Vendor Documentation
Classification
|
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|
|
V 2.0 TACACS Diagnostics Event |
Base Rule |
General TACACS Message |
Information |
|
V 2.0 EVID 13000 Invalid TACACS+ Auth Request |
Sub Rule |
Invalid Authorization Request |
Warning |
|
V 2.0 EVID 13001 Invalid TACACS+ Accounting Req |
Sub Rule |
Invalid Accounting Request |
Error |
|
V 2.0 EVID 13002 TACACS+ Listener Start |
Sub Rule |
Listener Message |
Information |
|
V 2.0 EVID 13003 TACACS+ Listener Stop |
Sub Rule |
Listener Message |
Information |
|
V 2.0 EVID 13004 TACACS+ Listener Fail |
Sub Rule |
Listener Failed |
Error |
|
V 2.0 EVID 13005 TACACS+ Auth Request Receive |
Sub Rule |
Authorization Request Received |
Other Audit |
|
V 2.0 EVID 13006 TACACS+ Accounting Req Receive |
Sub Rule |
Accounting Request Received |
Information |
|
V 2.0 EVID 13007 TACACS+ Packet Header Invalid |
Sub Rule |
Invalid Packet Header |
Warning |
|
V 2.0 EVID 13008 TACACS+ Max Client Limit Reach |
Sub Rule |
Maximum Clients Reached |
Warning |
|
V 2.0 EVID 13009 TACACS+ Client Connection Fail |
Sub Rule |
Client Connection Failed |
Warning |
|
V 2.0 EVID 13010 TACACS+ Packet Invalid Length |
Sub Rule |
Bad Packet Length |
Warning |
|
V 2.0 EVID 13011 Invalid TACACS+ Packet Request |
Sub Rule |
General TACACS Message |
Information |
|
V 2.0 EVID 13013 TACACS+ Authentication START Req |
Sub Rule |
Authorization Request Received |
Other Audit |
|
V 2.0 EVID 13014 TACACS+ Auth CONTINUE Request |
Sub Rule |
Authorization Request Received |
Other Audit |
|
V 2.0 EVID 13015 TACACS+ Auth Reply Returned |
Sub Rule |
Authentication Reply Returned |
Information |
|
V 2.0 EVID 13017 TACACS+ Packet Rcv Unknown Dev |
Sub Rule |
Request Packet Received From Unknown Host |
Network Traffic |
|
V 2.0 EVID 13019 TACACS+ Settings Obtain Fail |
Sub Rule |
Failed To Obtain Settings |
Error |
|
V 2.0 EVID 13020 TACACS+ Default NW Dev Setting |
Sub Rule |
General TACACS Message |
Information |
|
V 2.0 EVID 13021 System Overload TACACS+ Req Drop |
Sub Rule |
Request Dropped - System Overloaded |
Warning |
|
V 2.0 EVID 13023 Deny-Always Rule Command Match |
Sub Rule |
General Information Log Message |
Information |
|
V 2.0 EVID 13024 Permit Rule Command Match |
Sub Rule |
General Information Log Message |
Information |
|
V 2.0 EVID 13025 Permit Rule Command Fail To Match |
Sub Rule |
General Information Log Message |
Information |
|
V 2.0 EVID 13027 TACACS+ Auth Request Missing |
Sub Rule |
General Authorization Warning |
Warning |
|
V 2.0 EVID 13029 Privilege Level Too High |
Sub Rule |
Requested Privilege Level Too High |
Error |
|
V 2.0 EVID 13030 TACACS+ Auth Req Missing U/N |
Sub Rule |
Authorization Request Received |
Other Audit |
|
V 2.0 EVID 13031 TACACS+ Auth Request Missing |
Sub Rule |
Authorization Request Received |
Other Audit |
|
V 2.0 EVID 13032 TACACS+ Configuration Fatal Err |
Sub Rule |
Configuration Access Error |
Error |
|
V 2.0 EVID 13034 TACACS+ Authorization Reply |
Sub Rule |
Authentication Reply Returned |
Information |
|
V 2.0 EVID 13035 TACACS+ Accounting Reply |
Sub Rule |
Accounting Reply |
Information |
|
V 2.0 EVID 13036 Shell Profile DenyAccess |
Sub Rule |
General Information Log Message |
Information |
|
V 2.0 EVID 13037 Shell Profile Priv. Not Config. |
Sub Rule |
Shell Profile Object Not Configured |
Information |
|
V 2.0 EVID 13038 Request Fail - Crit Logging Err |
Sub Rule |
Request Failed - Logging Error |
Error |
|
V 2.0 EVID 13039 Auth Req Not Contain New User PW |
Sub Rule |
General Information Log Message |
Information |
|
V 2.0 EVID 13040 Empty String In The New PW Field |
Sub Rule |
General Information Log Message |
Information |
|
V 2.0 EVID 13041 Request Switches From Login |
Sub Rule |
General Information Log Message |
Information |
|
V 2.0 EVID 13042 Auth Req Confirm User New PW |
Sub Rule |
General Information Log Message |
Information |
|
V 2.0 EVID 13043 Authentication Type Not Support |
Sub Rule |
Authentication Method Not Supported |
Error |
|
V 2.0 EVID 13044 TACACS Use Password Prompt |
Sub Rule |
General Information Log Message |
Information |
|
V 2.0 EVID 13045 Use PW Prompt From Global TACACS |
Sub Rule |
General TACACS Message |
Information |
|
V 2.0 EVID 13046 ASCII Password Change Request |
Sub Rule |
Password Change Requested |
Information |
|
V 2.0 EVID 13050 MSCHAP Invalid Flag Value |
Sub Rule |
General TACACS Message |
Information |
|
V 2.0 EVID 13051 TACACS Small Data Fieid Size |
Sub Rule |
General TACACS Message |
Information |
|
V 2.0 EVID 13052 TACACS Small Data Fieid Size |
Sub Rule |
General TACACS Message |
Information |
|
V 2.0 EVID 13060 Failed To Read TACACS Proxy Con |
Sub Rule |
Dropping Request - Failed To Read Configuration |
Error |
|
V 2.0 EVID 13061 Accounting Request Received |
Sub Rule |
Accounting Request Received |
Information |
|
V 2.0 EVID 13062 TACACS Servers Failover Perform |
Sub Rule |
General TACACS Message |
Information |
|
V 2.0 EVID 13063 Remote TACACS Server Forwarding |
Sub Rule |
General TACACS Message |
Information |
|
V 2.0 EVID 13064 TACACS Proxy Rcv Incoming Req |
Sub Rule |
General Proxy Information |
Information |
|
V 2.0 EVID 13065 TACACS Proxy Rcv I/C Auth Req |
Sub Rule |
Authentication Request Received |
Information |
|
V 2.0 EVID 13066 TACACS Proxy Rcv I/C Auth Req |
Sub Rule |
Authorization Request Received |
Other Audit |
|
V 2.0 EVID 13067 TACACS Proxy Rcv I/C Acc. Req |
Sub Rule |
Accounting Request Received |
Information |
|
V 2.0 EVID 13068 TACACS Proxy Local Acc. Perform |
Sub Rule |
Proxy Performing Local Accounting |
Information |
|
V 2.0 EVID 13069 TACACS Proxy Remote Acc. Perform |
Sub Rule |
Proxy Performing Remote Accounting |
Information |
|
V 2.0 EVID 13070 TACACS Server Forward Req Fail |
Sub Rule |
Request To Forward To Remote RADIUS Server Failed |
Error |
|
V 2.0 EVID 13071 Continue Flow (Seq_No>1) |
Sub Rule |
General Information Log Message |
Information |
|
V 2.0 EVID 13072 TACACS Server Forward Req Fail |
Sub Rule |
Request To Forward To Remote RADIUS Server Failed |
Error |
|
V 2.0 EVID 13073 TACACS+ Proxy Request Failed |
Sub Rule |
General Proxy Failure |
Error |
|
V 2.0 EVID 13074 TACACS Proxy Req Finish To Proc |
Sub Rule |
General Proxy Success |
Information |
|
V 2.0 EVID 13075 TACACS+ Proxy Req Won't Continue |
Sub Rule |
General Proxy Information |
Information |
|
V 2.0 EVID 13076 Rule Command Not Set |
Sub Rule |
General Information Log Message |
Information |
|
V 2.0 EVID 13077 TACACS+ Acc. Invalid Packet Req |
Sub Rule |
Invalid Accounting Request |
Error |
|
V 2.0 EVID 13078 TACACS+ Auth Invalid Packet Req |
Sub Rule |
Invalid Authorization Request |
Warning |
Mapping with LogRhythm Schema
|
Device Key in Log Message |
LogRhythm Schema |
Data Type |
Schema Description |
|---|---|---|---|
|
pri_num |
N/A |
N/A |
Priority value of the message, a combination of the facility value and the severity value of the message. Priority value = (facility value * 8) + severity value.
|
|
time |
N/A |
N/A |
Date of the message generation, according to the local clock of the originating Cisco ISE server, in the format Mmm DD hh:mm:ss. |
|
IP address/hostname |
N/A |
N/A |
IP address of the originating Cisco ISE node, or the hostname. |
|
cat_name |
<vendorinfo> |
Text/String |
Logging category name preceded by the CSCOxxx string. |
|
msg_id |
N/A |
N/A |
Unique message ID; 1 to 4294967295. The message ID increases by 1 with each new message. Message IDs restart at 1 each time the application is restarted. |
|
total_seg |
N/A |
N/A |
Total number of segments in a log message. Long messages are divided into more than one segment.
|
|
seg_num |
N/A |
N/A |
Segment sequence number within a message. Use this number to determine what segment of the message you are viewing. |
|
timestamp |
N/A |
N/A |
Date of the message generation, according to the local clock of the originating the Cisco ISE node, in the following format : YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm. |
|
sequence_num |
N/A |
N/A |
Global counter of each message. If one message is sent to the local store and the next to the syslog server target, the counter increments by 2. Possible values are 0000000001 to 999999999. |
|
msg_code |
<vmid>
|
Number |
Message code as defined in the logging categories. |
|
msg_sev |
<severity> |
Text/String |
Message severity level of a log message. |
|
msg_class |
<subject> |
Text/String |
Message class, which identifies groups of messages with the same context. |
|
msg_text |
<action> |
Text/String |
English language descriptive text message. |
|
ConfigVersionId |
N/A |
N/A |
N/A |
|
Device IP Address |
<sip> |
IP Address |
N/A |
|
Device Port |
<sport> |
Number |
N/A |
|
CmdSet |
N/A |
N/A |
N/A |
|
MatchedCommandSet |
N/A |
N/A |
N/A |
|
MatchedRule |
N/A |
N/A |
N/A |
|
MajorVersion |
N/A |
N/A |
N/A |
|
MinorVersion |
N/A |
N/A |
N/A |
|
Type |
<objecttype> |
Text/String |
N/A |
|
Sequence-Number |
N/A |
N/A |
N/A |
|
Header-Flags |
N/A |
N/A |
N/A |
|
SessionId |
<session> |
Text/String |
N/A |
|
Action |
<object> |
Text/String |
N/A |
|
Privilege-Level |
N/A |
N/A |
N/A |
|
Authen-Type |
N/A |
N/A |
N/A |
|
Service |
N/A |
N/A |
N/A |
|
User |
<account> |
Text/String |
N/A |
|
Port |
<dport> |
Number |
N/A |
|
Remote-Address |
<dip> |
IP Address |
N/A |
|
Authen-Method |
N/A |
N/A |
N/A |
|
Service-Argument |
N/A |
N/A |
N/A |
|
EnableSingleConnect |
N/A |
N/A |
N/A |
|
CiscoIOS |
N/A |
N/A |
N/A |
|
UseSingleConnect |
N/A |
N/A |
N/A |
|
AcsSessionID |
N/A |
N/A |
N/A |
|
SelectedAccessService |
N/A |
N/A |
N/A |
|
SelectedCommandSet |
N/A |
N/A |
N/A |
|
Sequence-Number |
N/A |
N/A |
N/A |
|
SelectedShellProfile |
N/A |
N/A |
N/A |
|
CPMSessionID |
N/A |
N/A |
N/A |
|
Response |
<result> |
Text/String |
N/A |
|
<reason> |
Text/String |
N/A |
|
|
<status> |
Text/String |
N/A |
|
|
Key1 |
N/A |
N/A |
N/A |
|
Key2 |
N/A |
N/A |
N/A |