V 2.0 My Devices Event
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 My Devices Event | Base Rule | General Information Log Message | Information |
| V 2.0 EVID 88000 Successfully Added A Device | Sub Rule | Object Added | Access Success |
| V 2.0 EVID 88001 Failed To Added A Device | Sub Rule | Device Communication Failure | Error |
| V 2.0 EVID 88002 Successfully Modified The Dev. | Sub Rule | Object Modified | Access Success |
| V 2.0 EVID 88003 Failed To Modify The Device | Sub Rule | Device Communication Failure | Error |
| V 2.0 EVID 88004 Successfully Deleted The Device | Sub Rule | Object Deleted/Removed | Access Success |
| V 2.0 EVID 88005 Failed To Delete The Device | Sub Rule | Device Communication Failure | Error |
| V 2.0 EVID 88006 Successfully Blacklisted Device | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 88007 Failed To Blacklist The Device | Sub Rule | Device Communication Failure | Error |
| V 2.0 EVID 88008 Successfully Reinstated The Dev | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 88009 Failed To Reinstate The Device | Sub Rule | Device Communication Failure | Error |
| V 2.0 EVID 88010 Successfully Reg/Prov The Device | Sub Rule | Device Registered | Other Audit Success |
| V 2.0 EVID 88011 Failed To Reg/Prov The Device | Sub Rule | Device Communication Failure | Error |
| V 2.0 EVID 88012 Successfully Performed CoA Term | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 88013 Failed To Perform CoA Terminat. | Sub Rule | Device Communication Failure | Error |
| V 2.0 EVID 88014 Success Performed CoA Re-Auth | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 88015 Failed To Perform A CoA Re-auth | Sub Rule | Device Communication Failure | Error |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| pri_num | N/A | N/A | Priority value of the message, a combination of the facility value and the severity value of the message. Priority value = (facility value * 8) + severity value. The facility code valid options are: LOCAL0 (Code = 16) LOCAL1 (Code = 17) LOCAL2 (Code = 18) LOCAL3 (Code = 19) LOCAL4 (Code = 20) LOCAL5 (Code = 21) LOCAL6 (Code = 22; default) LOCAL7 (Code = 23) |
| time | N/A | N/A | Date of the message generation, according to the local clock of the originating Cisco ISE server, in the format Mmm DD hh:mm:ss. |
| IP address/hostname | N/A | N/A | IP address of the originating Cisco ISE node, or the hostname. |
| cat_name | <vendorinfo> | Text/String | Logging category name preceded by the CSCOxxx string. |
| msg_id | N/A | N/A | Unique message ID; 1 to 4294967295. The message ID increases by 1 with each new message. Message IDs restart at 1 each time the application is restarted. |
| total_seg | N/A | N/A | Total number of segments in a log message. Long messages are divided into more than one segment. Note: The total_seg depends on the Maximum Length setting in the remote logging targets page. See Remote Logging Target Settings. |
| seg_num | N/A | N/A | Segment sequence number within a message. Use this number to determine what segment of the message you are viewing. |
| timestamp | N/A | N/A | Date of the message generation, according to the local clock of the originating the Cisco ISE node, in the following format: YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm. |
| sequence_num | N/A | N/A | Global counter of each message. If one message is sent to the local store and the next to the syslog server target, the counter increments by 2. Possible values are 0000000001 to 999999999. |
| msg_code | <vmid> <tag1> | Number | Message code as defined in the logging categories. |
| msg_sev | <severity> | Text/String | Message severity level of a log message. |
| msg_class | <subject> | Text/String | Message class, which identifies groups of messages with the same context. |
| msg_text | <action> | Text/String | English language descriptive text message. |
| ConfigVersionId | N/A | N/A | N/A |
| UserName | <login> | Text/String | N/A |
| Firstname | N/A | N/A | N/A |
| Lastname | N/A | N/A | N/A |
| PhoneNumber | N/A | N/A | N/A |
| MacAddress | <smac> | Text/String | N/A |
| IpAddress | <sip> | IP Address | N/A |
| AuthenticationIdentityStore | N/A | N/A | N/A |
| PortalName | N/A | N/A | N/A |
| IdentityGroup | <group> | Text/String | N/A |
| PsnHostName | <sname> | Text/String | N/A |
| GuestUserName | N/A | N/A | N/A |
| EPMacAddress | <smac> | Text/String | N/A |
| NADAddress | <sip> | IP Address | N/A |
| EPIdentityGroup | N/A | N/A | N/A |
| Staticassignment | N/A | N/A | N/A |
| EndPointProfiler | N/A | N/A | N/A |
| EndPointPolicy | N/A | N/A | N/A |
| DeviceName | N/A | N/A | N/A |
| DeviceRegistrationStatus | <status> | Text/String | N/A |
| AuditSessionId | <session> | Text/String | N/A |
| ResponseTime | N/A | N/A | N/A |
| cisco-av-pair=audit-session-id | N/A | N/A | N/A |
| EndpointCoA | N/A | N/A | N/A |
| CPMSessionID | <session> | Text/String | N/A |
| Key1 | N/A | N/A | N/A |
| Key2 | N/A | N/A | N/A |