
Policy [7.2]

The specific policy referenced (for example, Firewall or Proxy) in a log message.

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type

Client Console Full Name

Client Console Short Name

Web Console Tab/Name

Elasticsearch Field Name

Rule Builder Column Name

Regex Pattern

NetMon Name

Not applicable

Field Relationships

  • Group
  • Login
  • Account
  • Domain
  • Object (disambiguation—policy was historically stored as object in some cases)

Common Applications

  • Firewall
  • Antivirus
  • Directory
  • Vulnerability scanners
  • Audit tools
  • Proxies
  • IT management

Use Case

  • Tracking group policy
  • Correlating AV and vulnerability scanners
  • Compliance
  • Policy violations

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

  • Only store Policy values that are explicitly called out in the log.
  • You can store policy synonyms (for example, Standard).
  • If the log defines several different policy types, capture the broadest one.


  • SourceFire IDS

10 02 2016 20:30:22 <LOC6:WARN> Oct  2 23:27:07 mtl-corp-sen-01 CORPvDC: Protocol: TCP, SrcIP:, DstIP:, SrcPort: 54217, DstPort: 443, TCPFlags: 0x0, IngressInterface: s1p6, EgressInterface: s1p5, IngressZone: Ingress_CORP_recflow_FROM_NX, EgressZone: Egress_CORP_recflow_TO_ASA, DE: Primary Detection Engine (f20ae1fc-2be2-22e3-9bcc-2222222222222), Policy: RECFLOW_CORP_Sensor, ConnectType: End, AccessControlRuleName: Rules_Inspection_CORP_RF_Log, AccessControlRuleAction: Allow, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: recflow, InitiatorPackets: 9, ResponderPackets: 9, InitiatorBytes: 1017, ResponderBytes: 4258, NAPPolicy: RF_CORP_PREPROCESSORS, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL:

Policy is parsed here because it is explicitly called out. NAPPolicy can be left unparsed because the broader policy name field (Policy) is already present in the same log.

  • Sourcefire IDS

05 22 2014 06:12:49 <SLOG:ERRR> 2014-05-22 10:12:47.494 recmetric:SOURCE[recflow.Host4]:REC2604E:[ALARM] Policy[ForTheRecord-Media] User[recflow\Domain Usersrecflowusers,Medium Mandatory Level@Mandatory Label...\ercflow,Host4] Process[\SystemRoot\System32\Host2] Action[read_dir] Res[M:\Media\QueryBuilder]  Effect[DENIED Code (1U,2U,3U,4U,5U,6U,7U,8U,9U,10U,11U,12P,13P,14U,15U,16U,17A,18U,19M)]

ForTheRecord-Media is parsed into Policy because it is explicitly called out.
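The two usage standards illustrated above (store only an explicitly called-out Policy, and prefer the broadest policy field when several are present) can be checked with a small parser. The following Python is an added example written for this page; it is not a LogRhythm MPE rule or the product's own regex. It uses trimmed copies of the two example log messages shown above plus one constructed line that carries only a NAPPolicy value, and it assumes two surface forms for the field: a `Policy: value` key/value pair and a `Policy[value]` bracket form.

```python
import re
from typing import Optional

# Sample log text. The first two lines are trimmed from the example log messages on this
# page; the third is constructed to show a log that names only a narrower policy type.
SOURCEFIRE_LOG = (
    "Oct  2 23:27:07 mtl-corp-sen-01 CORPvDC: Protocol: TCP, SrcPort: 54217, DstPort: 443, "
    "DE: Primary Detection Engine (f20ae1fc-2be2-22e3-9bcc-2222222222222), "
    "Policy: RECFLOW_CORP_Sensor, ConnectType: End, "
    "AccessControlRuleName: Rules_Inspection_CORP_RF_Log, AccessControlRuleAction: Allow, "
    "NAPPolicy: RF_CORP_PREPROCESSORS, DNSResponseType: No Error, URL:"
)
RECMETRIC_LOG = (
    "2014-05-22 10:12:47.494 recmetric:SOURCE[recflow.Host4]:REC2604E:[ALARM] "
    "Policy[ForTheRecord-Media] Process[\\SystemRoot\\System32\\Host2] "
    "Action[read_dir] Res[M:\\Media\\QueryBuilder]  Effect[DENIED]"
)
NAP_ONLY_LOG = (  # constructed: no explicit Policy field, only the narrower NAPPolicy
    "Oct  2 23:27:07 mtl-corp-sen-01 CORPvDC: Protocol: TCP, "
    "NAPPolicy: RF_CORP_PREPROCESSORS, DNSResponseType: No Error"
)

# Key/value form: "Policy: value" terminated by a comma or end of line.
# The negative lookbehind (?<![A-Za-z]) rejects "NAPPolicy:" and any other
# "<Prefix>Policy:" key, so only the broadest, explicitly named Policy matches.
KV_PATTERN = re.compile(r"(?<![A-Za-z])Policy:\s*([^,]+?)\s*(?:,|$)")

# Bracket form: "Policy[value]" as used by the second example log.
BRACKET_PATTERN = re.compile(r"(?<![A-Za-z])Policy\[([^\]]+)\]")


def extract_policy(log: str) -> Optional[str]:
    """Return the explicitly called-out Policy value, or None if the log has none.

    Returning None (rather than falling back to NAPPolicy or a similar subtype
    field) follows the usage standard: only store Policy values the log calls out.
    """
    for pattern in (KV_PATTERN, BRACKET_PATTERN):
        match = pattern.search(log)
        if match:
            return match.group(1).strip()
    return None


def extract_policies(logs: dict) -> dict:
    """Map each log name to its parsed Policy value (or None) for a quick batch check."""
    return {name: extract_policy(text) for name, text in logs.items()}


if __name__ == "__main__":
    results = extract_policies({
        "sourcefire": SOURCEFIRE_LOG,
        "recmetric": RECMETRIC_LOG,
        "nap_only": NAP_ONLY_LOG,
    })
    for name, value in results.items():
        print(f"{name}: Policy={value!r}")
```

The lookbehind is the important part: a naive `Policy:` search would also match inside `NAPPolicy:`, and the first hit in the constructed NAP-only line would then be stored as Policy even though no Policy field is called out.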
