Skip to content

Cisco Access Control System (ACS)

Key facts

  • MSG Format based filter
  • None conformant legacy BSD Format default port 514

Sourcetypes

sourcetype notes
cisco:acs Aggregation used

Sourcetype and Index Configuration

key sourcetype index notes
cisco_acs cisco:acs netauth None

Splunk Setup and Configuration

  • Replace the following extract using Splunk local configuration. Impacts version 1.5.0 of the addond
EXTRACT-AA-signature = CSCOacs_(?<signature>\S+):?
# Note the value of this config is empty to disable
EXTRACT-AA-syslog_message = 
EXTRACT-acs_message_header2 = ^CSCOacs_\S+\s+(?<log_session_id>\S+)\s+(?<total_segments>\d+)\s+(?<segment_number>\d+)\s+(?<acs_message>.*)