Skip to content

Splunk Connect for Syslog

Cisco Access Control System (ACS)

Splunk Connect for Syslog

Home
Architectural Considerations
Load Balancers
Getting Started
Getting Started
- Read First
- Quickstart Guide
- Splunk Setup
- Runtime Configuration
- Select Runtime
  Select Runtime
  - Podman + systemd
  - Docker CE + systemd
  - MicroK8s + Linux
  - Docker Compose
  - Docker Desktop + Compose (MacOS)
  - Bring your own Envionment
  - Docker&Podman offline installation
  - Ansible
    Ansible
    
    Docker Swarm
    
    Podman/Docker
    
    mk8s
Create a parser
Configuration
Destinations
Sources
Sources
- Read First
- Basic Onboarding
  Basic Onboarding
- Known Vendors
  Known Vendors
  - AVI
    AVI
    
    Common
  - Alcatel
    Alcatel
    
    Switch
  - Alsid
    Alsid
    
    Alsid
  - Arista
    Arista
    
    EOS
  - Aruba
    Aruba
    
    Access Points
    
    Clearpass
    
    Silverpeak
  - Avaya
    Avaya
    
    SIP Manager
  - Aviatrix
    Aviatrix
    
    Aviatrix
  - Barracuda
    Barracuda
    
    WAF (Cloud)
    
    Barracuda WAF (On Premises)
  - BeyondTrust
    BeyondTrust
    
    Secure Remote Access (Bomgar)
  - Broadcom
    Broadcom
    
    Brightmail
    
    Symantec DLP
    
    Symantec Endpoint Protection (SEPM)
    
    ProxySG/ASG
    
    SSL Visibility Appliance
  - Brocade
    Brocade
    
    Switch
  - Buffalo
    Buffalo
    
    Terastation
  - Checkpoint
    Checkpoint
    
    Firewall OS
    
    Log Exporter (Syslog)
    
    Log Exporter (Splunk)
  - Cisco
    Cisco
    
    Application Control Engine (ACE)
    
    Cisco Access Control System (ACS) Cisco Access Control System (ACS)
    Table of contents
    
    Key facts
    
    Sourcetypes
    
    Sourcetype and Index Configuration
    
    Splunk Setup and Configuration
    
    ASA/FTD (Firepower)
    
    Digital Network Area(DNA)
    
    Email Security Appliance (ESA)
    
    Cisco Integrated Management Controller (IMC)
    
    Cisco Networking (IOS and Compatible)
    
    Cisco ise
    
    Cisco meraki
    
    Meeting Management
    
    Meeting Server
    
    TelePresence Video Communication Server (TVCS)
    
    Unified Communications Manager (UCM)
    
    Unified Computing System (UCS)
    
    Viptela
    
    Web Security Appliance (WSA)
  - Citrix
    Citrix
    
    Netscaler ADC/SDX
  - Clearswift
    Clearswift
    
    WAF (Cloud)
  - Cohesity
    Cohesity
    
    Cluster
  - CyberArk
    CyberArk
    
    Vendor - CyberArk
    
    PTA
  - Cylance
    Cylance
    
    Protect
  - DARKTRACE
    DARKTRACE
    
    Darktrace
  - Dell
    Dell
    
    Dell Avamar
    
    CMC (VRTX)
    
    EMC Powerswitch N Series
    
    iDrac
    
    RSA SecureID
    
    Dell Networking SONiC
    
    Sonicwall
  - F5
    F5
    
    BigIP
  - FireEye
    FireEye
    
    CMS
    
    eMPS
    
    etp
    
    hx
  - Forcepoint
    Forcepoint
    
    Email Security
    
    Webprotect (Websense)
  - Fortinet
    Fortinet
    
    FortiWMail
    
    Fortios
    
    FortiWeb
  - GitHub
    GitHub
    
    Enterprise Server
  - HAProxy
    HAProxy
    
    HAProxy
  - HPe
    HPe
    
    ILO (4+)
    
    Jedirect
    
    Procurve Switch
  - IBM
    IBM
    
    Data power
  - ISC
    ISC
    
    bind
    
    dhcpd
  - Imperva
    Imperva
    
    Incapsula
    
    On-Premises WAF (SecureSphere WAF)
  - InfoBlox
    InfoBlox
    
    NIOS
  - Juniper
    Juniper
    
    JunOS
    
    Netscreen
  - Kaspersky
    Kaspersky
    
    Enterprise Security RFC5424
    
    Enterprise Security CEF
    
    Enterprise Security Leef
  - Liveaction
    Liveaction
    
    Liveaction - livenx
  - McAfee
    McAfee
    
    EPO
    
    Network Security Platform
    
    Wg
  - Microfocus
    Microfocus
    
    Arcsight Internal Agent
    
    Arcsight Microsoft Windows (CEF)
  - Microsoft
    Microsoft
    
    Cloud App Security (MCAS)
  - Mikrotik
    Mikrotik
    
    RouterOS
  - NetApp
    NetApp
    
    OnTap
    
    StorageGRID
  - NetScout
    NetScout
    
    DatAdvantage
  - Netmotion
    Netmotion
    
    Mobility Server
    
    Reporting
  - Netwrix
    Netwrix
    
    Endpoint Protector by CoSoSys
  - Novell
    Novell
    
    NetIQ
  - Nutanix
    Nutanix
    
    Nutanix_CVM_Audit
  - Ossec
    Ossec
    
    Ossec
  - PaloaltoNetworks
    PaloaltoNetworks
    
    Cortext
    
    panos
    
    Prisma SD-WAN ION
    
    Traps
  - Pfsense
    Pfsense
    
    Firewall
  - Polycom
    Polycom
    
    RPRM
  - Powertech
    Powertech
    
    PowerTech Interact
  - Proofpoint
    Proofpoint
    
    Proofpoint Protection Server
  - Pulse
    Pulse
    
    Pulse
  - PureStorage
    PureStorage
    
    Array
  - Qumulo
    Qumulo
    
    Storage
  - Radware
    Radware
    
    DefensePro
  - Raritan
    Raritan
    
    DSX
  - Ricoh
    Ricoh
    
    MFP
  - Riverbed
    Riverbed
    
    Syslog
    
    Steelconnect
    
    SteelHead
  - Ruckus
    Ruckus
    
    Smart Zone
  - Schneider
    Schneider
    
    APC Power systems
  - SecureAuthIdP
    SecureAuthIdP
    
    SecureAuth IdP
  - Semperis
    Semperis
    
    Semperis DSP
  - Solace
    Solace
    
    EventBroker
  - Sophos
    Sophos
    
    Web Appliance
    
    Web Appliance
  - Spectracom
    Spectracom
    
    NTP Appliance
  - Splunk
    Splunk
    
    Splunk Heavy Forwarder
    
    Splunk Connect for Syslog (SC4S)
  - StealthWatch
    StealthWatch
    
    Stealth Intercept
  - Tanium
    Tanium
    
    Platform
  - Tenable
    Tenable
    
    ad
    
    nnm
  - Thales
    Thales
    
    Thales Vormetric Data Security Platform
  - Thycotic
    Thycotic
    
    Secret Server
  - Tintri
    Tintri
    
    Syslog
  - Trellix
    Trellix
    
    Trellix CMS
    
    Trellix MPS
  - Trend
    Trend
    
    Deep Security
  - Ubiquiti
    Ubiquiti
    
    Unifi
  - VMWare
    VMWare
    
    Airwatch
    
    Carbon Black Protection
    
    Horizon View
    
    Vsphere
  - Varonis
    Varonis
    
    DatAdvantage
  - Vectra
    Vectra
    
    Cognito
  - Veeam
    Veeam
    
    Veeam
  - Wallix
    Wallix
    
    Bastion
  - XYPro
    XYPro
    
    Merged Audit
  - Zscaler
    Zscaler
    
    LSS
    
    NSS
  - a10networks
    a10networks
    
    a10networks vthunder
  - epic
    epic
    
    Epic EHR
  - syslog-ng
    syslog-ng
    
    loggen
Performance
SC4S Lite (Experimental)
SC4S Lite (Experimental)
- Intro
- Pluggable modules
Edge Processor (Experimental)
Troubleshooting
Troubleshooting
- SC4S Startup and Validation
- SC4S Logging and Troubleshooting Resources
Dashboard
Experiments
Upgrading SC4S
SC4S FAQ

Cisco Access Control System (ACS)¶

Key facts¶

MSG Format based filter
None conformant legacy BSD Format default port 514

Ref	Link
Splunk Add-on	https://splunkbase.splunk.com/app/1811/
Product Manual	https://community.cisco.com/t5/security-documents/acs-5-x-configuring-the-external-syslog-server/ta-p/3143143

Sourcetypes¶

sourcetype	notes
cisco:acs	Aggregation used

Sourcetype and Index Configuration¶

key	sourcetype	index	notes
cisco_acs	cisco:acs	netauth	None

Splunk Setup and Configuration¶

Replace the following extract using Splunk local configuration. Impacts version 1.5.0 of the addond

EXTRACT-AA-signature = CSCOacs_(?<signature>\S+):?
# Note the value of this config is empty to disable
EXTRACT-AA-syslog_message = 
EXTRACT-acs_message_header2 = ^CSCOacs_\S+\s+(?<log_session_id>\S+)\s+(?<total_segments>\d+)\s+(?<segment_number>\d+)\s+(?<acs_message>.*)