Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
Event ID | <vmid> | Number | Event ID 4601, 4602, 4603, 4604, 4605, 4606, 4607, 4608, 4609, 4610, 4611, 4612, 4613, 4614, 4615, 4616, 4617, 4618, 4619, 4620, 4621, 4622, 4623, 4624, 4625, 4626, 4627, 4628, 4629, 4630, 4631, 4632, 4633, 4634, 4635, 4636, 4637, 4638, 4639, 4640, 4641, 4642, 4643, 4644, 4645, 4646, 4647, 4648, 4649, 4650, 4651, 4652, 4653, 4654 |
Severity | <severity> | Text/String | For All: Information; For 4601, 4606, 4631, 4637, 4640, 4649: Error; For 4612, 4624, 4652: Warning; For 4603: Critical |
Message | <subject> <account> <session> | Text/String | Event ID 4601: logs a failed authentication attempt of a user via REST |
| <subject> <account> <session> | Text/String | Event ID 4602: logs a successful authentication attempt of a user via REST |
| <subject> <objecttype> <url> | Text/String | Event ID 4603: logs an authorization configuration conflict |
| <subject> <account> <session> | Text/String | Event ID 4604: logs the start of a REST user session |
| <subject> <account> <session> | Text/String | Event ID 4605: logs the end of a REST user session |
| <subject> <account> <object> <action> | Text/String | Event ID 4606: logs a failed authorization attempt of a user via REST |
| <subject> <account> <object> <action> | Text/String | Event ID 4607: logs a successful authorization attempt of a user via REST |
| <subject> <account> <object> <action> | Text/String | Event ID 4608: logs an allowed authorization attempt of a user via REST |
| <subject> <login> <account> <policy> | Text/String | Event ID 4609: logs a successful add of a user via REST |
| <subject> <login> <account> | Text/String | Event ID 4610: logs a successful deletion of a user via REST |
| <subject> <account> | Text/String | Event ID 4611: logs a successful password change for a user via REST |
| <subject> <account> | Text/String | Event ID 4612: logs an unsuccessful password change for a user via REST |
| <subject> <account> <object> | Text/String | Event ID 4613: logs a successful config write operation |
| <subject> <account> | Text/String | Event ID 4614: logs a successful copy of saved |
| <subject> <account> <objectname> <object> | Text/String | Event ID 4615: logs a success when the nameserver is written to ovsdb |
| <subject> <account> | Text/String | Event ID 4616: logs a success when the nameserver is deleted from ovsdb |
| <subject> <account> <url> | Text/String | Event ID 4617: A user has successfully created a new resource in OVSDB. |
| <subject> <account> <url> | Text/String | Event ID 4618: A user has successfully deleted a resource in OVSDB. |
| <subject> <account> <url> | Text/String | Event ID 4619: A user has successfully modified a resource in OVSDB. |
| <subject> <account> <object> | Text/String | Event ID 4620: A user has added a new notification subscriber. |
| <subject> <account> | Text/String | Event ID 4621: A user has removed a notification subscriber. |
| <subject> <objectname> <object> | Text/String | Event ID 4622: A subscriber has added a new subscription. |
| <subject> <objectname> <object> | Text/String | Event ID 4623: A subscriber has removed a subscription. |
| <subject> | Text/String | Event ID 4624: Unable to add new subscriber as max number reached. |
| <subject> <object> | Text/String | Event ID 4625: Unable to add new subscription as max number reached for the specified subscriber. |
| <subject> <login> <object> | Text/String | Event ID 4626: NAE Script has been created successfully. |
| <subject> <login> <object> | Text/String | Event ID 4627: NAE Script has been deleted successfully. |
| <subject> <login> <object> | Text/String | Event ID 4628: NAE Agent has been created successfully. |
| <subject> <login> <object> | Text/String | Event ID 4629: NAE Agent has been updated successfully. |
| <subject> <login> <object> | Text/String | Event ID 4630: NAE Agent has been deleted successfully. |
| <subject> <command> <result> | Text/String | Event ID 4631: Logs an error if a reboot fails. |
| <subject> <object> <sip> | Text/String/IP Address | Event ID 4632: Connection is established with Aruba Central. |
| <subject> <object> <sip> | Text/String/IP Address | Event ID 4633: Connection to Aruba Central has been closed by Aruba Central. Request to get new location from CLI/DHCP/Activate. |
| <subject> <object> <sip> | Text/String/IP Address | Event ID 4634: Connection to Aruba Central has been closed by Aruba Central. Trying to reconnect. |
| <subject> <object> <sip> | Text/String/IP Address | Event ID 4635: Received new Aruba Central location. |
| <subject> <object> <sip> | Text/String/IP Address | Event ID 4636: Received new Aruba Central location. Closing existing connection with Aruba Central. |
| <subject> <object> <sip> | Text/String/IP Address | Event ID 4637: Internal error. Closing connection to Aruba Central. |
| <subject> | Text/String | Event ID 4638: Waiting for Aruba Central location from Central Source (CLI/DHCP/Aruba Activate Server). |
| <subject> <object> <sip> | Text/String/IP Address | Event ID 4639: Connecting to Aruba Central. |
| <subject> <object> <sip> | Text/String/IP Address | Event ID 4640: Failed to connect to Aruba Central. |
| <subject> | Text/String | Event ID 4641: The Aruba Central feature is disabled. |
| <subject> <object> <sip> | Text/String/IP Address | Event ID 4642: The Aruba Central feature is disabled. |
| <subject> | Text/String | Event ID 4643: The Aruba Central feature is enabled. |
| <subject> <object> <sip> | Text/String/IP Address | Event ID 4645: Aruba Activate server is reachable via an active VRF. |
| <subject> <sip> | Text/String/IP Address | Event ID 4646: Aruba Activate server is not reachable through any supported VRF. |
| <subject> | Text/String | Event ID 4647: Switch time is synced with NTP Servers. |
| <subject> <sip> | Text/String/IP Address | Event ID 4648: Switch time is synced with Aruba Activate Server. |
| <subject> <object> <sip> | Text/String/IP Address | Event ID 4649: Unable to sync switch time with Aruba Activate Server. |
| <subject> <object> <sname> | Text/String | Event ID 4650: Unable to fetch Aruba Central location from Central Source (CLI/DHCP/Aruba Activate Server). |
| <subject> <object> <sname> | Text/String | Event ID 4651: Aruba Central location successfully fetched from Central Source (CLI/DHCP/Aruba Activate Server) via VRF. |
| <subject> | Text/String | Event ID 4652: Aruba Central connected; any config change through REST may not be persistent, because Aruba Central can overwrite the change. |
| <subject> <login> <action> | Text/String | Event ID 4653: Logs a message when a user changes the REST configuration lockout mode |
| <subject> <action> | Text/String | Event ID 4654: Logs a message when Aruba Central support mode is enabled or disabled |