Collect Cisco Secure ACS logs
Supported in:
This document describes how you can collect Cisco Secure Access Control Server (ACS) logs by using a Google Security Operations forwarder.
For more information, see Data ingestion to Google Security Operations .
An ingestion label identifies the parser which normalizes raw log data to structured
UDM format. The information in this document applies to the parser with the CISCO_ACS
ingestion label.
Configure Cisco Secure ACS
- Sign in to Cisco Secure ACS console using administrator credentials.
- In the Cisco Secure ACS console, select System administration > Configuration > Log configuration > Remote log targets.
- Click Create.
-
In the Createwindow, specify values for the following fields:
Field Description Name Name of the Google Security Operations forwarder. Description Description of the Google Security Operations forwarder. IP address IP address of the Google Security Operations forwarder. Use advanced syslog options Select this option to enable the advanced syslog options. Target type Select TCP syslog or UDP syslog. Port Use a high port, such as 10514. Facility code LOCAL6 (code = 22; default). Maximum length The recommended value is 1024. -
Click Submit. The Remote log targetswindow appears with the new remote log target configuration.
-
In the Cisco Secure ACS console, select System administration > Configuration > Log configuration > Logging categories > Per-Instance.
-
Select ACS, and then click Configure.
-
In the Per-Instancewindow, select a logging category, and then click Edit.
On the Generaltab, for some logging categories, the logging severity must be set to default or as provided by the vendor.
For Cisco Secure ACS, the default severity is Warnfor all the logging categories except for those for which the severity cannot be changed, such as AAA audit-notice, accounting-notice, administrative and operational audit-notice, and system statistics-notice.
-
Click the Remote syslog targettab and move the newly created remote target from Available targetsto Selected targets.
-
Click Submit.
-
To configure remote targets for other logging categories repeat steps from 8 to 10.
Configure Google Security Operations forwarder and syslog to ingest Cisco Secure ACS logs
- Go to SIEM Settings > Forwarders.
- Click Add new forwarder.
- In the Forwarder Namefield, enter a unique name for the forwarder.
- Click Submit. The forwarder is added and the Add collector configurationwindow appears.
- In the Collector namefield, type a name.
- Select Cisco ACSas the Log type.
- Select Syslogas the Collector type.
- Configure the following mandatory input parameters:
- Protocol: specify the protocol.
- Address: specify the target IP address or hostname where the collector resides and addresses to the syslog data.
- Port: specify the target port where the collector resides and listens for syslog data.
- Click Submit.
For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation . For information about requirements for each forwarder type, see Forwarder configuration by type . If you encounter issues when you create forwarders, contact Google Security Operations support .
Field mapping reference
This parser handles Cisco ACS logs, including authentication, accounting, diagnostics, and system statistics. It uses grok patterns to extract fields from various log formats (SYSLOG + KV, LEEF), normalizes timestamps and timezones, and maps key fields to the UDM, handling different log types with specific logic for authentication successes/failures, TACACS+ accounting, and RADIUS events. It also enriches the UDM with additional fields like device information and authentication details.
UDM Mapping Table
| Log Field | UDM Mapping | Logic |
|---|---|---|
Acct-Authentic
|
additional.fields[].value.string_value
|
Value is taken from the Acct-Authentic
field. |
Acct-Delay-Time
|
additional.fields[].value.string_value
|
Value is taken from the Acct-Delay-Time
field. |
Acct-Input-Octets
|
additional.fields[].value.string_value
|
Value is taken from the Acct-Input-Octets
field. |
Acct-Input-Packets
|
additional.fields[].value.string_value
|
Value is taken from the Acct-Input-Packets
field. |
Acct-Output-Octets
|
additional.fields[].value.string_value
|
Value is taken from the Acct-Output-Octets
field. |
Acct-Output-Packets
|
additional.fields[].value.string_value
|
Value is taken from the Acct-Output-Packets
field. |
Acct-Session-Id
|
additional.fields[].value.string_value
|
Value is taken from the Acct-Session-Id
field. |
Acct-Session-Time
|
additional.fields[].value.string_value
|
Value is taken from the Acct-Session-Time
field. |
Acct-Status-Type
|
additional.fields[].value.string_value
|
Value is taken from the Acct-Status-Type
field. |
Acct-Terminate-Cause
|
additional.fields[].value.string_value
|
Value is taken from the Acct-Terminate-Cause
field. |
ACSVersion
|
additional.fields[].value.string_value
|
Value is taken from the ACSVersion
field. |
AD-Domain
|
principal.group.group_display_name
|
Value is taken from the AD-Domain
field. |
AD-IP-Address
|
principal.ip
|
Value is taken from the AD-IP-Address
field. |
Called-Station-ID
|
additional.fields[].value.string_value
|
Value is taken from the Called-Station-ID
field. |
Calling-Station-ID
|
additional.fields[].value.string_value
|
Value is taken from the Calling-Station-ID
field. |
Class
|
additional.fields[].value.string_value
|
Value is taken from the Class
field. |
CmdSet
|
(not mapped) | Not mapped to the IDM object. |
ConfigVersionId
|
additional.fields[].value.number_value
|
Value is taken from the ConfigVersionId
field and converted to a float. |
DestinationIPAddress
|
target.ip
, intermediary.ip
|
Value is taken from the DestinationIPAddress
field. intermediary.ip
is derived from Device IP Address
. |
DestinationPort
|
target.port
|
Value is taken from the DestinationPort
field and converted to an integer. |
Device IP Address
|
intermediary.ip
|
Value is taken from the Device IP Address
field. |
Device Port
|
intermediary.port
|
Value is taken from the Device Port
field and converted to an integer. |
DetailedInfo
|
security_result.summary
, security_result.description
, security_result.action
|
If DetailedInfo
is "Authentication succeed", security_result.summary
is "successful login occurred" and security_result.action
is ALLOW. If DetailedInfo
contains "Invalid username or password specified", security_result.summary
is "failed login occurred" and security_result.action
is BLOCK. security_result.description
is derived from log_header
. |
Framed-IP-Address
|
principal.ip
|
Value is taken from the Framed-IP-Address
field. |
Framed-Protocol
|
additional.fields[].value.string_value
|
Value is taken from the Framed-Protocol
field. |
NAS-IP-Address
|
target.ip
|
Value is taken from the NAS-IP-Address
field. |
NAS-Port
|
additional.fields[].value.string_value
|
Value is taken from the NAS-Port
field. |
NAS-Port-Id
|
target.port
|
Value is taken from the NAS-Port-Id
field and converted to an integer. |
NAS-Port-Type
|
additional.fields[].value.string_value
|
Value is taken from the NAS-Port-Type
field. |
NetworkDeviceName
|
target.hostname
|
Value is taken from the NetworkDeviceName
field. |
Protocol
|
additional.fields[].value.string_value
|
Value is taken from the Protocol
field. |
RadiusPacketType
|
(not mapped) | Not mapped to the IDM object. |
Remote-Address
|
principal.ip
, target.ip
|
Value is taken from the Remote-Address
field and parsed as an IP address. It is mapped to principal.ip
for authentication events and target.ip
for accounting and diagnostic events. |
RequestLatency
|
additional.fields[].value.string_value
|
Value is taken from the RequestLatency
field. |
Response
|
principal.user.userid
|
If Response
contains "User-Name", the username is extracted and mapped to principal.user.userid
. |
SelectedAccessService
|
additional.fields[].value.string_value
|
Value is taken from the SelectedAccessService
field. |
SelectedAuthenticationIdentityStores
|
security_result.detection_fields[].value
|
Value is taken from the SelectedAuthenticationIdentityStores
field. |
SelectedAuthorizationProfiles
|
security_result.detection_fields[].value
|
Value is taken from the SelectedAuthorizationProfiles
field. |
Service-Type
|
additional.fields[].value.string_value
|
Value is taken from the Service-Type
field. |
Tunnel-Client-Endpoint
|
additional.fields[].value.string_value
|
Value is taken from the Tunnel-Client-Endpoint
field and parsed as an IP address. |
User
|
target.user.userid
|
Value is taken from the User
field. |
UserName
|
target.user.userid
, principal.mac
|
If UserName
is a MAC address, it is parsed and mapped to principal.mac
. Otherwise, it is mapped to target.user.userid
. |
ac-user-agent
|
network.http.user_agent
|
Value is taken from the ac-user-agent
field. |
cat
|
metadata.description
|
Value is taken from the cat
field. |
device-mac
|
principal.mac
|
Value is taken from the device-mac
field, colons are added, and the value is converted to lowercase. If device-mac
is "00", it is replaced with "00:00:00:00:00:00". |
device-platform
|
principal.asset.platform_software.platform
|
If device-platform
is "win", the value "WINDOWS" is assigned to principal.asset.platform_software.platform
. |
device-platform-version
|
principal.asset.platform_software.platform_version
|
Value is taken from the device-platform-version
field. |
device-public-mac
|
principal.mac
|
Value is taken from the device-public-mac
field, hyphens are replaced with colons, and the value is converted to lowercase. |
device-type
|
principal.asset.hardware.model
|
Value is taken from the device-type
field. |
device-uid
|
principal.asset.asset_id
|
Value is taken from the device-uid
field and prepended with "ASSET ID: ". |
device-uid-global
|
principal.asset.product_object_id
|
Value is taken from the device-uid-global
field. |
hostname
|
principal.hostname
|
Value is taken from the hostname
field. |
ip:source-ip
|
principal.ip
|
Value is taken from the ip:source-ip
field. |
kv.ADDomain
|
(not mapped) | Not mapped to the IDM object. |
kv.Airespace-Wlan-Id
|
(not mapped) | Not mapped to the IDM object. |
kv.AuthenticationIdentityStore
|
(not mapped) | Not mapped to the IDM object. |
kv.AVPair
|
(not mapped) | Not mapped to the IDM object. |
kv.CVPN3000/ASA/PIX7.x-DAP-Tunnel-Group-Name
|
(not mapped) | Not mapped to the IDM object. |
kv.CVPN3000/ASA/PIX7.x-Group-Based-Address-Pools
|
(not mapped) | Not mapped to the IDM object. |
kv.ExternalGroups
|
(not mapped) | Not mapped to the IDM object. |
kv.FailureReason
|
(not mapped) | Not mapped to the IDM object. |
kv.IdentityAccessRestricted
|
(not mapped) | Not mapped to the IDM object. |
kv.IdentityGroup
|
(not mapped) | Not mapped to the IDM object. |
kv.NAS-Identifier
|
(not mapped) | Not mapped to the IDM object. |
kv.SelectedShellProfile
|
(not mapped) | Not mapped to the IDM object. |
kv.ServiceSelectionMatchedRule
|
(not mapped) | Not mapped to the IDM object. |
kv.State
|
(not mapped) | Not mapped to the IDM object. |
kv.Step
|
(not mapped) | Not mapped to the IDM object. |
kv.Tunnel-Medium-Type
|
(not mapped) | Not mapped to the IDM object. |
kv.Tunnel-Private-Group-ID
|
(not mapped) | Not mapped to the IDM object. |
kv.Tunnel-Type
|
(not mapped) | Not mapped to the IDM object. |
kv.UseCase
|
(not mapped) | Not mapped to the IDM object. |
kv.UserIdentityGroup
|
(not mapped) | Not mapped to the IDM object. |
kv.VendorSpecific
|
(not mapped) | Not mapped to the IDM object. |
kv.attribute-131
|
(not mapped) | Not mapped to the IDM object. |
kv.attribute-89
|
(not mapped) | Not mapped to the IDM object. |
kv.cisco-av-pair
|
(not mapped) | Not mapped to the IDM object. |
kv.cisco-av-pair:CiscoSecure-Group-Id
|
(not mapped) | Not mapped to the IDM object. |
leef_version
|
(not mapped) | Not mapped to the IDM object. |
log_header
|
metadata.description
|
Value is taken from the log_header
field. |
log_id
|
metadata.product_log_id
|
Value is taken from the log_id
field. |
log_type
|
metadata.product_event_type
|
Value is taken from the log_type
field. |
message_severity
|
(not mapped) | Not mapped to the IDM object. |
product
|
metadata.product_name
|
Value is taken from the product
field. |
product_version
|
metadata.product_version
|
Value is taken from the product_version
field. |
server_host
|
target.hostname
|
Value is taken from the server_host
field. |
timestamp
|
metadata.event_timestamp
|
Value is taken from the timestamp
field and the timezone
field (after removing the colon). The combined value is parsed as a timestamp. |
url
|
network.dns.questions[].name
|
Value is taken from the url
field. |
vendor
|
metadata.vendor_name
|
Value is taken from the vendor
field. Set to "GENERIC_EVENT" initially, then potentially overwritten based on the log_type
and parsed fields. Can be "USER_LOGIN", "USER_UNCATEGORIZED", "NETWORK_DNS", "NETWORK_CONNECTION", "STATUS_UPDATE", or "STATUS_UNCATEGORIZED". Set to "Cisco" initially, then potentially overwritten by the vendor
field. Set to "ACS" initially, then potentially overwritten by the product
field. Set to "CISCO_ACS". Set to "USERNAME_PASSWORD". Set to "TACACS". Set to "UDP" for RADIUS accounting and diagnostic events. Set to "DNS" for DNS events. Derived from the security_action
field, which is set based on whether the login was successful or not. Set to "successful login occurred" for successful logins and "failed login occurred" for failed logins. May also be set to "passed" for certain identity store diagnostic events. Set to "LOW" for failed login attempts. Constructed by prepending "ASSET ID: " to the device-uid
field. |
Need more help? Get answers from Community members and Google SecOps professionals.
