
Cisco Router with Syslog events and NetFlow

I am working on some testing as we start to implement NetFlow into our SIEM, and I have a question about the proper way to configure data sources for Cisco IOS routers that would be providing syslog events and NetFlow v9. I have read through the data source configurations and see that there is an ASA NSEL* parser that is built for NetFlow and an IOS V12xxx(ASP) parser for the syslog messages. I have experimented with the ASA NSEL parser and do not seem to be able to collect NetFlow from the device this way; only by using the generic NetFlow data source model can I gather the flows from these types of routers.

My question to the community is this: is there a way to configure a single data source that will capture both the syslog and NetFlow from an IOS device?

Having to utilize a Netflow data source and an additional data source to parse the syslog seems like it would quickly eat up the device limit supported by the receiver. Eventually we would be looking to implement this type of configuration on about 300+ routers and switches and two data sources per device does not seem ideal.

Our testing devices are running IOS Version: 12.4(21) and NetFlow v9 on standard ports (514 and 9993).

Thanks in advance.

Chris

1 Solution

Accepted Solutions
artek
Level 11

Re: Cisco Router with Syslog events and NetFlow

Chris - for syslog you can use parent\client structure. In your case (300 routers) you can use two groups.

Unfortunately you can't use this feature in the case of netflow data source...

Regards,

Artur

4 Replies
kenrights
Level 7

Re: Cisco Router with Syslog events and NetFlow

Hello Chris,

Have you considered a log to IPFIX (NetFlow) gateway? A Flow Replicator might be something for you to consider. It parses syslogs and forwards them on in flow format to your NetFlow collector.

Ken

0 Kudos
dcobes
Level 9

Re: Cisco Router with Syslog events and NetFlow

Chris,

You may be able to do this by utilizing the policy features. If a single data source is sending you multiple types of data that are parsed with different parsers you would create a custom policy that holds all the parsers needed for that data source.

For example, if you have a Windows Server that is also a web server, you would create a combined policy that looks for both Windows OS logs (more than likely WMI or Intersect Alliance - Snare) and Microsoft IIS.

0 Kudos
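To make the "one data source, several parsers" idea concrete, here is an added Python example that is not from this thread and not the SIEM product's own code. It models a receiver-side policy as a dictionary keyed by device IP that lists every parser the device's traffic may need; each parser rejects payloads it does not recognise, so a syslog line and a NetFlow v9 export packet from the same router are decoded by the right routine without a second data source entry. The router address, the sample datagrams and the policy structure are constructed assumptions, not the product's actual policy mechanism; the NetFlow v9 header layout follows RFC 3954.

```python
import struct

# Placeholder router address and constructed sample datagrams, as a SIEM
# receiver would see them arriving from one Cisco IOS device: a syslog line
# on UDP/514 and a NetFlow v9 export packet on UDP/9993.
ROUTER_IP = "192.0.2.1"  # placeholder, not a real device

SYSLOG_SAMPLE = (
    b"<189>123: *Mar  1 00:01:02.003: %SYS-5-CONFIG_I: "
    b"Configured from console by admin on vty0 (192.0.2.50)"
)


def build_netflow_v9_header(count, sys_uptime_ms, unix_secs, sequence, source_id):
    """NetFlow v9 packet header (RFC 3954 section 5.1): six big-endian fields,
    20 bytes in total. The version field (9) comes first."""
    return struct.pack("!HHIIII", 9, count, sys_uptime_ms, unix_secs, sequence, source_id)


# Header announcing two FlowSets, followed by constructed filler bytes that
# stand in for the template/data FlowSets this example does not decode.
NETFLOW_SAMPLE = build_netflow_v9_header(2, 3_600_000, 1_300_000_000, 42, 0) + b"\x00" * 16


def parse_syslog(data):
    """Extract the PRI and the Cisco IOS mnemonic (e.g. %SYS-5-CONFIG_I) from a
    BSD-style syslog datagram. Raises ValueError if the payload is not syslog."""
    text = data.decode("ascii", errors="replace")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("not a syslog datagram")
    pri_end = text.index(">")
    try:
        pri = int(text[1:pri_end])
    except ValueError:
        raise ValueError("malformed syslog PRI") from None
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    body = text[pri_end + 1:]
    mnemonic = None
    start = body.find("%")
    if start != -1:
        end = body.find(":", start)
        mnemonic = body[start:end] if end != -1 else body[start:]
    return {"type": "syslog", "facility": facility, "severity": severity,
            "mnemonic": mnemonic, "message": body}


def parse_netflow_v9_header(data):
    """Decode the 20-byte NetFlow v9 header. Raises ValueError if the payload
    is too short or its version field is not 9."""
    if len(data) < 20:
        raise ValueError("too short for a NetFlow v9 header")
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", data[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field {version})")
    return {"type": "netflow_v9", "count": count, "sys_uptime_ms": uptime,
            "export_time": secs, "sequence": seq, "source_id": source_id}


# Hypothetical "policy": one data source keyed by device IP, listing every
# parser that device's traffic may need. Parsers are tried in order.
DEVICE_POLICY = {
    ROUTER_IP: [parse_syslog, parse_netflow_v9_header],
}


def ingest(src_ip, data):
    """Route one datagram from src_ip through the parsers in its policy."""
    parsers = DEVICE_POLICY.get(src_ip)
    if parsers is None:
        raise LookupError(f"no data source configured for {src_ip}")
    for parser in parsers:
        try:
            return parser(data)
        except ValueError:
            continue  # not this parser's format; try the next one
    raise ValueError(f"no parser in the policy for {src_ip} accepted the datagram")


if __name__ == "__main__":
    for sample in (SYSLOG_SAMPLE, NETFLOW_SAMPLE):
        print(ingest(ROUTER_IP, sample))
```

Dispatching on the payload rather than on the listening port is deliberate: the first two bytes of a NetFlow v9 packet are the version field, and a syslog datagram begins with the `<PRI>` header, so a mis-routed or spoofed datagram fails every parser and is rejected instead of being mis-parsed. Whether the receiver lets its NetFlow data source join such a combined policy is exactly the question the rest of the thread turns on.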
Re: Cisco Router with Syslog events and NetFlow

So does this mean it is not possible to collect flows and syslog from the same data source? If I try, there is a conflict involving duplicate IP addresses. With this issue, how do I collect both flows and events?

0 Kudos