Vendor Documentation
Classification
|
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|
|
V 2.0 Passive ID Event |
Base Rule |
General Information Log Message |
Information |
|
V 2.0 EVID 90046 Internal Error |
Sub Rule |
An Internal Error Has Occurred |
Error |
|
V 2.0 EVID 90047 PassiveID Now Primary Node |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90048 PassiveID No Longer Primary Node |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90049 PassiveID Primary Node Elected |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90050 Primary Node Unresponsive |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90051 Service Started |
Sub Rule |
Service Started |
Information |
|
V 2.0 EVID 90052 PassiveID Services Unavailable |
Sub Rule |
Service Unavailable |
Error |
|
V 2.0 EVID 90053 PassiveID Svc Name Not Resolve |
Sub Rule |
General Service Information |
Information |
|
V 2.0 EVID 90054 Active PassiveID Service Set |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90055 Standby PassiveID Service Set |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90056 Config Failed, Svc Unavailable |
Sub Rule |
Service Unavailable |
Error |
|
V 2.0 EVID 90057 Service Applied Configuration |
Sub Rule |
General Service Information |
Information |
|
V 2.0 EVID 90058 Hostname Not Resolve |
Sub Rule |
Failed To Resolve Host |
Error |
|
V 2.0 EVID 90059 Cannot Get Dom Contr. Win Ver |
Sub Rule |
Cannot Retrieve Version Information |
Error |
|
V 2.0 EVID 90060 Domain Controller Win Ver Unsup |
Sub Rule |
General Version Information |
Information |
|
V 2.0 EVID 90061 Cannot Get Domain Contr NetBIOS |
Sub Rule |
General NetBIOS Error |
Error |
|
V 2.0 EVID 90062 Domain Controller Not Connected |
Sub Rule |
Unsuccessful Activity |
Other Audit Failure |
|
V 2.0 EVID 90063 Conn Establish Domain Controller |
Sub Rule |
Successful Activity |
Other Audit Success |
|
V 2.0 EVID 90064 Cannot Get History Login Events |
Sub Rule |
Unsuccessful Activity |
Other Audit Failure |
|
V 2.0 EVID 90065 Received History Login Events |
Sub Rule |
Successful Activity |
Other Audit Success |
|
V 2.0 EVID 90066 Conn Lost With Domain Controller |
Sub Rule |
Connection Lost |
Network Traffic |
|
V 2.0 EVID 90067 Received Login |
Sub Rule |
LOGIN_INFORMATION |
Information |
|
V 2.0 EVID 90068 Received Machine Login |
Sub Rule |
LOGIN_INFORMATION |
Information |
|
V 2.0 EVID 90069 Local IP Replaced |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90070 Received Incorrect Login |
Sub Rule |
LOGIN_INFORMATION |
Information |
|
V 2.0 EVID 90071 Received Unsupported Login |
Sub Rule |
LOGIN_INFORMATION |
Information |
|
V 2.0 EVID 90072 Filtered Login |
Sub Rule |
LOGIN_INFORMATION |
Information |
|
V 2.0 EVID 90073 Login Dropped Due To Size Exceed |
Sub Rule |
LOGIN_INFORMATION |
Information |
|
V 2.0 EVID 90074 Forwarded Login |
Sub Rule |
LOGIN_INFORMATION |
Information |
|
V 2.0 EVID 90075 Cannot Forward Login |
Sub Rule |
LOGIN_INFORMATION |
Information |
|
V 2.0 EVID 90076 Events Handled In Last 24 Hours |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90077 Events Handled In Last Hour |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90078 Connection Closed |
Sub Rule |
Session Closing : Server Closed Connection |
Information |
|
V 2.0 EVID 90079 Service Shutdown |
Sub Rule |
Service Shutdown |
Startup and Shutdown |
|
V 2.0 EVID 90080 PassiveID Service Collected |
Sub Rule |
General Service Information |
Information |
|
V 2.0 EVID 90081 Failed To Start REST Server |
Sub Rule |
Server Failed To Start |
Error |
|
V 2.0 EVID 90082 Failed To Open Syslog Port |
Sub Rule |
Port Access Failure |
Other Audit Failure |
|
V 2.0 EVID 90083 Forwarded Logout Events |
Sub Rule |
Successful Activity |
Other Audit Success |
|
V 2.0 EVID 90084 Endpoint Probe Service Starting |
Sub Rule |
Process/Service Starting |
Startup and Shutdown |
|
V 2.0 EVID 90085 Endpoint Probe Service Stoped |
Sub Rule |
Process/Service Stopped |
Startup and Shutdown |
|
V 2.0 EVID 90086 Unexpected Service Termination |
Sub Rule |
General Service Information |
Information |
|
V 2.0 EVID 90088 Probe Config Update Dom Adm List |
Sub Rule |
Content Successfully Updated |
Information |
|
V 2.0 EVID 90089 Probe Config Update Domain Info |
Sub Rule |
Content Successfully Updated |
Information |
|
V 2.0 EVID 90090 Probe Configuration Deleted |
Sub Rule |
Content Successfully Updated |
Information |
|
V 2.0 EVID 90091 Probe Svc Status Chg To Disable |
Sub Rule |
Service Status Change |
Other Audit Success |
|
V 2.0 EVID 90092 Probe Svc Status Chg To Enable |
Sub Rule |
Service Status Change |
Other Audit Success |
|
V 2.0 EVID 90093 Probe Svc Status Chg With ERROR |
Sub Rule |
Service Status Change |
Other Audit Success |
|
V 2.0 EVID 90094 Probe Svc Status Chg With ERROR |
Sub Rule |
Service Status Change |
Other Audit Success |
|
V 2.0 EVID 90095 Service Status Enabled |
Sub Rule |
Service Status Change |
Other Audit Success |
|
V 2.0 EVID 90096 Service Status Disabled |
Sub Rule |
Service Status Change |
Other Audit Success |
|
V 2.0 EVID 90097 Probe Config Resulted With Err |
Sub Rule |
Configuration Error |
Error |
|
V 2.0 EVID 90098 Probe Delete Configuration |
Sub Rule |
Configuration Error |
Error |
|
V 2.0 EVID 90099 Probe Update Configuration |
Sub Rule |
Configuration Error |
Error |
|
V 2.0 EVID 90100 Probe Man Chk Complete With Err |
Sub Rule |
Unexpected Error |
Error |
|
V 2.0 EVID 90101 Probe Manual Check Starting |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90102 Scheduler Starting |
Sub Rule |
Process/Service Starting |
Startup and Shutdown |
|
V 2.0 EVID 90103 Probe Complete Fetching |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90104 Probe Monitor Chk Complete Succ |
Sub Rule |
Successful Activity |
Other Audit Success |
|
V 2.0 EVID 90105 Probe Mon Chk Complete With Err |
Sub Rule |
Unsuccessful Activity |
Other Audit Failure |
|
V 2.0 EVID 90106 Probe Scheduler Manager Started |
Sub Rule |
General SCHEDULER Message |
Information |
|
V 2.0 EVID 90107 Probe Scheduler Manager Cancel |
Sub Rule |
General SCHEDULER Message |
Information |
|
V 2.0 EVID 90108 Probe Enabling WMI |
Sub Rule |
General Wmi Information |
Information |
|
V 2.0 EVID 90109 Probe Failed To Enable WMI |
Sub Rule |
General Wmi Information |
Information |
|
V 2.0 EVID 90110 Probe Enabling WMI |
Sub Rule |
General Wmi Information |
Information |
|
V 2.0 EVID 90111 Adm Credentials Not Knnown Dom |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90112 Probe Chk Res With User Active |
Sub Rule |
User Still Logged In |
Information |
|
V 2.0 EVID 90113 Probe Chk Res With User Active |
Sub Rule |
Session Closed For User |
Other Audit Success |
|
V 2.0 EVID 90114 Probe Chk Res With Unreachable |
Sub Rule |
Error Connecting To Host |
Error |
|
V 2.0 EVID 90115 DNS Reverse Lookup Failed |
Sub Rule |
General DNS Warning |
Warning |
|
V 2.0 EVID 90116 Probe Config List Of Endpoints |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90117 Valid Login User Required |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90118 Fatal Err Occur During SYSLOG |
Sub Rule |
General Syslog Error |
Error |
|
V 2.0 EVID 90119 Start Listening To TCP Port |
Sub Rule |
TCP Connection Established |
Network Traffic |
|
V 2.0 EVID 90120 Start Listening To UDP Port |
Sub Rule |
UDP Communication Information |
Activity |
|
V 2.0 EVID 90121 Applied Template For Hostname |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90122 DNS Resolution Failed |
Sub Rule |
DNS Query Failed |
Error |
|
V 2.0 EVID 90123 Msg Received Frm Unknown Client |
Sub Rule |
Suspicious Activity |
Suspicious |
|
V 2.0 EVID 90124 Receive Unkown Syslog Format Msg |
Sub Rule |
Suspicious Activity |
Suspicious |
|
V 2.0 EVID 90125 Couldn't Find Session ID In ISE |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90126 Couldn't Find IP Address In ISE |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90127 Receive ISE/ACS Start/Update Rad |
Sub Rule |
General RADIUS Warning |
Warning |
|
V 2.0 EVID 90128 Apply Configuration Failed |
Sub Rule |
Failed Configuration |
Other Audit Failure |
|
V 2.0 EVID 90129 Failed To Publish DHCP Event |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90130 Failed To Ret AD User's Info |
Sub Rule |
User Lookup Failed |
Error |
|
V 2.0 EVID 90131 Cannot Resolve Syslog Provider |
Sub Rule |
Failed To Resolve Host |
Error |
|
V 2.0 EVID 90132 Could Not Parse Syslog Message |
Sub Rule |
Parse Error |
Error |
|
V 2.0 EVID 90133 Invalid Syslog Message Format |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90134 Could Not Parse Syslog Hostname |
Sub Rule |
Cannot Parse Attribute |
Error |
|
V 2.0 EVID 90135 Message Received |
Sub Rule |
General Syslog Message |
Information |
|
V 2.0 EVID 90136 Syslog Protocol Server Error |
Sub Rule |
General Syslog Error |
Error |
|
V 2.0 EVID 90137 Syslog Listener Up |
Sub Rule |
General Syslog Message |
Information |
|
V 2.0 EVID 90138 Syslog Listener Down |
Sub Rule |
General Syslog Notice |
Information |
|
V 2.0 EVID 90139 Mapping Msg Received, Dropped |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90140 Message Parsed |
Sub Rule |
Successful Activity |
Other Audit Success |
|
V 2.0 EVID 90141 Incomplete Msg Received, Dropped |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90142 No AD With Credentials |
Sub Rule |
General Active Directory Information |
Information |
|
V 2.0 EVID 90143 Configured Subnet |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90200 REST Server Started Succesfully |
Sub Rule |
System Started |
Startup and Shutdown |
|
V 2.0 EVID 90201 New Authentication Token |
Sub Rule |
Successful Activity |
Other Audit Success |
|
V 2.0 EVID 90202 Authentication Request Failed |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90203 Token Revoked |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90204 Resolve IP To Hostname Failed |
Sub Rule |
Failed To Resolve Host |
Error |
|
V 2.0 EVID 90205 Request From Unknown Client |
Sub Rule |
Suspicious Activity |
Suspicious |
|
V 2.0 EVID 90206 Request Dropped - Invalid Token |
Sub Rule |
Invalid Profile Token |
Error |
|
V 2.0 EVID 90300 Probe Not Receive Keep-Alive Sig |
Sub Rule |
Keepalive Error |
Error |
|
V 2.0 EVID 90301 Probe Received Incorrect Number |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90500 New Identity Mapping |
Sub Rule |
Object Created |
Access Success |
|
V 2.0 EVID 90501 Update Identity Mapping |
Sub Rule |
Object Modified |
Access Success |
|
V 2.0 EVID 90502 Remove Identity Mapping |
Sub Rule |
Object Deleted/Removed |
Access Success |
|
V 2.0 EVID 90504 PassiveID NO Identity Mapping |
Sub Rule |
General Audit Message |
Other Audit |
|
V 2.0 EVID 90505 Latency Detected |
Sub Rule |
Latency Activity |
Information |
Mapping with LogRhythm Schema
|
Device Key in Log Message |
LogRhythm Schema |
Data Type |
Schema Description |
|---|---|---|---|
|
pri_num |
N/A |
N/A |
Priority value of the message, a combination of the facility value and the severity value of the message. Priority value = (facility value * 8) + severity value.
|
|
time |
N/A |
N/A |
Date of the message generation, according to the local clock of the originating Cisco ISE server, in the format Mmm DD hh:mm:ss. |
|
IP address/hostname |
N/A |
N/A |
IP address of the originating Cisco ISE node, or the hostname. |
|
cat_name |
<vendorinfo> |
Text/String |
Logging category name preceded by the CSCOxxx string. |
|
msg_id |
N/A |
N/A |
Unique message ID; 1 to 4294967295. The message ID increases by 1 with each new message. Message IDs restart at 1 each time the application is restarted. |
|
total_seg |
N/A |
N/A |
Total number of segments in a log message. Long messages are divided into more than one segment.
|
|
seg_num |
N/A |
N/A |
Segment sequence number within a message. Use this number to determine what segment of the message you are viewing. |
|
timestamp |
N/A |
N/A |
Date of the message generation, according to the local clock of the originating the Cisco ISE node, in the following format :
|
|
sequence_num |
N/A |
N/A |
Global counter of each message. If one message is sent to the local store and the next to the syslog server target, the counter increments by 2. Possible values are 0000000001 to 999999999. |
|
msg_code |
<vmid>
|
Number |
Message code as defined in the logging categories. |
|
msg_sev |
<severity> |
Text/String |
Message severity level of a log message. |
|
msg_class |
<subject> |
Text/String |
Message class, which identifies groups of messages with the same context. |
|
msg_text |
<action> |
Text/String |
English language descriptive text message. |
|
Key1 |
N/A |
N/A |
N/A |
|
Key2 |
N/A |
N/A |
N/A |
|
ConfigVersionId |
N/A |
N/A |
N/A |
|
dc-name |
<sname> |
Text/String |
N/A |
|
dc-host |
<sip> |
IP Address |
N/A |
|
dc-domainname |
<domainorigin> |
Text/String |
N/A |
|
dc-connection-type |
N/A |
N/A |
N/A |
|
event-info |
<result> |
Text/String |
N/A |
|
exception-message |
<result> |
Text/String |
N/A |
|
server |
N/A |
N/A |
N/A |
|
NTLMv2 |
N/A |
N/A |
N/A |
|
probe |
N/A |
N/A |
N/A |