Cisco Switch - Syslog

New to Rapid7 IDR. Looks like you can create quite a few built-in event sources. But there are no pre-built sources for Cisco switches. When I go to Add an Event Source, there is no listing for Cisco Switch or Cisco IOS. Basically just want to send syslog from my access switches to the IDR console. Doesn’t seem to be an easy way to do that. Ideally, would also like to be able to create alerts off of the Cisco switch syslog data as well. Any pointers here?

Hey @steve_lengua! When adding an event source in InsightIDR, you can choose the Custom Logs event source type:

And then select the Listen for Syslog collection method and enter the port number syslog messages are being sent over:

NOTE: InsightIDR Collectors only support one event source per port number. As such, each Listen for Syslog source must listen on a unique port number.

Once you’ve saved the event source and syslog messages have arrived at your Collector, you should see log messages arrive in log search under the Raw Log log set. You can then use the custom parsing tool to parse this data into JSON keys and values, or skip straight to setting up custom alerts based on syslog events.

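The answer above stops at "parse the raw log into JSON keys and values, or set up custom alerts". The following is an added example (not from the thread, and not Rapid7 or Cisco code) of what that parsing step needs to do for Cisco IOS syslog: it splits the `%FACILITY-SEVERITY-MNEMONIC` header out of constructed sample lines, decodes the syslog `<PRI>` value, pulls bracketed `[key: value]` fields and interface names into a dictionary, and applies a simple alert rule (severity 3 or worse, or a watched mnemonic). The sample messages, the port number and the watched-mnemonic list are assumptions chosen for illustration; the switch-side `logging host` command shown in the comment is standard IOS syntax, with the collector address and port left as placeholders.

```python
import json
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Switch side (assumed, illustrative): point the access switch at the Collector's
# "Listen for Syslog" port.  The port must be the one configured on the event source.
#   logging host <collector-ip> transport udp port <listen-port>
#   logging trap informational

# Constructed sample lines, in the shape Cisco IOS emits by default:
# <PRI>seq: *timestamp: %FACILITY-SEVERITY-MNEMONIC: message text
SAMPLE_LINES = [
    "<189>45: *Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)",
    "<187>46: *Mar  1 00:13:01.120: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to down",
    "<189>47: *Mar  1 00:13:02.004: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/12, changed state to down",
    "<188>48: *Mar  1 00:14:10.880: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed] at 00:14:10 UTC Mon Mar 1 1993",
    "this line is not cisco syslog at all",
]

SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notice", 6: "informational", 7: "debug"}

# Header: optional <PRI>, optional "seq: ", optional "timestamp: ", then the Cisco mnemonic.
CISCO_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<seq>\d+): )?"
    r"(?:(?P<ts>[*.]?[A-Z][a-z]{2}\s+\d+(?: \d{4})?\s[\d:.]+(?: [A-Z]{3,4})?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
BRACKET_RE = re.compile(r"\[([^\]:]+):\s*([^\]]*)\]")   # [key: value] pairs in the text
IFACE_RE = re.compile(r"\bInterface (\S+?),")           # "Interface GigabitEthernet1/0/12,"

# Assumed watchlist: mnemonics worth alerting on regardless of severity.
WATCHED_MNEMONICS = {"CONFIG_I", "LOGIN_FAILED"}


@dataclass
class CiscoSyslogEvent:
    syslog_facility: Optional[int]   # from <PRI>: PRI >> 3 (IOS default local7 = 23)
    syslog_severity: Optional[int]   # from <PRI>: PRI & 7
    sequence: Optional[int]
    timestamp: Optional[str]
    facility: str                    # Cisco facility, e.g. SYS, LINK, SEC_LOGIN
    severity: int                    # digit inside the %FAC-SEV-MNEMONIC header
    severity_name: str
    mnemonic: str
    text: str
    fields: dict


def parse_cisco_syslog(line: str) -> Optional[CiscoSyslogEvent]:
    """Return a structured event, or None when the line is not Cisco IOS syslog."""
    m = CISCO_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri")) if m.group("pri") else None
    sev = int(m.group("severity"))
    text = m.group("text")
    fields = {k.strip().lower().replace(" ", "_"): v.strip() for k, v in BRACKET_RE.findall(text)}
    iface = IFACE_RE.search(text)
    if iface:
        fields["interface"] = iface.group(1)
    return CiscoSyslogEvent(
        syslog_facility=pri >> 3 if pri is not None else None,
        syslog_severity=pri & 7 if pri is not None else None,
        sequence=int(m.group("seq")) if m.group("seq") else None,
        timestamp=m.group("ts"),
        facility=m.group("facility"),
        severity=sev,
        severity_name=SEVERITY_NAMES[sev],
        mnemonic=m.group("mnemonic"),
        text=text,
        fields=fields,
    )


def alert_reason(ev: CiscoSyslogEvent) -> Optional[str]:
    """Simple alert rule: error-or-worse severity, or a watched mnemonic."""
    if ev.severity <= 3:
        return f"severity {ev.severity} ({ev.severity_name})"
    if ev.mnemonic in WATCHED_MNEMONICS:
        return f"watched mnemonic {ev.facility}-{ev.mnemonic}"
    return None


def process(lines):
    """Parse every line; return (events, [(event, reason), ...]) for alert candidates."""
    events = [e for e in (parse_cisco_syslog(l) for l in lines) if e is not None]
    alerts = [(e, alert_reason(e)) for e in events if alert_reason(e)]
    return events, alerts


if __name__ == "__main__":
    events, alerts = process(SAMPLE_LINES)
    for ev in events:
        print(json.dumps(asdict(ev)))
    for ev, reason in alerts:
        print(f"ALERT {ev.facility}-{ev.severity}-{ev.mnemonic}: {reason}")
```

The JSON keys this produces (`facility`, `severity`, `mnemonic`, `fields.source`, `fields.interface`) are the kind of values a custom parsing rule would extract so that an alert can key on, for example, repeated `SEC_LOGIN-4-LOGIN_FAILED` events from one source address rather than on raw text.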