Vendor Documentation
Classification
|
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|
|
V 2.0 Failed Attempts Event |
Base Rule |
General Failed Activity |
Failed Activity |
|
V 2.0 EVID 5400 Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
V 2.0 EVID 5401 Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
V 2.0 EVID 5402 Command Authorization Failed |
Sub Rule |
Authorization Failed |
Warning |
|
V 2.0 EVID 5403 Session Authorization Failed |
Sub Rule |
Authorization Failed |
Warning |
|
V 2.0 EVID 5404 Authorization Failed |
Sub Rule |
Authorization Failed |
Warning |
|
V 2.0 EVID 5405 RADIUS Request Dropped |
Sub Rule |
RADIUS Request Failure |
Warning |
|
V 2.0 EVID 5406 TACACS+ Request Dropped |
Sub Rule |
TACACS+ Accounting Request Rejected |
Information |
|
V 2.0 EVID 5407 TACACS+ Authorization Failed |
Sub Rule |
Authorization Failed |
Warning |
|
V 2.0 EVID 5408 Command Authorization Error |
Sub Rule |
General Authorization Warning |
Warning |
|
V 2.0 EVID 5409 Session Authorization Error |
Sub Rule |
General Authorization Warning |
Warning |
|
V 2.0 EVID 5410 TACACS+ Authorization Error |
Sub Rule |
General Authorization Warning |
Warning |
|
V 2.0 EVID 5411 Supplicant Stopped Responding |
Sub Rule |
Host Not Responding |
Warning |
|
V 2.0 EVID 5412 TACACS+ Auth Req Ended With Err |
Sub Rule |
Authentication Error |
Error |
|
V 2.0 EVID 5413 RADIUS Accounting-Req Dropped |
Sub Rule |
Accounting Request Dropped |
Warning |
|
V 2.0 EVID 5414 TACACS+ Accounting Failed |
Sub Rule |
Accounting Failure |
Error |
|
V 2.0 EVID 5415 Change Password Failed |
Sub Rule |
Password Change Failed |
Error |
|
V 2.0 EVID 5416 RADIUS PAP Session Cleaned Up |
Sub Rule |
PAP Session Cleaned Up |
Information |
|
V 2.0 EVID 5417 Dynamic Authorization Failed |
Sub Rule |
Authorization Failed |
Warning |
|
V 2.0 EVID 5418 Guest Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
V 2.0 EVID 5419 DACL Download Failed |
Sub Rule |
Download Object Failure |
Access Failure |
|
V 2.0 EVID 5420 Trustsec Data Download Failed |
Sub Rule |
Download Object Failure |
Access Failure |
|
V 2.0 EVID 5421 Trustsec Peer Policy Dwnld Fail |
Sub Rule |
Download Object Failure |
Access Failure |
|
V 2.0 EVID 5422 Authorize-Only Failed |
Sub Rule |
Authorization Failed |
Warning |
|
V 2.0 EVID 5423 Device Registration Web Auth Fail |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
V 2.0 EVID 5434 Endpoint Multiple Failed Auth |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
V 2.0 EVID 5435 NAS Multiple Failed Auth |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
V 2.0 EVID 5436 RADIUS Packet Already In Process |
Sub Rule |
Packet Already In Process |
Information |
|
V 2.0 EVID 5437 Dup. RADIUS Pkt For Mult Paramet |
Sub Rule |
Duplicate Packet |
Error |
|
V 2.0 EVID 5438 RADIUS Pkt Session Doesnot Exist |
Sub Rule |
Cannot Establish Session |
Error |
|
V 2.0 EVID 5439 RADIUS Packet Session Not Start |
Sub Rule |
Failed To Create Session |
Error |
|
V 2.0 EVID 5440 Endpoint EAP Session Abandoned |
Sub Rule |
Session Terminated Due To Error |
Error |
|
V 2.0 EVID 5441 Endpoint New Session Dropped |
Sub Rule |
Failed To Create Session |
Error |
|
V 2.0 EVID 5442 RADIUS Req Drop- System Overload |
Sub Rule |
Request Rejected |
Error |
|
V 2.0 EVID 5443 RADIUS Req Drop- EAP Session Lim |
Sub Rule |
Request Rejected |
Error |
|
V 2.0 EVID 5447 MDM Authentication Passed |
Sub Rule |
Authentication Complete |
Information |
|
V 2.0 EVID 5448 MDM Authentication Failed |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
V 2.0 EVID 5449 Endpoint Multiple Failed Auth |
Sub Rule |
Authentication Failure Activity |
Authentication Failure |
|
V 2.0 EVID 5450 RADIUS DTLS Handshake Failed |
Sub Rule |
Handshake Failed |
Warning |
|
V 2.0 EVID 5451 Social Login Permission Denied |
Sub Rule |
Social Media Activity |
Misuse |
|
V 2.0 EVID 5452 Social Login User Info Error |
Sub Rule |
LOGIN Error |
Error |
Mapping with LogRhythm Schema
|
Device Key in Log Message |
LogRhythm Schema |
Data Type |
Schema Description |
|---|---|---|---|
|
pri_num |
N/A |
N/A |
Priority value of the message, a combination of the facility value and the severity value of the message. Priority value = (facility value * 8) + severity value.
|
|
time |
N/A |
N/A |
Date of the message generation, according to the local clock of the originating Cisco ISE server, in the format Mmm DD hh:mm:ss. |
|
IP address/hostname |
N/A |
N/A |
IP address of the originating Cisco ISE node, or the hostname. |
|
cat_name |
<vendorinfo> |
Text/String |
Logging category name preceded by the CSCOxxx string. |
|
msg_id |
N/A |
N/A |
Unique message ID; 1 to 4294967295. The message ID increases by 1 with each new message. Message IDs restart at 1 each time the application is restarted. |
|
total_seg |
N/A |
N/A |
Total number of segments in a log message. Long messages are divided into more than one segment.
|
|
seg_num |
N/A |
N/A |
Segment sequence number within a message. Use this number to determine what segment of the message you are viewing. |
|
timestamp |
N/A |
N/A |
Date of the message generation, according to the local clock of the originating the Cisco ISE node, in the following format:
|
|
sequence_num |
N/A |
N/A |
Global counter of each message. If one message is sent to the local store and the next to the syslog server target, the counter increments by 2. Possible values are 0000000001 to 999999999. |
|
msg_code |
<vmid>
|
Number |
Message code as defined in the logging categories. |
|
msg_sev |
<severity> |
Text/String |
Message severity level of a log message. |
|
msg_class |
<subject> |
Text/String |
Message class, which identifies groups of messages with the same context. |
|
msg_text |
<action> |
Text/String |
English language descriptive text message. |
|
ConfigVersionId |
N/A |
N/A |
N/A |
|
DeviceIPAddress |
<sip> |
IP Address |
N/A |
|
DevicePort |
<sport> |
Number |
N/A |
|
DestinationIPAddress |
<dip> |
IP Address |
N/A |
|
DestinationPort |
<dport> |
Number |
N/A |
|
RadiusPacketType |
N/A |
N/A |
N/A |
|
UserName |
<account> |
Text/String |
N/A |
|
MacAddress |
N/A |
N/A |
N/A |
|
IpAddress |
<sip> |
IP Address |
N/A |
|
CmdSet |
N/A |
N/A |
N/A |
|
Protocol |
<protnum>/<protname> |
Number/Text/String |
N/A |
|
RequestLatency |
N/A |
N/A |
N/A |
|
NetworkDeviceName |
N/A |
N/A |
N/A |
|
Type |
N/A |
N/A |
N/A |
|
Action |
<status> |
Text/String |
N/A |
|
Privilege-Level |
N/A |
N/A |
N/A |
|
Authen-Type |
N/A |
N/A |
N/A |
|
Service |
N/A |
N/A |
N/A |
|
User |
N/A |
N/A |
N/A |
|
Port |
N/A |
N/A |
N/A |
|
Remote-Address |
N/A |
N/A |
N/A |
|
User-Name |
<account> |
Text/String |
N/A |
|
NAS-IP-Address |
N/A |
N/A |
N/A |
|
NAS-Port |
N/A |
N/A |
N/A |
|
Service-Type |
N/A |
N/A |
N/A |
|
Framed-MTU |
N/A |
N/A |
N/A |
|
State |
<status> |
Text/String |
N/A |
|
Called-Station-ID |
<dnatip>,<dmac> |
IP Address/Text/String |
N/A |
|
Calling-Station-ID |
<snatip>,<smac> |
IP Address/Text/String |
N/A |
|
Acct-Session-Id |
<session> |
N/A |
N/A |
|
NAS-Port-Type |
N/A |
N/A |
N/A |
|
cisco-av-pair |
N/A |
N/A |
N/A |
|
NetworkDeviceProfileName |
N/A |
N/A |
N/A |
|
NetworkDeviceProfileId |
N/A |
N/A |
N/A |
|
IsThirdPartyDeviceFlow |
N/A |
N/A |
N/A |
|
PostureStatus |
<status> |
Text/String |
N/A |
|
AcsSessionID |
<session> |
Text/String |
N/A |
|
AuthenticationMethod |
N/A |
N/A |
N/A |
|
SelectedAccessService |
N/A |
N/A |
N/A |
|
FailureReason |
<reason> |
Text/String |
N/A |
|
Step |
N/A |
N/A |
N/A |
|
SelectedAuthenticationIdentityStores |
N/A |
N/A |
N/A |
|
EndPointMACAddress |
<dnatip>,<dmac> |
Text/String |
N/A |
|
Key1 |
N/A |
N/A |
N/A |
|
Key2 |
N/A |
N/A |
N/A |