Many Cisco branded network devices manage logs and alert information using the Syslog protocol. Unlike PCs and servers, they require more storage space to allocate the logs. For this reason, Cisco network devices offer two (2) options:
Internal buffer (Can be described as cache): Device's operating system distinguishes a part of the memory as a temporary memory to write events frequently into the logs. The size of this separation is limited to a few kB. This option is set by default. However, Syslog messages (logs) are lost when the device is rebooted.
Syslog: A UNIX-like protocol sends logs to an external device/application. The storage source is not dependent on the device that sends the logs, but it depends on the disk capacity of the Syslog Server to which the logs are sent. This option is not enabled by default.
Please note that: Before setting the Cisco network devices to send Syslog messages, ensure that the time, date, and regional options are configured correctly. Syslog messages will be useless for analyzing on a system where the time and date are incorrect. Strongly recommended that you configure your network devices using NTP on your system. When using NTP, you must be careful that all devices are configured with the correct and synchronized clock. Complete and accurate time and date settings will be helpful and valuable in correlating logs. To forward the logs of your Cisco Router to the Logsign SIEM using the Syslog method, you need to connect your Telnet or SSH (PuTTY) to your Cisco Router. Once you have provided the connection and entered your username and password, you'll be ready to make the configuration. Let's perform the below processes together.
Configure terminal: Used to switch to configuration mode.
Logging host LOGSIGN_IP_Address: This section is where you'll direct the logs, the part where you'll set the IP address of the Logsign SIEM product as Syslog Server (For ex. logging host 10.0.0.34).
Logging trap 6: You can define the type and level information of the log which the Logsign SIEM product will take. In this section, there are seven (7) different options:
In this section, you'll continue by selecting Informational (For ex., logging trap 6).
Logging facility local6: Using this command, set the facility value of the Syslog messages generated in our Cisco Router. Select the same local6 option in the trap section.
End: Used to exit the configuration mode.
Show logging or show running-config: Use the show logging command to confirm a summary of the configurations you've performed and confirm their correctness.
Add the Cisco Router as a source for your Logsign SIEM product after the settings that you made on the Cisco Router.
Open the Logsign SIEM WEB interface and click on the "+ Device" button under the Data Collection tab, which is then clicked on the Settings tab in the menu bar on the top of the page. Then add a network-based device and click Syslog -> Cisco -> Router buttons. On the page that opens, we will fill in the information for your Cisco Router:
Host: IP address information of the Cisco Router device that you want to retrieve the logs.
Encoding: utf_8, which is accepted as the general standard in Information Technologies, is set as default. Agree in the same way.
Offset: To explain it in terms of definition, let's say "time difference." If the "system" time you want to log in is forward or backward from the real-time difference, you can edit it accordingly. The symbol "+" moves forward, and "-" moves backward. Time information is specified in minutes.
Data Policy: As a definition, you can filter in or out of incoming data. In the Data Policy section, you can specify the kind of logs (word, event movement type, etc.) that you want to receive or not from the source. Our default setting here is the Default Policy, which has the default rule is "collect all logs."
Max Line Length to Process: Each log is generated as a single line. So, the Logsign SIEM product takes these logs and analyzes them. In some cases, the number of characters in a single line of a single log file can be more significant than two thousand forty-eight (2048). In such cases, you can change this part.
Check Health: If you tşck this box, that would inform you about the service and operability of the Logsign SIEM product. The Health Check Period tab will come up when the box is ticked. This part is the time interval information to be checked.
Device Name: You must descriptive name according to your configuration(For ex., CiscoRouter). It can provide convenience for people who analyze logs. Think of the Description field as a resource-specific area.
Tag: Slightly different from the Description section, it can be used for a broader purpose. For example, you can query by tag; and make tag-based definitions while creating a report if you use multiple Routers and define each tag as ciscorouter1 or ciscorouter2. If you want to query about an event, you will get a shorter result when searching according to ciscorouter1 name.
Finally, click the Save button to save the configurations.