Data Source: Cisco IOS Logs

Description

Data source object for Cisco IOS system logs. Cisco IOS logs provide operational and security telemetry from Cisco network devices (IOS, IOS XE, IOS XR, NX-OS, wireless LAN controllers, and access points). The Cisco Networks Add-on for Splunk (TA-cisco_ios) normalizes these events by assigning the correct sourcetypes and extracting fields for switches, routers, controllers, and access points; deploy the TA on indexers or heavy forwarders and on search heads, and the Cisco Networks (cisco_ios) App on search heads. Supported platforms include Catalyst, ASR, ISR, Nexus, CRS, and other IOS-based devices, enabling consistent investigation, alerting, and reporting in Splunk Enterprise and Splunk Cloud. This data is ingested via syslog.

Details

Property Value
Source cisco:ios
Sourcetype cisco:ios
Name | Technique | Type
Cisco Configuration Archive Logging Analysis | Disable or Modify Tools, Account Manipulation, Web Shell | Hunting
Cisco IOS Suspicious Privileged Account Creation | Create Account, Valid Accounts | Anomaly
Cisco Network Interface Modifications | Modify Authentication Process, Remote Services, External Remote Services | Anomaly
Cisco SNMP Community String Configuration Changes | Disable or Modify Tools, Network Sniffing, Unsecured Credentials | Anomaly
Cisco TFTP Server Configuration for Data Exfiltration | Exfiltration Over Web Service, Data from Local System | TTP
Detect ARP Poisoning | Hardware Additions, Network Denial of Service, ARP Cache Poisoning | TTP
Detect IPv6 Network Infrastructure Threats | Hardware Additions, Network Denial of Service, ARP Cache Poisoning | TTP
Detect Port Security Violation | Hardware Additions, Network Denial of Service, ARP Cache Poisoning | TTP
Detect Rogue DHCP Server | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle | TTP
Detect Traffic Mirroring | Traffic Duplication, Hardware Additions, Network Denial of Service | TTP

Supported Apps

Event Fields

  • _time
  • aci_message_text
  • action
  • app
  • authenticator
  • bytes
  • change_type
  • cipher
  • cisco_header
  • command
  • config_source
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • dest
  • dest_interface
  • dest_mac
  • dest_port
  • device_time
  • direct_ap_mac
  • dvc
  • event_id
  • eventtype
  • facility
  • hmac
  • host
  • index
  • line
  • linecount
  • message_text
  • mnemonic
  • product
  • punct
  • reliable_time
  • severity
  • severity_description
  • severity_id
  • severity_id_and_name
  • severity_name
  • source
  • sourcetype
  • splunk_server
  • splunk_server_group
  • src
  • src_interface
  • src_ip
  • src_mac
  • subfacility
  • tag
  • tag::action
  • tag::app
  • tag::eventtype
  • timeendpos
  • timestartpos
  • transport
  • tty
  • type
  • user
  • vendor
  • vendor_action
  • vlan

Example Log

Aug 20 17:10:21.639: %AAA-6-USERNAME_CONFIGURATION: user with username: attacker configured
Aug 20 17:10:21.664: %AAA-6-USER_PRIVILEGE_UPDATE: username: attacker privilege updated with priv-15
Aug 20 17:10:21.665: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:username attacker privilege 15 secret *
Aug 20 17:10:21.665: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:!config: USER TABLE MODIFIED

Required Output Fields

  • user

  • dest


Source: GitHub | Version: 1