auth.cisco

Introduction

The tags beginning with auth.cisco identify events generated by Cisco products.

Tag structure

The full tag must have 3 levels. The first two are fixed as auth.cisco. The third level identifies the type of events sent.

Technology	Brand	Type
auth	cisco	ise

Therefore, the valid tags and tables include:

auth.cisco.ise

How is the data sent to Devo?

Logs generated by Cisco must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below:

Relay rule 1 - Cisco ISE

Define the following rule in your relay to send logs generated by Cisco Identity Services Engine (ISE):

Source port → 13011
Target tag → auth.cisco.ise
Select the Sent without syslog tag checkbox

Log samples

The following are sample logs sent to each of the auth.cisco tags. Also, find how the information will be parsed in your data table under each sample log.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

auth.cisco.ise

2021-03-10 11:00:06.314 jkm-cisco-ise=10.99.1.135/aujkmdmdvoapp01.ad-jkm.com=38.110.60.195 local6.notice auth.cisco.ise: CISE_Failed_Attempts 0001184091 3 1  Step=24318, Step=24322, Step=24352, Step=24412, Step=22016, Step=22056, Step=22058, Step=22061, Step=13015, SelectedAuthenticationIdentityStores=ad-jmk.com, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, NetworkDeviceGroups=ISE-Switch-TEst#ISE-Switch-TEst, NetworkDeviceGroups=Merkai-Switches YARDS#Merkai-Switches YARDS, NetworkDeviceGroups=United States#United States, CPMSessionID=3531350500172.29.58.1112410Authentication3531350500, ISEPolicySetName=Default, IdentitySelectionMatchedRule=Default, StepData=4=ad-jmk.com, StepData=9=ad-jmk.com, StepData=10=ad-jmk.com, StepData=11=root, StepData=12=ad-jmk.com, StepData=13=ad-jmk.com, StepData=15=ERROR_NO_SUCH_USER, StepData=16=ad-jmk.com, StepData=17=ad-jmk.com, StepData=18=ad-jmk.com, StepData=19=root, StepData=20=ad-jmk.com, StepData=21=ad-jmk.com, StepData=23=ERROR_NO_SUCH_USER,  
 
2021-03-10 11:00:06.314 jkm-cisco-ise=10.99.1.135/aujkmdmdvoapp01.ad-jkm.com=38.110.60.195 local6.notice auth.cisco.ise: CISE_TACACS_Accounting 0001210542 2 0 2021-03-11 05:53:29.423 -05:00 0022067728 3302 NOTICE Tacacs-Accounting: TACACS+ Accounting STOP, ConfigVersionId=159, Device IP Address=10.99.20.56, RequestLatency=1, NetworkDeviceName=SW2-Suwanee-NEXUS, Type=Accounting, Privilege-Level=0, Service=None, User=cisco._service, Port=0, Remote-Address=10.99.1.162, Authen-Method=TacacsPlus, AVPair=task_id=10.99.1.162@pts/17, AVPair=start_time=1615460294, AVPair=timezone=UTC, AVPair=stop_time=1615460294, AcctRequest-Flags=Stop, Service-Argument=none, AcsSessionID=jmk-Cisco-ISE/401755681/1215858, SelectedAccessService=Default Device Admin, Step=13006, Step=15049, Step=15008, Step=22084, Step=13035, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, NetworkDeviceGroups=ISE-Switch-TEst#ISE-Switch-TEst, NetworkDeviceGroups=Merkai-Switches YARDS#Merkai-Switches YARDS, 
 
2021-03-10 11:00:06.314 jkm-cisco-ise=10.99.1.135/aujkmdmdvoapp01.ad-jkm.com=38.110.60.195 local6.notice auth.cisco.ise: CISE_Passed_Authentications 0001116339 4 3  ExternalGroups=S-1-5-21-2491358695-1016440237-2260140534-5905, IdentityAccessRestricted=false, Response={Author-Reply-Status=PassRepl; AVPair=priv-lvl=15; },

And this is how the logs would be parsed:

Field	Value	Type	Source field name	Field transformation	Extra fields
eventdate	`2021-03-10 11:00:06.314`	`timestamp`
host	`jkm-cisco-ise`	`str`
level	`notice`	`str`
category	`CISE_Failed_Attempts`	`str`		category1 + category2
logLevel	`null`	`str`
msgId	`0001184091`	`str`
totalSeg	`3`	`int`
seg	`1`	`int`
timestamp	`null`	`timestamp`
messageCode	`null`	`int`
severity	`null`	`str`
typeCode	`null`	`str`
typeName	`null`	`str`
ConfigVersionId	`null`	`str`
DeviceIp	`null`	`ip`	Device IP Address
devicePort	`null`	`int`	Device Port
RequestLatency	`null`	`int`
NetworkDeviceName	`null`	`str`
AdminInterface	`null`	`str`
AdminIPAddress	`null`	`ip`
AdminSession	`null`	`str`
AdminName	`null`	`str`
ConfigChangeData	`null`	`str`
ObjectType	`null`	`str`
ObjectName	`null`	`str`
UserAdminFlag	`null`	`str`
AccountName	`null`	`str`
UserName	`null`	`str`	User-Name
NASIPAddress	`null`	`ip`	NAS-IP-Address
NASPort	`null`	`int`	NAS-Port
FramedIPAddress	`null`	`ip`	Framed-IP-Address
deviceIP	`null`	`ip`	deviceIP
AuditPasswordType	`null`	`str`
IdentityStoreName	`null`	`str`
ChangePasswordMethod	`null`	`str`
OperatorName	`null`	`str`
Component	`null`	`str`
ObjectInternalID	`null`	`str`
FailureFlag	`null`	`str`
RequestResponseType	`null`	`str`
MisconfiguredClientFixReason	`null`	`str`
CalledStationID	`null`	`str`	Called-Station-ID
CallingStationID	`null`	`str`	Calling-Station-ID
NASIdentifier	`null`	`str`	NAS-Identifier
AcctStatusType	`null`	`str`	Acct-Status-Type
AcctDelayTime	`null`	`int`	Acct-Delay-Time
AcctInputOctets	`null`	`int`	Acct-Input-Octets
AcctOutputOctets	`null`	`int`	Acct-Output-Octets
AcctSessionId	`null`	`str`	Acct-Session-Id
AcctAuthentic	`null`	`str`	Acct-Authentic
AcsInstance	`null`	`str`
AcctSessionTime	`null`	`int`	Acct-Session-Time
AcctInputPackets	`null`	`int`	Acct-Input-Packets
AcctOutputPackets	`null`	`int`	Acct-Output-Packets
TunnelType	`null`	`str`	Tunnel-Type
TunnelMediumType	`null`	`str`	Tunnel-Medium-Type
TunnelPrivateGroupID	`null`	`str`	Tunnel-Private-Group-ID
ciscoAvPair	`null`	`str`	cisco-av-pair
AirespaceWlanId	`null`	`str`	Airespace-Wlan-Id
FailureReason	`null`	`str`
TotalFailedAttempts	`null`	`int`
TotalFailedTime	`null`	`int`
DTLSSupport	`null`	`str`
AcsSessionID	`null`	`str`
SelectedAccessService	`null`	`str`
NetworkDeviceGroups	`IPSEC#Is IPSEC Device#No`	`str`		The first occurrence of NetworkDeviceGroups
NetworkDeviceGroupsValues	`IPSEC#Is IPSEC Device#No, Location#All Locations, Device Type#All Device Types, ISE-Switch-TEst#ISE-Switch-TEst, Merkai-Switches YARDS#Merkai-Switches YARDS, United States#United States`	`str`		All the occurrences of NetworkDeviceGroups separated by ","
CPMSessionID	`3531350500172.29.58.1112410Authentication3531350500`	`str`
AllowedProtocolMatchedRule	`null`	`str`
BusinessFunction	`null`	`str`	Business Function
EnforcementType	`null`	`str`	Enforcement Type
ModelName	`null`	`str`	Model Name
NetworkDeviceProfile	`null`	`str`	Network Device Profile
Location	`null`	`str`
DeviceType	`null`	`str`	Device Type
step	`24318`	`str`		The first occurrence of Step	Step
stepValues	`24318, 24322, 24352, 24412, 22016, 22056, 22058, 22061, 13015`	`str`		All the occurrences of step separated by ","
stepData	`4=ad-jkm.com`	`str`		The first occurrence of StepData	StepData
stepDataValues	`4=ad-jkm.com, 9=ad-jkm.com, 10=ad-jkm.com, 11=root, 12=ad-jkm.com, 13=ad-jkm.com, 15=ERROR_NO_SUCH_USER, 16=ad-jkm.com, 17=ad-jkm.com, 18=ad-jkm.com, 19=root, 20=ad-jkm.com, 21=ad-jkm.com, 23=ERROR_NO_SUCH_USER`	`str`		All the occurrences of StepData separated by ","
IsMachineIdentity	`null`	`str`
merkaiSwitchesYards	`null`	`str`	Merkai-Switches YARDS
iseSwitchTest	`null`	`str`	ISE-Switch-TEst
remoteAddress	`null`	`str`	Remote-Address
IPSEC	`null`	`str`
OperationMessageText	`null`	`str`
DstIp	`null`	`ip`	DestinationIPAddress
DstPort	`null`	`int`	DestinationPort
User	`null`	`str`	UserName
user	`null`	`str`	User
Protocol	`null`	`str`
NASPortType	`null`	`str`	NAS-Port-Type
NASPortId	`null`	`str`	NAS-Port-Id
ServiceType	`null`	`str`	Service-Type
FramedMTU	`null`	`int`	Framed-MTU
State	`null`	`str`
NetworkDeviceProfileName	`null`	`str`
NetworkDeviceProfileId	`null`	`str`
IsThirdPartyDeviceFlow	`null`	`str`
RadiusFlowType	`null`	`str`
SSID	`null`	`str`
AuthenticationIdentityStore	`null`	`str`
AuthenticationMethod	`null`	`str`
IdentityGroup	`null`	`str`
SelectedAuthenticationIdentityStores	`ad-jkm.com`	`str`
AuthorizationPolicyMatchedRule	`null`	`str`
EapAuthentication	`null`	`str`
SerialNumber	`null`	`str`	Serial Number
SubjectCommonName	`null`	`str`	Subject - Common Name
EndPointMACAddress	`null`	`str`
PostureAssessmentStatus	`null`	`str`
EndPointMatchedProfile	`null`	`str`
ISEPolicySetName	`Default`	`str`
IdentitySelectionMatchedRule	`Default`	`str`
ADErrorDetails	`null`	`str`	AD-Error-Details
ADUserResolvedIdentities	`null`	`str`	AD-User-Resolved-Identities
ADUserCandidateIdentities	`null`	`str`	AD-User-Candidate-Identities
ADUserJoinPoint	`null`	`str`	AD-User-Join-Point
ADUserResolvedDNs	`null`	`str`	AD-User-Resolved-DNs
ADUserDNSDomain	`null`	`str`	AD-User-DNS-Domain
ADUserNetBiosName	`null`	`str`
allowEasyWiredSession	`null`	`str`
TLSCipher	`null`	`str`
TLSVersion	`null`	`str`
Subject	`null`	`str`
SubjectAlternativeName	`null`	`str`	Subject Alternative Name - Other Name
Issuer	`null`	`str`
IssuerCommonName	`null`	`str`	Issuer - Common Name
IssuerDomainComponent	`null`	`str`	Issuer - Domain Component
keyUsage	`null`	`str`	Key Usage
AKI	`null`	`str`
HostIdentityGroup	`null`	`str`
Response	`null`	`str`
ADLogId	`null`	`str`	AD-Log-Id
ADAccountName	`null`	`str`	AD-Account-Name
ADDomain	`null`	`str`	AD-Domain
ADSrvQuery	`null`	`str`	AD-Srv-Query
ADSrvRecord	`null`	`str`	AD-Srv-Record
ADDomainController	`null`	`str`	AD-Domain-Controller
ADIPAddress	`null`	`str`	AD-IP-Address
ADSite	`null`	`str`	AD-Site
ADForest	`null`	`str`	AD-Forest
ADTrustedDomain	`null`	`str`	AD-Trusted-Domain
ADHostname	`null`	`str`	AD-Hostname
CurrentIDStoreName	`null`	`str`
ExternalGroups	`null`	`str`
Class	`null`	`str`
EventTimestamp	`null`	`int`	Event-Timestamp
SysStatsUtilizationCpu	`null`	`str`
SysStatsUtilizationNetwork	`null`	`str`
SysStatsUtilizationMemory	`null`	`str`
SysStatsUtilizationDiskIO	`null`	`str`
SysStatsUtilizationDiskSpace	`null`	`str`
AverageRadiusRequestLatency	`null`	`str`
AverageTacacsRequestLatency	`null`	`str`
DeltaRadiusRequestCount	`null`	`str`
DeltaTacacsRequestCount	`null`	`str`
SysStatsUtilizationLoadAvg	`null`	`str`
SysStatsCpuCount	`null`	`str`
SysStatsProcessMemoryMB	`null`	`str`
ActiveSessionCount	`null`	`str`
SysStatsAcsProcessHealth	`null`	`str`
OperationCounters	`null`	`str`
OCSPPrimaryNotResponsiveCount	`null`	`str`
OCSPSecondaryNotResponsiveCount	`null`	`str`
OCSPPrimaryCertsGoodCount	`null`	`str`
OCSPSecondaryCertsGoodCount	`null`	`str`
rawMessage	CISE_Failed_Attempts 0001184091 3 1 Step=24318, Step=24322, Step=24352, Step=24412, Step=22016, Step=22056, Step=22058, Step=22061, Step=13015, SelectedAuthenticationIdentityStores=ad-jkm.com, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, NetworkDeviceGroups=ISE-Switch-TEst#ISE-Switch-TEst, NetworkDeviceGroups=Merkai-Switches YARDS#Merkai-Switches YARDS, NetworkDeviceGroups=United States#United States, CPMSessionID=3531350500172.29.58.1112410Authentication3531350500, ISEPolicySetName=Default, IdentitySelectionMatchedRule=Default, StepData=4=ad-jkm.com, StepData=9=ad-jkm.com, StepData=10=ad-jkm.com, StepData=11=root, StepData=12=ad-jkm.com, StepData=13=ad-jkm.com, StepData=15=ERROR_NO_SUCH_USER, StepData=16=ad-jkm.com, StepData=17=ad-jkm.com, StepData=18=ad-jkm.com, StepData=19=root, StepData=20=ad-jkm.com, StepData=21=ad-jkm.com, StepData=23=ERROR_NO_SUCH_USER,	`str`
raw	2021-03-10 11:00:06.314 jkm-cisco-ise=10.99.1.135/aujkmdmdvoapp01.ad-jkm.com=38.110.60.195 local6.notice auth.cisco.ise: CISE_Failed_Attempts 0001184091 3 1 Step=24318, Step=24322, Step=24352, Step=24412, Step=22016, Step=22056, Step=22058, Step=22061, Step=13015, SelectedAuthenticationIdentityStores=ad-jkm.com, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Location#All Locations, NetworkDeviceGroups=Device Type#All Device Types, NetworkDeviceGroups=ISE-Switch-TEst#ISE-Switch-TEst, NetworkDeviceGroups=Merkai-Switches YARDS#Merkai-Switches YARDS, NetworkDeviceGroups=United States#United States, CPMSessionID=3531350500172.29.58.1112410Authentication3531350500, ISEPolicySetName=Default, IdentitySelectionMatchedRule=Default, StepData=4=ad-jkm.com, StepData=9=ad-jkm.com, StepData=10=ad-jkm.com, StepData=11=root, StepData=12=ad-jkm.com, StepData=13=ad-jkm.com, StepData=15=ERROR_NO_SUCH_USER, StepData=16=ad-jkm.com, StepData=17=ad-jkm.com, StepData=18=ad-jkm.com, StepData=19=root, StepData=20=ad-jkm.com, StepData=21=ad-jkm.com, StepData=23=ERROR_NO_SUCH_USER,
category1	`CISE_`	`str`			✓
category2	`Failed_Attempts`	`str`			✓
sourceDate		`str`		2018-03-22 23:35:40.117 -07:00 (fixed)	✓
NetworkDeviceGroupsArray	`[IPSEC#Is IPSEC Device#No, Location#All Locations, Device Type#All Device Types, ISE-Switch-TEst#ISE-Switch-TEst, Merkai-Switches YARDS#Merkai-Switches YARDS, United States#United States]`	`Array`		Array with all occurrences of NetworkDeviceGroups	✓
steps	`[24318, 24322, 24352, 24412, 22016, 22056, 22058, 22061, 13015]`	`Array`		Array with all occurrences of Step	✓
stepDatas	`[4=ad-jkm.com, 9=ad-jkm.com, 10=ad-jkm.com, 11=root, 12=ad-jkm.com, 13=ad-jkm.com, 15=ERROR_NO_SUCH_USER, 16=ad-jkm.com, 17=ad-jkm.com, 18=ad-jkm.com, 19=root, 20=ad-jkm.com, 21=ad-jkm.com, 23=ERROR_NO_SUCH_USER]`	`Array`		Array with all occurrences of StepData	✓
hostchain	`jkm-cisco-ise=10.99.1.135/aujkmdmdvoapp01.ad-jkm.com=38.110.60.195`	`str`			✓
tag	`auth.cisco.ise`	`str`			✓