<span class="pill kill-chain">_time</span>
<span class="pill kill-chain">aci_message_text</span>
<span class="pill kill-chain">action</span>
<span class="pill kill-chain">app</span>
<span class="pill kill-chain">authenticator</span>
<span class="pill kill-chain">bytes</span>
<span class="pill kill-chain">change_type</span>
<span class="pill kill-chain">cipher</span>
<span class="pill kill-chain">cisco_header</span>
<span class="pill kill-chain">command</span>
<span class="pill kill-chain">config_source</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">dest</span>
<span class="pill kill-chain">dest_interface</span>
<span class="pill kill-chain">dest_mac</span>
<span class="pill kill-chain">dest_port</span>
<span class="pill kill-chain">device_time</span>
<span class="pill kill-chain">direct_ap_mac</span>
<span class="pill kill-chain">dvc</span>
<span class="pill kill-chain">event_id</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">facility</span>
<span class="pill kill-chain">hmac</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">line</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">message_text</span>
<span class="pill kill-chain">mnemonic</span>
<span class="pill kill-chain">product</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">reliable_time</span>
<span class="pill kill-chain">severity</span>
<span class="pill kill-chain">severity_description</span>
<span class="pill kill-chain">severity_id</span>
<span class="pill kill-chain">severity_id_and_name</span>
<span class="pill kill-chain">severity_name</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">splunk_server_group</span>
<span class="pill kill-chain">src</span>
<span class="pill kill-chain">src_interface</span>
<span class="pill kill-chain">src_ip</span>
<span class="pill kill-chain">src_mac</span>
<span class="pill kill-chain">subfacility</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::action</span>
<span class="pill kill-chain">tag::app</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">timeendpos</span>
<span class="pill kill-chain">timestartpos</span>
<span class="pill kill-chain">transport</span>
<span class="pill kill-chain">tty</span>
<span class="pill kill-chain">type</span>
<span class="pill kill-chain">user</span>
<span class="pill kill-chain">vendor</span>
<span class="pill kill-chain">vendor_action</span>
<span class="pill kill-chain">vlan</span>
</div>
Data Source: Cisco IOS Logs
Description
Data source object for Cisco IOS system logs. Cisco IOS logs provide operational and security telemetry from Cisco network devices (IOS, IOS XE, IOS XR, NX-OS, WLC, and APs). The Cisco Networks Add-on for Splunk (TA-cisco_ios) normalizes these events by setting proper sourcetypes and extracting fields for switches, routers, controllers, and access points; deploy the TA on indexers/HFs and search heads, and the Cisco Networks (cisco_ios) App on search heads. Supported platforms include Catalyst, ASR, ISR, Nexus, CRS, and other IOS-based devices, enabling consistent investigation, alerting, and reporting in Splunk Enterprise and Splunk Cloud. This data is ingested via SYSLOG.
Details
| Property | Value |
|---|---|
| Source | cisco:ios |
| Sourcetype | cisco:ios |
Related Detections
Supported Apps
- Cisco Networks Add-on (version 2.7.9)
Event Fields
Fields
Example Log
1Aug 20 17:10:21.639: %AAA-6-USERNAME_CONFIGURATION: user with username: attacker configured Aug 20 17:10:21.664: %AAA-6-USER_PRIVILEGE_UPDATE: username: attacker privilege updated with priv-15 Aug 20 17:10:21.665: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:username attacker privilege 15 secret * Aug 20 17:10:21.665: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:!config: USER TABLE MODIFIED
Required Output Fields
-
user
-
dest
Source: GitHub | Version: 2