How to collect Cisco switch logs on Graylog?


(Jay) #1

My Cisco Catalyst 3850 is configured "Hosting 192.168.1.10"
Graylog2 is configured: System/Input > Select input > Syslog UDP > Node "select local node" > Title = hostname > bind address = Cisco switch IP > Port: 514 > Received buffer size default: 262144 > Checked: Allow overriding data?

Start input is initiated, but it keeps failing and I have no idea why. I’ve looked all over the net and cannot get a clear simple answer. The entire goal is just to have the server receive syslogs for audit compliance.


(Karl) #2

What I did for my 3850 switches is, on the switch, I added "logging host 192.168.13.56 transport udp port 11001" to the switch config, and in Graylog I added a Raw/Plaintext UDP input with the following attributes:

  • bind_address : 0.0.0.0
  • override_source:
  • port: 11001
  • recv_buffer_size: 262144

(Karl) #3

and here is the Extractors JSON export that I am using:

{
  "extractors": [
    {
      "title": "Facility",
      "extractor_type": "regex",
      "converters": [
        {
          "type": "syslog_pri_facility",
          "config": {}
        }
      ],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "facility",
      "extractor_config": {
        "regex_value": "^<(\\d{1,3})>"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "Level",
      "extractor_type": "regex",
      "converters": [
        {
          "type": "syslog_pri_level",
          "config": {}
        }
      ],
      "order": 1,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "level",
      "extractor_config": {
        "regex_value": "^<(\\d{1,3})>"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "Source",
      "extractor_type": "regex",
      "converters": [],
      "order": 2,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "source",
      "extractor_config": {
        "regex_value": ">: (.+?):"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "Timestamp",
      "extractor_type": "regex",
      "converters": [
        {
          "type": "flexdate",
          "config": {}
        }
      ],
      "order": 3,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "timestamp",
      "extractor_config": {
        "regex_value": ">:\\s.+:\\s(.+?):\\s%"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "Local facility",
      "extractor_type": "regex",
      "converters": [
        {
          "type": "lowercase",
          "config": {}
        }
      ],
      "order": 4,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "local_facility",
      "extractor_config": {
        "regex_value": "%(.+?)-"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "Local level",
      "extractor_type": "regex",
      "converters": [
        {
          "type": "numeric",
          "config": {}
        }
      ],
      "order": 5,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "local_level",
      "extractor_config": {
        "regex_value": "%[^-]+-(\\d)-"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "Message",
      "extractor_type": "regex",
      "converters": [],
      "order": 7,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "message",
      "extractor_config": {
        "regex_value": "%[^-]+-\\d-[^:]+: (.*)$"
      },
      "condition_type": "none",
      "condition_value": ""
    },
    {
      "title": "Mnemonic",
      "extractor_type": "regex",
      "converters": [
        {
          "type": "lowercase",
          "config": {}
        }
      ],
      "order": 6,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "mnemonic",
      "extractor_config": {
        "regex_value": "%[^-]+-\\d-(.+?):"
      },
      "condition_type": "none",
      "condition_value": ""
    }
  ],
  "version": "2.3.0"
}
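As an added example (not part of Karl's post and not Graylog's own code), here is the same field split done in Python, so the extractor logic can be checked against sample lines before it is loaded into an input. The sample datagrams are constructed, not captured; their shape, `<PRI>[seq]: [hostname: ]timestamp: %FACILITY-SEVERITY-MNEMONIC: text`, is what the regexes above assume, with the hostname present only when the switch is configured with `logging origin-id hostname` and the timestamp shape coming from `service timestamps log datetime msec show-timezone year`. The patterns here are anchored and bounded rather than greedy, so a message body that itself contains `: ` (the SEC_LOGIN line below) is kept whole, and the PRI is decoded into facility and severity the same way the `syslog_pri_facility` / `syslog_pri_level` converters do (facility = PRI / 8, severity = PRI mod 8).

```python
import re
from datetime import datetime

# Syslog PRI decoding (RFC 3164): PRI = facility * 8 + severity. Cisco IOS sends
# local7 (23) by default, so a severity-5 (notice) message arrives as <189>.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Anchored version of the extractor regexes: bounded PRI, optional sequence number
# (only with "service sequence-numbers"), optional hostname (only with
# "logging origin-id hostname"), timestamp read lazily up to the first ": %", then
# the %FAC-SEV-MNEMONIC header. The message keeps any ": " it contains.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<seq>\d+)?: "
    r"(?:(?P<source>[^:\s]+): )?"
    r"(?P<timestamp>[^%]+?): "
    r"%(?P<local_facility>[A-Z][A-Z0-9_]*)-(?P<local_level>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<message>.*)$"
)

# Timestamp shapes produced by the common "service timestamps log ..." variants.
# strptime's %Z only accepts UTC/GMT and the local zone name; others fall through.
TS_FORMATS = ["%b %d %Y %H:%M:%S.%f %Z", "%b %d %Y %H:%M:%S.%f",
              "%b %d %H:%M:%S.%f %Z", "%b %d %H:%M:%S.%f", "%b %d %H:%M:%S"]


def parse_timestamp(raw):
    """Return a datetime for an IOS timestamp, or None if the shape is unknown.
    A leading '*' or '.' means the switch clock is not authoritative (no NTP sync)."""
    text = raw.lstrip("*.").strip()
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    return None


def parse_cisco_syslog(line):
    """Split one IOS syslog datagram into the fields the extractors above produce."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # facility 0..23 and severity 0..7 bound PRI at 191
        return None
    local_level = int(m["local_level"])
    return {
        "facility": FACILITIES[pri >> 3],
        "level": SEVERITIES[pri & 7],
        "seq": m["seq"],
        "source": m["source"],
        "timestamp_raw": m["timestamp"],
        "timestamp": parse_timestamp(m["timestamp"]),
        "clock_synced": not m["timestamp"].startswith(("*", ".")),
        "local_facility": m["local_facility"].lower(),
        "local_level": local_level,
        "mnemonic": m["mnemonic"].lower(),
        "message": m["message"],
        # Cisco's own severity digit should agree with the PRI severity; flag it
        # when it does not (e.g. a relay rewrote the PRI on the way in).
        "severity_mismatch": local_level != (pri & 7),
    }


# Constructed sample datagrams (not captured from anyone's switches).
SAMPLES = [
    "<189>: sw-core-01: Mar  3 2018 14:02:11.214 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.50)",
    "<187>: sw-core-01: Mar  3 2018 14:02:15.001 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to down",
    "<189>: sw-access-07: Mar  3 2018 14:03:40.900 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jay] [Source: 192.168.1.50] [localport: 22] at 14:03:40 UTC Sat Mar 3 2018",
    "<189>: *Mar  1 1993 00:00:12.345 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up",
    "<189>000042: sw-core-01: Mar  3 2018 14:05:00.000 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.50)",
]


def parse_all(lines):
    return [parse_cisco_syslog(line) for line in lines]


if __name__ == "__main__":
    for rec in parse_all(SAMPLES):
        print(rec)
```

Run it against a few real datagrams captured with tcpdump from your own switch before trusting the patterns: the exact header shape depends on the `service timestamps`, `service sequence-numbers` and `logging origin-id` settings, and any of those changes the prefix the regexes must match.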

(Jay) #4

I was able to get a Windows Server using NXLog to populate in Graylog as long as the bind was 0.0.0.0 over port 12201. If I have, say, 10 other Windows servers, do I have to use a different port in order to get them all working on Graylog? E.g. 12202, 12203, etc.


(Karl) #5

As far as my experience goes, you only need to use different ports if you want to use different rules for how to parse the log file. So for example, I have one port for all of my Windows servers, one for the Cisco switches, one for the Cisco ASAs, etc. Graylog will keep track of which device/server the logs are coming from so that you can search by different sources, even though they are using the same port number in Graylog.


(Jan Doberstein) #6

@dualcore

The Graylog input can only be bound to one IP that is available on the server where it is running. Using the wildcard will bind to all IPs/interfaces.

In addition, you tried to bind to a low port (514), which is not possible (see http://docs.graylog.org/en/stable/pages/faq.html#how-can-i-start-an-input-on-a-port-below-1024 ) on Linux without being root.

One option would be what @kmb suggested, or you create a Syslog input on 1514 and redirect your Cisco switch syslog to that port.

regards
Jan


(Jay) #7

Let's say the server IP is 192.168.1.100. I have 100 devices that need to send syslogs to the Graylog server at 192.168.1.100. Every input on the server side IP bind would be 192.168.1.100, correct? Where I'm getting confused is that it seems my server needs more than one IP address to function if I have more than one device connecting to the server.

In regard to the port bind being too low because of non-root: how do I fix that without the workaround?


(Jan Doberstein) #8

Hi @dualcore

you have multiple options now:

  • have one input configured on one port and use that input for all your devices that should send syslog data to Graylog
  • have multiple inputs configured on different ports and use them on your devices.

You can have multiple (thousands) of servers sending to the same input; there is no need to have a 1-on-1 connection.

How to run a Graylog input on a low port is mentioned in the FAQ entry.
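To make the two points above concrete (Karl's in #5 and Jan's in #8: one input serves any number of senders, and a port below 1024 needs privileges), here is an added Python example that is not part of the thread or of Graylog. It binds one UDP listener, sends constructed datagrams from several "devices" (separate sockets on the loopback interface) and reports which peer each datagram came from, which is what a raw input has to go on as the message source when no extractor overrides it. `try_bind_udp(514)` shows the EACCES an unprivileged user gets on Linux, while `try_bind_udp(1514)` succeeds on a host where that port is free. `send_syslog` can also be pointed at a real Graylog host and input port as a smoke test before the switch is reconfigured. Device names, timestamps and message text are made up.

```python
import errno
import socket

# Added example, not from the thread or the Graylog project. All device names,
# timestamps and message bodies below are constructed.


def try_bind_udp(port, host="0.0.0.0"):
    """Return None if a UDP socket can be bound to host:port, else the errno name.
    On Linux a port below 1024 needs root or CAP_NET_BIND_SERVICE; otherwise EACCES."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((host, port))
        except OSError as e:
            return errno.errorcode.get(e.errno, str(e.errno))
    return None


def start_listener(port=0, host="127.0.0.1"):
    """Bind a single UDP listener. Port 0 lets the OS pick a free high port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, port))
    s.settimeout(2.0)  # do not hang forever if a datagram never arrives
    return s, s.getsockname()[1]


def send_syslog(host, port, pri, rest):
    """Send one datagram '<PRI>rest' from a fresh socket (one simulated device).
    Returns the ephemeral source port the OS assigned to that socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(f"<{pri}>{rest}".encode("utf-8"), (host, port))
        return s.getsockname()[1]


def receive(sock, count):
    """Collect `count` datagrams as (peer_ip, peer_port, payload) tuples."""
    out = []
    while len(out) < count:
        data, (ip, port) = sock.recvfrom(65535)
        out.append((ip, port, data.decode("utf-8", errors="replace")))
    return out


def demo(n_devices=3):
    """One listener, n_devices senders, all on loopback; returns what the listener saw."""
    sock, port = start_listener()
    try:
        sent_from = []
        for i in range(n_devices):
            # Cisco-style line after the PRI, in the shape a 3850 with
            # "logging origin-id hostname" would send (constructed).
            rest = (f": sw-{i:02d}: Mar  3 2018 14:00:{i:02d}.000 UTC: "
                    f"%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.50)")
            sent_from.append(send_syslog("127.0.0.1", port, 189, rest))
        seen = receive(sock, n_devices)
    finally:
        sock.close()
    return port, sent_from, seen


if __name__ == "__main__":
    print("bind 514 :", try_bind_udp(514))   # EACCES unless root or CAP_NET_BIND_SERVICE
    print("bind 1514:", try_bind_udp(1514))  # None when the port is free
    port, sent_from, seen = demo()
    for ip, sport, payload in seen:
        print(f"{ip}:{sport} -> {payload[:60]}")
```

When the switches cannot be moved off port 514, the usual Linux workaround is to keep the input on 1514 and redirect on the Graylog host with a NAT rule such as `iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-ports 1514` (or the nftables equivalent), rather than running the service as root.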


(Jay) #9

Thanks Jan,

I've got a follow-up question. I was reading this https://groups.google.com/forum/#!topic/graylog2/V-D6Pbivi3c and the OP says "I note the OVA graylog install is running graylog-server and graylog-web as root and using runsv." My manual install of Graylog on CentOS 7 is not running as root. Is this why I can't load log files from menu > System/Logging? No information is displayed. Clicking the server name up top loads a monkey and no logs.

And since the OVA is running as root, should a production environment run as root for the rest of Graylog's functionality to work? I feel I'm misunderstanding a few things.


(Jan Doberstein) #10

You should look at the date; Graylog has evolved massively since that posting.

Additionally, you are mixing things up. Your initial question was about an input not starting. Now you talk about messages not showing.

What is your issue? Please be verbose. Include information so that people can understand what your thoughts and problems are. Shitting two sentences without format into the air is nothing someone else can work with.


(Jay) #11

My original issue was GELF inputs not starting for Windows traffic. I didn't understand and was confused by the configuration process. You explained it clearly in your other post. Resolved.

I'm redirecting my ports to something higher than 1024, so root isn't running Graylog. Resolved.

My next question is about the Graylog menu System/Logging. The metrics don't display any data, but it says it has written 11046 internal logs, see https://imgur.com/a/iKVnF. If I click the hostname to check the internal log messages, see https://imgur.com/a/XG59V, I get this picture and a JVM 500 error. Is this normal? If not, what might be missing or need to be done to correct it?


(system) #12

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.