TACACS Diagnostics

Vendor Documentation

https://www.cisco.com/c/en/us/td/docs/security/ise/syslog/Cisco_ISE_Syslogs/m_SyslogsList.html

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

Log Field	LogRhythm Default	LogRhythm Default v2.0
pri_num	N/A	N/A
time	N/A	N/A
IP address/hostname	N/A	N/A
cat_name	N/A	<vendorinfo>
msg_id	N/A	N/A
total_seg	N/A	N/A
seg_num	N/A	N/A
timestamp	N/A	N/A
sequence_num	N/A	N/A
msg_code	N/A	<vmid> <tag1>
msg_sev	<severity>	<severity>
msg_class	<process>	<subject>
msg_text	<status> <tag1>	<action>
ConfigVersionId	<version>	N/A
Device IP Address	<dip>	<sip>
Device Port	<dport>	<sport>
CmdSet	N/A	N/A
MatchedCommandSet	N/A	N/A
MatchedRule	N/A	N/A
MajorVersion	N/A	N/A
MinorVersion	N/A	N/A
Type	N/A	<objecttype>
Sequence-Number	N/A	N/A
Header-Flags	N/A	N/A
SessionId	<session>	<session>
Action	N/A	<object>
Privilege-Level	N/A	N/A
Authen-Type	N/A	N/A
Service	N/A	N/A
User	N/A	<account>
Port	N/A	<dport>
Remote-Address	N/A	<dip>
Authen-Method	N/A	N/A
Service-Argument	N/A	N/A
EnableSingleConnect	N/A	N/A
CiscoIOS	N/A	N/A
UseSingleConnect	N/A	N/A
AcsSessionID	N/A	N/A
SelectedAccessService	N/A	N/A
SelectedCommandSet	N/A	N/A
Sequence-Number	N/A	N/A
SelectedShellProfile	N/A	N/A
CPMSessionID	N/A	N/A
Response	N/A	<result>
	N/A	<reason>
	N/A	<status>
Key1	N/A	N/A
Key2	N/A	N/A

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex ID	Rule Name	Rule Type	Common Event	Classification
1012194	TACACS Diagnostics	Base Rule	General TACACS Message	Information
1012194	Received TACACS+ Accounting Request	Sub Rule	TACACS+ Accounting With Command	Information

LogRhythm Default v2.0

Regex ID	Rule Name	Rule Type	Common Event	Classification
1012658	V 2.0 TACACS Diagnostics Event	Base Rule	General TACACS Message	Information
	V 2.0 EVID 13000 Invalid TACACS+ Auth Request	Sub Rule	Invalid Authorization Request	Warning
	V 2.0 EVID 13001 Invalid TACACS+ Accounting Req	Sub Rule	Invalid Accounting Request	Error
	V 2.0 EVID 13002 TACACS+ Listener Start	Sub Rule	Listener Message	Information
	V 2.0 EVID 13003 TACACS+ Listener Stop	Sub Rule	Listener Message	Information
	V 2.0 EVID 13004 TACACS+ Listener Fail	Sub Rule	Listener Failed	Error
	V 2.0 EVID 13005 TACACS+ Auth Request Receive	Sub Rule	Authorization Request Received	Other Audit
	V 2.0 EVID 13006 TACACS+ Accounting Req Receive	Sub Rule	Accounting Request Received	Information
	V 2.0 EVID 13007 TACACS+ Packet Header Invalid	Sub Rule	Invalid Packet Header	Warning
	V 2.0 EVID 13008 TACACS+ Max Client Limit Reach	Sub Rule	Maximum Clients Reached	Warning
	V 2.0 EVID 13009 TACACS+ Client Connection Fail	Sub Rule	Client Connection Failed	Warning
	V 2.0 EVID 13010 TACACS+ Packet Invalid Length	Sub Rule	Bad Packet Length	Warning
	V 2.0 EVID 13011 Invalid TACACS+ Packet Request	Sub Rule	General TACACS Message	Information
	V 2.0 EVID 13013 TACACS+ Authentication START Req	Sub Rule	Authorization Request Received	Other Audit
	V 2.0 EVID 13014 TACACS+ Auth CONTINUE Request	Sub Rule	Authorization Request Received	Other Audit
	V 2.0 EVID 13015 TACACS+ Auth Reply Returned	Sub Rule	Authentication Reply Returned	Information
	V 2.0 EVID 13017 TACACS+ Packet Rcv Unknown Dev	Sub Rule	Request Packet Received From Unknown Host	Network Traffic
	V 2.0 EVID 13019 TACACS+ Settings Obtain Fail	Sub Rule	Failed To Obtain Settings	Error
	V 2.0 EVID 13020 TACACS+ Default NW Dev Setting	Sub Rule	General TACACS Message	Information
	V 2.0 EVID 13021 System Overload TACACS+ Req Drop	Sub Rule	Request Dropped - System Overloaded	Warning
	V 2.0 EVID 13023 Deny-Always Rule Command Match	Sub Rule	General Information Log Message	Information
	V 2.0 EVID 13024 Permit Rule Command Match	Sub Rule	General Information Log Message	Information
	V 2.0 EVID:13025 Permit Rule Command Fail To Match	Sub Rule	General Information Log Message	Information
	V 2.0 EVID 13027 TACACS+ Auth Request Missing	Sub Rule	General Authorization Warning	Warning
	V 2.0 EVID 13029 Privilege Level Too High	Sub Rule	Requested Privilege Level Too High	Error
	V 2.0 EVID 13030 TACACS+ Auth Req Missing U/N	Sub Rule	Authorization Request Received	Other Audit
	V 2.0 EVID 13031 TACACS+ Auth Request Missing	Sub Rule	Authorization Request Received	Other Audit
	V 2.0 EVID 13032 TACACS+ Configuration Fatal Err	Sub Rule	Configuration Access Error	Error
	V 2.0 EVID 13034 TACACS+ Authorization Reply	Sub Rule	Authentication Reply Returned	Information
	V 2.0 EVID 13035 TACACS+ Accounting Reply	Sub Rule	Accounting Reply	Information
	V 2.0 EVID 13036 Shell Profile DenyAccess	Sub Rule	General Information Log Message	Information
	V 2.0 EVID 13037 Shell Profile Priv. Not Config.	Sub Rule	Shell Profile Object Not Configured	Information
	V 2.0 EVID 13038 Request Fail - Crit Logging Err	Sub Rule	Request Failed - Logging Error	Error
	V 2.0 EVID 13039 Auth Req Not Contain New User PW	Sub Rule	General Information Log Message	Information
	V 2.0 EVID 13040 Empty String In The New PW Field	Sub Rule	General Information Log Message	Information
	V 2.0 EVID 13041 Request Switches From Login	Sub Rule	General Information Log Message	Information
	V 2.0 EVID 13042 Auth Req Confirm User New PW	Sub Rule	General Information Log Message	Information
	V 2.0 EVID 13043 Authentication Type Not Support	Sub Rule	Authentication Method Not Supported	Error
	V 2.0 EVID 13044 TACACS Use Password Prompt	Sub Rule	General Information Log Message	Information
	V 2.0 EVID 13045 Use PW Prompt From Global TACACS	Sub Rule	General TACACS Message	Information
	V 2.0 EVID 13046 ASCII Password Change Request	Sub Rule	Password Change Requested	Information
	V 2.0 EVID 13050 MSCHAP Invalid Flag Value	Sub Rule	General TACACS Message	Information
	V 2.0 EVID 13051 TACACS Small Data Fieid Size	Sub Rule	General TACACS Message	Information
	V 2.0 EVID 13052 TACACS Small Data Fieid Size	Sub Rule	General TACACS Message	Information
	V 2.0 EVID 13060 Failed To Read TACACS Proxy Con	Sub Rule	Dropping Request - Failed To Read Configuration	Error
	V 2.0 EVID 13061 Accounting Request Received	Sub Rule	Accounting Request Received	Information
	V 2.0 EVID 13062 TACACS Servers Failover Perform	Sub Rule	General TACACS Message	Information
	V 2.0 EVID 13063 Remote TACACS Server Forwarding	Sub Rule	General TACACS Message	Information
	V 2.0 EVID 13064 TACACS Proxy Rcv Incoming Req	Sub Rule	General Proxy Information	Information
	V 2.0 EVID 13065 TACACS Proxy Rcv I/C Auth Req	Sub Rule	Authentication Request Received	Information
	V 2.0 EVID 13066 TACACS Proxy Rcv I/C Auth Req	Sub Rule	Authorization Request Received	Other Audit
	V 2.0 EVID 13067 TACACS Proxy Rcv I/C Acc. Req	Sub Rule	Accounting Request Received	Information
	V 2.0 EVID 13068 TACACS Proxy Local Acc. Perform	Sub Rule	Proxy Performing Local Accounting	Information
	V 2.0 EVID 13069 TACACS Proxy Remote Acc. Perform	Sub Rule	Proxy Performing Remote Accounting	Information
	V 2.0 EVID 13070 TACACS Server Forward Req Fail	Sub Rule	Request To Forward To Remote RADIUS Server Failed	Error
	V 2.0 EVID 13071 Continue Flow (Seq_No>1)	Sub Rule	General Information Log Message	Information
	V 2.0 EVID 13072 TACACS Server Forward Req Fail	Sub Rule	Request To Forward To Remote RADIUS Server Failed	Error
	V 2.0 EVID 13073 TACACS+ Proxy Request Failed	Sub Rule	General Proxy Failure	Error
	V 2.0 EVID 13074 TACACS Proxy Req Finish To Proc	Sub Rule	General Proxy Success	Information
	V 2.0 EVID 13075 TACACS+ Proxy Req Won't Continue	Sub Rule	General Proxy Information	Information
	V 2.0 EVID 13076 Rule Command Not Set	Sub Rule	General Information Log Message	Information
	V 2.0 EVID 13077 TACACS+ Acc. Invalid Packet Req	Sub Rule	Invalid Accounting Request	Error
	V 2.0 EVID 13078 TACACS+ Auth Invalid Packet Req	Sub Rule	Invalid Authorization Request	Warning