Authentication
The authentication category contains events that are related to authentication, sessions, and access controls that monitor users on the network.
The following table describes the low-level event categories and associated severity levels for the authentication category.
Low-level event category | Category ID | Description | Severity level (0 - 10) |
---|---|---|---|
Unknown Authentication | 3001 | Indicates unknown authentication. | 1 |
Host Login Succeeded | 3002 | Indicates a successful host login. | 1 |
Host Login Failed | 3003 | Indicates that the host login failed. | 3 |
Misc Login Succeeded | 3004 | Indicates that the login sequence succeeded. | 1 |
Misc Login Failed | 3005 | Indicates that the login sequence failed. | 3 |
Privilege Escalation Failed | 3006 | Indicates that the privilege escalation failed. | 3 |
Privilege Escalation Succeeded | 3007 | Indicates that the privilege escalation succeeded. | 1 |
Mail Service Login Succeeded | 3008 | Indicates that the mail service login succeeded. | 1 |
Mail Service Login Failed | 3009 | Indicates that the mail service login failed. | 3 |
Auth Server Login Failed | 3010 | Indicates that the authentication server login failed. | 3 |
Auth Server Login Succeeded | 3011 | Indicates that the authentication server login succeeded. | 1 |
Web Service Login Succeeded | 3012 | Indicates that the web service login succeeded. | 1 |
Web Service Login Failed | 3013 | Indicates that the web service login failed. | 3 |
Admin Login Successful | 3014 | Indicates that an administrative login was successful. | 1 |
Admin Login Failure | 3015 | Indicates that the administrative login failed. | 3 |
Suspicious Username | 3016 | Indicates that a user attempted to access the network by using an incorrect user name. | 4 |
Login with username/password defaults successful | 3017 | Indicates that a user accessed the network by using the default user name and password. | 4 |
Login with username/password defaults failed | 3018 | Indicates that a user was unsuccessful accessing the network by using the default user name and password. | 4 |
FTP Login Succeeded | 3019 | Indicates that the FTP login was successful. | 1 |
FTP Login Failed | 3020 | Indicates that the FTP login failed. | 3 |
SSH Login Succeeded | 3021 | Indicates that the SSH login was successful. | 1 |
SSH Login Failed | 3022 | Indicates that the SSH login failed. | 2 |
User Right Assigned | 3023 | Indicates that user access to network resources was successfully granted. | 1 |
User Right Removed | 3024 | Indicates that user access to network resources was successfully removed. | 1 |
Trusted Domain Added | 3025 | Indicates that a trusted domain was successfully added to your deployment. | 1 |
Trusted Domain Removed | 3026 | Indicates that a trusted domain was removed from your deployment. | 1 |
System Security Access Granted | 3027 | Indicates that system security access was successfully granted. | 1 |
System Security Access Removed | 3028 | Indicates that system security access was successfully removed. | 1 |
Policy Added | 3029 | Indicates that a policy was successfully added. | 1 |
Policy Change | 3030 | Indicates that a policy was successfully changed. | 1 |
User Account Added | 3031 | Indicates that a user account was successfully added. | 1 |
User Account Changed | 3032 | Indicates a change to an existing user account. | 1 |
Password Change Failed | 3033 | Indicates that an attempt to change an existing password failed. | 3 |
Password Change Succeeded | 3034 | Indicates that a password change was successful. | 1 |
User Account Removed | 3035 | Indicates that a user account was successfully removed. | 1 |
Group Member Added | 3036 | Indicates that a group member was successfully added. | 1 |
Group Member Removed | 3037 | Indicates that a group member was removed. | 1 |
Group Added | 3038 | Indicates that a group was successfully added. | 1 |
Group Changed | 3039 | Indicates a change to an existing group. | 1 |
Group Removed | 3040 | Indicates that a group was removed. | 1 |
Computer Account Added | 3041 | Indicates that a computer account was successfully added. | 1 |
Computer Account Changed | 3042 | Indicates a change to an existing computer account. | 1 |
Computer Account Removed | 3043 | Indicates that a computer account was successfully removed. | 1 |
Remote Access Login Succeeded | 3044 | Indicates that access to the network by using a remote login was successful. | 1 |
Remote Access Login Failed | 3045 | Indicates that an attempt to access the network by using a remote login failed. | 3 |
General Authentication Successful | 3046 | Indicates that the authentication process was successful. | 1 |
General Authentication Failed | 3047 | Indicates that the authentication process failed. | 3 |
Telnet Login Succeeded | 3048 | Indicates that the telnet login was successful. | 1 |
Telnet Login Failed | 3049 | Indicates that the telnet login failed. | 3 |
Suspicious Password | 3050 | Indicates that a user attempted to log in by using a suspicious password. | 4 |
Samba Login Successful | 3051 | Indicates that a user successfully logged in by using Samba. | 1 |
Samba Login Failed | 3052 | Indicates a user failed to log in by using Samba. | 3 |
Auth Server Session Opened | 3053 | Indicates that a communication session with the authentication server was started. | 1 |
Auth Server Session Closed | 3054 | Indicates that a communication session with the authentication server was closed. | 1 |
Firewall Session Closed | 3055 | Indicates that a firewall session was closed. | 1 |
Host Logout | 3056 | Indicates that a host successfully logged out. | 1 |
Misc Logout | 3057 | Indicates that a user successfully logged out. | 1 |
Auth Server Logout | 3058 | Indicates that the process to log out of the authentication server was successful. | 1 |
Web Service Logout | 3059 | Indicates that the process to log out of the web service was successful. | 1 |
Admin Logout | 3060 | Indicates that the administrative user successfully logged out. | 1 |
FTP Logout | 3061 | Indicates that the process to log out of the FTP service was successful. | 1 |
SSH Logout | 3062 | Indicates that the process to log out of the SSH session was successful. | 1 |
Remote Access Logout | 3063 | Indicates that the process to log out using remote access was successful. | 1 |
Telnet Logout | 3064 | Indicates that the process to log out of the Telnet session was successful. | 1 |
Samba Logout | 3065 | Indicates that the process to log out of Samba was successful. | 1 |
SSH Session Started | 3066 | Indicates that the SSH login session was initiated on a host. | 1 |
SSH Session Finished | 3067 | Indicates the termination of an SSH login session on a host. | 1 |
Admin Session Started | 3068 | Indicates that a login session was initiated on a host by an administrative or privileged user. | 1 |
Admin Session Finished | 3069 | Indicates the termination of an administrator's or privileged user's login session on a host. | 1 |
VoIP Login Succeeded | 3070 | Indicates a successful VoIP service login. | 1 |
VoIP Login Failed | 3071 | Indicates an unsuccessful attempt to access VoIP service. | 1 |
VoIP Logout | 3072 | Indicates a user logout. | 1 |
VoIP Session Initiated | 3073 | Indicates the beginning of a VoIP session. | 1 |
VoIP Session Terminated | 3074 | Indicates the end of a VoIP session. | 1 |
Database Login Succeeded | 3075 | Indicates a successful database login. | 1 |
Database Login Failure | 3076 | Indicates a database login attempt failed. | 3 |
IKE Authentication Failed | 3077 | Indicates a failed Internet Key Exchange (IKE) authentication was detected. | 3 |
IKE Authentication Succeeded | 3078 | Indicates that a successful IKE authentication was detected. | 1 |
IKE Session Started | 3079 | Indicates that an IKE session started. | 1 |
IKE Session Ended | 3080 | Indicates that an IKE session ended. | 1 |
IKE Error | 3081 | Indicates an IKE error message. | 1 |
IKE Status | 3082 | Indicates an IKE status message. | 1 |
RADIUS Session Started | 3083 | Indicates that a RADIUS session started. | 1 |
RADIUS Session Ended | 3084 | Indicates a RADIUS session ended. | 1 |
RADIUS Session Denied | 3085 | Indicates that a RADIUS session was denied. | 1 |
RADIUS Session Status | 3086 | Indicates a RADIUS session status message. | 1 |
RADIUS Authentication Failed | 3087 | Indicates a RADIUS authentication failure. | 3 |
RADIUS Authentication Successful | 3088 | Indicates a RADIUS authentication succeeded. | 1 |
TACACS Session Started | 3089 | Indicates a TACACS session started. | 1 |
TACACS Session Ended | 3090 | Indicates a TACACS session ended. | 1 |
TACACS Session Denied | 3091 | Indicates that a TACACS session was denied. | 1 |
TACACS Session Status | 3092 | Indicates a TACACS session status message. | 1 |
TACACS Authentication Successful | 3093 | Indicates a TACACS authentication succeeded. | 1 |
TACACS Authentication Failed | 3094 | Indicates a TACACS authentication failure. | 1 |
Deauthenticating Host Succeeded | 3095 | Indicates that the deauthentication of a host was successful. | 1 |
Deauthenticating Host Failed | 3096 | Indicates that the deauthentication of a host failed. | 3 |
Station Authentication Succeeded | 3097 | Indicates that the station authentication was successful. | 1 |
Station Authentication Failed | 3098 | Indicates that the station authentication of a host failed. | 3 |
Station Association Succeeded | 3099 | Indicates that the station association was successful. | 1 |
Station Association Failed | 3100 | Indicates that the station association failed. | 3 |
Station Reassociation Succeeded | 3101 | Indicates that the station reassociation was successful. | 1 |
Station Reassociation Failed | 3102 | Indicates that the station association failed. | 3 |
Disassociating Host Succeeded | 3103 | Indicates that disassociating a host was successful. | 1 |
Disassociating Host Failed | 3104 | Indicates that disassociating a host failed. | 3 |
SA Error | 3105 | Indicates a Security Association (SA) error message. | 5 |
SA Creation Failure | 3106 | Indicates a Security Association (SA) creation failure. | 3 |
SA Established | 3107 | Indicates that a Security Association (SA) connection was established. | 1 |
SA Rejected | 3108 | Indicates that a Security Association (SA) connection was rejected. | 3 |
Deleting SA | 3109 | Indicates the deletion of a Security Association (SA). | 1 |
Creating SA | 3110 | Indicates the creation of a Security Association (SA). | 1 |
Certificate Mismatch | 3111 | Indicates a certificate mismatch. | 3 |
Credentials Mismatch | 3112 | Indicates a credentials mismatch. | 3 |
Admin Login Attempt | 3113 | Indicates an admin login attempt. | 2 |
User Login Attempt | 3114 | Indicates a user login attempt. | 2 |
User Login Successful | 3115 | Indicates a successful user login. | 1 |
User Login Failure | 3116 | Indicates a failed user login. | 3 |
SFTP Login Succeeded | 3117 | Indicates a successful SSH File Transfer Protocol (SFTP) login. | 1 |
SFTP Login Failed | 3118 | Indicates a failed SSH File Transfer Protocol (SFTP) login. | 3 |
SFTP Logout | 3119 | Indicates an SSH File Transfer Protocol (SFTP) logout. | 1 |
Identity Granted | 3120 | Indicates that an identity was granted. | 1 |
Identity Removed | 3121 | Indicates that an identity was removed. | 1 |
Identity Revoked | 3122 | Indicates that an identity was revoked. | 1 |
Policy Removed | 3123 | Indicates that a policy was removed. | 1 |
User Account Lock | 3124 | Indicates that a user account was locked. | 1 |
User Account Unlock | 3125 | Indicates that a user account was unlocked. | 1 |
User Account Expired | 3126 | Indicates that a user account is expired. | 1 |