Skip to main content
Skip table of contents

Object Name

The resource name (filename) referenced or impacted by activity reported in the log, specifically related to what is parsed into Object.

Object Name is a friendly name or expanded information about the Object. Do not use Object Name if Object is not also parsed.

Object Name is normalized into the star schema of the Events database (LogRhythm_Events.dbo.Object). 

Data Type

String (1000 characters maximum)



Client Console Full Name

Object Name

Client Console Short Name

Object Name

Web Console Tab/Name

Object Name

Elasticsearch Fieldname


Rule Builder Column Name


Regex Pattern


NetMon Name

Not applicable

Field Relationships

  • Object is described by Object Name
  • Object Type

Common Applications

Everywhere that Object is used and a friendly name exists.

Use Case

  • Getting context about an Object.
  • Not likely to be a primary search field.
  • Not likely to be a major field in AIE rules.

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

  • Object and Object Name are context-sensitive to the log itself. They must be defined for each device and device family across multiple samples.
    • Object is primary and required to be filled first. Object Name is secondary and optional.
    • Object Name is an expanded or friendly name of the object, not necessarily the file or process name (Object).
  • For any database log:
    • Object is the name of the database.
    • Object Name should only be used if there is a human readable name in addition.
  • Do not use Object Name with any other speciality field, such as session, process, URL, and so on.


Correct Examples

  • Windows Security Event Log

<Event xmlns=''><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54559625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4907</EventID><Version>0</Version><Level>Information</Level><Task>Audit Policy Change</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated SystemTime='2016-02-26T06:56:10.852896900Z'/><EventRecordID>228903233</EventRecordID><Correlation/><Execution ProcessID='752' ThreadID='768'/><Channel>Security</Channel><Computer>log.log.log</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>log\dave.crowley</Data><Data Name='SubjectUserName'>dave.crowley</Data><Data Name='SubjectDomainName'>log</Data><Data Name='SubjectLogonId'>0x10be65</Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>File</Data><Data Name='ObjectName'>C:\Windows\System32\autochk.exe</Data><Data Name='HandleId'>0xb0</Data><Data Name='OldSd'>S:AI</Data><Data Name='NewSd'>S:(AU;SAFA;DCL545RSDWDWO;;;WD)</Data><Data Name='ProcessId'>0x3298</Data><Data Name='ProcessName'>C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data></EventData></Event>

File parses into Object—though Object Type would be better. Autochk.exe parses into Object Name appropriately.

  • Windows Security Event Log

<Event xmlns='http://Host3/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{548465416845-5478-4994-a5ba-3e3b0328c30d}'/><EventID>6144</EventID><Version>0</Version><Level>Informationen</Level><Task>Andere Richtlinienänderungsereignisse</Task><Opcode>Info</Opcode><Keywords>Überwachung erfolgreich</Keywords><TimeCreated SystemTime='2016-03-15T17:52:23.176154700Z'/><EventRecordID>57042720</EventRecordID><Correlation/><Execution ProcessID='524' ThreadID='2808'/><Channel>Security</Channel><Computer>Host2l</Computer><Security/></System><EventData><Data Name='ErrorCode'>0</Data><Data Name='GPOList'>{31b2f340-016d-11d2-945f-00c04fb984f9}     Default Domain Policy </Data></EventData></Event>

The string for GPOList parses into Object. The Default Domain Policy parses into Object Name.

  • Cisco Unified Communication Mgr

11 09 2009 00:22:45 <LOC7:ERRR> 157: : : 125: Nov 09 05:22:03.34 UTC :  %CCM_CALLMANAGER-CALLMANAGER-3-DeviceTypeMismatch: Device type mismatch. Name of device.:DAV002454654BA Device type.:436 Database device type:435 App ID:Cisco CallManager Cluster ID:CORP-DP001 Node ID:CORP0004-D31005

Cluster ID parses into Object. Node ID parses into Object Name.

  • Voltage Securemail

01 29 2015 01:02:20 <USER:DBUG> voltage: LogMsgID="3", ServerNode="MVBK1", TenantID="LOG.BIZ.RU", SubTenant="<default>", Created="2015-01-29 01:02:20.673", Status="0", Summary="Authentication being handled for", EventLevel="Verbose", SessionID="1odz45646546dfdf3gscuijtpiv8", RequestID="1191", SourceName="IDAdapterEvents", EventName="Auth", Service="VSIBE", ClusterName="GH Data Center", ClusterUID="1", IPAddress="", TenantUID="36", UserAgentType="2", Identity="", AdapterType="vs.enrollment", AdapterID="24358855551109029088", Result="4", Duration="9", Details="null"

Vs.enrollment parses into Object. The numeric string for AdapterID parses into Object Name.

Ambiguous Examples

  • NAC System – FortiGate

07 23 2016 20:00:12 <LOC7:NOTE> date=2016-07-23 time=23:00:11 devname=logfw devid=FG5555555RecFlw1600315 logid=0100043777 type=event subtype=system level=notice vd="Transparent" logdesc="NAC anomaly quarantine" srcip= dstip=2.2.22 src_int="port1" dst_int="N/A" srcport=0 dstport=0 proto=0 service="ip" action=ban-ip user="N/A" group="N/A" policyid=0 banned_src=dos banned_rule="tcp_dst_session" sensor="DoS-policy1"

Banned_src and banned_rule parse into Object and Object Name, respectively. These are ambiguous because the source and rule are related to one another, but source refers to a denial of service attack, which is more of an action than a resource.

In this case, banned_rule could be parsed into Policy and banned_src could parse into Object (because the rule acted on the "dos" src).

  • Postgres

07 15 2015 14:59:42 <LOC4:INFO> Jul 15 14:59:43 src@Host70lt0 postgres[26940]: [708937-1] user=hasselhoff,db=recordflow_dev LOG:  duration: 929.018 ms  execute <unnamed>: UPDATE jobs.TRIGGERS SET TRIGGER_STATE = $1 WHERE SCHED_NAME = 'schedulerFactoryBean' AND JOB_NAME = $2 AND JOB_GROUP = $3 AND TRIGGER_STATE = $4

Database and Log parse into Object Name and Object, respectively. A database meets the criteria of a resource referenced or impacted in this log. However, the log seems closer to a command, action, or result (log parses into Command).

The database value should parse into Object, and the log should parse into Command. Object Name should not be used.

  • Two logs from FortiGate with URLs

08 21 2016 02:16:52 <LOC1:ALRT> date=2016-08-21,time=02:17:46,devname=FG123456456,devid=FG5445645641,logid=0419016384,type=utm,subtype=ips,eventtype=signature,level=alert,vd="root",severity=low,srcip=,dstip=,srcintf="port16",dstintf="port16",policyid=1,sessionid=22078931,action=detected,proto=6,service=tcp/20480,attack="MS.IIS.Web.Server.Folder.Traversal.Evasion",srcport=53355,dstport=80,hostname="",direction=outgoing,attackid=15152,profile="all_default",ref="",incidentserialno=1981412111,msg="web_server:



07 23 2016 20:00:12 <LOC7:ALRT> date=2016-07-23 time=23:00:11 devname=zackasdsd3343434 devid=FG5555121321 logid=0720018432 type=anomaly subtype=anomaly level=alert vd="Transparent" severity=critical srcip= dstip= srcintf="port1" sessionid=0 action=detected proto=6 service=SNMP count=802 attack="tcp_src_session" srcport=36078 dstport=162 attackid=4544654 policyid=1 ref="" msg="anomaly: tcp_src_session, 1251 > threshold 1250, repeats 802 times" crscore=50 crlevel=critical

The domain of the URL parses into Object Name in the referrer field in both logs. Strictly speaking, this is a referenced object, but Object is not used in the first log, so there is no relation. In the second log, Subtype parses into Object and the domain of the URL parses into Object Name. There is no relation between these fields in the second instance, as subtype describes the event rather than a resource.

In these logs, the ref field defines an outside URL to additional information. It is not the object of the log or the name of the object. The ref field should parse into the Vendor Information field. There is no need to have an Object or Object Name for this log source.

  • Entrust entillgence messaging server - User Credentials

06 07 2013 09:29:36 <LOC3:WARN> ECD[12901]: b7fd WARN ECD: (31516556428) Warning of credential expiry.  Details [[friendlyName=Onboard SSL credential for][days since expiry:161]]

Friendly name parses into Object Name and the subsequent hostname parses into Object. Object should parse into impacted host (dname) in this log. Object Name is strictly correct with the usage of object for the hostname, but would probably be better for Object after that is changed to dname.

If onboard SSL Credential parses into Object, then Object Name is empty. Also, the rule name and common event probably captures it already "credential expiry." Look at other samples to see if there are other types of credential besides the one shown here.

  • Microsoft Antimalware

4/24/2013 4:03 PM TYPE=Warning USER= COMP=Host1 SORC=Microsoft Antimalware CATG=(0) EVID=1116 MESG=Microsoft Antimalware has detected malware or other potentially unwanted software.  For more information please see the following: http://Host3/fwlink/?linkid=37020&name=Worm:Win32/Vobfus.PQ&threatid=2147680921        Name: Worm:Win32/Vobfus.PQ    ID: 214764421     Severity: Severe        Category: Worm    Path: file:_C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APQ7.tmp  Detection Origin: Local machine     Detection Type: Concrete      Detection Source: Real-Time Protection        User: NT AUTHORITY\SYSTEM     Process Name: C:\Program Files (x86)\Symantec AntiVirus\RHost2     Signature Version: AV:, AS:, NIS:      Engine Version: AM: 1.1.9402.0, NIS:

The object is the target file (apq7.tmp), as it is being acted on. The name is a friendly descriptor and thus is the Object Name.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.