Cisco ACS
About
ACS is a policy-based security server that provides standards-compliant Authentication, Authorization, and Accounting (AAA) services to your network. ACS facilitates the administrative management of Cisco and non-Cisco devices and applications.
Product Details
Vendor URL: Cisco ACS
Product Type: Authentication
Product Tier: Tier I
Integration Method: Syslog
Log Guide: Cisco ACS 5.8 Log Guide
Parser Details
Log Format: Syslog (CSV), CEF
Expected Normalization Rate: 95%
Data Label: CISCO_ACS
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| log_header | security_result.description |
| security_action | security_result.action |
| DestinationPort | target.port |
| NAS-Port-Id | target.port |
| DestinationIPAddress | target.ip |
| Remote-Address | target.ip |
| DevicePort | intermediary.port |
| DeviceIPAddress | intermediary.ip |
| UserName | target.user.userid |
| User | target.user.userid |
| Remote-Address | principal.ip |
| DeviceIPAddress | principal.ip |
| AD-IP-Address | principal.ip |
| port | principal.port |
| DevicePort | principal.port |
| AD-Domain | principal.group.group_display_name |
| mac | principal.mac |
| NetworkDeviceName | target.hostname |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| CSCOacs_RADIUS_Accounting | NETWORK_CONNECTION |
| CSCOacs_RADIUS_Diagnostics | NETWORK_CONNECTION |
| CSCOacs_System_Statistics | STATUS_UNCATEGORIZED |
| CSCOacs_Passed_Authentications | USER_UNCATEGORIZED |
| CSCOacs_Failed_Attempts | USER_UNCATEGORIZED |
| CSCOacs_TACACS_Accounting | USER_UNCATEGORIZED |
| CSCOacs_TACACS_Diagnostics | USER_UNCATEGORIZED |
| CSCOacs_Authentication_Flow_Diagnostics | USER_UNCATEGORIZED |
| CSCOacs_Identity_Stores_Diagnostics | USER_UNCATEGORIZED |
| CSCOacs_Policy_Diagnostics | USER_UNCATEGORIZED |
| CISE_Passed_Authentications | USER_UNCATEGORIZED |
| all others | GENERIC_EVENT |
Log Sample
<181>Feb 28 12:30:53 acsserver01 CSCOacs_Failed_Attempts 0085276656 2 0 2021-02-28 12:30:53.906 -08:00 0780432664 5400 NOTICE Failed-Attempt: Authentication failed, ACSVersion=acs-5.8.0.32-B.442.x86_64, ConfigVersionId=937, Device IP Address=192.168.0.2, Device Port=2912, DestinationIPAddress=172.26.5.4, DestinationPort=8080, RadiusPacketType=AccessRequest, UserName=janedoe, Protocol=Radius, RequestLatency=0, User-Name=janedoe, NAS-IP-Address=192.168.3.5, NAS-Port=141748176, Called-Station-ID=10.2.0.3, Calling-Station-ID=172.28.0.1, NAS-Port-Type=Virtual, Tunnel-Client-Endpoint=(tag=0) 172.28.0.1, cisco-av-pair=ip:source-ip=172.28.0.1, CVPN3000/ASA/PIX7.x-DAP-Tunnel-Group-Name=DefaultWEBVPNGroup, AcsSessionID=asgu-acs-01/341460688/30718454, SelectedAccessService=DUO - AnyConnect, FailureReason=11054 , Step=11001 , Step=11017 , Step=15008 , Step=15004 , Step=15012 , Step=11054 , Step=11003 , NetworkDeviceName=Cisco ASA - AnyConnect VPN,
Sample Parsing
metadata.event_type "USER_UNCATEGORIZED"
metadata.vendor_name "Cisco"
metadata.product_name "ACS"
metadata.product_event_type "CSCOacs_Failed_Attempts"
metadata.description "Authentication failed"
principal.hostname "acsserver01"
target.hostname "Cisco ASA - AnyConnect VPN"
target.user.userid "janedoe"
target.ip "172.26.5.4"
target.port "8080"
intermediary.ip "192.168.0.2"
intermediary.port "2912"
security_result.summary "failed login occurred"
security_result.description "Authentication failed"
security_result.action "BLOCK"
security_result.severity "LOW"
extensions.auth.type "TACACS"
extensions.auth.mechanism "USERNAME_PASSWORD"
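As an added example, not part of this parser documentation or of the product's own parser, the Python below normalises the Failed_Attempts log sample above into the flat UDM field names from the mapping table, keeping the repeated Step keys as a list and tolerating the trailing comma. The input is a constructed, shortened copy of the page's sample, the EVENT_TYPES table is abridged, and the `steps` key is an assumption for triage rather than a UDM field.

```python
import re
# Constructed input: the Failed_Attempts sample from this page, shortened to the fields used below.
SAMPLE = ('<181>Feb 28 12:30:53 acsserver01 CSCOacs_Failed_Attempts 0085276656 2 0 '
          '2021-02-28 12:30:53.906 -08:00 0780432664 5400 NOTICE Failed-Attempt: '
          'Authentication failed, ACSVersion=acs-5.8.0.32-B.442.x86_64, Device IP Address='
          '192.168.0.2, Device Port=2912, DestinationIPAddress=172.26.5.4, DestinationPort='
          '8080, UserName=janedoe, FailureReason=11054 , Step=11001 , Step=11017 , '
          'Step=11054 , NetworkDeviceName=Cisco ASA - AnyConnect VPN,')
# Header layout in the sample: <PRI>syslog-ts host MSG_TYPE msg-id segs seg acs-ts tz seq code SEVERITY body
HEADER = re.compile(r'^<\d+>\w{3} +\d+ [\d:]+ (?P<host>\S+) (?P<msg_type>\S+) \d+ \d+ \d+ '
                    r'\S+ \S+ [+-]\d\d:\d\d \d+ \d+ (?P<severity>[A-Z]+) (?P<body>.*)$')

# Product Event Types table on this page, abridged: the other CSCOacs_* types there are USER_UNCATEGORIZED.
EVENT_TYPES = {'CSCOacs_RADIUS_Accounting': 'NETWORK_CONNECTION',
               'CSCOacs_RADIUS_Diagnostics': 'NETWORK_CONNECTION',
               'CSCOacs_System_Statistics': 'STATUS_UNCATEGORIZED',
               'CSCOacs_Failed_Attempts': 'USER_UNCATEGORIZED'}

# Log-field to UDM mapping for a Failed_Attempts record (the sample spells the device fields with spaces).
FIELD_MAP = {'DestinationIPAddress': 'target.ip', 'DestinationPort': 'target.port',
             'Device IP Address': 'intermediary.ip', 'DeviceIPAddress': 'intermediary.ip',
             'Device Port': 'intermediary.port', 'DevicePort': 'intermediary.port',
             'UserName': 'target.user.userid', 'NetworkDeviceName': 'target.hostname'}

def parse_body(body):
    """Split 'Header: text, k=v, ..., Step=n , Step=m ,' into (log_header, fields); repeated
    keys such as Step become a list instead of overwriting each other."""
    parts = [p.strip() for p in body.split(',')]
    fields = {}
    for part in parts[1:]:
        if '=' in part:              # the trailing comma leaves an empty last element
            key, value = (s.strip() for s in part.split('=', 1))
            fields.setdefault(key, []).append(value)
    return parts[0], {k: v if len(v) > 1 else v[0] for k, v in fields.items()}

def to_udm(line):
    m = HEADER.match(line)
    if not m:
        return None                  # not an ACS record
    log_header, fields = parse_body(m['body'])
    kind, _, desc = log_header.partition(':')   # "Failed-Attempt: Authentication failed"
    udm = {'metadata.event_type': EVENT_TYPES.get(m['msg_type'], 'GENERIC_EVENT'),
           'metadata.vendor_name': 'Cisco', 'metadata.product_name': 'ACS',
           'metadata.product_event_type': m['msg_type'], 'principal.hostname': m['host'],
           'metadata.description': desc.strip(), 'security_result.description': desc.strip()}
    if kind.startswith('Failed'):    # a Failed-Attempt header normalises to BLOCK
        udm['security_result.action'] = 'BLOCK'
    udm.update((f, fields[k]) for k, f in FIELD_MAP.items() if k in fields)
    udm['steps'] = fields.get('Step', [])       # assumed helper key: ordered policy steps
    return udm
```

Running `to_udm(SAMPLE)` yields the same values as the Sample Parsing section above for the fields it covers; a line whose header does not match returns None so it can fall through to a generic path.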