V 2.0 My Devices Event

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| V 2.0 My Devices Event | Base Rule | General Information Log Message | Information |
| V 2.0 EVID  88000 Successfully Added A Device | Sub Rule | Object Added | Access Success |
| V 2.0 EVID  88001 Failed To Added A Device | Sub Rule | Device Communication Failure | Error |
| V 2.0 EVID  88002 Successfully Modified The Dev. | Sub Rule | Object Modified | Access Success |
| V 2.0 EVID  88003 Failed To Modify The Device | Sub Rule | Device Communication Failure | Error |
| V 2.0 EVID  88004 Successfully Deleted The Device | Sub Rule | Object Deleted/Removed | Access Success |
| V 2.0 EVID  88005 Failed To Delete The Device | Sub Rule | Device Communication Failure | Error |
| V 2.0 EVID  88006 Successfully Blacklisted Device | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID  88007 Failed To Blacklist The Device | Sub Rule | Device Communication Failure | Error |
| V 2.0 EVID  88008 Successfully Reinstated The Dev | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID  88009 Failed To Reinstate The Device | Sub Rule | Device Communication Failure | Error |
| V 2.0 EVID 88010 Successfully Reg/Prov The Device | Sub Rule | Device Registered | Other Audit Success |
| V 2.0 EVID  88011 Failed To Reg/Prov The Device | Sub Rule | Device Communication Failure | Error |
| V 2.0 EVID  88012 Successfully Performed CoA Term | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID  88013 Failed To Perform CoA Terminat. | Sub Rule | Device Communication Failure | Error |
| V 2.0 EVID  88014 Success Performed CoA Re-Auth | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID  88015 Failed To Perform A CoA Re-auth | Sub Rule | Device Communication Failure | Error |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| pri_num | N/A | N/A | Priority value of the message, a combination of the facility value and the severity value of the message. Priority value = (facility value * 8) + severity value. The facility code valid options are: LOCAL0 (Code = 16), LOCAL1 (Code = 17), LOCAL2 (Code = 18), LOCAL3 (Code = 19), LOCAL4 (Code = 20), LOCAL5 (Code = 21), LOCAL6 (Code = 22; default), LOCAL7 (Code = 23). |
| time | N/A | N/A | Date of the message generation, according to the local clock of the originating Cisco ISE server, in the format Mmm DD hh:mm:ss. |
| IP address/hostname | N/A | N/A | IP address of the originating Cisco ISE node, or the hostname. |
| cat_name | <vendorinfo> | Text/String | Logging category name preceded by the CSCOxxx string. |
| msg_id | N/A | N/A | Unique message ID; 1 to 4294967295. The message ID increases by 1 with each new message. Message IDs restart at 1 each time the application is restarted. |
| total_seg | N/A | N/A | Total number of segments in a log message. Long messages are divided into more than one segment. Note: The total_seg depends on the Maximum Length setting in the remote logging targets page. See Remote Logging Target Settings. |
| seg_num | N/A | N/A | Segment sequence number within a message. Use this number to determine what segment of the message you are viewing. |
| timestamp | N/A | N/A | Date of the message generation, according to the local clock of the originating Cisco ISE node, in the following format: YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm. |
| sequence_num | N/A | N/A | Global counter of each message. If one message is sent to the local store and the next to the syslog server target, the counter increments by 2. Possible values are 0000000001 to 999999999. |
| msg_code | <vmid>, <tag1> | Number | Message code as defined in the logging categories. |
| msg_sev | <severity> | Text/String | Message severity level of a log message. |
| msg_class | <subject> | Text/String | Message class, which identifies groups of messages with the same context. |
| msg_text | <action> | Text/String | English language descriptive text message. |
| ConfigVersionId | N/A | N/A | N/A |
| UserName | <login> | Text/String | N/A |
| Firstname | N/A | N/A | N/A |
| Lastname | N/A | N/A | N/A |
| PhoneNumber | N/A | N/A | N/A |
| MacAddress | <smac> | Text/String | N/A |
| IpAddress | <sip> | IP Address | N/A |
| AuthenticationIdentityStore | N/A | N/A | N/A |
| PortalName | N/A | N/A | N/A |
| IdentityGroup | <group> | Text/String | N/A |
| PsnHostName | <sname> | Text/String | N/A |
| GuestUserName | N/A | N/A | N/A |
| EPMacAddress | <smac> | Text/String | N/A |
| NADAddress | <sip> | IP Address | N/A |
| EPIdentityGroup | N/A | N/A | N/A |
| Staticassignment | N/A | N/A | N/A |
| EndPointProfiler | N/A | N/A | N/A |
| EndPointPolicy | N/A | N/A | N/A |
| DeviceName | N/A | N/A | N/A |
| DeviceRegistrationStatus | <status> | Text/String | N/A |
| AuditSessionId | <session> | Text/String | N/A |
| ResponseTime | N/A | N/A | N/A |
| cisco-av-pair=audit-session-id | N/A | N/A | N/A |
| EndpointCoA | N/A | N/A | N/A |
| CPMSessionID | <session> | Text/String | N/A |
| Key1 | N/A | N/A | N/A |
| Key2 | N/A | N/A | N/A |
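
The following Python is an added example, not LogRhythm's parsing rule or Cisco code: it splits a log line into the fields listed in the schema mapping, inverts the priority formula to recover facility and severity, and assigns the Common Event and Classification from the rule list by msg_code. The field delimiters, the fall-through to the base rule for unlisted codes, and the sample line are assumptions constructed for illustration.

```python
import re

# Field order follows the schema table; the delimiters are an assumption.
HEADER = re.compile(
    r"<(?P<pri_num>\d+)>(?P<time>\w{3} +\d+ [\d:]+) (?P<host>\S+) "
    r"(?P<cat_name>\S+) (?P<msg_id>\d+) (?P<total_seg>\d+) (?P<seg_num>\d+) "
    r"(?P<timestamp>\S+ \S+ \S+) (?P<sequence_num>\d+) (?P<msg_code>\d+) "
    r"(?P<msg_sev>\S+) (?P<msg_class>[^:]+): (?P<body>.*)")

# msg_code -> (Common Event, Classification), copied from the rule table.
SUCCESS = {88000: ("Object Added", "Access Success"),
           88002: ("Object Modified", "Access Success"),
           88004: ("Object Deleted/Removed", "Access Success"),
           88010: ("Device Registered", "Other Audit Success")}
OTHER_SUCCESS = ("Successful Activity", "Other Audit Success")
FAILURE = ("Device Communication Failure", "Error")
BASE_RULE = ("General Information Log Message", "Information")

def classify(msg_code):
    """Return the sub rule's pair; unlisted codes get the base rule (assumption)."""
    if not 88000 <= msg_code <= 88015:
        return BASE_RULE
    if msg_code % 2:  # every odd EVID in the table is a "Failed To ..." rule
        return FAILURE
    return SUCCESS.get(msg_code, OTHER_SUCCESS)

def decode_pri(pri_num):
    """Invert priority = (facility * 8) + severity; name LOCAL0..LOCAL7 only."""
    facility, severity = divmod(pri_num, 8)
    return (f"LOCAL{facility - 16}" if 16 <= facility <= 23 else None), severity

def parse(line):
    """Parse one log line into schema fields, or return None if malformed."""
    m = HEADER.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["msg_text"], *pairs = ev.pop("body").split(", ")
    ev["attrs"] = dict(p.split("=", 1) for p in pairs if "=" in p)
    ev["msg_code"] = int(ev["msg_code"])
    ev["facility"], ev["severity"] = decode_pri(int(ev["pri_num"]))
    ev["common_event"], ev["classification"] = classify(ev["msg_code"])
    return ev

# Constructed sample line (not captured from a real Cisco ISE node).
SAMPLE = ("<182>Mar 04 10:15:02 ise-psn01 CISE_MyDevices 0000000042 1 0 "
          "2024-03-04 10:15:02.117 +00:00 0000001234 88006 INFO MyDevices: "
          "Successfully blacklisted device, ConfigVersionId=5, UserName=jdoe, "
          "MacAddress=00:11:22:33:44:55, IpAddress=192.0.2.10")
```

Calling `parse(SAMPLE)` returns a dictionary whose `attrs` entry holds the key=value pairs, so MacAddress and UserName can be carried into the `<smac>` and `<login>` schema fields.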