Vendor Documentation
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
|
Log Field |
LogRhythm Default |
LogRhythm Default v2.0 |
|---|---|---|
|
pri_num |
N/A |
N/A |
|
time |
N/A |
N/A |
|
IP address/hostname |
N/A |
N/A |
|
cat_name |
N/A |
<vendorinfo> |
|
msg_id |
N/A |
N/A |
|
total_seg |
N/A |
N/A |
|
seg_num |
N/A |
N/A |
|
timestamp |
N/A |
N/A |
|
sequence_num |
N/A |
N/A |
|
msg_code |
N/A |
<vmid>
|
|
msg_sev |
<severity> |
<severity> |
|
msg_class |
<process> |
<subject> |
|
msg_text |
<subject> |
<action> |
|
ConfigVersionId |
<version> |
N/A |
|
DestinationIPAddress |
<dip> |
<dip> |
|
UserName |
<login> |
<account> |
|
NAS-IP-Address |
N/A |
N/A |
|
AcsSessionID |
<session> |
<session> |
|
AuthenticationIdentityStore |
N/A |
N/A |
|
AuthenticationMethod |
<command> |
N/A |
|
SelectedAccessService |
N/A |
N/A |
|
WorkflowCurrentIDStoreIndex |
N/A |
N/A |
|
WorkflowSequenceType |
N/A |
N/A |
|
CurrentIDStoreName |
N/A |
N/A |
|
WorkflowIfUserNotFound |
N/A |
N/A |
|
WorkflowIfProcessError |
N/A |
<result> |
|
WorkflowIfAuthenticationFailed |
N/A |
<status> |
|
CPMSessionID |
N/A |
N/A |
|
StepLatency |
N/A |
N/A |
|
Response |
N/A |
N/A |
|
Key1 |
N/A |
N/A |
|
Key2 |
N/A |
N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1012195 |
CISE_Authentication_Flow_Diagnostics |
Base Rule |
Diagnostic Information |
Information |
LogRhythm Default v2.0
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1012611 |
V 2.0 Authentication Flow Diagnostics Event |
Base Rule |
Diagnostic Information |
Information |
|
V 2.0 EVID 22000: Auth Resulted In Internal Error |
Sub Rule |
General Authentication Error |
Error |
|
|
V 2.0 EVID 22001: Restricted Attribute(s) Found |
Sub Rule |
Object Attributes Listed |
Information |
|
|
V 2.0 EVID 22002: Authentication Completed |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
V 2.0 EVID 22003: Missing Attribute For Auth |
Sub Rule |
Attribute Missing |
Warning |
|
|
V 2.0 EVID 22004: Authentication Wrong Password |
Sub Rule |
Failed Unauthorized Activity |
Failed Misuse |
|
|
V 2.0 EVID 22005: Could Not Get Shell Profile Obj |
Sub Rule |
Shell Profiles Not Found |
Error |
|
|
V 2.0 EVID 22006: Shell Profile Object Not Config |
Sub Rule |
Shell Profile Object Not Configured |
Information |
|
|
V 2.0 EVID 22007: Username Attribute Not Present |
Sub Rule |
Attributes Not Found |
Error |
|
|
V 2.0 EVID 22008: Changing Enable Pwd Not Allowed |
Sub Rule |
Password Change Failed |
Error |
|
|
V 2.0 EVID 22015: Identity Seq Continues To Next |
Sub Rule |
Continuing Identity Sequence |
Information |
|
|
V 2.0 EVID 22016: Identity Seq Completed Iterating |
Sub Rule |
Successful Activity |
Other Audit Success |
|
|
V 2.0 EVID 22017: Selected Identity Src DenyAccess |
Sub Rule |
Access Denied |
Warning |
|
|
V 2.0 EVID 22019: Identity Policy Evaluated Before |
Sub Rule |
General POLICY Information |
Information |
|
|
V 2.0 EVID 22020: Config Error Identity Src Blank |
Sub Rule |
Identity Source Blank |
Error |
|
|
V 2.0 EVID 22021: Config Error Auth IDStores List |
Sub Rule |
Configuration Error |
Error |
|
|
V 2.0 EVID 22022: Setting Err Failed To Open Opt |
Sub Rule |
General Failed Activity |
Failed Activity |
|
|
V 2.0 EVID 22023: Proceed To Attribute Retrieval |
Sub Rule |
Proceed To Attribute Retrieval |
Information |
|
|
V 2.0 EVID 22028: Auth Failed Advanced Opt Ignored |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
V 2.0 EVID 22034: Attribute Retrieval Failed |
Sub Rule |
Attribute Retrieval Failed |
Error |
|
|
V 2.0 EVID 22036: Retrieved Attributes Successful |
Sub Rule |
Attribute Retrieval Succeeded |
Information |
|
|
V 2.0 EVID 22037: Authentication Passed |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
V 2.0 EVID 22038: Skipping IDStore For Attr Retr. |
Sub Rule |
Skipping IDStore For Attribute Retrieval |
Information |
|
|
V 2.0 EVID 22039: Invalid Workflow Sequence Type |
Sub Rule |
Invalid Sequence Type |
Error |
|
|
V 2.0 EVID 22040: Wrong Pwd/Invalid Shared Secret |
Sub Rule |
Failed Unauthorized Activity |
Failed Misuse |
|
|
V 2.0 EVID 22043: Auth Method Not Supported |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
V 2.0 EVID 22044: Identity Policy Res Not Config |
Sub Rule |
Policy Not Configured |
Error |
|
|
V 2.0 EVID 22045: Identity Policy Res Not Config |
Sub Rule |
Policy Not Configured |
Error |
|
|
V 2.0 EVID 22046: Identity Sequence Received CAR |
Sub Rule |
Authentication Request Received |
Information |
|
|
V 2.0 EVID 22047: Username Attribute Missing |
Sub Rule |
Attribute Missing |
Warning |
|
|
V 2.0 EVID 22048: Client Cert. Binary Missing |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 EVID 22049: Binary Comparison Of Cert. Fail |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 EVID 22050:User/Host Disable In Curr IDStore |
Sub Rule |
Host Disabled |
Other Audit |
|
|
V 2.0 EVID 22051: User/Host Disable In Int IDStore |
Sub Rule |
Host Disabled |
Other Audit |
|
|
V 2.0 EVID 22052: Authentication IDStore Empty |
Sub Rule |
IDStore Empty |
Error |
|
|
V 2.0 EVID 22054: Binary Comparison Of Cert. Pass |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 EVID 22055: Failed To Find Expected Username |
Sub Rule |
General Failed Activity |
Failed Activity |
|
|
V 2.0 EVID 22056: Subject Not Found In Applicable |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 EVID 22057: Used Adv Opt Config For Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
V 2.0 EVID 22058: Used Adv Opt Config For Unknown |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 EVID 22059: Used Adv Opt Config For Process |
Sub Rule |
Process Failed |
Error |
|
|
V 2.0 EVID 22060: Continue Advanced Option Config |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
V 2.0 EVID 22061: Reject Advanced Option Config |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
V 2.0 EVID 22062: Drop Advanced Option Config |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
V 2.0 EVID 22063: Wrong Password |
Sub Rule |
Failed Unauthorized Activity |
Failed Misuse |
|
|
V 2.0 EVID 22064: Auth Method Not Supported |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
V 2.0 EVID 22065: Guest Session Limit Not Enforced |
Sub Rule |
Session Information |
Information |
|
|
V 2.0 EVID 22066: Removing Older Guest Sessions |
Sub Rule |
Object Deleted/Removed |
Access Success |
|
|
V 2.0 EVID 22067: Missing Relevant Information |
Sub Rule |
Session Information |
Information |
|
|
V 2.0 EVID 22068: Binary Comparison Of Cert. Skip |
Sub Rule |
Session Information |
Information |
|
|
V 2.0 EVID 22069: AD Account Search Attr. Missing |
Sub Rule |
Attribute Missing |
Warning |
|
|
V 2.0 EVID 22070: Identity Name Taken From Cert. |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 EVID 22071: Identity Name Taken From AD Acc |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 EVID 22072: Selected Identity Source Seq. |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 EVID 22073: Removing Newest Guest Session |
Sub Rule |
Object Deleted/Removed |
Access Success |
|
|
V 2.0 EVID 22074: Protocol Disabled In FIPS Mode |
Sub Rule |
Protocol Disabled |
Information |
|
|
V 2.0 EVID 22080: New Accounting Session Created |
Sub Rule |
Object Created |
Access Success |
|
|
V 2.0 EVID 22081: Max Sessions Policy Passed |
Sub Rule |
General POLICY Information |
Information |
|
|
V 2.0 EVID 22082: Max Sessions Policy Disabled |
Sub Rule |
General POLICY Information |
Information |
|
|
V 2.0 EVID 22083: User/Grp Session Counters Inc. |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
|
V 2.0 EVID 22084: User/Grp Session Counters Dec. |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
|
V 2.0 EVID 22085: Accounting Session Updated |
Sub Rule |
Object Modified |
Access Success |
|
|
V 2.0 EVID 22086: Active Session Purged For Device |
Sub Rule |
Session Information |
Information |
|
|
V 2.0 EVID 22087: Accounting Session Timed Out |
Sub Rule |
Session Timed Out |
Warning |
|
|
V 2.0 EVID 22088: Accounting Session Purged |
Sub Rule |
Session Information |
Information |
|
|
V 2.0 EVID 22089: Session Limit Reached New User |
Sub Rule |
Session Information |
Information |
|
|
V 2.0 EVID 22090: One Or More Attributes Missing |
Sub Rule |
Attribute Missing |
Warning |
|
|
V 2.0 EVID 22091: Excessive Failed Auth Attempts |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
V 2.0 EVID 22092: No Accounting Start Received |
Sub Rule |
Session Information |
Information |
|
|
V 2.0 EVID 22093: Duplicate Session Found |
Sub Rule |
Duplicate Event |
Information |
|
|
V 2.0 EVID 22094: Audit Session Not Found |
Sub Rule |
Session Information |
Information |
|
|
V 2.0 EVID 22095: Accounting Start Received |
Sub Rule |
Session Information |
Information |
|
|
V 2.0 EVID 22096: Max Session Policy Not Available |
Sub Rule |
Session Information |
Information |
|
|
V 2.0 EVID 22097: Max Session Group Limit Reached |
Sub Rule |
Session Information |
Information |
|
|
V 2.0 EVID 22098: Max Sess User In Grp Limit Reach |
Sub Rule |
Session Information |
Information |