Configure the Cisco Switch first, then the Logsign Unified SecOps Platform, so that the logs generated on the Cisco Switch are forwarded to the Logsign Unified SecOps Platform, where you can analyze them in more detail.
First, connect to your Cisco Switch over Telnet or SSH (for example, with PuTTY). When the login prompt appears, enter the username and password to access the device. Next, configure where the Cisco Switch sends the logs it generates so that Logsign can receive them. The commands are entered in the following order:
Enable: Use this command to exit the user mode and enter the authorized mode.
Configure terminal: Go to configuration mode.
Logging on: Enable logging.
Set logging timestamp enable: Insert a timestamp into each log message the Cisco Switch sends.
Logging host LOGSIGN_IP_Address: This is where you direct the logs. Set the IP address of your Logsign Unified SecOps Platform as the Syslog server (for example, logging host 10.0.0.75).
Logging trap 6: Define the type and level of the logs that the Logsign Unified SecOps Platform will receive. In this section, there are seven (7) different options:
Emergency: 0
Alert: 1
Critical: 2
Error: 3
Warning: 4
Notice: 5
Informational: 6
Debug: 7
In this section, continue by selecting Informational (for example, logging trap 6).
Please note that with Informational as the trap level, you will receive Informational and all higher-severity log types. Debug is not preferred because it creates excessive density in Syslog traffic. If desired, you can still select the Debug option, but then the Logsign Unified SecOps Platform will also receive logs that are generally considered unnecessary.
Logging facility local6: Use this command to set the facility value of the Syslog messages generated on the Cisco Switch. Select the same local6 option in the trap section.
Logging server enable: Activates log forwarding from the Cisco Switch to the Logsign Unified SecOps Platform.
End: Exit the configuration mode.
Show logging or show running-config: Use the show logging command to display a summary of the configuration you have performed and confirm that it is correct.
Copy running-config startup-config: Once you have completed the settings, this saves the changes to the startup configuration file as a precaution, so they persist.
After performing the configuration on the Cisco Switch, add the Cisco Switch as a source in the Logsign Unified SecOps Platform.
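As an added check (example code, not from the original page or from Logsign), the following Python parser reads Cisco IOS syslog lines of the kind the switch emits after the steps above, decodes the <PRI> header into facility and severity, and keeps only the messages that the "logging trap 6" and "logging facility local6" settings would forward. The sample lines, sequence numbers and addresses are constructed; the facility number 22 for local6 is the standard syslog numbering.

```python
import re

# Syslog facility number for "local6" (standard RFC 3164/5424 numbering) and the
# trap level the page selects ("logging trap 6" = Informational).
FACILITY_LOCAL6 = 22
TRAP_INFORMATIONAL = 6
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]

# Constructed sample lines in Cisco IOS syslog form:
#   <PRI>sequence: *timestamp: %FACILITY-SEVERITY-MNEMONIC: text
# PRI = facility * 8 + severity, so local6 (22) gives 176 + severity.
SAMPLE_LINES = [
    "<181>45: *Mar  1 00:01:02.345: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<179>46: *Mar  1 00:01:03.001: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down",
    "<183>47: *Mar  1 00:01:03.002: %SYS-7-USERLOG_DEBUG: constructed debug-level message",
]

_PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<body>.*)$")
_IOS_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)$")

def parse_cisco_syslog(line):
    """Split one line into syslog facility/severity and the IOS message fields."""
    head = _PRI_RE.match(line)
    if not head:
        raise ValueError("missing <PRI> header: " + line)
    pri = int(head.group("pri"))
    facility, severity = divmod(pri, 8)   # PRI encodes facility*8 + severity
    msg = _IOS_RE.search(head.group("body"))
    if not msg:
        raise ValueError("not a %FACILITY-SEVERITY-MNEMONIC message: " + line)
    return {
        "pri": pri,
        "facility": facility,
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "ios_facility": msg.group("fac"),
        "mnemonic": msg.group("mnem"),
        "text": msg.group("text"),
        # The severity digit inside %FAC-SEV-MNEMONIC should agree with the PRI.
        "level_matches": int(msg.group("sev")) == severity,
    }

def forwarded_at_trap(parsed, trap_level=TRAP_INFORMATIONAL):
    """True if the switch would send this message at the given logging trap level."""
    return parsed["severity"] <= trap_level

def select_for_logsign(lines, trap_level=TRAP_INFORMATIONAL, facility=FACILITY_LOCAL6):
    """Return parsed messages that carry the expected facility and clear the trap level."""
    kept = []
    for line in lines:
        parsed = parse_cisco_syslog(line)
        if parsed["facility"] == facility and forwarded_at_trap(parsed, trap_level):
            kept.append(parsed)
    return kept
```

Running select_for_logsign over SAMPLE_LINES keeps the Notice and Error messages and drops the Debug one, which is exactly the effect of choosing trap level 6 over 7 described above.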
Open the Logsign Unified SecOps Platform web interface, click the Settings tab in the menu bar at the top of the page, and then click the "+ Device" button under the Data Collection tab. On the page that opens, click Syslog -> Cisco -> Switch. Then, on the page that follows, fill in the information for the Cisco Switch.
Host: IP address of the Cisco Switch from which you want to retrieve the logs.
Encoding: utf_8, which is accepted as the general standard in Information Technology, is set by default. Leave it as it is.
Offset: In short, this is the "time difference." If the time of the system you are collecting logs from is ahead of or behind the real time, you can correct it here. The "+" symbol moves the time forward and "-" moves it backward. The value is specified in minutes.
Data Policy: Filter incoming data in or out. In the Data Policy section, you can specify the kinds of logs (by word, event type, etc.) that you want to receive or exclude from the source. The default setting here is the Default Policy, whose default rule is "collect all logs."
Max Line Length to Process: Each log is generated as a single line, which the Logsign Unified SecOps Platform reads and analyzes. In some cases, a single log line can contain more than two thousand forty-eight (2048) characters. In such cases, you can change this value.
Check Health: Tick this box to be informed about the service status and operability of Logsign.
The Health Check Period field appears when you tick the box. This is the interval at which the check is performed.
Device Name: Enter a descriptive name that matches the configuration you are making (for example, CiscoSwitch). This helps the people who analyze the logs. You can think of the Description field as a source-specific area.
Tag: Slightly different from the Description field, it can be used for a broader purpose. For example, you can query by tag and make tag-based definitions when creating a report. Define each tag as ciscoswitch1 or ciscoswitch2, for example. If you want to query an event, you will get a shorter result when you search by the ciscoswitch1 name.
Click on the Save button to save the integration.