WebFilter Traffic

WebFilter Traffic

Base Rule

General WebFilter Event

Information

EVID 12547 : Webfilter Invalid Hostname

Sub Rule

Unknown Hostname

Warning

EVID 12801 : Webfilter Error

Sub Rule

Unknown Hostname

Warning

EVID 13317 : Web Filter Allowed

Sub Rule

Traffic Allowed by Network Firewall

Network Allow

EVID 13312 : Web Filter Allowed

Sub Rule

Traffic Allowed by Network Firewall

Network Allow

EVID 12544 : URL Was Blocked

Sub Rule

Traffic Denied by Proxy

Network Deny

EVID 13057 : Web Filter Blocked

Sub Rule

Traffic Denied by Network Firewall

Network Deny

EVID 13056 : Web Filter Blocked

Sub Rule

Traffic Denied by Network Firewall

Network Deny

Device Key in Log Message

LogRhythm Schema

Data Type

Schema Description

logid

<vmid>

Number

The ID (logid) is a 10-digit field. It is a unique identifier for that specific log.

msg

<vendorinfo>

Text\String

N/A

level

<severity>

Text\String

Each log entry contains a Level (level) field that indicates the estimated severity of the event that caused the log entry.

srcip

<sip>

IP Address

IP address of the traffic’s origin.

dstip

<dip>

IP Address

Destination IP address for the web.

srcport

<sport>

Number

Port number of the traffic's origin

dstport

<dport>

Number

Port number of the traffic's destination.

srcintf

<sinterface>

Text\String

Interface name of the traffic's origin.

dstintf

<dinterface>

Text\String

Interface of the traffic's destination.

proto

<protnum>

Number

The protocol used by web traffic (tcp by default).

service

<protname>

Text\String

Name of the service.

user

<login>

Text\String

N/A

vd

<domainorigin>

Text\String

N/A

sessionid

<session>

Number

N/A

msg

<object>

Text\String

N/A

catdesc

<subject>

Text\String

N/A

url

<url>

Text\String

N/A

profile

<group>

Text\String

N/A

action

<action>

Text\String

N/A

eventtype

<result>

Text\String

N/A

method

<reason>

Text\String

N/A

rcvdbyte

<bytesin>

Number

N/A

sentbyte

<bytesout>

Number

N/A