V 2.0 Passive ID Event

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 Passive ID Event | Base Rule | General Information Log Message | Information |
| V 2.0 EVID 90046 Internal Error | Sub Rule | An Internal Error Has Occurred | Error |
| V 2.0 EVID 90047 PassiveID Now Primary Node | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90048 PassiveID No Longer Primary Node | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90049 PassiveID Primary Node Elected | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90050 Primary Node Unresponsive | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90051 Service Started | Sub Rule | Service Started | Information |
| V 2.0 EVID 90052 PassiveID Services Unavailable | Sub Rule | Service Unavailable | Error |
| V 2.0 EVID 90053 PassiveID Svc Name Not Resolve | Sub Rule | General Service Information | Information |
| V 2.0 EVID 90054 Active PassiveID Service Set | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90055 Standby PassiveID Service Set | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90056 Config Failed, Svc Unavailable | Sub Rule | Service Unavailable | Error |
| V 2.0 EVID 90057 Service Applied Configuration | Sub Rule | General Service Information | Information |
| V 2.0 EVID 90058 Hostname Not Resolve | Sub Rule | Failed To Resolve Host | Error |
| V 2.0 EVID 90059 Cannot Get Dom Contr. Win Ver | Sub Rule | Cannot Retrieve Version Information | Error |
| V 2.0 EVID 90060 Domain Controller Win Ver Unsup | Sub Rule | General Version Information | Information |
| V 2.0 EVID 90061 Cannot Get Domain Contr NetBIOS | Sub Rule | General NetBIOS Error | Error |
| V 2.0 EVID 90062 Domain Controller Not Connected | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| V 2.0 EVID 90063 Conn Establish Domain Controller | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 90064 Cannot Get History Login Events | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| V 2.0 EVID 90065 Received History Login Events | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 90066 Conn Lost With Domain Controller | Sub Rule | Connection Lost | Network Traffic |
| V 2.0 EVID 90067 Received Login | Sub Rule | LOGIN_INFORMATION | Information |
| V 2.0 EVID 90068 Received Machine Login | Sub Rule | LOGIN_INFORMATION | Information |
| V 2.0 EVID 90069 Local IP Replaced | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90070 Received Incorrect Login | Sub Rule | LOGIN_INFORMATION | Information |
| V 2.0 EVID 90071 Received Unsupported Login | Sub Rule | LOGIN_INFORMATION | Information |
| V 2.0 EVID 90072 Filtered Login | Sub Rule | LOGIN_INFORMATION | Information |
| V 2.0 EVID 90073 Login Dropped Due To Size Exceed | Sub Rule | LOGIN_INFORMATION | Information |
| V 2.0 EVID 90074 Forwarded Login | Sub Rule | LOGIN_INFORMATION | Information |
| V 2.0 EVID 90075 Cannot Forward Login | Sub Rule | LOGIN_INFORMATION | Information |
| V 2.0 EVID 90076 Events Handled In Last 24 Hours | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90077 Events Handled In Last Hour | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90078 Connection Closed | Sub Rule | Session Closing : Server Closed Connection | Information |
| V 2.0 EVID 90079 Service Shutdown | Sub Rule | Service Shutdown | Startup and Shutdown |
| V 2.0 EVID 90080 PassiveID Service Collected | Sub Rule | General Service Information | Information |
| V 2.0 EVID 90081 Failed To Start REST Server | Sub Rule | Server Failed To Start | Error |
| V 2.0 EVID 90082 Failed To Open Syslog Port | Sub Rule | Port Access Failure | Other Audit Failure |
| V 2.0 EVID 90083 Forwarded Logout Events | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 90084 Endpoint Probe Service Starting | Sub Rule | Process/Service Starting | Startup and Shutdown |
| V 2.0 EVID 90085 Endpoint Probe Service Stoped | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| V 2.0 EVID 90086 Unexpected Service Termination | Sub Rule | General Service Information | Information |
| V 2.0 EVID 90088 Probe Config Update Dom Adm List | Sub Rule | Content Successfully Updated | Information |
| V 2.0 EVID 90089 Probe Config Update Domain Info | Sub Rule | Content Successfully Updated | Information |
| V 2.0 EVID 90090 Probe Configuration Deleted | Sub Rule | Content Successfully Updated | Information |
| V 2.0 EVID 90091 Probe Svc Status Chg To Disable | Sub Rule | Service Status Change | Other Audit Success |
| V 2.0 EVID 90092 Probe Svc Status Chg To Enable | Sub Rule | Service Status Change | Other Audit Success |
| V 2.0 EVID 90093 Probe Svc Status Chg With ERROR | Sub Rule | Service Status Change | Other Audit Success |
| V 2.0 EVID 90094 Probe Svc Status Chg With ERROR | Sub Rule | Service Status Change | Other Audit Success |
| V 2.0 EVID 90095 Service Status Enabled | Sub Rule | Service Status Change | Other Audit Success |
| V 2.0 EVID 90096 Service Status Disabled | Sub Rule | Service Status Change | Other Audit Success |
| V 2.0 EVID 90097 Probe Config Resulted With Err | Sub Rule | Configuration Error | Error |
| V 2.0 EVID 90098 Probe Delete Configuration | Sub Rule | Configuration Error | Error |
| V 2.0 EVID 90099 Probe Update Configuration | Sub Rule | Configuration Error | Error |
| V 2.0 EVID 90100 Probe Man Chk Complete With Err | Sub Rule | Unexpected Error | Error |
| V 2.0 EVID 90101 Probe Manual Check Starting | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90102 Scheduler Starting | Sub Rule | Process/Service Starting | Startup and Shutdown |
| V 2.0 EVID 90103 Probe Complete Fetching | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90104 Probe Monitor Chk Complete Succ | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 90105 Probe Mon Chk Complete With Err | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| V 2.0 EVID 90106 Probe Scheduler Manager Started | Sub Rule | General SCHEDULER Message | Information |
| V 2.0 EVID 90107 Probe Scheduler Manager Cancel | Sub Rule | General SCHEDULER Message | Information |
| V 2.0 EVID 90108 Probe Enabling WMI | Sub Rule | General Wmi Information | Information |
| V 2.0 EVID 90109 Probe Failed To Enable WMI | Sub Rule | General Wmi Information | Information |
| V 2.0 EVID 90110 Probe Enabling WMI | Sub Rule | General Wmi Information | Information |
| V 2.0 EVID 90111 Adm Credentials Not Knnown Dom | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90112 Probe Chk Res With User Active | Sub Rule | User Still Logged In | Information |
| V 2.0 EVID 90113 Probe Chk Res With User Active | Sub Rule | Session Closed For User | Other Audit Success |
| V 2.0 EVID 90114 Probe Chk Res With Unreachable | Sub Rule | Error Connecting To Host | Error |
| V 2.0 EVID 90115 DNS Reverse Lookup Failed | Sub Rule | General DNS Warning | Warning |
| V 2.0 EVID 90116 Probe Config List Of Endpoints | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90117 Valid Login User Required | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90118 Fatal Err Occur During SYSLOG | Sub Rule | General Syslog Error | Error |
| V 2.0 EVID 90119 Start Listening To TCP Port | Sub Rule | TCP Connection Established | Network Traffic |
| V 2.0 EVID 90120 Start Listening To UDP Port | Sub Rule | UDP Communication Information | Activity |
| V 2.0 EVID 90121 Applied Template For Hostname | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90122 DNS Resolution Failed | Sub Rule | DNS Query Failed | Error |
| V 2.0 EVID 90123 Msg Received Frm Unknown Client | Sub Rule | Suspicious Activity | Suspicious |
| V 2.0 EVID 90124 Receive Unkown Syslog Format Msg | Sub Rule | Suspicious Activity | Suspicious |
| V 2.0 EVID 90125 Couldn't Find Session ID In ISE | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90126 Couldn't Find IP Address In ISE | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90127 Receive ISE/ACS Start/Update Rad | Sub Rule | General RADIUS Warning | Warning |
| V 2.0 EVID 90128 Apply Configuration Failed | Sub Rule | Failed Configuration | Other Audit Failure |
| V 2.0 EVID 90129 Failed To Publish DHCP Event | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90130 Failed To Ret AD User's Info | Sub Rule | User Lookup Failed | Error |
| V 2.0 EVID 90131 Cannot Resolve Syslog Provider | Sub Rule | Failed To Resolve Host | Error |
| V 2.0 EVID 90132 Could Not Parse Syslog Message | Sub Rule | Parse Error | Error |
| V 2.0 EVID 90133 Invalid Syslog Message Format | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90134 Could Not Parse Syslog Hostname | Sub Rule | Cannot Parse Attribute | Error |
| V 2.0 EVID 90135 Message Received | Sub Rule | General Syslog Message | Information |
| V 2.0 EVID 90136 Syslog Protocol Server Error | Sub Rule | General Syslog Error | Error |
| V 2.0 EVID 90137 Syslog Listener Up | Sub Rule | General Syslog Message | Information |
| V 2.0 EVID 90138 Syslog Listener Down | Sub Rule | General Syslog Notice | Information |
| V 2.0 EVID 90139 Mapping Msg Received, Dropped | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90140 Message Parsed | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 90141 Incomplete Msg Received, Dropped | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90142 No AD With Credentials | Sub Rule | General Active Directory Information | Information |
| V 2.0 EVID 90143 Configured Subnet | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90200 REST Server Started Succesfully | Sub Rule | System Started | Startup and Shutdown |
| V 2.0 EVID 90201 New Authentication Token | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 90202 Authentication Request Failed | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90203 Token Revoked | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90204 Resolve IP To Hostname Failed | Sub Rule | Failed To Resolve Host | Error |
| V 2.0 EVID 90205 Request From Unknown Client | Sub Rule | Suspicious Activity | Suspicious |
| V 2.0 EVID 90206 Request Dropped - Invalid Token | Sub Rule | Invalid Profile Token | Error |
| V 2.0 EVID 90300 Probe Not Receive Keep-Alive Sig | Sub Rule | Keepalive Error | Error |
| V 2.0 EVID 90301 Probe Received Incorrect Number | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90500 New Identity Mapping | Sub Rule | Object Created | Access Success |
| V 2.0 EVID 90501 Update Identity Mapping | Sub Rule | Object Modified | Access Success |
| V 2.0 EVID 90502 Remove Identity Mapping | Sub Rule | Object Deleted/Removed | Access Success |
| V 2.0 EVID 90504 PassiveID NO Identity Mapping | Sub Rule | General Audit Message | Other Audit |
| V 2.0 EVID 90505 Latency Detected | Sub Rule | Latency Activity | Information |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| pri_num | N/A | N/A | Priority value of the message, a combination of the facility value and the severity value of the message. Priority value = (facility value * 8) + severity value. The facility code valid options are: LOCAL0 (Code = 16), LOCAL1 (Code = 17), LOCAL2 (Code = 18), LOCAL3 (Code = 19), LOCAL4 (Code = 20), LOCAL5 (Code = 21), LOCAL6 (Code = 22; default), LOCAL7 (Code = 23). |
| time | N/A | N/A | Date of the message generation, according to the local clock of the originating Cisco ISE server, in the format Mmm DD hh:mm:ss. |
| IP address/hostname | N/A | N/A | IP address of the originating Cisco ISE node, or the hostname. |
| cat_name | <vendorinfo> | Text/String | Logging category name preceded by the CSCOxxx string. |
| msg_id | N/A | N/A | Unique message ID; 1 to 4294967295. The message ID increases by 1 with each new message. Message IDs restart at 1 each time the application is restarted. |
| total_seg | N/A | N/A | Total number of segments in a log message. Long messages are divided into more than one segment. Note: The total_seg depends on the Maximum Length setting in the remote logging targets page. See Remote Logging Target Settings. |
| seg_num | N/A | N/A | Segment sequence number within a message. Use this number to determine what segment of the message you are viewing. |
| timestamp | N/A | N/A | Date of the message generation, according to the local clock of the originating Cisco ISE node, in the following format: YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm. |
| sequence_num | N/A | N/A | Global counter of each message. If one message is sent to the local store and the next to the syslog server target, the counter increments by 2. Possible values are 0000000001 to 999999999. |
| msg_code | <vmid>, <tag1> | Number | Message code as defined in the logging categories. |
| msg_sev | <severity> | Text/String | Message severity level of a log message. |
| msg_class | <subject> | Text/String | Message class, which identifies groups of messages with the same context. |
| msg_text | <action> | Text/String | English language descriptive text message. |
| Key1 | N/A | N/A | N/A |
| Key2 | N/A | N/A | N/A |
| ConfigVersionId | N/A | N/A | N/A |
| dc-name | <sname> | Text/String | N/A |
| dc-host | <sip> | IP Address | N/A |
| dc-domainname | <domainorigin> | Text/String | N/A |
| dc-connection-type | N/A | N/A | N/A |
| event-info | <result> | Text/String | N/A |
| exception-message | <result> | Text/String | N/A |
| server | N/A | N/A | N/A |
| NTLMv2 | N/A | N/A | N/A |
| probe | N/A | N/A | N/A |