Log format

Log formats

A log format defines the structure and content of log messages generated by the system. The system supports two primary log formats: CEF (Common Event Format) and CEF Extended Time Precision.

CEF log format

Here are examples:

  • Classic UI:
    Aug 1 05:52:40 10.106.15.39 Aug 1 09:51:26 Center cybervision[1]: CEF:0|Cisco|Cyber Vision|1.0|user_login|Login success to Cisco Cyber Vision|0|cat=Cisco Cyber Vision Operations msg=User 'admin user (IP: 10.189.168.24)' has logged into Cyber Vision. suser=admin@sentryo.net spriv=User SCVEventtype=user_login SCVAuthorId=e91cc472-0a35-4b63-904b-585617db3873 center-id="564d3c3f-12f5-faff-b335-02d5a1246fc8"
  • New UI:
    Aug 1 07:42:29 10.106.15.39 Aug 1 11:41:15 Center cybervision[1]: CEF:0|Cisco|Cyber Vision|2.0|alert_cleared|Prohibited vendors|2|cat=Property msg=This asset no longer belongs to this prohibited vendor SCVAuthorId=e91cc472-0a35-4b63-904b-585617db3873 alertId=21e02d4e-4c97-4913-8755-6d22b6a345ac alertRuleId=0a66abb3-075d-4f91-b3a3-5dd1c875929c assetFunctionalGroupId= assetId=37dd7107-6eb8-51e3-a74b-de2a6e87bb2a assetName=Hirschmann e:ef:38 sensorNames=explore.pcap;25102016_wincc_nmap_sS.pcapng vendorName=Hirschmann center-id="564d3c3f-12f5-faff-b335-02d5a1246fc8"

CEF Extended Time Precision log format

Examples:

  • Classic UI:
    Aug 1 07:48:21 10.106.15.42 2025-08-01T11:43:02.306722+00:00 Center cybervision[1]: CEF:0|Cisco|Cyber Vision|1.0|syslog_update|Syslog configuration updated|1|cat=Cisco Cyber Vision Administration msg=Syslog configuration has been changed by Admin User (IP: 10.189.161.111) to local3.* udp172.26.154.121:514 suser=admin@sentryo.net spriv=User center-id="564de41b-d8c3-d753-0e6f-08b4bca5d596"
  • New UI:
    Aug 1 07:51:21 10.106.15.42 2025-08-01T11:46:03.329144+00:00 Center cybervision[1]: CEF:0|Cisco|Cyber Vision|2.0|alert_raised|Severe vulnerabilities in monitored entities|1|cat=Vulnerability msg=A severe vulnerability has been detected on a monitored asset alertId=10db6ad6-4968-4b56-98d8-e2d003ea1959 alertRuleId=35b5ba13-09cf-43b9-a750-5f547693a0bd assetFunctionalGroupId= assetId=4d37a8a2-38be-5f60-98d0-783b4c7cb726 assetName=192.168.12.83 sensorNames=vlan.pcap vulnCSRS=51 vulnCVSSscore=7.5 vulnCveId=CVE-2023-51440 vulnName=TCP Sequence Number Validation Vulnerability in Siemens CP343-1 Devices center-id="564de41b-d8c3-d753-0e6f-08b4bca5d596"

Comparison of log format attributes

Format

Timestamp style

UI Variants

Use case

CEF

Second-precision timestamps

Classic UI/New UI

Regular event logging

CEF Extended Time Precision

Millisecond-precision timestamps

Classic UI/New UI

High-precision logging

Fields in CEF syslog messages

Timestamp format examples

  • CEF examples:

    • Aug 1 05:52:40 10.106.15.39 Aug 1 09:51:26 Center cybervision[1]:

  • CEF Extended Time Precision examples:

    • Aug 1 07:48:21 10.106.15.42 2025-08-01T11:43:02.306722+00:00 Center cybervision[1]:

Syslog message structure example

Fields in CEF syslog messages are separated by a vertical bar ("|").

  • CEF:0|Cisco|Cyber Vision|1.0|user_login|Login success to Cisco Cyber Vision|0|

Fields with fixed values

The table lists syslog fields with fixed values for Classic UI and New UI.

For Classic UI

 For New UI

CEF:Version”: “CEF:0

CEF:Version”: “CEF:0

Device Vendor”: “Cisco

Device Vendor”: “Cisco

Device Product”: “Cyber Vision

Device Product”: “Cyber Vision

Device Version”: “1.0

Device Version”: “2.0

center-id

center-id

Fields with values that vary by message type

The list below details the fields with values that vary depending on the message type.

  • The extension contains two fixed fields at the beginning:

    • cat

    • msg

  • The optional extension fields include:

    • For Classic UI:

      • spriv

      • SCVEventtype

      • SCVAuthorId

    • For New UI:

      • assetFunctionalGroupId

      • assetId

      • assetName

      • sensorNames

      • vulnCSRS

      • vulnCVSSscore

      • vulnCveId

      • vulnName

      • vendorName

Severity mapping for syslog messages

Syslog message severities:

  • “0”: Low

  • “1”: Medium

  • “2”: High

  • “3”: Critical

Fields in component and flow metadata


Note

You can use component and flow metadata for events in the Classic UI.

Component metadata

If the event is associated with a component:

  • An additional component-id key is present.

  • Use the SCVComponentId of the component (as a string) from the Cisco Cyber Vision database.

  • Use the SCVComponentId to query component data with the Cisco Cyber Vision API.

Flow metadata

If the event is associated with a flow, these additional keys are present:

Table 1. Descriptions of Flow Metadata Keys

Key

Description

SCVFlowId

ID of the flow

SCmp-a

IPv4 or IPv6 IP address of component A

SCmp-a-mac

MAC address of component A

SCmp-a-port

Port number of component A

SCmp-b

IPv4 or IPv6 IP address of component B

SCmp-b-mac

MAC address of component B

SCmp-b-port

Port number of component B

Sflow-properties

This is a string containing a comma-separated list of additional properties for the flow. These properties are protocol-dependent and this document does not list all possible values.

Important fields

SCVSensorId: This field corresponds to the sensor where the event was captured. The sensor ID appears in the sbs-sensor command output and is shown only for data captured from sensors (it is not present for login events).