Classification

Rule Name | Rule Type | Common Event | Classification
Catch All : Application Messages | Base Rule | General Application Information | Information
EVID 1000 : Application Error | Sub Rule | General Application Error | Error

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Application Error'/><EventID Qualifiers='0'>1000</EventID><Level>Error</Level><Task>Application Crashing Events</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-11-19T03:52:00.000000000Z'/><EventRecordID>716411</EventRecordID><Channel>Application</Channel><Computer>_destinationHostname</Computer><Security/></System><EventData><Data>scsm.exe</Data><Data>5.5.5.5</Data><Data>54860c92</Data><Data>KERNELBASE.dll</Data><Data>5.5.5.5</Data><Data>5708a89c</Data><Data>e0434352</Data><Data>000000000001a06d</Data><Data>204c</Data><Data>01d2421820567d41</Data><Data>C:\Program Files\LogRhythm\LogRhythm System Monitor\scsm.exe</Data><Data>C:\Windows\system32\KERNELBASE.dll</Data><Data>85a21e3f-ae0b-11e6-ac44-14feb5da00c2</Data></EventData></Event>

Mapping with LogRhythm Schema

Device Key in log message | Log Value | LogRhythm Schema | Data Type
Provider Name | Application Error | <vendorinfo> | Text/string
EventID | 1000 | <vmid> | Number
Level | Error | <severity> | Text/string
Computer | _destinationHostname | <dname> | Text/string
EventData (first Data element) | scsm.exe | <object> | Text/string
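The mapping in the table above, carried out on the sample event as an added example (written for this page, not LogRhythm's own MPE rule code). It reads the event XML with the standard library, checks that the record really is Provider "Application Error" / EventID 1000 before mapping, and fills the five schema fields from the table; the two extra fields at the end assume the standard EventData layout of Event ID 1000 (faulting module at index 3, exception code at index 6), which the page's sample follows but does not map.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (matches the sample log above).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sample event from this page, embedded inline so the example runs offline.
# The hostname placeholder is kept exactly as it appears on the page.
SAMPLE_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Application Error'/>"
    "<EventID Qualifiers='0'>1000</EventID><Level>Error</Level>"
    "<Task>Application Crashing Events</Task><Keywords>Classic</Keywords>"
    "<TimeCreated SystemTime='2016-11-19T03:52:00.000000000Z'/>"
    "<EventRecordID>716411</EventRecordID><Channel>Application</Channel>"
    "<Computer>_destinationHostname</Computer><Security/></System>"
    "<EventData><Data>scsm.exe</Data><Data>5.5.5.5</Data><Data>54860c92</Data>"
    "<Data>KERNELBASE.dll</Data><Data>5.5.5.5</Data><Data>5708a89c</Data>"
    "<Data>e0434352</Data><Data>000000000001a06d</Data><Data>204c</Data>"
    "<Data>01d2421820567d41</Data>"
    "<Data>C:\\Program Files\\LogRhythm\\LogRhythm System Monitor\\scsm.exe</Data>"
    "<Data>C:\\Windows\\system32\\KERNELBASE.dll</Data>"
    "<Data>85a21e3f-ae0b-11e6-ac44-14feb5da00c2</Data></EventData></Event>"
)

def map_event_1000(xml_text: str) -> dict:
    """Map one Application Error / EVID 1000 record to the LogRhythm schema
    fields in the table above. Raises ValueError for any other record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None:
        raise ValueError("not a Windows event record: <System> missing")
    provider = system.find("e:Provider", NS)
    event_id = system.findtext("e:EventID", default="", namespaces=NS)
    if provider is None or provider.get("Name") != "Application Error" or event_id != "1000":
        raise ValueError("record is not Application Error / EVID 1000")
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    if len(data) < 7:
        raise ValueError("EventData too short for an Event ID 1000 record")
    return {
        "vendorinfo": provider.get("Name"),                                    # Provider Name
        "vmid": int(event_id),                                                 # EventID
        "severity": system.findtext("e:Level", default="", namespaces=NS),     # Level
        "dname": system.findtext("e:Computer", default="", namespaces=NS),     # Computer
        "object": data[0],                                                     # first EventData/Data
        # Not in the page's table: assumed from the standard Event ID 1000 layout.
        "faulting_module": data[3],
        "exception_code": data[6],
    }

if __name__ == "__main__":
    print(map_event_1000(SAMPLE_EVENT))
```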