This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2008-09-03 03:40 PM

How can I get a Cisco device to send a log to enVision?

I run a report that shows the number of messages processed from each device collected in enVision.  However, I always come up with a lot of Cisco devices that apparently haven't sent any logs to enVision.  According to our network team, they rarely make changes on the Cisco routers/switches.  Therefore, I shouldn't expect to see much from them.  So, I decided to have the router guy do a simple write memory to a router and save the config to see if that would generate a log.  I did not receive anything in enVision.  We checked the logging level on the router and it is at 6, which if I remember correctly is next to debug logging level.  Is anyone aware of a way around this?  How can I get a Cisco device to send a log to enVision without making a major change on the router or switch?
0 Likes
Reply
5 Replies
DavidBruskin
Beginner
Beginner
‎2008-09-03 11:32 PM

Hi johnny5 - At Anytime has their every been logs inside the IPDB for that cisco Router? meaning have you ever recieved logs from this router before? Couple of things to check and verify from my various field encounters.

- Can the router route to the enVision box? is it an external router? punch hole through firewall?

- Did someone in the network place a ACL or firewall between recently blocking syslog?

- Can you ping from the router to the enVision LC or ES?

- if you isseut he WR MEM command, verify you see it in the log buffer on the cisco router. You then should see that the message is present and sent a copy to the logging server X.X.X.X (EnVision).

- Did enVision classify it as unknown. this is not unsual and normal for certain IOS devices. Certian IOS/CatOS messages look very similar and enVision can't decipher which exact device, switch, router, firewall, layer3 switch, etc.. it could be, so says its unknown. Try the Clear Counter command as it appears unique enough to enVision classify the correct Cisco Infra device.

Check those things and get back to me.

 

/db

0 Likes
Reply
RSAAdmin
Beginner
Beginner
‎2008-09-04 12:18 AM

You can also try to log in to the management interface and purposely mistype the password a few times - that usually kicks off a series of events.
0 Likes
Reply
AlanLaurencelle
Employee
Employee
In response to DavidBruskin
‎2008-09-05 01:47 PM

IMHO, you should only have Routers and Switches sending events to enVision if they have ACLs and those ACLs have the log parameter - thus increasing the value of the information presented to enVision for the usage of a device in your licenses count.  For the reminder of your Routers and Switches you should use Cisco Works or SyslogNG (aggregation point) and simply forward those messages to enVision as if they came from one source.  From there, either use a smidgen of UDS to have the headers fixed and let ALL of them be represented as one device in enVision, or simply leave as Active / Unknown and do your rare root cause analysis using the event viewer with REGEX matching. 

 

Alan

 

 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
‎2009-04-15 01:59 PM

Hello Johnny5,

 

Have you been able to receive logs from Cisco devices on a write mem event? If so, I'm interested in knowing how you finally made it!

 

Thanks,

Eric

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2009-04-17 01:38 PM

Unfortunately I have not.  I have been sidetracked from that.  If I do figure it out I will certainly post it. 
0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.