Cisco Defense Orchestrator

EventName Attributes for Syslog Events

Some syslog events have the additional attribute "EventName". You can filter the events table on this attribute by entering attribute:value pairs. For example, to find events for a "Denied IP packet", enter EventName:"Denied IP Packet" in the search field of the Event Logging table.

Syslog Event ID and Event Names Tables

AAA Syslog Event IDs and Event Names

EventID EventName
109001 AAA Begin
109002 AAA Failed
109003 AAA Server Failed
109005 Authentication Success
109006 Authentication Failed
109007 Authorization Success
109008 Authorization Failed
109010 AAA Pending
109011 AAA Session Started
109012 AAA Session Ended
109013 AAA
109014 AAA Failed
109016 AAA ACL not found
109017 AAA Limit Reach
109018 AAA ACL Empty
109019 AAA ACL error
109020 AAA ACL error
109021 AAA error
109022 AAA HTTP limit reached
109023 AAA auth required
109024 Authorization Failed
109025 Authorization Failed
109026 AAA error
109027 AAA Server error
109028 AAA Bypassed
109029 AAA ACL error
109030 AAA ACL error
109031 Authentication Failed
109032 AAA ACL error
109033 Authentication Failed
109034 Authentication Failed
109035 AAA Limit Reach
113001 AAA Session limit reach
113003 AAA overridden
113004 AAA Successful
113005 Authorization Rejected
113006 AAA user locked
113007 AAA User unlocked
113008 AAA successful
113009 AAA retrieved
113010 AAA Challenge received
113011 AAA retrieved
113012 Authentication Successful
113013 AAA error
113014 AAA error
113015 Authentication Rejected
113016 AAA Rejected
113017 AAA Rejected
113018 AAA ACL error
113019 AAA Disconnected
113020 AAA error
113021 AAA Logging Fail
113022 AAA Failed
113023 AAA reactivated
113024 AAA Client certification
113025 AAA Authentication fail
113026 AAA error
113027 AAA error

Botnet Syslog Event IDs and Event Names

EventID EventName
338001 Botnet Source Block List
338002 Botnet Destination Block List
338003 Botnet Source Block List
338004 Botnet Destination Block List
338101 Botnet Source Allow List
338102 Botnet destination Allow List
338202 Botnet destination Grey
338203 Botnet Source Grey
338204 Botnet Destination Grey
338301 Botnet DNS Intercepted
338302 Botnet DNS
338303 Botnet DNS
338304 Botnet Download successful
338305 Botnet Download failed
338306 Botnet Authentication failed
338307 Botnet Decrypt failed
338308 Botnet Client
338309 Botnet Client
338310 Botnet dyn filter failed

Failover Syslog Event IDs and Event Names

EventID EventName
101001 Failover Cable OK
101002 Failover Cable BAD
101003 Failover Cable not connected
101004 Failover Cable not connected
101005 Failover Cable reading error
102001 Failover Power failure
103001 No response from failover mate
103002 Failover mate interface OK
103003 Failover mate interface BAD
103004 Failover mate reports failure
103005 Failover mate reports self failure
103006 Failover version incompatible
103007 Failover version difference
104001 Failover role switch
104002 Failover role switch
104003 Failover unit failed
104004 Failover unit OK
210001 Stateful Failover error
210002 Stateful Failover error
210003 Stateful Failover error
210005 Stateful Failover error
210006 Stateful Failover error
210007 Stateful Failover error
210008 Stateful Failover error
210010 Stateful Failover error
210020 Stateful Failover error
210021 Stateful Failover error
210022 Stateful Failover error
311001 Stateful Failover update
311002 Stateful Failover update
311003 Stateful Failover update
311004 Stateful Failover update
709001 Failover replication error
709002 Failover replication error
709003 Failover replication start
709004 Failover replication complete
709005 Failover receive replication start
709006 Failover receive replication complete
709007 Failover replication failure
418001 Denied Packet to Management
710003 Denied access to Device
106100 Permit/Denied by ACL

Firewall Denied Syslog Event IDs and Event Names

EventID EventName
106001 Denied by Security Policy
106002 Outbound Deny
106006 Denied by Security Policy
106007 Denied Inbound UDP
106008 Denied by Security Policy
106010 Denied by Security Policy
106011 Denied Inbound
106012 Denied due to Bad IP option
106013 Dropped Ping to PAT IP
106014 Denied Inbound ICMP
106015 Denied by Security Policy
106016 Denied IP Spoof
106017 Denied due to Land Attack
106018 Denied outbound ICMP
106020 Denied IP Packet
106021 Denied TCP
106022 Denied Spoof packet
106023 Denied IP packet
106025 Dropped Packet failed to Detect context
106026 Dropped Packet failed to Detect context
106027 Dropped Packet failed to Detect context
418001 Denied Packet to Management
710003 Denied access to Device
106100 Permit/Denied by ACL

Firewall Traffic Syslog Event IDs and Event Names

EventID EventName
110002 No Router found
110003 Failed to Find Next hop
209003 Fragment Limit Reach
209004 Fragment invalid Length
209005 Fragment IP discard
313001 ICMP Denied
313004 ICMP Drop
313005 ICMP Error Msg Drop
313008 ICMP ipv6 Denied
324000 GTP Pkt Drop
324001 GTP Pkt Error
324002 Memory Error
324003 GTP Pkt Drop
324004 GTP Version Not Supported
324005 GTP Tunnel Failed
324006 GTP Tunnel Failed
324007 GTP Tunnel Failed
337001 Phone Proxy SRTP Failed
337002 Phone Proxy SRTP Failed
337003 Phone Proxy SRTP Auth Fail
337004 Phone Proxy SRTP Auth Fail
337005 Phone Proxy SRTP no Media Session
337006 Phone Proxy TFTP Unable to Create File
337007 Phone Proxy TFTP Unable to Find File
337008 Phone Proxy Call Failed
337009 Phone Proxy Unable to Create Phone Entry
302003 H245 Connection Start
302004 H323 Connection start
302009 Restart TCP
302010 Connection USAGE
302012 H225 CALL SIGNAL CONN
302013 Built TCP
302014 Teardown TCP
302015 Built UDP
302016 Teardown UDP
302017 Built GRE
302018 Teardown GRE
302019 H323 Failed
302020 Built ICMP
302021 Teardown ICMP
302022 Built TCP Stub
302023 Teardown TCP Stub
302024 Built UDP Stub
302025 Teardown UDP Stub
302026 Built ICMP Stub
302027 Teardown ICMP Stub
302033 Connection H323
302034 H323 Connection Failed
302035 Built SCTP
302036 Teardown SCTP
302303 Built TCP
302304 Teardown TCP
302305 Built SCTP
302306 Teardown SCTP
431001 Dropped RTP
431002 Dropped RTCP
407001 Host Limit Reach
407002 Embryonic limit Reached
407003 Established limit Reached
416001 Inspect SNMP dropped
419001 Dropped packet
419002 Duplicate TCP SYN
419003 Packet modified
424001 Denied Packet
424002 Dropped Packet
609001 Built Local-Host
609002 Teardown Local Host
508001 Inspect DCERPC Dropped
508002 Inspect DCERPC Dropped
509001 Prevented No Forward Cmd
726001 Inspect Instant Message
608001 Inspect Skinny
608002 Inspect Skinny dropped
608003 Inspect Skinny dropped
608004 Inspect Skinny dropped
608005 Inspect Skinny dropped
607001 Inspect SIP
607002 Inspect SIP
607003 Inspect SIP
703001 H225 Unsupported Version
703002 H225 Connection
500001 Inspect ActiveX
500002 Inspect Java
500003 Inspect TCP Header
500004 Inspect TCP Header
500005 Inspect Connection Terminated
406001 Inspect FTP Dropped
406002 Inspect FTP Dropped
303002 FTP file download/upload
303003 Inspect FTP Dropped
303004 Inspect FTP Dropped
303005 Inspect FTP reset
108001 Inspect SMTP
108002 Inspect SMTP
108003 Inspect ESMTP Dropped
108004 Inspect ESMTP
108005 Inspect ESMTP
108006 Inspect ESMTP Violation
108007 Inspect ESMTP
415001 Inspect Http Header Field Count
415002 Inspect Http Header Field Length
415003 Inspect Http body Length
415004 Inspect Http content-type
415005 Inspect Http URL length
415006 Inspect Http URL Match
415007 Inspect Http Body Match
415008 Inspect Http Header match
415009 Inspect Http Method match
415010 Inspect transfer encode match
415011 Inspect Http Protocol Violation
415012 Inspect Http Content-type
415013 Inspect Http Malformed
415014 Inspect Http Mime-Type
415015 Inspect Http Transfer-encoding
415016 Inspect Http Unanswered
415017 Inspect Http Argument match
415018 Inspect Http Header length
415019 Inspect Http status Matched
415020 Inspect Http non-ASCII
400000 IPS IP options-Bad Option List
400001 IPS IP options-Record Packet Route
400002 IPS IP options-Timestamp
400003 IPS IP options-Security
400004 IPS IP options-Loose Source Route
400005 IPS IP options-SATNET ID
400006 IPS IP options-Strict Source Route
400007 IPS IP Fragment Attack
400008 IPS IP Impossible Packet
400009 IPS IP Fragments Overlap
400010 IPS ICMP Echo Reply
400011 IPS ICMP Host Unreachable
400012 IPS ICMP Source Quench
400013 IPS ICMP Redirect
400014 IPS ICMP Echo Request
400015 IPS ICMP Time Exceeded for a Datagram
400016 IPS ICMP Parameter Problem on Datagram
400017 IPS ICMP Timestamp Request
400018 IPS ICMP Timestamp Reply
400019 IPS ICMP Information Request
400020 IPS ICMP Information Reply
400021 IPS ICMP Address Mask Request
400022 IPS ICMP Address Mask Reply
400023 IPS Fragmented ICMP Traffic
400024 IPS Large ICMP Traffic
400025 IPS Ping of Death Attack
400026 IPS TCP NULL flags
400027 IPS TCP SYN+FIN flags
400028 IPS TCP FIN only flags
400029 IPS FTP Improper Address Specified
400030 IPS FTP Improper Port Specified
400031 IPS UDP Bomb attack
400032 IPS UDP Snork attack
400033 IPS UDP Chargen DoS attack
400034 IPS DNS HINFO Request
400035 IPS DNS Zone Transfer
400036 IPS DNS Zone Transfer from High Port
400037 IPS DNS Request for All Records
400038 IPS RPC Port Registration
400039 IPS RPC Port Unregistration
400040 IPS RPC Dump
400041 IPS Proxied RPC Request
400042 IPS YP server Portmap Request
400043 IPS YP bind Portmap Request
400044 IPS YP password Portmap Request
400045 IPS YP update Portmap Request
400046 IPS YP transfer Portmap Request
400047 IPS Mount Portmap Request
400048 IPS Remote execution Portmap Request
400049 IPS Remote execution Attempt
400050 IPS Statd Buffer Overflow

Identity Based Firewall Syslog Event IDs and Event Names

EventID EventName
746001 Import started
746002 Import complete
746003 Import failed
746004 Exceed user group limit
746005 AD Agent down
746006 AD Agent out of sync
746007 Netbios response failed
746008 Netbios started
746009 Netbios stopped
746010 Import user failed
746011 Exceed user limit
746012 User IP add
746013 User IP delete
746014 FQDN Obsolete
746015 FQDN resolved
746016 DNS lookup failed
746017 Import user issued
746018 Import user done
746019 Update AD Agent failed

IPSec Syslog Event IDs and Event Names

EventID EventName
402114 Invalid SPI received
402115 Unexpected protocol received
402116 Packet doesn't match identity
402117 Non-IPSEC packet received
402118 Invalid fragment offset
402119 Anti-Replay check failure
402120 Authentication failure
402121 Packet dropped
426101 cLACP Port Bundle
426102 cLACP Port Standby
426103 cLACP Port Moved To Bundle From Standby
426104 cLACP Port Unbundled
602103 Path MTU updated
602104 Path MTU exceeded
602303 New SA created
602304 SA deleted
702305 SA expiration - Sequence rollover
702307 SA expiration - Data rollover

NAT Syslog Event ID and Event Names

EventID EventName
202001 Global NAT exhausted
202005 Embryonic connection error
202011 Connection limit exceeded
201002 Max connection Exceeded for host
201003 Embryonic limit exceed
201004 UDP connection limit exceed
201005 FTP connection failed
201006 RCMD connection failed
201008 New connection Disallowed
201009 Connection Limit exceed
201010 Embryonic Connection limit exceeded
201011 Connection Limit exceeded
201012 Per-client embryonic connection limit exceeded
201013 Per-client connection limit exceeded
305005 No NAT group found
305006 Translation failed
305007 Connection dropped
305008 NAT allocation issue
305009 NAT Created
305010 NAT teardown
305011 PAT created
305012 PAT teardown
305013 Connection denied

SSL VPN Syslog Event IDs and Event Names

EventID EventName
725001 SSL handshake Started
725002 SSL Handshake completed
725003 SSL Client session resume
725004 SSL Client request Authentication
725005 SSL Server request authentication
725006 SSL Handshake failed
725007 SSL Session terminated
725008 SSL Client Cipher
725009 SSL Server Cipher
725010 SSL Cipher
725011 SSL Device choose Cipher
725012 SSL Device choose Cipher
725013 SSL Server choose cipher
725014 SSL LIB error
725015 SSL client certificate failed
716001 WebVPN Session Started
716002 WebVPN Session Terminated
716003 WebVPN User URL access
716004 WebVPN User URL access denied
716005 WebVPN ACL error
716006 WebVPN User Disabled
716007 WebVPN Unable to Create
716008 WebVPN Debug
716009 WebVPN ACL error
716010 WebVPN User access network
716011 WebVPN User access
716012 WebVPN User Directory access
716013 WebVPN User file access
716014 WebVPN User file access
716015 WebVPN User file access
716016 WebVPN User file access
716017 WebVPN User file access
716018 WebVPN User file access
716019 WebVPN User file access
716020 WebVPN User file access
716021 WebVPN user access file denied
716022 WebVPN Unable to connect proxy
716023 WebVPN session limit reached
716024 WebVPN User access error
716025 WebVPN User access error
716026 WebVPN User access error
716027 WebVPN User access error
716028 WebVPN User access error
716029 WebVPN User access error
716030 WebVPN User access error
716031 WebVPN User access error
716032 WebVPN User access error
716033 WebVPN User access error
716034 WebVPN User access error
716035 WebVPN User access error
716036 WebVPN User login successful
716037 WebVPN User login failed
716038 WebVPN User Authentication Successful
716039 WebVPN User Authentication Rejected
716040 WebVPN User logging denied
716041 WebVPN ACL hit count
716042 WebVPN ACL hit
716043 WebVPN Port forwarding
716044 WebVPN Bad Parameter
716045 WebVPN Invalid Parameter
716046 WebVPN connection terminated
716047 WebVPN ACL usage
716048 WebVPN memory issue
716049 WebVPN Empty SVC ACL
716050 WebVPN ACL error
716051 WebVPN ACL error
716052 WebVPN Session Terminated
716053 WebVPN SSO Server added
716054 WebVPN SSO Server deleted
716055 WebVPN Authentication Successful
716056 WebVPN Authentication Failed
716057 WebVPN Session terminated
716058 WebVPN Session lost
716059 WebVPN Session resumed
716060 WebVPN Session Terminated
722001 WebVPN SVC Connect request error
722002 WebVPN SVC Connect request error
722003 WebVPN SVC Connect request error
722004 WebVPN SVC Connect request error
722005 WebVPN SVC Connect update issue
722006 WebVPN SVC Invalid address
722007 WebVPN SVC Message
722008 WebVPN SVC Message
722009 WebVPN SVC Message
722010 WebVPN SVC Message
722011 WebVPN SVC Message
722012 WebVPN SVC Message
722013 WebVPN SVC Message
722014 WebVPN SVC Message
722015 WebVPN SVC invalid frame
722016 WebVPN SVC invalid frame
722017 WebVPN SVC invalid frame
722018 WebVPN SVC invalid frame
722019 WebVPN SVC Not Enough Data
722020 WebVPN SVC no address
722021 WebVPN Memory issue
722022 WebVPN SVC connection established
722023 WebVPN SVC connection terminated
722024 WebVPN Compression Enabled
722025 WebVPN Compression Disabled
722026 WebVPN Compression reset
722027 WebVPN Decompression reset
722028 WebVPN Connection Closed
722029 WebVPN SVC Session terminated
722030 WebVPN SVC Session terminated
722031 WebVPN SVC Session terminated
722032 WebVPN SVC connection Replacement
722033 WebVPN SVC Connection established
722034 WebVPN SVC New connection
722035 WebVPN Received Large packet
722036 WebVPN transmitting Large packet
722037 WebVPN SVC connection closed
722038 WebVPN SVC session terminated
722039 WebVPN SVC invalid ACL
722040 WebVPN SVC invalid ACL
722041 WebVPN SVC IPv6 not available
722042 WebVPN invalid protocol
722043 WebVPN DTLS disabled
722044 WebVPN unable to request address
722045 WebVPN Connection terminated
722046 WebVPN Session terminated
722047 WebVPN Tunnel terminated
722048 WebVPN Tunnel terminated
722049 WebVPN Session terminated
722050 WebVPN Session terminated
722051 WebVPN address assigned
722053 WebVPN Unknown client
723001 WebVPN Citrix connection Up
723002 WebVPN Citrix connection Down
723003 WebVPN Citrix no memory issue
723004 WebVPN Citrix bad flow control
723005 WebVPN Citrix no channel
723006 WebVPN Citrix SOCKS error
723007 WebVPN Citrix connection list broken
723008 WebVPN Citrix invalid SOCKS
723009 WebVPN Citrix invalid connection
723010 WebVPN Citrix invalid connection
723011 WebVPN citrix Bad SOCKS
723012 WebVPN Citrix Bad SOCKS
723013 WebVPN Citrix invalid connection
723014 WebVPN Citrix connected to Server
724001 WebVPN Session not allowed
724002 WebVPN Session terminated
724003 WebVPN CSD
724004 WebVPN CSD