acceptable | Error |
| | V 2.0: HTTP GET 407: Req Error-Proxy Auth Request | Sub Rule | HTTP 407: Request Error - Proxy Auth Required | Error |
| | V 2.0: HTTP GET 408: Req Error -Request Time Out | Sub Rule | HTTP 408: Request Error - Request Time-Out | Error |
| | V 2.0: HTTP GET 409: Req Error - Conflict | Sub Rule | HTTP 409: Request Error - Conflict | Error |
| | V 2.0: HTTP GET 410: Req Error - Gone | Sub Rule | HTTP 410: Request Error - Gone | Error |
| | V 2.0: HTTP GET 411: Req Error - Length Required | Sub Rule | HTTP 411: Request Error - Length Required | Error |
| | V 2.0:HTTP GET 412: Req Error-Precondition Failed | Sub Rule | HTTP 412: Request Error - Precondition Failed | Error |
| | V 2.0: HTTP GET 413: Req Error-Req Item Too Big | Sub Rule | HTTP 413: Request Error - Request Item Too Big | Error |
| | V 2.0: HTTP GET 414: Req Error-Req URL Too Large | Sub Rule | HTTP 414: Request-URI Too Long | Error |
| | V 2.0: HTTP GET 415: Req Error -Unsupported Type | Sub Rule | HTTP 415: Request Error - Unsupported Type | Error |
| | V 2.0:HTTP GET 416: Req Error-Req Rng Unfillable | Sub Rule | HTTP 416: Request Error - Range Unfillable | Error |
| | V 2.0: HTTP GET 417: Req Error -Expectation Failed | Sub Rule | HTTP 417: Request Error - Expectation Failed | Error |
| | V 2.0: HTTP GET 440: Client Error -Login Timeout | Sub Rule | HTTP 440: Request Error - Login Timeout | Error |
| | V 2.0: HTTP GET 500: Svr Err -Internal Server Err | Sub Rule | HTTP 500: Server Error - Internal Server Error | Error |
| | V 2.0: HTTP GET 501: Svr Error - Not Implemented | Sub Rule | HTTP 501: Server Error - Not Implemented | Error |
| | V 2.0: HTTP GET 502: Svr Error - Bad Gateway | Sub Rule | HTTP 502: Server Error - Bad Gateway | Error |
| | V 2.0: HTTP GET 503: Svr Err-Service Unavailable | Sub Rule | HTTP 503: Server Error - Service Unavailable | Error |
| | V 2.0: HTTP GET 504: Svr Error -Gateway Time Out | Sub Rule | HTTP 504: Server Error - Gateway Time-Out | Error |
| | V 2.0:HTTP GET 505: Svr Error-HTTP Ver Unsupported | Sub Rule | HTTP 505: Server Error - HTTP Ver Unsupported | Error |
| | V 2.0: GET Request | Sub Rule | HTTP GET Method Event | Information |
| | V 2.0: POST Request | Sub Rule | HTTP POST Method Event | Information |
| | V 2.0: RPC_OUT_DATA: 200 - OK | Sub Rule | HTTP 200: Success Reply - OK | Information |
| | V 2.0: RPC_IN_DATA: 404 - Not Found | Sub Rule | HTTP 404: Not Found | Error |
| | V 2.0: RPC_OUT_DATA: 404 - Not Found | Sub Rule | HTTP 404: Not Found | Error |
| | V 2.0: RPC_IN_DATA: 200 - OK | Sub Rule | HTTP 200: Success Reply - OK | Information |
| | V 2.0: PROPFIND Request | Sub Rule | Webdav Protocol PROPFIND Method | Activity |
| | V 2.0: HEAD Request | Sub Rule | HTTP Head | Activity |
| | V 2.0: HTTP 440: Client Error - Login Timeout | Sub Rule | HTTP 440: Request Error - Login Timeout | Error |
| | V 2.0: HTTP 207: Success - Multistatus Response | Sub Rule | HTTP 207: Success - Multistatus Response | Information |
| | V 2.0: HTTP 100: Transitional - Continue | Sub Rule | HTTP 100: Transition Status - Continue | Information |
| | V 2.0: HTTP 101: Transitional - Protocol Switch | Sub Rule | HTTP 101: Transition Status - Protocol Switch | Information |
| | V 2.0: HTTP 200: Success - OK | Sub Rule | HTTP 200: Success Reply - OK | Information |
| | V 2.0: HTTP 201: Success - Created | Sub Rule | HTTP 201: Success Reply - Created | Information |
| | V 2.0: HTTP 202: Success - Accepted | Sub Rule | HTTP 202: Success Reply - Accepted | Information |
| | V 2.0: HTTP 203: Success - Nonauthoritative Info | Sub Rule | HTTP 203: Success Reply - Nonauthoritative Info | Information |
| | V 2.0: HTTP 204: Success - No Content | Sub Rule | HTTP 204: Success Reply - No Content | Information |
| | V 2.0: HTTP 205: Success - Reset Content | Sub Rule | HTTP 205: Success Reply - Reset Content | Information |
| | V 2.0: HTTP 206: Success - Partial Content | Sub Rule | HTTP 206: Success Reply - Partial Content | Information |
| | V 2.0: HTTP 300: Redirect - Multiple Choices | Sub Rule | HTTP 300: Redirect - Multiple Choices | Information |
| | V 2.0: HTTP 301: Redirect - Moved Permanently | Sub Rule | HTTP 301: Redirect - Moved Permanently | Information |
| | V 2.0: HTTP 302: Redirect - Moved Temporarily | Sub Rule | HTTP 302: Redirect - Moved Temporarily | Information |
| | V 2.0: HTTP 303: Redirect - See Other | Sub Rule | HTTP 303: Redirect - See Other | Information |
| | V 2.0: HTTP 304: Redirect - Not Modified | Sub Rule | HTTP 304: Redirect - Not Modified | Information |
| | V 2.0: HTTP 305: Redirect - Use Proxy | Sub Rule | HTTP 305: Redirect - Use Proxy | Information |
| | V 2.0: HTTP 306: Redirect - Unused | Sub Rule | HTTP 306: Redirect - Unused | Information |
| | V 2.0: HTTP 307: Redirect - Temporary Redirect | Sub Rule | HTTP 307: Redirect - Temporary Redirect | Information |
| | V 2.0: HTTP 400: Req Error - Bad Request | Sub Rule | HTTP 400: Request Error - Bad Request | Error |
| | V 2.0: HTTP 401: Req Error - Unauthorized | Sub Rule | HTTP 401: Request Error - Unauthorized | Error |
| | V 2.0: HTTP 402: Req Error - Payment Required | Sub Rule | HTTP 402: Request Error - Payment Required | Error |
| | V 2.0: HTTP 403: Req Error - Forbidden | Sub Rule | HTTP 403: Request Error - Forbidden | Error |
| | V 2.0: HTTP 404: Req Error - Not Found | Sub Rule | HTTP 404: Request Error - Not Found | Error |
| | V 2.0: HTTP 405: Req Error - Method Not Allowed | Sub Rule | HTTP 405: Request Error - Method Not Allowed | Error |
| | V 2.0: HTTP 406: Req Error - Not Acceptable | Sub Rule | HTTP 406: Request Error - Not Acceptable | Error |
| | V 2.0: HTTP 407: Req Error -Proxy Auth Requested | Sub Rule | HTTP 407: Request Error - Proxy Auth Required | Error |
| | V 2.0: HTTP 408: Req Error - Request Time Out | Sub Rule | HTTP 408: Request Error - Request Time-Out | Error |
| | V 2.0: HTTP 409: Req Error - Conflict | Sub Rule | HTTP 409: Request Error - Conflict | Error |
| | V 2.0: HTTP 410: Req Error - Gone | Sub Rule | HTTP 410: Request Error - Gone | Error |
| | V 2.0: HTTP 411: Req Error - Length Required | Sub Rule | HTTP 411: Request Error - Length Required | Error |
| | V 2.0: HTTP 412: Req Error - Precondition Failed | Sub Rule | HTTP 412: Request Error - Precondition Failed | Error |
| | V 2.0: HTTP 413: Req Error - Req Item Too Big | Sub Rule | HTTP 413: Request Error - Request Item Too Big | Error |
| | V 2.0: HTTP 414: Req Error - Req URL Too Large | Sub Rule | HTTP 414: Request Error - Request-URL Too Large | Error |
| | V 2.0: HTTP 415: Req Error - Unsupported Type | Sub Rule | HTTP 415: Request Error - Unsupported Type | Error |
| | V 2.0: HTTP 416: Req Error - Req Rng Unfillable | Sub Rule | HTTP 416: Request Error - Range Unfillable | Error |
| | V 2.0: HTTP 417: Req Error - Expectation Failed | Sub Rule | HTTP 417: Request Error - Expectation Failed | Error |
| | V 2.0: HTTP 500: Svr Error - Internal Server Err | Sub Rule | HTTP 500: Server Error - Internal Server Error | Error |
| | V 2.0: HTTP 501: Svr Error - Not Implemented | Sub Rule | HTTP 501: Server Error - Not Implemented | Error |
| | V 2.0: HTTP 502: Svr Error - Bad Gateway | Sub Rule | HTTP 502: Server Error - Bad Gateway | Error |
| | V 2.0: HTTP 503: Svr Error - Service Unavailable | Sub Rule | HTTP 503: Server Error - Service Unavailable | Error |
| | V 2.0: HTTP 504: Svr Error - Gateway Time Out | Sub Rule | HTTP 504: Server Error - Gateway Time-Out | Error |
| | V 2.0: HTTP 505: Svr Error - HTTP Ver Unsupported | Sub Rule | HTTP 505: Server Error - HTTP Ver Unsupported | Error |
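As an added example (not the vendor's parser and not part of the original page), the following Python parses a constructed IIS W3C log excerpt into the v2.0 field names from the table above and resolves each record to a sub-rule by method and status code, falling back to the base rule as the section describes. The W3C-column-to-field mapping, the byte direction (cs-bytes as bytesin, sc-bytes as bytesout) and the handful of sub-rules embedded are assumptions and a subset of the table, respectively.

```python
from typing import Dict, List, Optional, Tuple

# Constructed IIS W3C extended log excerpt (not from the page). IIS writes one
# space-separated record per line and a "#Fields:" directive naming the columns.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2024-01-15 08:00:01 10.0.0.5 GET /login.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 5120 412 15
2024-01-15 08:00:02 10.0.0.5 POST /admin/upload - 443 jdoe 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) 403 0 0 1200 3040 7
2024-01-15 08:00:03 10.0.0.5 RPC_IN_DATA /rpc/rpcproxy.dll - 443 - 203.0.113.9 MSRPC 404 0 0 300 0 2
"""

# Assumed mapping from W3C column names to the v2.0 field names in the table;
# the vendor's actual regex is not on the page.
W3C_TO_FIELD = {
    "s-ip": "dip", "c-ip": "sip", "s-port": "dport", "cs-method": "command",
    "cs-uri-stem": "object", "cs-username": "login", "cs(User-Agent)": "useragent",
    "sc-status": "responsecode", "sc-bytes": "bytesout", "cs-bytes": "bytesin",
    "time-taken": "milliseconds", "cs-version": "version",
}

# Base rule and a subset of sub-rules copied from the v2.0 table (Common Event,
# Classification); anything not matched by a sub-rule falls through to the base rule.
BASE_RULE = ("General IIS Activity", "Information")
SUB_RULES = {
    ("GET", 200): ("HTTP 200: Success Reply - OK", "Information"),
    ("POST", 403): ("HTTP 403: Forbidden", "Error"),
    ("RPC_IN_DATA", 200): ("HTTP 200: Success Reply - OK", "Information"),
    ("RPC_IN_DATA", 404): ("HTTP 404: Not Found", "Error"),
}

def parse_w3c(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse W3C records into dicts keyed by the v2.0 field names."""
    columns: List[str] = []
    records: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            columns = line.split()[1:]        # directive defines the column order
            continue
        if not line or line.startswith("#"):
            continue                          # other directives and blank lines
        values = line.split(" ")
        if not columns or len(values) != len(columns):
            continue                          # malformed record: skip rather than guess
        raw = dict(zip(columns, values))
        rec: Dict[str, Optional[str]] = {}
        for col, field in W3C_TO_FIELD.items():
            if col in raw:
                val = raw[col]
                if val == "-":
                    rec[field] = None         # W3C placeholder for "no value"
                elif field == "useragent":
                    rec[field] = val.replace("+", " ")   # IIS encodes spaces as '+'
                else:
                    rec[field] = val
        stem, query = raw.get("cs-uri-stem", "-"), raw.get("cs-uri-query", "-")
        rec["url"] = ("" if stem == "-" else stem) + ("" if query == "-" else "?" + query)
        records.append(rec)
    return records

def classify(rec: Dict[str, Optional[str]]) -> Tuple[str, str]:
    """Resolve a parsed record to (Common Event, Classification) by method and status."""
    status = rec.get("responsecode")
    key = (rec.get("command"), int(status) if status and status.isdigit() else None)
    return SUB_RULES.get(key, BASE_RULE)
```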