WebFilter Traffic

Vendor Documentation

Rule Name	Rule Type	Common Event	Classification
WebFilter Traffic	Base Rule	General WebFilter Event	Information
EVID 12547 : Webfilter Invalid Hostname	Sub Rule	Unknown Hostname	Warning
EVID 12801 : Webfilter Error	Sub Rule	Unknown Hostname	Warning
EVID 13317 : Web Filter Allowed	Sub Rule	Traffic Allowed by Network Firewall	Network Allow
EVID 13312 : Web Filter Allowed	Sub Rule	Traffic Allowed by Network Firewall	Network Allow
EVID 12544 : URL Was Blocked	Sub Rule	Traffic Denied by Proxy	Network Deny
EVID 13057 : Web Filter Blocked	Sub Rule	Traffic Denied by Network Firewall	Network Deny
EVID 13056 : Web Filter Blocked	Sub Rule	Traffic Denied by Network Firewall	Network Deny

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
logid	<vmid>	Number	The ID (logid) is a 10-digit field. It is a unique identifier for that specific log.
msg	<vendorinfo>	Text\String	N/A
level	<severity>	Text\String	Each log entry contains a Level (level) field that indicates the estimated severity of the event that caused the log entry.
srcip	<sip>	IP Address	IP address of the traffic’s origin.
dstip	<dip>	IP Address	Destination IP address for the web.
srcport	<sport>	Number	Port number of the traffic's origin
dstport	<dport>	Number	Port number of the traffic's destination.
srcintf	<sinterface>	Text\String	Interface name of the traffic's origin.
dstintf	<dinterface>	Text\String	Interface of the traffic's destination.
proto	<protnum>	Number	The protocol used by web traffic (tcp by default).
service	<protname>	Text\String	Name of the service.
user	<login>	Text\String	N/A
vd	<domainorigin>	Text\String	N/A
sessionid	<session>	Number	N/A
msg	<object>	Text\String	N/A
catdesc	<subject>	Text\String	N/A
url	<url>	Text\String	N/A
profile	<group>	Text\String	N/A
action	<action>	Text\String	N/A
eventtype	<result>	Text\String	N/A
method	<reason>	Text\String	N/A
rcvdbyte	<bytesin>	Number	N/A
sentbyte	<bytesout>	Number	N/A