IPS Log Formats

The Cisco Secure Access IPS logs show the traffic, events, and possible threats detected by the Secure Access Intrusion Prevention System. For information about the size of a log file, see Estimate the Size of a Log.

Examples

Example IPS log records in each log format version.

V9 Log Sample

"2022-04-12 16:14:09","Firewall Tunnel Name","Network Tunnels","1","16606","SERVER-ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt","1323","HIGH","Attempted User Privilege Gain","cve-2009-1016","TCP","12345","123.123.123.123","33010","1.1.1.1","443","Would Block","IDS","3658","S2C","245","PROFILE","us-west-2"

V8 Log Sample

"2022-04-12 16:14:09","Firewall Tunnel Name","Network Tunnels","1","16606","SERVER-ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt","1323","HIGH","Attempted User Privilege Gain","cve-2009-1016","TCP","12345","123.123.123.123","33010","1.1.1.1","443","Would Block"

Order of Fields in the IPS Log

Note: Not every field listed is present in every event. When a field has no value, Secure Access writes it to the log as the empty string ("").

V9 Log Format

The CSV fields in the header row of the IPS v9 format logs.

timestamp,identities,identity types,generator id,signature id,signature message,signature list id,severity,attack classification,CVEs,IP protocol,session ID,source IP,source port,destination IP,destination port,action,operation mode,policy resource ID,direction,firewall rule ID,IPS config type,AWS region

The v9 log format includes all of the fields in the v8 log format and adds the following fields:

  • operation mode—The mode in which the IPS is operating, either detection or prevention. Valid values are: IDS, IPS, and UNKNOWN.
  • policy resource ID—The ID of the IPS policy resource, for example a signature list.
  • direction—The direction of the packet that matched the signature. Valid values are: S2C, C2S, and UNKNOWN.
  • firewall rule ID—The ID of the firewall rule that matched the session.
  • IPS config type—The type of IPS configuration. Valid values are: CONFIG, PROFILE, and UNKNOWN.
  • AWS region—The AWS region in which Secure Access stores your logs.

V8 Log Format

The CSV fields in the header row of the IPS v8 format logs.

timestamp,identities,identity types,generator id,signature id,signature message,signature list id,severity,attack classification,CVEs,IP protocol,session ID,source IP,source port,destination IP,destination port,action

  • timestamp—The date and time of the request, in UTC.
  • identities—All tunnel identities associated with this request.
  • identity types—The type of identity associated with this request.
  • generator id—Unique ID assigned to the part of the IPS that generated the event.
  • signature id—Unique ID of the signature that matched.
  • signature message—A brief description of the signature.
  • signature list id—Unique ID assigned to a Default or Custom Signature List.
  • severity—The severity level of the rule. Valid values are: High, Medium, Low, and Very Low.
  • attack classification—The category of attack detected by the rule, as a subcategory of a more general attack class. Valid values are: trojan-activity, attempted-user, and unknown.
  • CVEs—A list of the security vulnerabilities and exposures (CVE IDs) associated with the signature.
  • IP protocol—The transport protocol of the traffic, such as TCP, UDP, or ICMP.
  • session ID—The unique identifier of a session, used to correlate events across the various services.
  • source IP—The IP address of the computer making the request.
  • source port—The source port number of the request.
  • destination IP—The destination IP address of the request.
  • destination port—The destination port number of the request.
  • action—The action performed when traffic matches a rule, for example: block, warn, and would_block.
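As an added example, not part of the Cisco documentation, a small Python parser for the v8 and v9 record layouts described above. It selects the format by field count, maps the empty-string placeholder to None so a missing value is not mistaken for data, and extracts the fields an analyst checks first. The sample records are the v9 and v8 samples from this page plus one constructed variant with an empty CVEs field; the field names and the `triage` helper are this example's own.

```python
import csv

# Header rows as documented for the v8 (17 fields) and v9 (23 fields) IPS logs.
V8_FIELDS = [
    "timestamp", "identities", "identity types", "generator id", "signature id",
    "signature message", "signature list id", "severity", "attack classification",
    "CVEs", "IP protocol", "session ID", "source IP", "source port",
    "destination IP", "destination port", "action",
]
V9_FIELDS = V8_FIELDS + [
    "operation mode", "policy resource ID", "direction", "firewall rule ID",
    "IPS config type", "AWS region",
]
FORMATS = {len(V8_FIELDS): ("v8", V8_FIELDS), len(V9_FIELDS): ("v9", V9_FIELDS)}

# Sample records: the v9 sample from this page, the same event in v8 layout,
# and a constructed v9 variant whose CVEs field is the empty-string placeholder.
V9_SAMPLE = ('"2022-04-12 16:14:09","Firewall Tunnel Name","Network Tunnels","1","16606",'
             '"SERVER-ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt",'
             '"1323","HIGH","Attempted User Privilege Gain","cve-2009-1016","TCP","12345",'
             '"123.123.123.123","33010","1.1.1.1","443","Would Block","IDS","3658","S2C",'
             '"245","PROFILE","us-west-2"')
V8_SAMPLE = V9_SAMPLE.split(',"IDS"')[0]
EMPTY_CVE_SAMPLE = V9_SAMPLE.replace('"cve-2009-1016"', '""')


def parse_ips_record(line):
    """Parse one CSV record into (version, {field name: value}).

    The version is inferred from the field count; a record matching neither
    layout raises ValueError. Fields written as "" are returned as None.
    """
    row = next(csv.reader([line]))
    if len(row) not in FORMATS:
        raise ValueError(f"unexpected field count {len(row)}: not a v8/v9 IPS record")
    version, fields = FORMATS[len(row)]
    return version, {name: (value or None) for name, value in zip(fields, row)}


def triage(line):
    """Summarize what an analyst checks first: severity, whether the IPS only
    logged the event (would_block / Would Block), the flow, and CVEs to look up."""
    version, rec = parse_ips_record(line)
    action = (rec["action"] or "").lower().replace("_", " ")
    return {
        "version": version,
        "severity": rec["severity"],
        "detect_only": action == "would block",
        "flow": f"{rec['source IP']}:{rec['source port']} -> "
                f"{rec['destination IP']}:{rec['destination port']}",
        "direction": rec.get("direction"),  # present in v9 only
        "cves": rec["CVEs"].split(",") if rec["CVEs"] else [],
    }
```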
