Parsers and Generated Fields
Tag Fields Created by Parser cisco-ios
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser cisco-ios
| Field | Method | Source Fields |
|---|---|---|
| `event.category[]` | Array | Vendor.eventCode |
| `event.type[]` | Array | Vendor.eventCode |
| `destination.ip` | Copied | destination.address |
| `event.sequence` | Copied | Vendor.ios.message_count, Vendor.ios.sequence |
| `network.packets` | Copied | source.packets |
| `rule.name` | Copied | Vendor.sgacl_name |
| `source.ip` | Copied | source.address |
| `source.user.name` | Copied | user.name |
| `client.ip` | Extracted | message |
| `client.mac` | Extracted | message |
| `destination.address` | Extracted | message |
| `destination.mac` | Extracted | message |
| `destination.port` | Extracted | message |
| `event.action` | Extracted | message, Vendor.eventAction |
| `event.reason` | Extracted | message |
| `host.mac` | Extracted | message |
| `log.syslog.hostname` | Extracted | @rawstring |
| `log.syslog.priority` | Extracted | @rawstring |
| `log.syslog.severity.code` | Extracted | @rawstring |
| `network.iana_number` | Extracted | message |
| `network.transport` | Extracted | message |
| `observer.ingress.interface.name` | Extracted | message, Vendor.ingress_interface |
| `observer.ip[0]` | Extracted | @rawstring |
| `process.command_line` | Extracted | message |
| `server.ip` | Extracted | message |
| `server.port` | Extracted | message |
| `source.address` | Extracted | message |
| `source.packets` | Extracted | message |
| `source.port` | Extracted | message |
| `user.name` | Extracted | message |
| `vlan.id` | Extracted | message |
| `event.dataset` | Formatted | event.module, Vendor.ios.facility |
| `network.community_id` | Generated | source.ip, destination.ip, network.transport, source.port, destination.port |
| `log.level` | Mapped | log.syslog.severity.code |
| `source.mac` | Normalized | Vendor.mac |
| `@timestamp` | Parsed | _ts, _tz |
| `event.outcome` | Set | Vendor.eventCode, message patterns |
| `network.type` | Set | source.ip |
| `ecs.version` | Static | None |
| `event.kind` | Static | None |
| `event.module` | Static | None |
| `observer.product` | Static | None |

| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.Source | client.ip | |
| destination.address | destination.ip | |
| Vendor.action | event.action | |
| Vendor.Reason | event.reason | |
| source.packets | network.packets | |
| Vendor.protocol | network.transport | |
| Vendor.ingress_interface | observer.ingress.interface.name | |
| Vendor.sgacl_name | rule.name | |
| Vendor.localport | server.port | |
| source.address | source.ip | |
| user.name | source.user.name | |
| Vendor.user | user.name | |