Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|
| N/A | <vmid> | <vmid> |
| N/A | <command> | <vendorinfo> |
| N/A | <tag1> | <tag1> |
| N/A | <sip> | <sip> |
| N/A | <dip> | <dip> |
| N/A | N/A | <snatip> |
| N/A | <dnatip> | <dnatip> |
| N/A | <policy> | <policy> |
| N/A | N/A | <domainorigin> |
| N/A | <login> | <login> |
| N/A | N/A | <domainimpacted> |
| N/A | N/A | <account> |
| N/A | <sinterface> | <sinterface> |
| N/A | <dinterface> | <dinterface> |
| N/A | <session> | <session> |
| N/A | <sport> | <sport> |
| N/A | <dport> | <dport> |
| N/A | <snatport> | <snatport> |
| N/A | N/A | <dnatport> |
| N/A | <protname> | <protname> |
| N/A | <tag2> | <tag2> |
| N/A | <action> | <action> |
| N/A | <bytesin> | <bytesin> |
| N/A | <bytesout> | <bytesout> |
| N/A | <seconds> | <seconds> |
| N/A | <subject> | <subject> |
| N/A | <packetsin> | <packetsin> |
| N/A | <packetsout> | <packetsout> |
| N/A | <domainorigin> | N/A |
| N/A | <login> | N/A |
| N/A | <account> | N/A |
| N/A | <object> | <object> |
| N/A | <group> | N/A |
| N/A | <tag4> | N/A |
| N/A | <size> | N/A |
| N/A | <amount> | N/A |
| N/A | <seconds> | N/A |
| N/A | <process> | N/A |
| N/A | <vendorinfo> | N/A |
| N/A | <bytes> | N/A |
| N/A | <reason> | N/A |
| N/A | <objectname> | <objecttype> |
| N/A | <quantity> | N/A |
| N/A | N/A | <reason> |
| N/A | N/A | <threatname> |
| N/A | N/A | <threatid> |
| N/A | N/A | <severity> |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|
1000723
| Pattern 2 : Traffic Messages | Base Rule | Network Traffic | Network Traffic |
| Session Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| Session Denied At Application Layer | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| Session Dropped | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| Connection Reset - Client And Server | Sub Rule | Connection Reset | Network Traffic |
LogRhythm Default v2.0
Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|
1010886
| V 2.0 Traffic Messages | Base Rule | General Network Traffic | Network Traffic |
| V 2.0 Session Started | Sub Rule | Network Session Created | Network Traffic |
| V 2.0 Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0 Traffic Dropped | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| V 2.0 Traffic Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| V 2.0 Network Session Closed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0 Network Connection Dropped | Sub Rule | Traffic Denied by Network Firewall | Network Deny |