Collect Cisco Secure ACS logs

Supported in:

Google SecOps SIEM

This document describes how you can collect Cisco Secure Access Control Server (ACS) logs by using a Google Security Operations forwarder.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the CISCO_ACS ingestion label.

Configure Cisco Secure ACS

Sign in to Cisco Secure ACS console using administrator credentials.
In the Cisco Secure ACS console, select System administration > Configuration > Log configuration > Remote log targets.
Click Create.

In the Create window, specify values for the following fields:

Field	Description
Name	Name of the Google Security Operations forwarder.
Description	Description of the Google Security Operations forwarder.
IP address	IP address of the Google Security Operations forwarder.
Use advanced syslog options	Select this option to enable the advanced syslog options.
Target type	Select TCP syslog or UDP syslog.
Port	Use a high port, such as 10514.
Facility code	LOCAL6 (code = 22; default).
Maximum length	The recommended value is 1024.

Click Submit. The Remote log targets window appears with the new remote log target configuration.
In the Cisco Secure ACS console, select System administration > Configuration > Log configuration > Logging categories > Per-Instance.
Select ACS, and then click Configure.
In the Per-Instance window, select a logging category, and then click Edit.

On the General tab, for some logging categories, the logging severity must be set to default or as provided by the vendor.

For Cisco Secure ACS, the default severity is Warn for all the logging categories except for those for which the severity cannot be changed, such as AAA audit-notice, accounting-notice, administrative and operational audit-notice, and system statistics-notice.
Click the Remote syslog target tab and move the newly created remote target from Available targets to Selected targets.
Click Submit.
To configure remote targets for other logging categories repeat steps from 8 to 10.

Configure Google Security Operations forwarder and syslog to ingest Cisco Secure ACS logs

From the Google Security Operations menu, select Settings, and then click Forwarders.
Click Add new forwarder.
In the Forwarder name field, type a name.
Click Submit. The forwarder is added and the Add collector configuration window appears.
In the Collector name field, type a name.
Select Cisco ACS as the Log type.
Select Syslog as the Collector type.
Configure the following input parameters as per the configuration done previously:
- Protocol: specify the protocol.
- Address: specify the target IP address or hostname where the collector resides and addresses to the syslog data.
- Port: specify the target port where the collector resides and listens for syslog data.
Click Submit.

For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation. For information about requirements for each forwarder type, see Forwarder configuration by type. If you encounter issues when you create forwarders, contact Google Security Operations support.

Field mapping reference

This parser handles Cisco ACS logs, including authentication, accounting, diagnostics, and system statistics. It uses grok patterns to extract fields from various log formats (SYSLOG + KV, LEEF), normalizes timestamps and timezones, and maps key fields to the UDM, handling different log types with specific logic for authentication successes/failures, TACACS+ accounting, and RADIUS events. It also enriches the UDM with additional fields like device information and authentication details.

UDM Mapping Table

Log Field	UDM Mapping	Logic
`Acct-Authentic`	`additional.fields[].value.string_value`	Value is taken from the `Acct-Authentic` field.
`Acct-Delay-Time`	`additional.fields[].value.string_value`	Value is taken from the `Acct-Delay-Time` field.
`Acct-Input-Octets`	`additional.fields[].value.string_value`	Value is taken from the `Acct-Input-Octets` field.
`Acct-Input-Packets`	`additional.fields[].value.string_value`	Value is taken from the `Acct-Input-Packets` field.
`Acct-Output-Octets`	`additional.fields[].value.string_value`	Value is taken from the `Acct-Output-Octets` field.
`Acct-Output-Packets`	`additional.fields[].value.string_value`	Value is taken from the `Acct-Output-Packets` field.
`Acct-Session-Id`	`additional.fields[].value.string_value`	Value is taken from the `Acct-Session-Id` field.
`Acct-Session-Time`	`additional.fields[].value.string_value`	Value is taken from the `Acct-Session-Time` field.
`Acct-Status-Type`	`additional.fields[].value.string_value`	Value is taken from the `Acct-Status-Type` field.
`Acct-Terminate-Cause`	`additional.fields[].value.string_value`	Value is taken from the `Acct-Terminate-Cause` field.
`ACSVersion`	`additional.fields[].value.string_value`	Value is taken from the `ACSVersion` field.
`AD-Domain`	`principal.group.group_display_name`	Value is taken from the `AD-Domain` field.
`AD-IP-Address`	`principal.ip`	Value is taken from the `AD-IP-Address` field.
`Called-Station-ID`	`additional.fields[].value.string_value`	Value is taken from the `Called-Station-ID` field.
`Calling-Station-ID`	`additional.fields[].value.string_value`	Value is taken from the `Calling-Station-ID` field.
`Class`	`additional.fields[].value.string_value`	Value is taken from the `Class` field.
`CmdSet`	(not mapped)	Not mapped to the IDM object.
`ConfigVersionId`	`additional.fields[].value.number_value`	Value is taken from the `ConfigVersionId` field and converted to a float.
`DestinationIPAddress`	`target.ip`, `intermediary.ip`	Value is taken from the `DestinationIPAddress` field. `intermediary.ip` is derived from `Device IP Address`.
`DestinationPort`	`target.port`	Value is taken from the `DestinationPort` field and converted to an integer.
`Device IP Address`	`intermediary.ip`	Value is taken from the `Device IP Address` field.
`Device Port`	`intermediary.port`	Value is taken from the `Device Port` field and converted to an integer.
`DetailedInfo`	`security_result.summary`, `security_result.description`, `security_result.action`	If `DetailedInfo` is "Authentication succeed", `security_result.summary` is "successful login occurred" and `security_result.action` is ALLOW. If `DetailedInfo` contains "Invalid username or password specified", `security_result.summary` is "failed login occurred" and `security_result.action` is BLOCK. `security_result.description` is derived from `log_header`.
`Framed-IP-Address`	`principal.ip`	Value is taken from the `Framed-IP-Address` field.
`Framed-Protocol`	`additional.fields[].value.string_value`	Value is taken from the `Framed-Protocol` field.
`NAS-IP-Address`	`target.ip`	Value is taken from the `NAS-IP-Address` field.
`NAS-Port`	`additional.fields[].value.string_value`	Value is taken from the `NAS-Port` field.
`NAS-Port-Id`	`target.port`	Value is taken from the `NAS-Port-Id` field and converted to an integer.
`NAS-Port-Type`	`additional.fields[].value.string_value`	Value is taken from the `NAS-Port-Type` field.
`NetworkDeviceName`	`target.hostname`	Value is taken from the `NetworkDeviceName` field.
`Protocol`	`additional.fields[].value.string_value`	Value is taken from the `Protocol` field.
`RadiusPacketType`	(not mapped)	Not mapped to the IDM object.
`Remote-Address`	`principal.ip`, `target.ip`	Value is taken from the `Remote-Address` field and parsed as an IP address. It is mapped to `principal.ip` for authentication events and `target.ip` for accounting and diagnostic events.
`RequestLatency`	`additional.fields[].value.string_value`	Value is taken from the `RequestLatency` field.
`Response`	`principal.user.userid`	If `Response` contains "User-Name", the username is extracted and mapped to `principal.user.userid`.
`SelectedAccessService`	`additional.fields[].value.string_value`	Value is taken from the `SelectedAccessService` field.
`SelectedAuthenticationIdentityStores`	`security_result.detection_fields[].value`	Value is taken from the `SelectedAuthenticationIdentityStores` field.
`SelectedAuthorizationProfiles`	`security_result.detection_fields[].value`	Value is taken from the `SelectedAuthorizationProfiles` field.
`Service-Type`	`additional.fields[].value.string_value`	Value is taken from the `Service-Type` field.
`Tunnel-Client-Endpoint`	`additional.fields[].value.string_value`	Value is taken from the `Tunnel-Client-Endpoint` field and parsed as an IP address.
`User`	`target.user.userid`	Value is taken from the `User` field.
`UserName`	`target.user.userid`, `principal.mac`	If `UserName` is a MAC address, it is parsed and mapped to `principal.mac`. Otherwise, it is mapped to `target.user.userid`.
`ac-user-agent`	`network.http.user_agent`	Value is taken from the `ac-user-agent` field.
`cat`	`metadata.description`	Value is taken from the `cat` field.
`device-mac`	`principal.mac`	Value is taken from the `device-mac` field, colons are added, and the value is converted to lowercase. If `device-mac` is "00", it is replaced with "00:00:00:00:00:00".
`device-platform`	`principal.asset.platform_software.platform`	If `device-platform` is "win", the value "WINDOWS" is assigned to `principal.asset.platform_software.platform`.
`device-platform-version`	`principal.asset.platform_software.platform_version`	Value is taken from the `device-platform-version` field.
`device-public-mac`	`principal.mac`	Value is taken from the `device-public-mac` field, hyphens are replaced with colons, and the value is converted to lowercase.
`device-type`	`principal.asset.hardware.model`	Value is taken from the `device-type` field.
`device-uid`	`principal.asset.asset_id`	Value is taken from the `device-uid` field and prepended with "ASSET ID: ".
`device-uid-global`	`principal.asset.product_object_id`	Value is taken from the `device-uid-global` field.
`hostname`	`principal.hostname`	Value is taken from the `hostname` field.
`ip:source-ip`	`principal.ip`	Value is taken from the `ip:source-ip` field.
`kv.ADDomain`	(not mapped)	Not mapped to the IDM object.
`kv.Airespace-Wlan-Id`	(not mapped)	Not mapped to the IDM object.
`kv.AuthenticationIdentityStore`	(not mapped)	Not mapped to the IDM object.
`kv.AVPair`	(not mapped)	Not mapped to the IDM object.
`kv.CVPN3000/ASA/PIX7.x-DAP-Tunnel-Group-Name`	(not mapped)	Not mapped to the IDM object.
`kv.CVPN3000/ASA/PIX7.x-Group-Based-Address-Pools`	(not mapped)	Not mapped to the IDM object.
`kv.ExternalGroups`	(not mapped)	Not mapped to the IDM object.
`kv.FailureReason`	(not mapped)	Not mapped to the IDM object.
`kv.IdentityAccessRestricted`	(not mapped)	Not mapped to the IDM object.
`kv.IdentityGroup`	(not mapped)	Not mapped to the IDM object.
`kv.NAS-Identifier`	(not mapped)	Not mapped to the IDM object.
`kv.SelectedShellProfile`	(not mapped)	Not mapped to the IDM object.
`kv.ServiceSelectionMatchedRule`	(not mapped)	Not mapped to the IDM object.
`kv.State`	(not mapped)	Not mapped to the IDM object.
`kv.Step`	(not mapped)	Not mapped to the IDM object.
`kv.Tunnel-Medium-Type`	(not mapped)	Not mapped to the IDM object.
`kv.Tunnel-Private-Group-ID`	(not mapped)	Not mapped to the IDM object.
`kv.Tunnel-Type`	(not mapped)	Not mapped to the IDM object.
`kv.UseCase`	(not mapped)	Not mapped to the IDM object.
`kv.UserIdentityGroup`	(not mapped)	Not mapped to the IDM object.
`kv.VendorSpecific`	(not mapped)	Not mapped to the IDM object.
`kv.attribute-131`	(not mapped)	Not mapped to the IDM object.
`kv.attribute-89`	(not mapped)	Not mapped to the IDM object.
`kv.cisco-av-pair`	(not mapped)	Not mapped to the IDM object.
`kv.cisco-av-pair:CiscoSecure-Group-Id`	(not mapped)	Not mapped to the IDM object.
`leef_version`	(not mapped)	Not mapped to the IDM object.
`log_header`	`metadata.description`	Value is taken from the `log_header` field.
`log_id`	`metadata.product_log_id`	Value is taken from the `log_id` field.
`log_type`	`metadata.product_event_type`	Value is taken from the `log_type` field.
`message_severity`	(not mapped)	Not mapped to the IDM object.
`product`	`metadata.product_name`	Value is taken from the `product` field.
`product_version`	`metadata.product_version`	Value is taken from the `product_version` field.
`server_host`	`target.hostname`	Value is taken from the `server_host` field.
`timestamp`	`metadata.event_timestamp`	Value is taken from the `timestamp` field and the `timezone` field (after removing the colon). The combined value is parsed as a timestamp.
`url`	`network.dns.questions[].name`	Value is taken from the `url` field.
`vendor`	`metadata.vendor_name`	Value is taken from the `vendor` field. Set to "GENERIC_EVENT" initially, then potentially overwritten based on the `log_type` and parsed fields. Can be "USER_LOGIN", "USER_UNCATEGORIZED", "NETWORK_DNS", "NETWORK_CONNECTION", "STATUS_UPDATE", or "STATUS_UNCATEGORIZED". Set to "Cisco" initially, then potentially overwritten by the `vendor` field. Set to "ACS" initially, then potentially overwritten by the `product` field. Set to "CISCO_ACS". Set to "USERNAME_PASSWORD". Set to "TACACS". Set to "UDP" for RADIUS accounting and diagnostic events. Set to "DNS" for DNS events. Derived from the `security_action` field, which is set based on whether the login was successful or not. Set to "successful login occurred" for successful logins and "failed login occurred" for failed logins. May also be set to "passed" for certain identity store diagnostic events. Set to "LOW" for failed login attempts. Constructed by prepending "ASSET ID: " to the `device-uid` field.

Changes

2023-09-26

Enhancement -
Initialized "hostname" to null and added a hostname not null check prior setting "metadata.event_type" to "STATUS_UPDATE".
Added a valid IP address check to "kv.DeviceIPAddress", "kv.Remote-Address" prior to mapping to UDM fields.

2022-08-19

Enhancement -
Mapped "User-Name" to "principal.user.userid".
Renamed ip:source-ip" to "source_ip" and Mapped it to "principal.ip".
Renamed "kv.audit-session-id" to "kv.audit_session_id" and Mapped it to "network.session_id".
Mapped "kv.AuthenticationMethod" to "additional.fields".
Mapped "kv.SelectedAccessService" to "additional.fields".
Mapped "kv.SelectedAuthorizationProfiles" to "security_result.detection_fields".
Mapped "kv.SelectedAuthenticationIdentityStores" to "security_result.detection_fields".
Mapped "kv.device-uid-global" to "principal.asset.product_object_id".
Mapped "kv.device-uid" to "principal.asset.asset_id".
Mapped "metadata.event_type" to "USER_UNCATEGORIZED" where kv.DestinationIPAddress and kv.NAS-IP-Address and kv.NAS-IP-Address and kv.UserName and kv.NetworkDeviceName is null.
Added support for logs with LEEF format.

2022-06-14

Enhancement - Modified grok to parse logs of log_type = "CSCOacs_Passed_Authentications" which were failing due to multiple spaces.
Replaced the value of 'device-mac' with the dummy value of "00:00:00:00:00:00" for logtype "CSCOacs_RADIUS_Accounting" in case of invalid value (00).

2022-06-06

Enhancement - Parsed logs of type "CSCOacs_Passed_Authentications" that doesn't have either of "DestinationIPAddress" or "NAS-IP-Address" present in the logs.
Modified metadata.event_type from "USER_UNCATEGORIZED" to "USER_LOGIN" for logs of type "CSCOacs_Passed_Authentications"

2022-05-05

Enhancement - The newly ingested logs which do not have message code are parsed and dropped.

2022-04-27

Enhancement - Parsed the logs with log_type=CISE_TACACS_Accounting.