Cisco Firepower SF-IMS syslog

[Mikayel Mikayelyan]

Does anyone have decoders for the SF-IMS firepower ?

[Md. Nazmur Sakib]

Hi Mikayel,

I am sharing with you a sample decoder for SF-IMS firepower logs that you might find useful.

The decoder is written based on this log:

Apr 17 07:59:03 firepower SF-IMS[99999]: [25777] ADI:vdi.radius [ERROR] {nas_ip = 192.168.15.21, mac_addr = 8C:8C:3B:3D:FF:2A, user_name = test-user/mozilla.com, domain = mozilla.com, host resolved identities = test-user$@mozilla.com, networkDeviceProfileName = test,netBiosName = TEST, portId = GigabitEthernet1/0/1}

Decoder:

<decoder name="cisco_decoder">

    <program_name>SF-IMS</program_name>

    <type>syslog</type>

    <regex>nas_ip = (\d+.\d+.\d+.\d+), mac_addr = (\.+), user_name = (\.+), domain = (\.+), host resolved identities = (\.+)\.*portId = (\.+)</regex>

    <order>nas_ip,mac_addr,user_name,domain,host_resolved_identities,portID</order>

</decoder>

And here is the resulting decoder working:

**Phase 2: Completed decoding.

name: 'cisco_decoder'

domain: 'mozilla.com'

host_resolved_identities: 'test-user$@mozilla.com, networkDevice'

mac_addr: '8C:8C:3B:3D:FF:2A'

nas_ip: '192.168.15.21'

portID: 'GigabitEthernet1/0/1}'

user_name: 'test-user/mozilla.com'

You can make more decoders and further changes to your decoder following these documents.

Decoders Syntax
Regular Expression Syntax
Custom decoders

Let me know if you need any further assistance.

[Mikayel Mikayelyan]

Hello, Md. Nazhmur Sakib, thank you for your feedback.

Do I need to write a separate decoder for each log file?

среда, 8 октября 2025 г. в 17:26:53 UTC+4, Md. Nazmur Sakib:

[Md. Nazmur Sakib]

You do not need to create a decoder for every log.
You should write decoders based on the format of the log. You can make a generic decoder that matches lots of the formats of logs. You can also make decoders specific to each format. It depends on your need.

Let me know if you need any further information or assistance.