Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Catch All : Level 3 | Base Rule | General Information | Information |
| General Warning Message | Sub Rule | General Warning | Warning |
| General Critical Message | Sub Rule | General Critical | Critical |
| General Error Message | Sub Rule | General Error | Error |
| General Informational Message | Sub Rule | General Information | Information |
| EVID 0: Agent Isn't Reconnecting | Sub Rule | General .NET Runtime Error | Error |
| EVID 0: Component Not Installed Or Corrupted | Sub Rule | General Software Installation Error | Error |
| Evid 0 : General Warning | Sub Rule | General Warning | Warning |
| EVID 3 : WebHost Failed To Process Request | Sub Rule | Process Request Failed | Error |
| EVID 6: Citrix Service Cannot Be Started | Sub Rule | Service Start Failure | Error |
| EVID 10: Events Cannot Be Delivered | Sub Rule | General FILTER Error | Error |
| EVID 11 : VSS Writer Error Notification | Sub Rule | General VSS Error | Error |
| EVID 20 : Oracle Instance Notification | Sub Rule | General Error Information | Error |
| EVID 33: Activation Context Generation Failed | Sub Rule | Activation Failed | Error |
| EVID 33 : Port Connection Error | Sub Rule | Port Not Listening | Error |
| EVID 63 : WMI Privileged Provider Registered | Sub Rule | General Wmi Warning | Warning |
| EVID 64 : Certificate Expired Or About To Expire | Sub Rule | Certificate Expired | Warning |
| EVID 64 : Certificate Enrollment Failed | Sub Rule | Client Rejected Certificate | Warning |
| EVID 65 : Could Not Publish AD CS Revocation List | Sub Rule | Certificate Revocation List Adding Failure | Error |
| EVID 257: Volume Not Defragmented | Sub Rule | General O&O Defrag Error | Error |
| EVID 258 : Windows Defrag Activity | Sub Rule | General O&O Defrag Information | Information |
| EVID 400 : Terminal Services Gateway Message | Sub Rule | Content Services Gateway Notification | Warning |
| EVID 510 : Folder Redirection Policy Notification | Sub Rule | General Folder Redirection Warning | Warning |
| EVID 510 : ESENT Performance Notification | Sub Rule | Windows Warning Event | Warning |
| EVID 781 : COM+ Activity | Sub Rule | General COM+ Information | Information |
| EVID 900 : Office SPPS Starting | Sub Rule | MS Platform Service Activated Or Deactivated | Information |
| EVID 900 : SPP Service Starting | Sub Rule | Software Protection Service Started | Information |
| EVID 902 : SPP Service Has Started | Sub Rule | Software Protection Service Started | Information |
| EVID 902 : Office SPPS Started | Sub Rule | MS Platform Service Activated Or Deactivated | Information |
| EVID 903 : Software Protection Platform Service | Sub Rule | MS Platform Service Activated Or Deactivated | Information |
| EVID 903 : Office SPPS Stopped | Sub Rule | MS Platform Service Activated Or Deactivated | Information |
| EVID 1000 : Application Error Message | Sub Rule | General Application Error | Error |
| EVID 1000 : Auto Upgrade Not Supported | Sub Rule | Upgrade Canceled | Warning |
| EVID 1000 : Windows Performance Monitor | Sub Rule | General Perfmon Information | Information |
| EVID 1000 : Windows Interactive Services | Sub Rule | MS Windows Interactive Login | Other Audit |
| EVID 1001: Security Policy Cannot Be Propagated | Sub Rule | General POLICY Error | Error |
| EVID 1001 : Windows Performance Monitor | Sub Rule | General Perfmon Information | Information |
| EVID 1001 : Windows Error Reporting | Sub Rule | General Application Error Information | Information |
| EVID 1003 : Office SPPS Completed Licensing Check | Sub Rule | License Valid | Information |
| EVID 1003 : SPP Completed Licensing Check | Sub Rule | License Valid | Information |
| EVID 1008 : Performance Data Access Denied | Sub Rule | Access Object Failure | Access Failure |
| EVID 1013 : MsiInstaller Information | Sub Rule | General MsiInstaller Information | Information |
| EVID 1013 : MsiInstaller Error Notification | Sub Rule | General MsiInstaller Error | Error |
| EVID 1015 : Failed To Connect Server | Sub Rule | Windows Installer Failed to Connect to Server | Warning |
| EVID 1015 : MsiInstaller Information | Sub Rule | General MsiInstaller Warning | Warning |
| EVID 1020: Error Processing Registry Parameters | Sub Rule | Invalid Registry Value | Error |
| EVID 1023 : Cannot Load Extensible Counter DLL | Sub Rule | Failed To Load Module | Error |
| EVID 1026 : Process Error - Unhandled Exception | Sub Rule | Unhandled Exception | Error |
| EVID 1033 : Office SPPS Startup Or Shutdown | Sub Rule | MS Platform Service Activated Or Deactivated | Information |
| EVID 1033 : SPP Policies Excluded | Sub Rule | Policy Disabled : System | Policy |
| EVID 1034 : SPP Duplicate Policy Found | Sub Rule | General Policy | Other Audit |
| EVID 1066 : SPPS Startup Or Shutdown | Sub Rule | MS Platform Service Activated Or Deactivated | Information |
| EVID 1101 : Service Failed - No VDA Available | Sub Rule | Service Broker Message Undeliverable | Warning |
| EVID 1101: Failed To Compile Service | Sub Rule | General .NET Runtime Optimization Svc Error | Error |
| EVID 1103 : Printer Access Failure | Sub Rule | Printer Stalled | Warning |
| EVID 1104 : Printer Auto-creation Failed | Sub Rule | Printer Not Ready | Warning |
| EVID 1106 : Printer Auto-creation Failed | Sub Rule | Printer Not Ready | Warning |
| EVID 1110: Service Stopped | Sub Rule | General .NET Runtime Optimization Svc Error | Error |
| EVID 1116: Error During Printer Autocreation | Sub Rule | Printer Not Ready | Warning |
| EVID 1202 : User Account Not Resolvable To SID | Sub Rule | Computer Logon Failure | Authentication Failure |
| EVID 1309 : ASP.NET Request Timed Out | Sub Rule | Operation Timed Out | Warning |
| EVID 1505 : Cannot Load User Profile | Sub Rule | Authorization Profiles Not Found | Error |
| EVID 1511 : User Logged On Using Temporary Profile | Sub Rule | Authorization Profiles Not Found | Error |
| EVID 1515 : User Logged On Using Temporary Profile | Sub Rule | Authorization Profiles Not Found | Error |
| EVID 1530 : Registry File Still In Use - Unloading | Sub Rule | Registry File Currently In Use By Another App | Warning |
| EVID 1542 : Cannot Load Classes Registry File | Sub Rule | File Not Found | Error |
| EVID 1704 : GPO Information | Sub Rule | Group Policy Retrieved | Other Audit Success |
| EVID 2004 : Cannot Open Server Service Perf Object | Sub Rule | Access Object Failure | Access Failure |
| EVID 2017 : PerfOS Event Notification | Sub Rule | General PerfOS Warning | Warning |
| EVID 2019: SNMP Agent Initialized Incorrectly | Sub Rule | SNMP Initialization Failed | Error |
| EVID 3001 : Windows Performance Monitor | Sub Rule | General Perfmon Information | Information |
| EVID 3005: Seek To End Of Log Failed | Sub Rule | Error Detecting End Of Line | Error |
| EVID 4005: Windows Logon Process Terminated | Sub Rule | General Winlogon Error | Error |
| EVID 4018 : DX Spooling | Sub Rule | General SpoolerCtrs Warning | Warning |
| EVID 4098 : Service Does Not Exist | Sub Rule | Process Does Not Exist | Information |
| EVID 4101 : WinLogon - Windows License Validated | Sub Rule | General Winlogon Information | Information |
| EVID 4103 : Object Access Failure | Sub Rule | Access Object Failure | Access Failure |
| EVID 4156 : MSDTC Information | Sub Rule | General MSDTC Information | Information |
| EVID 4404: Tracing System Initialization Failed | Sub Rule | The Trace Was Unable To Initialize | Error |
| EVID 4407: Tracing System Initialization Failed | Sub Rule | The Trace Was Unable To Initialize | Error |
| EVID 4609 : COM+ Bad Return Code | Sub Rule | General COM+ Error | Error |
| EVID 5017 : LR Agent Connection Forcibly Closed | Sub Rule | Connection Closed | Network Traffic |
| EVID 5121 : OCSP Responder Service Stopped | Sub Rule | OCSP Response Error | Error |
| EVID 5605 : Wmi Notification | Sub Rule | General Wmi Warning | Warning |
| EVID 6000 : Winlogon Unavailable | Sub Rule | General Winlogon Warning | Warning |
| EVID 6003 : Winlogon Unavailable - Critical Event | Sub Rule | General Winlogon Error | Error |
| EVID 6004 : Subscriber Failure Notification | Sub Rule | General Winlogon Warning | Warning |
| EVID 6005 : Subscriber Notification | Sub Rule | General Winlogon Warning | Warning |
| EVID 6006 : Subscriber Notification | Sub Rule | General Winlogon Warning | Warning |
| EVID 8001: LR Agent Unable To Resolve Virtual Host | Sub Rule | Unable To Resolve Dynamic Address Object | Information |
| EVID 8194: User Policy Cannot Be Removed | Sub Rule | Policy Cannot Be Removed | Error |
| EVID 8194: Policy Cannot Be Removed | Sub Rule | Policy Cannot Be Removed | Error |
| EVID 8197 : SLUI.exe Launched With Parameters | Sub Rule | Process/Service Started | Startup and Shutdown |
| EVID 8200: License Acquisition Failure Details | Sub Rule | License Error | Error |
| EVID 8208: Acquisition Of Ticket Failed | Sub Rule | Failed To Acquire Credentials | Error |
| EVID 8211: Windows License Update Failed | Sub Rule | License Update Failed | Error |
| EVID 8230 : VSS Warning Message | Sub Rule | General VSS Warning | Warning |
| EVID 8230 : SPP Schedule Information | Sub Rule | General Schedule Information | Information |
| EVID 9002 : DWM Unable To Start | Sub Rule | Desktop Window Manager Unable To Start | Error |
| EVID 9003 : DWM Unable To Start | Sub Rule | Desktop Window Manager Unable To Start | Error |
| EVID 9009 : DWM Has Exited | Sub Rule | Desktop Manager Exited | Information |
| EVID 10000 : WSUS Information | Sub Rule | General WSUSService Information | Information |
| EVID 10000 : Windows Restart Manager | Sub Rule | Session State Changed | Other Audit |
| EVID 10001 : Windows Restart Manager | Sub Rule | Session State Changed | Other Audit |
| EVID 10109: LR Agent Acceptance Error Received | Sub Rule | Connection Rejected | Information |
| EVID 12288 : Windows Activation VKM Information | Sub Rule | General Windows Product Activation Information | Information |
| EVID 12288 : Volume Shadow Copy Error | Sub Rule | General VSS Error | Error |
| EVID 12289 : VSS Error Notification | Sub Rule | General VSS Error | Error |
| EVID 12289 : Windows Activation VKM Warning | Sub Rule | License Approaching Limit | Error |
| EVID 12289 : Office Activation Response | Sub Rule | General Windows Product Activation Information | Information |
| EVID 12293: DNS Signature Failed To Verify | Sub Rule | General DNS Error | Error |
| EVID 12294 : SPP Information | Sub Rule | MS Platform Service Activated Or Deactivated | Information |
| EVID 16384 : Office Licensing Status Check | Sub Rule | General Windows Product Activation Information | Information |
| EVID 16384 : SPP Scheduled For Restart | Sub Rule | Scheduled Task Created | Information |
| EVID 16385: Failed To Schedule SPP Service | Sub Rule | General Schedule Error | Error |

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='.NET Runtime'/><EventID Qualifiers='0'>1026</EventID><Level>Error</Level><Task>None</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-11-08T05:21:30.000000000Z'/><EventRecordID>712872</EventRecordID><Channel>Application</Channel><Computer>_destinationHostname</Computer><Security/></System><EventData><Data>Application: scsm.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Runtime.InteropServices.COMException
Stack:
at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32, IntPtr)
at uk.h()
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
at System.Threading.ThreadHelper.ThreadStart(System.Object)
</Data></EventData></Event>

Mapping with LogRhythm Schema

| Device Key in Log Message | Log Value | LogRhythm Schema | Data Type |
|---|---|---|---|
| N/A | .NET Runtime | <process> | Text/String |
| Provider name | .NET Runtime | <vendorinfo> | Text/String |
| Eventid | 1026 | <vmid> | Number |
| Level | Error | <severity> | Text/String |
| Computer | _destinationHostname | <dname> | Text/String |
| processid | N/A | <processid> | Number |
| threadid | N/A | <session> | Number |
| userid | N/A | <domain> | Text/String |
| N/A | N/A | <login> | Text/String |
| IP | N/A | <sip> | Number |
| N/A | N/A | <object> | Text/String |
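The following is an added example, not LogRhythm's own parser or anything from this knowledge base page. It parses the sample Application event above, fills the schema fields exactly as the mapping table assigns them (Provider Name into <process> and <vendorinfo>, EventID into <vmid>, Level into <severity>, Computer into <dname>, with N/A fields left empty), and then picks a rule row: one sub rule from the table (EVID 1026, Unhandled Exception) and, when no sub rule matches, the level-based General Warning/Error/Critical/Informational rows under the Catch All base rule. The substring used to recognise the EVID 1026 message is an assumption taken from the sample text, not a published LogRhythm match pattern, and the rule lookup is deliberately reduced to a few rows to show the base-rule/sub-rule fallback.

```python
"""Map a Windows Application EVTX event onto the LogRhythm schema fields
from the table above and select a rule row (added example, not LogRhythm code)."""
import xml.etree.ElementTree as ET
from typing import Optional

# Windows event XML namespace, as used in the sample log on this page.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the EVID 1026 event from the "Sample Logs" section,
# with the stack trace shortened.
SAMPLE_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='.NET Runtime'/><EventID Qualifiers='0'>1026</EventID>"
    "<Level>Error</Level><Task>None</Task><Keywords>Classic</Keywords>"
    "<TimeCreated SystemTime='2016-11-08T05:21:30.000000000Z'/>"
    "<EventRecordID>712872</EventRecordID><Channel>Application</Channel>"
    "<Computer>_destinationHostname</Computer><Security/></System>"
    "<EventData><Data>Application: scsm.exe\n"
    "Framework Version: v4.0.30319\n"
    "Description: The process was terminated due to an unhandled exception.\n"
    "Exception Info: System.Runtime.InteropServices.COMException\n"
    "</Data></EventData></Event>"
)

# Sub rules reduced to one row from the classification table:
# (EVID, substring assumed to identify the message, rule name, common event, classification).
SUB_RULES = [
    (1026, "unhandled exception",
     "EVID 1026 : Process Error - Unhandled Exception", "Unhandled Exception", "Error"),
]

# Level-based rows that sit under the "Catch All : Level 3" base rule.
LEVEL_RULES = {
    "Critical": ("General Critical Message", "General Critical", "Critical"),
    "Error": ("General Error Message", "General Error", "Error"),
    "Warning": ("General Warning Message", "General Warning", "Warning"),
    "Information": ("General Informational Message", "General Information", "Information"),
}
CATCH_ALL = ("Catch All : Level 3", "General Information", "Information")


def _text(parent: ET.Element, path: str) -> Optional[str]:
    node = parent.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def _int_attr(node: Optional[ET.Element], name: str) -> Optional[int]:
    value = node.get(name) if node is not None else None
    return int(value) if value and value.isdigit() else None


def map_to_schema(xml_text: str) -> dict:
    """Return the schema fields from the mapping table; N/A values become None."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS)
    execution = system.find("e:Execution", NS)   # absent in the sample, so None
    security = system.find("e:Security", NS)
    provider_name = provider.get("Name") if provider is not None else None
    event_id = _text(system, "e:EventID")
    return {
        "process": provider_name,        # table maps <process> to the provider name
        "vendorinfo": provider_name,
        "vmid": int(event_id) if event_id and event_id.isdigit() else None,
        "severity": _text(system, "e:Level"),
        "dname": _text(system, "e:Computer"),
        "processid": _int_attr(execution, "ProcessID"),
        "session": _int_attr(execution, "ThreadID"),
        "domain": security.get("UserID") if security is not None else None,
        "login": None,                   # N/A in the mapping table
        "sip": None,                     # no IP in this event
        "object": None,
    }


def event_data_text(xml_text: str) -> str:
    """Concatenate all <Data> elements so sub rules can match on message text."""
    root = ET.fromstring(xml_text)
    return "\n".join((d.text or "") for d in root.iterfind("e:EventData/e:Data", NS))


def classify_event(xml_text: str) -> dict:
    """Pick the first matching sub rule, else fall back to the level-based rows."""
    fields = map_to_schema(xml_text)
    message = event_data_text(xml_text).lower()
    for evid, needle, rule, common_event, classification in SUB_RULES:
        if fields["vmid"] == evid and needle in message:
            return {"rule_name": rule, "common_event": common_event,
                    "classification": classification, "fields": fields}
    rule, common_event, classification = LEVEL_RULES.get(fields["severity"] or "", CATCH_ALL)
    return {"rule_name": rule, "common_event": common_event,
            "classification": classification, "fields": fields}


if __name__ == "__main__":
    result = classify_event(SAMPLE_EVENT)
    print(result["rule_name"], "->", result["common_event"], "/", result["classification"])
    for key, value in result["fields"].items():
        print(f"  <{key}> = {value!r}")
```

Running the module prints the EVID 1026 rule with its common event and classification, followed by each schema field; an event whose EVID and text match no sub rule drops to the General Error/Warning/Informational row for its Level, and an unknown Level lands on the Catch All base rule.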