V 2.0 Profiler Event
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 Profiler Event | Base Rule | Diagnostic Information | Information |
V 2.0 EVID 80001 Profiler EndPoint Collection | Sub Rule | Endpoint Profiling Activity | Information |
V 2.0 EVID 80002 Profiler EndPoint Profiling | Sub Rule | Endpoint Profiling Activity | Information |
V 2.0 EVID 80003 Profiler Probe Fail | Sub Rule | Probing Failure | Error |
V 2.0 EVID 80004 Profiler Performance Counters | Sub Rule | General Information Log Message | Information |
V 2.0 EVID 80005 Profiler Exception Action Exec. | Sub Rule | General Information Log Message | Information |
V 2.0 EVID 80006 Profiler Change Auth Request | Sub Rule | Authorization Request Received | Other Audit |
V 2.0 EVID 80007 Profiler SNMP Request Sent | Sub Rule | General SNMP Information | Information |
V 2.0 EVID 80008 Profiler Receive SNMP Response | Sub Rule | General SNMP Information | Information |
V 2.0 EVID 80009 Profiler SNMP Request Failure | Sub Rule | General SNMP Information | Information |
V 2.0 EVID 80010 Profiler DNS Request Sent | Sub Rule | DNS Request | Network Traffic |
V 2.0 EVID 80013 Profiler EndPoint Feed Profiling | Sub Rule | Endpoint Profiling Activity | Information |
V 2.0 EVID 80014 Profiler EndPoint Purge | Sub Rule | Endpoint Profiling Activity | Information |
V 2.0 EVID 80015 Profiler Queue Size Limit Reach | Sub Rule | Endpoint Profiling Activity | Information |
V 2.0 EVID 80016 Anomalous Behavior Detected | Sub Rule | General Information Log Message | Information |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
pri_num | N/A | N/A | Priority value of the message, a combination of the facility value and the severity value of the message: Priority value = (facility value * 8) + severity value. The valid facility codes are LOCAL0 (Code = 16), LOCAL1 (Code = 17), LOCAL2 (Code = 18), LOCAL3 (Code = 19), LOCAL4 (Code = 20), LOCAL5 (Code = 21), LOCAL6 (Code = 22; default) and LOCAL7 (Code = 23). |
time | N/A | N/A | Date of the message generation, according to the local clock of the originating Cisco ISE server, in the format Mmm DD hh:mm:ss. |
IP address/hostname | N/A | N/A | IP address of the originating Cisco ISE node, or the hostname. |
cat_name | <vendorinfo> | Text/String | Logging category name preceded by the CSCOxxx string. |
msg_id | N/A | N/A | Unique message ID; 1 to 4294967295. The message ID increases by 1 with each new message. Message IDs restart at 1 each time the application is restarted. |
total_seg | N/A | N/A | Total number of segments in a log message. Long messages are divided into more than one segment. Note: the total_seg value depends on the Maximum Length setting on the remote logging targets page. See Remote Logging Target Settings. |
seg_num | N/A | N/A | Segment sequence number within a message. Use this number to determine what segment of the message you are viewing. |
timestamp | N/A | N/A | Date of the message generation, according to the local clock of the originating Cisco ISE node, in the format YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm. |
sequence_num | N/A | N/A | Global counter of each message. If one message is sent to the local store and the next to the syslog server target, the counter increments by 2. Possible values are 0000000001 to 999999999. |
msg_code | <vmid> <tag1> | Number | Message code as defined in the logging categories. |
msg_sev | <severity> | Text/String | Message severity level of a log message. |
msg_class | <subject> | Text/String | Message class, which identifies groups of messages with the same context. |
msg_text | <action> | Text/String | English language descriptive text message. |
ConfigVersionId | N/A | N/A | N/A |
OperatingSystem | N/A | N/A | N/A |
EndpointCertainityMetric | N/A | N/A | N/A |
EndpointIPAddress | <sip> | IP Address | N/A |
EndpointCoA | N/A | N/A | N/A |
EndpointMacAddress | <smac> | Text/String | N/A |
EndpointMatchedPolicy | N/A | N/A | N/A |
EndpointNADAddress | N/A | N/A | N/A |
EndpointOUI | N/A | N/A | N/A |
EndpointPolicy | <policy> | Text/String | N/A |
EndpointProperty | N/A | N/A | N/A |
AuthenticationIdentityStore | N/A | N/A | N/A |
AuthenticationMethod | N/A | N/A | N/A |
DestinationPort | <dport> | Number | N/A |
PortalUser.GuestStatus | N/A | N/A | N/A |
allowEasyWiredSession | N/A | N/A | N/A |
User-Fetch-StreetAddress | N/A | N/A | N/A |
PostureExpiry | N/A | N/A | N/A |
SelectedAccessService | N/A | N/A | N/A |
NetworkDeviceName | N/A | N/A | N/A |
User-Fetch-Job-Title | N/A | N/A | N/A |
DestinationIPAddress | <dip> | IP Address | N/A |
SelectedAuthenticationIdentityStores | N/A | N/A | N/A |
MessageCode | <result> | Number | N/A |
EndPointPolicyID | N/A | N/A | N/A |
UseCase | N/A | N/A | N/A |
NAS-Port-Id | N/A | N/A | N/A |
NAS-Port-Type | N/A | N/A | N/A |
Response | <account> <status> | Text/String | N/A |
ProfilerServer | N/A | N/A | N/A |
ProfilerErrorMessage | <result> | Text/String | N/A |
SNMPOIDValue | N/A | N/A | N/A |
PortalUser.PhoneNumber | N/A | N/A | N/A |
User-Fetch-Organizational-Unit | N/A | N/A | N/A |
Key1 | N/A | N/A | N/A |
Key2 | N/A | N/A | N/A |
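The header fields in the mapping table above (pri_num through msg_text, plus the total_seg/seg_num segmentation and the device-key-to-schema mapping) are enough to write a small collector-side parser. The following is an added example, not LogRhythm's MPE rule or Cisco's code: it decodes pri_num into facility and severity and rejects facilities outside the documented LOCAL0..LOCAL7 range, reassembles multi-segment messages by msg_id, and renames the key=value attributes to the LogRhythm schema fields listed in the table. The sample log lines are constructed; the assumption that every segment repeats the full header, and the CISE_Profiler category name, are not taken from this page.

```python
import re

# Header fields in the order the mapping table lists them (pri_num ... msg_text);
# the seconds/millisecond separator is accepted as ':' (as documented) or '.'.
HEADER = re.compile(
    r"^<(?P<pri_num>\d{1,3})>(?P<time>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<cat_name>\S+) (?P<msg_id>\d+) (?P<total_seg>\d+) (?P<seg_num>\d+) "
    r"(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[.:]\d{3} [+-]\d{2}:\d{2}) "
    r"(?P<sequence_num>\d+) (?P<msg_code>\d+) (?P<msg_sev>\S+) (?P<msg_class>[^:]+): ?(?P<msg_text>.*)$")
ATTR_SPLIT = re.compile(r"(?<!\\), ")  # a literal comma inside a value is escaped as "\,"
# Device key -> LogRhythm schema field, from the mapping table; unmapped keys keep their own name.
SCHEMA = {"EndpointIPAddress": "sip", "EndpointMacAddress": "smac", "EndpointPolicy": "policy",
          "DestinationIPAddress": "dip", "DestinationPort": "dport", "MessageCode": "result"}

def parse_segments(lines):
    """Group by msg_id, order by seg_num, join msg_text once total_seg segments arrived (assumes each segment repeats the header)."""
    pending = {}
    for line in lines:
        m = HEADER.match(line.rstrip("\r\n"))
        if m:
            h = m.groupdict()
            pending.setdefault(h["msg_id"], {})[int(h["seg_num"])] = h
    events = []
    for segs in pending.values():
        first = segs[min(segs)]
        if len(segs) == int(first["total_seg"]):  # incomplete messages are left pending
            events.append(dict(first, msg_text="".join(segs[k]["msg_text"] for k in sorted(segs))))
    return events

def to_logrhythm(event):
    """Decode pri_num and rename the key=value attributes to the LogRhythm schema fields."""
    facility, severity = divmod(int(event["pri_num"]), 8)  # pri = facility * 8 + severity
    if not 16 <= facility <= 23:  # ISE sends LOCAL0..LOCAL7 (codes 16..23); anything else is suspect
        raise ValueError(f"unexpected facility {facility} in PRI {event['pri_num']}")
    out = {"vmid": int(event["msg_code"]), "severity": event["msg_sev"], "subject": event["msg_class"],
           "facility": facility, "syslog_severity": severity}
    for pair in ATTR_SPLIT.split(event["msg_text"]):
        if "=" in pair:
            key, value = pair.split("=", 1)
            out[SCHEMA.get(key.strip(), key.strip())] = value.replace("\\,", ",")
    return out

# Constructed sample (not from the page): one EVID 80002 event delivered as two segments.
SAMPLE = [
    "<181>Jun 20 15:03:01 ise-node CISE_Profiler 0000000012 2 0 2023-06-20 15:03:01.123 +00:00 0000000045 80002 INFO Profiler: Profiler EndPoint profiling event occurred, ConfigVersionId=7, EndpointIPAddress=10.0.0.5, ",
    "<181>Jun 20 15:03:01 ise-node CISE_Profiler 0000000012 2 1 2023-06-20 15:03:01.123 +00:00 0000000046 80002 INFO Profiler: EndpointMacAddress=00:11:22:33:44:55, EndpointPolicy=Workstation, EndpointCertainityMetric=30",
]

def demo():
    return [to_logrhythm(e) for e in parse_segments(SAMPLE)]
```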