Cisco Software Defined WAN

About

Cisco SD-WAN is a cloud-first architecture that separates data and control planes, managed through the Cisco vManage console. You can quickly establish an SD-WAN overlay fabric to connect data centers, branches, campuses, and colocation facilities to improve network speed, security, and efficiency.

Product Details

Vendor URL: Cisco Software Defined WAN

Product Type: Network Management

Product Tier: Tier III

Integration Method: Syslog

Integration URL: Configure System Logging for Cisco IOS XE SD-WAN Devices

Log Guide: Cisco SD-WAN Monitor and Maintain Configuration Guide

Parser Details

Log Format: Syslog

Expected Normalization Rate: 90%

Data Label: CISCO_SDWAN

UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
| --- | --- |
| source-vpn | additional.fields["source-vpn"] |
| state | additional.fields["state"] |
| svc-vpn-id | additional.fields["svc-vpn-id"] |
| zone-pair | additional.fields["zone-pair"] |
| mnemonic | metadata.product_event_type |
| SDWAN | metadata.product_name |
| Cisco | metadata.vendor_name |
| NETCONF | network.application_protocol |
| protocol | network.ip_protocol |
| observer | observer.hostname |
| system-ip | observer.ip |
| host-name | principal.hostname |
| source-ip | principal.ip |
| source-port | principal.port |
| username | principal.user.userid |
| dest_addr | target.ip |
| destination-port | target.port |
| groups | target.user.group_identifiers |
| msg | security_result.action_details |
| facility | security_result.category_details |
| msg | security_result.description |
| severity | security_result.severity |
| facility-severity-mnemonic | security_result.summary |

Product Event Types

| Event | UDM Event Classification |
| --- | --- |
| Group Assignment | GROUP_UNCATEGORIZED |
| FTMD | NETWORK_CONNECTION |
| FTMD | STATUS_UPDATE |
| LOGIN | USER_LOGIN |
| LOGOUT | USER_LOGOUT |
| all others | GENERIC_EVENT |

Log Sample

<189>35061: Jul  3 05:59:16.884: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jdoe] [Source: 10.100.1.160] [localport: 22] at 01:59:16 EDT Mon Jul 3 2023

Sample Parsing

metadata.event_timestamp: "2023-06-03T05:59:16Z"
metadata.event_type: USER_LOGIN
metadata.vendor_name: "Cisco"
metadata.product_name: "SDWAN"
metadata.product_event_type: "LOGIN_SUCCESS"
principal.user.userid: "jdoe"
target.ip: "10.100.1.160"
target.port: 22
security_result.category_details: "SEC_LOGIN"
security_result.summary: "SEC_LOGIN-5-LOGIN_SUCCESS"
security_result.description: "Login Success [user: jdoe] [Source: 10.100.1.160] [localport: 22] at 01:59:16 EDT Mon Jul 3 2023"
security_result.action_details: "Login Success"
security_result.severity: LOW
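
To show how the log sample decomposes into the fields listed above, the following Python sketch is an added example, not the CISCO_SDWAN parser itself. It assumes the LOGIN and LOGOUT rows of the event table are matched as mnemonic prefixes, places the bracketed Source and localport values as the Sample Parsing does, and introduces a hypothetical `pri_matches_tag` key that flags lines whose syslog PRI severity disagrees with the severity in the `%FACILITY-SEVERITY-MNEMONIC` tag.

```python
import ipaddress
import re

# The log sample from this page, unchanged.
SAMPLE = ("<189>35061: Jul  3 05:59:16.884: %SEC_LOGIN-5-LOGIN_SUCCESS: "
          "Login Success [user: jdoe] [Source: 10.100.1.160] [localport: 22] "
          "at 01:59:16 EDT Mon Jul 3 2023")
# <PRI>sequence: timestamp: %FACILITY-SEVERITY-MNEMONIC: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<seq>\d+): (?P<ts>.+?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$")
KV_RE = re.compile(r"\[([^:\]]+): ([^\]]*)\]")  # "[key: value]" pairs in the message

def event_type(mnemonic):
    # Assumption: the page's LOGIN / LOGOUT rows are matched as mnemonic prefixes.
    if mnemonic.startswith("LOGIN"):
        return "USER_LOGIN"
    if mnemonic.startswith("LOGOUT"):
        return "USER_LOGOUT"
    return "GENERIC_EVENT"

def parse(line):
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # not a %FACILITY-SEVERITY-MNEMONIC line
    kv = {k.strip().lower(): v.strip() for k, v in KV_RE.findall(m["msg"])}
    out = {
        "metadata.vendor_name": "Cisco",
        "metadata.product_name": "SDWAN",
        "metadata.product_event_type": m["mnemonic"],
        "metadata.event_type": event_type(m["mnemonic"]),
        "security_result.category_details": m["facility"],
        "security_result.summary": f'{m["facility"]}-{m["sev"]}-{m["mnemonic"]}',
        "security_result.description": m["msg"],
        "security_result.action_details": m["msg"].split(" [", 1)[0],
        # Hypothetical helper key: does the PRI header agree with the %-tag severity?
        "pri_matches_tag": int(m["pri"]) % 8 == int(m["sev"]),
    }
    if "user" in kv:
        out["principal.user.userid"] = kv["user"]
    try:  # placement follows the page's Sample Parsing; invalid values are dropped
        out["target.ip"] = str(ipaddress.ip_address(kv.get("source", "")))
    except ValueError:
        pass
    port = kv.get("localport", "")
    if port.isdecimal() and 0 < int(port) < 65536:
        out["target.port"] = int(port)
    return out
```

Lines that do not carry the `%FACILITY-SEVERITY-MNEMONIC` tag return `None`, so they can be routed to a generic handler rather than silently mis-parsed.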

Rules

Coming Soon