auth.cisco

[ 1 Introduction ] [ 2 Tag structure ] [ 3 How is the data sent to Devo? ] [ 4 Table structure ]

Check the reference vendor documentation here.

Introduction

The tags beginning with auth.cisco identify events generated by Cisco products.

Tag structure

The full tag must have 3 levels. The first two are fixed as auth.cisco. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
Cisco Identity Services Engine	`auth.cisco.acs`	`auth.cisco.acs`
Cisco Identity Services Engine	`auth.cisco.ise`	`auth.cisco.ise`

For more information, read more About Devo tags.

How is the data sent to Devo?

Logs generated by Cisco must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below:

Relay rule - Cisco ISE

Define the following rule in your relay to send logs generated by Cisco Identity Services Engine (ISE):

Source port - 13011
Target tag - auth.cisco.ise
Sent without syslog tag - ✓

Table structure

These are the fields displayed in these tables:

auth.cisco.acs
auth.cisco.ise

auth.cisco.acs

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Field transformation	Source field name	Extra fields
eventdate	`timestamp`
machine	`str`		vmachine
facility	`str`		embFacility
level	`str`		vlevel
reportName	`str`
msgId	`str`
totalSeg	`int4`
seg	`int4`
msgType	`str`
serverdate	`timestamp`	`parsedate(serverdate_str, dateformat("YYYY-MM-DD HH:mm:ss.SSS ZZ"))`	serverdate_str
seqnum	`str`
msgcode	`int4`
msgseverity	`str`
msgclass	`str`
message	`str`
step	`int4`
acsVersion	`str`
configVersionId	`str`
deviceIpAddress	`ip4`
cmdSet	`str`
destinationIPAddress	`ip4`
destinationPort	`int4`
protocol	`str`
requestLatency	`int4`
user	`str`
nasIp	`ip4`
callerId	`ip4`
nasPort	`int4`
serviceType	`str`
serviceArgument	`str`
privilegeLevel	`str`
framedMTU	`str`
state	`str`
calledStationID	`str`
callingStationID	`str`
nasIdentifier	`str`
nasPortType	`str`
ciscoAvPair	`str`
acsSessionID	`str`
authenticationIdentityStore	`str`
authenticationMethod	`str`
authenticationResult	`str`
selectedAccessService	`str`
selectedAuthorizationProfiles	`str`
identityGroup	`str`
groupName	`str`
filterInfo	`str`
remoteAddress	`str`
acctRequestFlags	`str`
responseType	`str`
responseStatus	`str`
failureReason	`str`
externalIdentityStoreName	`str`
selectedAuthenticationIdentityStores	`str`
networkDeviceName	`str`
networkDeviceGroupsDeviceType	`str`
networkDeviceGroupsLocation	`str`
networkDeviceGroupsMigratedNDGs	`str`
networkDeviceGroupsFunction	`str`
serviceRule	`str`
identityRule	`str`
authRule	`str`
authType	`str`
action	`str`
service	`str`
majorVersion	`str`
minorVersion	`str`
sessionID	`str`
parseError	`str`
thresholdAlarmName	`str`
systemAlarmName	`str`
alarmSeverity	`str`
alarmCause	`str`
alarmDetail	`str`
framedIPAddress	`ip4`
ciscoAvPair_auditSessionId	`str`
ciscoAvPair_sourceIp	`ip4`
ciscoAvPair_deviceUidGlobal	`str`
ciscoAvPair_deviceUid	`str`
ciscoAvPair_coaPush	`str`
ciscoAvPair_devicePlatform	`str`
ciscoAvPair_deviceMac	`str`
ciscoAvPair_devicePlatformVersion	`str`
ciscoAvPair_devicePublicMac	`str`
ciscoAvPair_acUserAgent	`str`
ciscoAvPair_deviceType	`str`
avPair	`str`
avPair_taskId	`str`
avPair_proccess	`str`
avPair_privLvl	`str`
radiusPacketType	`str`
selectedShellProfile	`str`
tunnelClientEndpoint	`str`
adDomain	`str`
adUserCandidateIdentities	`str`
tunnelGroupName	`str`
identityAccessRestricted	`str`
memberOf	`str`
tunnelType	`str`
tunnelMediumType	`str`
tunnelPrivateGroupId	`str`
auditSessionId	`str`
hostchain	`str`			✓
tag	`str`			✓
rawMessage	`str`		rawSource	✓

auth.cisco.ise

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Field transformation	Source field name	Extra fields
eventdate	`timestamp`
host	`str`		vhost
level	`str`		vlevel
category	`str`	`category1 + category2`	category1 category2
logLevel	`str`
msgId	`str`
totalSeg	`int4`
seg	`int4`
timestamp	`timestamp`	`timestamp(sourceDate)`	sourceDate
messageCode	`int4`
severity	`str`
typeCode	`str`
typeName	`str`
ConfigVersionId	`str`
DeviceIp	`ip4`
devicePort	`int4`
RequestLatency	`int4`
NetworkDeviceName	`str`
AdminInterface	`str`
AdminIPAddress	`ip4`
AdminSession	`str`
AdminName	`str`
ConfigChangeData	`str`
ObjectType	`str`
ObjectName	`str`
UserAdminFlag	`str`
AccountName	`str`
UserName	`str`
NASIPAddress	`ip4`
NASPort	`int4`
FramedIPAddress	`ip4`
deviceIP	`ip4`
AuditPasswordType	`str`
IdentityStoreName	`str`
ChangePasswordMethod	`str`
OperatorName	`str`
Component	`str`
ObjectInternalID	`str`
FailureFlag	`str`
RequestResponseType	`str`
MisconfiguredClientFixReason	`str`
CalledStationID	`str`
CallingStationID	`str`
NASIdentifier	`str`
AcctStatusType	`str`
AcctDelayTime	`int8`
AcctInputOctets	`int8`
AcctOutputOctets	`int8`
AcctSessionId	`str`
AcctAuthentic	`str`
AcsInstance	`str`
AcctSessionTime	`int8`
AcctInputPackets	`int8`
AcctOutputPackets	`int8`
TunnelType	`str`
TunnelMediumType	`str`
TunnelPrivateGroupID	`str`
ciscoAvPair	`str`
AirespaceWlanId	`str`
FailureReason	`str`
TotalFailedAttempts	`int4`
TotalFailedTime	`int4`
DTLSSupport	`str`
AcsSessionID	`str`
SelectedAccessService	`str`
NetworkDeviceGroups	`str`		NetworkDeviceGroupsArray
NetworkDeviceGroupsValues	`str`		NetworkDeviceGroupsArray
CPMSessionID	`str`
AllowedProtocolMatchedRule	`str`
BusinessFunction	`str`
EnforcementType	`str`
ModelName	`str`
NetworkDeviceProfile	`str`
Location	`str`
DeviceType	`str`
step	`str`		steps
stepValues	`str`		steps
stepData	`str`		stepDatas
stepDataValues	`str`		stepDatas
IsMachineIdentity	`str`
merkaiSwitchesYards	`str`
iseSwitchTest	`str`
remoteAddress	`str`
IPSEC	`str`
OperationMessageText	`str`
DstIp	`ip4`
DstPort	`int4`
User	`str`
user	`str`
Protocol	`str`
NASPortType	`str`
NASPortId	`str`
ServiceType	`str`
FramedMTU	`int4`
State	`str`
NetworkDeviceProfileName	`str`
NetworkDeviceProfileId	`str`
IsThirdPartyDeviceFlow	`str`
RadiusFlowType	`str`
SSID	`str`
AuthenticationIdentityStore	`str`
AuthenticationMethod	`str`
IdentityGroup	`str`
SelectedAuthenticationIdentityStores	`str`
AuthorizationPolicyMatchedRule	`str`
EapAuthentication	`str`
SerialNumber	`str`
SubjectCommonName	`str`
EndPointMACAddress	`str`
PostureAssessmentStatus	`str`
EndPointMatchedProfile	`str`
ISEPolicySetName	`str`
IdentitySelectionMatchedRule	`str`
ADErrorDetails	`str`
ADUserResolvedIdentities	`str`
ADUserCandidateIdentities	`str`
ADUserJoinPoint	`str`
ADUserResolvedDNs	`str`
ADUserDNSDomain	`str`
ADUserNetBiosName	`str`
allowEasyWiredSession	`str`
TLSCipher	`str`
TLSVersion	`str`
Subject	`str`
SubjectAlternativeName	`str`
Issuer	`str`
IssuerCommonName	`str`
IssuerDomainComponent	`str`
keyUsage	`str`
AKI	`str`
HostIdentityGroup	`str`
Response	`str`
ADLogId	`str`
ADAccountName	`str`
ADDomain	`str`
ADSrvQuery	`str`
ADSrvRecord	`str`
ADDomainController	`str`
ADIPAddress	`str`
ADSite	`str`
ADForest	`str`
ADTrustedDomain	`str`
ADHostname	`str`
CurrentIDStoreName	`str`
ExternalGroups	`str`
Class	`str`
EventTimestamp	`int8`
SysStatsUtilizationCpu	`str`
SysStatsUtilizationNetwork	`str`
SysStatsUtilizationMemory	`str`
SysStatsUtilizationDiskIO	`str`
SysStatsUtilizationDiskSpace	`str`
AverageRadiusRequestLatency	`str`
AverageTacacsRequestLatency	`str`
DeltaRadiusRequestCount	`str`
DeltaTacacsRequestCount	`str`
SysStatsUtilizationLoadAvg	`str`
SysStatsCpuCount	`str`
SysStatsProcessMemoryMB	`str`
ActiveSessionCount	`str`
SysStatsAcsProcessHealth	`str`
OperationCounters	`str`
OCSPPrimaryNotResponsiveCount	`str`
OCSPSecondaryNotResponsiveCount	`str`
OCSPPrimaryCertsGoodCount	`str`
OCSPSecondaryCertsGoodCount	`str`
hostchain	`str`			✓
tag	`str`			✓
rawMessage	`str`		rawSource