Skip to main content
Skip table of contents

Action [7.2]

Action is a broad field for what was done as described in the log. Action is usually a secondary function of a command or process. 

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type




Client Console Full Name


Client Console Short Name


Web Console Tab/Name


Elasticsearch Field Name


Rule Builder Column Name


Regex Pattern


NetMon Name

Not applicable

Field Relationships

  • Command
  • Status
  • Result
  • Response Code
  • Process

Common Applications

  • Firewall
  • Proxy
  • Antivirus
  • Vulnerability scanner

Use Case

  • Recording network traffic accepts, drops, or blocks.
  • Secondary function of a command—for example, PowerShell (process), might issue "AD commandlet" (command), which might have an action of lock out user.
  • Action describes a mechanism. The result describes a state outcome. A firewall action can "pass" traffic. The result might be "success.”  

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

  • Capture more simplistic actions than command might.
  • An Action is what you are trying to initiate via a command.
  • Action, Process, and Command separation:
    • A process is something "running."
    • A command is an operating system command (for example, batch) or a user originated command to a system.
    • The Action is often the "result" of a process or command. The A/V process (Symantec) might have a command of "Run Scan", which could have an Action of Quarantine.
  • In RIM/FIM, the Action would be "read, write, add, delete" or any other common action verb applied to the file or registry key. 


  • FortiGate

02 18 2015 16:13:49 <LOC7:INFO> date=2015-02-18 time=16:13:51 devname=FG22222222222217 devid=FGdfsdfds1111111 logid=1059028704 type=utm subtype=app-ctrl eventtype=app-ctrl-all level=information vd="root" appid=16637 user="" srcip= srcport=57227 dstip= dstport=53 proto=17 service="DNS" sessionid=391322221 applist="APPC Monitor All" appcat="Update" app="Sophos.Update" action=pass msg="Update: Sophos.Update," apprisk=low

In this case, the firewall action is to "pass" the traffic because it is on an approved list.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.