Intrusion rule update log details

Note

You search the entire Rule Update Import Log database even when you initiate a search by clicking Search on the toolbar from the Rule Update Import Log detailed view with only the records for a single import file displayed. Make sure you set your time constraints to include all objects you want to include in the search.

Intrusion rule update log details
Field	Description
Action	An indication that one of the following has occurred for the object type: `new` (for a rule, this is the first time the rule has been stored) `changed` (for a rule update component or rule, the rule update component has been modified, or the rule has a higher revision number and the same GID and SID) `collision` (for a rule update component or rule, import was skipped because its revision conflicts with an existing component or rule) `deleted` (for rules, the rule has been deleted from the rule update) `enabled` (for a rule update edit, a preprocessor, rule, or other feature has been enabled in a default policy provided with the system) `disabled` (for rules, the rule has been disabled in a default policy provided with the system) `drop` (for rules, the rule has been set to Drop and Generate Events in a default policy provided with the system) `error` (for a rule update or local rule file, the import failed) `apply` (the Reapply all policies after the rule update import completes option was enabled for the import)
Default Action	The default action defined by the rule update. When the imported object type is `rule`, the default action is `Pass`, `Alert`, or `Drop`. For all other imported object types, there is no default action.
Details	A string unique to the component or rule. For rules, the GID, SID, and previous revision number for a changed rule, displayed as `previously (GID:SID:Rev)`. This field is blank for a rule that has not changed.
GID	The generator ID for a rule. For example, `1` (standard text rule, Global domain or legacy GID) or `3` (shared object rule).
Name	The name of the imported object,`All` which for rules corresponds to the rule Message field, and for rule update components is the component name.
Policy	For imported rules, this field displays . This means that the rule was imported successfully, and can be enabled in all appropriate default intrusion policies. For other types of imported objects, this field is blank.
Rev	The revision number for a rule.
Rule Update	The rule update file name.
SID	The SID for a rule.
Time	The time and date the import began.
Type	The type of imported object, which can be one of the following: `rule update component` (an imported component such as a rule pack or policy pack) `rule` (for rules, a new or updated rule) `policy apply` (the Reapply all policies after the rule update import completes option was enabled for the import)
Count	The count (`1`) for each record. The Count field appears in a table view when the table is constrained, and the Rule Update Log detailed view is constrained by default to rule update records. This field is not searchable.