Skip to main content
Skip table of contents

Serial Number [7.2]

The hardware or software serial number in a log message. Should be a permanent, unique identifier of what it is identifying.

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type

String (128 characters maximum)



Client Console Full Name

Serial Number

Client Console Short Name

Not applicable

Web Console Tab/Name

Serial Number

Elasticsearch Field Name


Rule Builder Column Name


Regex Pattern


NetMon Name

Not applicable

Field Relationships

  • This field was previously an overload of object and subject.
  • Session is often used for what are called serial numbers, but are closer to session identifiers.

Common Applications

  • Palo Alto
  • Juniper
  • F5
  • Asset management systems

Use Case

Uniquely identify systems.

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

  • Serial Number is only used for data that uniquely identifies an object, device or application. It is not meant to be used for defining a "session" or "record id."
  • Only overload this field with GUID when S/N not present when the GUID is permanent.


Correct Examples

  • Avaya Secure Access Link Remote Access Log

Jun 21 16:29:30 Host2ldomain Host1 xgEnterpriseProxy: Device registered with server https://Host4/eMessage: model: SessionMgr, serial number: (000)222-2222

Serial Number describes the device being registered to the server.

  • Bluecat Adonis

03 19 2013 14:34:17 <LOC1:INFO> Mar 19 14:34:17 USABLDRRECFLOW01named[4476]: info: zone transferred serial 324442789: TSIG 'view13530'

Serial used in DNS transaction.

Ambiguous Examples

  • FortiGate

03 27 2016 12:24:47 <LOC5:ALRT> date=2016-03-27 time=12:24:47 devname=SLAVE devid=FG222222222222222222 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd="Front_End" severity=high srcip= dstip= srcintf="port14" dstintf="port13" policyid=1897 sessionid=3487142146 action=detected proto=6 service=HTTPS attack="OpenSSL.ChangeCipherSpec.Injection" srcport=50077 dstport=443 hostname="" direction=outgoing attackid=38738 profile="All-All-All" ref="" incidentserialno=981770026 msg="applications3: OpenSSL.ChangeCipherSpec.Injection," crscore=30 crlevel=high

Incidentserialno correlates logs describing a single incident, and is closer to a session or record ID than a serial number.

  • Cisco Telepresence VCS

04 26 2016 18:07:35 <USER:NOTE> 2016-04-26T18:07:36-04:00 radvcsx tvcs: Event="Search Completed" Reason="Not Found" Service="H323" Src-alias-type="H323" Src-alias="pima_373@Host5" Dst-alias-type="E164" Dst-alias="93516#9#935" Call-serial-number="e2c39d22-cd9f-222c-a2ea-7b57a39239fc" Tag="f420cf74-2222-45d6-989a-76e32d94525a" Detail="found:false, searchtype:LRQ" Level="1" UTCTime="2016-04-26 22:07:36,027"

Call-Serial-Number is closer to a session in this context.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.