The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.
Proprietary software used in Cisco routers and switches, enabling robust management of network traffic, including data, voice, and video across various communications environments.
This technology pack will process Cisco IOS logs, providing normalization and enrichment of those events.
Supported Version(s)
- Cisco IOS XE 17.14.x
Requirements
- Cisco IOS XE 17.14.x
- Graylog 5.2.6+
Stream Configuration
This technology pack includes one stream:
- "Illuminate:Cisco Device Messages "
Index Set Configuration
This technology pack includes one index set definition:
- "Cisco Devices Event Log Messages"
Log Collection
- Users can choose to send logs via syslog or raw format. Cisco products often include timestamps in logs that may not be compatible with Graylog. If this occurs, we recommend users send logs via raw.
Log Format Example
SEC-6-IPACCESSLOGP
Aug 17 02:41:39.326: %SEC-6-IPACCESSLOGP: list 105 denied udp 192.168.12.157(55250) -> 192.168.12.255(11550), 1 packet
URLF-6-URL_ALLOWED
Mar 12 18:46:11: %URLF-6-URL_ALLOWED: Access allowed for URL http://www.websense.com/; client 10.54.192.6:54123 server 192.168.0.1:80
What is Provided
- We provide parsing rules to normalize and enrich Cisco IOS log messages.
- We provide categorization for the following log types:
- SEC-6-IPACCESSLOGRP
- SEC-6-IPACCESSLOGSP
- SEC-6-IPACCESSLOGP
- SEC-6-IPACCESSLOGDP
- SEC-6-IPACCESSLOGNP
- LINK-3-UPDOWN
- LINK-5-CHANGED
- LINEPROTO-5-UPDOWN
- CRYPTO-5-SESSION_STATUS
- AUTHMGR-5-SECURITY_VIOLATION
- SYS-5-CONFIG_I
- SEC_LOGIN-5-LOGIN_SUCCESS
- SEC_LOGIN-4-LOGIN_FAILED
- AAA-5-USER_LOCKED
- AAA-5-USER_UNLOCKED
- SEC-6-IPACCESSLOGRL
- URLF-4-URL_BLOCKED
- URLF-6-URL_ALLOWED
- URLF-4-SITE_BLOCKED
- URLF-6-SITE_ALLOWED
- URLF-5-SERVER_UP
- URLF-3-SERVER_DOWN
- URLF-3-ALLOW_MODE
Events Processed by This Technology Pack
The Cisco IOS content pack supports identification for all events, but parsing, normalization, and categorization are supported for the events listed above.
Packetbeat Spotlight Content Pack
Cisco IOS offers a dashboard with three tabs: an overview tab, a network tab, and a tab for an overview of Authentication events.
Cisco IOS Overview Tab
Cisco IOS Authentication Tab
CISCO IOS Network Overview Tab