IPS Log Formats

The Cisco Secure Access IPS logs show the traffic, events, and possible threats detected by the Secure Access Intrusion Prevention System. For information about the size of a log file, see Estimate the Size of a Log.

Example

Example of a v12 IPS log.

timestamp,identities,identity types,generator id,signature id,signature message,signature list id,severity,attack classification,cves,ip protocol,session id,source ip,source port,destination ip,destination port,action,operation mode,policy resource id,direction,firewall rule id,ips config type,aws region,application id,casi category ids,data center,organization id,egress ip,egress,enforced by,ftd enforcement id,ftd enforcement name
"2024-09-11 23:17:13","Firewall Tunnel Name","Network Tunnels","1","16606","SERVER-ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt","50516","HIGH","Attempted User Privilege Gain","cve-2009-1016","TCP","12345","123.123.123.123","80","1.1.1.1","40762","Would Block","IDS","50516","S2C","21171","PROFILE","eu-central-2b","","","","8151514","3.3.3.4","TRUE","FTD","12321321312",""

Order of Fields in the IPS Log

Note: Not all fields listed are found in most or all requests. When a field does not have a value, Secure Access sets the field to the empty string ("") in the log.

Optional V12 Log Header Format

The CSV fields in the header row of the Optional Log Header.

"Timestamp","Identities","Identity Types","Generator ID","Signature ID","Signature Message","Signature List ID","Severity","Attack Classification","CVEs","IP Protocol","Session ID","Source IP","Source Port","Destination IP","Destination Port","Action","Operation Mode","Policy Resource ID","Direction","Firewall Rule ID","IPS Config Type","AWS Region","Application ID","CASI Category IDs","Data Center","Organization ID","Egress IP","Egress","Enforced By","FTD enforcement ID","FTD Enforcement Name"

V12 Log Format

The CSV fields in the header row of the IPS log.

timestamp,identities,identity types,generator id,signature id,signature message,signature list id,severity,attack classification,cves,ip protocol,session id,source ip,source port,destination ip,destination port,action,operation mode,policy resource id,direction,firewall rule id,ips config type,aws region,application id,casi category ids,data center,organization id,egress ip,egress,enforced by,ftd enforcement id,ftd enforcement name

The description of each field and the log version in which each field was released, up to version 12. For more information about log versions, see Find Your Log Schema Version.

Each entry lists the field name, the log version in which it was released, and its description.

timestamp (v8): The date and time of the IPS detection event, expressed as a UTC-formatted string (e.g., 2024-01-16 17:48:41). Note: Unlike the Secure Access dashboard and reports, Secure Access logs do not convert the timestamp to your local timezone.
identities (v8): All tunnel identities that are associated with this request.
identity types (v8): The type of identity that is associated with this request.
generator id (v8): Unique ID assigned to the part of the IPS that generated the event.
signature id (v8): Used to uniquely identify signatures.
signature message (v8): A brief description of the signature.
signature list id (v8): Unique ID assigned to a Default or Custom Signature List.
severity (v8): The severity level of the rule. Valid values are: High, Medium, Low, and Very Low.
attack classification (v8): The category of attack detected by a rule, which is part of a more general attack class. Valid values are: trojan-activity, attempted-user, and unknown.
cves (v8): A list of information about security vulnerabilities and exposures.
ip protocol (v8): The actual protocol of the traffic, such as TCP, UDP, ICMP.
session id (v8): The unique identifier of a session, which is used to group the correlated events between various services.
source ip (v8): The IP of the computer making the request.
source port (v8): The source port number of the request.
destination ip (v8): The destination IP address of the request.
destination port (v8): The destination port number of the request.
action (v8): The action performed when traffic meets a rule's criteria, for example: block, warn, and would_block.
operation mode (v9): The mode of operation of the IPS, either detection or prevention. Valid values are: IDS, IPS, and UNKNOWN.
policy resource id (v9): The ID of the IPS policy resource. An example of a policy resource is: signature list.
direction (v9): The direction of the packet that matches the signature. Valid values are: S2C, C2S, and UNKNOWN.
firewall rule id (v9): The ID of the rule that matches the firewall session.
ips config type (v9): The type of the IPS configuration. Valid values are: CONFIG, PROFILE, and UNKNOWN.
aws region (v9): The AWS region where Secure Access stores your logs.
application id (v10): The ID of the destination application.
casi category ids (v10): The name of the Application category to which the App ID belongs.
data center (v10): The name of the data center that processed the user-generated traffic.
organization id (v10): The Secure Access organization ID. For more information, see Find Your Organization ID.
egress ip (v12): The public IP address representing the source of the network traffic as it exits your organization's premises or a roaming user's device.
egress (v12): TRUE indicates that the egress IP was a reserved IP.
enforced by (v12): The Secure Access component or service that enforced the policy or control related to this event (e.g., Firewall, Web Proxy).
ftd enforcement id (v12): The unique identifier of the enforcement action taken by a Firepower Threat Defense (FTD) device integrated with Secure Access.
ftd enforcement name (v12): The name or type of enforcement action taken by an FTD device integrated with Secure Access (e.g., Malware Block, URL Category Block).
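As an added example (not Cisco's code), the following Python reads a v12 IPS export using the header row documented above, applies the page's conventions (UTC timestamps, the empty string for absent fields) and pulls out high-severity events that the engine only observed because it was running in IDS mode. The sample row is constructed from the page's example; the field comparisons are case-insensitive because the page lists severities as "High" while the example row carries "HIGH".

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample: the v12 header row and one event row in the shape
# documented on this page (values are illustrative, not real telemetry).
IPS_HEADER = ("timestamp,identities,identity types,generator id,signature id,"
              "signature message,signature list id,severity,attack classification,"
              "cves,ip protocol,session id,source ip,source port,destination ip,"
              "destination port,action,operation mode,policy resource id,direction,"
              "firewall rule id,ips config type,aws region,application id,"
              "casi category ids,data center,organization id,egress ip,egress,"
              "enforced by,ftd enforcement id,ftd enforcement name")
SAMPLE_ROW = ('"2024-09-11 23:17:13","Firewall Tunnel Name","Network Tunnels","1",'
              '"16606","SERVER-ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt",'
              '"50516","HIGH","Attempted User Privilege Gain","cve-2009-1016","TCP","12345",'
              '"123.123.123.123","80","1.1.1.1","40762","Would Block","IDS","50516","S2C",'
              '"21171","PROFILE","eu-central-2b","","","","8151514","3.3.3.4","TRUE","FTD",'
              '"12321321312",""')


def parse_ips_log(text):
    """Parse raw IPS CSV text (header row first) into one dict per event."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        # Raw logs carry UTC and are not converted to local time; attach tzinfo
        # so downstream tools do not misread the value as local.
        row["timestamp"] = datetime.strptime(
            row["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        # Secure Access writes "" when a field has no value; map it to None.
        for key in list(row):
            if row[key] == "":
                row[key] = None
        events.append(row)
    return events


def unenforced_high_severity(events):
    """Events the IPS matched but did not stop: IDS mode with a 'would block' action."""
    return [e for e in events
            if (e["severity"] or "").upper() == "HIGH"
            and (e["operation mode"] or "").upper() == "IDS"
            and (e["action"] or "").replace(" ", "_").upper() == "WOULD_BLOCK"]


if __name__ == "__main__":
    for ev in unenforced_high_severity(parse_ips_log(IPS_HEADER + "\n" + SAMPLE_ROW)):
        print(ev["timestamp"].isoformat(), ev["signature id"], ev["signature message"])
```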
