V 2.0 Distributed Management Event

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 Distributed Management Event | Base Rule | General Application Management Information | Information |
| V 2.0 EVID: 41000 Memory Statistics Not Found | Sub Rule | Memory Statistics Not Found | Warning |
| V 2.0 EVID: 41001 Total Memory Not Found | Sub Rule | Total Memory Not Found | Warning |
| V 2.0 EVID: 41002 Total Swap Not Found | Sub Rule | Total Swap Not Found | Warning |
| V 2.0 EVID: 41003 Disk Size Not Found | Sub Rule | Disk Size Not Found | Error |
| V 2.0 EVID: 41004 Disk Device Not Found | Sub Rule | Disk Device Not Found | Error |
| V 2.0 EVID: 41005 ISE Version Not Found | Sub Rule | Software Version Not Found | Error |
| V 2.0 EVID: 41007 ISE Node Record Found | Sub Rule | Generic Record | Information |
| V 2.0 EVID: 41008 ISE Node Record Override | Sub Rule | Object Overridden | Information |
| V 2.0 EVID: 41009 Default ISE Deployment Created | Sub Rule | Object Created | Access Success |
| V 2.0 EVID: 41010 Default ISE Node Created | Sub Rule | Object Created | Access Success |
| V 2.0 EVID: 41011 Node Status Initialized | Sub Rule | Node Status Initialized | Information |
| V 2.0 EVID: 41012 Secondary ISE Registered | Sub Rule | Device Registered | Other Audit Success |
| V 2.0 EVID: 41013 ISE Node Deregistered | Sub Rule | Device Unregistered | Warning |
| V 2.0 EVID: 41014 Software Version Not Found | Sub Rule | Software Version Not Found | Error |
| V 2.0 EVID: 41015 System Call Could Not Run | Sub Rule | Failed System Call | Error |
| V 2.0 EVID: 41016 System Call Could Not Run Stdout | Sub Rule | Failed System Call | Error |
| V 2.0 EVID: 41017 Hostname Not Found | Sub Rule | Hostname Not Found | Warning |
| V 2.0 EVID: 41018 Svc Selection Policy Update Fail | Sub Rule | Update Failed | Error |
| V 2.0 EVID: 41019 Relation Not Added | Sub Rule | Could Not Add Relation To Service Selection Policy | Error |
| V 2.0 EVID: 41020 Svc Selection Policy Init. Fail | Sub Rule | Initialization Failed | Error |
| V 2.0 EVID: 41021 ISE Node Object Not Updated | Sub Rule | Object Update Failed | Error |
| V 2.0 EVID: 41022 NodeInfo Collection Error Occur | Sub Rule | NodeInfo Collection Error | Error |
| V 2.0 EVID: 41023 Replication Status Collec Error | Sub Rule | Replication Status Error | Error |
| V 2.0 EVID: 41024 Error Loading Nodeinfo | Sub Rule | NodeInfo Loading Error | Error |
| V 2.0 EVID: 41025 NodeInfo Incomplete Information | Sub Rule | NodeInfo File Incomplete | Error |
| V 2.0 EVID: 41026 Mgmt Config Directory Not Create | Sub Rule | Directory Not Found | Other Operations |
| V 2.0 EVID: 41027 Nodinfo Could Not Be Created | Sub Rule | ACSNodeInfo Could Not Be Created | Error |
| V 2.0 EVID: 41028 MAC Address Not Found | Sub Rule | MAC Address Not Found | Warning |
| V 2.0 EVID: 41029 ISE Not Start As Record Unfound | Sub Rule | Error Retrieving Record | Error |
| V 2.0 EVID: 41030 MAC ID Not Found In ACSNodeInfo | Sub Rule | Invalid MAC Address | Error |
| V 2.0 EVID: 41031 Secondary Hostname Already Exist | Sub Rule | Hostname Already Exists | Warning |
| V 2.0 EVID: 41032 Secondary MAC Addr Already Exist | Sub Rule | MAC Address Already Exists | Warning |
| V 2.0 EVID: 41033 Deregistration Failed | Sub Rule | Deregister Failed | Error |
| V 2.0 EVID: 41034 Activation Failed | Sub Rule | Activation Failed | Error |
| V 2.0 EVID: 41035 Connection Failed | Sub Rule | Connection Failure | Error |
| V 2.0 EVID: 41036 ISE Node Deregistration Failed | Sub Rule | Deregister Failed | Error |
| V 2.0 EVID: 41037 Initialization Failed | Sub Rule | Initialization Failed | Error |
| V 2.0 EVID: 41038 Interface Config Not Found | Sub Rule | Configuration Notification Message Error | Error |
| V 2.0 EVID: 41039 Interface Eth0 Not Found | Sub Rule | Interface Not Found | Warning |
| V 2.0 EVID: 41040 Eth0 Hardware Address Not Found | Sub Rule | Default Address Not Found | Error |
| V 2.0 EVID: 41041 Eth0 Inet Address Not Found | Sub Rule | Default Address Not Found | Error |
| V 2.0 EVID: 41042 Eth0 Mask Not Found | Sub Rule | Invalid Mask | Warning |
| V 2.0 EVID: 41043 ACSNodeInfo Not Created | Sub Rule | ACSNodeInfo Could Not Be Created | Error |
| V 2.0 EVID: 41044 ACS Instance Reconnection Failed | Sub Rule | Reconnection ACS Instance Could Not Be Found | Error |
| V 2.0 EVID: 41045 Replacement Keyword Already Reg | Sub Rule | Keyword Associated With Instance | Error |
| V 2.0 EVID: 41046 ISE Instance Reg To Primary Node | Sub Rule | Instance Information | Information |
| V 2.0 EVID: 41047 Primary Node Full Data Sync | Sub Rule | Sync Started | Information |
| V 2.0 EVID: 41048 ACSNode Replace Success | Sub Rule | ACSNode Replaced | Information |
| V 2.0 EVID: 41049 ACSNode Reg To Primary Node | Sub Rule | Register Node | Information |
| V 2.0 EVID: 41050 ACSNode Activated On Primary | Sub Rule | Activating ACSNode | Information |
| V 2.0 EVID: 41051 ACSNode Deactivated On Primary | Sub Rule | ACS Node Deregistered | Information |
| V 2.0 EVID: 41053 ISE Inst Promoted To Prim. Node | Sub Rule | Instance Information | Information |
| V 2.0 EVID: 41054 ISE Inst Swtiching To Local Mode | Sub Rule | Instance Information | Information |
| V 2.0 EVID: 41055 Node Upgrading To New Version | Sub Rule | Upgrade Started | Information |
| V 2.0 EVID: 41056 Software Upgared Applied To ISE | Sub Rule | Upgrade Information | Information |
| V 2.0 EVID: 41057 Automatic Backup Being Created | Sub Rule | Creating Automatic Backup | Other Audit Success |
| V 2.0 EVID: 41058 Downloading Bundle For Primary | Sub Rule | Downloading Bundle | Information |
| V 2.0 EVID: 41059 Node Upgrade Complete | Sub Rule | Upgrade Complete | Information |
| V 2.0 EVID: 41060 Enabling Log Collector Target | Sub Rule | Enabled | Information |
| V 2.0 EVID: 41061 Disabling Log Collector Target | Sub Rule | Disabling Log Collector Target | Information |
| V 2.0 EVID: 41062 Log Collector Node Selected | Sub Rule | Log Collector Set | Information |
| V 2.0 EVID: 41063 Remote Syslog Target Created | Sub Rule | General Syslog Information | Information |
| V 2.0 EVID: 41064 Log Collector Deregister Failed | Sub Rule | Deregister Failed | Error |
| V 2.0 EVID: 41065 Apply Upgrade Diagnostic Message | Sub Rule | Apply Upgrade Diagnostic Message | Information |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| pri_num | N/A | N/A | Priority value of the message, a combination of the facility value and the severity value of the message. Priority value = (facility value * 8) + severity value. The facility code valid options are: LOCAL0 (Code = 16), LOCAL1 (Code = 17), LOCAL2 (Code = 18), LOCAL3 (Code = 19), LOCAL4 (Code = 20), LOCAL5 (Code = 21), LOCAL6 (Code = 22; default), LOCAL7 (Code = 23). |
| time | N/A | N/A | Date of the message generation, according to the local clock of the originating Cisco ISE server, in the format Mmm DD hh:mm:ss. |
| IP address/hostname | N/A | N/A | IP address of the originating Cisco ISE node, or the hostname. |
| cat_name | <vendorinfo> | Text/String | Logging category name preceded by the CSCOxxx string. |
| msg_id | N/A | N/A | Unique message ID; 1 to 4294967295. The message ID increases by 1 with each new message. Message IDs restart at 1 each time the application is restarted. |
| total_seg | N/A | N/A | Total number of segments in a log message. Long messages are divided into more than one segment. Note: The total_seg depends on the Maximum Length setting in the remote logging targets page. See Remote Logging Target Settings. |
| seg_num | N/A | N/A | Segment sequence number within a message. Use this number to determine what segment of the message you are viewing. |
| timestamp | N/A | N/A | Date of the message generation, according to the local clock of the originating Cisco ISE node, in the following format: YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm. |
| sequence_num | N/A | N/A | Global counter of each message. If one message is sent to the local store and the next to the syslog server target, the counter increments by 2. Possible values are 0000000001 to 999999999. |
| msg_code | <vmid>, <tag1> | Number | Message code as defined in the logging categories. |
| msg_sev | <severity> | Text/String | Message severity level of a log message. |
| msg_class | <subject> | Text/String | Message class, which identifies groups of messages with the same context. |
| msg_text | <action> | Text/String | English language descriptive text message. |
| Key1 | N/A | N/A | N/A |
| Key2 | N/A | N/A | N/A |
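
The header fields described above can be decoded and segmented messages rejoined before the EVID rules are applied. The following is an added example, not vendor or LogRhythm code. It assumes the fields appear space-separated in the order the table lists them, that seg_num starts at 0, and that only the first segment carries the timestamp through msg_text fields; the hostname and sample lines are constructed.

```python
import re
from collections import defaultdict

# Header layout assumed from the row order of the mapping table.
HEADER = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<time>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<cat_name>\S+) (?P<msg_id>\d+) "
    r"(?P<total_seg>\d+) (?P<seg_num>\d+) (?P<payload>.*)", re.S)
BODY = re.compile(
    r"(?P<timestamp>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d[.:]\d{3} [+-]\d\d:\d\d) "
    r"(?P<sequence_num>\d+) (?P<msg_code>\d+) (?P<msg_sev>\S+) "
    r"(?P<msg_class>[^:]+): (?P<msg_text>.*)", re.S)

def decode_pri(pri):
    """Priority = facility * 8 + severity, so divmod inverts it."""
    facility, severity = divmod(pri, 8)
    name = f"LOCAL{facility - 16}" if 16 <= facility <= 23 else str(facility)
    return name, severity

def reassemble(lines):
    """Join segments by (host, msg_id); return (events, incomplete_keys)."""
    segs, totals = defaultdict(dict), {}
    for line in lines:
        m = HEADER.match(line)
        if not m:
            continue
        key = (m["host"], int(m["msg_id"]))
        segs[key][int(m["seg_num"])] = (int(m["pri"]), m["payload"])
        totals[key] = int(m["total_seg"])
    events, incomplete = [], []
    for key, parts in segs.items():
        complete = sorted(parts) == list(range(totals[key]))
        text = "".join(parts[i][1] for i in sorted(parts))
        body = BODY.match(text) if complete else None
        if body is None:
            incomplete.append(key)  # segment missing or first segment malformed
            continue
        facility, severity = decode_pri(parts[0][0])
        events.append({"host": key[0], "msg_id": key[1], "facility": facility,
                       "severity": severity, **body.groupdict()})
    return events, incomplete

# Constructed sample: one two-segment event plus an orphaned second segment.
_H = "<180>Oct 10 12:00:01 ise-sec1 CSCOxxx_Distributed_Management "
SAMPLE = [
    _H + "0000000012 2 0 2024-10-10 12:00:01:123 +00:00 0000004567 41013 "
         "WARN Distributed-Management: ISE node ",
    _H + "0000000012 2 1 deregistered, Hostname=ise-sec1",
    _H + "0000000013 2 1 orphan segment",
]
```

Because message IDs restart at 1 when the application restarts, a long-running collector should expire pending segments on a timer rather than hold a (host, msg_id) key indefinitely.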