
V 2.0 Admin Authentication And Authorization Event

Vendor Documentation


| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 Admin Authentication And Authorization Event | Base Rule | General Authentication Event | Other Audit |
| V 2.0 EVID 10000: Handle Incoming Admin Auth Req | Sub Rule | Administrator Authentication Request | Information |
| V 2.0 EVID 10001: Incorrect Configuration Version | Sub Rule | Incorrect Configuration Version | Error |
| V 2.0 EVID 10002: Failure To Load Appropriate Svc | Sub Rule | General Failed Activity | Failed Activity |
| V 2.0 EVID 10003: Admin Auth Rcvd Blank Admin Name | Sub Rule | Authentication Failure Activity | Authentication Failure |
| V 2.0 EVID 10004: Admin Auth Rcvd Blank Admin Pwd | Sub Rule | Authentication Failure Activity | Authentication Failure |
| V 2.0 EVID 10005: Admin Authenticated Successfull | Sub Rule | Authentication Activity | Authentication Success |
| V 2.0 EVID 10006: Admin Authentication Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
| V 2.0 EVID 10007: Admin Auth Failed DB Error | Sub Rule | Authentication Failure Activity | Authentication Failure |
| V 2.0 EVID 10008: Received Valid Admin Auth Req | Sub Rule | Administrator Authentication Request | Information |
| V 2.0 EVID 10009: Received Admin Auth Request | Sub Rule | Administrator Authentication Request | Information |
| V 2.0 EVID 10010: Admin Password Change Reminder | Sub Rule | Password Change Requested | Information |
| V 2.0 EVID 10011: Pwd Expired Admin Pwd Change Req | Sub Rule | Password Change Required | Information |
| V 2.0 EVID 10012: A/C Inactivity Admin Pwd Change | Sub Rule | Password Change Required | Information |
| V 2.0 EVID 10013: Admin A/C Set As Never Disabled | Sub Rule | General Admin Information | Information |
| V 2.0 EVID 10014: Admin Account Set To Change Pwd | Sub Rule | Password Change Required | Information |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| pri_num | N/A | N/A | Priority value of the message, a combination of the facility value and the severity value of the message. Priority value = (facility value * 8) + severity value. The valid facility codes are: LOCAL0 (Code = 16), LOCAL1 (Code = 17), LOCAL2 (Code = 18), LOCAL3 (Code = 19), LOCAL4 (Code = 20), LOCAL5 (Code = 21), LOCAL6 (Code = 22; default), LOCAL7 (Code = 23). |
| time | N/A | N/A | Date of the message generation, according to the local clock of the originating Cisco ISE server, in the format Mmm DD hh:mm:ss. |
| IP address/hostname | N/A | N/A | IP address of the originating Cisco ISE node, or the hostname. |
| cat_name | <vendorinfo> | Text/String | Logging category name preceded by the CSCOxxx string. |
| msg_id | N/A | N/A | Unique message ID; 1 to 4294967295. The message ID increases by 1 with each new message. Message IDs restart at 1 each time the application is restarted. |
| total_seg | N/A | N/A | Total number of segments in a log message. Long messages are divided into more than one segment. Note: The total_seg depends on the Maximum Length setting in the remote logging targets page. See Remote Logging Target Settings. |
| seg_num | N/A | N/A | Segment sequence number within a message. Use this number to determine what segment of the message you are viewing. |
| timestamp | N/A | N/A | Date of the message generation, according to the local clock of the originating Cisco ISE node, in the following format: YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm. |
| sequence_num | N/A | N/A | Global counter of each message. If one message is sent to the local store and the next to the syslog server target, the counter increments by 2. Possible values are 0000000001 to 999999999. |
|  |  | Number | Message code as defined in the logging categories. |
| msg_sev | <severity> | Text/String | Message severity level of a log message. |
| msg_class | <subject> | Text/String | Message class, which identifies groups of messages with the same context. |
| msg_text | <action> | Text/String | English language descriptive text message. |
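
The following is an added example, not code from the vendor or LogRhythm documentation, showing how the fields in the mapping table fit together: it decodes pri_num into facility and severity, rejoins segmented messages using msg_id, total_seg and seg_num, and flags the sub rules classified as Authentication Failure. It assumes the fields are space-separated in the order the table lists them, that seg_num counts from 0, and that continuation segments carry only the remaining text after seg_num; the sample lines, host name and category name are constructed.

```python
import re
from collections import defaultdict

# Assumed layout: space-separated fields in the order the mapping table lists them.
HEADER = re.compile(r"<(?P<pri>\d+)>\w{3} +\d+ [\d:]{8} (?P<host>\S+) (?P<cat>\S+) "
                    r"(?P<msg_id>\d+) (?P<total>\d+) (?P<seg>\d+) (?P<rest>.*)", re.S)
BODY = re.compile(r"(?P<ts>\d{4}-\d\d-\d\d [\d:.]+ [+-]\d\d:\d\d) (?P<seq>\d+) "
                  r"(?P<code>\d+) (?P<sev>\S+) (?P<cls>[^:]+): (?P<text>.*)", re.S)
AUTH_FAILURE = {10003, 10004, 10006, 10007}  # sub rules classified Authentication Failure

def decode_pri(pri):
    """pri_num = facility * 8 + severity, so divmod recovers both parts."""
    facility, severity = divmod(pri, 8)
    name = f"LOCAL{facility - 16}" if 16 <= facility <= 23 else f"facility{facility}"
    return name, severity

def reassemble(lines):
    """Join segments per (host, msg_id); return (events, keys with missing segments)."""
    segs, meta = defaultdict(dict), {}
    for line in lines:
        m = HEADER.match(line)
        if m:
            key = (m["host"], int(m["msg_id"]))
            segs[key][int(m["seg"])] = m["rest"]
            meta[key] = (int(m["total"]), int(m["pri"]))
    events, incomplete = [], []
    for key, parts in segs.items():
        total, pri = meta[key]
        if set(parts) != set(range(total)):  # assumption: seg_num counts from 0
            incomplete.append(key)
            continue
        b = BODY.match("".join(parts[i] for i in range(total)))
        if b:
            events.append({"host": key[0], "msg_id": key[1], "code": int(b["code"]),
                           "facility": decode_pri(pri)[0], "text": b["text"],
                           "auth_failure": int(b["code"]) in AUTH_FAILURE})
    return events, incomplete

# Constructed sample lines (not real device output); 181 = 22 * 8 + 5.
HDR = "<181>Jan 05 10:15:07 ise-node1 CSCOxxx_Admin_Audit "
SAMPLE = [
    HDR + "0000000041 1 0 2024-01-05 10:15:01:120 +00:00 0000000101 10005 NOTICE Admin-Auth: Administrator authenticated successfully",
    HDR + "0000000042 2 0 2024-01-05 10:15:07:300 +00:00 0000000102 10006 NOTICE Admin-Auth: Administrator authent",
    HDR + "0000000042 2 1 ication failed",
    HDR + "0000000043 2 1 tail of a message whose first segment was lost",
]
```

Because msg_id restarts at 1 whenever the application restarts, a long-running collector should also expire pending segments so that IDs from before and after a restart are not joined.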