
auth.cisco

Check the reference vendor documentation here.

Introduction

The tags beginning with auth.cisco identify events generated by Cisco products.

Tag structure

The full tag must have 3 levels. The first two are fixed as auth.cisco. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
| --- | --- | --- |
| Cisco Identity Services Engine | auth.cisco.acs | auth.cisco.acs |
| | auth.cisco.ise | auth.cisco.ise |

For more information, see About Devo tags.

How is the data sent to Devo?

Logs generated by Cisco must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below:

Relay rule - Cisco ISE

Define the following rule in your relay to send logs generated by Cisco Identity Services Engine (ISE):

  • Source port - 13011

  • Target tag - auth.cisco.ise

  • Sent without syslog tag - ✓

 

Table structure

These are the fields displayed in these tables:

auth.cisco.acs

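| Field | Type | Field transformation | Source field name | Extra fields |
| --- | --- | --- | --- | --- |
| eventdate | timestamp | | | |
| machine | str | | vmachine | |
| facility | str | | embFacility | |
| level | str | | vlevel | |
| reportName | str | | | |
| msgId | str | | | |
| totalSeg | int4 | | | |
| seg | int4 | | | |
| msgType | str | | | |
| serverdate | timestamp | parsedate(serverdate_str, dateformat("YYYY-MM-DD HH:mm:ss.SSS ZZ")) | serverdate_str | |
| seqnum | str | | | |
| msgcode | int4 | | | |
| msgseverity | str | | | |
| msgclass | str | | | |
| message | str | | | |
| step | int4 | | | |
| acsVersion | str | | | |
| configVersionId | str | | | |
| deviceIpAddress | ip4 | | | |
| cmdSet | str | | | |
| destinationIPAddress | ip4 | | | |
| destinationPort | int4 | | | |
| protocol | str | | | |
| requestLatency | int4 | | | |
| user | str | | | |
| nasIp | ip4 | | | |
| callerId | ip4 | | | |
| nasPort | int4 | | | |
| serviceType | str | | | |
| serviceArgument | str | | | |
| privilegeLevel | str | | | |
| framedMTU | str | | | |
| state | str | | | |
| calledStationID | str | | | |
| callingStationID | str | | | |
| nasIdentifier | str | | | |
| nasPortType | str | | | |
| ciscoAvPair | str | | | |
| acsSessionID | str | | | |
| authenticationIdentityStore | str | | | |
| authenticationMethod | str | | | |
| authenticationResult | str | | | |
| selectedAccessService | str | | | |
| selectedAuthorizationProfiles | str | | | |
| identityGroup | str | | | |
| groupName | str | | | |
| filterInfo | str | | | |
| remoteAddress | str | | | |
| acctRequestFlags | str | | | |
| responseType | str | | | |
| responseStatus | str | | | |
| failureReason | str | | | |
| externalIdentityStoreName | str | | | |
| selectedAuthenticationIdentityStores | str | | | |
| networkDeviceName | str | | | |
| networkDeviceGroupsDeviceType | str | | | |
| networkDeviceGroupsLocation | str | | | |
| networkDeviceGroupsMigratedNDGs | str | | | |
| networkDeviceGroupsFunction | str | | | |
| serviceRule | str | | | |
| identityRule | str | | | |
| authRule | str | | | |
| authType | str | | | |
| action | str | | | |
| service | str | | | |
| majorVersion | str | | | |
| minorVersion | str | | | |
| sessionID | str | | | |
| parseError | str | | | |
| thresholdAlarmName | str | | | |
| systemAlarmName | str | | | |
| alarmSeverity | str | | | |
| alarmCause | str | | | |
| alarmDetail | str | | | |
| framedIPAddress | ip4 | | | |
| ciscoAvPair_auditSessionId | str | | | |
| ciscoAvPair_sourceIp | ip4 | | | |
| ciscoAvPair_deviceUidGlobal | str | | | |
| ciscoAvPair_deviceUid | str | | | |
| ciscoAvPair_coaPush | str | | | |
| ciscoAvPair_devicePlatform | str | | | |
| ciscoAvPair_deviceMac | str | | | |
| ciscoAvPair_devicePlatformVersion | str | | | |
| ciscoAvPair_devicePublicMac | str | | | |
| ciscoAvPair_acUserAgent | str | | | |
| ciscoAvPair_deviceType | str | | | |
| avPair | str | | | |
| avPair_taskId | str | | | |
| avPair_proccess | str | | | |
| avPair_privLvl | str | | | |
| radiusPacketType | str | | | |
| selectedShellProfile | str | | | |
| tunnelClientEndpoint | str | | | |
| adDomain | str | | | |
| adUserCandidateIdentities | str | | | |
| tunnelGroupName | str | | | |
| identityAccessRestricted | str | | | |
| memberOf | str | | | |
| tunnelType | str | | | |
| tunnelMediumType | str | | | |
| tunnelPrivateGroupId | str | | | |
| auditSessionId | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | rawSource | ✓ |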

auth.cisco.ise

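| Field | Type | Field transformation | Source field name | Extra fields |
| --- | --- | --- | --- | --- |
| eventdate | timestamp | | | |
| host | str | | vhost | |
| level | str | | vlevel | |
| category | str | category1 + category2 | category1, category2 | |
| logLevel | str | | | |
| msgId | str | | | |
| totalSeg | int4 | | | |
| seg | int4 | | | |
| timestamp | timestamp | timestamp(sourceDate) | sourceDate | |
| messageCode | int4 | | | |
| severity | str | | | |
| typeCode | str | | | |
| typeName | str | | | |
| ConfigVersionId | str | | | |
| DeviceIp | ip4 | | | |
| devicePort | int4 | | | |
| RequestLatency | int4 | | | |
| NetworkDeviceName | str | | | |
| AdminInterface | str | | | |
| AdminIPAddress | ip4 | | | |
| AdminSession | str | | | |
| AdminName | str | | | |
| ConfigChangeData | str | | | |
| ObjectType | str | | | |
| ObjectName | str | | | |
| UserAdminFlag | str | | | |
| AccountName | str | | | |
| UserName | str | | | |
| NASIPAddress | ip4 | | | |
| NASPort | int4 | | | |
| FramedIPAddress | ip4 | | | |
| deviceIP | ip4 | | | |
| AuditPasswordType | str | | | |
| IdentityStoreName | str | | | |
| ChangePasswordMethod | str | | | |
| OperatorName | str | | | |
| Component | str | | | |
| ObjectInternalID | str | | | |
| FailureFlag | str | | | |
| RequestResponseType | str | | | |
| MisconfiguredClientFixReason | str | | | |
| CalledStationID | str | | | |
| CallingStationID | str | | | |
| NASIdentifier | str | | | |
| AcctStatusType | str | | | |
| AcctDelayTime | int8 | | | |
| AcctInputOctets | int8 | | | |
| AcctOutputOctets | int8 | | | |
| AcctSessionId | str | | | |
| AcctAuthentic | str | | | |
| AcsInstance | str | | | |
| AcctSessionTime | int8 | | | |
| AcctInputPackets | int8 | | | |
| AcctOutputPackets | int8 | | | |
| TunnelType | str | | | |
| TunnelMediumType | str | | | |
| TunnelPrivateGroupID | str | | | |
| ciscoAvPair | str | | | |
| AirespaceWlanId | str | | | |
| FailureReason | str | | | |
| TotalFailedAttempts | int4 | | | |
| TotalFailedTime | int4 | | | |
| DTLSSupport | str | | | |
| AcsSessionID | str | | | |
| SelectedAccessService | str | | | |
| NetworkDeviceGroups | str | | NetworkDeviceGroupsArray | |
| NetworkDeviceGroupsValues | str | | NetworkDeviceGroupsArray | |
| CPMSessionID | str | | | |
| AllowedProtocolMatchedRule | str | | | |
| BusinessFunction | str | | | |
| EnforcementType | str | | | |
| ModelName | str | | | |
| NetworkDeviceProfile | str | | | |
| Location | str | | | |
| DeviceType | str | | | |
| step | str | | steps | |
| stepValues | str | | steps | |
| stepData | str | | stepDatas | |
| stepDataValues | str | | stepDatas | |
| IsMachineIdentity | str | | | |
| merkaiSwitchesYards | str | | | |
| iseSwitchTest | str | | | |
| remoteAddress | str | | | |
| IPSEC | str | | | |
| OperationMessageText | str | | | |
| DstIp | ip4 | | | |
| DstPort | int4 | | | |
| User | str | | | |
| user | str | | | |
| Protocol | str | | | |
| NASPortType | str | | | |
| NASPortId | str | | | |
| ServiceType | str | | | |
| FramedMTU | int4 | | | |
| State | str | | | |
| NetworkDeviceProfileName | str | | | |
| NetworkDeviceProfileId | str | | | |
| IsThirdPartyDeviceFlow | str | | | |
| RadiusFlowType | str | | | |
| SSID | str | | | |
| AuthenticationIdentityStore | str | | | |
| AuthenticationMethod | str | | | |
| IdentityGroup | str | | | |
| SelectedAuthenticationIdentityStores | str | | | |
| AuthorizationPolicyMatchedRule | str | | | |
| EapAuthentication | str | | | |
| SerialNumber | str | | | |
| SubjectCommonName | str | | | |
| EndPointMACAddress | str | | | |
| PostureAssessmentStatus | str | | | |
| EndPointMatchedProfile | str | | | |
| ISEPolicySetName | str | | | |
| IdentitySelectionMatchedRule | str | | | |
| ADErrorDetails | str | | | |
| ADUserResolvedIdentities | str | | | |
| ADUserCandidateIdentities | str | | | |
| ADUserJoinPoint | str | | | |
| ADUserResolvedDNs | str | | | |
| ADUserDNSDomain | str | | | |
| ADUserNetBiosName | str | | | |
| allowEasyWiredSession | str | | | |
| TLSCipher | str | | | |
| TLSVersion | str | | | |
| Subject | str | | | |
| SubjectAlternativeName | str | | | |
| Issuer | str | | | |
| IssuerCommonName | str | | | |
| IssuerDomainComponent | str | | | |
| keyUsage | str | | | |
| AKI | str | | | |
| HostIdentityGroup | str | | | |
| Response | str | | | |
| ADLogId | str | | | |
| ADAccountName | str | | | |
| ADDomain | str | | | |
| ADSrvQuery | str | | | |
| ADSrvRecord | str | | | |
| ADDomainController | str | | | |
| ADIPAddress | str | | | |
| ADSite | str | | | |
| ADForest | str | | | |
| ADTrustedDomain | str | | | |
| ADHostname | str | | | |
| CurrentIDStoreName | str | | | |
| ExternalGroups | str | | | |
| Class | str | | | |
| EventTimestamp | int8 | | | |
| SysStatsUtilizationCpu | str | | | |
| SysStatsUtilizationNetwork | str | | | |
| SysStatsUtilizationMemory | str | | | |
| SysStatsUtilizationDiskIO | str | | | |
| SysStatsUtilizationDiskSpace | str | | | |
| AverageRadiusRequestLatency | str | | | |
| AverageTacacsRequestLatency | str | | | |
| DeltaRadiusRequestCount | str | | | |
| DeltaTacacsRequestCount | str | | | |
| SysStatsUtilizationLoadAvg | str | | | |
| SysStatsCpuCount | str | | | |
| SysStatsProcessMemoryMB | str | | | |
| ActiveSessionCount | str | | | |
| SysStatsAcsProcessHealth | str | | | |
| OperationCounters | str | | | |
| OCSPPrimaryNotResponsiveCount | str | | | |
| OCSPSecondaryNotResponsiveCount | str | | | |
| OCSPPrimaryCertsGoodCount | str | | | |
| OCSPSecondaryCertsGoodCount | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | rawSource | |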