Classification

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| EVID 2004 : Microsoft-Windows-PerfNet | Base Rule | Service Start Failure | Error |

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PerfNet' Guid='{cab2b8a5-49b9-4eec-b1b0-fac21da05a3b}' EventSourceName='PerfNet'/><EventID Qualifiers='49152'>2004</EventID><Version>0</Version><Level>Error</Level><Task>None</Task><Opcode></Opcode><Keywords>Classic</Keywords><TimeCreated SystemTime='2018-08-01T06:34:34.000000000Z'/><EventRecordID>1379871</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='0'/><Channel>Application</Channel><Computer>_destinationHostname</Computer><Security/></System><EventData><Binary>220000C0</Binary></EventData></Event>

Mapping with LogRhythm Schema

| Device Key in Log Message | Log Value | LogRhythm Schema | Data Type |
| --- | --- | --- | --- |
| Provider Name | Microsoft-Windows-PerfNet | <vendorinfo> | Text/String |
| Eventid | 2004 | <vmid> | Number |
| Level | Error | <severity> | Text/String |
| Computer | _destinationHostname | <dname> | Text/String |
| ProcessID | 0 | <processid> | Number |
| ThreadID | N/A | <threatid> | Number |
| Version | 0 | <version> | Number |