auth.cisco
Check the reference vendor documentation here.
Introduction
The tags beginning with auth.cisco identify events generated by Cisco products.
Tag structure
The full tag must have 3 levels. The first two are fixed as auth.cisco. The third level identifies the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Cisco Identity Services Engine | | |
For more information, read more About Devo tags.
How is the data sent to Devo?
Logs generated by Cisco must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below:
Relay rule - Cisco ISE
Define the following rule in your relay to send logs generated by Cisco Identity Services Engine (ISE):
Source port - 13011
Target tag - auth.cisco.ise
Sent without syslog tag - ✓
Table structure
These are the fields displayed in these tables:
auth.cisco.acs
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
machine | | | vmachine | |
facility | | | embFacility | |
level | | | vlevel | |
reportName | | | | |
msgId | | | | |
totalSeg | | | | |
seg | | | | |
msgType | | | | |
serverdate | | parsedate(serverdate_str, dateformat("YYYY-MM-DD HH:mm:ss.SSS ZZ")) | serverdate_str | |
seqnum | | | | |
msgcode | | | | |
msgseverity | | | | |
msgclass | | | | |
message | | | | |
step | | | | |
acsVersion | | | | |
configVersionId | | | | |
deviceIpAddress | | | | |
cmdSet | | | | |
destinationIPAddress | | | | |
destinationPort | | | | |
protocol | | | | |
requestLatency | | | | |
user | | | | |
nasIp | | | | |
callerId | | | | |
nasPort | | | | |
serviceType | | | | |
serviceArgument | | | | |
privilegeLevel | | | | |
framedMTU | | | | |
state | | | | |
calledStationID | | | | |
callingStationID | | | | |
nasIdentifier | | | | |
nasPortType | | | | |
ciscoAvPair | | | | |
acsSessionID | | | | |
authenticationIdentityStore | | | | |
authenticationMethod | | | | |
authenticationResult | | | | |
selectedAccessService | | | | |
selectedAuthorizationProfiles | | | | |
identityGroup | | | | |
groupName | | | | |
filterInfo | | | | |
remoteAddress | | | | |
acctRequestFlags | | | | |
responseType | | | | |
responseStatus | | | | |
failureReason | | | | |
externalIdentityStoreName | | | | |
selectedAuthenticationIdentityStores | | | | |
networkDeviceName | | | | |
networkDeviceGroupsDeviceType | | | | |
networkDeviceGroupsLocation | | | | |
networkDeviceGroupsMigratedNDGs | | | | |
networkDeviceGroupsFunction | | | | |
serviceRule | | | | |
identityRule | | | | |
authRule | | | | |
authType | | | | |
action | | | | |
service | | | | |
majorVersion | | | | |
minorVersion | | | | |
sessionID | | | | |
parseError | | | | |
thresholdAlarmName | | | | |
systemAlarmName | | | | |
alarmSeverity | | | | |
alarmCause | | | | |
alarmDetail | | | | |
framedIPAddress | | | | |
ciscoAvPair_auditSessionId | | | | |
ciscoAvPair_sourceIp | | | | |
ciscoAvPair_deviceUidGlobal | | | | |
ciscoAvPair_deviceUid | | | | |
ciscoAvPair_coaPush | | | | |
ciscoAvPair_devicePlatform | | | | |
ciscoAvPair_deviceMac | | | | |
ciscoAvPair_devicePlatformVersion | | | | |
ciscoAvPair_devicePublicMac | | | | |
ciscoAvPair_acUserAgent | | | | |
ciscoAvPair_deviceType | | | | |
avPair | | | | |
avPair_taskId | | | | |
avPair_proccess | | | | |
avPair_privLvl | | | | |
radiusPacketType | | | | |
selectedShellProfile | | | | |
tunnelClientEndpoint | | | | |
adDomain | | | | |
adUserCandidateIdentities | | | | |
tunnelGroupName | | | | |
identityAccessRestricted | | | | |
memberOf | | | | |
tunnelType | | | | |
tunnelMediumType | | | | |
tunnelPrivateGroupId | | | | |
auditSessionId | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | rawSource | ✓ |
auth.cisco.ise
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
host | | | vhost | |
level | | | vlevel | |
category | | category1 + category2 | category1 category2 | |
logLevel | | | | |
msgId | | | | |
totalSeg | | | | |
seg | | | | |
timestamp | | timestamp(sourceDate) | sourceDate | |
messageCode | | | | |
severity | | | | |
typeCode | | | | |
typeName | | | | |
ConfigVersionId | | | | |
DeviceIp | | | | |
devicePort | | | | |
RequestLatency | | | | |
NetworkDeviceName | | | | |
AdminInterface | | | | |
AdminIPAddress | | | | |
AdminSession | | | | |
AdminName | | | | |
ConfigChangeData | | | | |
ObjectType | | | | |
ObjectName | | | | |
UserAdminFlag | | | | |
AccountName | | | | |
UserName | | | | |
NASIPAddress | | | | |
NASPort | | | | |
FramedIPAddress | | | | |
deviceIP | | | | |
AuditPasswordType | | | | |
IdentityStoreName | | | | |
ChangePasswordMethod | | | | |
OperatorName | | | | |
Component | | | | |
ObjectInternalID | | | | |
FailureFlag | | | | |
RequestResponseType | | | | |
MisconfiguredClientFixReason | | | | |
CalledStationID | | | | |
CallingStationID | | | | |
NASIdentifier | | | | |
AcctStatusType | | | | |
AcctDelayTime | | | | |
AcctInputOctets | | | | |
AcctOutputOctets | | | | |
AcctSessionId | | | | |
AcctAuthentic | | | | |
AcsInstance | | | | |
AcctSessionTime | | | | |
AcctInputPackets | | | | |
AcctOutputPackets | | | | |
TunnelType | | | | |
TunnelMediumType | | | | |
TunnelPrivateGroupID | | | | |
ciscoAvPair | | | | |
AirespaceWlanId | | | | |
FailureReason | | | | |
TotalFailedAttempts | | | | |
TotalFailedTime | | | | |
DTLSSupport | | | | |
AcsSessionID | | | | |
SelectedAccessService | | | | |
NetworkDeviceGroups | | NetworkDeviceGroupsArray | | |
NetworkDeviceGroupsValues | | NetworkDeviceGroupsArray | | |
CPMSessionID | | | | |
AllowedProtocolMatchedRule | | | | |
BusinessFunction | | | | |
EnforcementType | | | | |
ModelName | | | | |
NetworkDeviceProfile | | | | |
Location | | | | |
DeviceType | | | | |
step | | steps | | |
stepValues | | steps | | |
stepData | | stepDatas | | |
stepDataValues | | stepDatas | | |
IsMachineIdentity | | | | |
merkaiSwitchesYards | | | | |
iseSwitchTest | | | | |
remoteAddress | | | | |
IPSEC | | | | |
OperationMessageText | | | | |
DstIp | | | | |
DstPort | | | | |
User | | | | |
user | | | | |
Protocol | | | | |
NASPortType | | | | |
NASPortId | | | | |
ServiceType | | | | |
FramedMTU | | | | |
State | | | | |
NetworkDeviceProfileName | | | | |
NetworkDeviceProfileId | | | | |
IsThirdPartyDeviceFlow | | | | |
RadiusFlowType | | | | |
SSID | | | | |
AuthenticationIdentityStore | | | | |
AuthenticationMethod | | | | |
IdentityGroup | | | | |
SelectedAuthenticationIdentityStores | | | | |
AuthorizationPolicyMatchedRule | | | | |
EapAuthentication | | | | |
SerialNumber | | | | |
SubjectCommonName | | | | |
EndPointMACAddress | | | | |
PostureAssessmentStatus | | | | |
EndPointMatchedProfile | | | | |
ISEPolicySetName | | | | |
IdentitySelectionMatchedRule | | | | |
ADErrorDetails | | | | |
ADUserResolvedIdentities | | | | |
ADUserCandidateIdentities | | | | |
ADUserJoinPoint | | | | |
ADUserResolvedDNs | | | | |
ADUserDNSDomain | | | | |
ADUserNetBiosName | | | | |
allowEasyWiredSession | | | | |
TLSCipher | | | | |
TLSVersion | | | | |
Subject | | | | |
SubjectAlternativeName | | | | |
Issuer | | | | |
IssuerCommonName | | | | |
IssuerDomainComponent | | | | |
keyUsage | | | | |
AKI | | | | |
HostIdentityGroup | | | | |
Response | | | | |
ADLogId | | | | |
ADAccountName | | | | |
ADDomain | | | | |
ADSrvQuery | | | | |
ADSrvRecord | | | | |
ADDomainController | | | | |
ADIPAddress | | | | |
ADSite | | | | |
ADForest | | | | |
ADTrustedDomain | | | | |
ADHostname | | | | |
CurrentIDStoreName | | | | |
ExternalGroups | | | | |
Class | | | | |
EventTimestamp | | | | |
SysStatsUtilizationCpu | | | | |
SysStatsUtilizationNetwork | | | | |
SysStatsUtilizationMemory | | | | |
SysStatsUtilizationDiskIO | | | | |
SysStatsUtilizationDiskSpace | | | | |
AverageRadiusRequestLatency | | | | |
AverageTacacsRequestLatency | | | | |
DeltaRadiusRequestCount | | | | |
DeltaTacacsRequestCount | | | | |
SysStatsUtilizationLoadAvg | | | | |
SysStatsCpuCount | | | | |
SysStatsProcessMemoryMB | | | | |
ActiveSessionCount | | | | |
SysStatsAcsProcessHealth | | | | |
OperationCounters | | | | |
OCSPPrimaryNotResponsiveCount | | | | |
OCSPSecondaryNotResponsiveCount | | | | |
OCSPPrimaryCertsGoodCount | | | | |
OCSPSecondaryCertsGoodCount | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | rawSource | |