Classification

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| EVID 1309 : ASP.NET Request Aborted | Base Rule | Connection Aborted | Network Traffic |

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='ASP.NET 2.0.50727.0'/><EventID Qualifiers='32768'>1309</EventID><Level>Warning</Level><Task>Web Event</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-11-19T03:08:52.000000000Z'/><EventRecordID>76004</EventRecordID><Channel>Application</Channel><Computer>_destinationhostname</Computer><Security/></System><EventData><Data>3001</Data><Data>The request has been aborted.</Data><Data>11/18/2016 8:08:52 PM</Data><Data>11/19/2016 3:08:52 AM</Data><Data>80a301aa732b43c78a561d2a05b30faa</Data><Data>4</Data><Data>1</Data><Data>0</Data><Data>/LM/W3SVC/1/ROOT/ServerSyncWebService-3-131239983810192518</Data><Data>Full</Data><Data>/ServerSyncWebService</Data><Data>C:\Program Files\Update Services\WebServices\ServerSyncWebService\</Data><Data>_destinationhostname</Data><Data></Data><Data>2316</Data><Data>w3wp.exe</Data><Data>_domain\_somename</Data><Data>HttpException</Data><Data>Request timed out.</Data><Data>http://_destinationhostname/ServerSyncWebService/serversyncwebservice.asmx/ServerSyncWebService/serversyncwebservice.asmx::1False_domainOrigin\_originUser</Data><Data>5</Data><Data>_domainOrigin\_originUser</Data><Data>False</Data><Data>

</Data></EventData></Event>

Mapping with LogRhythm Schema

| Device Key in Log message | Log Value | LogRhythm Schema | Data Type |
| --- | --- | --- | --- |
| Provider Name | ASP.NET 2.0.50727.0 | `<vendorinfo>` | Text/String |
| EventID Qualifiers | 1309 | `<vmid>` | Number |
| Level | warning | `<severity>` | Text/String |
| N/A | _originUser | `<login>` | Text/String |
| N/A | _domainOrigin | `<domainorigin>` | Text/String |
| N/A | w3wp.exe | `<process>` | Text/String |
| Execution Processid | 2136 | `<processid>` | Number |
| Computer | _destinationhostname | `<dname>` | Text/String |
| N/A | `C:\Program Files\Update Services\WebServices\ServerSyncWebService\` | `<object>` | Text/String |
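
The mapping above, applied to the sample event in Python. This is an added example, not LogRhythm's parsing rule: the function name `map_event`, the positional `<Data>` indexes (read off the sample log, since the table lists those keys as N/A) and the shortened sample values are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the <Data> values of the page's sample log, in the same
# order (timestamps, event id and request URL shortened to placeholders).
DATA = ["3001", "The request has been aborted.", "local-time", "utc-time",
        "event-id", "4", "1", "0", "/LM/W3SVC/1/ROOT/ServerSyncWebService",
        "Full", "/ServerSyncWebService",
        "C:\\Program Files\\Update Services\\WebServices\\ServerSyncWebService\\",
        "_destinationhostname", "", "2316", "w3wp.exe", "_domain\\_somename",
        "HttpException", "Request timed out.", "request-url", "5",
        "_domainOrigin\\_originUser", "False", ""]
SAMPLE = ("<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
          "<System><Provider Name='ASP.NET 2.0.50727.0'/>"
          "<EventID Qualifiers='32768'>1309</EventID><Level>Warning</Level>"
          "<Computer>_destinationhostname</Computer></System><EventData>"
          + "".join(f"<Data>{d}</Data>" for d in DATA) + "</EventData></Event>")

# Assumed 0-based <Data> positions, taken from the sample log layout.
IDX_OBJECT, IDX_PID, IDX_PROCESS, IDX_ACCOUNT = 11, 14, 15, 21


def map_event(xml_text):
    """Return the schema fields for an EVID 1309 event, or None for any other event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None or system.findtext("e:EventID", None, NS) != "1309":
        return None
    provider = system.find("e:Provider", NS)
    data = [(d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)]
    if len(data) <= IDX_ACCOUNT:  # truncated or differently shaped event
        raise ValueError("unexpected 1309 layout: %d Data elements" % len(data))
    domain, _, login = data[IDX_ACCOUNT].rpartition("\\")  # DOMAIN\user
    return {
        "vendorinfo": provider.get("Name") if provider is not None else "",
        "vmid": int(system.findtext("e:EventID", None, NS)),
        "severity": system.findtext("e:Level", "", NS),
        "login": login,
        "domainorigin": domain,
        "process": data[IDX_PROCESS],
        "processid": int(data[IDX_PID]),
        "dname": system.findtext("e:Computer", "", NS),
        "object": data[IDX_OBJECT],
    }
```

Run on the sample event, `processid` comes out as 2316, the value carried in the log itself.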