Classification

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| EVID 1002 : Application Hang | Base Rule | General Application Hang Error | Error |

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Application Hang'/>
    <EventID Qualifiers='0'>1002</EventID>
    <Level>Error</Level>
    <Task></Task>
    <Keywords>Classic</Keywords>
    <TimeCreated SystemTime='2016-11-15T19:36:01.000000000Z'/>
    <EventRecordID>38130</EventRecordID>
    <Channel>Application</Channel>
    <Computer>_destinationhostname</Computer>
    <Security/>
  </System>
  <EventData>
    <Data>lrconsole.exe</Data>
    <Data>7.1.8.8003</Data>
    <Data>4b24</Data>
    <Data>01d23f7762eb92cc</Data>
    <Data>5</Data>
    <Data>C:\Program Files\LogRhythm\LogRhythm Console 7.1.8\lrconsole.exe</Data>
    <Data>bbd0308a-ab6a-11e6-ad2a-185e0f30b01e</Data>
    <Binary>55006E006B006E006F0077006E0000000000</Binary>
  </EventData>
</Event>

Mapping with LogRhythm Schema

| Device Key in Log Message | Log Value | LogRhythm Schema | Data Type |
| --- | --- | --- | --- |
| Provider Name | Application Hang | <vendorinfo> | Text/String |
| EventID Qualifiers | 1002 | <vmid> | Number |
| Level | Error | <severity> | Text/String |
| N/A | lrconsole.exe | <process> | Text/String |
| Computer | _destinationhostname | <dname> | Text/String |
| N/A | 7.1.8.8003 | <version> | Number/Text/String |
| N/A | C:\Program Files\LogRhythm\LogRhythm Console 7.1.8\lrconsole.exe | <object> | Text/String |
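The mapping above applied to the sample log, as an added Python example (not LogRhythm's own parser or MPE rule): it reads the event XML, checks the EventID, and returns the schema fields listed in the table. The positional EventData indices (0 = process, 1 = version, 5 = object) are assumed from the sample log, since those fields carry no name in the event.

```python
import xml.etree.ElementTree as ET

# Default namespace declared on the <Event> element of the sample log.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sample log from this page (EVID 1002, Application Hang), embedded inline.
SAMPLE_LOG = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Application Hang'/>"
    "<EventID Qualifiers='0'>1002</EventID><Level>Error</Level><Task></Task>"
    "<Keywords>Classic</Keywords>"
    "<TimeCreated SystemTime='2016-11-15T19:36:01.000000000Z'/>"
    "<EventRecordID>38130</EventRecordID><Channel>Application</Channel>"
    "<Computer>_destinationhostname</Computer><Security/></System>"
    "<EventData><Data>lrconsole.exe</Data><Data>7.1.8.8003</Data><Data>4b24</Data>"
    "<Data>01d23f7762eb92cc</Data><Data>5</Data>"
    "<Data>C:\\Program Files\\LogRhythm\\LogRhythm Console 7.1.8\\lrconsole.exe</Data>"
    "<Data>bbd0308a-ab6a-11e6-ad2a-185e0f30b01e</Data>"
    "<Binary>55006E006B006E006F0077006E0000000000</Binary></EventData></Event>"
)


def map_evid_1002(xml_text):
    """Map an Application Hang (EVID 1002) event to the LogRhythm schema
    fields in the table above. The EventData positions used here are an
    assumption taken from the sample log, not a documented contract."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = system.find("e:EventID", NS)
    if event_id is None or (event_id.text or "").strip() != "1002":
        raise ValueError("not an EVID 1002 event")
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    if len(data) < 6:
        raise ValueError("EventData has fewer Data elements than expected")
    return {
        "vendorinfo": system.find("e:Provider", NS).get("Name"),
        "vmid": int(event_id.text),
        "severity": system.findtext("e:Level", default="", namespaces=NS),
        "dname": system.findtext("e:Computer", default="", namespaces=NS),
        "process": data[0],
        "version": data[1],
        "object": data[5],
    }


if __name__ == "__main__":
    for field, value in map_evid_1002(SAMPLE_LOG).items():
        print(f"{field:<10} {value}")
```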