AD-Connector Messages

Vendor Documentation

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
| --- | --- | --- |
| pri_num | N/A | N/A |
| time | N/A | N/A |
| IP address/hostname | N/A | N/A |
| cat_name | N/A | <vendorinfo> |
| msg_id | N/A | N/A |
| total_seg | N/A | N/A |
| seg_num | N/A | N/A |
| timestamp | N/A | N/A |
| sequence_num | N/A | N/A |
| msg_code | N/A | <vmid> <tag1> |
| msg_sev | <severity> | <severity> |
| msg_class | <process> | <subject> |
| msg_text | <status> | <action> |
| ConfigVersionId | N/A | N/A |
| AD-Account-Name | <account> | |
| AD-Domain | <domainorigin> | <domainorigin> |
| AD-Domain-Controller | N/A | N/A |
| AD-Hostname | <dname> | N/A |
| AD-IP-Address | <dip> | <sip> |
| AD-Error-Details | <reason> <result> | N/A |
| AD-Forest | N/A | N/A |
| AD-IP-Address-Black-Listed | N/A | N/A |
| AD-Log-Id | <session> | N/A |
| AD-Trusted-Domain | N/A | N/A |
| AD-Site | N/A | N/A |
| AD-Srv-Query | N/A | N/A |
| AD-Srv-Record | N/A | N/A |
| AD-Srv-Record | N/A | N/A |
| AD-Srv-Record | N/A | N/A |
| AD-Srv-Record | N/A | N/A |
| Key1 | N/A | N/A |
| Key2 | N/A | N/A |

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- | --- |
| 1011231 | AD-Connector Messages | Base Rule | General Active Directory Information | Information |

LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- | --- |
| 1012598 | V 2.0 AD Connector Event | Base Rule | General Information Log Message | Information |
| | V 2.0 EVID 25000: ISE Server Pwd Update Success | Sub Rule | Performing Password Change | Information |
| | V 2.0 EVID 25001: ISE Server Pwd Update Failure | Sub Rule | Password Change Failed | Error |
| | V 2.0 EVID 25002: ISE Server TGT Refresh Success | Sub Rule | Successful Activity | Other Audit Success |
| | V 2.0 EVID 25003: Machine TGT Refresh Failure | Sub Rule | General Action Failure | Error |
| | V 2.0 EVID 25004: AD Connector Start | Sub Rule | Process/Service Started | Startup and Shutdown |
| | V 2.0 EVID 25005: AD Connector Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | V 2.0 EVID 25006: AD Connector Restart | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | V 2.0 EVID 25007: Join Point Connector Start | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | V 2.0 EVID 25008: Join Point Connector Stop | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | V 2.0 EVID 25009: Trusted Domain Discovery Success | Sub Rule | Successful Activity | Other Audit Success |
| | V 2.0 EVID 25010: Trusted Domain Discovery Failure | Sub Rule | General Action Failure | Error |
| | V 2.0 EVID 25011: Domain Join Success | Sub Rule | Successful Activity | Other Audit Success |
| | V 2.0 EVID 25012: Domain Join Failure | Sub Rule | General Action Failure | Error |
| | V 2.0 EVID 25013: Domain Leave Success | Sub Rule | Successful Activity | Other Audit Success |
| | V 2.0 EVID 25014: Domain Leave Failure | Sub Rule | General Action Failure | Error |
| | V 2.0 EVID 25015: DNS SRV Query Success | Sub Rule | Successful Activity | Other Audit Success |
| | V 2.0 EVID 25016: DNS SRV Query Failure | Sub Rule | DNS Query Failed | Error |
| | V 2.0 EVID 25017: DC Discovery Success | Sub Rule | Successful Activity | Other Audit Success |
| | V 2.0 EVID 25018: DC Discovery Failure | Sub Rule | Domain Controller Unreachable | Error |
| | V 2.0 EVID 25019: KDC Discovery Success | Sub Rule | Successful Activity | Other Audit Success |
| | V 2.0 EVID 25020: KDC Discovery Failure | Sub Rule | General Action Failure | Error |
| | V 2.0 EVID 25021: GC Discovery Success | Sub Rule | Successful Activity | Other Audit Success |
| | V 2.0 EVID 25022: GC Discovery Failure | Sub Rule | General Action Failure | Error |
| | V 2.0 EVID 25023: LDAP Connect To DC Success | Sub Rule | Successful Activity | Other Audit Success |
| | V 2.0 EVID 25024: LDAP Connect To DC Failure | Sub Rule | General Action Failure | Error |
| | V 2.0 EVID 25025: LDAP Connect To GC Success | Sub Rule | Successful Activity | Other Audit Success |
| | V 2.0 EVID 25026: LDAP Connect To GC Failure | Sub Rule | General Action Failure | Error |
| | V 2.0 EVID 25027: RPC Connect To DC Success | Sub Rule | Successful Activity | Other Audit Success |
| | V 2.0 EVID 25028: RPC Connect To DC Failure | Sub Rule | General Action Failure | Error |
| | V 2.0 EVID 25029: KDC Connect To DC Success | Sub Rule | Successful Activity | Other Audit Success |
| | V 2.0 EVID 25030: KDC Connect To DC Failure | Sub Rule | General Action Failure | Error |
| | V 2.0 EVID 25031: AD Provider Failed To Start | Sub Rule | Server Failed To Start | Error |
| | V 2.0 EVID 25032: Trusted Domain Discovered | Sub Rule | Domain Trust Information | Information |
| | V 2.0 EVID 25033: DNS A/AAAA Query Success | Sub Rule | Successful Activity | Other Audit Success |
| | V 2.0 EVID 25034: DNS A/AAAA Query Failure | Sub Rule | DNS Query Failed | Error |
| | V 2.0 EVID 25035: Writeable DC Discovery Success | Sub Rule | Successful Activity | Other Audit Success |
| | V 2.0 EVID 25036: Writeable DC Discovery Failure | Sub Rule | General Action Failure | Error |
| | V 2.0 EVID 25037: DC Record Cached | Sub Rule | Cache Information | Information |
| | V 2.0 EVID 25038: GC Record Cached | Sub Rule | Cache Information | Information |
| | V 2.0 EVID 25039: LDAP SASL Bind Failure | Sub Rule | SASLAUTHD Error | Error |
| | V 2.0 EVID 25040: RPC SC Establishment Failure | Sub Rule | General Information Log Message | Information |
| | V 2.0 EVID 25041: ISE Server Site Discovered | Sub Rule | General Information Log Message | Information |
| | V 2.0 EVID 25042: ISE Server Not Assigned To AD | Sub Rule | General Active Directory Warning | Warning |
| | V 2.0 EVID 25043: No DC Found In ISE Server Site | Sub Rule | Time Service Couldn't Find Domain Controller | Warning |
| | V 2.0 EVID 25044: Communication To Domain Failure | Sub Rule | Communications Failed | Error |
| | V 2.0 EVID 25045: Configured NameServer Down | Sub Rule | The Server Is Down | Information |
| | V 2.0 EVID 25046: Joined Domain Is Unavailable | Sub Rule | RADIUS Domain Unavailable | Error |
| | V 2.0 EVID 25047: Auth Domain Is Unavailable | Sub Rule | RADIUS Domain Unavailable | Error |
| | V 2.0 EVID 25048: AD Forest Is Unavailable | Sub Rule | General Active Directory Information | Information |
| | V 2.0 EVID 25049: Machine Account Not Found | Sub Rule | General Information Log Message | Information |
| | V 2.0 EVID 25050: Machine Account Deleted From AD | Sub Rule | General Information Log Message | Information |
| | V 2.0 EVID 25051: Machine Account Deletion Failed | Sub Rule | General Information Log Message | Information |
| | V 2.0 EVID 25052: Periodic Trusts Discovery Start | Sub Rule | General Information Log Message | Information |
| | V 2.0 EVID 25053: Detected Offline Forest | Sub Rule | General Information Log Message | Information |
| | V 2.0 EVID 25054: Trust Removed By Discovery | Sub Rule | General Information Log Message | Information |
| | V 2.0 EVID 25055: DC Added To Blacklist | Sub Rule | General Information Log Message | Information |
| | V 2.0 EVID 25056: DC Removed From Blacklist | Sub Rule | General Information Log Message | Information |
| | V 2.0 EVID 25057: No Privileges For ISE Mac Acc. | Sub Rule | Insufficient Privileges | Error |
| | V 2.0 EVID 25058: ISE Is Not Joined To AD DC | Sub Rule | General Active Directory Error | Error |
| | V 2.0 EVID 25100: Connecting To External REST ID | Sub Rule | General Information Log Message | Information |
| | V 2.0 EVID 25101: Successful Connect To Ext REST | Sub Rule | Connection Established | Network Traffic |
| | V 2.0 EVID 25102: Connection To Ext REST DB Fail | Sub Rule | General Database Error | Error |
| | V 2.0 EVID 25103: Plain Text Pwd Auth In Ext REST | Sub Rule | General Authentication Information | Information |
| | V 2.0 EVID 25104: Plain Text Pwd Auth Success | Sub Rule | Authentication Activity | Authentication Success |
| | V 2.0 EVID 25105: Plain Text Pwd Auth Failure | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | V 2.0 EVID 25106: REST Indicated Pwd Auth Failure | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | V 2.0 EVID 25107: REST ID Store Server Respond | Sub Rule | General Information Log Message | Information |
| | V 2.0 EVID 25108: No User Groups Included To REST | Sub Rule | General Information Log Message | Information |
| | V 2.0 EVID 25109: ISE Starts Set User Groups | Sub Rule | Cache Information | Information |
| | V 2.0 EVID 25110: User Grp Insert To Session Cache | Sub Rule | Cache Information | Information |
| | V 2.0 EVID 25111: Failed To Set User Groups | Sub Rule | Cache Information | Information |
| | V 2.0 EVID 25112: REST DB Indicated Pwd Auth Fail | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | V 2.0 EVID 25113: Skipping AD Authentication | Sub Rule | General Active Directory Warning | Warning |
| | V 2.0 EVID 25114: Low Bad Password For AD Instance | Sub Rule | General Active Directory Error | Error |
| | V 2.0 EVID 25115: Fail To Fetch User Attr From AD | Sub Rule | General Active Directory Error | Error |
| | V 2.0 EVID 25116: No Bad Pwd Count Attribute In AD | Sub Rule | General Active Directory Error | Error |
| | V 2.0 EVID 25117: AD Is Part Of ID Sequence | Sub Rule | General Active Directory Warning | Warning |