Cisco IOS Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Proprietary software used in Cisco routers and switches for robust network traffic management including data, voice, and video across communications environments.

This technology pack will process Cisco IOS syslog messages, providing normalization and enrichment of common events of interest.

Supported Version(s)

Cisco IOS XE 17.14.x

Requirements

Cisco IOS XE 17.14.x
Graylog 5.2.6+

Stream Configuration

This technology pack includes 1 stream:

"Illuminate:Cisco Device Messages"

Hint: If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

Cisco Devices Event Log Messages

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection and Delivery

Users may send logs via syslog or raw format (TCP or UDP). Cisco products often include timestamps in logs that may not be compatible with Graylog. If this occurs, we recommend you send logs to a raw input.

Syslog or RAW Input

Configure the Cisco IOS device to send syslog to your Graylog server: logging host <graylog-ip>
Set the logging severity level: logging trap informational
Enable timestamps: service timestamps log datetime msec
See the Graylog documentation for information on creating a Syslog or RAW/Plaintext input.

Log Format Examples

These are example logs for the various processed log types.

SEC_LOGIN - Authentication Events

Mar 12 18:46:11: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: vijay.rana] [Source: 172.17.27.132] [localport: 22] at 13:13:16 IST Fri Apr 7 2023 Mar 12 18:46:11: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 172.17.27.132] [localport: 22] [Reason: Login Authentication Failed] at 13:12:59 IST Fri Apr 7 2023

AAA - Account Lock/Unlock Events

Jul 12 00:33:29: %AAA-5-USER_LOCKED: User user1 locked out on authentication failure. Jul 12 00:19:44: %AAA-5-USER_UNLOCKED: User cisco unlocked by console (cierswbv5-te-lab19-sc, SJ)

SEC - IP Access List Log Events

Aug 17 02:41:39.326: %SEC-6-IPACCESSLOGP: list 105 denied udp 192.168.12.157(55250) -> 192.168.12.255(11550), 1 packet Aug 17 02:43:20.346: %SEC-6-IPACCESSLOGSP: list INBOUND-ON-F11 denied igmp 192.168.110.10 -> 224.0.0.2 (20), 1 packet Feb 8 03:11:47.272: %SEC-6-IPACCESSLOGRP: list 105 denied igmp 198.51.100.197 -> 224.0.0.22, 1 packet Aug 17 02:43:28.403: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 192.168.12.202 -> 198.51.100.1 (3/3), 32 packets Feb 9 03:11:47.272: %SEC-6-IPACCESSLOGNP: list INBOUND denied 113 192.168.110.10 -> 224.0.0.2 (20), 1 packet Aug 17 02:43:28.403: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 23 packets

URLF - URL Filtering Events

Mar 12 18:46:11: %URLF-4-URL_BLOCKED: Access denied URL http://www.google.com; client 12.54.192.6:54678 server 64.192.14.2:80 Mar 12 18:46:11: %URLF-6-URL_ALLOWED: Access allowed for URL http://www.websense.com/; client 10.54.192.6:54123 server 192.168.0.1:80 Mar 12 18:46:11: %URLF-4-SITE_BLOCKED: Access denied for the site 'www.sports.com'; client 10.54.192.6:34557 server 172.24.50.12:80 Mar 12 18:46:11: %URLF-6-SITE_ALLOWED: Client 10.0.0.39:2848 accessed server 80.239.156.195:80 Mar 12 18:46:11: %URLF-3-SERVER_DOWN: 8.8.8.8 Mar 12 18:46:11: %URLF-5-SERVER_UP: 8.8.8.8 Mar 12 18:46:11: %URLF-3-ALLOW_MODE: Connection to all URL filter servers are down and ALLOW MODE is ON

AUTHMGR, CRYPTO, SYS, LINK, LINEPROTO, SSH, PARSER, SNMP Events

Apr 25 14:30:38: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on GigabitEthernet0/15, New MAC address 00:1B:44:11:3A:B7 is seen Apr 25 10:31:02: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is down, destination: 192.168.1.2 Apr 25 10:17:45: %SYS-5-CONFIG_I: Configured from console by user1 on vty0 (10.1.1.1) Feb 8 08:52:05.068: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up Feb 14 09:40:10.326: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up Feb 14 12:02:38: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down Apr 25 14:30:45: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.100.50 (tty = 0) using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256' Succeeded Apr 25 14:31:22: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.100.50 (tty = 0) for user 'admin' using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256' closed Apr 25 14:32:10: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 192.168.100.75 Apr 25 10:18:02: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:interface GigabitEthernet0/0 Apr 25 14:33:05: %SNMP-3-AUTH_FAILURE: Authentication failure for SNMP request from host 192.168.1.100

What is Provided

Parsing rules for normalization and enrichment of Cisco IOS syslog messages.
Categorization for 30 log types including SEC, LINK, LINEPROTO, CRYPTO, AUTHMGR, SYS, SEC_LOGIN, AAA, URLF, SSH, PARSER, and SNMP event categories.

GIM Categorization

GIM categorization is provided for the following messages:

GIM Categorization ▼

vendor_event_type	gim_event_type_code	gim_event_category	gim_event_subcategory	gim_event_type
SEC_LOGIN-5-LOGIN_SUCCESS	100000	authentication	authentication.logon	logon
SEC_LOGIN-4-LOGIN_FAILED	100500	authentication	authentication.credential validation	credential validation
AAA-5-USER_LOCKED	111500	iam	iam.object disable	account locked
AAA-5-USER_UNLOCKED	112000	iam	iam.object enable	account unlocked
SEC-6-IPACCESSLOGRP	120000	network	network.network connection	network connection
SEC-6-IPACCESSLOGSP	120000	network	network.network connection	network connection
SEC-6-IPACCESSLOGP	120000	network	network.network connection	network connection
SEC-6-IPACCESSLOGDP	120000	network	network.network connection	network connection
SEC-6-IPACCESSLOGNP	120000	network	network.network connection	network connection
SEC-6-IPACCESSLOGRL	120000	network	network.network connection	network connection
URLF-4-URL_BLOCKED	180300\|120000	http / network	http.proxied / network.network connection	http proxied communication / network connection
URLF-6-URL_ALLOWED	180300\|120000	http / network	http.proxied / network.network connection	http proxied communication / network connection
URLF-4-SITE_BLOCKED	180300\|120000	http / network	http.proxied / network.network connection	http proxied communication / network connection
URLF-6-SITE_ALLOWED	120000	network	network.network connection	network connection
URLF-3-SERVER_DOWN	120000	network	network.network connection	network connection
URLF-6-SERVER_DOWN	120000	network	network.network connection	network connection
URLF-5-SERVER_UP	120000	network	network.network connection	network connection
URLF-6-SERVER_UP	120000	network	network.network connection	network connection
URLF-3-ALLOW_MODE	120000	network	network.network connection	network connection
AUTHMGR-5-SECURITY_VIOLATION	101501	authentication	authentication.access policy	device policy violation
CRYPTO-5-SESSION_STATUS	120000	network	network.network connection	network connection
SYS-5-CONFIG_I	211000	endpoint	service.configuration	service configuration change
SSH-5-SSH2_SESSION	100000	authentication	authentication.logon	logon
SSH-5-SSH2_CLOSE	120300	network	network.close	network connection ended
SSH-4-SSH2_UNEXPECTED_MSG	100500	authentication	authentication.credential validation	credential validation
PARSER-5-CFGLOG_LOGGEDCMD	211000	endpoint	service.configuration	service configuration change
SNMP-3-AUTH_FAILURE	100500	authentication	authentication.credential validation	credential validation

Message Fields Included in This Pack

General Fields

These fields are extracted from all Cisco IOS syslog messages.

General Fields ▼

Field Name	Example Value	Field Type	Description
event_source_product	CISCO-IOS	keyword	Identifies the log source as Cisco IOS
vendor_facility	SEC_LOGIN	keyword	The Cisco IOS facility component extracted from the event type (e.g. SEC, AAA, URLF)
vendor_subtype	LOGIN_SUCCESS	keyword	The Cisco IOS mnemonic component extracted from the event type
vendor_event_severity	notice	keyword	The Cisco IOS severity label mapped from the numeric severity level
vendor_event_severity_level	5	long	The numeric Cisco IOS severity level (0=emergency through 7=debug)
event_severity	low	keyword	The GIM severity label mapped from the vendor severity level
event_severity_level	2	long	The GIM severity level (1=informational through 5=critical)
gim_event_type_code	100000	keyword	The GIM event type code assigned to this event

Authentication Fields (SEC_LOGIN)

Additional fields extracted for SEC_LOGIN login success and failure events.

Authentication Fields ▼

Field Name	Example Value	Field Type	Description
application_name	cisco-ios	keyword	Set to 'cisco-ios' for SEC_LOGIN events
user_name	admin	keyword	The username that attempted to log in
source_ip	172.17.27.132	ip	The source IP address of the login attempt
source_port	22	long	The local port used for the login session
event_outcome	success	keyword	The normalized outcome: success or failure
vendor_event_outcome	Success	keyword	The raw outcome string extracted from the log
vendor_event_outcome_reason	Login Authentication Failed	keyword	The reason for login failure, if provided

IAM Fields (AAA)

Additional fields extracted for AAA account lock and unlock events.

IAM Fields ▼

Field Name	Example Value	Field Type	Description
user_name	user1	keyword	The username that was locked or unlocked
source_user_name	console (hostname, SJ)	keyword	The user or entity that performed the unlock action (AAA-5-USER_UNLOCKED only)

ACL Log Fields (SEC-6-IPACCESSLOG*)

Fields extracted from IP access list log events (6 variants: LOGP, LOGSP, LOGRP, LOGDP, LOGNP, LOGRL).

ACL Log Fields ▼

Field Name	Example Value	Field Type	Description
source_ip	192.168.12.157	ip	Source IP address from the ACL log entry
source_port	55250	long	Source port from the ACL log entry (TCP/UDP)
destination_ip	192.168.12.255	ip	Destination IP address from the ACL log entry
destination_port	11550	long	Destination port from the ACL log entry (TCP/UDP)
network_protocol	udp	keyword	The network protocol (tcp, udp, icmp, igmp, etc.)
event_action	blocked	keyword	The normalized action: allowed or blocked
vendor_event_action	denied	keyword	The raw action string from the log (denied, permitted, etc.)
vendor_list_id	105	keyword	The ACL name or number that triggered the log entry
vendor_packet_count	1	keyword	The number of packets matched by this ACL entry
vendor_icmp_type	3	keyword	The ICMP type number (ICMP events only)
icmp_code	3	keyword	The ICMP code number (ICMP events only)

URL Filter Fields (URLF-*)

Fields extracted from URL filtering events (URL_BLOCKED, URL_ALLOWED, SITE_BLOCKED, SITE_ALLOWED, SERVER_DOWN, SERVER_UP, ALLOW_MODE).

URL Filter Fields ▼

Field Name	Example Value	Field Type	Description
source_ip	10.54.192.6	ip	Source IP address of the client
source_port	54678	long	Source port of the client connection
destination_ip	64.192.14.2	ip	Destination IP address of the server
destination_port	80	long	Destination port of the server connection
http_uri	http://www.google.com	keyword	The URL or site name that was filtered (URL_BLOCKED, URL_ALLOWED, SITE_BLOCKED)
event_action	blocked	keyword	The normalized action: allowed or blocked
vendor_event_action	denied	keyword	The raw action string from the log
network_transport	NETWORK_TRANSPORT_NOT_DEFINED	keyword	Set to a static placeholder as transport is not present in these logs

Other Event Fields (AUTHMGR, CRYPTO, SYS, LINK, LINEPROTO, SSH, PARSER, SNMP)

Fields extracted from network infrastructure, device management, SSH session, configuration logging, and SNMP authentication events.

Other Event Fields ▼

Field Name	Example Value	Field Type	Description
vendor_interface_name	GigabitEthernet0/1	keyword	The network interface name (LINK, LINEPROTO, AUTHMGR events)
vendor_interface_state	up	keyword	The interface or tunnel state (LINK, LINEPROTO, CRYPTO events)
destination_ip	192.168.1.2	ip	Destination IP of the VPN tunnel (CRYPTO events)
mac_address	00:1B:44:11:3A:B7	keyword	The MAC address of the violating device (AUTHMGR-SECURITY_VIOLATION)
source_ip	10.1.1.1	ip	Source IP of the managing terminal (SYS-CONFIG_I) or SSH/SNMP client
vendor_crypto_cipher	aes256-ctr	keyword	The encryption cipher used in the SSH session (SSH events)
vendor_crypto_hmac	hmac-sha2-256	keyword	The HMAC algorithm used in the SSH session (SSH events)
vendor_tty_line	0	long	The TTY line number of the SSH session (SSH events)
user_name	admin	keyword	Username of the SSH session user (SSH-5-SSH2_CLOSE, PARSER-5-CFGLOG_LOGGEDCMD)
vendor_event_description	interface GigabitEthernet0/0	keyword	The command text that was entered and logged (PARSER-5-CFGLOG_LOGGEDCMD)
event_outcome	success	keyword	The normalized event outcome (SSH-5-SSH2_SESSION: success; SNMP-3-AUTH_FAILURE: failure)
vendor_event_outcome	Succeeded	keyword	The raw outcome string from the log

Cisco IOS Spotlight

The Cisco IOS Spotlight offers an overview dashboard with three tabs: Overview, Network, and Authentication.