Classification

Rule Name | Rule Type | Common Event | Classification
Catch All : ESENT Messages | Base Rule | Database Information | Information
VMID 102 : Database Engine Starting New Instance | Sub Rule | General ESENT Information | Information
VMID 103 : Database Engine Stopped An Instance | Sub Rule | General ESENT Information | Information
VMID 104 : Application Log Cleared | Sub Rule | Log Cleared | Access Success
VMID 105 : Database Engine Started New Instance | Sub Rule | General ESENT Information | Information
VMID 326 : Database Engine Attached A Database | Sub Rule | General ESENT Information | Information
VMID 327 : Database Engine Attached A Database | Sub Rule | General ESENT Information | Information
VMID 412 : DNS Bound High Number of IPs | Sub Rule | General DNS Error | Error
VMID 413 : Cannot Create New Log File | Sub Rule | Failed Audit Log Write | Other Audit Failure
VMID 428 : Failed To Update Database | Sub Rule | Update Failed | Error
VMID 454 : Multiple Mac Addresses Detected | Sub Rule | MAC Address Addition Failed | Error
VMID 455 : Failed To Open File | Sub Rule | Failed To Open File | Error
VMID 471 : Unable To Execute Rollback Operation | Sub Rule | Failed Rollback Command | Error
VMID 482 : Failed To Write Into File | Sub Rule | File Write Failure | Error
VMID 486 : File Move Failure | Sub Rule | Move Object Failure | Access Failure
VMID 492 : Logging Stopped | Sub Rule | Failed Audit Log Write | Other Audit Failure
VMID 507 : Abnormally Long Access Time - HW Error | Sub Rule | Hardware Problem | Warning
VMID 508 : Abnormally Long Access Time - HW Error | Sub Rule | Hardware Problem | Warning

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='ESENT'/><EventID Qualifiers='0'>326</EventID><Level>Information</Level><Task>General</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-11-07T20:05:21.000000000Z'/><EventRecordID>536096</EventRecordID><Channel>Application</Channel><Computer>_destinationhostname</Computer><Security/></System><EventData><Data>svchost</Data><Data>18960</Data><Data>Instance: </Data><Data>1</Data><Data>C:\ProgramData\Microsoft\Windows\AppRepository\PackageRepository.edb</Data><Data>0</Data><Data>[1] 0.000, [2] 0.031, [3] 0.000, [4] 0.016, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000.</Data><Data>1 0</Data></EventData></Event>

Mapping with LogRhythm Schema

Device Key in log message | Log Value | LogRhythm Schema | Data Type
Provider Name | ESENT | <vendorinfo> | Text/String
EventID Qualifiers | 326 | <vmid> | Number
Level | Information | <severity> | Text/String
N/A | svchost | <process> | Text/String
Computer | _destinationhostname | <dname> | Text/String
N/A | 18960 | <processid> | Number/Text/String
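As an added example (not LogRhythm's own parser), the Python below applies the mapping table to the sample event: it pulls the four mapped System fields and the two positional Data values into the schema field names, and resolves the VMID to the Common Event and Classification from the rule table, falling through to the Catch All base rule for any other ESENT event ID. The sample event is an abridged, constructed copy of the one shown above, and the assumption that process name and PID always occupy the first two Data positions is taken from that single sample.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Abridged copy of the page's sample ESENT event (constructed test input; timing Data omitted).
SAMPLE_EVENT = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Provider Name='ESENT'/><EventID Qualifiers='0'>326</EventID><Level>Information</Level>
<Task>General</Task><Channel>Application</Channel><Computer>_destinationhostname</Computer><Security/></System>
<EventData><Data>svchost</Data><Data>18960</Data><Data>Instance: </Data><Data>1</Data>
<Data>C:\ProgramData\Microsoft\Windows\AppRepository\PackageRepository.edb</Data></EventData></Event>"""

# VMID -> (Common Event, Classification) transcribed from the rule table; others hit Catch All.
SUB_RULES = {
    102: ("General ESENT Information", "Information"),
    103: ("General ESENT Information", "Information"),
    104: ("Log Cleared", "Access Success"),
    105: ("General ESENT Information", "Information"),
    326: ("General ESENT Information", "Information"),
    327: ("General ESENT Information", "Information"),
    412: ("General DNS Error", "Error"),
    413: ("Failed Audit Log Write", "Other Audit Failure"),
    428: ("Update Failed", "Error"),
    454: ("MAC Address Addition Failed", "Error"),
    455: ("Failed To Open File", "Error"),
    471: ("Failed Rollback Command", "Error"),
    482: ("File Write Failure", "Error"),
    486: ("Move Object Failure", "Access Failure"),
    492: ("Failed Audit Log Write", "Other Audit Failure"),
    507: ("Hardware Problem", "Warning"),
    508: ("Hardware Problem", "Warning"),
}
CATCH_ALL = ("Database Information", "Information")

def map_esent_event(xml_text):
    # Returns the mapped schema fields plus the rule the VMID resolves to.
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    # Positional <Data> values: the sample shows the process name first, the PID second (assumption).
    data = [d.text or "" for d in root.find("e:EventData", NS).findall("e:Data", NS)]
    vmid = int(system.find("e:EventID", NS).text)
    common_event, classification = SUB_RULES.get(vmid, CATCH_ALL)
    return {
        "vendorinfo": system.find("e:Provider", NS).get("Name"),
        "vmid": vmid,
        "severity": system.find("e:Level", NS).text,
        "process": data[0] if data else None,
        "dname": system.find("e:Computer", NS).text,
        "processid": data[1] if len(data) > 1 else None,
        "common_event": common_event,
        "classification": classification,
    }
```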