Web Server Logs
Vendor Documentation
| Reference |
|---|
| https://docs.imperva.com/bundle/cloud-application-security/page/more/log-file-structure.htm |
| https://docs.imperva.com/bundle/cloud-application-security/page/more/example-logs.htm |
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| Vendor | N/A | <vendorinfo> |
| DeviceProduct | N/A | N/A |
| Version | N/A | N/A |
| Event ID | N/A | <vmid> |
| Attack Name | <vmid> | <threatname> |
| Attack Severity | <severity> | <severity> |
| suid | N/A | N/A |
| Customer | <account> | N/A |
| tag | N/A | N/A |
| cicode | N/A | N/A |
| src | <dip> | <sip> |
| in | <amount> | <size> |
| ccode | <object> | N/A |
| cn1 | <responsecode> | <responsecode> |
| fileId | <process> | N/A |
| requestMethod | <command> | <command> |
| deviceFacility | N/A | N/A |
| app | <protname> | <protname> |
| ver | N/A | <version> |
| ref | N/A | N/A |
| additionalReqHeaders | N/A | N/A |
| deviceExternalId | N/A | N/A |
| act | <result>, <tag1> | <action> |
| start | N/A | N/A |
| end | N/A | N/A |
| additionalResHeaders | N/A | N/A |
| siteid | N/A | N/A |
| sourceServiceName | <domainorigin> | <process> |
| siteTag | N/A | N/A |
| cpt | <sport> | <sport> |
| request | <url> | <url> |
| requestClientApplication | <useragent> | <useragent> |
| xff | N/A | N/A |
| cs11 | N/A | N/A |
| filePermission | N/A | <threatid> |
| fileType | N/A | N/A |
| dproc | <objecttype> | N/A |
| cs1 | N/A | N/A |
| cs6 | <objectname> | N/A |
| cs3 | N/A | N/A |
| cs5 | <vendorinfo> | N/A |
| cs2 | N/A | N/A |
| cs7 | N/A | N/A |
| cs8 | N/A | N/A |
| postbody | N/A | N/A |
| qstr | N/A | N/A |
| cs9 | N/A | <policy> |
| sip | <sip> | <dip> |
| spt | <dport> | <dport> |
| cs4 | <session> | N/A |
| cs10 | N/A | N/A |
| cs2Label | N/A | N/A |
| cs3Label | N/A | N/A |
| cs1Label | N/A | N/A |
| cs4Label | N/A | N/A |
| cs5Label | N/A | N/A |
| cs6Label | N/A | N/A |
| cs7Label | N/A | N/A |
| cs8Label | N/A | N/A |
| deviceExternalID | N/A | N/A |
| cs9Label | N/A | N/A |
| cs11Label | N/A | N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1009987 | Web Server Logs | Base Rule | General Web Server Log | Information |
| | Web Server Log : GET | Sub Rule | HTTP GET Method Event | Information |
| | Web Server Log : POST | Sub Rule | HTTP POST Method Event | Information |
| | Web Server Log : REQ_PASSED | Sub Rule | Traffic Allowed by WAF | Network Allow |
| | Web Server Log : REQ_BAD | Sub Rule | Traffic Denied by WAF | Network Deny |
| | Web Server Log : REQ_CACHED | Sub Rule | Web Cache Traffic | Network Traffic |
| | Web Server Log : REQ_CHALLENGED | Sub Rule | Access Challenge Response Received | Information |
| | Web Server Log : REQ_BLOCKED | Sub Rule | Traffic Denied by WAF | Network Deny |
| | Severity 3: ACL Block | Sub Rule | General ACL Deny Event | Network Traffic |
| | Severity 4: Manual Rule | Sub Rule | General Syslog Alert | Critical |
| | Severity 6: DDOS | Sub Rule | Host Distributed Denial Of Service | Denial Of Service |
| | Severity 8: Cross Site Scripting Or RFI | Sub Rule | Cross-Site Scripting | Attack |
| | Severity 9: SQL Injection | Sub Rule | SQL Injection | Attack |
| | Severity 10: Backdoor | Sub Rule | Possible Backdoor Activity | Malware |
| | Severity 5: Bad Bots | Sub Rule | Unauthorized Program/Process | Misuse |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1012502 | V 2.0 : Access And Security Events | Base Rule | General Information Log Message | Information |
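The following is an added example that is not LogRhythm's or Imperva's code. It parses one CEF-formatted web server log line of the kind the vendor documentation above describes, applies the LogRhythm Default v2.0 field mapping from the field table, and reports which LogRhythm Default sub-rules from the log processing table the record satisfies. The sample log line, including its vendor, product, signature ID, attack name and extension values, is constructed for illustration and is not taken from an Imperva system; `classify_default` lists every matching sub-rule, whereas the real policy selects a single sub-rule by its sort order, which this example does not model.

```python
"""Parse an Imperva Cloud WAF CEF log line and apply the LogRhythm field tables.
Added example (not LogRhythm's or Imperva's code); the sample line is constructed."""
import re

# CEF header positions (after the "CEF:" prefix) that LogRhythm Default v2.0
# parses, named as in the field table: Vendor, Event ID, Attack Name, Attack Severity.
HEADER_V2 = {1: "vendorinfo", 4: "vmid", 5: "threatname", 6: "severity"}

# CEF extension key -> LogRhythm Default v2.0 metadata field (from the field table).
EXTENSION_V2 = {
    "src": "sip", "in": "size", "cn1": "responsecode",
    "requestMethod": "command", "app": "protname", "ver": "version",
    "act": "action", "sourceServiceName": "process", "cpt": "sport",
    "request": "url", "requestClientApplication": "useragent",
    "filePermission": "threatid", "cs9": "policy", "sip": "dip", "spt": "dport",
}

# LogRhythm Default sub-rules as (rule name, common event, classification),
# keyed on the act value, the HTTP method, and the CEF severity number.
ACTION_RULES = {
    "REQ_PASSED": ("Web Server Log : REQ_PASSED", "Traffic Allowed by WAF", "Network Allow"),
    "REQ_BAD": ("Web Server Log : REQ_BAD", "Traffic Denied by WAF", "Network Deny"),
    "REQ_CACHED": ("Web Server Log : REQ_CACHED", "Web Cache Traffic", "Network Traffic"),
    "REQ_CHALLENGED": ("Web Server Log : REQ_CHALLENGED", "Access Challenge Response Received", "Information"),
    "REQ_BLOCKED": ("Web Server Log : REQ_BLOCKED", "Traffic Denied by WAF", "Network Deny"),
}
METHOD_RULES = {
    "GET": ("Web Server Log : GET", "HTTP GET Method Event", "Information"),
    "POST": ("Web Server Log : POST", "HTTP POST Method Event", "Information"),
}
SEVERITY_RULES = {
    "3": ("Severity 3: ACL Block", "General ACL Deny Event", "Network Traffic"),
    "4": ("Severity 4: Manual Rule", "General Syslog Alert", "Critical"),
    "5": ("Severity 5: Bad Bots", "Unauthorized Program/Process", "Misuse"),
    "6": ("Severity 6: DDOS", "Host Distributed Denial Of Service", "Denial Of Service"),
    "8": ("Severity 8: Cross Site Scripting Or RFI", "Cross-Site Scripting", "Attack"),
    "9": ("Severity 9: SQL Injection", "SQL Injection", "Attack"),
    "10": ("Severity 10: Backdoor", "Possible Backdoor Activity", "Malware"),
}

# Constructed sample line: shape follows the CEF layout, values are made up.
SAMPLE = (
    "CEF:0|Incapsula|SIEMintegration|1|1|Illegal Resource Access|3|"
    "fileId=101 sourceServiceName=site.example.com siteid=123 suid=456 "
    "requestClientApplication=Mozilla/5.0 deviceFacility=mia "
    "cs9=Block request cs9Label=Policy src=203.0.113.10 cpt=51234 in=512 "
    "xff=203.0.113.10 cs4=abc123 cs4Label=VID requestMethod=GET cn1=403 "
    "app=HTTPS request=site.example.com/login?next\\=/home ver=TLSv1.2 "
    "act=REQ_BLOCKED filePermission=WAF-Rule-01 sip=198.51.100.5 spt=443"
)


def split_cef(line):
    """Split 'CEF:ver|vendor|product|devver|sigid|name|severity|ext' on unescaped
    pipes. Header fields are unescaped here (\\| and \\\\); the extension is kept
    raw because its own escaping (\\=) is handled by parse_extension."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts, buf, i = [], [], len("CEF:")
    while i < len(line) and len(parts) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # backslash escapes the next char
            buf.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(parts) < 7:
        raise ValueError("truncated CEF header")
    parts.append(line[i:])                      # raw extension string
    return parts


def _unescape(value):
    # CEF extension escapes: \= \\ \n \r
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext):
    """Split 'key=value key2=value with spaces' at a space followed by 'key='.
    A literal '=' inside a value is escaped as '\\=' in CEF, so it never splits."""
    fields = {}
    for chunk in re.split(r" (?=[A-Za-z0-9_]+=)", ext.strip()):
        key, sep, value = chunk.partition("=")
        if sep:
            fields[key] = _unescape(value)
    return fields


def parse_v2(line):
    """Return the LogRhythm Default v2.0 metadata fields for one log line."""
    header = split_cef(line)
    out = {name: header[pos] for pos, name in HEADER_V2.items()}
    for key, value in parse_extension(header[7]).items():
        if key in EXTENSION_V2:
            out[EXTENSION_V2[key]] = value
    return out


def classify_default(line):
    """Return every LogRhythm Default sub-rule the line satisfies (example's
    choice; the real policy picks one sub-rule by sort order)."""
    header = split_cef(line)
    ext = parse_extension(header[7])
    matches = []
    if header[6] in SEVERITY_RULES:
        matches.append(SEVERITY_RULES[header[6]])
    if ext.get("act") in ACTION_RULES:
        matches.append(ACTION_RULES[ext["act"]])
    if ext.get("requestMethod") in METHOD_RULES:
        matches.append(METHOD_RULES[ext["requestMethod"]])
    return matches


if __name__ == "__main__":
    for field, value in sorted(parse_v2(SAMPLE).items()):
        print(f"{field:13s} {value}")
    for rule in classify_default(SAMPLE):
        print(" / ".join(rule))
```

Note that `src` maps to `sip` and `sip` to `dip` under v2.0, the reverse of the Default policy's `<dip>`/`<sip>` assignment for those keys; when comparing searches across the two policies this swap is the first thing to check.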