Skip to main content
Skip table of contents

Create a Remote Log Source - Cisco ISR

Topics Discussed

To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account: 

  • Write Virtual Machine

  • Delete Log Management

  • Read Log Endpoints

  • Read Log Relays

  • Write Log Relays

  • Delete Log Relays

You can use this document to send Cisco Integrated Services Router (ISR) logs to Armor's Security Information & Event Management (SIEM).

This document only applies to:

  • Cisco Integrated Services Router (ISR) (IOS)


Pre-Deployment Considerations

To create a remote Log Relay, you must already have:


Update Your Cisco ISR Device

  1. Log into your Cisco ISR device.

  2. Access the privileged EXEC mode:

    BASH 
    hostname> enable

  3. Access the global configuration mode:

    BASH 
    hostname# configure terminal

  4. Enable logging:

    BASH 
    hostname(config)# logging on

  5. Configure the global logging settings:

    BASH 
    hostname(config)# no logging console
hostname(config)# logging trap warning
hostname(config)# logging origin-id hostname

  6. Configure the logs to be sent to a designated Armor Log Relay device:

    BASH 
    hostname(config)# logging source-interface <interface>
hostname(config)# logging host <ipaddress> transport <protocol> port <port>
    • In <interface>, enter the name of the Cisco ISR interface, such as GigabitEthernet 1.
    • In <ipaddress>, enter the IP address of the designated Armor Log Relay device.
      • To locate your IP address in AMP, in the left-side navigation, click Infrastructure, click Virtual Machines, and then review the Primary IP column for the corresponding virtual machine.
    • For <protocol> and <port>,
      • For UDP, enter transport udp port 10117.
        • Armor recommends that you use UDP.
      • For TCP, enter transport tcp port 10117.

  7. Exit the configuration:

    BASH 
    hostname(config)# exit

  8. Save the changes:

    BASH 
    hostname# write memory

  9. Review the logging configuration:

    BASH 
    hostname# show run all logging
logging enable
logging timestamp
logging hide username
logging buffer-size 4096
logging asdm-buffer-size 100
logging buffered warnings
logging trap warnings
logging asdm warnings
logging device-id hostname
logging host inside 100.64.0.10 17/5140
logging flash-minimum-free 3076
logging flash-maximum-allocation 1024

    If present, logging standby enables logging on a standby unit with failover enabled. As a result, this option causes increases traffic on the syslog server.

Troubleshooting

Verify that logs are formatted correctly, similar to the following example:

TEXT 
May 22 2019 16:11:55 asav-984 : %ASA-4-411004: Interface Management0/0, changed state to administratively down


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close