Vendor Documentation
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
|
Log Field |
LogRhythm Default |
LogRhythm Default v2.0 |
|---|---|---|
|
pri_num |
N/A |
N/A |
|
time |
N/A |
N/A |
|
IP address/hostname |
N/A |
N/A |
|
cat_name |
N/A |
N/A |
|
msg_id |
<object> |
N/A |
|
total_seg |
N/A |
N/A |
|
seg_num |
<tag2> |
N/A |
|
timestamp |
N/A |
N/A |
|
sequence_num |
N/A |
N/A |
|
msg_code |
<vmid> |
N/A |
|
msg_sev |
<severity> |
N/A |
|
msg_class |
<tag1> |
N/A |
|
msg_text |
N/A |
N/A |
|
ConfigVersionId |
<version> |
N/A |
|
N/A |
<status> |
N/A |
|
AD-Domain-Controller |
<domainorigin> |
N/A |
|
AD-IP-Address |
<sip> |
N/A |
|
Reason |
<reason> |
N/A |
|
ProfilerServer |
<sname> |
N/A |
|
DestinationIPAddress |
<dip> |
N/A |
|
DestinationPort |
<dport> |
N/A |
|
UserName |
<domain>
|
N/A |
|
Protocol |
<protname> |
N/A |
|
NetworkDeviceName |
<sname> |
N/A |
|
User-Name |
<domain>
|
N/A |
|
RadiusPacketType |
<objecttype> |
N/A |
|
Device IP Address |
<sip> |
N/A |
|
HostID |
<dip> |
N/A |
|
N/A |
<object> |
N/A |
|
IPAddress |
<sip> |
N/A |
|
EndpointIPAddress |
<sip> |
N/A |
|
EndpointMacAddress |
<dmac> |
N/A |
|
EndpointNADAddress |
<dnatip> |
N/A |
|
EndpointPolicy |
<policy> |
N/A |
|
url-redirect |
<url> |
N/A |
|
MacAddress |
<smac> |
N/A |
|
NAS-IP-Address |
<snatip> |
N/A |
|
SessionID |
<session> |
N/A |
|
SystemName |
<sname> |
N/A |
|
SystemUserDomain |
<domain> |
N/A |
|
AuthenticationIdentityStore |
<subject> |
N/A |
|
GuestStatus |
<status> |
N/A |
|
GuestCustomFields=QID |
<processid> |
N/A |
|
SelectedAccessService |
<objectname> |
N/A |
|
DetailedInfo |
<status> |
N/A |
|
AcsInstance |
<objectname> |
N/A |
|
adminIPaddress |
<sip> |
N/A |
|
adminname |
<login> |
N/A |
|
identitygroups |
<group> |
N/A |
|
objectname |
<account> |
N/A |
|
Response |
<result> |
N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1003096 |
Misc Messages |
Base Rule |
General Information Log Message |
Information |
|
ISE Process Started |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
|
ISE Process Stopped |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
|
Client Provisioned |
Sub Rule |
Client Accepted |
Other Audit Success |
|
|
Posture Report Received |
Sub Rule |
Report Generation |
Information |
|
|
Started Logging Component |
Sub Rule |
Process/Service Started |
Startup and Shutdown |
|
|
Stopped Logging Component |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
|
Started: Using Default Configuration |
Sub Rule |
Configuration Loaded: System |
Configuration |
|
|
Ready For Configuration Changes |
Sub Rule |
Configuration Modified: System |
Configuration |
|
|
Node Registered |
Sub Rule |
Client Connected |
Other Audit Success |
|
|
Client Provisioning Failed |
Sub Rule |
Modify Object Failure |
Access Failure |
|
|
Received Posture Report |
Sub Rule |
Report Delivered |
Information |
|
|
Profiler Event Occurred |
Sub Rule |
Endpoint Profiling Activity |
Information |
|
|
Change Of Authorization Request |
Sub Rule |
Request Received |
Information |
|
|
Profiler SNMP Request Failed |
Sub Rule |
Request Rejected Due To Error |
Information |
|
|
External Active Directory Warning |
Sub Rule |
General Active Directory Warning |
Warning |
|
|
Changed Configuration |
Sub Rule |
Configuration Change Confirmed |
Warning |
|
|
EAP Timeout |
Sub Rule |
Timeout |
Warning |
|
|
Accounting Request Dropped |
Sub Rule |
Accounting Request Dropped |
Warning |
|
|
Supplicant Provisioning Failed |
Sub Rule |
Provisioning Failed |
Warning |
|
|
Supplicant Provisioning In Progress |
Sub Rule |
Provisioning Updated |
Information |
|
|
Supplicant Provisioning Succeeded |
Sub Rule |
Provisioning Finished |
Information |
|
|
Posture Update Success |
Sub Rule |
Update Successful |
Information |
|
|
Auth Messages |
Sub Rule |
Authentication Provisioning Failed |
Warning |
|
|
Authentication Susseccful Messages |
Sub Rule |
Authorization Success |
Other Audit Success |
|
|
User Policy Messages |
Sub Rule |
Password Modified |
Account Modified |
|
|
Account Updated Messages |
Sub Rule |
User Account Attribute Modified |
Account Modified |
|
|
User Account Deleted Messages |
Sub Rule |
User Account Deleted |
Account Deleted |
|
|
Authentication Succeeded |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
DACL Download Succeeded |
Sub Rule |
Object Downloaded |
Access Success |
|
|
NAS Problem Fixed |
Sub Rule |
General NAS Message |
Information |
|
|
Radius Request Dropped |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
NAS Authentication Failure |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
Authentication Session Ended |
Sub Rule |
Authentication Session Ended |
Other Audit |
|
|
EVID 25047: Authentication Domain Is Unavailable |
Sub Rule |
Authentication Server Unable to Process Request |
Error |
|
|
EVID 25113: No Of Bad Pass Attempts Above AD Config |
Sub Rule |
Num Of Authentication Failures Above High Boundary |
Warning |
|
|
EVID 25114: No Of Bad Pass Attempts Below AD Config |
Sub Rule |
Num Of Authentication Failures Below Low Boundary |
Information |
|
|
EVID 25115: Cannot Fetch User Attributes From AD |
Sub Rule |
General Authentication Warning |
Warning |
|
|
EVID 25116: Cannot Determine Current Bad Password |
Sub Rule |
General Authentication Warning |
Warning |
|
|
EVID 51000: Administrator Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 51001: Administrator Authentication Succeeded |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 51005: Admin Auth Failed. Account Disabled. |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 51006: Admin Auth Failed. Inactive Account. |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 51007: Admin Auth Failed. Password Expired. |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 51008: Acc Disabled Due To Failed Auth Attempt |
Sub Rule |
User Logon Failure: Account Disabled |
Authentication Failure |
|
|
EVID 51009: Auth Failed. ISE Runtime Not Running. |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 51020: Login Username Does Not Exist. |
Sub Rule |
User Logon Failure: Bad Username |
Authentication Failure |
|
|
EVID 51021: Admin Auth Failed. Wrong Password. |
Sub Rule |
User Logon Failure: Bad Password |
Authentication Failure |
|
|
EVID 51022: Admin Auth Failed. System Error |
Sub Rule |
Authentication Failed - Internal Error |
Error |
|
|
EVID 51106: Authentication For Web Services Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 60075: Sponsor Has Successfully Authenticated |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 60076: Sponsor Authentication Has Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 60077: MyDevices User Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 60078: MyDevices User Has Successfull Auth |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 61013: ISE Failed To Authenticate Against APIC |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 61014: ISE Refreshed Auth Against APIC Success |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 61015: ISE Failed To Refresh Auth Against APIC |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 60507: ERS Request Rejected Due To Unauth User |
Sub Rule |
Failed Unauthorized Activity |
Failed Misuse |
|
|
EVID 61054: ISE Found Invalid Authorization Profile |
Sub Rule |
Invalid Authorization Settings |
Warning |
|
|
EVID 51025: Authentication For Web Services Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 61235: SDA Authenticated Against ACI Success |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 61012: ISE Auth Against APIC Succesfully |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 61236: SDA Failed To Authenticate Against ACI |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 10003: Internal Error: Blank Admin Name |
Sub Rule |
Authentication Failed - Internal Error |
Error |
|
|
EVID 10004: Internal Error: Blank Admin Password |
Sub Rule |
Authentication Failed - Internal Error |
Error |
|
|
EVID 10005: Administrator Auth Successfully |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 10006: Administrator Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 10007: Administrator Auth Failed - DB Error |
Sub Rule |
Authentication Failed Due To Database Error |
Error |
|
|
EVID 22000: Auth Resulted In Internal Error |
Sub Rule |
Authentication Failed - Internal Error |
Error |
|
|
EVID 22007: Username Attribute Missing In Auth Req |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 22028: Auth Failed & Advanced Options Ignored |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 22091: Auth Failed. User Account Disabled |
Sub Rule |
User Logon Failure: Account Disabled |
Authentication Failure |
|
|
EVID 5400: Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 5401: Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 5402: Command Authorization Failed |
Sub Rule |
Authorization Failed |
Warning |
|
|
EVID 5403: Session Authorization Failed |
Sub Rule |
Authorization Failed |
Warning |
|
|
EVID 5404: Authorization Failed |
Sub Rule |
Authorization Failed |
Warning |
|
|
EVID 5407: TACACS+ Authorization Failed |
Sub Rule |
Authorization Failed |
Warning |
|
|
EVID 5408: Command Auth Encountered An Error |
Sub Rule |
Authorization Failed |
Warning |
|
|
EVID 5409: Session Auth Encountered An Error |
Sub Rule |
Authorization Failed |
Warning |
|
|
EVID 5410: TACACS+ Auth Encountered An Error |
Sub Rule |
Authorization Failed |
Warning |
|
|
EVID 5412: TACACS+ Auth Req Ended With Error |
Sub Rule |
General Authentication Error |
Error |
|
|
EVID 5417: Dynamic Authorization Failed |
Sub Rule |
Authorization Failed |
Warning |
|
|
EVID 5418: Guest Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 5423: Device Registration Web Auth Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 5434: Endpoint Conducted Several Failed Auth |
Sub Rule |
Num Of Authentication Failures Above High Boundary |
Warning |
|
|
EVID 5435: NAS Conducted Several Failed Auth |
Sub Rule |
Num Of Authentication Failures Above High Boundary |
Warning |
|
|
EVID 5447: MDM Authentication Passed |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 5448: MDM Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 5449: Endpoint Failed Auth Several Times |
Sub Rule |
Num Of Authentication Failures Above High Boundary |
Warning |
|
|
EVID 86010: Guest User Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 86018: Guest Change Of Authorization Failed |
Sub Rule |
Authorization Failed |
Warning |
|
|
EVID 24021: User Authentication Ended With An Error |
Sub Rule |
General Authentication Error |
Error |
|
|
EVID 24050: Cannot Authenticate With LDAP Identity |
Sub Rule |
General Authentication Warning |
Warning |
|
|
EVID 24056: User Auth Detected Expired Password |
Sub Rule |
General Authentication Warning |
Warning |
|
|
EVID 24057: Pass Failure Limit Reached & Acc Locked |
Sub Rule |
User Logon Failure: Account Disabled |
Authentication Failure |
|
|
EVID 24402: User Auth Against AD Succeeded |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 24403: User Authentication Against AD Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 24418: Machine Auth Against AD Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 24454: User Auth Against AD Timeout |
Sub Rule |
Authentication Timeout |
Other Audit |
|
|
EVID 24470: Machine Auth Against AD Is Successful |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 24492: Machine Auth Against AD Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 24496: Auth Rejected Due To White/Black List |
Sub Rule |
General Authentication Warning |
Warning |
|
|
EVID 24612: Auth Against Radius Token Server Succ |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 24613: Auth Against Radius Token Server Fail |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 24814: Responding Provider Failed To Auth Prin |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 24716: AD Kerberos Ticket Auth Succeeded |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 24717: AD Kerberos Ticket Auth Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 89157: CMCS Authentication Failure |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 89159: APNS Authentication Failure |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 89160: MDM User Authentication Completed |
Sub Rule |
Authentication Complete |
Information |
|
|
EVID 35008: Smart Licensing Authorization Expired |
Sub Rule |
License Expired - Warning |
Warning |
|
|
EVID 35017: Smart Licensing Auth Renewal Success |
Sub Rule |
License Allocated |
Information |
|
|
EVID 35018: Smart Licensing Auth Renewal Failure |
Sub Rule |
License Update Failed |
Error |
|
|
EVID 35044: Auth Renewal To Satellite Server Succ |
Sub Rule |
Renew |
Information |
|
|
EVID 35045: Auth Renewal To Satellite Server Fail |
Sub Rule |
Update Failed |
Error |
|
|
EVID 35047: Permanent License Reservation |
Sub Rule |
License Allocated |
Information |
|
|
EVID 89202: Auth Failed For Mob Device Enrollment |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 89203: Auth Failed For Mob Device Enrollment |
Sub Rule |
Authorization Failed |
Warning |
|
|
EVID 89204: Auth Failed For Mob Device Enrollment |
Sub Rule |
Authorization Failed |
Warning |
|
|
EVID 89208: Max Num Of Auth Attempts Exceeded |
Sub Rule |
Num Of Authentication Failures Above High Boundary |
Warning |
|
|
EVID 89216: Auth Failed Fr Profile Provisioning Req |
Sub Rule |
Authorization Failed |
Warning |
|
|
EVID 5200: Authentication Succeeded |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 5201: Authentication Succeeded |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 5202: Command Authorization Succeeded |
Sub Rule |
Authorization Success |
Other Audit Success |
|
|
EVID 5203: Session Authorization Succeeded |
Sub Rule |
Authorization Success |
Other Audit Success |
|
|
EVID 5205: Dynamic Authorization Succeeded |
Sub Rule |
Authorization Success |
Other Audit Success |
|
|
EVID 5237: Device Registration Web Auth Passed |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 90202: Authentication Request Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 15009: Exception Auth Policy Not Configured |
Sub Rule |
Policy Not Configured |
Error |
|
|
EVID 15011: Authorization Policy Not Configured |
Sub Rule |
Policy Not Configured |
Error |
|
|
EVID 15016: Selected Authorization Profile |
Sub Rule |
Authorization Profile Selected |
Information |
|
|
EVID 15019: Could Not Find Selected Auth Profiles |
Sub Rule |
Authorization Profiles Not Found |
Error |
|
|
EVID 15035: Evaluating Exception Auth Policy |
Sub Rule |
General Authorization Warning |
Warning |
|
|
EVID 15036: Evaluating Authorization Policy |
Sub Rule |
General Authorization Warning |
Warning |
|
|
EVID 15039: Rejected Per Authorization Profile |
Sub Rule |
Connection Rejected |
Information |
|
|
EVID 15052: Auth Profile Specified Are Not Suited |
Sub Rule |
Insufficient Privileges |
Error |
|
|
EVID 83015: Posture Service Is Triggering CoA Req |
Sub Rule |
General Information |
Information |
|
|
EVID 85000: Endpoint Prot Servic Triggering CoA Req |
Sub Rule |
General Information |
Information |
|
|
EVID 80006: Profiler Is Triggering CoA Req |
Sub Rule |
General Information |
Information |
|
|
EVID 11020: Radius Sess Auth Not Return Valid Res |
Sub Rule |
Sess Authorization Did Not Return A Valid Result |
Error |
|
|
EVID 11022: Added DACL Specified In Auth Profile |
Sub Rule |
General Information |
Information |
|
|
EVID 11039: Radius Auth Req Rejected |
Sub Rule |
General Authentication Information |
Information |
|
|
EVID 11052: Auth Req Dropped-Unsupported Port Num |
Sub Rule |
Request Dropped |
Warning |
|
|
EVID 11200: Received Invalid Dynamic Auth Req |
Sub Rule |
Invalid Dynamic Authorization Request Received |
Error |
|
|
EVID 11201: Received Disconnect Dynamic Auth Req |
Sub Rule |
Disconnect Dynamic Authorization Request Received |
Information |
|
|
EVID 11202: Disconn & Port Shutdown Dyn Auth Req |
Sub Rule |
Disconn And Port Shutdown Dynamic Auth Req |
Information |
|
|
EVID 11203: Disconn & Port Bounce Dynamic Auth Req |
Sub Rule |
Disconn And Port Bounce Dynamic Auth Req Received |
Information |
|
|
EVID 11207: Received Disconnect Dynamic Auth Resp |
Sub Rule |
Disconnect Dynamic Authorization Response |
Information |
|
|
EVID 11208: Disconn And Port Shutdown Dyn Auth Rsp |
Sub Rule |
Disconn And Port Shutdown Dynamic Auth Rsp |
Information |
|
|
EVID 11209: Rcvd Disconn & Port Bounce Dyn Auth Rsp |
Sub Rule |
Disconn And Port Bounce Dynamic Auth Rsp Received |
Information |
|
|
EVID 11211: Proxying Req To Dynamic Auth Clnt IES |
Sub Rule |
Proxying Request To Dynamic Authorization Clnt ACS |
Information |
|
|
EVID 11213: No Res Rcvd From Network Access Device |
Sub Rule |
No Response Received From Network Access Device |
Warning |
|
|
EVID 11215: No Res Rcvd From Dynamic Auth Clnt |
Sub Rule |
No Response Received From Network Access Device |
Warning |
|
|
EVID 11217: Prepared Disconnect Dynamic Auth Req |
Sub Rule |
Prepared Disconnect Dynamic Authorization Request |
Information |
|
|
EVID 11218: Prepared Disconn & Port Shutdown Dyn Au |
Sub Rule |
Prepared Disconn And Port Shutdown Dynamic Auth |
Information |
|
|
EVID 11219: Prepared Disconn & Port Bounce Dyn Auth |
Sub Rule |
Prepared Disconn And Port Bounce Dynamic Auth Req |
Information |
|
|
EVID 11221: Received Disconn Dynamic Auth ACK Rsp |
Sub Rule |
Disconnect Dynamic Authorization ACK Rsp Received |
Information |
|
|
EVID 11222: Received Disconn Dynamic Auth NAK Rsp |
Sub Rule |
Disconnect Dynamic Authorization NAK Rsp Received |
Information |
|
|
EVID 11223: Received Dynamic Auth CoA ACK Rsp |
Sub Rule |
Dynamic Authorization CoA ACK Response Received |
Information |
|
|
EVID 11224: Received Dynamic Auth CoA NAK Rsp |
Sub Rule |
Dynamic Authorization CoA NAK Response Received |
Information |
|
|
EVID 11225: Dyn Auth Req Rej - Critical Logging Err |
Sub Rule |
Dynamic Auth Req Rejected - Critical Logging Err |
Critical |
|
|
EVID 11226: ISE Proxy Node Deregistered |
Sub Rule |
ACS Proxy Node Deregistered |
Error |
|
|
EVID 11227: ISE Proxy Node Marked Inactive |
Sub Rule |
ACS Proxy Node Marked Inactive |
Error |
|
|
EVID 11361: Valid Incoming Authentication Request |
Sub Rule |
General Authentication Information |
Information |
|
|
EVID 11510: EAP Negotiation Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 11812: EAP-MSCHAP Authentication Succeeded |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 11813: EAP-MSCHAP Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 11814: Inner EAP-MSCHAP Auth Succeeded |
Sub Rule |
Authorization Success |
Other Audit Success |
|
|
EVID 11815: Inner EAP-MSCHAP Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 11823: EAP-MSCHAP Auth Attempt Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 12005: EAP-MD5 Authentication Succeeded |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 12006: EAP-MD5 Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 12106: EAP-FAST Auth Phase Finished Success |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 12108: EAP-FAST Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 12136: Sent NDAC Authentication To Client |
Sub Rule |
Authentication Request Sent |
Information |
|
|
EVID 12137: Received NDAC Authentication Response |
Sub Rule |
Authentication Response Received |
Information |
|
|
EVID 12138: Received Authorization PAC |
Sub Rule |
Authorization Received |
Information |
|
|
EVID 12147: Machine Authentication Is Disabled |
Sub Rule |
Machine Authentication Disabled |
Warning |
|
|
EVID 12161: Cannot Provision Authorization PAC |
Sub Rule |
Authentication Provisioning Failed |
Warning |
|
|
EVID 12162: Cannot Provision Auth PAC - Anonymous |
Sub Rule |
Authentication Provisioning Failed |
Warning |
|
|
EVID 12163: One Auth PAC Already Requested |
Sub Rule |
Authorization Request Received |
Other Audit |
|
|
EVID 12165: Auth PAC I-ID Not Match User Identity |
Sub Rule |
General Authorization Warning |
Warning |
|
|
EVID 12167: Auth PAC Provided Only With Tunnel PAC |
Sub Rule |
General Authorization Warning |
Warning |
|
|
EVID 12171: EAP-FAST User Auth PAC Provisioned |
Sub Rule |
PAC Provisioned |
Information |
|
|
EVID 12179: EAP-FAST Machine Auth PAC Provisioned |
Sub Rule |
PAC Provisioned |
Information |
|
|
EVID 12202: Approved EAP-FAST Client Auth PAC Req |
Sub Rule |
Request Approved |
Other Audit Success |
|
|
EVID 12208: Client Certificate Rcvd But Auth Fail |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 12210: Received User Authorization PAC |
Sub Rule |
Authorization Received |
Information |
|
|
EVID 12211: Received Machine Authorization PAC |
Sub Rule |
Authorization Received |
Information |
|
|
EVID 12224: User Auth PAC Request Ignored |
Sub Rule |
Request Ignored |
Warning |
|
|
EVID 12225: Machine Auth PAC Request Ignored |
Sub Rule |
Request Ignored |
Warning |
|
|
EVID 12227: User Authorization PAC Has Expired |
Sub Rule |
General Information |
Information |
|
|
EVID 12228: Machine Authorization PAC Has Expired |
Sub Rule |
General Information |
Information |
|
|
EVID 12231: Ignore Mac Auth PAC Req-No EAP Chaining |
Sub Rule |
Request Ignored |
Warning |
|
|
EVID 12236: Mac Auth PAC I-ID Not Match User Id |
Sub Rule |
Request Ignored |
Warning |
|
|
EVID 12306: PEAP Authentication Succeeded |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 12307: PEAP Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 12506: EAP-TLS Authentication Succeeded |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 12507: EAP-TLS Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 12528: Inner EAP-TLS Authentication Succeeded |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 12529: Inner EAP-TLS Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 12557: User Auth Failed - OCSP Status Unknown |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 12612: EAP-GTC Authentication Succeeded |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 12613: EAP-GTC Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 12614: Inner EAP-GTC Authentication Succeeded |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 12615: Inner EAP-GTC Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 12623: EAP-GTC Authentication Attempt Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 12705: LEAP Authentication Passed |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 12706: LEAP Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 12707: LEAP Authentication Error |
Sub Rule |
Authentication Error |
Error |
|
|
EVID 12855: Pac Was Not Sent Due To Auth Failure |
Sub Rule |
Authorization Failed |
Warning |
|
|
EVID 12857: Client Certificate Auth Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 12962: Reject User Authorization PAC |
Sub Rule |
PAC Rejected |
Warning |
|
|
EVID 12975: EAP-TTLS Authentication Succeeded |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 12976: EAP-TTLS Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 12993: User Auth Failed - OCSP Unreachable |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 11529: TEAP User Auth PAC Provisioned |
Sub Rule |
PAC Provisioned |
Information |
|
|
EVID 11530: TEAP Machine Auth PAC Provisioned |
Sub Rule |
PAC Provisioned |
Information |
|
|
EVID 11539: One Auth PAC Already Requested |
Sub Rule |
Request Ignored |
Warning |
|
|
EVID 11542: User Auth PAC Request Ignored |
Sub Rule |
Request Ignored |
Warning |
|
|
EVID 11543: Machine Auth PAC Request Ignored |
Sub Rule |
Request Ignored |
Warning |
|
|
EVID 11544: Ignore Mac Auth PAC Req-No EAP Chaining |
Sub Rule |
Request Ignored |
Warning |
|
|
EVID 11545: Machine Authentication Is Disabled |
Sub Rule |
Machine Authentication Disabled |
Warning |
|
|
EVID 11548: Cannot Provision Authorization PAC |
Sub Rule |
Authentication Provisioning Failed |
Warning |
|
|
EVID 11549: Cannot Provision Auth PAC - Anonymous |
Sub Rule |
Authentication Provisioning Failed |
Warning |
|
|
EVID 11550: Auth PAC Provided Only With Tunnel PAC |
Sub Rule |
General Authorization Warning |
Warning |
|
|
EVID 11551: Auth PAC I-ID Not Match User Identity |
Sub Rule |
Request Ignored |
Warning |
|
|
EVID 11553: Reject User Authorization PAC |
Sub Rule |
PAC Rejected |
Warning |
|
|
EVID 11554: Received Authorization PAC |
Sub Rule |
Authorization Received |
Information |
|
|
EVID 11555: Received User Authorization PAC |
Sub Rule |
Authorization Received |
Information |
|
|
EVID 11556: Received Machine Authorization PAC |
Sub Rule |
Authorization Received |
Information |
|
|
EVID 11562: Client Certificate Rcvd But Auth Fail |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 11584: Approved TEAP Client Auth PAC Request |
Sub Rule |
Request Approved |
Other Audit Success |
|
|
EVID 11594: Client Certificate Auth Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 11597: TEAP Auth Phase Finished Successfully |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 11598: TEAP Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
|
EVID 11607: User Authorization PAC Has Expired |
Sub Rule |
PAC Expired |
Warning |
|
|
EVID 11608: Machine Authorization PAC Has Expired |
Sub Rule |
PAC Expired |
Warning |
|
|
EVID 11629: Mac Auth PAC I-ID Not Match User Id |
Sub Rule |
Request Ignored |
Warning |
|
|
EVID 13000: Invalid TACACS+ Authorization Request |
Sub Rule |
Invalid Authorization Request |
Warning |
|
|
EVID 13005: Received TACACS+ Authorization Request |
Sub Rule |
Authorization Request Received |
Other Audit |
|
|
EVID 13027: TACACS+ Auth Req Missing Attributes |
Sub Rule |
Invalid Authorization Request |
Warning |
|
|
EVID 13034: Returned TACACS+ Authorization Reply |
Sub Rule |
Authorization Reply |
Information |
|
|
EVID 13066: TACACS Proxy Rcvd Incoming Auth Req |
Sub Rule |
Authorization Received |
Information |
|
|
EVID 13078: Invalid TACACS+ Authorization Request |
Sub Rule |
Invalid Authorization Request |
Warning |
|
|
EVID 91111: High Authentication Load Detected |
Sub Rule |
General Authentication Warning |
Warning |
|
|
EVID 86006: Guest User Account Is Created |
Sub Rule |
User Account Created |
Account Created |
|
|
EVID 86029: Failed To Perform A CoA Termination |
Sub Rule |
General Authorization Warning |
Warning |
|
|
EVID 88012: Successfully Performed CoA Termination |
Sub Rule |
General Authorization Warning |
Warning |
|
|
EVID 88014: Successful CoA Re-Authentication |
Sub Rule |
Authentication Activity |
Authentication Success |
|
|
EVID 88015: Failed To Perform CoA Re-Authentication |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
LogRhythm Default v2.0
N/A