Cisco Switch - Syslog

New to Rapid 7 IDR. Looks like you can create quite a few built-in event sources, but there are no pre-built sources for Cisco switches. When I go to Add an Event Source, there is no listing for Cisco Switch or Cisco IOS. Basically I just want to send syslog from my access switches to the IDR console. Doesn’t seem to be an easy way to do that. Ideally, I would also like to be able to create alerts off of the Cisco switch syslog data as well. Any pointers here?

Hey @steve_lengua! When adding an event source in InsightIDR, you can choose the Custom Logs event source type:

And then select the Listen for Syslog collection method and enter the port number syslog messages are being sent over:

NOTE: InsightIDR Collectors only support one event source per port number. As such, each Listen for Syslog source must listen on a unique port number.

Once you’ve saved the event source and syslog messages have arrived at your Collector, you should see log messages arrive in log search under the Raw Log log set. You can then use the custom parsing tool to parse this data into JSON keys and values, or skip straight to setting up custom alerts based on syslog events.


Hello

I was wondering, did you get this added? I have added a few switches myself via this method and it works fine. But I was wondering, is this a practical way of collecting this information, since each switch needs its own port number? When you want to, say, look at 200+ devices, is this the right way of going about this?

Hey Gary,

Are you sending logs over UDP or TCP?

If the former, it shouldn’t really matter how many switches are sending logs to a single port on the collector/event source side. With TCP there is a limit to the number of concurrent connections the collector can take (10 is the default) but this can be increased in the collector config.

As long as the log messages contain some discernible information to identify the source switch, it shouldn’t be a problem to aggregate these all on one port and subsequently into one log.

Sending them via UDP. Must try them on a single port. Any issues, sure I can log a support call. So far it’s been useful for keeping an eye on a few switches with some ports going up and down and at what times.
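As an added example (not code from the thread or from Rapid7), the parser below shows what "discernible information to identify the source switch" means in practice when many switches share one UDP port: it pulls the hostname out of each Cisco IOS message, falls back to the sender IP when the switch does not stamp its own name, and counts the interface up/down transitions mentioned in the last post. It assumes the common IOS syslog layout produced by `service sequence-numbers`, `logging origin-id hostname` and `service timestamps`; the sample datagrams are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumed common IOS layout: <PRI>[seq: ][hostname: ][timestamp: ]%FAC-SEV-MNEMONIC: text
IOS_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"                                              # service sequence-numbers
    r"(?:(?P<host>[A-Za-z][\w.-]*): )?"                                 # logging origin-id hostname
    r"(?:(?P<ts>[*.]?[A-Z][a-z]{2}\s+\d{1,2} [\d:.]+(?: [A-Z]+)?): )?"  # service timestamps
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$"
)
UPDOWN_RE = re.compile(r"Interface (?P<ifname>\S+), changed state to (?P<state>up|down)")

@dataclass
class IosEvent:
    switch: str            # hostname carried in the message, else the UDP sender IP
    identified: bool       # True only when the message itself names the switch
    severity: int
    facility: str
    mnemonic: str
    ifname: Optional[str] = None
    state: Optional[str] = None

def parse_ios_syslog(raw: str, sender_ip: str) -> Optional[IosEvent]:
    # Returns None for datagrams that are not IOS-shaped (other vendors, plain RFC 3164)
    m = IOS_RE.match(raw.strip())
    if not m:
        return None
    host, u = m.group("host"), UPDOWN_RE.search(m.group("text"))
    return IosEvent(switch=host or sender_ip, identified=host is not None,
                    severity=int(m.group("sev")), facility=m.group("fac"),
                    mnemonic=m.group("mnem"),
                    ifname=u.group("ifname") if u else None,
                    state=u.group("state") if u else None)

def link_flaps(datagrams: list) -> Counter:
    # Count LINK/LINEPROTO state changes per (switch, interface) across all senders
    counts: Counter = Counter()
    for sender_ip, raw in datagrams:
        ev = parse_ios_syslog(raw, sender_ip)
        if ev and ev.facility in ("LINK", "LINEPROTO") and ev.ifname:
            counts[(ev.switch, ev.ifname)] += 1
    return counts

# Constructed sample datagrams (sender IP, payload) as a Collector would receive them.
SAMPLE = [
    ("10.0.0.11", "<189>12: SW-ACCESS-01: *Mar  1 08:00:01.100: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to down"),
    ("10.0.0.11", "<189>13: SW-ACCESS-01: *Mar  1 08:00:04.300: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up"),
    ("10.0.0.12", "<189>7: *Mar  1 08:00:05.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to down"),
    ("10.0.0.13", "<46>Mar  1 08:00:06 not-a-cisco-message"),  # non-IOS sender: parser returns None
]
```

Switches whose events come back with `identified == False` are the ones to fix on the device side (enable a hostname origin-id) before relying on the message content for per-switch alerts, since a sender IP alone is lost once logs are NATed or relayed.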