Cisco on graylog


1. Describe your incident:

Only info

2. Describe your environment:

  • OS Information:
    debian
  • Package Version:
    last
  • Service logs, configurations, and environment variables:

none

3. What steps have you already taken to try and solve the problem?

info

4. How can the community help?

info


I have my Graylog server running, which sees all the logs coming from my Cisco devices, without many frills. Can anyone give me precise step-by-step instructions to better monitor ALL my Cisco devices, with dashboards etc.?? Why can't I find a tutorial for all this, since the Cisco world is so big? Thanks

Hey @riccardo

I assume you're using a Raw/Plain text INPUT on Graylog; if so, your best bet would be a pipeline and using key_value to break up the fields.

Or you can just get the fields needed; here is an example:

rule "Cisco Meraki Security"
when
	// Only fire on Meraki IDS alert lines
	has_field("message") && contains(to_string($message.message), "ids-alerts")
then
	// Capture groups come back as result["0"], result["1"], ... in group order.
	// Dots in the src IP group are escaped so "." only matches a literal dot.
	let result = regex("^<\\d+>.+?(\\d+)\\.(\\d+) (\\S+) (\\S+) signature=(\\d+:\\d+:\\d+) priority=(\\d) timestamp=(.+) direction=(\\w+) protocol=(.+) src=(\\d+\\.\\d+\\.\\d+\\.\\d+):(\\d+)$", to_string($message.message));
	set_field("flow_start_time", result["0"]);
	set_field("flow_stop_time", result["1"]);
	set_field("device", result["2"]);
	set_field("event_type", result["3"]);
	set_field("signature", result["4"]);
	set_field("priority", result["5"]);
	set_field("device_timestamp", result["6"]);
	set_field("direction", result["7"]);
	set_field("protocol", result["8"]);
	set_field("src_ip", result["9"]);
	set_field("src_port", result["10"]);
end

Where it shows set_field("device", result["2"]); you can execute a global search for the field "device". Hope that helps.

Thanks for your advice, I'll try to understand better how to put the advice into practice. Honestly, I expected a multitude of responses from the community, since for me the CISCO syslog topic is a very widespread topic. I found a lot of info on older versions of Graylog.

How much effort are you willing to invest? Cisco logging is notoriously hard, as it's mostly syslog, which needs to be parsed. For each kind of source you will need to follow these steps:

  1. Ingest your logs into Graylog. With some devices it might be harder than with others.
  2. Parse your logs into machine-readable values in different fields. I recommend sticking to the GIM.
  3. Enrich your data with meaningful information from the outside (reverse DNS, IOCs, …).
  4. Route your data into separate streams for different sources: ASA to ASA, ISE to ISE, Meraki to Meraki and so on.
  5. Understand your data: create dashboards telling you what is going on, and also prepare saved searches for investigations.
  6. Create alerts if stuff is above/below your usual thresholds.
  7. Work with your logs, get to know them, and check that the parsing is good in all cases.

This takes a lot of time and patience, but will give you a very good overview of your environment.
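As an added example that is not part of either answer above, the following Python script dry-runs the Meraki IDS rule from the first reply and the parse / enrich / route / alert steps from the second reply against a handful of constructed syslog lines, so the regex and stream logic can be checked on a workstation before anything is deployed into Graylog. The regex and field names are the ones from the pipeline rule (with the dots in the src IP group escaped); `IOC_IPS`, the stream names, the sample messages and the helper names (`parse_meraki_ids`, `enrich`, `route`, `process`, `should_alert`) are my own assumptions, not Graylog or Cisco identifiers.

```python
import re
from collections import Counter

# Regex from the pipeline rule in the first reply, as a Python raw string. The
# dots in the src IP group are escaped: an unescaped "." matches any character,
# so the original would also accept "198x51x100x7" as an address.
MERAKI_IDS_RE = re.compile(
    r"^<\d+>.+?(\d+)\.(\d+) (\S+) (\S+) signature=(\d+:\d+:\d+) priority=(\d) "
    r"timestamp=(.+) direction=(\w+) protocol=(.+) src=(\d+\.\d+\.\d+\.\d+):(\d+)$"
)

# Field names the rule assigns with set_field(), in capture-group order
# (result["0"] .. result["10"] in the Graylog rule).
MERAKI_IDS_FIELDS = [
    "flow_start_time", "flow_stop_time", "device", "event_type", "signature",
    "priority", "device_timestamp", "direction", "protocol", "src_ip", "src_port",
]

# Constructed IOC list standing in for an external threat feed (step 3).
IOC_IPS = {"192.0.2.10"}

# Constructed sample messages: two Meraki IDS alerts, one Meraki flow record and
# one ASA connection record. Addresses are from documentation ranges.
SAMPLE_MESSAGES = [
    "<134>1 1377216000.000000000 MX84 ids-alerts signature=129:4:1 priority=3 "
    "timestamp=1377216000.000000000 direction=ingress protocol=tcp/ip src=198.51.100.7:80",
    "<134>1 1377216010.500000000 MX84 ids-alerts signature=1:2000345:9 priority=1 "
    "timestamp=1377216010.500000000 direction=egress protocol=tcp/ip src=192.0.2.10:53412",
    "<134>1 1377216020.000000000 MX84 flows src=10.0.0.5 dst=198.51.100.7 "
    "protocol=tcp sport=51234 dport=443 pattern: allow all",
    "<166>%ASA-6-302013: Built inbound TCP connection 12345 for "
    "outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)",
]


def parse_meraki_ids(message):
    """Mirror the rule: fire only when the message contains 'ids-alerts', then
    return the extracted fields, or None when the regex does not match."""
    if "ids-alerts" not in message:
        return None
    m = MERAKI_IDS_RE.match(message)
    if m is None:
        return None
    return dict(zip(MERAKI_IDS_FIELDS, m.groups()))


def enrich(event):
    """Step 3: tag the source address against the (constructed) IOC list."""
    event = dict(event)
    event["src_ip_is_ioc"] = event["src_ip"] in IOC_IPS
    return event


def route(message):
    """Step 4: choose a stream per source type from the message shape alone.
    Stream names are assumptions for this example."""
    if re.search(r"%ASA-\d-\d+:", message):
        return "cisco-asa"
    if re.match(r"^<\d+>1 \d+\.\d+ \S+ \S+ ", message):
        return "cisco-meraki"
    return "unrouted"


def process(messages):
    """Run the chain over all messages: per-stream counts plus parsed, enriched events."""
    streams = Counter()
    events = []
    for msg in messages:
        streams[route(msg)] += 1
        parsed = parse_meraki_ids(msg)
        if parsed is not None:
            events.append(enrich(parsed))
    return {"streams": dict(streams), "events": events}


def should_alert(events, threshold=1):
    """Step 6: alert once the number of priority-1 IDS hits reaches the threshold
    (priority 1 is the most severe in Snort's scheme, which Meraki IDS uses)."""
    hits = sum(1 for e in events if e["priority"] == "1")
    return hits >= threshold


if __name__ == "__main__":
    result = process(SAMPLE_MESSAGES)
    print("streams:", result["streams"])
    for event in result["events"]:
        print("event:", event)
    print("alert:", should_alert(result["events"], threshold=1))
```

The `process()` output is what you would expect to see as fields on the messages in Graylog once the rule is attached to the Meraki stream: the flow record and the ASA line are routed but produce no IDS fields, and the second alert is flagged because its source address is on the IOC list.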

