IPS Log Formats
The Cisco Secure Access IPS logs show the traffic, events, and possible threats detected by the Secure Access Intrusion Prevention System. For information about the size of a log file, see Estimate the Size of a Log.
Table of Contents
Example
Example of a v12 IPS log.
timestamp,identities,identity types,generator id,signature id,signature message,signature list id,severity,attack classification,cves,ip protocol,session id,source ip,source port,destination ip,destination port,action,operation mode,policy resource id,direction,firewall rule id,ips config type,aws region,application id,casi category ids,data center,organization id,egress ip,egress,enforced by,ftd enforcement id,ftd enforcement name
"2024-09-11 23:17:13","Firewall Tunnel Name","Network Tunnels","1","16606","SERVER-ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt","50516","HIGH","Attempted User Privilege Gain","cve-2009-1016","TCP","12345","123.123.123.123","80","1.1.1.1","40762","Would Block","IDS","50516","S2C","21171","PROFILE","eu-central-2b","","","","8151514","3.3.3.4","TRUE","FTD","12321321312",""
Order of Fields in the IPS Log
Note: Not all fields listed are found in most or all requests. When a field does not have a value, Secure Access sets the field to the empty string ("") in the log.
Optional V12 Log Header Format
The CSV fields in the header row of the Optional Log Header.
"Timestamp","Identities","Identity Types","Generator ID","Signature ID","Signature Message","Signature List ID","Severity","Attack Classification","CVEs","IP Protocol","Session ID","Source IP","Source Port","Destination IP","Destination Port","Action","Operation Mode","Policy Resource ID","Direction","Firewall Rule ID","IPS Config Type","AWS Region","Application ID","CASI Category IDs","Data Center","Organization ID","Egress IP","Egress","Enforced By","FTD enforcement ID","FTD Enforcement Name"
V12 Log Format
The CSV fields in the header row of the IPS log.
timestamp,identities,identity types,generator id,signature id,signature message,signature list id,severity,attack classification,cves,ip protocol,session id,source ip,source port,destination ip,destination port,action,operation mode,policy resource id,direction,firewall rule id,ips config type,aws region,application id,casi category ids,data center,organization id,egress IP,egress,enforced by,ftd enforcement id,ftd enforcement name
The description of each field and the log version in which each field was released, up to version 12. For more information about log versions, see Find Your Log Schema Version.
| Field name | Description | Release version |
|---|---|---|
| timestamp | The date and time of the IPS detection event, expressed as a UTC-formatted string (e.g., 2024-01-16 17:48:41).Note: Unlike the Secure Access dashboard and reports, Secure Access logs do not convert the timestamp to your local timezone. | v8 |
| identities | All tunnel identities that are associated with this request. | v8 |
| identity types | The type of identity that is associated with this request. | v8 |
| generator id | Unique ID assigned to the part of the IPS that generated the event. | v8 |
| signature id | Used to uniquely identify signatures. | v8 |
| signature message | A brief description of the signature. | v8 |
| signature list id | Unique ID assigned to a Default or Custom Signature List. | v8 |
| severity | The severity level of the rule. Valid values are: High, Medium, Low, and Very Low. | v8 |
| attack classification | The category of attack detected by a rule that is part of a more general type of attack class. Valid values are: trojan-activity, attempted-user, and unknown. | v8 |
| cves | A list of information about security vulnerabilities and exposures. | v8 |
| ip protocol | The actual protocol of the traffic, such as TCP, UDP, ICMP. | v8 |
| session id | The unique identifier of a session, which is used to group the correlated events between various services. | v8 |
| source ip | The IP of the computer making the request. | v8 |
| source port | The port number of the request. | v8 |
| destination ip | The port number of the request. | v8 |
| destination port | The destination port number of the request. | v8 |
| action | The action performed when criteria meets a rule, for example: block, warn, and would_block. | v8 |
| operation mode | The mode of operation of the IPS, either detection or prevention. Valid values are: IDS, IPS, and UNKNOWN. | v9 |
| policy resource id | The ID of the IPS policy resource. An example of a policy resource is: signature list. | v9 |
| direction | The direction of the packet that matches the signature. Valid values are: S2C, C2S, and UNKNOWN. | v9 |
| firewall rule id | The ID of the rule that matches the firewall session. | v9 |
| ips config type | The type of the IPS configuration. Valid values are: CONFIG, PROFILE, and UNKNOWN. | v9 |
| aws region | The AWS region where Secure Access stores your logs. | v9 |
| application id | The ID of the destination application. | v10 |
| casi category ids | The name of the Application category to which the App ID belongs. | v10 |
| data center | The name of the data center that processed the user-generated traffic. | v10 |
| organization id | The Secure Access organization ID. For more information, see Find Your Organization ID . | v10 |
| egress ip | The public IP address assigned to a session as it exits the Secure Access ZTA infrastructure en route to the destination application. | v12 |
| egress | TRUEindicates that the egress IP was a reserved IP. | v12 |
| enforced by | The Secure Access component or service that enforced the policy or control related to this event (e.g., Firewall, Web Proxy). | v12 |
| ftd enforcement id | The unique identifier of the enforcement action taken by a Firepower Threat Defense (FTD) device integrated with Secure Access. | v12 |
| ftd enforcement name | The name or type of enforcement action taken by a FTD device integrated with Secure Access (e.g., Malware Block, URL Category Block). | v12 |
File Events Log Formats < IPS Log Formats > Remote Access VPN Log Formats
Updated 5 days ago