...
Field | Type | Extra fields |
---|---|---|
eventdate | | |
host | | |
Severity | | |
EventID | | |
Group | | |
User | | |
srcIP | | |
srcPort | | |
dstIP | | |
dstPort | | |
interface | | |
clientType | | |
ipv4Address | | |
ipv6Address | | |
SessionType | | |
Duration | | |
BytesXmt | | |
BytesRcv | | |
Reason | | |
svcMessage | | |
svcMessageCode | | |
Type | | |
error | | |
message | | |
rawMessage | | |
hostchain | | |
tag | | ✓ |
raw | | ✓ |
rawSource | | ✓ |
How is the data sent to Devo?
Cisco Firewall Configuration
...
Learn more about this process here.
Devo relay rules
You will need to define relay rules that can correctly identify the event type and apply the corresponding tag.
...
These instructions cover all of the event types, and the order is important. Even if you are only sending some of the Cisco firewall event types to Devo, be sure to follow the same order.
Devo Relay rules |
---|
Rule 1: Cisco Firepower Threat Defense events |
Rule 2: Cisco Firepower Management Central events |
Rule 3: Cisco Firewall Services Module events |
Rule 4: Cisco PIX events |
Rule 5: Cisco ASA VPN events. This rule must precede the Cisco ASA rule. The regex in the Source Data field identifies all event codes associated with the VPN. |
Rule 6: Cisco ASA events. All events received on this port that did not match any of the previous rules will be assigned the |
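The first-match ordering the rules above rely on, shown as an added Python illustration that is not part of Devo's documentation or its real relay configuration: the tag names are placeholders, the FMC rule is omitted, and the three ASA message IDs treated as VPN codes are an assumption for the demo. Swapping the ASA VPN rule behind the ASA catch-all shows why the order matters.

```python
import re

# Ordered relay rules: (rule name, regex over the raw syslog line, tag).
# The first rule whose regex matches wins, so the narrow ASA VPN rule
# has to sit before the ASA catch-all. Tags are PLACEHOLDERS, not Devo's
# real tags; the VPN message-ID list is an ASSUMPTION for illustration.
RELAY_RULES = [
    ("Rule 1: Cisco FTD",     re.compile(r"%FTD-\d-\d+"),                    "TAG_FTD"),
    ("Rule 3: Cisco FWSM",    re.compile(r"%FWSM-\d-\d+"),                   "TAG_FWSM"),
    ("Rule 4: Cisco PIX",     re.compile(r"%PIX-\d-\d+"),                    "TAG_PIX"),
    ("Rule 5: Cisco ASA VPN", re.compile(r"%ASA-\d-(113039|722022|722023)"), "TAG_ASA_VPN"),
    ("Rule 6: Cisco ASA",     re.compile(r"%ASA-\d-\d+"),                    "TAG_ASA"),
]


def apply_relay_rules(message, rules=RELAY_RULES):
    """Return (rule name, tag) of the first matching rule, or (None, None)."""
    for name, pattern, tag in rules:
        if pattern.search(message):
            return name, tag
    return None, None


def tag_events(events, rules=RELAY_RULES):
    """Map each raw event line to the tag the ordered rule set assigns it."""
    return {event: apply_relay_rules(event, rules)[1] for event in events}


# Constructed sample lines in Cisco syslog style (not captured from a device).
SAMPLE_EVENTS = [
    "<166>%ASA-6-722022: Group <vpn> User <alice> IP <198.51.100.7> TCP SVC connection established",
    "<166>%ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.7/4433",
    "<166>%FTD-6-430003: DeviceUUID: 0000, AccessControlRuleAction: Allow",
    "<166>%PIX-6-302013: Built outbound TCP connection 12 for inside:10.0.0.5/51000",
]

# Misordered variant: ASA catch-all placed before the ASA VPN rule.
MISORDERED_RULES = RELAY_RULES[:3] + [RELAY_RULES[4], RELAY_RULES[3]]

if __name__ == "__main__":
    for event, tag in tag_events(SAMPLE_EVENTS).items():
        print(f"{tag:12s} <- {event[:60]}")
    vpn_line = SAMPLE_EVENTS[0]
    print("misordered:", apply_relay_rules(vpn_line, MISORDERED_RULES)[1])
```

With the documented order the AnyConnect line lands on the VPN tag; with the catch-all moved ahead of it the same line is swallowed by the generic ASA tag, which is the misclassification the note on Rule 5 warns about.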
Firepower through eStreamer eNcore CLI
...