Vendor Documentation
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
|
Log Field |
LogRhythm Default |
LogRhythm Default v2.0 |
|---|---|---|
|
pri_num |
N/A |
N/A |
|
time |
N/A |
N/A |
|
IP address/hostname |
N/A |
N/A |
|
cat_name |
N/A |
<vendorinfo> |
|
msg_id |
N/A |
N/A |
|
total_seg |
N/A |
N/A |
|
seg_num |
N/A |
N/A |
|
timestamp |
N/A |
N/A |
|
sequence_num |
N/A |
N/A |
|
msg_code |
N/A |
<vmid>
|
|
msg_sev |
N/A |
<severity> |
|
msg_class |
<process> |
<subject> |
|
msg_text |
<status>
|
<action> |
|
ConfigVersionId |
<version> |
N/A |
|
DeviceIPAddress |
<dip> |
<sip> |
|
DevicePort |
<dport> |
<sport> |
|
DestinationIPAddress |
N/A |
<dip> |
|
DestinationPort |
N/A |
<dport> |
|
RadiusPacketType |
<objecttype> |
N/A |
|
UserName |
<login> |
<account> |
|
MacAddress |
N/A |
N/A |
|
IpAddress |
N/A |
<sip> |
|
CmdSet |
N/A |
N/A |
|
Protocol |
<protname> |
<protnum>/<protname> |
|
RequestLatency |
N/A |
N/A |
|
NetworkDeviceName |
<dname> |
N/A |
|
Type |
N/A |
N/A |
|
Action |
N/A |
<status> |
|
Privilege-Level |
N/A |
N/A |
|
Authen-Type |
N/A |
N/A |
|
Service |
N/A |
N/A |
|
User |
N/A |
N/A |
|
Port |
N/A |
N/A |
|
Remote-Address |
<sip> |
N/A |
|
User-Name |
N/A |
<account> |
|
NAS-IP-Address |
N/A |
N/A |
|
NAS-Port |
N/A |
N/A |
|
Service-Type |
N/A |
N/A |
|
Framed-MTU |
N/A |
N/A |
|
State |
N/A |
<status> |
|
Called-Station-ID |
N/A |
<dnatip>,<dmac> |
|
Calling-Station-ID |
N/A |
<snatip>,<smac> |
|
Acct-Session-Id |
N/A |
<session> |
|
NAS-Port-Type |
N/A |
N/A |
|
cisco-av-pair |
N/A |
N/A |
|
NetworkDeviceProfileName |
N/A |
N/A |
|
NetworkDeviceProfileId |
N/A |
N/A |
|
IsThirdPartyDeviceFlow |
N/A |
N/A |
|
PostureStatus |
N/A |
<status> |
|
AcsSessionID |
<session> |
<session> |
|
AuthenticationMethod |
N/A |
N/A |
|
SelectedAccessService |
N/A |
N/A |
|
FailureReason |
<reason> |
<reason> |
|
Step |
N/A |
N/A |
|
SelectedAuthenticationIdentityStores |
N/A |
N/A |
|
EndPointMACAddress |
N/A |
<dnatip>,<dmac> |
|
Key1 |
N/A |
N/A |
|
Key2 |
N/A |
N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1003092 |
Failed Attempts Format: 1 |
Base Rule |
General Action Failure |
Error |
|
Authentication Succeeded |
Sub Rule |
User Logon |
Authentication Success |
|
|
RADIUS Accounting Update |
Sub Rule |
Software Updated |
Configuration |
|
|
Login Timeout |
Sub Rule |
Session Timeout |
Warning |
|
|
RADIUS Accounting Stop Request |
Sub Rule |
Process/Service Stopping |
Startup and Shutdown |
|
|
RADIUS Accounting Start Request |
Sub Rule |
Process/Service Starting |
Startup and Shutdown |
|
|
RADIUS Invalid Authenticator |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
Authentication Failed |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
RADIUS Accounting-Request Dropped |
Sub Rule |
Radius Request Failed |
Error |
|
|
Invalid EAP Response |
Sub Rule |
Invalid Result |
Error |
|
|
Invalid Certificate CA |
Sub Rule |
Server Certificate Validation Failure |
Other Audit Failure |
|
|
RADIUS Request Dropped |
Sub Rule |
Radius Request Failed |
Error |
|
|
No Response Received |
Sub Rule |
No Response Received |
Warning |
|
|
Dynamic Authorization Success |
Sub Rule |
User Logon |
Authentication Success |
|
|
Invalid RADIUS State |
Sub Rule |
Invalid Result |
Error |
|
|
Invalid EAP Payload |
Sub Rule |
Invalid Result |
Error |
|
|
Authorization-Only Success |
Sub Rule |
User Logon |
Authentication Success |
|
|
Dynamic Authorization Failure |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
EAP-FAST Failure |
Sub Rule |
Client Indicates Failure |
Warning |
|
|
Local Certificate Rejected |
Sub Rule |
Certificate Verification Failure |
Error |
|
|
Unexpected EAP Message |
Sub Rule |
Unexpected Return Result |
Warning |
|
|
Crypto Processing Failed |
Sub Rule |
Crypto Processing Failed |
Error |
|
|
EAP: PEAP Handshake Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EAP: Unexpectedly Received TLS Alert Message |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
Expected TLS Ack For Alert: Received Another Mesg |
Sub Rule |
Suspicious Activity |
Suspicious |
|
|
Passed-Authentication: DACL Download Succeeded |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
Administrator Authentication Fail |
Sub Rule |
User Logon Failure |
Authentication Failure |
|
|
User Account Created |
Sub Rule |
User Account Created |
Account Created |
|
|
User Authentication |
Sub Rule |
User Logon |
Authentication Success |
|
|
Sponsor Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
Sponsor Authenticated |
Sub Rule |
User Logon |
Authentication Success |
|
|
Empty TLS Message |
Sub Rule |
Empty Message Received |
Warning |
|
|
Rejection From Client |
Sub Rule |
Message Rejected |
Warning |
|
|
Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
Administrator Authentication Succeeded |
Sub Rule |
User Logon |
Authentication Success |
|
|
Certificate Check |
Sub Rule |
Certificate Status Response |
Activity |
|
|
SSL Handshake Failure |
Sub Rule |
Handshake Failed |
Warning |
|
|
Administrator Login Failed |
Sub Rule |
User Logon Failure |
Authentication Failure |
LogRhythm Default v2.0
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1012913 |
V 2.0 Failed Attempts Event |
Base Rule |
General Failed Activity |
Failed Activity |
|
V 2.0 EVID: 5400 Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
V 2.0 EVID: 5401 Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
V 2.0 EVID: 5402 Command Authorization Failed |
Sub Rule |
Authorization Failed |
Warning |
|
|
V 2.0 EVID: 5403 Session Authorization Failed |
Sub Rule |
Authorization Failed |
Warning |
|
|
V 2.0 EVID: 5404 Authorization Failed |
Sub Rule |
Authorization Failed |
Warning |
|
|
V 2.0 EVID: 5405 RADIUS Request Dropped |
Sub Rule |
RADIUS Request Failure |
Warning |
|
|
V 2.0 EVID: 5406 TACACS+ Request Dropped |
Sub Rule |
TACACS+ Accounting Request Rejected |
Information |
|
|
V 2.0 EVID: 5407 TACACS+ Authorization Failed |
Sub Rule |
Authorization Failed |
Warning |
|
|
V 2.0 EVID: 5408 Command Authorization Error |
Sub Rule |
General Authorization Warning |
Warning |
|
|
V 2.0 EVID: 5409 Session Authorization Error |
Sub Rule |
General Authorization Warning |
Warning |
|
|
V 2.0 EVID: 5410 TACACS+ Authorization Error |
Sub Rule |
General Authorization Warning |
Warning |
|
|
V 2.0 EVID: 5411 Supplicant Stopped Responding |
Sub Rule |
Host Not Responding |
Warning |
|
|
V 2.0 EVID: 5412 TACACS+ Auth Req Ended With Err |
Sub Rule |
Authentication Error |
Error |
|
|
V 2.0 EVID: 5413 RADIUS Accounting-Req Dropped |
Sub Rule |
Accounting Request Dropped |
Warning |
|
|
V 2.0 EVID: 5414 TACACS+ Accounting Failed |
Sub Rule |
Accounting Failure |
Error |
|
|
V 2.0 EVID: 5415 Change Password Failed |
Sub Rule |
Password Change Failed |
Error |
|
|
V 2.0 EVID: 5416 RADIUS PAP Session Cleaned Up |
Sub Rule |
PAP Session Cleaned Up |
Information |
|
|
V 2.0 EVID: 5417 Dynamic Authorization Failed |
Sub Rule |
Authorization Failed |
Warning |
|
|
V 2.0 EVID: 5418 Guest Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
V 2.0 EVID: 5419 DACL Download Failed |
Sub Rule |
Download Object Failure |
Access Failure |
|
|
V 2.0 EVID: 5420 Trustsec Data Download Failed |
Sub Rule |
Download Object Failure |
Access Failure |
|
|
V 2.0 EVID: 5421 Trustsec Peer Policy Dwnld Fail |
Sub Rule |
Download Object Failure |
Access Failure |
|
|
V 2.0 EVID: 5422 Authorize-Only Failed |
Sub Rule |
Authorization Failed |
Warning |
|
|
V 2.0 EVID :5423 Device Registration Web Auth Fail |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
V 2.0 EVID: 5434 Endpoint Multiple Failed Auth |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
V 2.0 EVID: 5435 NAS Multiple Failed Auth |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
V 2.0 EVID: 5436 RADIUS Packet Already In Process |
Sub Rule |
Packet Already In Process |
Information |
|
|
V 2.0 EVID: 5437 Dup. RADIUS Pkt For Mult Paramet |
Sub Rule |
Duplicate Packet |
Error |
|
|
V 2.0 EVID: 5438 RADIUS Pkt Session Doesnot Exist |
Sub Rule |
Cannot Establish Session |
Error |
|
|
V 2.0 EVID: 5439 RADIUS Packet Session Not Start |
Sub Rule |
Failed To Create Session |
Error |
|
|
V 2.0 EVID: 5440 Endpoint EAP Session Abandoned |
Sub Rule |
Session Terminated Due To Error |
Error |
|
|
V 2.0 EVID: 5441 Endpoint New Session Dropped |
Sub Rule |
Failed To Create Session |
Error |
|
|
V 2.0 EVID: 5442 RADIUS Req Drop- System Overload |
Sub Rule |
Request Rejected |
Error |
|
|
V 2.0 EVID: 5443 RADIUS Req Drop- EAP Session Lim |
Sub Rule |
Request Rejected |
Error |
|
|
V 2.0 EVID: 5447 MDM Authentication Passed |
Sub Rule |
Authentication Complete |
Information |
|
|
V 2.0 EVID: 5448 MDM Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
V 2.0 EVID: 5449 Endpoint Multiple Failed Auth |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
V 2.0 EVID: 5450 RADIUS DTLS Handshake Failed |
Sub Rule |
Handshake Failed |
Warning |
|
|
V 2.0 EVID: 5451 Social Login Permission Denied |
Sub Rule |
Social Media Activity |
Misuse |
|
|
V 2.0 EVID: 5452 Social Login User Info Error |
Sub Rule |
LOGIN Error |
Error |