{"type":"doc","content":[{"type":"paragraph"},{"type":"heading","attrs":{"level":4},"content":[{"text":"Topics Discussed","type":"text"}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{"maxLevel":{"value":"3"},"minLevel":{"value":"3"}},"macroMetadata":{"macroId":{"value":"b42131d6-1696-45c3-9546-dbe40093960a"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"ba56dce0-e79b-4d64-b8ec-64c51459a58c"}},{"type":"paragraph"},{"type":"paragraph","content":[{"type":"inlineExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"excerpt-include","parameters":{"macroParams":{"":{"value":"Obtain Log Relay for Remote Log Collection"},"name":{"value":"Remote Log Collection Permissions"},"nopanel":{"value":"true"}},"macroMetadata":{"macroId":{"value":"5a273eae-48b9-4a67-8cbf-9c67f9938533"},"schemaVersion":{"value":"1"},"title":"Insert excerpt"}},"localId":"546ab9f4-3934-429a-825e-c8e3e5023ad8"}}]},{"type":"paragraph","content":[{"text":"You can use this document to send ","type":"text"},{"text":"Cisco Integrated Services Router (ISR) logs to Armor's Security Information & Event Management (SIEM). ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#333333"}}]}]},{"type":"paragraph","content":[{"text":"This document only applies to:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Cisco Integrated Services Router (ISR) (IOS)","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"type":"hardBreak"},{"text":"Pre-Deployment Considerations","type":"text"}]},{"type":"rule"},{"type":"paragraph","content":[{"text":"To create a remote Log Relay, you must already have:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"A Log Relay server on your account","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"To learn how to add Log Relay to your account, see ","type":"text"},{"text":"Obtain Log Relay for Remote Log Collection","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/KB/pages/3519581253"}}]}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Configured the system clock","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"type":"hardBreak"},{"text":"Update Your Cisco ","type":"text"},{"text":"ISR D","type":"text","marks":[{"type":"textColor","attrs":{"color":"#333333"}}]},{"text":"evice","type":"text"}]},{"type":"rule"},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Log into your Cisco ISR device.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Access the privileged EXEC mode:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"hostname> enable","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Access the global configuration mode:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"hostname# configure terminal","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Enable logging:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"hostname(config)# logging on","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Configure the global logging settings:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"hostname(config)# no logging console\nhostname(config)# logging trap warning\nhostname(config)# logging origin-id hostname","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Configure the logs to be sent to a designated Armor Log Relay device:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"hostname(config)# logging source-interface \nhostname(config)# logging host transport port ","type":"text"}]},{"type":"paragraph","content":[{"type":"inlineExtension","attrs":{"extensionType":"com.atlassian.confluence.migration","extensionKey":"__confluenceADFMigrationUnsupportedContentInternalExtension__","text":"","parameters":{"cxhtml":"

In <interface>, enter the name of the Cisco ISR interface, such as GigabitEthernet 1.
In <ipaddress>, enter the IP address of the designated Armor Log Relay device.
- To locate your IP address in AMP, in the left-side navigation, click Infrastructure, click Virtual Machines, and then review the Primary IP column for the corresponding virtual machine.
For <protocol> and <port>,
- For UDP, enter transport udp port 10117.
  - Armor recommends that you use UDP.
- For TCP, enter transport tcp port 10117.

","block-inline":true,"nestedContent":{"type":"doc","content":[{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In ","type":"text"},{"text":"","type":"text","marks":[{"type":"strong"}]},{"text":", enter the name of the Cisco ISR interface, such as GigabitEthernet 1.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In ","type":"text"},{"text":"","type":"text","marks":[{"type":"strong"}]},{"text":", enter the IP address of the designated ","type":"text"},{"text":"Armor Log Relay device","type":"text"},{"text":".","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"To locate your IP address in AMP, in the left-side navigation, click ","type":"text"},{"text":"Infrastructure","type":"text","marks":[{"type":"strong"}]},{"text":", click ","type":"text"},{"text":"Virtual Machines","type":"text","marks":[{"type":"strong"}]},{"text":", and then review the","type":"text"},{"text":" Primary IP ","type":"text","marks":[{"type":"strong"}]},{"text":"column for the corresponding virtual machine.","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"For <","type":"text"},{"text":"protocol","type":"text","marks":[{"type":"strong"}]},{"text":"> and <","type":"text"},{"text":"port","type":"text","marks":[{"type":"strong"}]},{"text":">,","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"For UDP, enter ","type":"text"},{"text":"transport udp port ","type":"text","marks":[{"type":"strong"}]},{"text":"10117","type":"text","marks":[{"type":"strong"}]},{"text":".","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Armor recommends that you use UDP.","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"For TCP, enter ","type":"text"},{"text":"transport tcp port ","type":"text","marks":[{"type":"strong"}]},{"text":"10117","type":"text","marks":[{"type":"strong"}]},{"text":".","type":"text"}]}]}]}]}]}]}],"version":1},"reason":"A note macro in a list item can't be created or edited in the new editor."}}}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Exit the configuration:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"hostname(config)# exit","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Save the changes:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"hostname# write memory","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Review the logging configuration:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"hostname# show run all logging\nlogging enable\nlogging timestamp\nlogging hide username\nlogging buffer-size 4096\nlogging asdm-buffer-size 100\nlogging buffered warnings\nlogging trap warnings\nlogging asdm warnings\nlogging device-id hostname\nlogging host inside 100.64.0.10 17/5140\nlogging flash-minimum-free 3076\nlogging flash-maximum-allocation 1024","type":"text"}]},{"type":"paragraph","content":[{"type":"inlineExtension","attrs":{"extensionType":"com.atlassian.confluence.migration","extensionKey":"__confluenceADFMigrationUnsupportedContentInternalExtension__","text":"","parameters":{"cxhtml":"

If present, logging standby enables logging on a standby unit with failover enabled. As a result, this option causes increases traffic on the syslog server.

","block-inline":true,"nestedContent":{"type":"doc","content":[{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"If present, ","type":"text"},{"text":"logging standby","type":"text","marks":[{"type":"strong"}]},{"text":" enables logging on a standby unit with failover enabled. As a result, this option causes increases traffic on the syslog server.","type":"text"}]}]}],"version":1},"reason":"A note macro in a list item can't be created or edited in the new editor."}}}]}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"heading","attrs":{"level":4},"content":[{"text":"Troubleshooting","type":"text"}]},{"type":"paragraph","content":[{"text":"Verify that logs are formatted correctly, similar to the following example:","type":"text"}]},{"type":"paragraph","content":[{"type":"inlineExtension","attrs":{"extensionType":"com.atlassian.confluence.migration","extensionKey":"__confluenceADFMigrationUnsupportedContentInternalExtension__","text":"","parameters":{"cxhtml":"textMidnight

","block-inline":true,"nestedContent":{"type":"doc","content":[{"type":"codeBlock","attrs":{"language":"plaintext"},"content":[{"text":"May 22 2019 16:11:55 asav-984 : %ASA-4-411004: Interface Management0/0, changed state to administratively down","type":"text"}]}],"version":1}}}}]},{"type":"paragraph","content":[{"type":"hardBreak"}]}]}],"version":1}

Browser not supported