Skip to main content
Skip table of contents

RADIUS Accounting

Vendor Documentation

https://www.cisco.com/c/en/us/td/docs/security/ise/syslog/Cisco_ISE_Syslogs/m_SyslogsList.html

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

Log FieldLogRhythm DefaultLogRhythm Default v2.0
pri_numN/AN/A
timeN/AN/A
IP address/hostnameN/AN/A
cat_nameN/A<vendorinfo>
msg_idN/AN/A
total_segN/AN/A
seg_numN/AN/A
timestampN/AN/A
sequence_numN/AN/A
msg_codeN/A<vmid>
<tag1>
msg_sevN/A<severity>
msg_class<process><subject> 
msg_text<status>
<tag1>		<action> 
ConfigVersionId<version>N/A
Device IP Address<sip><sip>
UserNameN/A<domainimpacted> / <account>
RequestLatencyN/AN/A
NetworkDeviceName<sname>N/A
User-Name<login><domainimpacted> / <account>
NAS-IP-Address<snatip>N/A
NAS-PortN/AN/A
Service-Type<objecttype>N/A
Framed-IP-Address<dip>N/A
Class<object>N/A
Called-Station-ID<dmac>N/A
Calling-Station-ID<smac>N/A
NAS-IdentifierN/AN/A
Acct-Status-Type<subject> <status>
Acct-Delay-TimeN/AN/A
Acct-Input-OctetsN/AN/A
Acct-Output-OctetsN/AN/A
Acct-Session-Id<session><session>
Acct-AuthenticN/AN/A
Acct-Session-TimeN/AN/A
Acct-Input-PacketsN/AN/A
Acct-Output-Packets<packetsout>N/A
Acct-Terminate-CauseN/AN/A
Event-TimestampN/AN/A
NAS-Port-TypeN/AN/A
NAS-Port-IdN/AN/A
attribute-151N/AN/A
Tunnel-TypeN/AN/A
Tunnel-Medium-TypeN/AN/A
Tunnel-Private-Group-IDN/AN/A
cisco-av-pair=audit-session-idN/AN/A
cisco-av-pair=nas-updateN/AN/A
cisco-av-pair=disc-cause-extN/AN/A
cisco-av-pair=connect-progressN/AN/A
cisco-av-pair=methodN/AN/A
Airespace-Wlan-IdN/AN/A
AcsSessionID<session>N/A
SelectedAccessServiceN/AN/A
StepN/AN/A
StepN/AN/A
StepN/AN/A
NetworkDeviceGroupsN/AN/A
NetworkDeviceGroupsN/AN/A
ServiceSelectionMatchedRuleN/AN/A
CPMSessionIDN/AN/A
Device TypeN/AN/A
LocationN/AN/A
Model NameN/AN/A
Software VersionN/AN/A
Key1N/AN/A
Key2N/AN/A

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex ID

Rule Name

Rule Type

Common Event

Classification

1010150RADIUS AccountingBase RuleAccounting RequestInformation
Accounting Stop RequestSub RuleAccounting RequestInformation
Accounting Start RequestSub RuleRADIUS Accounting-Request ReceivedInformation
Accounting Watchdog UpdateSub RuleTACACS+ Accounting WatchdogInformation

LogRhythm Default v2.0

Regex IDRule NameRule TypeCommon EventClassification
1012914V 2.0 RADIUS Accounting EventBase RuleRADIUS InformationInformation
V 2.0 EVID  3000 RADIUS Accounting Request StartSub RuleRADIUS Accounting-Request ReceivedInformation
V 2.0 EVID  3001 RADIUS Accounting Request StopSub RuleRADIUS Accounting-Request ReceivedInformation
V 2.0 EVID  3002 RADIUS Accounting Watchdog UpdatSub RuleGeneral RADIUS MessageInformation
V 2.0 EVID  3003 RADIUS Accounting OnSub RuleGeneral RADIUS MessageInformation
V 2.0 EVID  3004 RADIUS Accounting OffSub RuleGeneral RADIUS MessageInformation
V 2.0 EVID  3005 RADIUS Accounting Tunnel StartSub RuleRADIUS Accounting-Request ReceivedInformation
V 2.0 EVID  3006 RADIUS Accounting Tunnel StopSub RuleRADIUS Accounting-Request ReceivedInformation
V 2.0 EVID  3007 RADIUS Accounting Tunnel RejectSub RuleGeneral RADIUS MessageInformation
V 2.0 EVID  3008 RADIUS Acc. Tunnel Link StartSub RuleGeneral RADIUS MessageInformation
V 2.0 EVID  3009 RADIUS Acc. Tunnel Link StopSub RuleGeneral RADIUS MessageInformation
V 2.0 EVID  3010 RADIUS Acc. Tunnel Link RejectSub RuleGeneral RADIUS MessageInformation
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close