V 2.0 Threat Centric NAC Event
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 Threat Centric NAC Event | Base Rule | General NAC Information | Information |
V 2.0 EVID 91001 IRF Core Engine Not Running | Sub Rule | General Information Log Message | Information |
V 2.0 EVID 91002 Adapter Lost Connection | Sub Rule | Connection Lost | Network Traffic |
V 2.0 EVID 91003 Adapter Instance Stop | Sub Rule | Instance Information | Information |
V 2.0 EVID 91004 Adapter Instance Start | Sub Rule | Instance Information | Information |
V 2.0 EVID 91005 Adapter Instance Configuration | Sub Rule | Configuration Information | Information |
V 2.0 EVID 91006 Adapter Instance Error Occur | Sub Rule | Instance Information | Information |
V 2.0 EVID 91007 Threat Receive | Sub Rule | General Threat Message | Information |
V 2.0 EVID 91008 Vulnerability Scan Fail | Sub Rule | General Failed Activity | Failed Activity |
V 2.0 EVID 91009 Adapter Encounter Config Error | Sub Rule | Configuration Error | Error |
V 2.0 EVID 91010 IRF Service Component Report Err | Sub Rule | General Error | Error |
V 2.0 EVID 91011 IRF Service Notification Send | Sub Rule | General Information Log Message | Information |
V 2.0 EVID 91012 IRF Service Component Down | Sub Rule | General Information Log Message | Information |
V 2.0 EVID 91013 COA Initiate | Sub Rule | Changes To Authority | Other Audit Success |
V 2.0 EVID 91014 COA Success | Sub Rule | Changes To Authority | Other Audit Success |
V 2.0 EVID 91015 COA Initiate | Sub Rule | Changes To Authority | Other Audit Success |
V 2.0 EVID 91016 Initiate Adapter Connection | Sub Rule | General Information Log Message | Information |
V 2.0 EVID 91017 Success Adapter Connection | Sub Rule | Successful Activity | Other Audit Success |
V 2.0 EVID 91018 Fail Adapter Connection | Sub Rule | Connection Failure | Error |
V 2.0 EVID 91019 Vulnerability Assessment Scan | Sub Rule | Vulnerability Scanner Information | Other Security |
V 2.0 EVID 91020 AD Dialin User Access Denied | Sub Rule | General Active Directory Information | Information |
V 2.0 EVID 91030 RADIUS DTLS Handshake Start | Sub Rule | Handshake Started | Network Traffic |
V 2.0 EVID 91031 RADIUS DTLS: Client Hello Msg | Sub Rule | RADIUS Information | Information |
V 2.0 EVID 91032 RADIUS DTLS: Server Hello Msg | Sub Rule | RADIUS Information | Information |
V 2.0 EVID 91033 RADIUS DTLS: Server Cert. Sent | Sub Rule | Server Certificate Issued | Information |
V 2.0 EVID 91034 RADIUS DTLS: Client Cert. Sent | Sub Rule | Certificate Request | Activity |
V 2.0 EVID 91035 RADIUS DTLS: Server Done Msg | Sub Rule | RADIUS Information | Information |
V 2.0 EVID 91036 RADIUS DTLS: Client Cert. Rcv | Sub Rule | Certificate Services Received Certificate Request | Other Audit Success |
V 2.0 EVID 91037 RADIUS DTLS:Client Key Exch Msg | Sub Rule | Key Exchange Information | Information |
V 2.0 EVID 91038 RADIUS DTLS: Cert. Verify Msg | Sub Rule | Certificate Services Information | Information |
V 2.0 EVID 91039 RADIUS DTLS: Finish Msg Receive | Sub Rule | RADIUS Information | Information |
V 2.0 EVID 91040 RADIUS DTLS: Change Cipher Spec | Sub Rule | Cipher Information | Information |
V 2.0 EVID 91041 RADIUS DTLS: Finish Msg Sent | Sub Rule | RADIUS Information | Information |
V 2.0 EVID 91042 RADIUS DTLS: Client Hello Msg | Sub Rule | RADIUS Information | Information |
V 2.0 EVID 91043 RADIUS DTLS: Server Hello Msg | Sub Rule | RADIUS Information | Information |
V 2.0 EVID 91044 RADIUS DTLS:Server Cert Receive | Sub Rule | Certificate Services Received Certificate Request | Other Audit Success |
V 2.0 EVID 91045 RADIUS DTLS: Server Cert. Req | Sub Rule | Certificate Request | Activity |
V 2.0 EVID 91046 RADIUS DTLS: Server Done Msg | Sub Rule | RADIUS Information | Information |
V 2.0 EVID 91047 RADIUS DTLS: Client Cert. Sent | Sub Rule | Server Certificate Issued | Information |
V 2.0 EVID 91048 RADIUS DTLS:Client Key Exch Msg | Sub Rule | Key Exchange Information | Information |
V 2.0 EVID 91049 RADIUS DTLS: Server Session Tkt | Sub Rule | RADIUS Information | Information |
V 2.0 EVID 91050 TLS Handshake Fail - Unknown CA | Sub Rule | Handshake Failed | Warning |
V 2.0 EVID 91051 TLS Handshake Fail - Bad Cert. | Sub Rule | Handshake Failed | Warning |
V 2.0 EVID 91052 TLS Handshake Fail - Decryption | Sub Rule | Handshake Failed | Warning |
V 2.0 EVID 91053 TLS Handshake Fail-Expired Cert | Sub Rule | Handshake Failed | Warning |
V 2.0 EVID 91054 TLS Handshake Fail | Sub Rule | Handshake Failed | Warning |
V 2.0 EVID 91055 Encrypted RADIUS Packet | Sub Rule | Encrypt Packet | Network Traffic |
V 2.0 EVID 91056 RADIUS DTLS: Unsupported Prot | Sub Rule | Handshake Failed | Warning |
V 2.0 EVID 91057 RADIUS DTLS CoA: TLS Handshake | Sub Rule | Handshake Failed | Warning |
V 2.0 EVID 91058 RADIUS DTLS CoA: Bad Cert TLS | Sub Rule | Handshake Failed | Warning |
V 2.0 EVID 91059 RADIUS DTLS CoA: Decryption Err | Sub Rule | Handshake Failed | Warning |
V 2.0 EVID 91060 RADIUS DTLS CoA: Expire Cert | Sub Rule | Handshake Failed | Warning |
V 2.0 EVID 91061 RADIUS DTLS CoA: Unknown Cert | Sub Rule | Handshake Failed | Warning |
V 2.0 EVID 91062 RADIUS DTLS CoA: Unsupported | Sub Rule | Handshake Failed | Warning |
V 2.0 EVID 91063 RADIUS DTLS CoA: Client Cert Not | Sub Rule | Certificate Services Information | Information |
V 2.0 EVID 91064 OCSP Found Revoked Cert Conn. | Sub Rule | Connection Removed Or Disabled | Information |
V 2.0 EVID 91065 CRL Found Revoked Cert. Conn. | Sub Rule | Connection Removed Or Disabled | Information |
V 2.0 EVID 91066 RADIUS DTLS Invalid Cert. | Sub Rule | PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID | Error |
V 2.0 EVID 91067 CoA Conn. Disconn. Revoked Cert | Sub Rule | Connection Removed Or Disabled | Information |
V 2.0 EVID 91068 CoA Conn. Disconn. Revoked Cert | Sub Rule | Connection Removed Or Disabled | Information |
V 2.0 EVID 91069 Server Certificate Not Valid | Sub Rule | PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID | Error |
V 2.0 EVID 91070 RADIUS DTLS CoA Handshake Start | Sub Rule | Handshake Started | Network Traffic |
V 2.0 EVID 91071 RADIUS DTLS: Sent OCSP Request | Sub Rule | OCSP Request Sent | Network Traffic |
V 2.0 EVID 91072 RADIUS DTLS: OCSP Request Sent | Sub Rule | OCSP Request Sent | Network Traffic |
V 2.0 EVID 91073 RADIUS DTLS: Failure OCSP Server | Sub Rule | OCSP Send Request Failure | Error |
V 2.0 EVID 91074 RADIUS DTLS: OCSP Response Rcv | Sub Rule | OCSP Response Received | Network Traffic |
V 2.0 EVID 91075 RADIUS DTLS: OCSP Status Good | Sub Rule | Certificate Status Response | Activity |
V 2.0 EVID 91076 RADIUS DTLS: User Cert. Revoke | Sub Rule | Revoke Certificate Request | Activity |
V 2.0 EVID 91077 RADIUS DTLS: Unknown OCSP Status | Sub Rule | Unknown Certificate | Information |
V 2.0 EVID 91078 RADIUS DTLS: Handshake Fail | Sub Rule | Handshake Failed | Warning |
V 2.0 EVID 91079 RADIUS DTLS: Performed Fallback | Sub Rule | RADIUS Information | Information |
V 2.0 EVID 91080 RADIUS DTLS: OCSP Server Comm. | Sub Rule | Internal Communication Error | Error |
V 2.0 EVID 91081 RADIUS DTLS: Invalid OCSP Server | Sub Rule | RADIUS Information | Information |
V 2.0 EVID 91082 RADIUS DTLS: OCSP Conn. Fail | Sub Rule | Connection Failure | Error |
V 2.0 EVID 91083 RADIUS DTLS: Invalid OCSP Server | Sub Rule | RADIUS Information | Information |
V 2.0 EVID 91084 RADIUS DTLS: OCSP Server Error | Sub Rule | General Error | Error |
V 2.0 EVID 91085 RADIUS DTLS: Required Nonce Not | Sub Rule | RADIUS Information | Information |
V 2.0 EVID 91086 RADIUS DTLS: OCSP Server Nonce | Sub Rule | Verification Failed | Warning |
V 2.0 EVID 91087 RADIUS DTLS: OCSP Server Time | Sub Rule | Verification Failed | Warning |
V 2.0 EVID 91088 RADIUS DTLS: OCSP Server Sign. | Sub Rule | Verification Failed | Warning |
V 2.0 EVID 91089 RADIUS DTLS: Lookup Certificate | Sub Rule | Certificate Status Response | Activity |
V 2.0 EVID 91090 Certificate Status Not Found | Sub Rule | Certificate Status Response | Activity |
V 2.0 EVID 91091 RADIUS DTLS: Lookup Certificate | Sub Rule | Successful Activity | Other Audit Success |
V 2.0 EVID 91092 ISE Will Continue CRL Verific. | Sub Rule | General Information Log Message | Information |
V 2.0 EVID 91093 RADIUS DTLS: OCSP Response | Sub Rule | OCSP Response Received | Network Traffic |
V 2.0 EVID 91094 RADIUS DTLS: Take OCSP Servers | Sub Rule | General Information Log Message | Information |
V 2.0 EVID 91095 RADIUS DTLS: OCSP Service Config | Sub Rule | Configuration Information | Information |
V 2.0 EVID 91096 RADIUS DTLS: OCSP Request Sent | Sub Rule | OCSP Request Sent | Network Traffic |
V 2.0 EVID 91097 Invalid OCSP Server URLs Found | Sub Rule | RADIUS Information | Information |
V 2.0 EVID 91098 RADIUS DTLS: No More OCSP Server | Sub Rule | RADIUS Information | Information |
V 2.0 EVID 91099 RADIUS DTLS: AIA Ext Not In Cert | Sub Rule | RADIUS Information | Information |
V 2.0 EVID 91100 RADIUS DTLS: Handshake Fail | Sub Rule | Handshake Failed | Warning |
V 2.0 EVID 91101 RADIUS DTLS: User Cert. Revoke | Sub Rule | Revoke Certificate Request | Activity |
V 2.0 EVID 91102 RADIUS DTLS:Client ID Check Fail | Sub Rule | Radius Request Failed | Error |
V 2.0 EVID 91103 RADIUS DTLS: Client ID Check Req | Sub Rule | RADIUS Information | Information |
V 2.0 EVID 91104 RADIUS DTLS: Cient ID Check Not | Sub Rule | RADIUS Information | Information |
V 2.0 EVID 91105 Client Hello Verify Req Sent | Sub Rule | RADIUS Information | Information |
V 2.0 EVID 91106 Receive Hello Verify Req Receive | Sub Rule | RADIUS Information | Information |
V 2.0 EVID 91107 TLS Handshake Fail | Sub Rule | Handshake Failed | Warning |
V 2.0 EVID 91110 AD Sched. Run Diag. Test Fail | Sub Rule | General Active Directory Information | Information |
V 2.0 EVID 91111 RADIUS High Authentication Load | Sub Rule | General Authentication Warning | Warning |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
pri_num | N/A | N/A | Priority value of the message, a combination of the facility value and the severity value of the message. Priority value = (facility value * 8) + severity value. The valid facility codes are: LOCAL0 (Code = 16), LOCAL1 (Code = 17), LOCAL2 (Code = 18), LOCAL3 (Code = 19), LOCAL4 (Code = 20), LOCAL5 (Code = 21), LOCAL6 (Code = 22; default), LOCAL7 (Code = 23). |
time | N/A | N/A | Date of the message generation, according to the local clock of the originating Cisco ISE server, in the format Mmm DD hh:mm:ss. |
IP address/hostname | N/A | N/A | IP address of the originating Cisco ISE node, or the hostname. |
cat_name | <vendorinfo> | Text/String | Logging category name preceded by the CSCOxxx string. |
msg_id | N/A | N/A | Unique message ID; 1 to 4294967295. The message ID increases by 1 with each new message. Message IDs restart at 1 each time the application is restarted. |
total_seg | N/A | N/A | Total number of segments in a log message. Long messages are divided into more than one segment. Note: The total_seg value depends on the Maximum Length setting in the remote logging targets page. See Remote Logging Target Settings. |
seg_num | N/A | N/A | Segment sequence number within a message. Use this number to determine what segment of the message you are viewing. |
timestamp | N/A | N/A | Date of the message generation, according to the local clock of the originating Cisco ISE node, in the following format: YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm. |
sequence_num | N/A | N/A | Global counter of each message. If one message is sent to the local store and the next to the syslog server target, the counter increments by 2. Possible values are 0000000001 to 999999999. |
msg_code | <vmid> <tag1> | Number | Message code as defined in the logging categories. |
msg_sev | <severity> | Text/String | Message severity level of a log message. |
msg_class | <subject> | Text/String | Message class, which identifies groups of messages with the same context. |
msg_text | <action> | Text/String | English language descriptive text message. |
Key1 | N/A | N/A | N/A |
Key2 | N/A | N/A | N/A |
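
The header fields in the mapping table, parsed in practice: an added Python example (not LogRhythm or Cisco code) that decodes pri_num with the table's formula and reassembles segmented messages using total_seg and seg_num, so that a rule keyed on msg_code sees the whole message. It assumes the fields appear on the wire in the table's order separated by spaces, that seg_num counts from 0, and that continuation segments carry the header only up to seg_num; the sample lines, host name and `CSCOxxx_Example` category are constructed.

```python
import re
from collections import defaultdict

# Assumed wire order of the header fields, taken from the mapping table.
HEADER = re.compile(
    r"<(?P<pri_num>\d{1,3})>\s*(?P<time>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<cat_name>\S+) "
    r"(?P<msg_id>\d+) (?P<total_seg>\d+) (?P<seg_num>\d+) (?P<body>.*)", re.S)
# Assumption: these fields appear once, at the start of the reassembled body.
FIRST = re.compile(
    r"(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[.:]\d{3} [+-]\d{2}:\d{2}) "
    r"(?P<sequence_num>\d+) (?P<msg_code>\d+) (?P<msg_sev>\S+) "
    r"(?P<msg_class>[^:]+): (?P<msg_text>.*)", re.S)

def decode_pri(pri_num):
    """Invert: priority value = (facility value * 8) + severity value."""
    facility, severity = divmod(int(pri_num), 8)
    name = f"LOCAL{facility - 16}" if 16 <= facility <= 23 else str(facility)
    return name, severity

def reassemble(lines):
    """Return (complete parsed messages, keys of messages with missing segments)."""
    segs, meta = defaultdict(dict), {}
    for line in lines:
        m = HEADER.match(line)
        if not m:
            continue
        key = (m["host"], m["cat_name"], int(m["msg_id"]))
        segs[key][int(m["seg_num"])] = m["body"]
        meta[key] = (m["pri_num"], int(m["total_seg"]))
    done, incomplete = [], []
    for key, parts in segs.items():
        pri, total = meta[key]
        # Assumption: seg_num counts from 0 to total_seg - 1.
        full = set(parts) == set(range(total))
        f = FIRST.match("".join(parts[i] for i in range(total))) if full else None
        if not f:
            incomplete.append(key)
            continue
        rec = dict(f.groupdict(), host=key[0], cat_name=key[1], msg_id=key[2])
        rec["facility"], rec["severity"] = decode_pri(pri)
        done.append(rec)
    return done, incomplete

# Constructed sample lines (not captured from a real ISE node).
SAMPLE = [
    "<180>Mar 03 10:15:02 ise-node-1 CSCOxxx_Example 0000000042 2 0 2024-03-03 10:15:02.417 +00:00 0000001201 91050 WARN TLS: TLS handshake failed ",
    "<180>Mar 03 10:15:02 ise-node-1 CSCOxxx_Example 0000000042 2 1 because of an unknown CA",
    "<181>Mar 03 10:15:09 ise-node-1 CSCOxxx_Example 0000000043 3 0 2024-03-03 10:15:09.001 +00:00 0000001202 91064 INFO OCSP: first of three",
]
```

Because msg_id restarts at 1 each time the application is restarted, a long-running collector should expire pending segments rather than hold them indefinitely under the same key.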