
CISE_Authentication_Flow_Diagnostics

Vendor Documentation

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
| --- | --- | --- |
| pri_num | N/A | N/A |
| time | N/A | N/A |
| IP address/hostname | N/A | N/A |
| cat_name | N/A | <vendorinfo> |
| msg_id | N/A | N/A |
| total_seg | N/A | N/A |
| seg_num | N/A | N/A |
| timestamp | N/A | N/A |
| sequence_num | N/A | N/A |
| msg_code | N/A | <vmid>, <tag1> |
| msg_sev | <severity> | <severity> |
| msg_class | <process> | <subject> |
| msg_text | <subject> | <action> |
| ConfigVersionId | <version> | N/A |
| DestinationIPAddress | <dip> | <dip> |
| UserName | <login> | <account> |
| NAS-IP-Address | N/A | N/A |
| AcsSessionID | <session> | <session> |
| AuthenticationIdentityStore | N/A | N/A |
| AuthenticationMethod | <command> | N/A |
| SelectedAccessService | N/A | N/A |
| WorkflowCurrentIDStoreIndex | N/A | N/A |
| WorkflowSequenceType | N/A | N/A |
| CurrentIDStoreName | N/A | N/A |
| WorkflowIfUserNotFound | N/A | N/A |
| WorkflowIfProcessError | N/A | <result> |
| WorkflowIfAuthenticationFailed | N/A | <status> |
| CPMSessionID | N/A | N/A |
| StepLatency | N/A | N/A |
| Response | N/A | N/A |
| Key1 | N/A | N/A |
| Key2 | N/A | N/A |

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- | --- |
| 1012195 | CISE_Authentication_Flow_Diagnostics | Base Rule | Diagnostic Information | Information |

LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- | --- |
| 1012611 | V 2.0 Authentication Flow Diagnostics Event | Base Rule | Diagnostic Information | Information |
| | V 2.0 EVID 22000: Auth Resulted In Internal Error | Sub Rule | General Authentication Error | Error |
| | V 2.0 EVID 22001: Restricted Attribute(s) Found | Sub Rule | Object Attributes Listed | Information |
| | V 2.0 EVID 22002: Authentication Completed | Sub Rule | Authentication Activity | Authentication Success |
| | V 2.0 EVID 22003: Missing Attribute For Auth | Sub Rule | Attribute Missing | Warning |
| | V 2.0 EVID 22004: Authentication Wrong Password | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | V 2.0 EVID 22005: Could Not Get Shell Profile Obj | Sub Rule | Shell Profiles Not Found | Error |
| | V 2.0 EVID 22006: Shell Profile Object Not Config | Sub Rule | Shell Profile Object Not Configured | Information |
| | V 2.0 EVID 22007: Username Attribute Not Present | Sub Rule | Attributes Not Found | Error |
| | V 2.0 EVID 22008: Changing Enable Pwd Not Allowed | Sub Rule | Password Change Failed | Error |
| | V 2.0 EVID 22015: Identity Seq Continues To Next | Sub Rule | Continuing Identity Sequence | Information |
| | V 2.0 EVID 22016: Identity Seq Completed Iterating | Sub Rule | Successful Activity | Other Audit Success |
| | V 2.0 EVID 22017: Selected Identity Src DenyAccess | Sub Rule | Access Denied | Warning |
| | V 2.0 EVID 22019: Identity Policy Evaluated Before | Sub Rule | General POLICY Information | Information |
| | V 2.0 EVID 22020: Config Error Identity Src Blank | Sub Rule | Identity Source Blank | Error |
| | V 2.0 EVID 22021: Config Error Auth IDStores List | Sub Rule | Configuration Error | Error |
| | V 2.0 EVID 22022: Setting Err Failed To Open Opt | Sub Rule | General Failed Activity | Failed Activity |
| | V 2.0 EVID 22023: Proceed To Attribute Retrieval | Sub Rule | Proceed To Attribute Retrieval | Information |
| | V 2.0 EVID 22028: Auth Failed Advanced Opt Ignored | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | V 2.0 EVID 22034: Attribute Retrieval Failed | Sub Rule | Attribute Retrieval Failed | Error |
| | V 2.0 EVID 22036: Retrieved Attributes Successful | Sub Rule | Attribute Retrieval Succeeded | Information |
| | V 2.0 EVID 22037: Authentication Passed | Sub Rule | Authentication Activity | Authentication Success |
| | V 2.0 EVID 22038: Skipping IDStore For Attr Retr. | Sub Rule | Skipping IDStore For Attribute Retrieval | Information |
| | V 2.0 EVID 22039: Invalid Workflow Sequence Type | Sub Rule | Invalid Sequence Type | Error |
| | V 2.0 EVID 22040: Wrong Pwd/Invalid Shared Secret | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | V 2.0 EVID 22043: Auth Method Not Supported | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | V 2.0 EVID 22044: Identity Policy Res Not Config | Sub Rule | Policy Not Configured | Error |
| | V 2.0 EVID 22045: Identity Policy Res Not Config | Sub Rule | Policy Not Configured | Error |
| | V 2.0 EVID 22046: Identity Sequence Received CAR | Sub Rule | Authentication Request Received | Information |
| | V 2.0 EVID 22047: Username Attribute Missing | Sub Rule | Attribute Missing | Warning |
| | V 2.0 EVID 22048: Client Cert. Binary Missing | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 EVID 22049: Binary Comparison Of Cert. Fail | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 EVID 22050: User/Host Disable In Curr IDStore | Sub Rule | Host Disabled | Other Audit |
| | V 2.0 EVID 22051: User/Host Disable In Int IDStore | Sub Rule | Host Disabled | Other Audit |
| | V 2.0 EVID 22052: Authentication IDStore Empty | Sub Rule | IDStore Empty | Error |
| | V 2.0 EVID 22054: Binary Comparison Of Cert. Pass | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 EVID 22055: Failed To Find Expected Username | Sub Rule | General Failed Activity | Failed Activity |
| | V 2.0 EVID 22056: Subject Not Found In Applicable | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 EVID 22057: Used Adv Opt Config For Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | V 2.0 EVID 22058: Used Adv Opt Config For Unknown | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 EVID 22059: Used Adv Opt Config For Process | Sub Rule | Process Failed | Error |
| | V 2.0 EVID 22060: Continue Advanced Option Config | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | V 2.0 EVID 22061: Reject Advanced Option Config | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | V 2.0 EVID 22062: Drop Advanced Option Config | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | V 2.0 EVID 22063: Wrong Password | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| | V 2.0 EVID 22064: Auth Method Not Supported | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | V 2.0 EVID 22065: Guest Session Limit Not Enforced | Sub Rule | Session Information | Information |
| | V 2.0 EVID 22066: Removing Older Guest Sessions | Sub Rule | Object Deleted/Removed | Access Success |
| | V 2.0 EVID 22067: Missing Relevant Information | Sub Rule | Session Information | Information |
| | V 2.0 EVID 22068: Binary Comparison Of Cert. Skip | Sub Rule | Session Information | Information |
| | V 2.0 EVID 22069: AD Account Search Attr. Missing | Sub Rule | Attribute Missing | Warning |
| | V 2.0 EVID 22070: Identity Name Taken From Cert. | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 EVID 22071: Identity Name Taken From AD Acc | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 EVID 22072: Selected Identity Source Seq. | Sub Rule | General Audit Message | Other Audit |
| | V 2.0 EVID 22073: Removing Newest Guest Session | Sub Rule | Object Deleted/Removed | Access Success |
| | V 2.0 EVID 22074: Protocol Disabled In FIPS Mode | Sub Rule | Protocol Disabled | Information |
| | V 2.0 EVID 22080: New Accounting Session Created | Sub Rule | Object Created | Access Success |
| | V 2.0 EVID 22081: Max Sessions Policy Passed | Sub Rule | General POLICY Information | Information |
| | V 2.0 EVID 22082: Max Sessions Policy Disabled | Sub Rule | General POLICY Information | Information |
| | V 2.0 EVID 22083: User/Grp Session Counters Inc. | Sub Rule | Process/Service Started | Startup and Shutdown |
| | V 2.0 EVID 22084: User/Grp Session Counters Dec. | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| | V 2.0 EVID 22085: Accounting Session Updated | Sub Rule | Object Modified | Access Success |
| | V 2.0 EVID 22086: Active Session Purged For Device | Sub Rule | Session Information | Information |
| | V 2.0 EVID 22087: Accounting Session Timed Out | Sub Rule | Session Timed Out | Warning |
| | V 2.0 EVID 22088: Accounting Session Purged | Sub Rule | Session Information | Information |
| | V 2.0 EVID 22089: Session Limit Reached New User | Sub Rule | Session Information | Information |
| | V 2.0 EVID 22090: One Or More Attributes Missing | Sub Rule | Attribute Missing | Warning |
| | V 2.0 EVID 22091: Excessive Failed Auth Attempts | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | V 2.0 EVID 22092: No Accounting Start Received | Sub Rule | Session Information | Information |
| | V 2.0 EVID 22093: Duplicate Session Found | Sub Rule | Duplicate Event | Information |
| | V 2.0 EVID 22094: Audit Session Not Found | Sub Rule | Session Information | Information |
| | V 2.0 EVID 22095: Accounting Start Received | Sub Rule | Session Information | Information |
| | V 2.0 EVID 22096: Max Session Policy Not Available | Sub Rule | Session Information | Information |
| | V 2.0 EVID 22097: Max Session Group Limit Reached | Sub Rule | Session Information | Information |
| | V 2.0 EVID 22098: Max Sess User In Grp Limit Reach | Sub Rule | Session Information | Information |