<span class="pill kill-chain">_time</span>
<span class="pill kill-chain">aci_message_text</span>
<span class="pill kill-chain">action</span>
<span class="pill kill-chain">app</span>
<span class="pill kill-chain">authenticator</span>
<span class="pill kill-chain">bytes</span>
<span class="pill kill-chain">change_type</span>
<span class="pill kill-chain">cipher</span>
<span class="pill kill-chain">cisco_header</span>
<span class="pill kill-chain">command</span>
<span class="pill kill-chain">config_source</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">dest</span>
<span class="pill kill-chain">dest_interface</span>
<span class="pill kill-chain">dest_mac</span>
<span class="pill kill-chain">dest_port</span>
<span class="pill kill-chain">device_time</span>
<span class="pill kill-chain">direct_ap_mac</span>
<span class="pill kill-chain">dvc</span>
<span class="pill kill-chain">event_id</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">facility</span>
<span class="pill kill-chain">hmac</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">line</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">message_text</span>
<span class="pill kill-chain">mnemonic</span>
<span class="pill kill-chain">product</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">reliable_time</span>
<span class="pill kill-chain">severity</span>
<span class="pill kill-chain">severity_description</span>
<span class="pill kill-chain">severity_id</span>
<span class="pill kill-chain">severity_id_and_name</span>
<span class="pill kill-chain">severity_name</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">splunk_server_group</span>
<span class="pill kill-chain">src</span>
<span class="pill kill-chain">src_interface</span>
<span class="pill kill-chain">src_ip</span>
<span class="pill kill-chain">src_mac</span>
<span class="pill kill-chain">subfacility</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::action</span>
<span class="pill kill-chain">tag::app</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">timeendpos</span>
<span class="pill kill-chain">timestartpos</span>
<span class="pill kill-chain">transport</span>
<span class="pill kill-chain">tty</span>
<span class="pill kill-chain">type</span>
<span class="pill kill-chain">user</span>
<span class="pill kill-chain">vendor</span>
<span class="pill kill-chain">vendor_action</span>
<span class="pill kill-chain">vlan</span>
</div>
Data Source: Cisco IOS Logs
Description
Data source object for Cisco IOS system logs. Cisco IOS logs provide operational and security telemetry from Cisco network devices (IOS, IOS XE, IOS XR, NX-OS, wireless LAN controllers, and access points). The Cisco Networks Add-on for Splunk (TA-cisco_ios) normalizes these events by setting the proper sourcetypes and extracting fields for switches, routers, controllers, and access points; deploy the TA on indexers/heavy forwarders (HFs) and search heads, and the Cisco Networks (cisco_ios) App on search heads. Supported platforms include Catalyst, ASR, ISR, Nexus, CRS, and other IOS-based devices, enabling consistent investigation, alerting, and reporting in Splunk Enterprise and Splunk Cloud. This data is ingested via syslog.
Details
| Property | Value |
|---|---|
| Source | cisco:ios |
| Sourcetype | cisco:ios |
Supported Apps
- Cisco Networks Add-on (version 2.7.8)
Event Fields (the field names listed at the top of this page)
Example Log
Aug 20 17:10:21.639: %AAA-6-USERNAME_CONFIGURATION: user with username: attacker configured
Aug 20 17:10:21.664: %AAA-6-USER_PRIVILEGE_UPDATE: username: attacker privilege updated with priv-15
Aug 20 17:10:21.665: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:username attacker privilege 15 secret *
Aug 20 17:10:21.665: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:!config: USER TABLE MODIFIED
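As an added example (not part of this page, the TA, or the Splunk app), a small Python parser that splits the example log above into the facility, severity, mnemonic, message_text, user and command fields named under Event Fields, plus a detection that flags logged configuration commands granting privilege 15. It assumes the bare `timestamp: %FACILITY-SEVERITY-MNEMONIC: message` form shown above, without syslog hostname or sequence-number prefixes.

```python
import re
from typing import Optional

# Constructed sample: the four events from the page's example log, one per line.
SAMPLE_LOG = """\
Aug 20 17:10:21.639: %AAA-6-USERNAME_CONFIGURATION: user with username: attacker configured
Aug 20 17:10:21.664: %AAA-6-USER_PRIVILEGE_UPDATE: username: attacker privilege updated with priv-15
Aug 20 17:10:21.665: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:username attacker privilege 15 secret *
Aug 20 17:10:21.665: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:!config: USER TABLE MODIFIED
"""

# Cisco IOS system message layout (assumed, no syslog host/sequence prefix):
#   <timestamp>: %FACILITY-SEVERITY-MNEMONIC: message_text
IOS_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<message_text>.*)$"
)
SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notification", 6: "informational", 7: "debugging"}


def parse_event(line: str) -> Optional[dict]:
    """Return a dict using the page's field names for one log line, or None if it does not parse."""
    m = IOS_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["severity_id"] = int(ev.pop("severity"))
    ev["severity_name"] = SEVERITY_NAMES[ev["severity_id"]]
    # CFGLOG_LOGGEDCMD messages carry the operator (user) and the exact command entered.
    cmd = re.match(r"User:(?P<user>\S+) logged command:(?P<command>.*)", ev["message_text"])
    if cmd:
        ev.update(cmd.groupdict())
    return ev


def find_priv15_grants(log_text: str) -> list:
    """Detection: (operator, target account) for each logged command that sets privilege 15."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev["mnemonic"] == "CFGLOG_LOGGEDCMD":
            g = re.match(r"username (?P<target>\S+) privilege 15\b", ev.get("command", ""))
            if g:
                hits.append((ev.get("user"), g["target"]))
    return hits
```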
Source: GitHub | Version: 1