The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.
Cisco Business 350 Series Managed Switches are managed Layer 3 network switches designed for small and medium-sized businesses, offering advanced features like VLAN segmentation, static routing, and enhanced security in a simple, intuitive interface.
This technology pack processes Cisco Business 350 Series (CBS) switch logs, providing normalization and enrichment of common events of interest.
Supported Version(s)
- Pack created with CBS350 Firmware 3.4.0.17
Requirements
- Minimum supported version of Graylog.
- Configure the CBS350 device to transmit RFC 5424 formatted Syslog to your Graylog server Syslog input.
<190>%COPY-I-FILECPY....
Stream Configuration
This technology pack includes 1 stream:
- "Illuminate:Cisco Device Messages"
Index Set Configuration
This technology pack includes 1 index set definition:
- Cisco Devices Event Log Messages
Log Collection and Delivery
This pack parses logs from the following sources:
- Syslog
Configuration
Due to the generic formatting of CBS logs, identifying and parsing them is difficult, and a generic identification rule could match non-CBS logs as well. To solve this problem, you must configure a CBS-specific input on the Graylog server and use an Illuminate lookup override. This configuration allows Illuminate to treat every log sent to this input as a CBS message by mapping the input ID to the CBS Illuminate identification rule. This input should be dedicated to CBS devices so that this pack processes only CBS logs.
- Create a new Syslog input in Graylog and choose an unused port.
- Click Show received messages to obtain the input ID. This action pulls up a search window with the All Time timeframe.
- Copy the gl2_source_input value.
- Navigate to Enterprise > Illuminate, then click the Customization tab.
- Locate the lookup_adapter_input_routing title and click Edit.
- For Key: content_name, enter cisco_350, and for the Value: input_id, enter the gl2_source_input ID copied earlier.
- Click Configure value to confirm. Graylog identifies all logs sent to the configured input and associated port as CBS logs, allowing for proper Illuminate processing.
- Create Illuminate lookup override.
Log Format Example
These are example logs for various processed log types.
<190>1 2025-01-24T11:09:44.000-08:00 SOME-SWITCH SOMETHING - CONNECT - User CLI session for user some.user over ssh , source 192.168.2.3 destination 192.168.2.10 ACCEPTED
<190>1 2025-01-24T11:48:30.000-08:00 SOME-SWITCH SOMETHING - SSHSUCC - Connection ID 11 - SSH Session request from 192.168.2.10 port 53865 to Local address 192.168.2.30 port 22, username 'some.user' using crypto cipher aes256-ctr, hmac hmac-sha2-256 succeeded.
<190>1 2025-01-17T09:27:51.000-08:00 SOME-SWITCh SOMETHING - Up - gi1/0/47
<190>1 2025-02-25T00:04:48.000-08:00 SOME-SWITCh SOMETHING - FILECPY - Files Copy - source URL flash://system/configuration/startup-config destination URL flash://system/configuration/mirror-config
What is Provided
- Rules to parse, normalize, and enrich Content Pack messages.
Events Processed by This Technology Pack
The content pack supports the following log types. Generic processing will be provided for log types not listed.
- NATIVE_VLAN_MISMATCH
- PORTSTATUS
- SECSYNBLOCKED
- SNMPAUTHFAIL
- SSHFAIL
- LOG
- FILECPY
- REJECT
- Up
- Down
- SHUTDWN
- SSHSUCC
- CONNECT
- DISCONNECT
- EeeLldpMultiNeighbours
Message Fields Included in This Pack
General Parsing
Common Fields List
| Field Name | Example Value | Field Type | Description |
|---|---|---|---|
| application_name | PNPAGENT | keyword | This field is generated by the Syslog input when analyzing the syslog message |
| destination_ip | 192.168.2.10 | long | IP address of the destination host |
| destination_port | 22 | long | Port the client connects to |
| event_source | GL-SWITCH | keyword | Syslog hostname in delivered message |
| event_source_product | cisco_350 | keyword | The default event_source_product for CBS processed logs |
| network_interface | gi1/0/47 | keyword | The network interface(s) noted in the message |
| source_ip | 192.168.2.3 | long | IP address of the source host |
| source_port | 12345 | long | Port from which the client initiates |
| user_name | some.user | keyword | User name tied to the message |
| vendor_crypto_cipher | aes256-ctr | keyword | The cipher used to encrypt the communication |
| vendor_crypto_hmac | hmac-sha2-256 | keyword | The HMAC used in the communication |
| vendor_connection_id | 14 | keyword | The connection ID associated with the connection |
| vendor_destination_file_name | mirror-config | keyword | The destination file name noted in message |
| vendor_destination_protocol | flash | keyword | The destination protocol noted in the message (flash/http/https/etc.) |
| vendor_destination_request_path | /system/configuration/mirror-config | keyword | The destination file path |
| vendor_event_message | Backoff PnP Request with <callbackAfter> has received: 24 Hours 0 Minutes 0 Seconds | keyword | Main event message contained in the log; only present for log types not listed as supported |
| vendor_event_outcome | Bye Bye | keyword | The outcome from the associated connection |
| vendor_event_outcome_code | 11 | keyword | The outcome code from the associated connection |
| vendor_event_outcome_reason | identification exchange failed | keyword | Additionally provided info related to the outcome of the associated connection |
| vendor_source_request_path | /system/configuration/startup-config | keyword | The source file path |
| vendor_source_request_protocol | flash | keyword | The source protocol noted in the message (flash/http/https/etc.) |
| vendor_subtype | BACKOFFCALLBACKAFTER | keyword | The extracted CBS message ID (event identifier) |
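As an added example, not part of this content pack or Graylog's own pipeline rules, the following Python parser maps the RFC 5424 lines from the Log Format Example section onto the field names in the table above, and falls back to vendor_event_message for types it has no pattern for. The per-type patterns, and the mapping of the trailing ACCEPTED/succeeded word to vendor_event_outcome, are assumptions derived only from the sample lines on this page.

```python
import re

HEADER = re.compile(r"^<\d{1,3}>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*?\]) ?(.*)$")  # <PRI>1 TS HOST APP PROCID MSGID SD MSG
IFACE = re.compile(r"^(?P<network_interface>\S+)$")
PER_TYPE = {  # keyed by MSGID (the CBS event id); patterns are assumptions written from this page's samples, not Graylog's rules
    "CONNECT": re.compile(r"user (?P<user_name>\S+) over \S+ ?, source (?P<source_ip>\S+) "
                          r"destination (?P<destination_ip>\S+) (?P<vendor_event_outcome>\w+)$"),
    "SSHSUCC": re.compile(r"Connection ID (?P<vendor_connection_id>\d+) - SSH Session request from "
                          r"(?P<source_ip>\S+) port (?P<source_port>\d+) to Local address "
                          r"(?P<destination_ip>\S+) port (?P<destination_port>\d+), username "
                          r"'(?P<user_name>[^']+)' using crypto cipher (?P<vendor_crypto_cipher>\S+), "
                          r"hmac (?P<vendor_crypto_hmac>\S+) (?P<vendor_event_outcome>\w+)\.?$"),
    "FILECPY": re.compile(r"source URL (?P<src>\S+) destination URL (?P<dst>\S+)$"),
    "Up": IFACE, "Down": IFACE,
}
INT_FIELDS = {"source_port", "destination_port"}  # the table types these as long

def split_url(url):
    """'flash://system/configuration/mirror-config' -> ('flash', '/system/configuration/mirror-config', 'mirror-config')"""
    proto, _, rest = url.partition("://")
    path = "/" + rest
    return proto, path, path.rsplit("/", 1)[-1]

def parse_cbs(line):
    """Return Illuminate-style fields for one CBS syslog line, or None if it is not RFC 5424."""
    m = HEADER.match(line)
    if not m:
        return None  # legacy '<190>%COPY-I-FILECPY...' style is not parsed; see Requirements
    _ts, host, app, _procid, msgid, _sd, msg = m.groups()
    fields = {"event_source_product": "cisco_350", "event_source": host,
              "application_name": app, "vendor_subtype": msgid}
    rule = PER_TYPE.get(msgid)
    body = rule.search(msg) if rule else None
    if body is None:  # unsupported or unmatched type: generic processing keeps the raw message
        fields["vendor_event_message"] = msg
        return fields
    g = body.groupdict()
    if msgid == "FILECPY":  # split each URL into protocol, path and (for the destination) file name
        sp, spath, _ = split_url(g.pop("src"))
        dp, dpath, dname = split_url(g.pop("dst"))
        g.update(vendor_source_request_protocol=sp, vendor_source_request_path=spath,
                 vendor_destination_protocol=dp, vendor_destination_request_path=dpath,
                 vendor_destination_file_name=dname)
    fields.update({k: int(v) if k in INT_FIELDS else v for k, v in g.items()})
    return fields

if __name__ == "__main__":  # constructed sample, modelled on the page's Log Format Example
    print(parse_cbs("<190>1 2025-02-25T00:04:48.000-08:00 SOME-SWITCH SOMETHING - FILECPY - Files Copy - "
                    "source URL flash://system/configuration/startup-config destination URL "
                    "flash://system/configuration/mirror-config"))
```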