Versions Compared

Old Version 1

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Aaron Gabriel (Deactivated)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Topics Discussed

Table of Contents
maxLevel3
minLevel3

Insert excerpt
Obtain Log Relay for Remote Log Collection
Obtain Log Relay for Remote Log Collection
nameRemote Log Collection Permissions
nopaneltrue

You can use this document to send Cisco Integrated Services Router (ISR) logs to Armor's Security Information & Event Management (SIEM).

This document only applies to:

  • Cisco Integrated Services Router (ISR) (IOS)


Pre-Deployment Considerations

...

To create a remote Log Relay, you must already have:


Update Your Cisco ISR Device

...

  1. Log into your Cisco ISR device.

  2. Access the privileged EXEC mode:

    Code Block
    languagebash
    hostname> enable

  3. Access the global configuration mode:

    Code Block
    languagebash
    hostname# configure terminal

  4. Enable logging:

    Code Block
    languagebash
    hostname(config)# logging on

  5. Configure the global logging settings:

    Code Block
    languagebash
    hostname(config)# no logging console
hostname(config)# logging trap warning
hostname(config)# logging origin-id hostname

  6. Configure the logs to be sent to a designated Armor Log Relay device:

    Code Block
    languagebash
    hostname(config)# logging source-interface <interface>
hostname(config)# logging host <ipaddress> transport <protocol> port <port>
    Note
    • In <interface>, enter the name of the Cisco ISR interface, such as GigabitEthernet 1.
    • In <ipaddress>, enter the IP address of the designated Armor Log Relay device.
      • To locate your IP address in AMP, in the left-side navigation, click Infrastructure, click Virtual Machines, and then review the Primary IP column for the corresponding virtual machine.
    • For <protocol> and <port>,
      • For UDP, enter transport udp port 10117.
        • Armor recommends that you use UDP.
      • For TCP, enter transport tcp port 10117.

  7. Exit the configuration:

    Code Block
    languagebash
    hostname(config)# exit

  8. Save the changes:

    Code Block
    languagebash
    hostname# write memory

  9. Review the logging configuration:

    Code Block
    languagebash
    hostname# show run all logging
logging enable
logging timestamp
logging hide username
logging buffer-size 4096
logging asdm-buffer-size 100
logging buffered warnings
logging trap warnings
logging asdm warnings
logging device-id hostname
logging host inside 100.64.0.10 17/5140
logging flash-minimum-free 3076
logging flash-maximum-allocation 1024
    Note

    If present, logging standby enables logging on a standby unit with failover enabled. As a result, this option causes increases traffic on the syslog server.

Info

Troubleshooting

Verify that logs are formatted correctly, similar to the following example:

Code Block
languagetext
themeMidnight
May 22 2019 16:11:55 asav-984 : %ASA-4-411004: Interface Management0/0, changed state to administratively down