Guest Message

Vendor Documentation

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|---|---|
| pri_num | N/A | N/A |
| time | N/A | N/A |
| IP address/hostname | N/A | N/A |
| cat_name | N/A | <vendorinfo> |
| msg_id | N/A | N/A |
| total_seg | N/A | N/A |
| seg_num | N/A | N/A |
| timestamp | N/A | N/A |
| sequence_num | N/A | N/A |
| msg_code | N/A | <vmid> <tag1> |
| msg_sev | N/A | <severity> |
| msg_class | <process> | <subject> |
| msg_text | <status> <tag1> | <action> |
| ConfigVersionId | <version> | N/A |
| UserType | <objecttype> | N/A |
| UserName | <login> | <account> |
| Firstname | N/A | N/A |
| Lastname | N/A | N/A |
| PhoneNumber | N/A | N/A |
| MacAddress | <smac> | <smac> |
| IpAddress | <sip> | <sip> |
| AuthenticationIdentityStore | N/A | N/A |
| PortalName | N/A | N/A |
| SponsorUser | N/A | N/A |
| IdentityGroup | N/A | N/A |
| PsnHostName | N/A | N/A |
| GuestUser | N/A | N/A |
| GuestUserName | N/A | N/A |
| GuestFirstname | N/A | N/A |
| GuestLastname | N/A | N/A |
| GuestEmailAddress | N/A | N/A |
| GuestAuthenticationIdentityStore | N/A | N/A |
| GuestType | N/A | N/A |
| GuestValidDays | N/A | N/A |
| GuestLocation | N/A | N/A |
| GuestStatus | N/A | N/A |
| EPMacAddress | <dmac> | N/A |
| NADAddress | <dip> | N/A |
| ResponseTime | N/A | N/A |
| AuditSessionId | <session> | N/A |
| ETS | N/A | N/A |
| Key1 | N/A | N/A |
| Key2 | N/A | N/A |

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1010154 | Guest Message | Base Rule | General POLICY Information | Information |

LogRhythm Default v2.0

| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1012622 | V 2.0 Guest Event | Base Rule | General Information Log Message | Information |
| | V 2.0 EVID 86001 Guest User Logged In | Sub Rule | User Logon | Authentication Success |
| | V 2.0 EVID 86002 Guest Account Suspended | Sub Rule | Access Revoked Activity | Access Revoked |
| | V 2.0 EVID 86003 Guest Account Enabled | Sub Rule | Account Enabled | Access Granted |
| | V 2.0 EVID 86004 Password Changed By Guest User | Sub Rule | Password Modified | Account Modified |
| | V 2.0 EVID 86005 Policy Accepted By Guest User | Sub Rule | Policy Created User/Password | Policy |
| | V 2.0 EVID 86006 Guest Account Created | Sub Rule | User Account Created | Account Created |
| | V 2.0 EVID 86007 Guest Account Updated | Sub Rule | User Account Attribute Modified | Account Modified |
| | V 2.0 EVID 86008 Guest Account Deleted | Sub Rule | User Account Deleted | Account Deleted |
| | V 2.0 EVID 86009 Guest Account Not Found | Sub Rule | User Not Found | Error |
| | V 2.0 EVID 86010 Guest User Auth Failure | Sub Rule | User Logon Failure | Authentication Failure |
| | V 2.0 EVID 86011 Guest User Not Enabled | Sub Rule | User Logon Failure Account Disabled | Authentication Failure |
| | V 2.0 EVID 86012 Access Policy Declined By Guest | Sub Rule | Policy Disabled User/Password | Policy |
| | V 2.0 EVID 86013 Portal Not Found | Sub Rule | Default Address Not Found | Error |
| | V 2.0 EVID 86014 User Account Suspended | Sub Rule | Access Revoked Activity | Access Revoked |
| | V 2.0 EVID 86015 Invalid Password Change | Sub Rule | Password Modified | Account Modified |
| | V 2.0 EVID 86016 Guest Timout Exceeded | Sub Rule | User Disconnected Due To Time Out | Information |
| | V 2.0 EVID 86017 SessionID Missing | Sub Rule | Session Could Not Be Established | Warning |
| | V 2.0 EVID 86018 Guest CoA Failed | Sub Rule | Authorization Failed | Warning |
| | V 2.0 EVID 86019 Guest User Restricted | Sub Rule | Access Revoked Activity | Access Revoked |
| | V 2.0 EVID 86020 Guest Unknown Error | Sub Rule | Unknown Error | Error |
| | V 2.0 EVID 86021 Entering Device Reg Web Auth | Sub Rule | Device Registered | Information |
| | V 2.0 EVID 86022 Device Reg Web Auth AUP Accept | Sub Rule | Device Registered | Other Audit Success |
| | V 2.0 EVID 86023 Device Re Web Auth AUP Declined | Sub Rule | Policy Disabled Domain | Policy |
| | V 2.0 EVID 86024 Dev Reg WAP EP Creation Passed | Sub Rule | Device Registered | Other Audit Success |
| | V 2.0 EVID 86025 Dev Reg WAP EP Creation Failed | Sub Rule | Communication Endpoint Creation Failure | Error |
| | V 2.0 EVID 86026 Dev Reg WAP CoA Termination Fail | Sub Rule | Process Termination Failed | Error |
| | V 2.0 EVID 86027 Dev Reg WAP Send CoA Termination | Sub Rule | Registration | Information |
| | V 2.0 EVID 86028 CoA Termination Success | Sub Rule | User Session Terminated | Information |
| | V 2.0 EVID 86029 CoA Termination Failed | Sub Rule | Process Termination Failed | Error |
| | V 2.0 EVID 86030 Policy Accepted By Sponsor User | Sub Rule | User Account Created | Account Created |
| | V 2.0 EVID 86031 Policy Declined By Sponsor User | Sub Rule | Policy Disabled User/Password | Policy |