REST Events | LogRhythm Documentation

Vendor Documentation

https://www.arubanetworks.com/techdocs/AOS-CX/10.07/HTML/5200-8214/Content/fir-int.htm

https://www.arubanetworks.com/techdocs/AOS-CX/10.07/PDF/5200-8214.pdf

Classification

Rule Name	Rule Type	Common Event	Classification
REST Events	Base Rule	General Information Log Message	Information

Mapping with LogRhythm Schema

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
Event ID	<vmid>	Number	Event ID 4601, 4602, 4603, 4604, 4605, 4606, 4607, 4608, 4609, 4610, 4611, 4612, 4613, 4614, 4615, 4616, 4617, 4618, 4619, 4620, 4621, 4622, 4623, 4624, 4625, 4626, 4627, 4628, 4629, 4630, 4631, 4632, 4633, 4634, 4635, 4636, 4637, 4638, 4639, 4640, 4641, 4642, 4643, 4644, 4645, 4646, 4647, 4648, 4649, 4650, 4651, 4652, 4653, 4654
Severity	<severity>	Text/String	For All: Information For 4601, 4606, 4631, 4637, 4640, 4649: Error For 4612, 4624, 4652: Warning For 4603: Critical
Message	<subject> <account <session>	Text/String	Event ID 4601: logs a failed authentication attempt of a user via REST
	<subject> <account <session>	Text/String	Event ID 4602: logs a successful authentication attempt of a user via REST
	<subject> <objecttype> <url>	Text/String	Event ID 4603: logs an authorization configuration conflict
	<subject> <account <session>	Text/String	Event ID 4604: logs the start of a REST user session
	<subject> <account <session>	Text/String	Event ID 4605: logs the end of a REST user session
	<subject> <account> <object> <action>	Text/String	Event ID 4606: logs a failed authorization attempt of a user via REST
	<subject> <account> <object> <action>	Text/String	Event ID 4607: logs a successful authorization attempt of a user via REST
	<subject> <account> <object> <action>	Text/String	Event ID 4608: logs an allowed authorization attempt of a user via REST
	<subject> <login> <account> <policy>	Text/String	Event ID 4609: logs a successful add of a user via REST
	<subject> <login> <account>	Text/String	Event ID 4610: logs a successful deletion of a user via REST
	<subject> <account>	Text/String	Event ID 4611: logs a successful password change for a user via REST
	<subject> <account>	Text/String	Event ID 4612: logs an unsuccessful password change for a user via REST
	<subject> <account> <object>	Text/String	Event ID 4613: logs a success config write operation
	<subject> <account>	Text/String	Event ID 4614: logs a success copy of saved
	<subject> <account> <objectname> <object>	Text/String	Event ID 4615: logs a success when the nameserver is written to ovsdb
	<subject> <account>	Text/String	Event ID 4616: logs a success when the nameserver is deleted from ovsdb
	<subject> <account> <url>	Text/String	Event ID 4617: A user has successfully created a new resource in OVSDB.
	<subject> <account> <url>	Text/String	Event ID 4618: A user has successfully deleted a resource in OVSDB.
	<subject> <account> <url>	Text/String	Event ID 4619: A user has successfully modified a resource in OVSDB.
	<subject> <account> <object>	Text/String	Event ID 4620: A user has added new notification subscriber.
	<subject> <account>	Text/String	Event ID 4621: A user has removed notification subscriber.
	<subject> <objectname> <object>	Text/String	Event ID 4622: A subscriber has added new subscription.
	<subject> <objectname> <object>	Text/String	Event ID 4623: A subscriber has removed subscription.
	<subject>	Text/String	Event ID 4624: Unable to add new subscriber as max number reached.
	<subject> <object>	Text/String	Event ID 4625: Unable to add new subscription as max number reached for the specified subscriber.
	<subject> <login> <object>	Text/String	Event ID 4626: NAE Script has been created successfully.
	<subject> <login> <object>	Text/String	Event ID 4627: NAE Script has been deleted successfully.
	<subject> <login> <object>	Text/String	Event ID 4628: NAE Agent has been created successfully.
	<subject> <login> <object>	Text/String	Event ID 4629: NAE Agent has been updated successfully.
	<subject> <login> <object>	Text/String	Event ID 4630: NAE Agent has been deleted successfully.
	<subject> <command> <result>	Text/String	Event ID 4631: Logs an error if a reboot fails.
	<subject> <object> <sip>	Text/String/IP Address	Event ID 4632: Connection is established with Aruba Central.
	<subject> <object> <sip>	Text/String/IP Address	Event ID 4633: Connection to Aruba Central has been closed by Aruba Central. Request to get new location from CLI/DHCP/Activate.
	<subject> <object> <sip>	Text/String/IP Address	Event ID 4634: Connection to Aruba Central has been closed by Aruba Central. Trying to reconnect.
	<subject> <object> <sip>	Text/String/IP Address	Event ID 4635: Received new Aruba Central location.
	<subject> <object> <sip>	Text/String/IP Address	Event ID 4636: Received new Aruba Central location. Closing existing connection with Aruba Central.
	<subject> <object> <sip>	Text/String/IP Address	Event ID 4637: Internal error. Closing connection to Aruba Central.
	<subject>	Text/String	Event ID 4638: Waiting for Aruba Central location from Central Source (CLI/DHCP/Aruba Activate Server).
	<subject> <object> <sip>	Text/String/IP Address	Event ID 4639: Connecting to Aruba Central.
	<subject> <object> <sip>	Text/String/IP Address	Event ID 4640: Failed to connect to Aruba Central.
	<subject>	Text/String	Event ID 4641: The Aruba Central feature is disabled.
	<subject> <object> <sip>	Text/String/IP Address	Event ID 4642: The Aruba Central feature is disabled.
	<subject>	Text/String	Event ID 4643: The Aruba Central feature is enabled.
	<subject> <object> <sip>	Text/String/IP Address	Event ID 4645: Aruba Activate server is reachable via an active VRF.
	<subject> <sip>	Text/String/IP Address	Event ID 4646: Aruba Activate server is not reachable through any supported VRF.
	<subject>	Text/String	Event ID 4647: Switch time is synced with NTP Servers.
	<subject> <sip>	Text/String/IP Address	Event ID 4648: Switch time is synced with Aruba Activate Server.
	<subject> <object> <sip>	Text/String/IP Address	Event ID 4649: Unable to sync switch time with Aruba Activate Server.
	<subject> <object> <sname>	Text/String	Event ID 4650: Unable to fetch Aruba Central location from Central Source (CLI/DHCP/Aruba Activate Server).
	<subject> <object> <sname>	Text/String	Event ID 4651: Aruba Central location successfully fetched from Central Source (CLI/DHCP/Aruba Activate Server) via VRF.
	<subject>	Text/String	Event ID 4652: Aruba Central connected, any config change through rest may not be persistent, aruba central can overwrite the change
	<subject> <login> <action>	Text/String	Event ID 4653: Logs a message when a user changes the REST configuration lockout mode
	<subject> <action>	Text/String	Event ID 4654: Logs a message when a Aruba Central support mode is enabled or disabled