The tags beginning with vpn.cisco identify log events generated by Cisco ASA VPN.
Valid tags and data tables
The full tag must have 4 levels. The first two are fixed as vpn.cisco. The third level identifies the product and the fourth is the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Cisco ASA AnyConnect | | Union table - This is a union table that collects events from a set of tables for easy access and analysis. Learn more about this union table in this article. |
Cisco FTD AnyConnect | | |
For more information, read more about Devo tags.
Table structure
These are the fields displayed in these tables:
vpn.cisco.asa.anyconnect
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
host | | vhost | |
logType | | | |
Severity | | | |
EventID | | | |
Group | | | |
User | | | |
srcIP | | | |
srcIPV6 | | | |
srcPort | | | |
dstIP | | | |
dstPort | | | |
interface | | | |
clientType | | | |
ipv4Address | | | |
ipv6Address | | | |
SessionType | | | |
Duration | | | |
BytesXmt | | | |
BytesRcv | | | |
Reason | | | |
svcMessage | | | |
svcMessageCode | | | |
Type | | | |
error | | | |
message | | | |
hostchain | | | ✓ |
tag | | | ✓ |
rawMessage | | rawSource | |
vpn.cisco.ftd.anyconnect
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
host | | vhost | |
logType | | | |
Severity | | | |
EventID | | | |
Group | | | |
User | | | |
srcIP | | | |
srcIPV6 | | | |
srcPort | | | |
dstIP | | | |
dstPort | | | |
interface | | | |
clientType | | | |
ipv4Address | | | |
ipv6Address | | | |
SessionType | | | |
Duration | | | |
BytesXmt | | | |
BytesRcv | | | |
Reason | | | |
svcMessage | | | |
svcMessageCode | | | |
Type | | | |
error | | | |
message | | | |
hostchain | | | ✓ |
tag | | | ✓ |
rawMessage | | rawSource | |