Cisco
Cisco allows you to monitor and identify threats to your organization using Cisco data. Logpoint aggregates and normalizes the Cisco logs so you can analyze the information through dashboards. Cisco dashboards visualize event details for network, user authentication, intrusion prevention systems, email security, VPN, endpoint security, wireless and other Cisco collaboration solutions.
Key Information
- When configuring the normalization policy, select LP_Cisco PIXASA first and LP_Cisco PIX/ASA second, followed by other normalization packages to prevent normalization issues.
- Activate the label packages to apply labels and group similar logs together. To learn how to activate the label package, go to Activating Labels Packages.
- The EmailParser should be configured in the device for using CiscoIronPortESGCompiledNormalizer.
Bug Fixes
| Description | Issue ID | Reference ID |
|---|---|---|
|
Some Cisco Firepower logs were not normalized by CiscoFirepowerNormalizer |
PLUG-13274, PLUG-13244, PLUG-16186 |
86208, 86076, 77731 |
|
The firewall’s hostname was not extracted by the Cisco normalizers.
|
PLUG-16128 |
78476 |
Past Releases
Cisco v5.5.0
Release Date: Oct 21, 2024
Download: Cisco_5.5.0.pak
SHA256: 3b50f25736a745a52cbf29175a1e163948500a1ca20f3cc691d848d0c3198f04
Enhancements
Enhancement
| Description | Issue ID | Reference ID |
|---|---|---|
| For Cisco Identity Services Engine (ISE), the authentication and status fields were not normalized. |
PLUG-11999 |
84859 |
Cisco v5.4.0
Release Date: April 26, 2024
Download: Cisco_5.4.0.pak
SHA256: 7ab055ab0d9a2e2430e9b55fa799b2f5b62bffa0b7541833a67d182f232d770d
Enhancement
| Description | Issue ID | Reference ID |
|---|---|---|
| Added Syslog Collector based Cisco and CiscoEmail log source templates, simplifying the log source configuration process. To learn more, go to Creating Log Source via a Template. |
KB-22622 |
- |
Cisco v5.3.0
Release Date: September 01, 2023
Download: Cisco_5.3.0.pak
SHA256: 424920535a5505c925690777643ab6692a63a433e220f3a3f3f1f293efc96243
Enhancements
|
Description |
Issue ID | Reference ID | |||||||||||||||||||||||||||||||||
|
Renamed the following fields in CiscoISENormalizer, CiscoISENormalizer and CiscoFirepowerNormalizer:
|
KB-21703, KB-21285, KB-21962 | 75265, 76857 | |||||||||||||||||||||||||||||||||
|
Added new labels in CiscoISENormalizer for the event IDs 61025, 61026, 70000, 70001, 70002, 70010 and 70011. |
KB-18420 | 69408 | |||||||||||||||||||||||||||||||||
|
The host information from the syslog header of Cisco PIXASA Firewall logs is now normalized as log_host field by CiscoPIXASACompiledNormalizer. |
KB-20169, KB-20227 | 72986, 73128 | |||||||||||||||||||||||||||||||||
|
The Subject field containing MIME encoded values is decoded and normalized by CiscoIronPortESGCompiledNormalizer. |
KB-21084 | 74979, 74400, 75122 | |||||||||||||||||||||||||||||||||
|
Added new signatures in LP_Cisco IronPort Web App, LP_Cisco Switch, LP_Cisco Switch Generic and LP_Cisco Firepower Management Centre to normalize IronPort Web App, Cisco Switch and Firepower Management Centre logs. |
KB-21527, KB-21406, KB-20577, KB-21394 | 75728, 74731, 73738, 75231 | |||||||||||||||||||||||||||||||||
|
Updated CiscoPIXASACompiledNormalizer to normalize the user and domain fields. |
KB-20776 | 73863 | |||||||||||||||||||||||||||||||||
| The file, malware and threat_status fields are now normalized by CiscoIronPortESGCompiledNormalizer. | KB-18990 | 70349, 74283 | |||||||||||||||||||||||||||||||||
| Added Threat and Detect labels in CiscoIronPortESGCompiledNormalizer for events where threat_status field value is positive. | |||||||||||||||||||||||||||||||||||
|
Added new labels for event ID 61025 and removed Health label in CiscoISENormalizer. |
KB-21700 |
- | |||||||||||||||||||||||||||||||||
Bug Fix
| Description | Issue ID | Reference ID |
|---|---|---|
|
Some Cisco PIXASA logs with event ID 302013 were not normalized by CiscoPIXASACompiledNormalizer and LP_Cisco PIXASA. |
KB-20418 | 73350 |
Cisco v5.2.0
Release Date: Aug 4, 2022
Download: Cisco_5.2.0.pak
SHA256: 4b1ccdd52bbf179a2b0c5c86c6ced80ed56352c03c093e7255c767e9122a59bf
Enhancements
| Description | Issue ID | Reference ID | |
|---|---|---|---|
|
Updated the CiscoFirepowerNormalizer to support Cisco Firepower Management Center logs that were previously supported by CiscoFirepower normalization packages. |
KB-13076 | - | |
|
Added new signatures in LP_Cisco Meraki MX Security Appliance to normalize Cisco Meraki logs. Also, renamed the following labels: |
KB-16778 | - | |
| Former Labels | Updated Labels | ||
| label | VPN | ||
|
dst |
destination_address | ||
| request_type | icmp_type | ||
|
Improved the normalization performance of CiscoFirepowerNormalizer by six folds. |
KB-13215 | - | |
|
Added new signatures in LP_Cisco IronPort Web App to normalize Cisco IronPort Web App logs. Also, updated signatures in CiscoIronPortWebAppCompiledNormalizer to support new Cisco IronPort Web App log format. |
KB-16211 |
- | |
|
Updated the signature by adding relevant fields in the LP_Cisco IronPort Web Appliance to normalize Cisco Secure Web Appliance Access new log format. |
KB-17087 | 66898 | |
Bug Fixes
The following issues are fixed:
| Description | Issue ID | Reference ID |
|---|---|---|
|
CiscoPIXASACompiledNormalizer did not properly normalize some CISCO PIX ASA logs. |
KB-14337, KB-16352 | 65020 |
| CiscoFirepowerNormalizer did not correctly normalize some Cisco Firepower and Cisco FTD Intrustion logs. |
KB-16121, KB-16138, KB-17336, KB-17339 |
67334 |
| CiscoPIXASACompiledNormalizer did not correctly normalize the endpoint_feature field of Cisco ASA logs. | KB-16373 | 65001 |
| CiscoISENormalizer did not correctly normalize Cisco ISE logs. | KB-16530 | 65615 |
| LP_Cisco Wireless Controller did not properly normalize the hardware_address field of WLC logs. | KB-16856 | 66340 |
Cisco v5.1.0
Enhancement
| Description | Issue ID | Reference ID |
|---|---|---|
|
Added new compiled normalizers CiscoPixASACompiledNormalizer and CiscoESACEFCompiledNormalizer to support the PIXASA and Cisco Email Security Appliance (ESA) logs. |
KB-6888, KB-13528, KB-10943, KB-15993 | 30785, 57360, 46742 |
| Added and updated new signatures in LP_Cisco DNA to normalize Cisco DNA Center logs. | KB-15447, KB-15546 | 61469 |
| Added signatures in LP_Cisco Traps and CiscoIronPortWebApp to normalize SNMP Trap logs from Cisco 5520 Wireless LAN Controller and Cisco WSA logs. | KB-15677, KB-15744 | 62459, 63114 |
| Added new signatures in LP_Arista Switch to normalize Arista Switches logs. | KB-15620 | - |
| Added new Cisco alerts. To learn more, go to Cisco Alerts in the Cisco v5.1.0 guide. | KB-12871 | |
| Added new widgets in the Cisco IronPort Email Security dashboard package for larger attachments and other policies. | KB-13578 | |
|
Added new labels in LP_Cisco Catalyst 35XX series, LP_Cisco Nexus 5548, and LP_Cisco Meraki MX Security Appliance. |
||
|
Added new labels in the LP_Cisco Catalyst 35XX series, LP_Cisco Nexus 5548, and LP_Cisco Meraki MX Security Appliance normalization packages. |
KB-13578 | |
|
Firepower events that were supported via LP_Cisco Firepower are now supported by CiscoFirepowerNormalizer. |
KB-13076 |
Bug Fixes
The following issues are fixed:
|
Description
|
Issue ID
|
Reference ID
|
|---|---|---|
| Normalization service issue in CiscoESACEFCompiledNormalizer. | KB-16289 | 64581 |
| Normalization packages did not normalize some Cisco Iron Port, Cisco WSA, and Cisco Meraki logs. | KB-15623, KB-15531, KB-15531, KB-16070 | 62426, 62883, 61037, 64233, 64116, 64730 |
| LP_Cisco ISE did not correctly normalize the FailureReason field of Cisco ISE logs. | KB-16096 | 64026 |
Cisco v5.0.3
Enhancements
- The signatures for the event IDs 419002 and 737015 have been updated for the normalization package LP_Cisco PIXASA to normalize the sample logs correctly. Additionally, the event IDs 737036, 737017, 737034, 737005, 737016, 737037, 737013, 717055, 750001, and 805002 have been added.
- The field source_address has been renamed as lease_address for Cisco PIXASA logs with the event ID 737015.
Bug Fixes
The following issues have been resolved:
- An issue in the normalization package LP_Cisco PIXASA where the value of the field user was normalized incorrectly.
- An issue where some Cisco ASA logs were not normalized.
- An issue in the normalization package LP_Cisco IOS/CatOS where the value of the field log_ts was normalized incorrectly.
- An issue in the normalization package LP_Cisco Firepower where values of some fields were not properly captured for the Cisco Firepower logs.
Cisco v3.7.0
Release Date: May 14, 2020
Download: Cisco_3.7.0.pak
SHA256: 0804c614f54f57372ecc843e374f914f2ee0013397e189db9e35299ab3480e82
Enhancement
A minor update in the Cisco's normalizer for better signature handling.
Support
If you have any queries or require assistance, create a support ticket.
Hi,
It says LogPoint v5.2 and later for Version 3.4.1.
But when I try to add it to logpoint version 6.5.3 it says, " only supported on 6.6.x".
Do you have one for version 6.x.x yet?
Best regards
Henrik Olsson