Parsers and Generated Fields | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Contacting Support

Parsers and Generated Fields

Tag Fields Created by Parser cisco-firepower

#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type

Fields Identified by Parser cisco-firepower

Vendor Field	CPS Field	Description
`event.category[]`	Array	Vendor.mnemonic
`event.type[]`	Array	Vendor.mnemonic
`network.bytes`	Calculated	source.bytes, destination.bytes
`network.packets`	Calculated	source.packets, destination.packets
`event.outcome`	Conditional	Vendor.mnemonic
`destination.bytes`	Copied	Vendor.InitiatorBytes
`destination.nat.ip`	Copied	Vendor.NAT_ResponderIP
`destination.nat.port`	Copied	Vendor.NAT_ResponderPort
`destination.packets`	Copied	Vendor.InitiatorPackets
`device.id`	Copied	Vendor.DeviceUUID
`dns.answers[0].ttl`	Copied	Vendor.DNS_TTL
`dns.question.name`	Copied	Vendor.DNSQuery
`dns.question.type`	Copied	Vendor.DNSRecordType
`dns.response_code`	Copied	Vendor.DNSResponseType
`event.action`	Copied	Vendor.AccessControlRuleAction
`event.reason`	Copied	Vendor.AccessControlRuleReason
`event.start`	Copied	Vendor.FirstPacketSecond
`file.hash.sha256`	Copied	Vendor.ArchiveSHA256, Vendor.FileSHA256
`file.name`	Copied	Vendor.ArchiveFileName, Vendor.FileName
`host.id`	Copied	Vendor.InstanceID
`http.request.referrer`	Copied	Vendor.HTTPReferer
`http.response.status_code`	Copied	Vendor.HTTPResponse
`network.application`	Copied	Vendor.WebApplication
`network.protocol`	Copied	Vendor.ApplicationProtocol
`network.transport`	Copied	Vendor.Protocol
`observer.egress.vlan.name`	Copied	Vendor.EgressVRF
`observer.hostname`	Copied	log.syslog.hostname
`observer.ingress.vlan.name`	Copied	Vendor.IngressVRF
`rule.category`	Copied	Vendor.DetectionType
`rule.description`	Copied	Vendor.AccessControlRuleReason
`rule.name`	Copied	Vendor.AccessControlRuleName
`rule.ruleset`	Copied	Vendor.ACPolicy
`source.bytes`	Copied	Vendor.ResponderBytes
`source.nat.ip`	Copied	Vendor.NAT_InitiatorIP
`source.nat.port`	Copied	Vendor.NAT_InitiatorPort
`source.packets`	Copied	Vendor.ResponderPackets
`tls.cipher`	Copied	Vendor.SSLCipherSuite
`tls.client.certificate`	Copied	Vendor.SSLCertificate
`tls.client.server_name`	Copied	Vendor.SSLServerName
`tls.version`	Copied	Vendor.SSLVersion
`url.full`	Copied	url.original
`url.original`	Copied	Vendor.URL
`user.id`	Copied	Vendor.User
`user_agent.name`	Copied	Vendor.Client
`user_agent.original`	Copied	Vendor.UserAgent
`user_agent.version`	Copied	Vendor.ClientVersion
`user.email`	Derived	user.name
`@timestamp`	Extracted	@rawstring
`client.ip`	Extracted	Vendor.message
`destination.address`	Extracted	Vendor.message
`destination.ip`	Extracted	Vendor.message, Vendor.DstIP
`destination.port`	Extracted	Vendor.message, Vendor.DstPort
`log.syslog.appname`	Extracted	@rawstring
`log.syslog.hostname`	Extracted	@rawstring
`log.syslog.priority`	Extracted	@rawstring
`log.syslog.procid`	Extracted	@rawstring
`log.syslog.severity.code`	Extracted	Vendor.mnemonic
`network.direction`	Extracted	Vendor.message
`observer.egress.interface.alias`	Extracted	Vendor.message, Vendor.EgressInterface
`observer.egress.zone`	Extracted	Vendor.message, Vendor.EgressZone
`observer.ingress.interface.alias`	Extracted	Vendor.message, Vendor.IngressInterface
`observer.ingress.zone`	Extracted	Vendor.message, Vendor.IngressZone
`source.ip`	Extracted	Vendor.message, Vendor.SrcIP
`source.mac`	Extracted	Vendor.message
`source.port`	Extracted	Vendor.message, Vendor.SrcPort
`user.domain`	Extracted	Vendor.message
`user.group`	Extracted	Vendor.message
`user.name`	Extracted	Vendor.message
`event.severity`	Mapped	Vendor.EventPriority
`log.syslog.severity.name`	Mapped	log.syslog.severity.code
`url.domain`	Parsed	url.original
`ecs.version`	Static	None
`event.dataset`	Static	None
`event.kind`	Static	None
`event.module`	Static	None
`observer.type`	Static	None
Vendor.InitiatorBytes	destination.bytes
Vendor.DstIP	destination.ip
Vendor.NAT_ResponderIP	destination.nat.ip
Vendor.NAT_ResponderPort	destination.nat.port
Vendor.InitiatorPackets	destination.packets
Vendor.DstPort	destination.port
Vendor.DeviceUUID	device.id
Vendor.DNS_TTL	dns.answers[0].ttl
Vendor.DNSQuery	dns.question.name
Vendor.DNSRecordType	dns.question.type
Vendor.DNSResponseType	dns.response_code
Vendor.AccessControlRuleAction	event.action
Vendor.AccessControlRuleReason	event.reason
Vendor.FirstPacketSecond	event.start
Vendor.ArchiveFileName	file.name
Vendor.FileName	file.name
Vendor.InstanceID	host.id
Vendor.HTTPReferer	http.request.referrer
Vendor.HTTPResponse	http.response.status_code
Vendor.WebApplication	network.application
source.bytes	network.bytes
destination.packets	network.packets
Vendor.EgressInterface	observer.egress.interface.alias
Vendor.EgressVRF	observer.egress.vlan.name
Vendor.EgressZone	observer.egress.zone
log.syslog.hostname	observer.hostname
Vendor.IngressInterface	observer.ingress.interface.alias
Vendor.IngressVRF	observer.ingress.vlan.name
Vendor.IngressZone	observer.ingress.zone
Vendor.DetectionType	rule.category
Vendor.AccessControlRuleReason	rule.description
Vendor.AccessControlRuleName	rule.name
Vendor.ACPolicy	rule.ruleset
Vendor.ResponderBytes	source.bytes
Vendor.SrcIP	source.ip
Vendor.NAT_InitiatorIP	source.nat.ip
Vendor.NAT_InitiatorPort	source.nat.port
Vendor.ResponderPackets	source.packets
Vendor.SrcPort	source.port
Vendor.SSLCipherSuite	tls.cipher
Vendor.SSLCertificate	tls.client.certificate
Vendor.SSLServerName	tls.client.server_name
Vendor.SSLVersion	tls.version
url.host	url.domain
url.original	url.full
Vendor.URL	url.original
user.name	user.email
Vendor.User	user.id
Vendor.Client	user_agent.name
Vendor.UserAgent	user_agent.original
Vendor.ClientVersion	user_agent.version

Enter search term