auth.cisco
Introduction
The tags beginning with auth.cisco identify events generated by Cisco products.
Tag structure
The full tag must have 3 levels. The first two are fixed as auth.cisco. The third level identifies the type of events sent.
Technology | Brand | Type |
---|---|---|
auth | cisco | ise |
Therefore, the valid tags and tables include:
- auth.cisco.ise
How is the data sent to Devo?
Logs generated by Cisco products must be sent to the Devo platform through the Devo Relay, which secures the communication. See the required relay rules below:
Relay rule 1 - Cisco ISE
Define the following rule in your relay to send logs generated by Cisco Identity Services Engine (ISE):
- Source port → 13011
- Target tag → auth.cisco.ise
- Select the Sent without syslog tag checkbox
Log samples
The following are sample logs sent to each of the auth.cisco tags. Under each sample log, you can see how the information is parsed in your data table.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
auth.cisco.ise
2021-03-10 11:00:06.314 jkm-cisco-ise=10.99.1.135/aujkmdmdvoapp01.ad-jkm.com=38.110.60.195 local6.notice auth.cisco.ise: CISE_Failed_Attempts 0001184091 3 1 Step=24318, Step=24322, Step=24352, Step=24412, Step=22016, Step=22056, Step=22058, Step=22061, Step=13015, SelectedAuthenticationIdentityStores=ad-jmk.com, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, NetworkDeviceGroups=ISE-Switch-TEst#ISE-Switch-TEst, NetworkDeviceGroups=Merkai-Switches YARDS#Merkai-Switches YARDS, NetworkDeviceGroups=United States#United States, CPMSessionID=3531350500172.29.58.1112410Authentication3531350500, ISEPolicySetName=Default, IdentitySelectionMatchedRule=Default, StepData=4=ad-jmk.com, StepData=9=ad-jmk.com, StepData=10=ad-jmk.com, StepData=11=root, StepData=12=ad-jmk.com, StepData=13=ad-jmk.com, StepData=15=ERROR_NO_SUCH_USER, StepData=16=ad-jmk.com, StepData=17=ad-jmk.com, StepData=18=ad-jmk.com, StepData=19=root, StepData=20=ad-jmk.com, StepData=21=ad-jmk.com, StepData=23=ERROR_NO_SUCH_USER,

2021-03-10 11:00:06.314 jkm-cisco-ise=10.99.1.135/aujkmdmdvoapp01.ad-jkm.com=38.110.60.195 local6.notice auth.cisco.ise: CISE_TACACS_Accounting 0001210542 2 0 2021-03-11 05:53:29.423 -05:00 0022067728 3302 NOTICE Tacacs-Accounting: TACACS+ Accounting STOP, ConfigVersionId=159, Device IP Address=10.99.20.56, RequestLatency=1, NetworkDeviceName=SW2-Suwanee-NEXUS, Type=Accounting, Privilege-Level=0, Service=None, User=cisco._service, Port=0, Remote-Address=10.99.1.162, Authen-Method=TacacsPlus, AVPair=task_id=10.99.1.162@pts/17, AVPair=start_time=1615460294, AVPair=timezone=UTC, AVPair=stop_time=1615460294, AcctRequest-Flags=Stop, Service-Argument=none, AcsSessionID=jmk-Cisco-ISE/401755681/1215858, SelectedAccessService=Default Device Admin, Step=13006, Step=15049, Step=15008, Step=22084, Step=13035, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, NetworkDeviceGroups=ISE-Switch-TEst#ISE-Switch-TEst, NetworkDeviceGroups=Merkai-Switches YARDS#Merkai-Switches YARDS,

2021-03-10 11:00:06.314 jkm-cisco-ise=10.99.1.135/aujkmdmdvoapp01.ad-jkm.com=38.110.60.195 local6.notice auth.cisco.ise: CISE_Passed_Authentications 0001116339 4 3 ExternalGroups=S-1-5-21-2491358695-1016440237-2260140534-5905, IdentityAccessRestricted=false, Response={Author-Reply-Status=PassRepl; AVPair=priv-lvl=15; },
And this is how the logs would be parsed:
Field | Value | Type | Source field name | Field transformation | Extra fields |
---|---|---|---|---|---|
eventdate | 2021-03-10 11:00:06.314 | | | | |
host | jkm-cisco-ise | | | | |
level | notice | | | | |
category | CISE_Failed_Attempts | | category1 + category2 | | |
logLevel | null | | | | |
msgId | 0001184091 | | | | |
totalSeg | 3 | | | | |
seg | 1 | | | | |
timestamp | null | | | | |
messageCode | null | | | | |
severity | null | | | | |
typeCode | null | | | | |
typeName | null | | | | |
ConfigVersionId | null | | | | |
DeviceIp | null | | Device IP Address | | |
devicePort | null | | Device Port | | |
RequestLatency | null | | | | |
NetworkDeviceName | null | | | | |
AdminInterface | null | | | | |
AdminIPAddress | null | | | | |
AdminSession | null | | | | |
AdminName | null | | | | |
ConfigChangeData | null | | | | |
ObjectType | null | | | | |
ObjectName | null | | | | |
UserAdminFlag | null | | | | |
AccountName | null | | | | |
UserName | null | | User-Name | | |
NASIPAddress | null | | NAS-IP-Address | | |
NASPort | null | | NAS-Port | | |
FramedIPAddress | null | | Framed-IP-Address | | |
deviceIP | null | | deviceIP | | |
AuditPasswordType | null | | | | |
IdentityStoreName | null | | | | |
ChangePasswordMethod | null | | | | |
OperatorName | null | | | | |
Component | null | | | | |
ObjectInternalID | null | | | | |
FailureFlag | null | | | | |
RequestResponseType | null | | | | |
MisconfiguredClientFixReason | null | | | | |
CalledStationID | null | | Called-Station-ID | | |
CallingStationID | null | | Calling-Station-ID | | |
NASIdentifier | null | | NAS-Identifier | | |
AcctStatusType | null | | Acct-Status-Type | | |
AcctDelayTime | null | | Acct-Delay-Time | | |
AcctInputOctets | null | | Acct-Input-Octets | | |
AcctOutputOctets | null | | Acct-Output-Octets | | |
AcctSessionId | null | | Acct-Session-Id | | |
AcctAuthentic | null | | Acct-Authentic | | |
AcsInstance | null | | | | |
AcctSessionTime | null | | Acct-Session-Time | | |
AcctInputPackets | null | | Acct-Input-Packets | | |
AcctOutputPackets | null | | Acct-Output-Packets | | |
TunnelType | null | | Tunnel-Type | | |
TunnelMediumType | null | | Tunnel-Medium-Type | | |
TunnelPrivateGroupID | null | | Tunnel-Private-Group-ID | | |
ciscoAvPair | null | | cisco-av-pair | | |
AirespaceWlanId | null | | Airespace-Wlan-Id | | |
FailureReason | null | | | | |
TotalFailedAttempts | null | | | | |
TotalFailedTime | null | | | | |
DTLSSupport | null | | | | |
AcsSessionID | null | | | | |
SelectedAccessService | null | | | | |
NetworkDeviceGroups | IPSEC#Is IPSEC Device#No | | The first occurrence of NetworkDeviceGroups | | |
NetworkDeviceGroupsValues | | | All the occurrences of NetworkDeviceGroups separated by "," | | |
CPMSessionID | 3531350500172.29.58.1112410Authentication3531350500 | | | | |
AllowedProtocolMatchedRule | null | | | | |
BusinessFunction | null | | Business Function | | |
EnforcementType | null | | Enforcement Type | | |
ModelName | null | | Model Name | | |
NetworkDeviceProfile | null | | Network Device Profile | | |
Location | null | | | | |
DeviceType | null | | Device Type | | |
step | | | The first occurrence of Step | Step | |
stepValues | 24318, 24322, 24352, 24412, 22016, 22056, 22058, 22061, 13015 | | All the occurrences of step separated by "," | | |
stepData | 4=ad-jkm.com | | The first occurrence of StepData | StepData | |
stepDataValues | | | All the occurrences of StepData separated by "," | | |
IsMachineIdentity | null | | | | |
merkaiSwitchesYards | null | | Merkai-Switches YARDS | | |
iseSwitchTest | null | | ISE-Switch-TEst | | |
remoteAddress | null | | Remote-Address | | |
IPSEC | null | | | | |
OperationMessageText | null | | | | |
DstIp | null | | DestinationIPAddress | | |
DstPort | null | | DestinationPort | | |
User | null | | UserName | | |
user | null | | User | | |
Protocol | null | | | | |
NASPortType | null | | NAS-Port-Type | | |
NASPortId | null | | NAS-Port-Id | | |
ServiceType | null | | Service-Type | | |
FramedMTU | null | | Framed-MTU | | |
State | null | | | | |
NetworkDeviceProfileName | null | | | | |
NetworkDeviceProfileId | null | | | | |
IsThirdPartyDeviceFlow | null | | | | |
RadiusFlowType | null | | | | |
SSID | null | | | | |
AuthenticationIdentityStore | null | | | | |
AuthenticationMethod | null | | | | |
IdentityGroup | null | | | | |
SelectedAuthenticationIdentityStores | ad-jkm.com | | | | |
AuthorizationPolicyMatchedRule | null | | | | |
EapAuthentication | null | | | | |
SerialNumber | null | | Serial Number | | |
SubjectCommonName | null | | Subject - Common Name | | |
EndPointMACAddress | null | | | | |
PostureAssessmentStatus | null | | | | |
EndPointMatchedProfile | null | | | | |
ISEPolicySetName | Default | | | | |
IdentitySelectionMatchedRule | Default | | | | |
ADErrorDetails | null | | AD-Error-Details | | |
ADUserResolvedIdentities | null | | AD-User-Resolved-Identities | | |
ADUserCandidateIdentities | null | | AD-User-Candidate-Identities | | |
ADUserJoinPoint | null | | AD-User-Join-Point | | |
ADUserResolvedDNs | null | | AD-User-Resolved-DNs | | |
ADUserDNSDomain | null | | AD-User-DNS-Domain | | |
ADUserNetBiosName | null | | | | |
allowEasyWiredSession | null | | | | |
TLSCipher | null | | | | |
TLSVersion | null | | | | |
Subject | null | | | | |
SubjectAlternativeName | null | | Subject Alternative Name - Other Name | | |
Issuer | null | | | | |
IssuerCommonName | null | | Issuer - Common Name | | |
IssuerDomainComponent | null | | Issuer - Domain Component | | |
keyUsage | null | | Key Usage | | |
AKI | null | | | | |
HostIdentityGroup | null | | | | |
Response | null | | | | |
ADLogId | null | | AD-Log-Id | | |
ADAccountName | null | | AD-Account-Name | | |
ADDomain | null | | AD-Domain | | |
ADSrvQuery | null | | AD-Srv-Query | | |
ADSrvRecord | null | | AD-Srv-Record | | |
ADDomainController | null | | AD-Domain-Controller | | |
ADIPAddress | null | | AD-IP-Address | | |
ADSite | null | | AD-Site | | |
ADForest | null | | AD-Forest | | |
ADTrustedDomain | null | | AD-Trusted-Domain | | |
ADHostname | null | | AD-Hostname | | |
CurrentIDStoreName | null | | | | |
ExternalGroups | null | | | | |
Class | null | | | | |
EventTimestamp | null | | Event-Timestamp | | |
SysStatsUtilizationCpu | null | | | | |
SysStatsUtilizationNetwork | null | | | | |
SysStatsUtilizationMemory | null | | | | |
SysStatsUtilizationDiskIO | null | | | | |
SysStatsUtilizationDiskSpace | null | | | | |
AverageRadiusRequestLatency | null | | | | |
AverageTacacsRequestLatency | null | | | | |
DeltaRadiusRequestCount | null | | | | |
DeltaTacacsRequestCount | null | | | | |
SysStatsUtilizationLoadAvg | null | | | | |
SysStatsCpuCount | null | | | | |
SysStatsProcessMemoryMB | null | | | | |
ActiveSessionCount | null | | | | |
SysStatsAcsProcessHealth | null | | | | |
OperationCounters | null | | | | |
OCSPPrimaryNotResponsiveCount | null | | | | |
OCSPSecondaryNotResponsiveCount | null | | | | |
OCSPPrimaryCertsGoodCount | null | | | | |
OCSPSecondaryCertsGoodCount | null | | | | |
rawMessage | | | | | |
raw | 2021-03-10 11:00:06.314 jkm-cisco-ise=10.99.1.135/aujkmdmdvoapp01.ad-jkm.com=38.110.60.195 local6.notice auth.cisco.ise: CISE_Failed_Attempts 0001184091 3 1 Step=24318, Step=24322, Step=24352, Step=24412, Step=22016, Step=22056, Step=22058, Step=22061, Step=13015, SelectedAuthenticationIdentityStores=ad-jkm.com, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, NetworkDeviceGroups=ISE-Switch-TEst#ISE-Switch-TEst, NetworkDeviceGroups=Merkai-Switches YARDS#Merkai-Switches YARDS, NetworkDeviceGroups=United States#United States, CPMSessionID=3531350500172.29.58.1112410Authentication3531350500, ISEPolicySetName=Default, IdentitySelectionMatchedRule=Default, StepData=4=ad-jkm.com, StepData=9=ad-jkm.com, StepData=10=ad-jkm.com, StepData=11=root, StepData=12=ad-jkm.com, StepData=13=ad-jkm.com, StepData=15=ERROR_NO_SUCH_USER, StepData=16=ad-jkm.com, StepData=17=ad-jkm.com, StepData=18=ad-jkm.com, StepData=19=root, StepData=20=ad-jkm.com, StepData=21=ad-jkm.com, StepData=23=ERROR_NO_SUCH_USER, | ||||
category1 | CISE_ | str | | | ✓ |
category2 | Failed_Attempts | str | | | ✓ |
sourceDate | str | 2018-03-22 23:35:40.117 -07:00 (fixed) | ✓ | ||
NetworkDeviceGroupsArray | [IPSEC#Is IPSEC Device#No, Location#All Locations, Device Type#All Device Types, ISE-Switch-TEst#ISE-Switch-TEst, Merkai-Switches YARDS#Merkai-Switches YARDS, United States#United States] | Array | Array with all occurrences of NetworkDeviceGroups | | ✓ |
steps | [24318, 24322, 24352, 24412, 22016, 22056, 22058, 22061, 13015] | Array | Array with all occurrences of Step | | ✓ |
stepDatas | [4=ad-jkm.com, 9=ad-jkm.com, 10=ad-jkm.com, 11=root, 12=ad-jkm.com, 13=ad-jkm.com, 15=ERROR_NO_SUCH_USER, 16=ad-jkm.com, 17=ad-jkm.com, 18=ad-jkm.com, 19=root, 20=ad-jkm.com, 21=ad-jkm.com, 23=ERROR_NO_SUCH_USER] | Array | Array with all occurrences of StepData | | ✓ |
hostchain | jkm-cisco-ise=10.99.1.135/aujkmdmdvoapp01.ad-jkm.com=38.110.60.195 | str | | | ✓ |
tag | auth.cisco.ise | str | | | ✓ |
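
The field mapping above, sketched as an added Python example (not Devo's parser and not code from this page): it parses a shortened, constructed copy of the CISE_Failed_Attempts sample, collects the repeated Step, StepData and NetworkDeviceGroups keys into arrays, and flags failed attempts for an unknown user. The function names, the regular expression, the host derivation and the split on ", " are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample: the page's CISE_Failed_Attempts log, shortened.
SAMPLE = (
    "2021-03-10 11:00:06.314 "
    "jkm-cisco-ise=10.99.1.135/aujkmdmdvoapp01.ad-jkm.com=38.110.60.195 "
    "local6.notice auth.cisco.ise: CISE_Failed_Attempts 0001184091 3 1 "
    "Step=24318, Step=24322, Step=13015, "
    "SelectedAuthenticationIdentityStores=ad-jkm.com, "
    "NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, "
    "NetworkDeviceGroups=Location#All Locations, "
    "ISEPolicySetName=Default, "
    "StepData=4=ad-jkm.com, StepData=11=root, StepData=15=ERROR_NO_SUCH_USER,"
)

# Relay header, then category, msgId, totalSeg, seg and the attribute list.
HEADER = re.compile(
    r"^(?P<eventdate>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) "
    r"(?P<hostchain>\S+) \w+\.(?P<level>\w+) (?P<tag>[\w.]+): "
    r"(?P<category>CISE_\w+) (?P<msgId>\d+) (?P<totalSeg>\d+) (?P<seg>\d+) ?"
    r"(?P<body>.*)$"
)

def parse_ise(line):
    """Parse one attribute-only segment into a dict of table fields."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError("not an auth.cisco.ise relay line")
    event = m.groupdict()
    body = event.pop("body")
    event["host"] = event["hostchain"].split("=", 1)[0]  # assumption: first hop name
    multi = defaultdict(list)
    for pair in body.split(", "):  # assumes values never contain ", "
        key, sep, value = pair.strip().rstrip(",").partition("=")
        if sep:  # split on the first "=" only: StepData values contain "="
            multi[key].append(value)
    # Repeated keys become arrays, as in the Extra columns of the table.
    event["steps"] = multi.pop("Step", [])
    event["stepDatas"] = multi.pop("StepData", [])
    event["NetworkDeviceGroupsArray"] = multi.pop("NetworkDeviceGroups", [])
    for key, values in multi.items():
        event[key] = values[0]
    return event

def unknown_user(event):
    """True when a failed attempt carries ERROR_NO_SUCH_USER in StepData."""
    return (event["category"] == "CISE_Failed_Attempts"
            and any(d.endswith("=ERROR_NO_SUCH_USER") for d in event["stepDatas"]))
```

Segment 0 of a multi-segment message, like the CISE_TACACS_Accounting sample, also carries a timestamp, message code and free text before the attributes; this sketch skips free text that has no "=" and does not reassemble segments.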