This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
PatricioDemarch
Beginner
Beginner
‎2012-06-11 10:02 AM

Cisco switch boxes using IOS are CIsco Switch or Cisco IOS device type..??

Hi everybody..!!
I have a doubt, I have 150 devices CIsco, some are router with IOS, some are switches with IOS (not CatOS).

The routers are set  with the Device Type "Cisco IOS" and the switches are set with Device Type "Cisco Switch" followin hte instructions on RSA Event Source Configuration Guide for Cisco IOS and Switch.

My problem is:
I want to see different  command types in this devices, but the messages ID parsed (for see this commands) are in the Cisco IOS device type only.
I use the messages ID (%PARSER-5-CFGLOG_LOGGEDCMD )  to see the executed command on CIsco console. This messages ID  is only for Cisco IOS device type, not for CIsco switch.
I need to see those executed commands on switches too. My questions are:

Can I change the device type from Cisco switch to CIsco IOS for my switches..??
This change, can I give some trouble?
Lose I the previous switches messages to change?

Sorry, my english in not good Thank you in advance for your help

Patricio

0 Likes
Reply
2 Replies
PatricioDemarch
Beginner
Beginner
‎2012-06-21 02:51 PM

Hi again..!!

First I changed the message´s subjet, next, I have good news and bad news.

Good news first... I found the messageID to recognize commands in Cisco Switch (IOS). The messageID is "PARSER-5-CFGLOG_LOGGEDCMD".

Now the bad news, this messagesID parse an specific message from Cisco switch.

<@msg:*PARMVAL($MSG)><@status:User:cd9x15 logged command:ip route <saddr><fld1><fld2>

I don´t know way but only parse this specific text "User:cd9x15 logged command:ip route". The user cd9x15 do not exist in the CIsco documentation ( don´t exist in google ). I think that is a mistake.
Someone could have written this XML for their own use, but not suitable for general use in enVision.

In Cisco IOS (router) is another story...

In the Cisco IOS the messageID to recognize command is: "%PARSER-5-CFGLOG_LOGGEDCMD" and the message:

<@:*SYSVAL($MSGID,$ID1)><@msg:*PARMVAL($MSG)>User <username> logged command:<info>

In this way, permit filter or search specific commands in the <info> variable on some Alert for example.

It´s possible to correct this for the ESI next update..?? Have I to open a case in SCOL..??

Thanks

 

Patricio

0 Likes
Reply
PatricioDemarch
Beginner
Beginner
In response to PatricioDemarch
‎2012-07-12 10:55 AM

Here is the solution.

I must to edit the ciscoswitch.xml file using Event Source Integrator and modify the PARSER-5-CFGLOG_LOGGEDCMD messasge.

 

Here the new definition:

 

<MESSAGE

level="5"

parse="1"

parsedefvalue="1"

tableid="39"

id1="PARSER-5-CFGLOG_LOGGEDCMD"

id2="PARSER-5-CFGLOG_LOGGEDCMD"

eventcategory="1605000000"

content="<@:*SYSVAL($MSGID,$ID1)>User:<username> logged command:<event_description>"/>

 

Now I can make an Alert  if any user execute some command, for example "reload" and send an email or SMS.

 

Patricio

0 Likes
Reply
© 2021 RSA Security LLC or its affiliates.
All rights reserved.