The justification for an action or result.
This field is not available in LogRhythm versions earlier than 7.2.1.
Data Type
String
Aliases
| Use | Alias |
|---|---|
| Client Console Full Name | Reason |
| Client Console Short Name | Reason |
| Web Console Tab/Name | Reason |
| Elasticsearch Field Name | reason |
| Rule Builder Column Name | Reason |
| Regex Pattern | <reason> |
| NetMon Name | Not applicable |
Field Relationships
- Action
- Command
- Policy
- Result
- ResponseCode
Common Applications
Understanding why an action or command was executed, or why a result or ResponseCode was generated.
Use Case
- IDS/IPS
- Email filtering
- Firewall blocking
- Antivirus
- Vulnerability scanning
MPE/Data Masking Manipulations
Not applicable.
Usage Standards
- If the log explicitly calls out a policy, parse it into Policy instead of Reason.
- Reason is free text. If the value is an industry-standard code (for example an SMTP reply code such as 554), parse it into ResponseCode instead.
- Result holds what happened; Reason holds why it happened.
Examples
- eSafe Email Security
  05 01 2012 16:21:21 1.1.1.1 <LOC5:ERRR> eSafeCR: Alert from eSafe Scan result: SMTP error Protocol: SMTP File Name\Mail Subject: Business Plan & Financials Source: 1.1.1.1 Destination: 1.1.1.1 Mail Sender: Peter.Store@recordflow.biz Mail Recipients: pete.store@recordflow.biz Details: Delivery Msg #911 - Email b0eeb3e8 NOT sent after multiple retries, likely reason: 554 delivery error: dd This user doesn't have a recordflow.biz account (pete.store@recordflow.biz) [0] - recordflow.biz.
  The three-digit value 554 is an SMTP reply code, so it parses into ResponseCode rather than Reason. The free text that follows it ("This user doesn't have a recordflow.biz account") can be parsed into Reason. Obtain other samples to determine whether the log has a consistent pattern before committing to a rule.
- Alcatel-Lucent Wireless Controller
  12 10 2012 09:08:56 1.1.1.1 <LOC1:DBUG> Dec 10 09:09:03 DAVE authmgr[1600]: <124004> <DBUG> <DAVE-03 1.1.1.1> Setting user 00:00:00:00:00:00 aaa profile to default-dot1x, reason: bbq_set_aaa_profile_defaults
  The profile name (default-dot1x) is assumed to be a Policy, but additional logs and product knowledge are needed to confirm it. Reason is not populated for this log: the profile was set because policy applied, so Policy takes precedence (see Usage Standards).
- NetApp CIFS Security Audit Event Log
  04/11/2016 16:55 TYPE=FailureAudit USER= COMP=Computer SORC=Security CATG=Logon/Logoff EVID=537 MESG=Logon Failure: Reason: An unexpected error occurred during logon User Name: - Domain: - Logon Type: 3 Logon Process: Data ONTAP Authentication Package: Extended Security Workstation Name: - Status code: - Substatus code: - Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: 3170862 Transited Services: - Source Network Address: 1.1.1.1 Source Port: 0 Caller Process Name:
  Logon Failure is the event and parses into Result (what happened); "An unexpected error occurred during logon" parses into Reason (why it happened).
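The three parsing decisions above, worked through as an added example in Python. This is not LogRhythm MPE rule syntax or any LogRhythm product code: Python's `(?P<name>...)` named groups stand in for the `<reason>`-style capture tokens, and the rule patterns, function names (`parse_reason_fields`, `reason_violates_standard`) and the deliberately careless `NAIVE_ESAFE` counter-example are this example's own. The log lines are constructed from the samples on this page with placeholder hosts and addresses. The example routes the SMTP code to ResponseCode, the wireless profile to Policy with no Reason, and splits the NetApp message into Result (what) and Reason (why), then shows how a rule that violates the free-text standard can be caught before it ships.

```python
import re

# Constructed sample log lines modelled on the three examples above. Hosts,
# addresses and names are placeholders, not real systems.
ESAFE_LOG = (
    "05 01 2012 16:21:21 1.1.1.1 <LOC5:ERRR> eSafeCR: Alert from eSafe Scan result: "
    "SMTP error Protocol: SMTP File Name\\Mail Subject: Business Plan & Financials "
    "Source: 1.1.1.1 Destination: 1.1.1.1 Mail Sender: Peter.Store@recordflow.biz "
    "Mail Recipients: pete.store@recordflow.biz Details: Delivery Msg #911 - Email "
    "b0eeb3e8 NOT sent after multiple retries, likely reason: 554 delivery error: dd "
    "This user doesn't have a recordflow.biz account (pete.store@recordflow.biz) [0] "
    "- recordflow.biz."
)
ALCATEL_LOG = (
    "12 10 2012 09:08:56 1.1.1.1 <LOC1:DBUG> Dec 10 09:09:03 DAVE authmgr[1600]: "
    "<124004> <DBUG> <DAVE-03 1.1.1.1> Setting user 00:00:00:00:00:00 aaa profile to "
    "default-dot1x, reason: bbq_set_aaa_profile_defaults"
)
NETAPP_LOG = (
    "04/11/2016 16:55 TYPE=FailureAudit USER= COMP=Computer SORC=Security "
    "CATG=Logon/Logoff EVID=537 MESG=Logon Failure: Reason: An unexpected error "
    "occurred during logon User Name: - Domain: - Logon Type: 3 Logon Process: "
    "Data ONTAP Authentication Package: Extended Security Workstation Name: - "
    "Status code: - Substatus code: - Source Network Address: 1.1.1.1 Source Port: 0"
)

# One named-group pattern per source. Group names follow the Elasticsearch field
# names used on this page (reason, responsecode, result, policy). These are
# illustrative patterns, not the vendor's or LogRhythm's rules.
RULES = [
    # SMTP reply code -> ResponseCode; the free text after it -> Reason;
    # "NOT sent" is what happened -> Result.
    ("eSafe Email Security", re.compile(
        r"Email \w+ (?P<result>NOT sent) after multiple retries, likely reason: "
        r"(?P<responsecode>\d{3}) delivery error: \S+ (?P<reason>[^(]+?)\s*\(")),
    # The controller applies a profile because policy says so, so only Policy is
    # captured; the trailing "reason: <token>" is deliberately left unmapped.
    ("Alcatel-Lucent Wireless Controller", re.compile(
        r"Setting user \S+ aaa profile to (?P<policy>[^,]+), reason: \S+")),
    # Result holds what happened, Reason holds why.
    ("NetApp CIFS Security Audit Event Log", re.compile(
        r"MESG=(?P<result>Logon Failure): Reason: (?P<reason>.+?) User Name:")),
]

# A deliberately careless eSafe rule that swallows the SMTP code into Reason,
# which the usage standard above forbids.
NAIVE_ESAFE = re.compile(r"likely reason: (?P<reason>[^(]+?)\s*\(")


def parse_reason_fields(line: str) -> dict:
    """Apply the first matching rule; return its captured fields plus the rule
    name, or {} when no rule matches."""
    for name, pattern in RULES:
        match = pattern.search(line)
        if match:
            fields = {"rule": name}
            fields.update({k: v.strip() for k, v in match.groupdict().items() if v})
            return fields
    return {}


def reason_violates_standard(reason: str) -> bool:
    """True when a Reason value starts with a three-digit code (SMTP or HTTP
    style). Per the usage standard that code belongs in ResponseCode, so a
    rule producing such a Reason should be split before it is promoted."""
    return re.match(r"\d{3}\b", reason) is not None


if __name__ == "__main__":
    for line in (ESAFE_LOG, ALCATEL_LOG, NETAPP_LOG):
        print(parse_reason_fields(line))
    naive = NAIVE_ESAFE.search(ESAFE_LOG).group("reason")
    print("naive reason:", repr(naive), "violates standard:",
          reason_violates_standard(naive))
```

Running the module prints the field dictionary for each sample and then flags the naive eSafe capture, whose Reason begins with "554 delivery error". Running a check like `reason_violates_standard` over the output of a new rule on a batch of samples is a cheap way to catch code-in-Reason mistakes before the rule goes into production.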