V 2.0 Catch-all - System Messages 1
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 |
---|---|---|
N/A | N/A | <vmid> |
N/A | <severity> | <severity> |
N/A | N/A | <vendorinfo> |
N/A | <tag1> | N/A |
N/A | <subject> | <subject> |
N/A | <sip> | N/A |
N/A | <sname> | N/A |
N/A | <dip> | N/A |
N/A | <login> | N/A |
N/A | <domainorigin> | N/A |
N/A | <object> | N/A |
N/A | <version> | N/A |
N/A | <reason> | N/A |
N/A | <tag5> | N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Events | Classifications |
|---|---|---|---|---|
| 1001606 | SSL VPN & GlobalProtect Events | Base Rule | General Audit Message | Other Audit |
| | SSL VPN Client Configuration Released | Sub Rule | End Configuration | Information |
| | GlobalProtect : Gateway Config Success | Sub Rule | Configuration Successful | Information |
| | GlobalProtect : Client SSL Tunnel Success | Sub Rule | Object Created | Access Success |
| | GlobalProtect : Client Config Generated | Sub Rule | Object Created | Access Success |
| | GlobalProtect : Gateway Regist Failure | Sub Rule | Registration Failure | Error |
| | SSL VPN User Authentication Succeeded | Sub Rule | User Logon | Authentication Success |
| | SSL VPN User Login Succeeded | Sub Rule | User Logon | Authentication Success |
| | GlobalProtect : User Authentication Success | Sub Rule | User Logon | Authentication Success |
| | GlobalProtect : Gateway User Login | Sub Rule | User Logon | Authentication Success |
| | GlobalProtect : Gateway User Auth Success | Sub Rule | User Logon | Authentication Success |
| | SSL VPN User Logout Succeeded | Sub Rule | User Logoff | Authentication Success |
| | GlobalProtect : Gateway Client Config Released | Sub Rule | User Logoff | Authentication Success |
| | GlobalProtect : User Logout | Sub Rule | User Logoff | Authentication Success |
| | GlobalProtectportal-Auth-Fail | Sub Rule | User Logon Failure | Authentication Failure |
| | GlobalProtectGateway-Auth-Fail | Sub Rule | User Logon Failure | Authentication Failure |
| | SSL VPN Client Switch To SSL Tunnel Succeeded | Sub Rule | Trust Relationship Established | Access Granted |
| | SSL VPN Client Configuration Generated | Sub Rule | Configuration Loaded : System | Configuration |
| | GlobalProtect : Gateway Config Failure | Sub Rule | Configuration Failure | Critical |
| | License Install Succeeded | Sub Rule | License Installed | Information |
| | Succeeded Exporting Config Bundle Via SSH | Sub Rule | Configuration Exporting | Other Audit Success |
| | Traffic And Logging Resumed | Sub Rule | General Traffic Other Alert | Critical |
| | Abnormal System Memory Usage | Sub Rule | Memory Usage Exceeded The Threshold | Warning |
| | Traffic And Logging Are Resumed | Sub Rule | General Traffic Other Alert | Critical |
| | Route Removed | Sub Rule | Static Route Removed | Information |
| | Route Recovered | Sub Rule | Route Created | Information |
LogRhythm Default v2.0
Regex ID | Rule Name | Rule Type | Common Events | Classifications |
---|---|---|---|---|
1010895 | V 2.0 Catch-all : System Messages | Base Rule | General System Message | Information |