| Web Console Display Name | Lucene Search Syntax | Field Description |
|---|---|---|
| Action | action | An action taken by a device. |
| Amount | amount | Integer value representing a quantity. |
| Application | portProtocol | A network protocol or web application affected by the event generated from the log message. The "unknown" category aggregates applications that have not been classified. |
| Command | command | The name of a command executed within the metadata (for example: login, get, or put). |
| Duration | duration | Running time of a session, job, activity, etc. |
| Hash | hash | The digital signature, or mathematical equivalent, of a file that retrieves data from a URL or is a combination of other downloaded files. |
| Known Application | serviceName | Known application or service, such as HTTP, POP3, or Telnet. An application is known if LogRhythm can match the protocol number from the log to a service name in the Events Database. |
| Object, Object Name | object, objectName | Resource that is referenced or affected by the log activity. An object can be a file, file path, registry key, etc. The Object field contains the full path and name; objectName stores only the object name. |
| Object Type | objectType | Pairs with an Object and an Object Name (for example, the content type from HTTP logs). |
| Parent Process ID | parentProcessId | An ID number for a service or process running on a device, also known as a PID. |
| Parent Process Name | parentProcessName | The name of a process currently running on a system. |
| Parent Process Path | parentProcessPath | The logical storage path for a given process. |
| Policy | policy | The specific policy referenced in a log message (for example, Firewall or Proxy). |
| Process Name | process | Name or value that identifies a process (for example, "inetd" or "sshd"). |
| Process ID | processId | The ID associated with a process. |
| Quantity | quantity | Item quantity. |
| Rate | rate | Rate of an item. |
| Reason | reason | The justification for an action or result when it is not an explicit policy. |
| Response Code | responseCode | The explicit, well-defined response code for an action or command captured in a log. Response Code differs from Result in that a response code should be well-structured and easily identifiable as a code. |
| Result | result | The outcome of a command, operation, or action (for example, the result of "quarantine" might be "success"). |
| Session Type | sessionType | The type of session described in the log (e.g., console, CLI, web). Distinct from IANA Protocol. |
| Size | size | The size of an item, which depends on the log type (for example, firewall logs may show the size or length of a packet). |
| Status | status | The vendor's perspective on the state of a system, process, or entity. Status should NOT be used as the result of an action. |
| Subject | subject | Email subject line. For non-email logs, this field may represent the subject of some other form of communicated information. |
| Threat ID | threatId | An identification number assigned to a given threat, as defined by a third-party security system or device such as a firewall, IPS/IDS, AV, Endpoint Protection System, etc. |
| User Agent | userAgent | The User Agent string from web server logs. |
| Version | version | A value that represents a version (OS version, patch version, document version, etc.). |