AD-Connector Messages
Vendor Documentation
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 |
---|---|---|
pri_num | N/A | N/A |
time | N/A | N/A |
IP address/hostname | N/A | N/A |
cat_name | N/A | <vendorinfo> |
msg_id | N/A | N/A |
total_seg | N/A | N/A |
seg_num | N/A | N/A |
timestamp | N/A | N/A |
sequence_num | N/A | N/A |
msg_code | N/A | <vmid> <tag1> |
msg_sev | <severity> | <severity> |
msg_class | <process> | <subject> |
msg_text | <status> | <action> |
ConfigVersionId | N/A | N/A |
AD-Account-Name | <account> | |
AD-Domain | <domainorigin> | <domainorigin> |
AD-Domain-Controller | N/A | N/A |
AD-Hostname | <dname> | N/A |
AD-IP-Address | <dip> | <sip> |
AD-Error-Details | <reason> <result> | N/A |
AD-Forest | N/A | N/A |
AD-IP-Address-Black-Listed | N/A | N/A |
AD-Log-Id | <session> | N/A |
AD-Trusted-Domain | N/A | N/A |
AD-Site | N/A | N/A |
AD-Srv-Query | N/A | N/A |
AD-Srv-Record | N/A | N/A |
AD-Srv-Record | N/A | N/A |
AD-Srv-Record | N/A | N/A |
AD-Srv-Record | N/A | N/A |
Key1 | N/A | N/A |
Key2 | N/A | N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
Regex ID | Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|---|
1011231 | AD-Connector Messages | Base Rule | General Active Directory Information | Information |
LogRhythm Default v2.0
Regex ID | Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|---|
1012598 | V 2.0 AD Connector Event | Base Rule | General Information Log Message | Information |
| V 2.0 EVID 25000: ISE Server Pwd Update Success | Sub Rule | Performing Password Change | Information |
| V 2.0 EVID 25001: ISE Server Pwd Update Failure | Sub Rule | Password Change Failed | Error |
| V 2.0 EVID 25002: ISE Server TGT Refresh Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25003: Machine TGT Refresh Failure | Sub Rule | General Action Failure | Error |
| V 2.0 EVID 25004: AD Connector Start | Sub Rule | Process/Service Started | Startup and Shutdown |
| V 2.0 EVID 25005: AD Connector Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| V 2.0 EVID 25006: AD Connector Restart | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| V 2.0 EVID 25007: Join Point Connector Start | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| V 2.0 EVID 25008: Join Point Connector Stop | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| V 2.0 EVID 25009: Trusted Domain Discovery Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25010: Trusted Domain Discovery Failure | Sub Rule | General Action Failure | Error |
| V 2.0 EVID 25011: Domain Join Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25012: Domain Join Failure | Sub Rule | General Action Failure | Error |
| V 2.0 EVID 25013: Domain Leave Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25014: Domain Leave Failure | Sub Rule | General Action Failure | Error |
| V 2.0 EVID 25015: DNS SRV Query Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25016: DNS SRV Query Failure | Sub Rule | DNS Query Failed | Error |
| V 2.0 EVID 25017: DC Discovery Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25018: DC Discovery Failure | Sub Rule | Domain Controller Unreachable | Error |
| V 2.0 EVID 25019: KDC Discovery Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25020: KDC Discovery Failure | Sub Rule | General Action Failure | Error |
| V 2.0 EVID 25021: GC Discovery Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25022: GC Discovery Failure | Sub Rule | General Action Failure | Error |
| V 2.0 EVID 25023: LDAP Connect To DC Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25024: LDAP Connect To DC Failure | Sub Rule | General Action Failure | Error |
| V 2.0 EVID 25025: LDAP Connect To GC Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25026: LDAP Connect To GC Failure | Sub Rule | General Action Failure | Error |
| V 2.0 EVID 25027: RPC Connect To DC Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25028: RPC Connect To DC Failure | Sub Rule | General Action Failure | Error |
| V 2.0 EVID 25029: KDC Connect To DC Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25030: KDC Connect To DC Failure | Sub Rule | General Action Failure | Error |
| V 2.0 EVID 25031: AD Provider Failed To Start | Sub Rule | Server Failed To Start | Error |
| V 2.0 EVID 25032: Trusted Domain Discovered | Sub Rule | Domain Trust Information | Information |
| V 2.0 EVID 25033: DNS A/AAAA Query Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25034: DNS A/AAAA Query Failure | Sub Rule | DNS Query Failed | Error |
| V 2.0 EVID 25035: Writeable DC Discovery Success | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 25036: Writeable DC Discovery Failure | Sub Rule | General Action Failure | Error |
| V 2.0 EVID 25037: DC Record Cached | Sub Rule | Cache Information | Information |
| V 2.0 EVID 25038: GC Record Cached | Sub Rule | Cache Information | Information |
| V 2.0 EVID 25039: LDAP SASL Bind Failure | Sub Rule | SASLAUTHD Error | Error |
| V 2.0 EVID 25040: RPC SC Establishment Failure | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25041: ISE Server Site Discovered | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25042: ISE Server Not Assigned To AD | Sub Rule | General Active Directory Warning | Warning |
| V 2.0 EVID 25043: No DC Found In ISE Server Site | Sub Rule | Time Service Couldn't Find Domain Controller | Warning |
| V 2.0 EVID 25044: Communication To Domain Failure | Sub Rule | Communications Failed | Error |
| V 2.0 EVID 25045: Configured NameServer Down | Sub Rule | The Server Is Down | Information |
| V 2.0 EVID 25046: Joined Domain Is Unavailable | Sub Rule | RADIUS Domain Unavailable | Error |
| V 2.0 EVID 25047: Auth Domain Is Unavailable | Sub Rule | RADIUS Domain Unavailable | Error |
| V 2.0 EVID 25048: AD Forest Is Unavailable | Sub Rule | General Active Directory Information | Information |
| V 2.0 EVID 25049: Machine Account Not Found | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25050: Machine Account Deleted From AD | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25051: Machine Account Deletion Failed | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25052: Periodic Trusts Discovery Start | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25053: Detected Offline Forest | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25054: Trust Removed By Discovery | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25055: DC Added To Blacklist | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25056: DC Removed From Blacklist | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25057: No Privileges For ISE Mac Acc. | Sub Rule | Insufficient Privileges | Error |
| V 2.0 EVID 25058: ISE Is Not Joined To AD DC | Sub Rule | General Active Directory Error | Error |
| V 2.0 EVID 25100: Connecting To External REST ID | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25101: Successful Connect To Ext REST | Sub Rule | Connection Established | Network Traffic |
| V 2.0 EVID 25102: Connection To Ext REST DB Fail | Sub Rule | General Database Error | Error |
| V 2.0 EVID 25103: Plain Text Pwd Auth In Ext REST | Sub Rule | General Authentication Information | Information |
| V 2.0 EVID 25104: Plain Text Pwd Auth Success | Sub Rule | Authentication Activity | Authentication Success |
| V 2.0 EVID 25105: Plain Text Pwd Auth Failure | Sub Rule | Authentication Failure Activity | Authentication Failure |
| V 2.0 EVID 25106: REST Indicated Pwd Auth Failure | Sub Rule | Authentication Failure Activity | Authentication Failure |
| V 2.0 EVID 25107: REST ID Store Server Respond | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25108: No User Groups Included To REST | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 25109: ISE Starts Set User Groups | Sub Rule | Cache Information | Information |
| V 2.0 EVID 25110: User Grp Insert To Session Cache | Sub Rule | Cache Information | Information |
| V 2.0 EVID 25111: Failed To Set User Groups | Sub Rule | Cache Information | Information |
| V 2.0 EVID 25112: REST DB Indicated Pwd Auth Fail | Sub Rule | Authentication Failure Activity | Authentication Failure |
| V 2.0 EVID 25113: Skipping AD Authentication | Sub Rule | General Active Directory Warning | Warning |
| V 2.0 EVID 25114: Low Bad Password For AD Instance | Sub Rule | General Active Directory Error | Error |
| V 2.0 EVID 25115: Fail To Fetch User Attr From AD | Sub Rule | General Active Directory Error | Error |
| V 2.0 EVID 25116: No Bad Pwd Count Attribute In AD | Sub Rule | General Active Directory Error | Error |
| V 2.0 EVID 25117: AD Is Part Of ID Sequence | Sub Rule | General Active Directory Warning | Warning |