Collect Cisco Secure ACS logs
This document describes how you can collect Cisco Secure Access Control Server (ACS) logs by using a Google Security Operations forwarder.
For more information, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser which normalizes raw log data to structured
UDM format. The information in this document applies to the parser with the
CISCO_ACS
ingestion label.
Configure Cisco Secure ACS
- Sign in to Cisco Secure ACS console using administrator credentials.
- In the Cisco Secure ACS console, select System administration > Configuration > Log configuration > Remote log targets.
- Click Create.
In the Create window, specify values for the following fields:
Field Description Name Name of the Google Security Operations forwarder. Description Description of the Google Security Operations forwarder. IP address IP address of the Google Security Operations forwarder. Use advanced syslog options Select this option to enable the advanced syslog options. Target type Select TCP syslog or UDP syslog. Port Use a high port, such as 10514. Facility code LOCAL6 (code = 22; default). Maximum length The recommended value is 1024. Click Submit. The Remote log targets window appears with the new remote log target configuration.
In the Cisco Secure ACS console, select System administration > Configuration > Log configuration > Logging categories > Per-Instance.
Select ACS, and then click Configure.
In the Per-Instance window, select a logging category, and then click Edit.
On the General tab, for some logging categories, the logging severity must be set to default or as provided by the vendor.
For Cisco Secure ACS, the default severity is Warn for all the logging categories except for those for which the severity cannot be changed, such as AAA audit-notice, accounting-notice, administrative and operational audit-notice, and system statistics-notice.
Click the Remote syslog target tab and move the newly created remote target from Available targets to Selected targets.
Click Submit.
To configure remote targets for other logging categories repeat steps from 8 to 10.
Configure Google Security Operations forwarder and syslog to ingest Cisco Secure ACS logs
- Go to SIEM Settings > Forwarders.
- Click Add new forwarder.
- In the Forwarder Name field, enter a unique name for the forwarder.
- Click Submit. The forwarder is added and the Add collector configuration window appears.
- In the Collector name field, type a name.
- Select Cisco ACS as the Log type.
- Select Syslog as the Collector type.
- Configure the following mandatory input parameters:
- Protocol: specify the protocol.
- Address: specify the target IP address or hostname where the collector resides and addresses to the syslog data.
- Port: specify the target port where the collector resides and listens for syslog data.
- Click Submit.
For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation. For information about requirements for each forwarder type, see Forwarder configuration by type. If you encounter issues when you create forwarders, contact Google Security Operations support.
Field mapping reference
This parser handles Cisco ACS logs, including authentication, accounting, diagnostics, and system statistics. It uses grok patterns to extract fields from various log formats (SYSLOG + KV, LEEF), normalizes timestamps and timezones, and maps key fields to the UDM, handling different log types with specific logic for authentication successes/failures, TACACS+ accounting, and RADIUS events. It also enriches the UDM with additional fields like device information and authentication details.
UDM Mapping Table
Log Field | UDM Mapping | Logic |
---|---|---|
Acct-Authentic |
additional.fields[].value.string_value |
Value is taken from the Acct-Authentic field. |
Acct-Delay-Time |
additional.fields[].value.string_value |
Value is taken from the Acct-Delay-Time field. |
Acct-Input-Octets |
additional.fields[].value.string_value |
Value is taken from the Acct-Input-Octets field. |
Acct-Input-Packets |
additional.fields[].value.string_value |
Value is taken from the Acct-Input-Packets field. |
Acct-Output-Octets |
additional.fields[].value.string_value |
Value is taken from the Acct-Output-Octets field. |
Acct-Output-Packets |
additional.fields[].value.string_value |
Value is taken from the Acct-Output-Packets field. |
Acct-Session-Id |
additional.fields[].value.string_value |
Value is taken from the Acct-Session-Id field. |
Acct-Session-Time |
additional.fields[].value.string_value |
Value is taken from the Acct-Session-Time field. |
Acct-Status-Type |
additional.fields[].value.string_value |
Value is taken from the Acct-Status-Type field. |
Acct-Terminate-Cause |
additional.fields[].value.string_value |
Value is taken from the Acct-Terminate-Cause field. |
ACSVersion |
additional.fields[].value.string_value |
Value is taken from the ACSVersion field. |
AD-Domain |
principal.group.group_display_name |
Value is taken from the AD-Domain field. |
AD-IP-Address |
principal.ip |
Value is taken from the AD-IP-Address field. |
Called-Station-ID |
additional.fields[].value.string_value |
Value is taken from the Called-Station-ID field. |
Calling-Station-ID |
additional.fields[].value.string_value |
Value is taken from the Calling-Station-ID field. |
Class |
additional.fields[].value.string_value |
Value is taken from the Class field. |
CmdSet |
(not mapped) | Not mapped to the IDM object. |
ConfigVersionId |
additional.fields[].value.number_value |
Value is taken from the ConfigVersionId field and converted to a float. |
DestinationIPAddress |
target.ip , intermediary.ip |
Value is taken from the DestinationIPAddress field. intermediary.ip is derived from Device IP Address . |
DestinationPort |
target.port |
Value is taken from the DestinationPort field and converted to an integer. |
Device IP Address |
intermediary.ip |
Value is taken from the Device IP Address field. |
Device Port |
intermediary.port |
Value is taken from the Device Port field and converted to an integer. |
DetailedInfo |
security_result.summary , security_result.description , security_result.action |
If DetailedInfo is "Authentication succeed", security_result.summary is "successful login occurred" and security_result.action is ALLOW. If DetailedInfo contains "Invalid username or password specified", security_result.summary is "failed login occurred" and security_result.action is BLOCK. security_result.description is derived from log_header . |
Framed-IP-Address |
principal.ip |
Value is taken from the Framed-IP-Address field. |
Framed-Protocol |
additional.fields[].value.string_value |
Value is taken from the Framed-Protocol field. |
NAS-IP-Address |
target.ip |
Value is taken from the NAS-IP-Address field. |
NAS-Port |
additional.fields[].value.string_value |
Value is taken from the NAS-Port field. |
NAS-Port-Id |
target.port |
Value is taken from the NAS-Port-Id field and converted to an integer. |
NAS-Port-Type |
additional.fields[].value.string_value |
Value is taken from the NAS-Port-Type field. |
NetworkDeviceName |
target.hostname |
Value is taken from the NetworkDeviceName field. |
Protocol |
additional.fields[].value.string_value |
Value is taken from the Protocol field. |
RadiusPacketType |
(not mapped) | Not mapped to the IDM object. |
Remote-Address |
principal.ip , target.ip |
Value is taken from the Remote-Address field and parsed as an IP address. It is mapped to principal.ip for authentication events and target.ip for accounting and diagnostic events. |
RequestLatency |
additional.fields[].value.string_value |
Value is taken from the RequestLatency field. |
Response |
principal.user.userid |
If Response contains "User-Name", the username is extracted and mapped to principal.user.userid . |
SelectedAccessService |
additional.fields[].value.string_value |
Value is taken from the SelectedAccessService field. |
SelectedAuthenticationIdentityStores |
security_result.detection_fields[].value |
Value is taken from the SelectedAuthenticationIdentityStores field. |
SelectedAuthorizationProfiles |
security_result.detection_fields[].value |
Value is taken from the SelectedAuthorizationProfiles field. |
Service-Type |
additional.fields[].value.string_value |
Value is taken from the Service-Type field. |
Tunnel-Client-Endpoint |
additional.fields[].value.string_value |
Value is taken from the Tunnel-Client-Endpoint field and parsed as an IP address. |
User |
target.user.userid |
Value is taken from the User field. |
UserName |
target.user.userid , principal.mac |
If UserName is a MAC address, it is parsed and mapped to principal.mac . Otherwise, it is mapped to target.user.userid . |
ac-user-agent |
network.http.user_agent |
Value is taken from the ac-user-agent field. |
cat |
metadata.description |
Value is taken from the cat field. |
device-mac |
principal.mac |
Value is taken from the device-mac field, colons are added, and the value is converted to lowercase. If device-mac is "00", it is replaced with "00:00:00:00:00:00". |
device-platform |
principal.asset.platform_software.platform |
If device-platform is "win", the value "WINDOWS" is assigned to principal.asset.platform_software.platform . |
device-platform-version |
principal.asset.platform_software.platform_version |
Value is taken from the device-platform-version field. |
device-public-mac |
principal.mac |
Value is taken from the device-public-mac field, hyphens are replaced with colons, and the value is converted to lowercase. |
device-type |
principal.asset.hardware.model |
Value is taken from the device-type field. |
device-uid |
principal.asset.asset_id |
Value is taken from the device-uid field and prepended with "ASSET ID: ". |
device-uid-global |
principal.asset.product_object_id |
Value is taken from the device-uid-global field. |
hostname |
principal.hostname |
Value is taken from the hostname field. |
ip:source-ip |
principal.ip |
Value is taken from the ip:source-ip field. |
kv.ADDomain |
(not mapped) | Not mapped to the IDM object. |
kv.Airespace-Wlan-Id |
(not mapped) | Not mapped to the IDM object. |
kv.AuthenticationIdentityStore |
(not mapped) | Not mapped to the IDM object. |
kv.AVPair |
(not mapped) | Not mapped to the IDM object. |
kv.CVPN3000/ASA/PIX7.x-DAP-Tunnel-Group-Name |
(not mapped) | Not mapped to the IDM object. |
kv.CVPN3000/ASA/PIX7.x-Group-Based-Address-Pools |
(not mapped) | Not mapped to the IDM object. |
kv.ExternalGroups |
(not mapped) | Not mapped to the IDM object. |
kv.FailureReason |
(not mapped) | Not mapped to the IDM object. |
kv.IdentityAccessRestricted |
(not mapped) | Not mapped to the IDM object. |
kv.IdentityGroup |
(not mapped) | Not mapped to the IDM object. |
kv.NAS-Identifier |
(not mapped) | Not mapped to the IDM object. |
kv.SelectedShellProfile |
(not mapped) | Not mapped to the IDM object. |
kv.ServiceSelectionMatchedRule |
(not mapped) | Not mapped to the IDM object. |
kv.State |
(not mapped) | Not mapped to the IDM object. |
kv.Step |
(not mapped) | Not mapped to the IDM object. |
kv.Tunnel-Medium-Type |
(not mapped) | Not mapped to the IDM object. |
kv.Tunnel-Private-Group-ID |
(not mapped) | Not mapped to the IDM object. |
kv.Tunnel-Type |
(not mapped) | Not mapped to the IDM object. |
kv.UseCase |
(not mapped) | Not mapped to the IDM object. |
kv.UserIdentityGroup |
(not mapped) | Not mapped to the IDM object. |
kv.VendorSpecific |
(not mapped) | Not mapped to the IDM object. |
kv.attribute-131 |
(not mapped) | Not mapped to the IDM object. |
kv.attribute-89 |
(not mapped) | Not mapped to the IDM object. |
kv.cisco-av-pair |
(not mapped) | Not mapped to the IDM object. |
kv.cisco-av-pair:CiscoSecure-Group-Id |
(not mapped) | Not mapped to the IDM object. |
leef_version |
(not mapped) | Not mapped to the IDM object. |
log_header |
metadata.description |
Value is taken from the log_header field. |
log_id |
metadata.product_log_id |
Value is taken from the log_id field. |
log_type |
metadata.product_event_type |
Value is taken from the log_type field. |
message_severity |
(not mapped) | Not mapped to the IDM object. |
product |
metadata.product_name |
Value is taken from the product field. |
product_version |
metadata.product_version |
Value is taken from the product_version field. |
server_host |
target.hostname |
Value is taken from the server_host field. |
timestamp |
metadata.event_timestamp |
Value is taken from the timestamp field and the timezone field (after removing the colon). The combined value is parsed as a timestamp. |
url |
network.dns.questions[].name |
Value is taken from the url field. |
vendor |
metadata.vendor_name |
Value is taken from the vendor field. Set to "GENERIC_EVENT" initially, then potentially overwritten based on the log_type and parsed fields. Can be "USER_LOGIN", "USER_UNCATEGORIZED", "NETWORK_DNS", "NETWORK_CONNECTION", "STATUS_UPDATE", or "STATUS_UNCATEGORIZED". Set to "Cisco" initially, then potentially overwritten by the vendor field. Set to "ACS" initially, then potentially overwritten by the product field. Set to "CISCO_ACS". Set to "USERNAME_PASSWORD". Set to "TACACS". Set to "UDP" for RADIUS accounting and diagnostic events. Set to "DNS" for DNS events. Derived from the security_action field, which is set based on whether the login was successful or not. Set to "successful login occurred" for successful logins and "failed login occurred" for failed logins. May also be set to "passed" for certain identity store diagnostic events. Set to "LOW" for failed login attempts. Constructed by prepending "ASSET ID: " to the device-uid field. |
Changes
2023-09-26
- Enhancement -
- Initialized "hostname" to null and added a hostname not null check prior setting "metadata.event_type" to "STATUS_UPDATE".
- Added a valid IP address check to "kv.DeviceIPAddress", "kv.Remote-Address" prior to mapping to UDM fields.
2022-08-19
- Enhancement -
- Mapped "User-Name" to "principal.user.userid".
- Renamed ip:source-ip" to "source_ip" and Mapped it to "principal.ip".
- Renamed "kv.audit-session-id" to "kv.audit_session_id" and Mapped it to "network.session_id".
- Mapped "kv.AuthenticationMethod" to "additional.fields".
- Mapped "kv.SelectedAccessService" to "additional.fields".
- Mapped "kv.SelectedAuthorizationProfiles" to "security_result.detection_fields".
- Mapped "kv.SelectedAuthenticationIdentityStores" to "security_result.detection_fields".
- Mapped "kv.device-uid-global" to "principal.asset.product_object_id".
- Mapped "kv.device-uid" to "principal.asset.asset_id".
- Mapped "metadata.event_type" to "USER_UNCATEGORIZED" where kv.DestinationIPAddress and kv.NAS-IP-Address and kv.NAS-IP-Address and kv.UserName and kv.NetworkDeviceName is null.
- Added support for logs with LEEF format.
2022-06-14
- Enhancement - Modified grok to parse logs of log_type = "CSCOacs_Passed_Authentications" which were failing due to multiple spaces.
- Replaced the value of 'device-mac' with the dummy value of "00:00:00:00:00:00" for logtype "CSCOacs_RADIUS_Accounting" in case of invalid value (00).
2022-06-06
- Enhancement - Parsed logs of type "CSCOacs_Passed_Authentications" that doesn't have either of "DestinationIPAddress" or "NAS-IP-Address" present in the logs.
- Modified metadata.event_type from "USER_UNCATEGORIZED" to "USER_LOGIN" for logs of type "CSCOacs_Passed_Authentications"
2022-05-05
- Enhancement - The newly ingested logs which do not have message code are parsed and dropped.
2022-04-27
- Enhancement - Parsed the logs with log_type=CISE_TACACS_Accounting.