The justification for an action or result.
This field is not available in LogRhythm versions earlier than 7.2.1.
Client Console Full Name
Client Console Short Name
Web Console Tab/Name
Elasticsearch Field Name
Rule Builder Column Name
Understanding why an action or command was executed, or why a result or ResponseCode was generated.
- Email filtering
- Firewall blocking
- Vulnerability scanning
MPE/Data Masking Manipulations
- If the log explicitly calls out a policy, use Policy instead.
- Reason should be free text. If the value is an industry-standard code, use ResponseCode.
- Use Result for the what and Reason for the why.
- eSafe Email Security
05 01 2012 16:21:21 18.104.22.168 <LOC5:ERRR> eSafeCR: Alert from eSafe Scan result: SMTP error Protocol: SMTP File Name\Mail Subject: Business Plan & Financials Source: 22.214.171.124 Destination: 126.96.36.199 Mail Sender: Peter.Store@recordflow.biz Mail Recipients: email@example.com Details: Delivery Msg #911 - Email b0eeb3e8 NOT sent after multiple retries, likely reason: 554 delivery error: dd This user doesn't have a recordflow.biz account (firstname.lastname@example.org)  - recordflow.biz.
The Reason field (554) parses into ResponseCode because 554 is an SMTP response code. The text after it could be parsed into Reason. Obtain other samples to determine whether there is a legitimate pattern in the log.
- Alcatel-Lucent Wireless Controller
12 10 2012 09:08:56 188.8.131.52 <LOC1:DBUG> Dec 10 09:09:03 DAVE authmgr: <124004> <DBUG> <DAVE-03 184.108.40.206> Setting user 00:00:00:00:00:00 aaa profile to default-dot1x, reason: bbq_set_aaa_profile_defaults
This is an assumed Policy, but additional logs and product knowledge are needed to confirm it. There would not be a Reason in this log because the reason given is the policy itself.
- NetApp CIFS Security Audit Event Log
04/11/2016 16:55 TYPE=FailureAudit USER= COMP=Computer SORC=Security CATG=Logon/Logoff EVID=537 MESG=Logon Failure: Reason: An unexpected error occurred during logon User Name: - Domain: - Logon Type: 3 Logon Process: Data ONTAP Authentication Package: Extended Security Workstation Name: - Status code: - Substatus code: - Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: 3170862 Transited Services: - Source Network Address: 220.127.116.11 Source Port: 0 Caller Process Name:
Logon failure is the event, and unexpected error parses into Reason.
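The following added example (not LogRhythm code and not MPE rule syntax) applies the three usage standards above to shortened copies of the sample logs. The source keys, group names, and the `parse_why` function are hypothetical, and the patterns are written in Python regular-expression syntax.

```python
import re

# One pattern per log source, mirroring how a parsing rule is scoped to a source.
# Group names are illustrative stand-ins for ResponseCode, Reason and Policy.
RULES = {
    # A leading 3-digit SMTP reply code is a standard code -> ResponseCode;
    # the free text that follows it -> Reason.
    "esafe": re.compile(
        r"likely reason: (?P<response_code>[2-5]\d{2}) (?P<reason>.+)$"),
    # Following the page's reading: the value after "reason:" is an assumed
    # Policy, so no Reason is populated for this source.
    "alcatel": re.compile(r"reason: (?P<policy>\S+)$"),
    # Free text between "Reason:" and the next labelled field -> Reason.
    "netapp": re.compile(r"Reason: (?P<reason>.+?) User Name:"),
}

# Constructed samples: abbreviated from the log lines shown on this page.
SAMPLES = {
    "esafe": ("Details: Delivery Msg #911 - Email b0eeb3e8 NOT sent after "
              "multiple retries, likely reason: 554 delivery error: dd This "
              "user doesn't have a recordflow.biz account"),
    "alcatel": ("authmgr: <124004> <DBUG> Setting user 00:00:00:00:00:00 aaa "
                "profile to default-dot1x, reason: bbq_set_aaa_profile_defaults"),
    "netapp": ("EVID=537 MESG=Logon Failure: Reason: An unexpected error "
               "occurred during logon User Name: - Domain: - Logon Type: 3"),
}


def parse_why(source, line):
    """Return only the fields the source's rule populated for this line."""
    rule = RULES.get(source)
    match = rule.search(line) if rule else None
    if not match:
        return {}  # unknown source or non-matching line: parse nothing
    return {k: v.strip() for k, v in match.groupdict().items() if v}


if __name__ == "__main__":
    for source, line in SAMPLES.items():
        print(source, parse_why(source, line))
```
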