V 2.0 Authentication Flow Diagnostics Event
Vendor Documentation
Rule Name | Rule Type | Common Event | Classification |
V 2.0 Authentication Flow Diagnostics Event | Base Rule | Diagnostic Information | Information |
V 2.0 EVID 22000: Auth Resulted In Internal Error | Sub Rule | General Authentication Error | Error |
V 2.0 EVID 22001: Restricted Attribute(s) Found | Sub Rule | Object Attributes Listed | Information |
V 2.0 EVID 22002: Authentication Completed | Sub Rule | Authentication Activity | Authentication Success |
V 2.0 EVID 22003: Missing Attribute For Auth | Sub Rule | Attribute Missing | Warning |
V 2.0 EVID 22004: Authentication Wrong Password | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
V 2.0 EVID 22005: Could Not Get Shell Profile Obj | Sub Rule | Shell Profiles Not Found | Error |
V 2.0 EVID 22006: Shell Profile Object Not Config | Sub Rule | Shell Profile Object Not Configured | Information |
V 2.0 EVID 22007: Username Attribute Not Present | Sub Rule | Attributes Not Found | Error |
V 2.0 EVID 22008: Changing Enable Pwd Not Allowed | Sub Rule | Password Change Failed | Error |
V 2.0 EVID 22015: Identity Seq Continues To Next | Sub Rule | Continuing Identity Sequence | Information |
V 2.0 EVID 22016: Identity Seq Completed Iterating | Sub Rule | Successful Activity | Other Audit Success |
V 2.0 EVID 22017: Selected Identity Src DenyAccess | Sub Rule | Access Denied | Warning |
V 2.0 EVID 22019: Identity Policy Evaluated Before | Sub Rule | General POLICY Information | Information |
V 2.0 EVID 22020: Config Error Identity Src Blank | Sub Rule | Identity Source Blank | Error |
V 2.0 EVID 22021: Config Error Auth IDStores List | Sub Rule | Configuration Error | Error |
V 2.0 EVID 22022: Setting Err Failed To Open Opt | Sub Rule | General Failed Activity | Failed Activity |
V 2.0 EVID 22023: Proceed To Attribute Retrieval | Sub Rule | Proceed To Attribute Retrieval | Information |
V 2.0 EVID 22028: Auth Failed Advanced Opt Ignored | Sub Rule | Authentication Failure Activity | Authentication Failure |
V 2.0 EVID 22034: Attribute Retrieval Failed | Sub Rule | Attribute Retrieval Failed | Error |
V 2.0 EVID 22036: Retrieved Attributes Successful | Sub Rule | Attribute Retrieval Succeeded | Information |
V 2.0 EVID 22037: Authentication Passed | Sub Rule | Authentication Activity | Authentication Success |
V 2.0 EVID 22038: Skipping IDStore For Attr Retr. | Sub Rule | Skipping IDStore For Attribute Retrieval | Information |
V 2.0 EVID 22039: Invalid Workflow Sequence Type | Sub Rule | Invalid Sequence Type | Error |
V 2.0 EVID 22040: Wrong Pwd/Invalid Shared Secret | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
V 2.0 EVID 22043: Auth Method Not Supported | Sub Rule | Authentication Failure Activity | Authentication Failure |
V 2.0 EVID 22044: Identity Policy Res Not Config | Sub Rule | Policy Not Configured | Error |
V 2.0 EVID 22045: Identity Policy Res Not Config | Sub Rule | Policy Not Configured | Error |
V 2.0 EVID 22046: Identity Sequence Received CAR | Sub Rule | Authentication Request Received | Information |
V 2.0 EVID 22047: Username Attribute Missing | Sub Rule | Attribute Missing | Warning |
V 2.0 EVID 22048: Client Cert. Binary Missing | Sub Rule | General Audit Message | Other Audit |
V 2.0 EVID 22049: Binary Comparison Of Cert. Fail | Sub Rule | General Audit Message | Other Audit |
V 2.0 EVID 22050: User/Host Disable In Curr IDStore | Sub Rule | Host Disabled | Other Audit |
V 2.0 EVID 22051: User/Host Disable In Int IDStore | Sub Rule | Host Disabled | Other Audit |
V 2.0 EVID 22052: Authentication IDStore Empty | Sub Rule | IDStore Empty | Error |
V 2.0 EVID 22054: Binary Comparison Of Cert. Pass | Sub Rule | General Audit Message | Other Audit |
V 2.0 EVID 22055: Failed To Find Expected Username | Sub Rule | General Failed Activity | Failed Activity |
V 2.0 EVID 22056: Subject Not Found In Applicable | Sub Rule | General Audit Message | Other Audit |
V 2.0 EVID 22057: Used Adv Opt Config For Failed | Sub Rule | Authentication Failure Activity | Authentication Failure |
V 2.0 EVID 22058: Used Adv Opt Config For Unknown | Sub Rule | General Audit Message | Other Audit |
V 2.0 EVID 22059: Used Adv Opt Config For Process | Sub Rule | Process Failed | Error |
V 2.0 EVID 22060: Continue Advanced Option Config | Sub Rule | Authentication Failure Activity | Authentication Failure |
V 2.0 EVID 22061: Reject Advanced Option Config | Sub Rule | Authentication Failure Activity | Authentication Failure |
V 2.0 EVID 22062: Drop Advanced Option Config | Sub Rule | Authentication Failure Activity | Authentication Failure |
V 2.0 EVID 22063: Wrong Password | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
V 2.0 EVID 22064: Auth Method Not Supported | Sub Rule | Authentication Failure Activity | Authentication Failure |
V 2.0 EVID 22065: Guest Session Limit Not Enforced | Sub Rule | Session Information | Information |
V 2.0 EVID 22066: Removing Older Guest Sessions | Sub Rule | Object Deleted/Removed | Access Success |
V 2.0 EVID 22067: Missing Relevant Information | Sub Rule | Session Information | Information |
V 2.0 EVID 22068: Binary Comparison Of Cert. Skip | Sub Rule | Session Information | Information |
V 2.0 EVID 22069: AD Account Search Attr. Missing | Sub Rule | Attribute Missing | Warning |
V 2.0 EVID 22070: Identity Name Taken From Cert. | Sub Rule | General Audit Message | Other Audit |
V 2.0 EVID 22071: Identity Name Taken From AD Acc | Sub Rule | General Audit Message | Other Audit |
V 2.0 EVID 22072: Selected Identity Source Seq. | Sub Rule | General Audit Message | Other Audit |
V 2.0 EVID 22073: Removing Newest Guest Session | Sub Rule | Object Deleted/Removed | Access Success |
V 2.0 EVID 22074: Protocol Disabled In FIPS Mode | Sub Rule | Protocol Disabled | Information |
V 2.0 EVID 22080: New Accounting Session Created | Sub Rule | Object Created | Access Success |
V 2.0 EVID 22081: Max Sessions Policy Passed | Sub Rule | General POLICY Information | Information |
V 2.0 EVID 22082: Max Sessions Policy Disabled | Sub Rule | General POLICY Information | Information |
V 2.0 EVID 22083: User/Grp Session Counters Inc. | Sub Rule | Process/Service Started | Startup and Shutdown |
V 2.0 EVID 22084: User/Grp Session Counters Dec. | Sub Rule | Process/Service Stopped | Startup and Shutdown |
V 2.0 EVID 22085: Accounting Session Updated | Sub Rule | Object Modified | Access Success |
V 2.0 EVID 22086: Active Session Purged For Device | Sub Rule | Session Information | Information |
V 2.0 EVID 22087: Accounting Session Timed Out | Sub Rule | Session Timed Out | Warning |
V 2.0 EVID 22088: Accounting Session Purged | Sub Rule | Session Information | Information |
V 2.0 EVID 22089: Session Limit Reached New User | Sub Rule | Session Information | Information |
V 2.0 EVID 22090: One Or More Attributes Missing | Sub Rule | Attribute Missing | Warning |
V 2.0 EVID 22091: Excessive Failed Auth Attempts | Sub Rule | Authentication Failure Activity | Authentication Failure |
V 2.0 EVID 22092: No Accounting Start Received | Sub Rule | Session Information | Information |
V 2.0 EVID 22093: Duplicate Session Found | Sub Rule | Duplicate Event | Information |
V 2.0 EVID 22094: Audit Session Not Found | Sub Rule | Session Information | Information |
V 2.0 EVID 22095: Accounting Start Received | Sub Rule | Session Information | Information |
V 2.0 EVID 22096: Max Session Policy Not Available | Sub Rule | Session Information | Information |
V 2.0 EVID 22097: Max Session Group Limit Reached | Sub Rule | Session Information | Information |
V 2.0 EVID 22098: Max Sess User In Grp Limit Reach | Sub Rule | Session Information | Information |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
pri_num | N/A | N/A | Priority value of the message, a combination of the facility value and the severity value of the message. Priority value = (facility value * 8) + severity value. The valid facility codes are: LOCAL0 (Code = 16), LOCAL1 (Code = 17), LOCAL2 (Code = 18), LOCAL3 (Code = 19), LOCAL4 (Code = 20), LOCAL5 (Code = 21), LOCAL6 (Code = 22; default), LOCAL7 (Code = 23). |
time | N/A | N/A | Date of the message generation, according to the local clock of the originating Cisco ISE server, in the format Mmm DD hh:mm:ss. |
IP address/hostname | N/A | N/A | IP address of the originating Cisco ISE node, or the hostname. |
cat_name | <vendorinfo> | Text/String | Logging category name preceded by the CSCOxxx string. |
msg_id | N/A | N/A | Unique message ID; 1 to 4294967295. The message ID increases by 1 with each new message. Message IDs restart at 1 each time the application is restarted. |
total_seg | N/A | N/A | Total number of segments in a log message. Long messages are divided into more than one segment. Note: The total_seg depends on the Maximum Length setting in the remote logging targets page. See Remote Logging Target Settings. |
seg_num | N/A | N/A | Segment sequence number within a message. Use this number to determine what segment of the message you are viewing. |
timestamp | N/A | N/A | Date of the message generation, according to the local clock of the originating Cisco ISE node, in the following format: YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm. |
sequence_num | N/A | N/A | Global counter of each message. If one message is sent to the local store and the next to the syslog server target, the counter increments by 2. Possible values are 0000000001 to 999999999. |
msg_code | <vmid> <tag1> | Number | Message code as defined in the logging categories. |
msg_sev | <severity> | Text/String | Message severity level of a log message. |
msg_class | <subject> | Text/String | Message class, which identifies groups of messages with the same context. |
msg_text | <action> | Text/String | English language descriptive text message. |
ConfigVersionId | N/A | N/A | N/A |
DestinationIPAddress | <dip> | IP Address | N/A |
UserName | <account> | Text/String | N/A |
NAS-IP-Address | N/A | N/A | N/A |
AcsSessionID | <session> | Text/String | N/A |
AuthenticationIdentityStore | N/A | N/A | N/A |
AuthenticationMethod | N/A | N/A | N/A |
SelectedAccessService | N/A | N/A | N/A |
WorkflowCurrentIDStoreIndex | N/A | N/A | N/A |
WorkflowSequenceType | N/A | N/A | N/A |
CurrentIDStoreName | N/A | N/A | N/A |
WorkflowIfUserNotFound | N/A | N/A | N/A |
WorkflowIfProcessError | <result> | Text/String | N/A |
WorkflowIfAuthenticationFailed | <status> | Text/String | N/A |
CPMSessionID | N/A | N/A | N/A |
StepLatency | N/A | N/A | N/A |
Response | N/A | N/A | N/A |
Key1 | N/A | N/A | N/A |
Key2 | N/A | N/A | N/A |