V 2.0 General GlobalProtect Messages 1

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

Log Field	LogRhythm Default	LogRhythm Default v2.0
N/A	N/A	<vmid>
N/A	<severity>	<severity>
N/A	<sip>	<sip>
N/A	<sname>	N/A
N/A	<dip>	N/A
N/A	N/A	<dname>
N/A	<login>	<login>
N/A	<domainorigin>	N/A
N/A	<object>	N/A
N/A	N/A	<vendorinfo>
N/A	<subject>	<subject>
N/A	<version>	N/A
N/A	<reason>	<reason>
N/A	<tag1>	<tag1>
N/A	<tag5>	N/A

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex ID	Rule Name	Rule Type	Common Events	Classifications
1001606	SSL VPN & GlobalProtect Events	Base Rule	General Audit Message	Other Audit
	GlobalProtect : Gateway Config Success	Sub Rule	Configuration Successful	Information
	GlobalProtect : Client SSL Tunnel Success	Sub Rule	Object Created	Access Success
	GlobalProtect : Client Config Generated	Sub Rule	Object Created	Access Success
	GlobalProtect : Gateway Regist Failure	Sub Rule	Registration Failure	Error
	SSL VPN User Authentication Succeeded	Sub Rule	User Logon	Authentication Success
	SSL VPN User Login Succeeded	Sub Rule	User Logon	Authentication Success
	GlobalProtect : User Authentication Success	Sub Rule	User Logon	Authentication Success
	GlobalProtect : Gateway User Login	Sub Rule	User Logon	Authentication Success
	GlobalProtect : Gateway User Auth Success	Sub Rule	User Logon	Authentication Success
	SSL VPN User Logout Succeeded	Sub Rule	User Logoff	Authentication Success
	GlobalProtect : Gateway Client Config Released	Sub Rule	User Logoff	Authentication Success
	GlobalProtect : User Logout	Sub Rule	User Logoff	Authentication Success
	GlobalProtectportal-Auth-Fail	Sub Rule	User Logon Failure	Authentication Failure
	GlobalProtectGateway-Auth-Fail	Sub Rule	User Logon Failure	Authentication Failure
	SSL VPN Client Switch To SSL Tunnel Succeeded	Sub Rule	Trust Relationship Established	Access Granted
	SSL VPN Client Configuration Generated	Sub Rule	Configuration Loaded : System	Configuration
	GlobalProtect : Gateway Config Failure	Sub Rule	Configuration Failure	Critical
	SSL VPN Client Configuration Released	Sub Rule	End Configuration	Information

LogRhythm Default v2.0

Regex ID	Rule Name	Rule Type	Common Events	Classifications
1010870	V 2.0 General GlobalProtect Messages	Base Rule	General VPN Information	Other Operations
	V 2.0 GlobalProtect Gateway : Remote Logon Failure	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 GlobalProtect Portal : Remote Logon Failure	Sub Rule	User Logon Failure	Authentication Failure
	V 2.0 GlobalProtect Gateway : Remote Logon Success	Sub Rule	User Logon	Authentication Success
	V 2.0 GlobalProtect Portal : Remote Logon Success	Sub Rule	User Logon	Authentication Success