V 2.0 Posture And Client Provisioning Audit Event
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 Posture And Client Provisioning Audit Event | Base Rule | Audit Message | Other Audit |
V 2.0 EVID 87000 Endpoint Posture Report Received | Sub Rule | General Endpoint Message | Information |
V 2.0 EVID 87001 EP Reassessment Report Receive | Sub Rule | General Endpoint Message | Information |
V 2.0 EVID 87002 Endpoint Session Termination | Sub Rule | General Endpoint Message | Information |
V 2.0 EVID 87004 EP USB-Check Report Received | Sub Rule | General Information Log Message | Information |
V 2.0 EVID 87500 Client Provisioning Success | Sub Rule | Successful Activity | Other Audit Success |
V 2.0 EVID 87501 Client Provisioning Fail Event | Sub Rule | Provisioning Failed | Warning |
V 2.0 EVID 87600 Supplicant Provisioning Success | Sub Rule | Successful Activity | Other Audit Success |
V 2.0 EVID 87601 Supplicant Provisioning Fail | Sub Rule | Provisioning Failed | Warning |
V 2.0 EVID 87602 Supplicant Provision Inprogress | Sub Rule | General Information Log Message | Information |
V 2.0 EVID 87603 Supplicant Provisioning Disable | Sub Rule | General Information Log Message | Information |
V 2.0 EVID 87604 CA Server Down | Sub Rule | The Server Is Down | Information |
V 2.0 EVID 87605 CA Server Up | Sub Rule | Server Is Up | Information |
V 2.0 EVID 87606 Certificate Request Forwarding | Sub Rule | Certificate Verification Failure | Error |
V 2.0 EVID 87607 OCSP Transactions High Volume | Sub Rule | General Information Log Message | Information |
V 2.0 EVID 87608 EST Service Down | Sub Rule | General Information Log Message | Information |
V 2.0 EVID 87609 EST Service Up | Sub Rule | General Information Log Message | Information |
V 2.0 EVID 87750 EP Protection Svc Perform Op. | Sub Rule | General Endpoint Message | Information |
V 2.0 EVID 87751 EP Protection Svc Operation Res | Sub Rule | General Endpoint Message | Information |
V 2.0 EVID 87752 Provisioning Portal -Req Submit | Sub Rule | Certificate Request | Activity |
V 2.0 EVID 87753 Provisioning Portal-Status Update | Sub Rule | Certificate Update Request | Activity |
V 2.0 EVID 87754 Provisioning Portal -User Login | Sub Rule | General Information Log Message | Information |
V 2.0 EVID 87901 EP Scripts Provisioned New Job | Sub Rule | General Endpoint Message | Information |
V 2.0 EVID 87921 EndPoint Scripts Execution Res | Sub Rule | General Endpoint Message | Information |
V 2.0 EVID 87005 PSN Posture Compliant State | Sub Rule | General Information Log Message | Information |
V 2.0 EVID 87006 Posture Queries For MNT Session | Sub Rule | General Information Log Message | Information |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
pri_num | N/A | N/A | Priority value of the message, a combination of the facility value and the severity value of the message. Priority value = (facility value * 8) + severity value. Valid facility codes are: LOCAL0 (Code = 16), LOCAL1 (Code = 17), LOCAL2 (Code = 18), LOCAL3 (Code = 19), LOCAL4 (Code = 20), LOCAL5 (Code = 21), LOCAL6 (Code = 22; default), LOCAL7 (Code = 23). |
time | N/A | N/A | Date of the message generation, according to the local clock of the originating Cisco ISE server, in the format Mmm DD hh:mm:ss. |
IP address/hostname | N/A | N/A | IP address of the originating Cisco ISE node, or the hostname. |
cat_name | <vendorinfo> | Text/String | Logging category name preceded by the CSCOxxx string. |
msg_id | N/A | N/A | Unique message ID; 1 to 4294967295. The message ID increases by 1 with each new message. Message IDs restart at 1 each time the application is restarted. |
total_seg | N/A | N/A | Total number of segments in a log message. Long messages are divided into more than one segment. Note: total_seg depends on the Maximum Length setting in the remote logging targets page. See Remote Logging Target Settings. |
seg_num | N/A | N/A | Segment sequence number within a message. Use this number to determine what segment of the message you are viewing. |
timestamp | N/A | N/A | Date of the message generation, according to the local clock of the originating Cisco ISE node, in the following format: YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm. |
sequence_num | N/A | N/A | Global counter of each message. If one message is sent to the local store and the next to the syslog server target, the counter increments by 2. Possible values are 0000000001 to 999999999. |
msg_code | <vmid> <tag1> | Number | Message code as defined in the logging categories. |
msg_sev | <severity> | Text/String | Message severity level of a log message. |
msg_class | <subject> | Text/String | Message class, which identifies groups of messages with the same context. |
msg_text | <action> | Text/String | English language descriptive text message. |
ConfigVersionId | N/A | N/A | N/A |
NetworkDeviceGroups | N/A | N/A | N/A |
RequestTime | N/A | N/A | N/A |
ResponseTime | N/A | N/A | N/A |
FailureReason | <reason> | Text/String | N/A |
MacAddress | <dmac> | Text/String | N/A |
OperatingSystem | N/A | N/A | N/A |
PostureAgentVersion | N/A | N/A | N/A |
PosturePolicyMatched | N/A | N/A | N/A |
UserName | <account> | Text/String | N/A |
SessionId | <session> | Text/String | N/A |
IpAddress | <dip> | IP Address | N/A |
SupplicantProfile | N/A | N/A | N/A |
AntiVirusInstalled | N/A | N/A | N/A |
AntiSpywareInstalled | N/A | N/A | N/A |
FeedUrl | <url> | Text/String | N/A |
NumOfUpdates | N/A | N/A | N/A |
Key1 | N/A | N/A | N/A |
Key2 | N/A | N/A | N/A |
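
The header fields above (pri_num, msg_id, total_seg, seg_num) let a collector decode the priority and rejoin segmented messages before the sub rules match on msg_code. The sketch below is an added example, not LogRhythm or Cisco code; it assumes space-separated header fields in the table's order and comma-separated Key=Value attributes after msg_text, and the sample lines, host name and category string are constructed.

```python
import re

# Assumed layout: header fields space-separated, in the mapping table's order.
SEGMENT = re.compile(
    r"<(?P<pri_num>\d+)>\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) (?P<cat_name>\S+) "
    r"(?P<msg_id>\d+) (?P<total_seg>\d+) (?P<seg_num>\d+) (?P<body>.*)", re.S)
BODY = re.compile(
    r"(?P<timestamp>\d{4}-\d\d-\d\d [\d:.]+ [+-]\d\d:\d\d) (?P<sequence_num>\d+) "
    r"(?P<msg_code>\d+) (?P<msg_sev>\S+) (?P<msg_class>[^:]+): (?P<rest>.*)", re.S)

def decode_pri(pri_num):
    """Priority value = (facility value * 8) + severity value."""
    return divmod(pri_num, 8)  # -> (facility, severity)

def parse_event(pri_num, body):
    """Split a reassembled body; assumes comma-separated Key=Value attributes."""
    m = BODY.match(body)
    if not m:
        return None
    parts = [p.strip() for p in m["rest"].split(",")]
    event = {k: m[k] for k in ("timestamp", "sequence_num", "msg_code", "msg_sev", "msg_class")}
    event["facility"], event["severity"] = decode_pri(pri_num)
    event["msg_text"] = parts[0]
    event["attrs"] = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return event

def reassemble(lines):
    """Group segments by (host, cat_name, msg_id); emit only complete messages."""
    pending, events = {}, []
    for line in lines:
        m = SEGMENT.match(line)
        if not m:
            continue
        key = (m["host"], m["cat_name"], m["msg_id"])
        entry = pending.setdefault(key, {"total": int(m["total_seg"]), "segs": {}})
        entry["segs"][int(m["seg_num"])] = m["body"]
        if len(entry["segs"]) == entry["total"]:
            body = "".join(s for _, s in sorted(pending.pop(key)["segs"].items()))
            event = parse_event(int(m["pri_num"]), body)
            if event:
                events.append(event)
    return events

# Constructed sample: one message in two segments, arriving out of order.
HDR = "<180>Feb  3 10:15:02 ise-psn1 CISE_Posture_and_Client_Provisioning_Audit 0000000042 2 "
SAMPLE = [HDR + "1 ess=00:11:22:33:44:55, FailureReason=No matching policy,",
          HDR + "0 2024-02-03 10:15:02.123 +00:00 0000001234 87501 WARN Posture: "
                "Client provisioning failed, UserName=jdoe, MacAddr"]
print(reassemble(SAMPLE))
```

A message whose segments never all arrive stays in `pending` and is not emitted, so a production collector would also need a timeout to flush or flag incomplete messages.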