Cisco Software Defined WAN¶
About¶
Cisco SD-WAN is a cloud-first architecture that separates data and control planes, managed through the Cisco vManage console. You can quickly establish an SD-WAN overlay fabric to connect data centers, branches, campuses, and colocation facilities to improve network speed, security, and efficiency.
Product Details¶
Vendor URL: Cisco Software Defined WAN
Product Type: Network Management
Product Tier: Tier III
Integration Method: Syslog
Integration URL: Configure System Logging for Cisco IOS XE SD-WAN Devices
Log Guide: Cisco SD-WAN Monitor and Maintain Configuration Guide
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: 90%
Data Label: CISCO_SDWAN
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| source-vpn | additional.fields["source-vpn"] |
| state | additional.fields["state"] |
| svc-vpn-id | additional.fields["svc-vpn-id"] |
| zone-pair | additional.fields["zone-pair"] |
| mnemonic | metadata.product_event_type |
| SDWAN | metadata.product_name |
| Cisco | metadata.vendor_name |
| NETCONF | network.application_protocol |
| protocol | network.ip_protocol |
| observer | observer.hostname |
| system-ip | observer.ip |
| host-name | principal.hostname |
| source-ip | principal.ip |
| source-port | principal.port |
| username | principal.user.userid |
| dest_addr | target.ip |
| destination-port | target.port |
| groups | target.user.group_identifiers |
| msg | security_result.action_details |
| facility | security_result.category_details |
| msg | security_result.description |
| severity | security_result.severity |
| facility-severity-mnemonic | security_result.summary |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| Group Assignment | GROUP_UNCATEGORIZED |
| FTMD | NETWORK_CONNECTION |
| FTMD | STATUS_UPDATE |
| LOGIN | USER_LOGIN |
| LOGOUT | USER_LOGOUT |
| all others | GENERIC_EVENT |
Log Sample¶
<189>35061: Jul 3 05:59:16.884: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jdoe] [Source: 10.100.1.160] [localport: 22] at 01:59:16 EDT Mon Jul 3 2023
Sample Parsing¶
metadata.event_timestamp: "2023-06-03T05:59:16Z"
metadata.event_type: USER_LOGIN
metadata.vendor_name: "Cisco"
metadata.product_name: "SDWAN"
metadata.product_event_type: "LOGIN_SUCCESS"
principal.user.userid: "jdoe"
target.ip: "10.100.1.160"
target.port: 22
security_result.category_details: "SEC_LOGIN"
security_result.summary: "SEC_LOGIN-5-LOGIN_SUCCESS"
security_result.description: "Login Success [user: jdoe] [Source: 10.100.1.160] [localport: 22] at 01:59:16 EDT Mon Jul 3 2023"
security_result.action_details: "Login Success"
security_result.severity: LOW
Rules¶
Coming Soon