The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Cisco IOS is the proprietary operating system used in Cisco routers and switches. It provides management of network traffic, including data, voice, and video, across a range of communications environments.

This technology pack will process Cisco IOS logs, providing normalization and enrichment of those events.

Supported Version(s)

  • Cisco IOS XE 17.14.x

Requirements

  • Cisco IOS XE 17.14.x
  • Graylog 5.2.6+

Stream Configuration

This technology pack includes one stream:

  • "Illuminate:Cisco Device Messages"

Hint: If this stream does not exist before the pack is activated, it will be created, and the pack will be configured to route messages to this stream and its associated index set. No stream rules should be configured on this stream.

Index Set Configuration

This technology pack includes one index set definition:

  • "Cisco Devices Event Log Messages"

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection

  • Users can choose to send logs via syslog or in raw format. Cisco products often include timestamps in their logs that Graylog may not be able to parse. If this occurs, we recommend sending logs in raw format.

Log Format Example

SEC-6-IPACCESSLOGP

Aug 17 02:41:39.326: %SEC-6-IPACCESSLOGP: list 105 denied udp 192.168.12.157(55250) -> 192.168.12.255(11550), 1 packet

URLF-6-URL_ALLOWED

Mar 12 18:46:11: %URLF-6-URL_ALLOWED: Access allowed for URL http://www.websense.com/; client 10.54.192.6:54123 server 192.168.0.1:80

What is Provided

  • We provide parsing rules to normalize and enrich Cisco IOS log messages.
  • We provide categorization for the following log types:
    • SEC-6-IPACCESSLOGRP
    • SEC-6-IPACCESSLOGSP
    • SEC-6-IPACCESSLOGP
    • SEC-6-IPACCESSLOGDP
    • SEC-6-IPACCESSLOGNP
    • LINK-3-UPDOWN
    • LINK-5-CHANGED
    • LINEPROTO-5-UPDOWN
    • CRYPTO-5-SESSION_STATUS
    • AUTHMGR-5-SECURITY_VIOLATION
    • SYS-5-CONFIG_I
    • SEC_LOGIN-5-LOGIN_SUCCESS
    • SEC_LOGIN-4-LOGIN_FAILED
    • AAA-5-USER_LOCKED
    • AAA-5-USER_UNLOCKED
    • SEC-6-IPACCESSLOGRL
    • URLF-4-URL_BLOCKED
    • URLF-6-URL_ALLOWED
    • URLF-4-SITE_BLOCKED
    • URLF-6-SITE_ALLOWED
    • URLF-5-SERVER_UP
    • URLF-3-SERVER_DOWN
    • URLF-3-ALLOW_MODE
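To make the parsing and categorization described above concrete, the following Python script (an added example written for this page, not Illuminate's own pipeline rules) normalizes the two lines from the Log Format Example section into flat field dictionaries. It splits the %FACILITY-SEVERITY-MNEMONIC header, maps the severity digit to its name, extracts the ACL and URL-filter fields, and assigns an event category. The category labels, the field names, and the `year` parameter are assumptions chosen for this example: Cisco IOS timestamps carry no year, which is one reason raw collection is recommended above.

```python
"""Normalize Cisco IOS system messages of the form
   <timestamp>: %FACILITY-SEVERITY-MNEMONIC: <message text>
into flat field dictionaries (example code, not Illuminate's rules)."""
import re
from datetime import datetime

# Constructed sample input: the two lines from the Log Format Example section.
SAMPLE_LINES = [
    "Aug 17 02:41:39.326: %SEC-6-IPACCESSLOGP: list 105 denied udp "
    "192.168.12.157(55250) -> 192.168.12.255(11550), 1 packet",
    "Mar 12 18:46:11: %URLF-6-URL_ALLOWED: Access allowed for URL "
    "http://www.websense.com/; client 10.54.192.6:54123 server 192.168.0.1:80",
]

# Optional IOS timestamp (a leading '*' marks an unsynchronized clock, an
# optional zone may follow), then the %FACILITY-SEVERITY-MNEMONIC header.
HEADER_RE = re.compile(
    r"^(?:\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{1,3})?)"
    r"(?: [A-Z]{3,4})?: )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

# Body parsers for the two message types shown on the page; other mnemonics
# get header normalization and a category only.
ACL_RE = re.compile(
    r"^list (?P<acl>\S+) (?P<action>permitted|denied) (?P<protocol>\w+) "
    r"(?P<source_ip>[\d.]+)\((?P<source_port>\d+)\) -> "
    r"(?P<destination_ip>[\d.]+)\((?P<destination_port>\d+)\), "
    r"(?P<packet_count>\d+) packets?$"
)
URLF_RE = re.compile(
    r"^Access (?P<action>allowed|blocked) for URL (?P<url>[^\s;]+); "
    r"client (?P<source_ip>[\d.]+):(?P<source_port>\d+) "
    r"server (?P<destination_ip>[\d.]+):(?P<destination_port>\d+)$"
)
BODY_PARSERS = {"SEC-IPACCESSLOGP": ACL_RE, "URLF-URL_ALLOWED": URLF_RE}
INT_FIELDS = ("source_port", "destination_port", "packet_count")

SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notice", 6: "informational", 7: "debug"}

# Hypothetical grouping of the mnemonics listed on the page into categories.
# These labels are assumptions for this example, not Illuminate's own names.
EVENT_CATEGORY = {
    **{m: "acl" for m in ("IPACCESSLOGP", "IPACCESSLOGDP", "IPACCESSLOGNP",
                          "IPACCESSLOGRP", "IPACCESSLOGSP", "IPACCESSLOGRL")},
    **{m: "interface" for m in ("UPDOWN", "CHANGED")},
    **{m: "authentication" for m in ("LOGIN_SUCCESS", "LOGIN_FAILED",
                                     "USER_LOCKED", "USER_UNLOCKED",
                                     "SECURITY_VIOLATION")},
    **{m: "url_filter" for m in ("URL_ALLOWED", "URL_BLOCKED", "SITE_ALLOWED",
                                 "SITE_BLOCKED", "SERVER_UP", "SERVER_DOWN",
                                 "ALLOW_MODE")},
    "CONFIG_I": "configuration",
    "SESSION_STATUS": "crypto",
}


def parse_timestamp(ts, year):
    """IOS timestamps have no year, so the caller supplies one (assumption)."""
    ts = " ".join(ts.split())  # collapse the day padding ("Aug  7" -> "Aug 7")
    fmt = "%Y %b %d %H:%M:%S.%f" if "." in ts else "%Y %b %d %H:%M:%S"
    return datetime.strptime(f"{year} {ts}", fmt)


def parse_cisco_ios(line, year=None):
    """Return a normalized event dict, or None if the line is not an IOS message."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None  # identified as non-IOS; left unparsed, as the page describes
    sev = int(m["severity"])
    event = {
        "facility": m["facility"],
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m["mnemonic"],
        "message_id": f"{m['facility']}-{sev}-{m['mnemonic']}",
        "category": EVENT_CATEGORY.get(m["mnemonic"], "uncategorized"),
        "text": m["text"],
    }
    if m["ts"]:
        event["timestamp"] = parse_timestamp(m["ts"], year or datetime.now().year)
    body_re = BODY_PARSERS.get(f"{m['facility']}-{m['mnemonic']}")
    body = body_re.match(m["text"]) if body_re else None
    if body:
        fields = body.groupdict()
        for key in INT_FIELDS:
            if key in fields:
                fields[key] = int(fields[key])
        event.update(fields)
    return event


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_cisco_ios(sample, year=2024))
```

A line that fails the header match is returned as None rather than raising, which mirrors the page's distinction between events that are merely identified and events that are fully parsed.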

Events Processed by This Technology Pack

The Cisco IOS content pack identifies all Cisco IOS events, but parsing, normalization, and categorization are provided only for the events listed above.

Packetbeat Spotlight Content Pack

The Cisco IOS dashboard has three tabs: an overview tab, a network tab, and a tab giving an overview of authentication events.

Cisco IOS Overview Tab

Cisco IOS Authentication Tab

Cisco IOS Network Overview Tab