V 2.0 Threat Centric NAC Event

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| V 2.0 Threat Centric NAC Event | Base Rule | General NAC Information | Information |
| V 2.0 EVID 91001 IRF Core Engine Not Running | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 91002 Adapter Lost Connection | Sub Rule | Connection Lost | Network Traffic |
| V 2.0 EVID 91003 Adapter Instance Stop | Sub Rule | Instance Information | Information |
| V 2.0 EVID 91004 Adapter Instance Start | Sub Rule | Instance Information | Information |
| V 2.0 EVID 91005 Adapter Instance Configuration | Sub Rule | Configuration Information | Information |
| V 2.0 EVID 91006 Adapter Instance Error Occur | Sub Rule | Instance Information | Information |
| V 2.0 EVID 91007 Threat Receive | Sub Rule | General Threat Message | Information |
| V 2.0 EVID 91008 Vulnerability Scan Fail | Sub Rule | General Failed Activity | Failed Activity |
| V 2.0 EVID 91009 Adapter Encounter Config Error | Sub Rule | Configuration Error | Error |
| V 2.0 EVID 91010 IRF Service Component Report Err | Sub Rule | General Error | Error |
| V 2.0 EVID 91011 IRF Service Notification Send | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 91012 IRF Service Component Down | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 91013 COA Initiate | Sub Rule | Changes To Authority | Other Audit Success |
| V 2.0 EVID 91014 COA Success | Sub Rule | Changes To Authority | Other Audit Success |
| V 2.0 EVID 91015 COA Initiate | Sub Rule | Changes To Authority | Other Audit Success |
| V 2.0 EVID 91016 Initiate Adapter Connection | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 91017 Success Adapter Connection | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 91018 Fail Adapter Connection | Sub Rule | Connection Failure | Error |
| V 2.0 EVID 91019 Vulnerability Assessment Scan | Sub Rule | Vulnerability Scanner Information | Other Security |
| V 2.0 EVID 91020 AD Dialin User Access Denied | Sub Rule | General Active Directory Information | Information |
| V 2.0 EVID 91030 RADIUS DTLS Handshake Start | Sub Rule | Handshake Started | Network Traffic |
| V 2.0 EVID 91031 RADIUS DTLS: Client Hello Msg | Sub Rule | RADIUS Information | Information |
| V 2.0 EVID 91032 RADIUS DTLS: Server Hello Msg | Sub Rule | RADIUS Information | Information |
| V 2.0 EVID 91033 RADIUS DTLS: Server Cert. Sent | Sub Rule | Server Certificate Issued | Information |
| V 2.0 EVID 91034 RADIUS DTLS: Client Cert. Sent | Sub Rule | Certificate Request | Activity |
| V 2.0 EVID 91035 RADIUS DTLS: Server Done Msg | Sub Rule | RADIUS Information | Information |
| V 2.0 EVID 91036 RADIUS DTLS: Client Cert. Rcv | Sub Rule | Certificate Services Received Certificate Request | Other Audit Success |
| V 2.0 EVID 91037 RADIUS DTLS:Client Key Exch Msg | Sub Rule | Key Exchange Information | Information |
| V 2.0 EVID 91038 RADIUS DTLS: Cert. Verify Msg | Sub Rule | Certificate Services Information | Information |
| V 2.0 EVID 91039 RADIUS DTLS: Finish Msg Receive | Sub Rule | RADIUS Information | Information |
| V 2.0 EVID 91040 RADIUS DTLS: Change Cipher Spec | Sub Rule | Cipher Information | Information |
| V 2.0 EVID 91041 RADIUS DTLS: Finish Msg Sent | Sub Rule | RADIUS Information | Information |
| V 2.0 EVID 91042 RADIUS DTLS: Client Hello Msg | Sub Rule | RADIUS Information | Information |
| V 2.0 EVID 91043 RADIUS DTLS: Server Hello Msg | Sub Rule | RADIUS Information | Information |
| V 2.0 EVID 91044 RADIUS DTLS:Server Cert Receive | Sub Rule | Certificate Services Received Certificate Request | Other Audit Success |
| V 2.0 EVID 91045 RADIUS DTLS: Server Cert. Req | Sub Rule | Certificate Request | Activity |
| V 2.0 EVID 91046 RADIUS DTLS: Server Done Msg | Sub Rule | RADIUS Information | Information |
| V 2.0 EVID 91047 RADIUS DTLS: Client Cert. Sent | Sub Rule | Server Certificate Issued | Information |
| V 2.0 EVID 91048 RADIUS DTLS:Client Key Exch Msg | Sub Rule | Key Exchange Information | Information |
| V 2.0 EVID 91049 RADIUS DTLS: Server Session Tkt | Sub Rule | RADIUS Information | Information |
| V 2.0 EVID 91050 TLS Handshake Fail - Unknown CA | Sub Rule | Handshake Failed | Warning |
| V 2.0 EVID 91051 TLS Handshake Fail - Bad Cert. | Sub Rule | Handshake Failed | Warning |
| V 2.0 EVID 91052 TLS Handshake Fail - Decryption | Sub Rule | Handshake Failed | Warning |
| V 2.0 EVID 91053 TLS Handshake Fail-Expired Cert | Sub Rule | Handshake Failed | Warning |
| V 2.0 EVID 91054 TLS Handshake Fail | Sub Rule | Handshake Failed | Warning |
| V 2.0 EVID 91055 Encrypted RADIUS Packet | Sub Rule | Encrypt Packet | Network Traffic |
| V 2.0 EVID 91056  RADIUS DTLS: Unsupported Prot | Sub Rule | Handshake Failed | Warning |
| V 2.0 EVID 91057 RADIUS DTLS CoA: TLS Handshake | Sub Rule | Handshake Failed | Warning |
| V 2.0 EVID 91058 RADIUS DTLS CoA: Bad Cert TLS | Sub Rule | Handshake Failed | Warning |
| V 2.0 EVID 91059 RADIUS DTLS CoA: Decryption Err | Sub Rule | Handshake Failed | Warning |
| V 2.0 EVID 91060 RADIUS DTLS CoA: Expire Cert | Sub Rule | Handshake Failed | Warning |
| V 2.0 EVID 91061 RADIUS DTLS CoA: Unknown Cert | Sub Rule | Handshake Failed | Warning |
| V 2.0 EVID 91062 RADIUS DTLS CoA: Unsupported | Sub Rule | Handshake Failed | Warning |
| V 2.0 EVID 91063 RADIUS DTLS CoA: Client Cert Not | Sub Rule | Certificate Services Information | Information |
| V 2.0 EVID 91064 OCSP Found Revoked Cert Conn. | Sub Rule | Connection Removed Or Disabled | Information |
| V 2.0 EVID 91065 CRL Found Revoked Cert. Conn. | Sub Rule | Connection Removed Or Disabled | Information |
| V 2.0 EVID 91066 RADIUS DTLS Invalid Cert. | Sub Rule | PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID | Error |
| V 2.0 EVID 91067 CoA Conn. Disconn. Revoked Cert | Sub Rule | Connection Removed Or Disabled | Information |
| V 2.0 EVID 91068 CoA Conn. Disconn. Revoked Cert | Sub Rule | Connection Removed Or Disabled | Information |
| V 2.0 EVID 91069 Server Certificate Not Valid | Sub Rule | PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID | Error |
| V 2.0 EVID 91070 RADIUS DTLS CoA Handshake Start | Sub Rule | Handshake Started | Network Traffic |
| V 2.0 EVID 91071 RADIUS DTLS: Sent OCSP Request | Sub Rule | OCSP Request Sent | Network Traffic |
| V 2.0 EVID 91072 RADIUS DTLS: OCSP Request Sent | Sub Rule | OCSP Request Sent | Network Traffic |
| V 2.0 EVID 91073 RADIUS DTLS: Failure OCSP Server | Sub Rule | OCSP Send Request Failure | Error |
| V 2.0 EVID 91074 RADIUS DTLS:  OCSP Response Rcv | Sub Rule | OCSP Response Received | Network Traffic |
| V 2.0 EVID 91075 RADIUS DTLS: OCSP Status Good | Sub Rule | Certificate Status Response | Activity |
| V 2.0 EVID 91076 RADIUS DTLS: User Cert. Revoke | Sub Rule | Revoke Certificate Request | Activity |
| V 2.0 EVID 91077 RADIUS DTLS: Unknown OCSP Status | Sub Rule | Unknown Certificate | Information |
| V 2.0 EVID 91078 RADIUS DTLS: Handshake Fail | Sub Rule | Handshake Failed | Warning |
| V 2.0 EVID 91079 RADIUS DTLS: Performed Fallback | Sub Rule | RADIUS Information | Information |
| V 2.0 EVID 91080 RADIUS DTLS: OCSP Server Comm. | Sub Rule | Internal Communication Error | Error |
| V 2.0 EVID 91081 RADIUS DTLS: Invalid OCSP Server | Sub Rule | RADIUS Information | Information |
| V 2.0 EVID 91082 RADIUS DTLS: OCSP Conn. Fail | Sub Rule | Connection Failure | Error |
| V 2.0 EVID 91083 RADIUS DTLS: Invalid OCSP Server | Sub Rule | RADIUS Information | Information |
| V 2.0 EVID 91084 RADIUS DTLS: OCSP Server Error | Sub Rule | General Error | Error |
| V 2.0 EVID 91085 RADIUS DTLS: Required Nonce Not | Sub Rule | RADIUS Information | Information |
| V 2.0 EVID 91086 RADIUS DTLS: OCSP Server Nonce | Sub Rule | Verification Failed | Warning |
| V 2.0 EVID 91087 RADIUS DTLS: OCSP Server Time | Sub Rule | Verification Failed | Warning |
| V 2.0 EVID 91088 RADIUS DTLS: OCSP Server Sign. | Sub Rule | Verification Failed | Warning |
| V 2.0 EVID 91089 RADIUS DTLS: Lookup Certificate | Sub Rule | Certificate Status Response | Activity |
| V 2.0 EVID 91090 Certificate Status Not Found | Sub Rule | Certificate Status Response | Activity |
| V 2.0 EVID 91091 RADIUS DTLS: Lookup Certificate | Sub Rule | Successful Activity | Other Audit Success |
| V 2.0 EVID 91092 ISE Will Continue CRL Verific. | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 91093 RADIUS DTLS: OCSP Response | Sub Rule | OCSP Response Received | Network Traffic |
| V 2.0 EVID 91094 RADIUS DTLS: Take OCSP Servers | Sub Rule | General Information Log Message | Information |
| V 2.0 EVID 91095 RADIUS DTLS: OCSP Service Config | Sub Rule | Configuration Information | Information |
| V 2.0 EVID 91096 RADIUS DTLS: OCSP Request Sent | Sub Rule | OCSP Request Sent | Network Traffic |
| V 2.0 EVID 91097 Invalid  OCSP Server URLs Found | Sub Rule | RADIUS Information | Information |
| V 2.0 EVID 91098 RADIUS DTLS: No More OCSP Server | Sub Rule | RADIUS Information | Information |
| V 2.0 EVID 91099 RADIUS DTLS: AIA Ext Not In Cert | Sub Rule | RADIUS Information | Information |
| V 2.0 EVID 91100 RADIUS DTLS: Handshake Fail | Sub Rule | Handshake Failed | Warning |
| V 2.0 EVID 91101 RADIUS DTLS: User Cert. Revoke | Sub Rule | Revoke Certificate Request | Activity |
| V 2.0 EVID 91102 RADIUS DTLS:Client ID Check Fail | Sub Rule | Radius Request Failed | Error |
| V 2.0 EVID 91103 RADIUS DTLS: Client ID Check Req | Sub Rule | RADIUS Information | Information |
| V 2.0 EVID 91104 RADIUS DTLS: Cient ID Check Not | Sub Rule | RADIUS Information | Information |
| V 2.0 EVID 91105 Client Hello Verify Req Sent | Sub Rule | RADIUS Information | Information |
| V 2.0 EVID 91106 Receive Hello Verify Req Receive | Sub Rule | RADIUS Information | Information |
| V 2.0 EVID 91107 TLS Handshake Fail | Sub Rule | Handshake Failed | Warning |
| V 2.0 EVID 91110 AD Sched. Run Diag. Test Fail | Sub Rule | General Active Directory Information | Information |
| V 2.0 EVID 91111 RADIUS High Authentication Load | Sub Rule | General Authentication Warning | Warning |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| pri_num | N/A | N/A | Priority value of the message, a combination of the facility value and the severity value of the message. Priority value = (facility value * 8) + severity value. The valid facility codes are: LOCAL0 (Code = 16), LOCAL1 (Code = 17), LOCAL2 (Code = 18), LOCAL3 (Code = 19), LOCAL4 (Code = 20), LOCAL5 (Code = 21), LOCAL6 (Code = 22; default), LOCAL7 (Code = 23). |
| time | N/A | N/A | Date of the message generation, according to the local clock of the originating Cisco ISE server, in the format Mmm DD hh:mm:ss. |
| IP address/hostname | N/A | N/A | IP address of the originating Cisco ISE node, or the hostname. |
| cat_name | <vendorinfo> | Text/String | Logging category name preceded by the CSCOxxx string. |
| msg_id | N/A | N/A | Unique message ID; 1 to 4294967295. The message ID increases by 1 with each new message. Message IDs restart at 1 each time the application is restarted. |
| total_seg | N/A | N/A | Total number of segments in a log message. Long messages are divided into more than one segment. Note: The total_seg depends on the Maximum Length setting in the remote logging targets page. See Remote Logging Target Settings. |
| seg_num | N/A | N/A | Segment sequence number within a message. Use this number to determine what segment of the message you are viewing. |
| timestamp | N/A | N/A | Date of the message generation, according to the local clock of the originating Cisco ISE node, in the following format: YYYY-MM-DD hh:mm:ss:xxx +/-zh:zm. |
| sequence_num | N/A | N/A | Global counter of each message. If one message is sent to the local store and the next to the syslog server target, the counter increments by 2. Possible values are 0000000001 to 999999999. |
| msg_code | <vmid>, <tag1> | Number | Message code as defined in the logging categories. |
| msg_sev | <severity> | Text/String | Message severity level of a log message. |
| msg_class | <subject> | Text/String | Message class, which identifies groups of messages with the same context. |
| msg_text | <action> | Text/String | English language descriptive text message. |
| Key1 | N/A | N/A | N/A |
| Key2 | N/A | N/A | N/A |
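
The header fields above can be exercised with a small parser that decodes pri_num and reassembles segmented messages before the msg_code is read. This is an added example, not LogRhythm or Cisco code. It assumes the fields arrive space-separated in the order the table lists them and that only the first segment carries the fields from timestamp onward; the sample lines and the cat_name, msg_sev and msg_class values in them are constructed.

```python
import re
from collections import defaultdict

# Assumed wire layout: the table's fields in the order listed, space-separated.
HEADER = re.compile(
    r"<(?P<pri_num>\d{1,3})>(?P<time>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<cat_name>\S+) (?P<msg_id>\d+) "
    r"(?P<total_seg>\d+) (?P<seg_num>\d+) (?P<body>.*)", re.S)
# Assumption: only the first segment carries the fields from timestamp onward.
FIRST = re.compile(
    r"(?P<timestamp>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d[:.]\d{3} [+-]\d\d:\d\d) "
    r"(?P<sequence_num>\d+) (?P<msg_code>\d+) (?P<msg_sev>\S+) "
    r"(?P<msg_class>[^:]+): (?P<msg_text>.*)", re.S)

def decode_pri(pri_num):
    """Invert priority = facility * 8 + severity; name LOCAL0..LOCAL7."""
    facility, severity = divmod(pri_num, 8)
    name = f"LOCAL{facility - 16}" if 16 <= facility <= 23 else str(facility)
    return name, severity

def reassemble(lines):
    """Group segments per message; return (complete events, incomplete keys)."""
    groups = defaultdict(dict)
    for line in lines:
        m = HEADER.match(line)
        if m:  # msg_id restarts at 1 on application restart, so keys can recur
            key = (m["host"], m["cat_name"], int(m["msg_id"]))
            groups[key][int(m["seg_num"])] = m
    events, incomplete = [], []
    for key, segs in groups.items():
        first = segs[min(segs)]
        body = "".join(segs[n]["body"] for n in sorted(segs))
        f = FIRST.match(body) if len(segs) == int(first["total_seg"]) else None
        if f is None:
            incomplete.append(key)  # segment missing or body not parseable
            continue
        facility, severity = decode_pri(int(first["pri_num"]))
        events.append({"host": key[0], "cat_name": key[1], "facility": facility,
                       "severity": severity, **f.groupdict()})
    return events, incomplete

# Constructed sample lines (not captured from a real ISE node).
SAMPLE = [
    "<181>Jan 15 10:30:01 ise-1 CSCOxxx_Sample 0000000007 2 1 ed",
    "<181>Jan 15 10:30:01 ise-1 CSCOxxx_Sample 0000000007 2 0 "
    "2024-01-15 10:30:01:123 +00:00 0000000042 91050 WARN "
    "RADIUS-DTLS: constructed handshake text, cause=unknown CA, state=fail",
    "<181>Jan 15 10:30:02 ise-1 CSCOxxx_Sample 0000000008 3 0 "
    "2024-01-15 10:30:02:456 +00:00 0000000044 91064 INFO OCSP: truncat",
]
```

Messages listed in the second return value have a missing segment or an unparseable body, so a rule keyed on msg_code would never see them; counting them is a cheap check that the Maximum Length setting and the collector agree.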