Vendor Documentation
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
|
Log Field |
LogRhythm Default |
LogRhythm Default v2.0 |
|---|---|---|
|
pri_num |
N/A |
N/A |
|
time |
N/A |
N/A |
|
IP address/hostname |
N/A |
N/A |
|
cat_name |
N/A |
<vendorinfo> |
|
msg_id |
N/A |
N/A |
|
total_seg |
N/A |
N/A |
|
seg_num |
N/A |
N/A |
|
timestamp |
N/A |
N/A |
|
sequence_num |
N/A |
N/A |
|
msg_code |
<vmid> |
<vmid>
|
|
msg_sev |
<severity> |
<severity> |
|
msg_class |
N/A |
<subject> |
|
msg_text |
N/A |
<action> |
|
Key1 |
N/A |
N/A |
|
Key2 |
N/A |
N/A |
|
ConfigVersionId |
<version> |
N/A |
|
Device IP Address |
<sip> |
N/A |
|
UserName |
<sname> |
<login> |
|
Protocol |
<protname> |
<protname> |
|
RequestReceivedTime |
N/A |
N/A |
|
PolicyType |
<policy> |
N/A |
|
OriginalUserName |
<login> |
N/A |
|
AcsSessionID |
<session> |
<session> |
|
SelectedAccessService |
<process> |
N/A |
|
SelectedAuthorizationProfiles |
<action> |
N/A |
|
IdentityPolicyMatchedRule |
<subject> |
N/A |
|
AuthorizationPolicyMatchedRule |
<result> |
N/A |
|
CPMSessionID |
N/A |
N/A |
|
ISEPolicySetName |
<objectname> |
<policy> |
|
IdentitySelectionMatchedRule |
N/A |
N/A |
|
HostIdentityGroup |
<group> |
<group> |
|
Name |
<object> |
N/A |
|
Response |
N/A |
<result> |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1010530 |
Radius Authorization Policy Messages |
Base Rule |
RADIUS Access-Reject Received |
Information |
LogRhythm Default v2.0
|
Regex ID |
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|---|
|
1012731 |
V 2.0 Policy Diagnostics Event |
Base Rule |
Diagnostic Information |
Information |
|
V 2.0 EVID 15001 Adapter Contain Atleast One Val |
Sub Rule |
Incorrect Database Configuration |
Error |
|
|
V 2.0 EVID 15002 Configured Operator Failed |
Sub Rule |
Database Configuration Change Failed |
Error |
|
|
V 2.0 EVID 15003 Incorrect Database Configuration |
Sub Rule |
Incorrect Database Configuration |
Error |
|
|
V 2.0 EVID 15004 Matched Rule |
Sub Rule |
Matched Rule |
Information |
|
|
V 2.0 EVID 15005 Matched Monitored Rule |
Sub Rule |
Matched Monitored Rule |
Information |
|
|
V 2.0 EVID 15006 Matched Default Rule |
Sub Rule |
Matched Default Rule |
Information |
|
|
V 2.0 EVID 15007 Policy Result Type Unmatched |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 EVID 15008 Evaluating Svc Selection Policy |
Sub Rule |
Evaluating Policy |
Other Audit |
|
|
V 2.0 EVID 15009 Authorization Policy Not Config |
Sub Rule |
Policy Not Configured |
Error |
|
|
V 2.0 EVID 15010 Policy Not Configured |
Sub Rule |
Policy Not Configured |
Error |
|
|
V 2.0 EVID 15011 Authorization Policy Not Config |
Sub Rule |
Policy Not Configured |
Error |
|
|
V 2.0 EVID 15012 Selected Access Service |
Sub Rule |
Access Service Selected |
Information |
|
|
V 2.0 EVID 15013 Selected Identity Source |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 EVID 15015 Could Not Find ID Store |
Sub Rule |
ID Store Not Found |
Error |
|
|
V 2.0 EVID 15016 Selected Authorization Profile |
Sub Rule |
Authorization Profile Selected |
Information |
|
|
V 2.0 EVID 15017 Selected Shell Profile |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 EVID 15018 Selected Command Set |
Sub Rule |
Command Set Selected |
Information |
|
|
V 2.0 EVID 15019 Authorization Profiles Not Find |
Sub Rule |
Authorization Profiles Not Found |
Error |
|
|
V 2.0 EVID 15020 Shell Profiles Not Find |
Sub Rule |
Shell Profiles Not Found |
Error |
|
|
V 2.0 EVID 15021 Command Set Not Find |
Sub Rule |
Command Set Not Found |
Warning |
|
|
V 2.0 EVID 15022 Access Service Not Find |
Sub Rule |
Access Service Not Found |
Error |
|
|
V 2.0 EVID 15023 Could Not Match Rule |
Sub Rule |
Rule Not Matched |
Information |
|
|
V 2.0 EVID 15024 PAP Not Allowed |
Sub Rule |
PAP Not Allowed |
Information |
|
|
V 2.0 EVID 15025 Policy Not Configured |
Sub Rule |
Policy Not Configured |
Error |
|
|
V 2.0 EVID 15026 External Policy Server Not Found |
Sub Rule |
Policy Not Configured |
Error |
|
|
V 2.0 EVID 15027 External Policy Server Selected |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 EVID 15028 Sending Request To Ext. Server |
Sub Rule |
Sending Request |
Information |
|
|
V 20 EVID 15029 Attr Not Retrieve Frm Ext Policy |
Sub Rule |
Attributes Not Retrieved |
Error |
|
|
V 2.0 EVID 15030 Misconfig Of Ext. Policy Server |
Sub Rule |
Apparent Misconfiguration |
Error |
|
|
V 2.0 EVID 15031 Ext Policy Attributes Retrieved |
Sub Rule |
Attributes Retrieved |
Information |
|
|
V 2.0 EVID 15032 Evaluating External Policy Check |
Sub Rule |
Evaluating Policy |
Other Audit |
|
|
V 2.0 EVID 15033 Mapping Policy Not Configured |
Sub Rule |
Policy Not Configured |
Error |
|
|
V 2.0 EVID 15034 Skip External Policy Check |
Sub Rule |
Policy Check Skipped |
Warning |
|
|
V 2.0 EVID :15035 Evaluating Exception Auth Policy |
Sub Rule |
Evaluating Policy |
Other Audit |
|
|
V 2.0 EVID 15036 Evaluating Authorization Policy |
Sub Rule |
Evaluating Policy |
Other Audit |
|
|
V 2.0 EVID 15037 Access Service |
Sub Rule |
Access Service Selected |
Information |
|
|
V 2.0 EVID 15038 Skipping External Policy |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 EVID 15039 Rejected Per Auth. Profile |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 EVID 15040 Attribute Not Defined Cert. |
Sub Rule |
Missing Attribute |
Warning |
|
|
V 2.0 EVID 15041 Evaluating Identity Policy |
Sub Rule |
Evaluating Policy |
Other Audit |
|
|
V 2.0 EVID 15042 No Rule Was Matched |
Sub Rule |
Rule Not Matched |
Information |
|
|
V 2.0 EVID 15043 Attribute Value Unavailable |
Sub Rule |
Missing Attribute |
Warning |
|
|
V 2.0 EVID 15044 Evaluating Group Mapping Policy |
Sub Rule |
Evaluating Policy |
Other Audit |
|
|
V 2.0 EVID 15045 CHAP Not Allowed |
Sub Rule |
CHAP Not Allowed |
Warning |
|
|
V2.0 EVID 15046 MS-CHAP V1 Disabled |
Sub Rule |
Protocol Disabled |
Information |
|
|
V2.0 EVID 15047 MS-CHAP V2 Disabled |
Sub Rule |
Protocol Disabled |
Information |
|
|
V 2.0 EVID 15048 Queried PIP |
Sub Rule |
Query Information |
Information |
|
|
V 2.0 EVID 15049 Evaluating Policy Group |
Sub Rule |
Evaluating Policy |
Other Audit |
|
|
V 2.0 EVID 15050 Dev. Not Support Config Of VLAN |
Sub Rule |
Caution Message Concerning Vlan Configuration |
Information |
|
|
V 2.0 EVID 15051 Device Not Support Config Of ACL |
Sub Rule |
Unsupported ACL |
Warning |
|
|
V 2.0 EVID 15052 Authorization Profile Not Suited |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 EVID 15053 N/W Access Dev. Not Support CoA |
Sub Rule |
General Audit Message |
Other Audit |
|
|
V 2.0 EVID 15054 Sending SNMP Set |
Sub Rule |
SNMPD Debug Message |
Information |
|
|
V 2.0 EVID 15055 SNMP CoA Failed |
Sub Rule |
SNMPD Debug Message |
Information |
|
|
V 2.0 EVID 15056 Portal Settings Undefined |
Sub Rule |
Interface Configuration Error |
Error |