Skip to main content
Skip table of contents

Reason [7.2]

The justification for an action or result. 

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type




Client Console Full Name


Client Console Short Name


Web Console Tab/Name


Elasticsearch Field Name


Rule Builder Column Name


Regex Pattern


NetMon Name

Not applicable

Field Relationships

  • Action
  • Command
  • Policy
  • Result
  • ResponseCode

Common Applications

Understanding why an action or command was executed, or why a result or ResponseCode was generated. 

Use Case

  • Email filtering
  • Firewall blocking
  • Antivirus
  • Vulnerability scanning

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

  • If the log explicitly calls out a policy, use policy instead.
  • Reason should be free text. If it is an industry standard code use ResponseCode.
  • Result should be used for what and Reason should be used for why.


  • eSafe Email Security

05 01 2012 16:21:21 <LOC5:ERRR> eSafeCR: Alert from eSafe    Scan result: SMTP error  Protocol: SMTP  File Name\Mail Subject:  Business Plan & Financials  Source:  Destination:  Mail Sender:  Mail Recipients:  Details: Delivery Msg #911 - Email b0eeb3e8 NOT sent after multiple retries, likely reason: 554 delivery error: dd This user doesn't have a account ( [0] -

The Reason field (554) parses into ResponseCode because 554 is an SMTP response. The text after could be parsed into Reason. Obtain other samples to determine whether there is a legitimate pattern in the log.

  • Alcatel-Lucent Wireless Controller

12 10 2012 09:08:56 <LOC1:DBUG> Dec 10 09:09:03 DAVE authmgr[1600]: <124004> <DBUG> <DAVE-03>  Setting user 00:00:00:00:00:00 aaa profile to default-dot1x, reason: bbq_set_aaa_profile_defaults

This is an assumed Policy, but additional logs and product knowledge is needed to confirm. There would not be a Reason in this log because the reason is that it is policy.

  • NetApp CIFS Security Audit Event Log

04/11/2016 16:55 TYPE=FailureAudit USER= COMP=Computer SORC=Security CATG=Logon/Logoff EVID=537 MESG=Logon Failure:        Reason:           An unexpected error occurred during logon    User Name:  -     Domain:           -        Logon Type: 3     Logon Process:    Data ONTAP        Authentication Package:    Extended Security       Workstation Name: -     Status code:      -        Substatus code:   -     Caller User Name: -     Caller Domain:    -        Caller Logon ID:  -     Caller Process ID:      3170862     Transited Services:   -     Source Network Address:     Source Port:      0        Caller Process Name:

Logon failure is the event, and unexpected error parses into Reason.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.