Anonymous_User Absent Member.

LOGIN_FAILED at XDAS Taxonomy Level3 (Action) Field


Several collectors (including Windows and Cisco switch collectors) are
generating parsed event data with XDAS Taxonomy Level3 field set to
But there is no such value in the SDK documentation ( 'Sentinel
Taxonomy' ( )

I think the correct way to parse a LOGIN FAILED event is to set the XDAS
Taxonomy Level3 value to LOGIN and set XDAS Outcome to
Because the action is not LOGIN_FAILED but the result of the LOGIN
action is FAILURE.

Am I correct, or should I also set the Action field to LOGIN_FAILED for
failed logons?


hkalyoncu's Profile:

Anonymous_User Absent Member.

Re: LOGIN_FAILED at XDAS Taxonomy Level3 (Action) Field

Hi Hakan,

Good question - the answer however depends on whether you're using the
2011.1 SDK (Beta) or not. In the new SDK, we don't use the legacy
taxonomy at all in the file.

Anyway, I assume your question boils down to this: "When I'm parsing a
failed login event, what should I put in my file?"

The answer is that you should use "LOGIN FAILED" for the legacy
taxonomy (for 6.1), like this:

Actually it's a bit more subtle than this; in reality it should
probably be:
with the "XDASOutcomeName" set to whatever the correct specific reason
was for denying the login.

FAILED implies some sort of system failure, whereas DENIAL indicates
that the rejection was entirely intentional, and the login was denied by

And although I agree this isn't terribly well documented, the idea is
that for the legacy taxonomy you simply append " FAILED" or " DENIED" to
the Level3 field to match whatever XDAS has (again, only for 6.1).

DCorlette's Profile:
