6 Replies Latest reply on Apr 1, 2016 1:27 PM by yassinezeroual

    Not getting CISCO 3845 router syslogs on ESM.

    swkadam

      Hi Team,

       

      We have integrated a CISCO router 3845 data source with McAfee NITRO. We are directly forwarding syslogs from the router to the McAfee NITRO Receiver end on UDP 514.

       

      But still we are not getting any logs from router end.

       

      So does anyone have configuration details for the router end (CISCO 3845) and the McAfee ESM end?

      Kindly suggest.

       

      Regards,

      Swapnil kadam

        • 1. Re: Not getting CISCO 3845 router syslogs on ESM.
          andy777

          Please select the Cisco device in the Device list on the left and use the Event Viewer to verify that logs are arriving at the SIEM. Also verify the timestamps on the incoming logs if you do see them.

           

          event-viewer.png

          • 2. Re: Not getting CISCO 3845 router syslogs on ESM.
            swkadam

            Thanks for reply..

             

            We have already done it, but still we are not getting logs from router.

            • 3. Re: Not getting CISCO 3845 router syslogs on ESM.
              andy777

              I'm going to assume that you have a Cisco data source using the Cisco IOS (ASP) parser already configured in your device list.


              The first thing to verify is that the logs are reaching the Receiver. If you aren't seeing any logs using the Streaming Event Viewer, that could mean that the packets are being dropped somewhere or that they are not originating from the IP that you think they are. I will usually SSH into the Receiver and run tcpdump (e.g. tcpdump -vvnni eth0 port 514 and net x.x.x.0/24) to try and find packets possibly originating from an unexpected IP. Then try some login failures to generate some logs and try to figure out where the logs are going.
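One way to exercise the check described in the reply above end to end, as an added example that is not part of the thread and not McAfee or Cisco tooling: build a datagram in the shape an IOS router emits on UDP/514, send it over UDP, and parse what arrives so the source IP, the severity carried in the PRI and the timestamp flag can be confirmed. It listens on 127.0.0.1 on an ephemeral port rather than the Receiver's UDP/514 (binding 514 needs root); the mnemonic, message text, sequence number and IP address in the sample are constructed. On a real Receiver the same parser can be fed the lines `tcpdump -A` prints.

```python
import re
import socket

# Cisco IOS logs to facility local7 (23) unless "logging facility" says otherwise;
# syslog PRI = facility * 8 + severity.
IOS_DEFAULT_FACILITY = 23

# Shape of an IOS log line on the wire. The sequence number and the timestamp are
# optional: they depend on "service sequence-numbers" and
# "service timestamps log datetime msec" on the router.
IOS_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                   # syslog PRI
    r"(?:(?P<seq>\d+): )?"                                   # service sequence-numbers
    r"(?:(?P<clock>[*.])?"                                   # * clock not authoritative, . no NTP sync
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2}(?: \d{4})? \d\d:\d\d:\d\d(?:\.\d{3})?(?: [A-Za-z]{3,5})?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)


def build_ios_syslog(severity, facility, mnemonic, text, seq=None, ts=None, clock_flag=""):
    """Build one IOS-style syslog datagram (constructed test traffic, not a router's)."""
    pri = IOS_DEFAULT_FACILITY * 8 + severity
    head = f"<{pri}>"
    if seq is not None:
        head += f"{seq}: "
    if ts is not None:
        head += f"{clock_flag}{ts}: "
    return f"{head}%{facility}-{severity}-{mnemonic}: {text}".encode()


def parse_ios_syslog(data):
    """Return the fields of an IOS syslog line, or None if the line is not IOS-shaped."""
    m = IOS_RE.match(data.decode("utf-8", "replace").rstrip("\r\n"))
    if not m:
        return None
    d = m.groupdict()
    pri = int(d["pri"])
    d["pri_facility"], d["pri_severity"] = pri // 8, pri % 8
    d["severity"] = int(d["severity"])
    d["seq"] = int(d["seq"]) if d["seq"] is not None else None
    # A leading '*' or '.' on the timestamp means the router clock is not trustworthy;
    # that is what makes ESM show events with odd times even though they arrive.
    d["clock_authoritative"] = d["ts"] is not None and d["clock"] is None
    return d


def udp_roundtrip(payload, host="127.0.0.1", timeout=2.0):
    """Send payload to a local UDP listener and return (source_ip, bytes received)."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind((host, 0))  # ephemeral port: UDP/514 needs root and belongs to the Receiver
        rx.settimeout(timeout)
        tx.sendto(payload, (host, rx.getsockname()[1]))
        data, (src_ip, _) = rx.recvfrom(4096)
    finally:
        tx.close()
        rx.close()
    return src_ip, data


if __name__ == "__main__":
    # Constructed sample: a config-change event with a non-authoritative clock.
    msg = build_ios_syslog(5, "SYS", "CONFIG_I", "Configured from console by vty0 (10.0.0.5)",
                           seq=42, ts="Mar  1 00:12:34.567", clock_flag="*")
    src, data = udp_roundtrip(msg)
    fields = parse_ios_syslog(data)
    print(f"from {src}: %{fields['facility']}-{fields['severity']}-{fields['mnemonic']} "
          f"ts={fields['ts']} clock_authoritative={fields['clock_authoritative']}")
```

If `udp_roundtrip` reports a source IP other than the one configured on the data source (a NAT device or a `logging source-interface` on the router), the Receiver will silently ignore the traffic even though `tcpdump` shows it arriving.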

              • 4. Re: Not getting CISCO 3845 router syslogs on ESM.
                kmc

                We are also facing the same problem here, but instead of sending directly to the ESM we are trying to forward router logs from a logging host to the ESM. Can anybody please help with this?

                • 5. Re: Not getting CISCO 3845 router syslogs on ESM.
                  yassinezeroual

                  Please follow the Steps:

                   

                  CISCO_IOS_1.png

                   

                  CISCO_IOS_2.png

                  • 6. Re: Not getting CISCO 3845 router syslogs on ESM.
                    yassinezeroual

                    If you created a data source and you know that logs are being sent to the Receiver, perform these steps to check if the data is actually getting to the Receiver.

                     

                    To determine if you are getting data from a data source:

                    1. Run the following command:

                    tcpdump -nni eth0 host <IP_Address of datasource>

                    If you see data, go to Step 2. If not, there could be a firewall blocking the traffic, or it might be sending to the wrong IP address.

                    2. Run the following command:

                    iptables -nvL

                    In the output displayed, the first 2 columns will be the packets sent and received, which will enable you to find the IP address of the data source. If there is data, go to Step 3.

                    3. In the ESM console, select the data source in question, then from the View drop-down, select Device Status. If you see data, the data has been received. If you see data but you are still not seeing events, verify the vendor and model. If the vendor and model are correct, call Technical Support.
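As an added example for step 2 of the procedure above (not part of the thread and not McAfee tooling): parse the output of `iptables -nvL` and sum the packet counters of the INPUT rules that could match syslog from the data source's address. The first two columns of that output are each rule's pkts and bytes counters; a matching rule that has counted zero packets, or no matching rule on a chain whose policy is DROP, both mean the Receiver is not accepting the datagrams. The sample output, the addresses and the counters below are constructed; the script takes the chain, protocol and port as parameters so it also covers TCP syslog on another port.

```python
import ipaddress
import re

# Constructed sample of `iptables -nvL` output on a Receiver (not real data).
# 10.20.30.40 has hits on its syslog rule, 10.20.30.41 has a rule with zero hits,
# and 10.99.0.1 has no rule at all and falls through to the INPUT policy.
SAMPLE_IPTABLES = """\
Chain INPUT (policy DROP 27 packets, 2160 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1532   97K ACCEPT     udp  --  eth0   *       10.20.30.40          0.0.0.0/0            udp dpt:514
    0     0 ACCEPT     udp  --  eth0   *       10.20.30.41          0.0.0.0/0            udp dpt:514
  887   55K ACCEPT     tcp  --  eth0   *       10.20.0.0/16         0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4102 packets, 512K bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# Without -x, iptables abbreviates large counters with K/M/G (decimal multiples).
_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
_CHAIN_RE = re.compile(
    r"^Chain (?P<name>\S+) \((?:policy (?P<policy>\S+) (?P<pkts>\d+[KMG]?) packets.*|.*)\)"
)
_RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+"
    r"(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)


def parse_counter(token):
    """Turn '97K' style counters into integers."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_iptables_nvl(text):
    """Return ({chain: {policy, policy_pkts}}, [rule dicts]) from `iptables -nvL` output."""
    chains, rules, chain = {}, [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _CHAIN_RE.match(line)
        if m:
            chain = m.group("name")
            chains[chain] = {
                "policy": m.group("policy"),
                "policy_pkts": parse_counter(m.group("pkts")) if m.group("pkts") else None,
            }
            continue
        if line.lstrip().startswith("pkts"):
            continue  # column header
        m = _RULE_RE.match(line)
        if m and chain:
            r = m.groupdict()
            r["chain"] = chain
            r["pkts"], r["bytes"] = parse_counter(r["pkts"]), parse_counter(r["bytes"])
            rules.append(r)
    return chains, rules


def syslog_rule_hits(chains, rules, src_ip, chain="INPUT", proto="udp", dport=514):
    """Packets counted by rules in `chain` that can match syslog from src_ip, plus those rules."""
    ip = ipaddress.ip_address(src_ip)
    matched = []
    for r in rules:
        if r["chain"] != chain or r["prot"] not in (proto, "all"):
            continue
        # iptables prints /32 hosts without a prefix; ip_network handles both forms.
        if ip not in ipaddress.ip_network(r["src"], strict=False):
            continue
        ports = [t for t in r["extra"].split() if t.startswith("dpt:")]
        if ports and f"dpt:{dport}" not in ports:
            continue
        matched.append(r)
    return sum(r["pkts"] for r in matched), matched


def explain(chains, rules, src_ip):
    """One-line verdict for a data source address, in the spirit of step 2 above."""
    pkts, matched = syslog_rule_hits(chains, rules, src_ip)
    if not matched:
        pol = chains.get("INPUT", {})
        return (f"no INPUT rule matches syslog from {src_ip}; chain policy is "
                f"{pol.get('policy')} ({pol.get('policy_pkts')} packets hit the policy)")
    if pkts == 0:
        return f"rule exists for {src_ip} but has counted 0 packets: traffic is not reaching the Receiver"
    return f"{pkts} packets from {src_ip} matched {len(matched)} rule(s): the firewall is passing it"


if __name__ == "__main__":
    chains, rules = parse_iptables_nvl(SAMPLE_IPTABLES)
    for ip in ("10.20.30.40", "10.20.30.41", "10.99.0.1"):
        print(explain(chains, rules, ip))
```

On a live Receiver, pipe the real output in (`iptables -nvL | python3 check.py`, reading `sys.stdin` instead of the sample) and run it twice a minute apart: a counter that does not move while the router is generating events, for instance from deliberate login failures, points at the path before the Receiver, which is where the `tcpdump` of step 1 belongs.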