Cisco fields

Module for handling Cisco network device logs.

cisco

Fields from Cisco logs.

asa

Fields for Cisco ASA Firewall.

cisco.asa.message_id

The Cisco ASA message identifier.

type: keyword

cisco.asa.suffix

Optional suffix after the %ASA identifier.

type: keyword

example: session

cisco.asa.source_interface

Source interface for the flow or event.

type: keyword

cisco.asa.destination_interface

Destination interface for the flow or event.

type: keyword

cisco.asa.list_id

Name of the Access Control List that matched this event.

type: keyword

cisco.asa.source_username

Name of the user that is the source for this event.

type: keyword

cisco.asa.destination_username

Name of the user that is the destination for this event.

type: keyword

cisco.asa.mapped_source_ip

The translated source IP address.

type: ip

cisco.asa.mapped_source_port

The translated source port.

type: long

cisco.asa.mapped_destination_ip

The translated destination IP address.

type: ip

cisco.asa.mapped_destination_port

The translated destination port.

type: long

cisco.asa.threat_level

Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.

type: keyword

cisco.asa.threat_category

Category for the malware / botnet traffic. For example: virus, botnet, or trojan.

type: keyword

cisco.asa.connection_id

Unique identifier for a flow.

type: keyword

cisco.asa.icmp_type

ICMP type.

type: short

cisco.asa.icmp_code

ICMP code.

type: short

ios

Fields for Cisco IOS logs.

cisco.ios.access_list

Name of the IP access list.

type: keyword

cisco.ios.facility

The facility to which the message refers (for example, SNMP or SYS). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message.

type: keyword

example: SEC