Reason [7.2]
The justification for an action or result.
This field is not available in LogRhythm versions earlier than 7.2.1.
Data Type
String
Aliases
| Use | Alias |
|---|---|
| Client Console Full Name | Reason |
| Client Console Short Name | Reason |
| Web Console Tab/Name | Reason |
| Elasticsearch Field Name | reason |
| Rule Builder Column Name | Reason |
| Regex Pattern | <reason> |
| NetMon Name | Not applicable |
Field Relationships
- Action
- Command
- Policy
- Result
- ResponseCode
 
Common Applications
Understanding why an action or command was executed, or why a result or ResponseCode was generated.
Use Case
- IDS/IPS
- Email filtering
- Firewall blocking
- Antivirus
- Vulnerability scanning
 
MPE/Data Masking Manipulations
Not applicable.
Usage Standards
- If the log explicitly calls out a policy, use Policy instead.
- Reason should be free text. If the value is an industry-standard code, use ResponseCode.
- Use Result for what happened and Reason for why it happened.
 
Examples
- eSafe Email Security
 
05 01 2012 16:21:21 1.1.1.1 <LOC5:ERRR> eSafeCR: Alert from eSafe    Scan result: SMTP error  Protocol: SMTP  File Name\Mail Subject:  Business Plan & Financials  Source: 1.1.1.1  Destination: 1.1.1.1  Mail Sender: Peter.Store@recordflow.biz  Mail Recipients: pete.store@recordflow.biz  Details: Delivery Msg #911 - Email b0eeb3e8 NOT sent after multiple retries, likely reason: 554 delivery error: dd This user doesn't have a recordflow.biz account (pete.store@recordflow.biz) [0] - recordflow.biz. 
The code given as the reason (554) parses into ResponseCode because 554 is an SMTP response. The text that follows it could be parsed into Reason. Obtain other samples to determine whether there is a legitimate pattern in the log.
- Alcatel-Lucent Wireless Controller
 
12 10 2012 09:08:56 1.1.1.1 <LOC1:DBUG> Dec 10 09:09:03 DAVE authmgr[1600]: <124004> <DBUG> <DAVE-03 1.1.1.1>  Setting user 00:00:00:00:00:00 aaa profile to default-dot1x, reason: bbq_set_aaa_profile_defaults
This is an assumed Policy, but additional logs and product knowledge are needed to confirm. This log would not have a Reason, because the stated reason is the policy itself.
- NetApp CIFS Security Audit Event Log
 
04/11/2016 16:55 TYPE=FailureAudit USER= COMP=Computer SORC=Security CATG=Logon/Logoff EVID=537 MESG=Logon Failure:        Reason:           An unexpected error occurred during logon    User Name:  -     Domain:           -        Logon Type: 3     Logon Process:    Data ONTAP        Authentication Package:    Extended Security       Workstation Name: -     Status code:      -        Substatus code:   -     Caller User Name: -     Caller Domain:    -        Caller Logon ID:  -     Caller Process ID:      3170862     Transited Services:   -     Source Network Address: 1.1.1.1     Source Port:      0        Caller Process Name:
Logon failure is the event, and unexpected error parses into Reason.
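The sketch below is an added example, not LogRhythm's shipped parsing rules. It applies the usage standards to shortened copies of the three sample logs above, using Python named groups as stand-ins for the field tags; the patterns and the group names `responsecode` and `policy` are assumptions made for illustration.

```python
import re

# Fragments shortened from the three sample logs on this page.
ESAFE = ("Details: Delivery Msg #911 - Email b0eeb3e8 NOT sent after multiple "
         "retries, likely reason: 554 delivery error: dd This user doesn't have "
         "a recordflow.biz account (pete.store@recordflow.biz) [0] - recordflow.biz.")
ALCATEL = ("Setting user 00:00:00:00:00:00 aaa profile to default-dot1x, "
           "reason: bbq_set_aaa_profile_defaults")
NETAPP = ("MESG=Logon Failure:        Reason:           An unexpected error "
          "occurred during logon    User Name:  -     Domain:           -")

# Hypothetical patterns, one per log source, tried in order.
RULES = [
    # A three-digit SMTP code is an industry-standard code, so it goes to
    # responsecode; only the free text after it goes to reason.
    re.compile(r"likely reason:\s+(?P<responsecode>[2-5]\d{2})\s+(?P<reason>.+?)\s*$"),
    # The log names what looks like a policy after "reason:", so the value is
    # tagged policy and reason stays empty (assumed, as the page notes).
    re.compile(r"aaa profile to \S+, reason:\s+(?P<policy>\S+)"),
    # Free text after "Reason:" up to the next run of two or more spaces.
    re.compile(r"Reason:\s+(?P<reason>.+?)\s{2,}"),
]


def parse(log):
    """Return the fields captured by the first matching rule, or {}."""
    for rule in RULES:
        match = rule.search(log)
        if match:
            return match.groupdict()
    return {}


if __name__ == "__main__":
    for sample in (ESAFE, ALCATEL, NETAPP):
        print(parse(sample))
```
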