Breadcrumbs

Failed Attempts

Vendor Documentation

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

Log Field

LogRhythm Default

LogRhythm Default v2.0

pri_num

N/A

N/A

time

N/A

N/A

IP address/hostname

N/A

N/A

cat_name

N/A

<vendorinfo>

msg_id

N/A

N/A

total_seg

N/A

N/A

seg_num

N/A

N/A

timestamp

N/A

N/A

sequence_num

N/A

N/A

msg_code

N/A

<vmid>
<tag1>

msg_sev

N/A

<severity>

msg_class

<process>

<subject> 

msg_text

<status>
<tag1>

<action> 

ConfigVersionId

<version>

 N/A

DeviceIPAddress

<dip>

<sip>

DevicePort

<dport>

<sport>

DestinationIPAddress

N/A

<dip>

DestinationPort

N/A

<dport>

RadiusPacketType

<objecttype>

 N/A

UserName

<login>

<account>

MacAddress

N/A

<smac>

IpAddress

N/A

<sip>

CmdSet

N/A

N/A

Protocol

<protname>

<protnum>/<protname>

RequestLatency

N/A

 N/A

NetworkDeviceName

<dname>

 N/A

Type

N/A

N/A

Action

N/A

<status>

Privilege-Level

N/A

N/A

Authen-Type

N/A

N/A

Service

N/A

N/A

User

N/A

N/A

Port

N/A

N/A

Remote-Address

<sip>

N/A

User-Name

<login>

 <account>

NAS-IP-Address

N/A

 N/A

NAS-Port

N/A

 N/A

Service-Type

N/A

 N/A

Framed-MTU

N/A

 N/A

State

N/A

<status>

Called-Station-ID

<dnatip>/<dmac>

 N/A

Calling-Station-ID

<snatip>/<smac>

 N/A

Acct-Session-Id

N/A

 <session>

NAS-Port-Type

N/A

 N/A

cisco-av-pair

N/A

 N/A

NetworkDeviceProfileName

N/A

 N/A

NetworkDeviceProfileId

N/A

 N/A

IsThirdPartyDeviceFlow

N/A

 N/A

RadiusFlowType

<object>

N/A

SSID

<dinterface>

N/A

PostureStatus

N/A

<status>

AcsSessionID

<session>

<session>

AuthenticationMethod

N/A

 N/A

SelectedAccessService

N/A

 N/A

SelectedAuthorizationProfiles

<object>

N/A

FailureReason

<reason>

<reason>

Step

N/A

N/A

SelectedAuthenticationIdentityStores

N/A

N/A

EndPointMACAddress

N/A

<dmac>

ISEPolicySetName

<policy>


Key1

N/A

N/A

Key2

N/A

N/A

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex ID

Rule Name

Rule Type

Common Event

Classification

1010163

Failed Attempts

Base Rule

General Action Failure

Error

Authentication Failed

Sub Rule

Authentication Failure Activity

Authentication Failure

RADIUS Accounting-Request Dropped

Sub Rule

RADIUS Request Failure

Warning

RADIUS Request Dropped

Sub Rule

RADIUS Request Failure

Warning

TACACS+ Request Dropped

Sub Rule

Request Dropped

Warning

LogRhythm Default v2.0

Regex ID

Rule Name

Rule Type

Common Event

Classification

1012913

V 2.0 Failed Attempts Event

Base Rule

General Failed Activity

Failed Activity

V 2.0 EVID 5400 Authentication Failed

Sub Rule

Authentication Failure Activity

Authentication Failure

V 2.0 EVID 5401 Authentication Failed

Sub Rule

Authentication Failure Activity

Authentication Failure

V 2.0 EVID 5402 Command Authorization Failed

Sub Rule

Authorization Failed

Warning

V 2.0 EVID 5403 Session Authorization Failed

Sub Rule

Authorization Failed

Warning

V 2.0 EVID 5404 Authorization Failed

Sub Rule

Authorization Failed

Warning

V 2.0 EVID 5405 RADIUS Request Dropped

Sub Rule

RADIUS Request Failure

Warning

V 2.0 EVID 5406 TACACS+ Request Dropped

Sub Rule

TACACS+ Accounting Request Rejected

Information

V 2.0 EVID 5407 TACACS+ Authorization Failed

Sub Rule

Authorization Failed

Warning

V 2.0 EVID 5408 Command Authorization Error

Sub Rule

General Authorization Warning

Warning

V 2.0 EVID 5409 Session Authorization Error

Sub Rule

General Authorization Warning

Warning

V 2.0 EVID 5410 TACACS+ Authorization Error

Sub Rule

General Authorization Warning

Warning

V 2.0 EVID 5411 Supplicant Stopped Responding

Sub Rule

Host Not Responding

Warning

V 2.0 EVID 5412 TACACS+ Auth Req Ended With Err

Sub Rule

Authentication Error

Error

V 2.0 EVID 5413 RADIUS Accounting-Req Dropped

Sub Rule

Accounting Request Dropped

Warning

V 2.0 EVID 5414 TACACS+ Accounting Failed

Sub Rule

Accounting Failure

Error

V 2.0 EVID 5415 Change Password Failed

Sub Rule

Password Change Failed

Error

V 2.0 EVID 5416 RADIUS PAP Session Cleaned Up

Sub Rule

PAP Session Cleaned Up

Information

V 2.0 EVID 5417 Dynamic Authorization Failed

Sub Rule

Authorization Failed

Warning

V 2.0 EVID 5418 Guest Authentication Failed

Sub Rule

Authentication Failure Activity

Authentication Failure

V 2.0 EVID 5419 DACL Download Failed

Sub Rule

Download Object Failure

Access Failure

V 2.0 EVID 5420 Trustsec Data Download Failed

Sub Rule

Download Object Failure

Access Failure

V 2.0 EVID 5421 Trustsec Peer Policy Dwnld Fail

Sub Rule

Download Object Failure

Access Failure

V 2.0 EVID 5422 Authorize-Only Failed

Sub Rule

Authorization Failed

Warning

V 2.0 EVID 5423 Device Registration Web Auth Fail

Sub Rule

Authentication Failure Activity

Authentication Failure

V 2.0 EVID 5434 Endpoint Multiple Failed Auth

Sub Rule

Authentication Failure Activity

Authentication Failure

V 2.0 EVID 5435 NAS Multiple Failed Auth

Sub Rule

Authentication Failure Activity

Authentication Failure

V 2.0 EVID 5436 RADIUS Packet Already In Process

Sub Rule

Packet Already In Process

Information

V 2.0 EVID 5437 Dup. RADIUS Pkt For Mult Paramet

Sub Rule

Duplicate Packet

Error

V 2.0 EVID 5438 RADIUS Pkt Session Doesnot Exist

Sub Rule

Cannot Establish Session

Error

V 2.0 EVID 5439 RADIUS Packet Session Not Start

Sub Rule

Failed To Create Session

Error

V 2.0 EVID 5440 Endpoint EAP Session Abandoned

Sub Rule

Session Terminated Due To Error

Error

V 2.0 EVID 5441 Endpoint New Session Dropped

Sub Rule

Failed To Create Session

Error

V 2.0 EVID 5442 RADIUS Req Drop- System Overload

Sub Rule

Request Rejected

Error

V 2.0 EVID 5443 RADIUS Req Drop- EAP Session Lim

Sub Rule

Request Rejected

Error

V 2.0 EVID 5447 MDM Authentication Passed

Sub Rule

Authentication Complete

Information

V 2.0 EVID 5448 MDM Authentication Failed

Sub Rule

Authentication Failure Activity

Authentication Failure

V 2.0 EVID 5449 Endpoint Multiple Failed Auth

Sub Rule

Authentication Failure Activity

Authentication Failure

V 2.0 EVID 5450 RADIUS DTLS Handshake Failed

Sub Rule

Handshake Failed

Warning

V 2.0 EVID 5451 Social Login Permission Denied

Sub Rule

Social Media Activity

Misuse

V 2.0 EVID 5452 Social Login User Info Error

Sub Rule

LOGIN Error

Error