Classification

Rule Name                        Rule Type   Common Event        Classification
EVID 1000 : Application Fault    Base Rule   Application Error   Error

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Application Error'/><EventID Qualifiers='0'>1000</EventID><Level>Error</Level><Task>Application Crashing Events</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-11-08T16:31:14.000000000Z'/><EventRecordID>713139</EventRecordID><Channel>Application</Channel><Computer>_destinationhostname</Computer><Security/></System><EventData><Data>scsm.exe</Data><Data>6.3.3.8001</Data><Data>54860c92</Data><Data>KERNELBASE.dll</Data><Data>6.1.7601.23418</Data><Data>5708a89c</Data><Data>e0434352</Data><Data>000000000001a06d</Data><Data>249c</Data><Data>01d239dd11339a7a</Data><Data>C:\Program Files\LogRhythm\LogRhythm System Monitor\scsm.exe</Data><Data>C:\Windows\system32\KERNELBASE.dll</Data><Data>c3a13c28-a5d0-11e6-ac44-14feb5da00c2</Data></EventData></Event>

Mapping with LogRhythm Schema

Device Key in Log Message   Log Value               LogRhythm Schema   Data Type
Provider Name               Application Error       <venderinfo>       Text/String
EventID Qualifiers          1000                    <vmid>             Number
Level                       Error                   <severity>         Text/String
N/A                         scsm.exe                <process>          Text/String
Computer                    _destinationhostname    <dname>            Text/String
N/A                         6.3.3.8001              <version>          Number/Text/String
N/A                         KERNELBASE.dll          <object>           Text/String
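The following is an added example, not LogRhythm's own parsing code: it applies the base rule's filter (provider "Application Error" and EventID 1000) and the mapping table above to the page's sample log. It assumes the "N/A" rows are positional EventData entries, with <Data> index 0, 1 and 3 holding the faulting application, its version and the faulting module, which is how the sample's values line up with the table; the EventID 1001 event is a constructed non-matching record.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sample log copied from the page; the Computer value is the page's own placeholder.
SAMPLE_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
    "<Provider Name='Application Error'/><EventID Qualifiers='0'>1000</EventID>"
    "<Level>Error</Level><Task>Application Crashing Events</Task><Keywords>Classic</Keywords>"
    "<TimeCreated SystemTime='2016-11-08T16:31:14.000000000Z'/><EventRecordID>713139</EventRecordID>"
    "<Channel>Application</Channel><Computer>_destinationhostname</Computer><Security/></System>"
    "<EventData><Data>scsm.exe</Data><Data>6.3.3.8001</Data><Data>54860c92</Data>"
    "<Data>KERNELBASE.dll</Data><Data>6.1.7601.23418</Data><Data>5708a89c</Data><Data>e0434352</Data>"
    "<Data>000000000001a06d</Data><Data>249c</Data><Data>01d239dd11339a7a</Data>"
    "<Data>C:\\Program Files\\LogRhythm\\LogRhythm System Monitor\\scsm.exe</Data>"
    "<Data>C:\\Windows\\system32\\KERNELBASE.dll</Data>"
    "<Data>c3a13c28-a5d0-11e6-ac44-14feb5da00c2</Data></EventData></Event>"
)

# Constructed, non-matching event (EventID 1001) to exercise the base rule's filter.
OTHER_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
    "<Provider Name='Windows Error Reporting'/><EventID Qualifiers='0'>1001</EventID>"
    "<Level>Information</Level><Computer>_destinationhostname</Computer></System>"
    "<EventData><Data>0</Data></EventData></Event>"
)

# Application Error 1000 carries positional <Data> elements; the page's mapping
# table uses index 0 (faulting application), 1 (its version) and 3 (faulting module).
MAPPED_DATA_INDEXES = {"process": 0, "version": 1, "object": 3}


def parse_evid_1000(xml_text):
    """Return the mapped LogRhythm fields for an Application Error 1000 event,
    or None when the event does not satisfy the base rule (provider and EventID)."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS).get("Name")
    event_id = int(system.find("e:EventID", NS).text)
    if provider != "Application Error" or event_id != 1000:
        return None
    data = [d.text for d in root.findall("e:EventData/e:Data", NS)]
    if len(data) <= max(MAPPED_DATA_INDEXES.values()):
        raise ValueError("EventData shorter than the Application Error 1000 layout")
    fields = {"venderinfo": provider, "vmid": event_id,
              "severity": system.find("e:Level", NS).text,
              "dname": system.find("e:Computer", NS).text}
    for name, index in MAPPED_DATA_INDEXES.items():
        fields[name] = data[index]
    return fields
```

Calling parse_evid_1000(SAMPLE_EVENT) returns a dict keyed by the schema names in the table (venderinfo, vmid, severity, process, dname, version, object); a short EventData raises instead of silently mapping the wrong field.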