Serial Number [7.2]
The hardware or software serial number in a log message. It should be a permanent, unique identifier of the thing it identifies.
This field is not available in LogRhythm versions earlier than 7.2.1.
Data Type
String (128 characters maximum)
Aliases
Use | Alias |
---|---|
Client Console Full Name | Serial Number |
Client Console Short Name | Not applicable |
Web Console Tab/Name | Serial Number |
Elasticsearch Field Name | serialNumber |
Rule Builder Column Name | SerialNumber |
Regex Pattern | <serialnumber> |
NetMon Name | Not applicable |
Field Relationships
- This field was previously an overload of object and subject.
- Session is often used for values that are called serial numbers but are closer to session identifiers.
Common Applications
- Palo Alto
- Juniper
- F5
- Asset management systems
Use Case
Uniquely identify systems.
MPE/Data Masking Manipulations
Not applicable.
Usage Standards
- Serial Number is only used for data that uniquely identifies an object, device or application. It is not meant to be used for defining a "session" or "record id."
- Only overload this field with a GUID when no S/N is present and the GUID is permanent.
Examples
Correct Examples
- Avaya Secure Access Link Remote Access Log
Jun 21 16:29:30 Host2ldomain Host1 xgEnterpriseProxy: Device registered with server https://Host4/eMessage: model: SessionMgr, serial number: (000)222-2222
Serial Number describes the device being registered to the server.
- Bluecat Adonis
03 19 2013 14:34:17 1.1.1.1 <LOC1:INFO> Mar 19 14:34:17 USABLDRRECFLOW01named[4476]: info: zone 10.in-addr.arpa/IN/Internal: transferred serial 324442789: TSIG 'view13530'
Serial used in DNS transaction.
Ambiguous Examples
- FortiGate
03 27 2016 12:24:47 1.1.1.1 <LOC5:ALRT> date=2016-03-27 time=12:24:47 devname=SLAVE devid=FG222222222222222222 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd="Front_End" severity=high srcip=1.1.1.1 dstip=1.1.1.1 srcintf="port14" dstintf="port13" policyid=1897 sessionid=3487142146 action=detected proto=6 service=HTTPS attack="OpenSSL.ChangeCipherSpec.Injection" srcport=50077 dstport=443 hostname="recordflow.biz" direction=outgoing attackid=38738 profile="All-All-All" ref="http://www.fortinet.com/ids/VID38738" incidentserialno=981770026 msg="applications3: OpenSSL.ChangeCipherSpec.Injection," crscore=30 crlevel=high
Incidentserialno correlates logs describing a single incident, and is closer to a session or record ID than a serial number.
- Cisco Telepresence VCS
04 26 2016 18:07:35 1.1.1.1 <USER:NOTE> 2016-04-26T18:07:36-04:00 radvcsx tvcs: Event="Search Completed" Reason="Not Found" Service="H323" Src-alias-type="H323" Src-alias="pima_373@Host5" Dst-alias-type="E164" Dst-alias="93516#9#935" Call-serial-number="e2c39d22-cd9f-222c-a2ea-7b57a39239fc" Tag="f420cf74-2222-45d6-989a-76e32d94525a" Detail="found:false, searchtype:LRQ" Level="1" UTCTime="2016-04-26 22:07:36,027"
Call-Serial-Number is closer to a session in this context.
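The usage standards applied to the log samples above, as an added example (not LogRhythm's own parsing rules): each pattern's named group decides whether a value lands in Serial Number or in Session. The rule names, the Python `(?P<...>)` group syntax, the choice of Session for the ambiguous cases, and the reject-on-overflow behaviour are assumptions of this example.

```python
import re

MAX_LEN = 128  # the field is a String of at most 128 characters

# Hypothetical rules in Python named-group syntax. The group name picks the
# destination field: permanent device identifiers go to serialnumber, values
# that only tie together one incident or call go to session.
RULES = [
    ("Avaya SAL", re.compile(r"serial number: (?P<serialnumber>\S+)")),
    ("BlueCat Adonis", re.compile(r"transferred serial (?P<serialnumber>\d+)")),
    ("FortiGate", re.compile(r"\bincidentserialno=(?P<session>\d+)")),
    ("Cisco VCS", re.compile(r'Call-serial-number="(?P<session>[^"]+)"')),
]

def parse(log_line):
    """Return the source name plus the one field the first matching rule sets."""
    for source, pattern in RULES:
        match = pattern.search(log_line)
        if match is None:
            continue
        fields = {"source": source}
        for name, value in match.groupdict().items():
            if name == "serialnumber" and len(value) > MAX_LEN:
                # This example rejects rather than truncates: a clipped
                # identifier may no longer be unique.
                raise ValueError(f"{source}: value longer than {MAX_LEN} characters")
            fields[name] = value
        return fields
    return {}  # no rule matched

# Constructed samples, shortened from the log lines in the Examples section.
SAMPLES = [
    "xgEnterpriseProxy: Device registered with server https://Host4/eMessage: "
    "model: SessionMgr, serial number: (000)222-2222",
    "named[4476]: info: zone 10.in-addr.arpa/IN/Internal: transferred serial "
    "324442789: TSIG 'view13530'",
    "devid=FG222222222222222222 sessionid=3487142146 attackid=38738 "
    "incidentserialno=981770026 crscore=30",
    'tvcs: Event="Search Completed" '
    'Call-serial-number="e2c39d22-cd9f-222c-a2ea-7b57a39239fc" Level="1"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse(line))
```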