Parsers and Generated Fields

Tag Fields Created by Parser cisco-ios
  • #Cps.version

  • #Vendor

  • #ecs.version

  • #event.dataset

  • #event.kind

  • #event.module

  • #event.outcome

  • #observer.type

Fields Identified by Parser cisco-ios
| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.crypto_cipher | - | Crypto cipher used |
| Vendor.eventCode | - | Event code |
| Vendor.hmac | - | HMAC algorithm |
| Vendor.icmp.code | - | ICMP code |
| Vendor.icmp.type | - | ICMP type |
| Vendor.interface | - | Interface name |
| Vendor.ios.action | - | Action taken |
| Vendor.ios.facility | - | IOS facility name |
| Vendor.ios.pim.group.ip | - | PIM group IP |
| Vendor.ios.pim.source.ip | - | PIM source IP |
| Vendor.ios.session.number | - | Session number |
| Vendor.ios.session.type | - | Session type |
| Vendor.session_id | - | Session ID |
| Vendor.vlan | - | VLAN ID |
| client.ip | - | Client IP address |
| client.mac | - | Client MAC address |
| destination.ip | - | Destination IP address |
| destination.mac | - | Destination MAC address |
| destination.port | - | Destination port |
| event.action | - | Action taken |
| event.reason | - | Reason for event |
| host.mac | - | Host MAC address |
| log.syslog.hostname | - | Device hostname |
| log.syslog.priority | - | Syslog priority value |
| log.syslog.severity.code | - | Severity code |
| message | - | Raw message content |
| network.iana_number | - | Protocol number |
| network.transport | - | Transport protocol |
| observer.ingress.interface.name | - | Interface name |
| process.command_line | - | CLI command executed |
| rule.name | - | Rule name |
| server.ip | - | Server IP address |
| server.port | - | Server port |
| Vendor.Source | client.ip | |
| destination.address | destination.ip | |
| Vendor.action | event.action | |
| Vendor.eventAction; | event.action | |
| Vendor.Reason | event.reason | |
| Vendor.ios.message_count | event.sequence | Message counter |
| Vendor.ios.message_count; | event.sequence | |
| Vendor.ios.sequence; | event.sequence | |
| source.packets | network.packets | Number of packets |
| Vendor.protocol | network.transport | |
| Vendor.ingress_interface | observer.ingress.interface.name | |
| Vendor.sgacl_name | rule.name | |
| Vendor.localport | server.port | |
| source.address | source.ip | Source IP address |
| Vendor.mac | source.mac | Source MAC address (normalized to ECS format) |
| user.name | source.user.name | Username |
| Vendor.user | user.name | |