Cisco IOS
The JSA DSM for Cisco IOS accepts Cisco IOS events by using syslog. JSA records all relevant events.
The following Cisco switches and routers are automatically discovered as Cisco IOS series devices, and their events are parsed by the DSM for Cisco IOS:
- Cisco 12000 Series Routers
- Cisco 6500 Series Switches
- Cisco 7600 Series Routers
- Cisco Carrier Routing System
- Cisco Integrated Services Router
Make sure that all access control lists (ACLs) are set to LOG.
Configuring Cisco IOS to Forward Events
You can configure a Cisco IOS-based device to forward events.
Take the following steps to configure your Cisco device:
- Log in to your Cisco IOS server, switch, or router.
- Type the following command to enter privileged EXEC mode on the router:
    enable
- Type the following command to switch to configuration mode:
    conf t
- Type the following commands:
    logging <IP address>
    logging source-interface <interface>
  Where:
  - <IP address> is the IP address of the JSA host and the SIM components.
  - <interface> is the name of the interface, for example, dmz, lan, ethernet0, or ethernet1.
- Type the following commands to configure the priority level:
    logging trap warning
    logging console warning
  Where warning is the priority setting for the logs.
- Configure the syslog facility:
    logging facility syslog
- Save and exit the configuration.
- Copy the running-config to startup-config by typing the following command:
    copy running-config startup-config
You are now ready to configure the log source in JSA.
The device configuration is complete. The log source is added to JSA automatically as Cisco IOS events are discovered. Events that are forwarded to JSA by Cisco IOS-based devices are displayed on the Log Activity tab of JSA.
Syslog Log Source Parameters for Cisco IOS
If JSA does not automatically detect the log source, add a Cisco IOS log source on the JSA Console by using the syslog protocol.
When using the syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect syslog events from Cisco IOS:
Parameter | Value
---|---
Log Source type | Select one of the following devices:
Protocol Configuration | Syslog
Log Source Identifier | Type the IP address or host name for the log source. The identifier helps you determine which events came from your Cisco IOS device.
Cisco IOS Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Cisco IOS Sample Message when you use the Syslog Protocol
Sample 1: This sample event shows that a TCP session is dropped.
<190>2116989: cisco.ios.test: Aug 1 13:42:04.497: %IOSXE-6-PLATFORM: SIP1: cpp_cp: QFP:0.0 Thread:001 TS:00006808302886264846 %FW-6-DROP_PKT: Dropping tcp pkt from Vlan100 10.1.2.230:12321 => 172.16.3.20:42150(target:class)-(ESP-DMVPN:class-default) due to Policy drop:classify result with ip ident 1203 tcp flag 0x2, seq 1227798955, ack 0
JSA field name | Highlighted values in the event payload
---|---
Event ID | %FW-6-DROP_PKT
Event Category | IOS
Source IP | 10.1.2.230
Source Port | 12321
Destination IP | 172.16.3.20
Destination Port | 42150
Protocol | 6
Sample 2: This sample event shows the opening of an inspection session. The message is issued at the start of each inspected session and records the source and destination addresses and ports.
<190>1321321: cisco.ios.test: Jul 12 15:42:06.035: %IOSXE-6-PLATFORM: SIP1: cpp_cp: QFP:0.0 Thread:001 TS:00005087480388332015 %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(DMVPNESP: CLS_ESP-Out):Start tcp session: initiator (192.168.150.120:49290) -- responder (10.40.0.27:20000) from Tunnel1
JSA field name | Highlighted values in the event payload
---|---
Event ID | SESS_AUDIT_TRAIL_START
Event Category | IOS
Source IP | 192.168.150.120:49290
Source Port | 49290
Destination IP | 10.40.0.27
Destination Port | 20000
Protocol | 6
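As an added example (not part of the JSA documentation or the DSM's own parser), the following Python pulls the fields listed in both tables above out of the two sample messages and checks whether a message's syslog severity would pass the `logging trap` level set in the configuration steps. The regular expressions, the protocol-number map and the trap-level table are assumptions made for this example; the sample strings are copies of the page's messages joined onto one line.

```python
import re

# Constructed single-line copies of the two sample events shown above.
SAMPLE_DROP = (
    "<190>2116989: cisco.ios.test: Aug 1 13:42:04.497: %IOSXE-6-PLATFORM: SIP1: cpp_cp: QFP:0.0 "
    "Thread:001 TS:00006808302886264846 %FW-6-DROP_PKT: Dropping tcp pkt from Vlan100 "
    "10.1.2.230:12321 => 172.16.3.20:42150(target:class)-(ESP-DMVPN:class-default) due to "
    "Policy drop:classify result with ip ident 1203 tcp flag 0x2, seq 1227798955, ack 0")
SAMPLE_AUDIT = (
    "<190>1321321: cisco.ios.test: Jul 12 15:42:06.035: %IOSXE-6-PLATFORM: SIP1: cpp_cp: QFP:0.0 "
    "Thread:001 TS:00005087480388332015 %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-"
    "(DMVPNESP: CLS_ESP-Out):Start tcp session: initiator (192.168.150.120:49290) -- "
    "responder (10.40.0.27:20000) from Tunnel1")

PRI_RE = re.compile(r"^<(\d{1,3})>")          # syslog PRI = facility * 8 + severity
MNEMONIC_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):")  # %FACILITY-SEV-MNEMONIC:
DROP_RE = re.compile(r"Dropping (\w+) pkt from \S+ ([\d.]+):(\d+) => ([\d.]+):(\d+)")
SESS_RE = re.compile(
    r"Start (\w+) session: initiator \(([\d.]+):(\d+)\) -- responder \(([\d.]+):(\d+)\)")
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}   # assumed IANA protocol numbers
# Cisco 'logging trap <level>' keywords (assumed table); a message is sent only if
# its severity number is <= the configured level (0 is most severe).
TRAP_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
               "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}


def parse_event(msg):
    """Return the JSA fields from the tables above, or None if the line is not recognised."""
    pri, mnems = PRI_RE.match(msg), MNEMONIC_RE.findall(msg)
    m = DROP_RE.search(msg) or SESS_RE.search(msg)
    if not (pri and mnems and m):
        return None
    facility, sev, mnemonic = mnems[-1]      # the last %...: token is the actual event
    proto, sip, sport, dip, dport = m.groups()
    return {
        "event_id": f"%{facility}-{sev}-{mnemonic}", "mnemonic": mnemonic,
        "syslog_severity": int(pri.group(1)) % 8,
        "src_ip": sip, "src_port": int(sport), "dst_ip": dip, "dst_port": int(dport),
        "protocol": PROTO_NUMBERS.get(proto.lower()),
    }


def forwarded_at(msg, trap_level):
    """True if a device configured with 'logging trap <trap_level>' would forward msg.
    Accepts the abbreviated keyword used on this page ('warning' for 'warnings')."""
    ev = parse_event(msg)
    level = next(v for k, v in TRAP_LEVELS.items() if k.startswith(trap_level))
    return ev is not None and ev["syslog_severity"] <= level
```

Both sample messages carry PRI 190, that is severity 6 (informational), so `forwarded_at(SAMPLE_DROP, "warning")` is False: a device configured exactly as in the steps above would not send them, and you would need a higher trap level to see these %FW-6 events in JSA.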