Intrusion Rule Update Log Details

Tip

You search the entire Rule Update Import Log database even when you initiate a search by clicking Search on the toolbar from the Rule Update Import Log detailed view with only the records for a single import file displayed. Make sure you set your time constraints to include all objects you want to include in the search.

Intrusion Rule Update Log Details (each field name below is followed by its description)

Action

An indication that one of the following has occurred for the object type:

  • new (for a rule, this is the first time the rule has been stored on this appliance)

  • changed (for a rule update component or rule, the rule update component has been modified, or the rule has a higher revision number and the same GID and SID)

  • collision (for a rule update component or rule, import was skipped because its revision conflicts with an existing component or rule on the appliance)

  • deleted (for rules, the rule has been deleted from the rule update)

  • enabled (for a rule update edit, a preprocessor, rule, or other feature has been enabled in a default policy provided with the system)

  • disabled (for rules, the rule has been disabled in a default policy provided with the system)

  • drop (for rules, the rule has been set to Drop and Generate Events in a default policy provided with the system)

  • error (for a rule update or local rule file, the import failed)

  • apply (the "Reapply all policies after the rule update import completes" option was enabled for the import)

Default Action

The default action defined by the rule update. When the imported object type is rule, the default action is Pass, Alert, or Drop. For all other imported object types, there is no default action.

Details

A string unique to the component or rule. For a changed rule, the GID, SID, and previous revision number, displayed as previously (GID:SID:Rev). This field is blank for a rule that has not changed.

GID

The generator ID for a rule. For example, 1 (standard text rule, Global domain or legacy GID) or 3 (shared object rule).

Name

The name of the imported object, which for rules corresponds to the rule Message field, and for rule update components is the component name.

Policy

For imported rules, this field displays All. This means that the rule was imported successfully, and can be enabled in all appropriate default intrusion policies. For other types of imported objects, this field is blank.

Rev

The revision number for a rule.

Rule Update

The rule update file name.

SID

The SID for a rule.

Time

The time and date the import began.

Type

The type of imported object, which can be one of the following:

  • rule update component (an imported component such as a rule pack or policy pack)

  • rule (for rules, a new or updated rule)

  • policy apply (the "Reapply all policies after the rule update import completes" option was enabled for the import)

Count

The count (1) for each record. The Count field appears in a table view when the table is constrained, and the Rule Update Log detailed view is constrained by default to rule update records. This field is not searchable.
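The Action values and the Details format (previously (GID:SID:Rev)) described above are what an analyst reviews after an import. The following triage routine is an added example, not code from the Firepower product or its documentation; it assumes the log records have already been exported as dictionaries keyed by lowercased field names (a constructed format), and the sample records are constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Details field of a changed rule: "previously (GID:SID:Rev)"
DETAILS_RE = re.compile(r"previously \((\d+):(\d+):(\d+)\)")


def parse_previous(details: str) -> Optional[Tuple[int, int, int]]:
    """Return (gid, sid, rev) from a changed rule's Details field, or None if blank."""
    m = DETAILS_RE.search(details or "")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def triage(records: List[Dict[str, str]]) -> Dict[str, object]:
    """Summarise one import: action counts, records needing attention
    (collision/error), rules set to Drop in a default policy, and changed
    rules whose Details field does not show the same GID/SID with an older
    revision than the rule's own Rev (which contradicts 'changed')."""
    out = {"actions": Counter(r["action"] for r in records),
           "needs_attention": [], "drop_by_default": [], "inconsistent_changed": []}
    for r in records:
        if r["action"] in ("collision", "error"):
            out["needs_attention"].append(r["name"])
        if r["type"] != "rule":
            continue  # components and policy apply records carry no GID/SID/Rev
        gid, sid, rev = int(r["gid"]), int(r["sid"]), int(r["rev"])
        if r["action"] == "drop":
            out["drop_by_default"].append(f"{gid}:{sid}")
        if r["action"] == "changed":
            prev = parse_previous(r.get("details", ""))
            if prev is None or prev[:2] != (gid, sid) or prev[2] >= rev:
                out["inconsistent_changed"].append(f"{gid}:{sid}:{rev}")
    return out


# Constructed sample records (hypothetical GIDs/SIDs, not a real import log).
SAMPLE_RECORDS = [
    {"action": "new", "type": "rule", "gid": "1", "sid": "1000001", "rev": "1", "details": "", "name": "EXAMPLE new rule"},
    {"action": "changed", "type": "rule", "gid": "1", "sid": "2000", "rev": "5", "details": "previously (1:2000:4)", "name": "EXAMPLE changed rule"},
    {"action": "changed", "type": "rule", "gid": "3", "sid": "3001", "rev": "2", "details": "previously (3:3001:2)", "name": "EXAMPLE odd changed rule"},
    {"action": "collision", "type": "rule", "gid": "1", "sid": "4000", "rev": "3", "details": "", "name": "EXAMPLE collision"},
    {"action": "drop", "type": "rule", "gid": "1", "sid": "2000", "rev": "5", "details": "", "name": "EXAMPLE changed rule"},
    {"action": "error", "type": "rule update component", "name": "EXAMPLE policy pack"},
    {"action": "apply", "type": "policy apply", "name": "Reapply all policies"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS))
```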