Cisco Access Control System (ACS)
Key facts
- MSG Format based filter
- Non-conformant legacy BSD format, default port 514
Sourcetypes
| sourcetype | notes |
|------------|-------|
| cisco:acs | Aggregation used |
Sourcetype and Index Configuration
| key | sourcetype | index | notes |
|-----|------------|-------|-------|
| cisco_acs | cisco:acs | netauth | None |
Splunk Setup and Configuration
- Replace the following extract using Splunk local configuration. This impacts version 1.5.0 of the add-on.
EXTRACT-AA-signature = CSCOacs_(?<signature>\S+):?
# Note the value of this config is empty to disable
EXTRACT-AA-syslog_message =
EXTRACT-acs_message_header2 = ^CSCOacs_\S+\s+(?<log_session_id>\S+)\s+(?<total_segments>\d+)\s+(?<segment_number>\d+)\s+(?<acs_message>.*)
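
To check the replacement extractions before deploying them, the added example below (not code from the add-on or from this project) applies the same two patterns in Python to constructed events and joins segments that share a `log_session_id`. The sample events, the zero-based segment numbering and the function names `parse` and `reassemble` are assumptions.

```python
import re
from collections import defaultdict

# The two extractions from the page, with (?<name>...) rewritten as Python's (?P<name>...).
SIGNATURE = re.compile(r"CSCOacs_(?P<signature>\S+):?")
HEADER2 = re.compile(
    r"^CSCOacs_\S+\s+(?P<log_session_id>\S+)\s+(?P<total_segments>\d+)"
    r"\s+(?P<segment_number>\d+)\s+(?P<acs_message>.*)"
)

# Constructed sample events (not captured from a real ACS), syslog header already removed.
SAMPLE_EVENTS = [
    "CSCOacs_Passed_Authentications 0000000042 2 1 Response={Type=Authen_Reply; }",
    "CSCOacs_Passed_Authentications 0000000042 2 0 2024-01-01 10:00:00.000 +00:00 UserName=alice, ",
    "CSCOacs_Failed_Attempts 0000000043 1 0 2024-01-01 10:00:05.000 +00:00 UserName=bob",
    "CSCOacs_Failed_Attempts 0000000044 3 0 2024-01-01 10:00:09.000 +00:00 UserName=carol, ",
]

def parse(event):
    """Return the extracted fields for one event, or None if the header does not match."""
    m = HEADER2.search(event)
    if m is None:
        return None
    fields = m.groupdict()
    fields["signature"] = SIGNATURE.search(event).group("signature")
    fields["total_segments"] = int(fields["total_segments"])
    fields["segment_number"] = int(fields["segment_number"])
    return fields

def reassemble(events):
    """Group segments by log_session_id; return (complete, incomplete) dicts."""
    groups = defaultdict(dict)
    for event in events:
        f = parse(event)
        if f is not None:
            groups[f["log_session_id"]][f["segment_number"]] = f
    complete, incomplete = {}, {}
    for sid, segs in groups.items():
        total = next(iter(segs.values()))["total_segments"]
        if len(segs) == total:
            ordered = [segs[n] for n in sorted(segs)]  # out-of-order arrival is tolerated
            complete[sid] = (ordered[0]["signature"], "".join(s["acs_message"] for s in ordered))
        else:
            incomplete[sid] = sorted(segs)  # segment numbers seen so far
    return complete, incomplete

if __name__ == "__main__":
    done, pending = reassemble(SAMPLE_EVENTS)
    print(done)
    print(pending)
```

Sessions left in the incomplete result are the ones to investigate for dropped or truncated syslog segments.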