Collect Cisco Secure ACS logs

This document describes how you can collect Cisco Secure Access Control Server (ACS) logs by using a Google Security Operations forwarder.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the CISCO_ACS ingestion label.

Configure Cisco Secure ACS

  1. Sign in to Cisco Secure ACS console using administrator credentials.
  2. In the Cisco Secure ACS console, select System administration > Configuration > Log configuration > Remote log targets.
  3. Click Create.
  4. In the Create window, specify values for the following fields:

    Field                      | Description
    ---------------------------|--------------------------------------------------------------
    Name                       | Name of the Google Security Operations forwarder.
    Description                | Description of the Google Security Operations forwarder.
    IP address                 | IP address of the Google Security Operations forwarder.
    Use advanced syslog options| Select this option to enable the advanced syslog options.
    Target type                | Select TCP syslog or UDP syslog.
    Port                       | Use a high port, such as 10514.
    Facility code              | LOCAL6 (code = 22; default).
    Maximum length             | The recommended value is 1024.
  5. Click Submit. The Remote log targets window appears with the new remote log target configuration.

  6. In the Cisco Secure ACS console, select System administration > Configuration > Log configuration > Logging categories > Per-Instance.

  7. Select ACS, and then click Configure.

  8. In the Per-Instance window, select a logging category, and then click Edit.

    On the General tab, for some logging categories the logging severity must be left at the default or at the value provided by the vendor.

    For Cisco Secure ACS, the default severity is Warn for all the logging categories except for those for which the severity cannot be changed, such as AAA audit-notice, accounting-notice, administrative and operational audit-notice, and system statistics-notice.

  9. Click the Remote syslog target tab and move the newly created remote target from Available targets to Selected targets.

  10. Click Submit.

  11. To configure remote targets for other logging categories, repeat steps 8 to 10.

Configure Google Security Operations forwarder and syslog to ingest Cisco Secure ACS logs

  1. Go to SIEM Settings > Forwarders.
  2. Click Add new forwarder.
  3. In the Forwarder Name field, enter a unique name for the forwarder.
  4. Click Submit. The forwarder is added and the Add collector configuration window appears.
  5. In the Collector name field, type a name.
  6. Select Cisco ACS as the Log type.
  7. Select Syslog as the Collector type.
  8. Configure the following mandatory input parameters:
    • Protocol: specify the protocol.
    • Address: specify the target IP address or hostname where the collector resides and listens for syslog data.
    • Port: specify the target port where the collector resides and listens for syslog data.
  9. Click Submit.

For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation. For information about requirements for each forwarder type, see Forwarder configuration by type. If you encounter issues when you create forwarders, contact Google Security Operations support.

Field mapping reference

This parser handles Cisco ACS logs, including authentication, accounting, diagnostics, and system statistics. It uses grok patterns to extract fields from various log formats (SYSLOG + KV, LEEF), normalizes timestamps and timezones, and maps key fields to the UDM, handling different log types with specific logic for authentication successes/failures, TACACS+ accounting, and RADIUS events. It also enriches the UDM with additional fields like device information and authentication details.

UDM Mapping Table

Log Field | UDM Mapping | Logic
----------|-------------|------
Acct-Authentic | additional.fields[].value.string_value | Value is taken from the Acct-Authentic field.
Acct-Delay-Time | additional.fields[].value.string_value | Value is taken from the Acct-Delay-Time field.
Acct-Input-Octets | additional.fields[].value.string_value | Value is taken from the Acct-Input-Octets field.
Acct-Input-Packets | additional.fields[].value.string_value | Value is taken from the Acct-Input-Packets field.
Acct-Output-Octets | additional.fields[].value.string_value | Value is taken from the Acct-Output-Octets field.
Acct-Output-Packets | additional.fields[].value.string_value | Value is taken from the Acct-Output-Packets field.
Acct-Session-Id | additional.fields[].value.string_value | Value is taken from the Acct-Session-Id field.
Acct-Session-Time | additional.fields[].value.string_value | Value is taken from the Acct-Session-Time field.
Acct-Status-Type | additional.fields[].value.string_value | Value is taken from the Acct-Status-Type field.
Acct-Terminate-Cause | additional.fields[].value.string_value | Value is taken from the Acct-Terminate-Cause field.
ACSVersion | additional.fields[].value.string_value | Value is taken from the ACSVersion field.
AD-Domain | principal.group.group_display_name | Value is taken from the AD-Domain field.
AD-IP-Address | principal.ip | Value is taken from the AD-IP-Address field.
Called-Station-ID | additional.fields[].value.string_value | Value is taken from the Called-Station-ID field.
Calling-Station-ID | additional.fields[].value.string_value | Value is taken from the Calling-Station-ID field.
Class | additional.fields[].value.string_value | Value is taken from the Class field.
CmdSet | (not mapped) | Not mapped to the IDM object.
ConfigVersionId | additional.fields[].value.number_value | Value is taken from the ConfigVersionId field and converted to a float.
DestinationIPAddress | target.ip, intermediary.ip | Value is taken from the DestinationIPAddress field. intermediary.ip is derived from Device IP Address.
DestinationPort | target.port | Value is taken from the DestinationPort field and converted to an integer.
Device IP Address | intermediary.ip | Value is taken from the Device IP Address field.
Device Port | intermediary.port | Value is taken from the Device Port field and converted to an integer.
DetailedInfo | security_result.summary, security_result.description, security_result.action | If DetailedInfo is "Authentication succeed", security_result.summary is "successful login occurred" and security_result.action is ALLOW. If DetailedInfo contains "Invalid username or password specified", security_result.summary is "failed login occurred" and security_result.action is BLOCK. security_result.description is derived from log_header.
Framed-IP-Address | principal.ip | Value is taken from the Framed-IP-Address field.
Framed-Protocol | additional.fields[].value.string_value | Value is taken from the Framed-Protocol field.
NAS-IP-Address | target.ip | Value is taken from the NAS-IP-Address field.
NAS-Port | additional.fields[].value.string_value | Value is taken from the NAS-Port field.
NAS-Port-Id | target.port | Value is taken from the NAS-Port-Id field and converted to an integer.
NAS-Port-Type | additional.fields[].value.string_value | Value is taken from the NAS-Port-Type field.
NetworkDeviceName | target.hostname | Value is taken from the NetworkDeviceName field.
Protocol | additional.fields[].value.string_value | Value is taken from the Protocol field.
RadiusPacketType | (not mapped) | Not mapped to the IDM object.
Remote-Address | principal.ip, target.ip | Value is taken from the Remote-Address field and parsed as an IP address. It is mapped to principal.ip for authentication events and to target.ip for accounting and diagnostic events.
RequestLatency | additional.fields[].value.string_value | Value is taken from the RequestLatency field.
Response | principal.user.userid | If Response contains "User-Name", the username is extracted and mapped to principal.user.userid.
SelectedAccessService | additional.fields[].value.string_value | Value is taken from the SelectedAccessService field.
SelectedAuthenticationIdentityStores | security_result.detection_fields[].value | Value is taken from the SelectedAuthenticationIdentityStores field.
SelectedAuthorizationProfiles | security_result.detection_fields[].value | Value is taken from the SelectedAuthorizationProfiles field.
Service-Type | additional.fields[].value.string_value | Value is taken from the Service-Type field.
Tunnel-Client-Endpoint | additional.fields[].value.string_value | Value is taken from the Tunnel-Client-Endpoint field and parsed as an IP address.
User | target.user.userid | Value is taken from the User field.
UserName | target.user.userid, principal.mac | If UserName is a MAC address, it is parsed and mapped to principal.mac. Otherwise, it is mapped to target.user.userid.
ac-user-agent | network.http.user_agent | Value is taken from the ac-user-agent field.
cat | metadata.description | Value is taken from the cat field.
device-mac | principal.mac | Value is taken from the device-mac field, colons are added, and the value is converted to lowercase. If device-mac is "00", it is replaced with "00:00:00:00:00:00".
device-platform | principal.asset.platform_software.platform | If device-platform is "win", the value "WINDOWS" is assigned to principal.asset.platform_software.platform.
device-platform-version | principal.asset.platform_software.platform_version | Value is taken from the device-platform-version field.
device-public-mac | principal.mac | Value is taken from the device-public-mac field, hyphens are replaced with colons, and the value is converted to lowercase.
device-type | principal.asset.hardware.model | Value is taken from the device-type field.
device-uid | principal.asset.asset_id | Value is taken from the device-uid field and prepended with "ASSET ID: ".
device-uid-global | principal.asset.product_object_id | Value is taken from the device-uid-global field.
hostname | principal.hostname | Value is taken from the hostname field.
ip:source-ip | principal.ip | Value is taken from the ip:source-ip field.
kv.ADDomain | (not mapped) | Not mapped to the IDM object.
kv.Airespace-Wlan-Id | (not mapped) | Not mapped to the IDM object.
kv.AuthenticationIdentityStore | (not mapped) | Not mapped to the IDM object.
kv.AVPair | (not mapped) | Not mapped to the IDM object.
kv.CVPN3000/ASA/PIX7.x-DAP-Tunnel-Group-Name | (not mapped) | Not mapped to the IDM object.
kv.CVPN3000/ASA/PIX7.x-Group-Based-Address-Pools | (not mapped) | Not mapped to the IDM object.
kv.ExternalGroups | (not mapped) | Not mapped to the IDM object.
kv.FailureReason | (not mapped) | Not mapped to the IDM object.
kv.IdentityAccessRestricted | (not mapped) | Not mapped to the IDM object.
kv.IdentityGroup | (not mapped) | Not mapped to the IDM object.
kv.NAS-Identifier | (not mapped) | Not mapped to the IDM object.
kv.SelectedShellProfile | (not mapped) | Not mapped to the IDM object.
kv.ServiceSelectionMatchedRule | (not mapped) | Not mapped to the IDM object.
kv.State | (not mapped) | Not mapped to the IDM object.
kv.Step | (not mapped) | Not mapped to the IDM object.
kv.Tunnel-Medium-Type | (not mapped) | Not mapped to the IDM object.
kv.Tunnel-Private-Group-ID | (not mapped) | Not mapped to the IDM object.
kv.Tunnel-Type | (not mapped) | Not mapped to the IDM object.
kv.UseCase | (not mapped) | Not mapped to the IDM object.
kv.UserIdentityGroup | (not mapped) | Not mapped to the IDM object.
kv.VendorSpecific | (not mapped) | Not mapped to the IDM object.
kv.attribute-131 | (not mapped) | Not mapped to the IDM object.
kv.attribute-89 | (not mapped) | Not mapped to the IDM object.
kv.cisco-av-pair | (not mapped) | Not mapped to the IDM object.
kv.cisco-av-pair:CiscoSecure-Group-Id | (not mapped) | Not mapped to the IDM object.
leef_version | (not mapped) | Not mapped to the IDM object.
log_header | metadata.description | Value is taken from the log_header field.
log_id | metadata.product_log_id | Value is taken from the log_id field.
log_type | metadata.product_event_type | Value is taken from the log_type field.
message_severity | (not mapped) | Not mapped to the IDM object.
product | metadata.product_name | Value is taken from the product field.
product_version | metadata.product_version | Value is taken from the product_version field.
server_host | target.hostname | Value is taken from the server_host field.
timestamp | metadata.event_timestamp | Value is taken from the timestamp field and the timezone field (after removing the colon). The combined value is parsed as a timestamp.
url | network.dns.questions[].name | Value is taken from the url field.
vendor | metadata.vendor_name | Value is taken from the vendor field.
(derived) | metadata.event_type | Set to "GENERIC_EVENT" initially, then potentially overwritten based on the log_type and parsed fields. Can be "USER_LOGIN", "USER_UNCATEGORIZED", "NETWORK_DNS", "NETWORK_CONNECTION", "STATUS_UPDATE", or "STATUS_UNCATEGORIZED".
(derived) | metadata.vendor_name | Set to "Cisco" initially, then potentially overwritten by the vendor field.
(derived) | metadata.product_name | Set to "ACS" initially, then potentially overwritten by the product field.
(derived) | metadata.log_type | Set to "CISCO_ACS".
(derived) | extensions.auth.mechanism | Set to "USERNAME_PASSWORD".
(derived) | extensions.auth.type | Set to "TACACS".
(derived) | network.ip_protocol | Set to "UDP" for RADIUS accounting and diagnostic events.
(derived) | network.application_protocol | Set to "DNS" for DNS events.
(derived) | security_result.action | Derived from the security_action field, which is set based on whether the login was successful or not.
(derived) | security_result.summary | Set to "successful login occurred" for successful logins and "failed login occurred" for failed logins. May also be set to "passed" for certain identity store diagnostic events.
(derived) | security_result.severity | Set to "LOW" for failed login attempts.
(derived) | principal.asset.asset_id | Constructed by prepending "ASSET ID: " to the device-uid field.
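The per-field rules above (MAC-shaped UserName values, device-mac normalization, the DetailedInfo success/failure split, NAS-Port-Id conversion, and the timestamp plus colon-stripped timezone) can be exercised locally before onboarding a source, so that the UDM output you expect in search matches what the parser documents. The following is an added example, not the Google Security Operations parser itself; the KV line and timestamp are constructed sample values and the key=value splitting is a simplification of the parser's grok patterns.

```python
import re
from datetime import datetime

# Constructed sample in the SYSLOG + KV shape the parser handles (invented values, not a capture).
SAMPLE_KV = ("UserName=00-11-22-AA-BB-CC, DetailedInfo=Authentication succeed, "
             "device-mac=00, NAS-IP-Address=192.0.2.10, NAS-Port-Id=50101")

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

def parse_kv(line):
    """Split 'k=v, k=v' pairs; values may contain spaces but not ', ' (simplified grok stand-in)."""
    return dict(p.split("=", 1) for p in line.split(", ") if "=" in p)

def normalize_device_mac(raw):
    """device-mac rule: '00' becomes the dummy all-zero MAC; otherwise colons are inserted and lowercased."""
    if raw == "00":
        return "00:00:00:00:00:00"
    digits = raw.lower().replace("-", "").replace(":", "")
    if len(digits) != 12:
        return raw.lower()  # leave anything that is not a 12-hex-digit MAC untouched
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_event_time(ts, tz):
    """timestamp rule: strip the colon from the timezone field, then parse both values together."""
    return datetime.strptime(f"{ts} {tz.replace(':', '')}", "%Y-%m-%d %H:%M:%S.%f %z")

def to_udm(line):
    """Apply the documented per-field logic to one KV line and return the UDM fields that get set."""
    kv, udm = parse_kv(line), {}
    user = kv.get("UserName")
    if user:  # MAC-shaped usernames go to principal.mac, everything else to target.user.userid
        if MAC_RE.match(user):
            udm["principal.mac"] = user.replace("-", ":").lower()
        else:
            udm["target.user.userid"] = user
    if "device-mac" in kv:
        udm["principal.mac"] = normalize_device_mac(kv["device-mac"])
    if "device-public-mac" in kv:
        udm["principal.mac"] = kv["device-public-mac"].replace("-", ":").lower()
    info = kv.get("DetailedInfo", "")
    if info == "Authentication succeed":
        udm["security_result.summary"], udm["security_result.action"] = "successful login occurred", "ALLOW"
    elif "Invalid username or password specified" in info:
        udm["security_result.summary"], udm["security_result.action"] = "failed login occurred", "BLOCK"
        udm["security_result.severity"] = "LOW"
    if "NAS-IP-Address" in kv:
        udm["target.ip"] = kv["NAS-IP-Address"]
    if "NAS-Port-Id" in kv:
        udm["target.port"] = int(kv["NAS-Port-Id"])
    return udm
```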

Changes

2023-09-26

  • Enhancement -
  • Initialized "hostname" to null and added a hostname not-null check prior to setting "metadata.event_type" to "STATUS_UPDATE".
  • Added a valid IP address check to "kv.DeviceIPAddress", "kv.Remote-Address" prior to mapping to UDM fields.

2022-08-19

  • Enhancement -
  • Mapped "User-Name" to "principal.user.userid".
  • Renamed "ip:source-ip" to "source_ip" and mapped it to "principal.ip".
  • Renamed "kv.audit-session-id" to "kv.audit_session_id" and mapped it to "network.session_id".
  • Mapped "kv.AuthenticationMethod" to "additional.fields".
  • Mapped "kv.SelectedAccessService" to "additional.fields".
  • Mapped "kv.SelectedAuthorizationProfiles" to "security_result.detection_fields".
  • Mapped "kv.SelectedAuthenticationIdentityStores" to "security_result.detection_fields".
  • Mapped "kv.device-uid-global" to "principal.asset.product_object_id".
  • Mapped "kv.device-uid" to "principal.asset.asset_id".
  • Mapped "metadata.event_type" to "USER_UNCATEGORIZED" where kv.DestinationIPAddress, kv.NAS-IP-Address, kv.UserName, and kv.NetworkDeviceName are all null.
  • Added support for logs with LEEF format.

2022-06-14

  • Enhancement - Modified grok to parse logs of log_type = "CSCOacs_Passed_Authentications" which were failing due to multiple spaces.
  • Replaced the value of 'device-mac' with the dummy value of "00:00:00:00:00:00" for logtype "CSCOacs_RADIUS_Accounting" in case of invalid value (00).

2022-06-06

  • Enhancement - Parsed logs of type "CSCOacs_Passed_Authentications" that have neither "DestinationIPAddress" nor "NAS-IP-Address" present in the log.
  • Modified metadata.event_type from "USER_UNCATEGORIZED" to "USER_LOGIN" for logs of type "CSCOacs_Passed_Authentications".

2022-05-05

  • Enhancement - Newly ingested logs that do not have a message code are parsed and dropped.

2022-04-27

  • Enhancement - Parsed the logs with log_type=CISE_TACACS_Accounting.