Cisco fieldsedit

Module for handling Cisco network device logs.

ciscoedit

Fields from Cisco logs.

asaedit

Fields for Cisco ASA Firewall.

cisco.asa.message_id

The Cisco ASA message identifier.

type: keyword

cisco.asa.suffix

Optional suffix after %ASA identifier.

type: keyword

example: session

cisco.asa.source_interface

Source interface for the flow or event.

type: keyword

cisco.asa.destination_interface

Destination interface for the flow or event.

type: keyword

cisco.asa.rule_name

Name of the Access Control List rule that matched this event.

type: keyword

cisco.asa.source_username

Name of the user that is the source for this event.

type: keyword

cisco.asa.destination_username

Name of the user that is the destination for this event.

type: keyword

cisco.asa.mapped_source_ip

The translated source IP address.

type: ip

cisco.asa.mapped_source_host

The translated source host.

type: keyword

cisco.asa.mapped_source_port

The translated source port.

type: long

cisco.asa.mapped_destination_ip

The translated destination IP address.

type: ip

cisco.asa.mapped_destination_host

The translated destination host.

type: keyword

cisco.asa.mapped_destination_port

The translated destination port.

type: long

cisco.asa.threat_level

Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.

type: keyword

cisco.asa.threat_category

Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.

type: keyword

cisco.asa.connection_id

Unique identifier for a flow.

type: keyword

cisco.asa.icmp_type

ICMP type.

type: short

cisco.asa.icmp_code

ICMP code.

type: short

cisco.asa.connection_type

The VPN connection type

type: keyword

cisco.asa.dap_records

The assigned DAP records

type: keyword

ftdedit

Fields for Cisco Firepower Threat Defense Firewall.

cisco.ftd.message_id

The Cisco FTD message identifier.

type: keyword

cisco.ftd.suffix

Optional suffix after %FTD identifier.

type: keyword

example: session

cisco.ftd.source_interface

Source interface for the flow or event.

type: keyword

cisco.ftd.destination_interface

Destination interface for the flow or event.

type: keyword

cisco.ftd.rule_name

Name of the Access Control List rule that matched this event.

type: keyword

cisco.ftd.source_username

Name of the user that is the source for this event.

type: keyword

cisco.ftd.destination_username

Name of the user that is the destination for this event.

type: keyword

cisco.ftd.mapped_source_ip

The translated source IP address. Use ECS source.nat.ip.

type: ip

cisco.ftd.mapped_source_host

The translated source host.

type: keyword

cisco.ftd.mapped_source_port

The translated source port. Use ECS source.nat.port.

type: long

cisco.ftd.mapped_destination_ip

The translated destination IP address. Use ECS destination.nat.ip.

type: ip

cisco.ftd.mapped_destination_host

The translated destination host.

type: keyword

cisco.ftd.mapped_destination_port

The translated destination port. Use ECS destination.nat.port.

type: long

cisco.ftd.threat_level

Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.

type: keyword

cisco.ftd.threat_category

Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.

type: keyword

cisco.ftd.connection_id

Unique identifier for a flow.

type: keyword

cisco.ftd.icmp_type

ICMP type.

type: short

cisco.ftd.icmp_code

ICMP code.

type: short

cisco.ftd.security

Raw fields for Security Events.

type: object

cisco.ftd.connection_type

The VPN connection type

type: keyword

cisco.ftd.dap_records

The assigned DAP records

type: keyword

iosedit

Fields for Cisco IOS logs.

cisco.ios.access_list

Name of the IP access list.

type: keyword

cisco.ios.facility

The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message.

type: keyword

example: SEC