Paul_Warnagiris
Collaborator

Correlated logs missing rule name/number

Hi Check Mates. I have run into this issue in the past and I normally find a workaround by doing a different search via destination IP and another combination or more than one search term in the search field. But it shouldn't be this difficult. The challenge is when a log shows up correlated it fails to show you the rule name or the rule number, no matter if it's an accept or a drop. How am I supposed to troubleshoot this if, say for example, I needed to find the rule this was catching on? There is this... "Application Rule ID: 712C4203-D768-434F-89FE-849261C9437A" but I don't know what that means. Any help would be appreciated. I probably just don't understand how I need to diagnose this, so any help would be appreciated.

_Val_
Admin

The field is app_rule_id; it is a unique identifier of the policy rule.

You have two options here:
1. Get the original logs and see their rule number/name.
2. Go to the policy package, click on any rule there, then choose "Actions / Go to rule" and paste the UID into the field to find the rule in question.

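Option 1 above, done programmatically, as an added example that is not from this thread or from Check Point: correlated entries carry only app_rule_id, so the original (non-correlated) logs are used to build a UID-to-rule index and the correlated entries are joined against it. The key=value export format, the field names other than app_rule_id (type, rule, rule_name) and the log lines themselves are constructed assumptions.

```python
"""Resolve the rule name/number for correlated Check Point log entries by
joining on app_rule_id against original (non-correlated) logs.
Export format and field names other than app_rule_id are assumptions."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample export: two originals, two correlated entries. The last
# correlated UID deliberately has no matching original, to show the fallback.
SAMPLE_LOGS = """\
time=2020-12-22T09:30:01 type=log action=accept src=10.1.1.5 dst=192.0.2.10 rule=12 rule_name="Allow_Web" app_rule_id=712C4203-D768-434F-89FE-849261C9437A
time=2020-12-22T09:30:02 type=log action=drop src=10.1.1.9 dst=192.0.2.20 rule=31 rule_name="Block_P2P" app_rule_id=0F1D2B8E-AAAA-BBBB-CCCC-000000000001
time=2020-12-22T09:31:00 type=correlated action=accept src=10.1.1.5 dst=192.0.2.10 app_rule_id=712c4203-d768-434f-89fe-849261c9437a
time=2020-12-22T09:31:05 type=correlated action=drop src=10.1.1.7 dst=192.0.2.30 app_rule_id=DEADBEEF-0000-1111-2222-333333333333
"""

# key=value pairs; values may be double-quoted (quotes are stripped below)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

Rule = Tuple[str, str]  # (rule number, rule name)


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in FIELD_RE.finditer(line)}


def build_rule_index(entries: List[Dict[str, str]]) -> Dict[str, Rule]:
    """Map app_rule_id -> (rule number, rule name) from non-correlated logs.
    UIDs are upper-cased so case differences between exports do not matter."""
    index: Dict[str, Rule] = {}
    for e in entries:
        if e.get("type") != "correlated" and "app_rule_id" in e and "rule_name" in e:
            index[e["app_rule_id"].upper()] = (e.get("rule", "?"), e["rule_name"])
    return index


def resolve_correlated(text: str) -> List[Tuple[str, str, Optional[Rule]]]:
    """Return (action, app_rule_id, rule-or-None) for each correlated entry.
    None means no original log carried that UID; the remaining route is
    SmartConsole's Actions / Go to rule with the UID (option 2)."""
    entries = [parse_line(l) for l in text.splitlines() if l.strip()]
    index = build_rule_index(entries)
    return [(e.get("action", "?"), e.get("app_rule_id", "").upper(),
             index.get(e.get("app_rule_id", "").upper()))
            for e in entries if e.get("type") == "correlated"]


if __name__ == "__main__":
    for action, uid, rule in resolve_correlated(SAMPLE_LOGS):
        label = f"rule {rule[0]} ({rule[1]})" if rule else "unresolved: use Go to rule"
        print(f"{action:6} {uid}  ->  {label}")
```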