
Failed Attempts Format : 1

Vendor Documentation

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

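| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| pri_num | N/A | N/A |
| time | N/A | N/A |
| IP address/hostname | N/A | N/A |
| cat_name | N/A | `<vendorinfo>` |
| msg_id | N/A | N/A |
| total_seg | N/A | N/A |
| seg_num | N/A | N/A |
| timestamp | N/A | N/A |
| sequence_num | N/A | N/A |
| msg_code | N/A | `<vmid>` `<tag1>` |
| msg_sev | N/A | `<severity>` |
| msg_class | `<process>` | `<subject>` |
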
msg_text<status>
<tag1>
<action> 
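
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| ConfigVersionId | `<version>` | N/A |
| DeviceIPAddress | `<dip>` | `<sip>` |
| DevicePort | `<dport>` | `<sport>` |
| DestinationIPAddress | N/A | `<dip>` |
| DestinationPort | N/A | `<dport>` |
| RadiusPacketType | `<objecttype>` | N/A |
| UserName | `<login>` | `<account>` |
| MacAddress | N/A | N/A |
| IpAddress | N/A | `<sip>` |
| CmdSet | N/A | N/A |
| Protocol | `<protname>` | `<protnum>/<protname>` |
| RequestLatency | N/A | N/A |
| NetworkDeviceName | `<dname>` | N/A |
| Type | N/A | N/A |
| Action | N/A | `<status>` |
| Privilege-Level | N/A | N/A |
| Authen-Type | N/A | N/A |
| Service | N/A | N/A |
| User | N/A | N/A |
| Port | N/A | N/A |
| Remote-Address | `<sip>` | N/A |
| User-Name | N/A | `<account>` |
| NAS-IP-Address | N/A | N/A |
| NAS-Port | N/A | N/A |
| Service-Type | N/A | N/A |
| Framed-MTU | N/A | N/A |
| State | N/A | `<status>` |
| Called-Station-ID | N/A | `<dnatip>,<dmac>` |
| Calling-Station-ID | N/A | `<snatip>,<smac>` |
| Acct-Session-Id | N/A | `<session>` |
| NAS-Port-Type | N/A | N/A |
| cisco-av-pair | N/A | N/A |
| NetworkDeviceProfileName | N/A | N/A |
| NetworkDeviceProfileId | N/A | N/A |
| IsThirdPartyDeviceFlow | N/A | N/A |
| PostureStatus | N/A | `<status>` |
| AcsSessionID | `<session>` | `<session>` |
| AuthenticationMethod | N/A | N/A |
| SelectedAccessService | N/A | N/A |
| FailureReason | `<reason>` | `<reason>` |
| Step | N/A | N/A |
| SelectedAuthenticationIdentityStores | N/A | N/A |
| EndPointMACAddress | N/A | `<dnatip>,<dmac>` |
| Key1 | N/A | N/A |
| Key2 | N/A | N/A |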

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1003092 | Failed Attempts Format: 1 | Base Rule | General Action Failure | Error |
| | Authentication Succeeded | Sub Rule | User Logon | Authentication Success |
| | RADIUS Accounting Update | Sub Rule | Software Updated | Configuration |
| | Login Timeout | Sub Rule | Session Timeout | Warning |
| | RADIUS Accounting Stop Request | Sub Rule | Process/Service Stopping | Startup and Shutdown |
| | RADIUS Accounting Start Request | Sub Rule | Process/Service Starting | Startup and Shutdown |
| | RADIUS Invalid Authenticator | Sub Rule | User Logon Failure | Authentication Failure |
| | Authentication Failed | Sub Rule | User Logon Failure | Authentication Failure |
| | RADIUS Accounting-Request Dropped | Sub Rule | Radius Request Failed | Error |
| | Invalid EAP Response | Sub Rule | Invalid Result | Error |
| | Invalid Certificate CA | Sub Rule | Server Certificate Validation Failure | Other Audit Failure |
| | RADIUS Request Dropped | Sub Rule | Radius Request Failed | Error |
| | No Response Received | Sub Rule | No Response Received | Warning |
| | Dynamic Authorization Success | Sub Rule | User Logon | Authentication Success |
| | Invalid RADIUS State | Sub Rule | Invalid Result | Error |
| | Invalid EAP Payload | Sub Rule | Invalid Result | Error |
| | Authorization-Only Success | Sub Rule | User Logon | Authentication Success |
| | Dynamic Authorization Failure | Sub Rule | User Logon Failure | Authentication Failure |
| | EAP-FAST Failure | Sub Rule | Client Indicates Failure | Warning |
| | Local Certificate Rejected | Sub Rule | Certificate Verification Failure | Error |
| | Unexpected EAP Message | Sub Rule | Unexpected Return Result | Warning |
| | Crypto Processing Failed | Sub Rule | Crypto Processing Failed | Error |
| | EAP: PEAP Handshake Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | EAP: Unexpectedly Received TLS Alert Message | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | Expected TLS Ack For Alert: Received Another Mesg | Sub Rule | Suspicious Activity | Suspicious |
| | Passed-Authentication: DACL Download Succeeded | Sub Rule | Authentication Activity | Authentication Success |
| | Administrator Authentication Fail | Sub Rule | User Logon Failure | Authentication Failure |
| | User Account Created | Sub Rule | User Account Created | Account Created |
| | User Authentication | Sub Rule | User Logon | Authentication Success |
| | Sponsor Authentication Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | Sponsor Authenticated | Sub Rule | User Logon | Authentication Success |
| | Empty TLS Message | Sub Rule | Empty Message Received | Warning |
| | Rejection From Client | Sub Rule | Message Rejected | Warning |
| | Authentication Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | Administrator Authentication Succeeded | Sub Rule | User Logon | Authentication Success |
| | Certificate Check | Sub Rule | Certificate Status Response | Activity |
| | SSL Handshake Failure | Sub Rule | Handshake Failed | Warning |
| | Administrator Login Failed | Sub Rule | User Logon Failure | Authentication Failure |

LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1012913 | V 2.0 Failed Attempts Event | Base Rule | General Failed Activity | Failed Activity |
| | V 2.0 EVID: 5400 Authentication Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | V 2.0 EVID: 5401 Authentication Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | V 2.0 EVID: 5402 Command Authorization Failed | Sub Rule | Authorization Failed | Warning |
| | V 2.0 EVID: 5403 Session Authorization Failed | Sub Rule | Authorization Failed | Warning |
| | V 2.0 EVID: 5404 Authorization Failed | Sub Rule | Authorization Failed | Warning |
| | V 2.0 EVID: 5405 RADIUS Request Dropped | Sub Rule | RADIUS Request Failure | Warning |
| | V 2.0 EVID: 5406 TACACS+ Request Dropped | Sub Rule | TACACS+ Accounting Request Rejected | Information |
| | V 2.0 EVID: 5407 TACACS+ Authorization Failed | Sub Rule | Authorization Failed | Warning |
| | V 2.0 EVID: 5408 Command Authorization Error | Sub Rule | General Authorization Warning | Warning |
| | V 2.0 EVID: 5409 Session Authorization Error | Sub Rule | General Authorization Warning | Warning |
| | V 2.0 EVID: 5410 TACACS+ Authorization Error | Sub Rule | General Authorization Warning | Warning |
| | V 2.0 EVID: 5411 Supplicant Stopped Responding | Sub Rule | Host Not Responding | Warning |
| | V 2.0 EVID: 5412 TACACS+ Auth Req Ended With Err | Sub Rule | Authentication Error | Error |
| | V 2.0 EVID: 5413 RADIUS Accounting-Req Dropped | Sub Rule | Accounting Request Dropped | Warning |
| | V 2.0 EVID: 5414 TACACS+ Accounting Failed | Sub Rule | Accounting Failure | Error |
| | V 2.0 EVID: 5415 Change Password Failed | Sub Rule | Password Change Failed | Error |
| | V 2.0 EVID: 5416 RADIUS PAP Session Cleaned Up | Sub Rule | PAP Session Cleaned Up | Information |
| | V 2.0 EVID: 5417 Dynamic Authorization Failed | Sub Rule | Authorization Failed | Warning |
| | V 2.0 EVID: 5418 Guest Authentication Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | V 2.0 EVID: 5419 DACL Download Failed | Sub Rule | Download Object Failure | Access Failure |
| | V 2.0 EVID: 5420 Trustsec Data Download Failed | Sub Rule | Download Object Failure | Access Failure |
| | V 2.0 EVID: 5421 Trustsec Peer Policy Dwnld Fail | Sub Rule | Download Object Failure | Access Failure |
| | V 2.0 EVID: 5422 Authorize-Only Failed | Sub Rule | Authorization Failed | Warning |
| | V 2.0 EVID :5423 Device Registration Web Auth Fail | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | V 2.0 EVID: 5434 Endpoint Multiple Failed Auth | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | V 2.0 EVID: 5435 NAS Multiple Failed Auth | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | V 2.0 EVID: 5436 RADIUS Packet Already In Process | Sub Rule | Packet Already In Process | Information |
| | V 2.0 EVID: 5437 Dup. RADIUS Pkt For Mult Paramet | Sub Rule | Duplicate Packet | Error |
| | V 2.0 EVID: 5438 RADIUS Pkt Session Doesnot Exist | Sub Rule | Cannot Establish Session | Error |
| | V 2.0 EVID: 5439 RADIUS Packet Session Not Start | Sub Rule | Failed To Create Session | Error |
| | V 2.0 EVID: 5440 Endpoint EAP Session Abandoned | Sub Rule | Session Terminated Due To Error | Error |
| | V 2.0 EVID: 5441 Endpoint New Session Dropped | Sub Rule | Failed To Create Session | Error |
| | V 2.0 EVID: 5442 RADIUS Req Drop- System Overload | Sub Rule | Request Rejected | Error |
| | V 2.0 EVID: 5443 RADIUS Req Drop- EAP Session Lim | Sub Rule | Request Rejected | Error |
| | V 2.0 EVID: 5447 MDM Authentication Passed | Sub Rule | Authentication Complete | Information |
| | V 2.0 EVID: 5448 MDM Authentication Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | V 2.0 EVID: 5449 Endpoint Multiple Failed Auth | Sub Rule | Authentication Failure Activity | Authentication Failure |
| | V 2.0 EVID: 5450 RADIUS DTLS Handshake Failed | Sub Rule | Handshake Failed | Warning |
| | V 2.0 EVID: 5451 Social Login Permission Denied | Sub Rule | Social Media Activity | Misuse |
| | V 2.0 EVID: 5452 Social Login User Info Error | Sub Rule | LOGIN Error | Error |
V 2.0 EVID: 5452 Social Login User Info ErrorSub RuleLOGIN ErrorError