Applications
Web Console Display Name | Lucene Search Syntax | Field Description |
---|---|---|
Action | action | An action taken by a device. |
Amount | amount | Integer value representing a quantity. |
Application | portProtocol | A network protocol or a web application impacted by the event generated from the log message. The "unknown" category is an aggregation of applications that have not been classified. |
Command | command | The name of an executed command within the metadata (for example: login, get, or put). |
Duration | duration | Running time of a session, job, activity, etc. |
Hash | hash | The digital signature, or mathematical equivalent, of the file that retrieves data from a URL or is the combination of other downloaded files. |
Known Application | serviceName | Known application or service, such as HTTP, POP3, or Telnet. An application is known if LogRhythm can match the protocol number from the log to a service name in the Events Database. |
Object, Object Name | object, objectName | Resource that is referenced or impacted by the log activity. An object can include a file, file path, registry key, etc. The Object field contains the full path and name, but objectName only stores the object name. |
Object Type | objectType | A pair with an Object and an Object Name (for example, the content type from HTTP logs). |
Parent Process ID | parentProcessId | An ID number (PID) for a service or process running on a device; here, the ID of the parent process. |
Parent Process Name | parentProcessName | The name of a process currently running on a system. |
Parent Process Path | parentProcessPath | The logical storage path for a given process. |
Policy | policy | The specific policy referenced in a log message (e.g., Firewall, Proxy). |
Process Name | process | Name or value that identifies a process (for example, "inetd" or "sshd"). |
Process ID | processId | The ID associated with a process. |
Quantity | quantity | Item quantity. |
Rate | rate | Rate of an item. |
Reason | reason | The justification for an action or result when not an explicit policy. |
Response Code | responseCode | The explicit and well-defined response code for an action or command captured in a log. Response Code differs from Result in that response code should be well-structured and easily identifiable as a code. |
Result | result | The outcome of a command operation or action (for example, the result of "quarantine" might be "success"). |
Session Type | sessionType | The type of session described in the log (e.g., console, CLI, web). Distinct from IANA Protocol. |
Size | size | The size of an item, which depends on the log type (for example, logs relating to firewalls may show the size or length of a packet). |
Status | status | The vendor's perspective on the state of a system, process, or entity. Status should NOT be used as the result of an action. |
Subject | subject | Email subject line. For non-email logs, this field could represent the subject in some form of communicated information. |
Threat ID | threatId | An identification number assigned to a given threat, as defined by a third-party security system or device, such as a firewall, IPS/IDS, AV, Endpoint Protection System, etc. |
User Agent | userAgent | The User Agent string from web server logs. |
Version | version | A value that represents a version (OS version, patch version, doc version, etc.). |