https://community.cisco.com/t5/network-security/cisco-ids-log-format/m-p/1128855#M78271 <P>Hi,</P><P> Where can I find the description of Cisco IDS log format? I can find information about total signatures and the meaning of the signatures. But I cannot find the following:</P><P>1) what are the different log formats supported by Cisco IDS (XML, plain text etc)</P><P>2) what parameters to expect in the log messages and the order, meaning of the same.</P><P></P><P>For eg: if I saw following sample message in a website. How do I understand what each parameter is supposed to mean.</P><P>4,1001256,2002/04/11,01:17:49,2002/04/10,20:17:49,10008,100,101,OUT,IN,5,5126,</P><P>0,TCP/IP,64.194.107.85,W.X.Y.124,32768,80,0.0.0.0,</P><P></P><P>Thanks</P><P>KAD</P> Sun, 10 Mar 2019 11:23:25 GMT anusuya_k 2019-03-10T11:23:25Z https://community.cisco.com/t5/network-security/cisco-ids-log-format/m-p/1128855#M78271 <P>Hi,</P><P> Where can I find the description of Cisco IDS log format? I can find information about total signatures and the meaning of the signatures. But I cannot find the following:</P><P>1) what are the different log formats supported by Cisco IDS (XML, plain text etc)</P><P>2) what parameters to expect in the log messages and the order, meaning of the same.</P><P></P><P>For eg: if I saw following sample message in a website. How do I understand what each parameter is supposed to mean.</P><P>4,1001256,2002/04/11,01:17:49,2002/04/10,20:17:49,10008,100,101,OUT,IN,5,5126,</P><P>0,TCP/IP,64.194.107.85,W.X.Y.124,32768,80,0.0.0.0,</P><P></P><P>Thanks</P><P>KAD</P> Sun, 10 Mar 2019 11:23:25 GMT https://community.cisco.com/t5/network-security/cisco-ids-log-format/m-p/1128855#M78271 anusuya_k 2019-03-10T11:23:25Z https://community.cisco.com/t5/network-security/cisco-ids-log-format/m-p/1128856#M78272 <HTML><HEAD></HEAD><BODY><P>Follwoing is one of the example of IDS log format message:</P><P></P><P>%PIX|ASA-4-4000nn: IPS:number string from IP_address to IP_address on </P><P>interface interface_name</P><P>Explanation Messages 400000 through 400051 are Cisco Intrusion Detection System signature messages. For more information, see the Cisco Intrusion Detection System User Guide. </P><P>Recommended Action For more information, see the Cisco Intrusion Detection System User Guide. All signature messages are not supported by the security appliance in this release. IPS system log messages all start with 4-4000nn and have the following format: </P><P>number - The signature number. </P><P> </P><P>string - The signature message-approximately the same as the NetRanger signature message. </P><P> </P><P>IP_address - The local to remote address to which the signature applies. </P><P> </P><P>interface_name - The name of the interface on which the signature originated. </P><P> </P><P>For example: </P><P></P><P>%PIX|ASA-4-400013 IPS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz</P><P>%PIX|ASA-4-400032 IPS:4051 UDP Snork attack from 10.1.1.1 to 192.168.1.1 on interface </P><P>outside</P><P></P></BODY></HTML> Mon, 01 Dec 2008 20:49:07 GMT https://community.cisco.com/t5/network-security/cisco-ids-log-format/m-p/1128856#M78272 smalkeric 2008-12-01T20:49:07Z https://community.cisco.com/t5/network-security/cisco-ids-log-format/m-p/1128857#M78273 <HTML><HEAD></HEAD><BODY><P>Thanks for the response. But the format %PIX|ASA-4-4000nn is specific to IDS/IPS module messages on Cisco ASA/PIX. I am looking for the message format of Cisco IDS appliance itself. I understand cisco IDS supports SDEE, so when it is exported as text, it may generate the text format logs as I put in the initial message. I am looking for description of this log format.</P><P></P><P>Thanks</P><P>KAD</P></BODY></HTML> Tue, 02 Dec 2008 05:03:48 GMT https://community.cisco.com/t5/network-security/cisco-ids-log-format/m-p/1128857#M78273 anusuya_k 2008-12-02T05:03:48Z