| paloaltonetworks:logs:syslog:auth [2020/08/31 06:30] – external edit 127.0.0.1 | paloaltonetworks:logs:syslog:auth [2022/11/23 12:49] (current) – external edit 127.0.0.1 |
|---|
| <code>( eventid eq auth-fail ) and ( description contains 'failed authentication for user \'admin\'. (Additional Info : Commit in progress)' )</code> | <code>( eventid eq auth-fail ) and ( description contains 'failed authentication for user \'admin\'. (Additional Info : Commit in progress)' )</code> |
| <code>( eventid eq auth-fail ) and ( description contains 'failed authentication for user \'admin\'. Reason: User is in locked users list. From: 192.168.1.1..' )</code> | <code>( eventid eq auth-fail ) and ( description contains 'failed authentication for user \'admin\'. Reason: User is in locked users list. From: 192.168.1.1..' )</code> |
| <code>( eventid eq auth-fail ) and ( object eq SP-LDAP-NAME ) and ( description contains 'failed authentication for user \'user@domain.com\'. auth profile \'SP-LDAP-NAME\', vsys \'vsys1\', server profile \'SP_LDAP_OGLOBAL\', server address \'192.168.1.1\', From: 11.22.33.44.' )</code> | <code>( eventid eq auth-fail ) and ( object eq SP-LDAP-NAME ) and ( description contains 'failed authentication for user \'user@domain.com\'. auth profile \'SP-LDAP-NAME\', vsys \'vsys1\', server profile \'SP_LDAP_SERVER\', server address \'192.168.1.1\', From: 11.22.33.44.' )</code> |
| <code>( eventid eq auth-fail ) and ( object eq SP-LDAP-NAME ) and ( description contains 'failed authentication for user \'user@domain.com\'. Reason: User is not in allowlist. auth profile \'SP-LDAP-NAME\', vsys \'vsys1\', From: 192.168.1.1' )</code> | <code>( eventid eq auth-fail ) and ( object eq SP-LDAP-NAME ) and ( description contains 'failed authentication for user \'user@domain.com\'. Reason: User is not in allowlist. auth profile \'SP-LDAP-NAME\', vsys \'vsys1\', From: 192.168.1.1' )</code> |
| <code>( eventid eq auth-fail ) and ( description contains 'Certificate validation failed for user \'\'. Reason: Invalid username/password. reply message \'You didn\'t provide a user name\'' )</code> | <code>( eventid eq auth-fail ) and ( description contains 'Certificate validation failed for user \'\'. Reason: Invalid username/password. reply message \'You didn\'t provide a user name\'' )</code> |
| | |
| | |
| ===== Low ===== | ===== Low ===== |
| ( subtype eq auth ) and ( severity eq low )</code> | <code>( subtype eq auth ) and ( severity eq low )</code> |
| ( eventid eq saml-out-of-band-message ) and ( object eq server-profile ) and ( description contains 'Client \'\' received out-of-band SAML message: <?xml version="1.0" encoding="UTF-8" standalone="no"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://portal.domain.com:443/SAML20/SP/ACS" ID="_5656565656565656556hhghghghghghgh" InResponseTo="_b016f9a607c749490a320f9916a28e66" IssueInstant="2020-05-08T09:54:35.068Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=C013kwwcj</saml2:Issuer><ds:Si' )</code> | <code>( eventid eq saml-out-of-band-message ) and ( object eq server-profile ) and ( description contains 'Client \'\' received out-of-band SAML message: <?xml version="1.0" encoding="UTF-8" standalone="no"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://portal.domain.com:443/SAML20/SP/ACS" ID="_5656565656565656556hhghghghghghgh" InResponseTo="_b016f9a607c749490a320f9916a28e66" IssueInstant="2020-05-08T09:54:35.068Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=C013kwwcj</saml2:Issuer><ds:Si' )</code> |
| | |
| ===== Informational ===== | ===== Informational ===== |