Accenture MDR Quick Start Guide for Cisco IOS® Devices
This quick start guide helps Accenture MDR customers configure Cisco® IOS, Cisco VPN Concentrator or Cisco SDWAN devices to send logs to the Log Collection Platform (LCP).
Supported Versions
A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx) which can be found in Accenture MDR Portal.
Port Requirements
Table 1-1: Port requirements for LCP communication.
Source    | Destination | Port                   | Description
Cisco IOS | LCP         | 514 (UDP) or 601 (TCP) | Default port
Configuring Cisco IOS
To configure Cisco IOS routers/switches to send event logs to the LCP, follow the steps given below:
1. Go to configuration mode by following the steps below:
a. Log in to the Cisco device command prompt and type the following command: enable
b. Enter your privileged command mode password.
c. At the new prompt, type the following command: configure terminal
2. Enable syslog logging and specify the IP address of the LCP by entering the command:
logging <lcp_ip_address>
3. Set the internal log buffer to 10,000 bytes at informational level (when the buffer is full, newer messages overwrite older messages) by entering the command: logging buffered 10000 informational
4. Set the syslog trap severity level to informational, so that messages of severity informational and above are forwarded to the LCP, by entering the command: logging trap informational
5. To enable login failed and success events, type the following commands:
a. login on-failure log
b. login on-success log
Note: When you configure Cisco IOS devices to forward logs to the LCP through ArcSight SmartConnector, you need to run the following commands so that the IP address of the Cisco IOS device is included in each syslog message.
a. logging source-interface <name of the interface with a valid IP address>
b. logging origin-id ip
6. To enable debug timestamps, type the following commands:
a. service timestamps debug datetime msec localtime show-timezone
b. service timestamps log datetime msec localtime show-timezone
7. To disable console logging, type the following command: no logging console
Type the following command to verify that console logging is disabled: show logging
The example output below shows that console logging is disabled:
    Syslog logging: enabled (0 messages dropped, 1 flush, 0 overruns)
        Console logging: disabled
        Monitor logging: level informational, 0 messages logged
        Buffer logging: level informational, 912 messages logged
        Trap logging: level informational, 45 message lines logged
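The following script is an added example and is not part of the Accenture guide or a Cisco tool. It parses the summary lines that "show logging" prints on Cisco IOS (the layout reproduced above) and reports which of the settings from steps 3, 4 and 7 are missing, which is the check an onboarding engineer would run against a pasted transcript before declaring the device ready. The transcript embedded in the script is constructed from the guide's sample output, not captured from a real device.

```python
"""Check a 'show logging' transcript against the settings this guide configures.

Added example; not part of the Accenture guide and not a Cisco tool. The
transcript below is constructed from the guide's sample output.
"""
import re

# Cisco IOS severity keywords and their numeric level (0 = most severe).
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Constructed sample, matching the guide's example output.
SAMPLE_SHOW_LOGGING = """\
Syslog logging: enabled (0 messages dropped, 1 flush, 0 overruns)
    Console logging: disabled
    Monitor logging: level informational, 0 messages logged
    Buffer logging: level informational, 912 messages logged
    Trap logging: level informational, 45 message lines logged
"""

TARGET_RE = re.compile(r"^\s*(?P<target>\w+) logging: (?P<rest>.*)$")
LEVEL_RE = re.compile(r"level (?P<level>\w+)")


def parse_show_logging(text):
    """Return {target: {"enabled": bool, "level": int or None}} per logging target."""
    targets = {}
    for line in text.splitlines():
        m = TARGET_RE.match(line)
        if not m:
            continue  # buffered log lines and other output are not summary lines
        target, rest = m.group("target").lower(), m.group("rest")
        lvl = LEVEL_RE.search(rest)
        targets[target] = {
            "enabled": not rest.startswith("disabled"),
            "level": SEVERITY.get(lvl.group("level")) if lvl else None,
        }
    return targets


def check_logging(targets, expected_level=SEVERITY["informational"]):
    """List deviations from the guide: syslog on, console off, buffer and trap at informational."""
    findings = []
    if not targets.get("syslog", {}).get("enabled"):
        findings.append("syslog logging is disabled")
    if targets.get("console", {}).get("enabled", True):
        findings.append("console logging is still enabled (step 7: no logging console)")
    for target, step in (("buffer", "step 3"), ("trap", "step 4")):
        entry = targets.get(target)
        if entry is None or not entry["enabled"]:
            findings.append(f"{target} logging is not enabled ({step})")
        elif entry["level"] is not None and entry["level"] < expected_level:
            # A lower number is a stricter filter: informational events would never reach the LCP.
            findings.append(f"{target} logging level is stricter than informational ({step})")
    return findings


if __name__ == "__main__":
    problems = check_logging(parse_show_logging(SAMPLE_SHOW_LOGGING))
    print("OK" if not problems else "\n".join(problems))
```

Paste the output of "show logging" from the device into SAMPLE_SHOW_LOGGING (or read it from a file) and run the script; an empty findings list means the trap, buffer and console settings match the guide.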
Configuring Cisco VPN Concentrator
To configure Cisco VPN Concentrator to send event logs to the LCP, follow the steps given below:
1. Open your browser and log in to the Cisco VPN 3000 Concentrator Series Manager.
2. From the tree on the left, select Configuration > System > Events > General.
3. In the Syslog format field, select Cisco IOS Compatible.
4. Click Apply.
Configuring Cisco SDWAN
To configure Cisco SDWAN, follow the steps below:
1. From the Cisco vManage menu, navigate to Configuration > Templates.
2. Click Feature, then click Add Template.
3. From Select Devices, choose the device for which you wish to create a template.
4. To create a template for logging, select Cisco Logging.
a) The Cisco Logging template form appears. This form contains fields for naming the template and fields for defining the logging parameters.
b) Click a tab or the plus sign (+) to display other fields.
c) When you first open a feature template, the scope is set to Default for those parameters that have a default value.
d) The default setting or value appears next to a parameter.
e) To change the default or to enter a value, click the Scope drop-down list to the left of the parameter field.
5. Enter a name for the template in Template Name.
Note: The name may contain up to 128 alphanumeric characters.
6. Enter a description of the template in Template Description.
Note: The description may contain up to 2048 alphanumeric characters.
7. Enter the LCP IP address in Hostname/IPv4 Address.
8. Enter the identifier of the VPN in which the syslog server is located, or through which the syslog server can be reached. VPN ID range: 0-65530
9. Enter the interface to use for outgoing system log messages in Source Interface.
Note: The interface must be located in the same VPN as the syslog server. Otherwise, the configuration of syslog servers will be ignored. If you configure multiple syslog servers, the source interface must be the same for all of them.
10. In the Priority field, choose the severity of the syslog messages to be saved.
Configuring Remote Syslog Logging over TLS for SDWAN
1. Enter the LCP IP address in Hostname/IPv4 Address.
2. Enter the identifier of the VPN in which the syslog server is located, or through which the syslog server can be reached. VPN ID range: 0-65530
3. Enter the interface to use for outgoing system log messages in Source Interface.
Note: The interface must be located in the same VPN as the syslog server. Otherwise, the configuration of syslog servers will be ignored. If you configure multiple syslog servers, the source interface must be the same for all of them.
4. In the Priority field, choose the severity of the syslog messages to be saved.
5. For Cisco IOS XE SD-WAN devices, click On to enable syslog over TLS.
6. For Cisco IOS XE SD-WAN devices, click On to enable choosing a TLS profile, or click Off to disable choosing a TLS profile.
7. For Cisco IOS XE SD-WAN devices, choose a TLS profile that you have created for server or mutual authentication in IPv4 or IPv6 server configuration.
Configure Policy for Firewall High-Speed Logging:
1. From the Cisco vManage menu, choose Configuration > Security.
2. Click Add Security Policy.
3. Enter a name for the security policy.
4. Enter a description for the security policy.
5. Enter the following details of the syslog server:
a. In the VPN field, enter the VPN in which the server is located.
b. In the Server IP field, enter the IP address of the LCP.
c. In the Port field, enter the UDP port on which the server is listening (514).
6. If you configured an application firewall policy, uncheck the "Bypass firewall policy and allow all Internet traffic to/from VPN 0" check box in the Additional Security Policy Settings area.
7. To configure an audit trail, enable the Audit Trail option. This option is only applicable for rules with an Inspect action.
8. Click Save Policy to save the security policy, then attach the policy to the device.
Using the CLI to configure HSL to an external syslog server:
    Device# configure terminal
    Device(config)# parameter-map type inspect-global
    Device(config-profile)# log dropped-packets
    Device(config-profile)# log flow-export v9 udp destination <LCP IP Address> 514
    Device(config-profile)# log flow-export template timeout-rate 5000
    Device(config-profile)# end
Configure Policy for Web Filter and UTD:
Create a security policy using Cisco vManage and then apply the security policy. Configure syslog in the same way as described above.
To create the security policy, refer to the following links:
URL filtering :
UTD :
Configure Cisco NCS
Prerequisite:
You must be in a user group associated with a task group that includes the proper task IDs. The command reference guide (System Monitoring Command Reference) includes the task IDs required for each command. If you suspect that your user group assignment is preventing you from using a command, contact your administrator for assistance.
Log in to the Cisco IOS XR command line interface and execute the commands below.
Router# configure
Router(config)# logging <LCP IP Address> vrf <VRF Name> facility local7 hostnameprefix '<NCS Device IP Address> CISCO-IOS-XR' severity info port 514
Router(config)# service timestamps log datetime localtime msec show-timezone
Router(config)# ssh server logging
Router(config)# commit
In the above commands:
a. Replace <LCP IP Address> with the actual IP address of the LCP.
b. Replace <VRF Name> with the actual VRF name, for example: default or management.
c. Replace <NCS Device IP Address> with the actual IP address of the NCS device.
Example command: logging 10.1.1.100 vrf management facility local7 hostnameprefix '10.1.1.4 CISCO-IOS-XR' severity info port 514
Configure Cisco Catalyst 9800 Series Wireless Controller
Log in to the controller command line interface and execute the commands below.
Device# configure terminal
Device(config)# logging host <LCP IP Address>
Device(config)# logging facility local7
Device(config)# logging trap 6
Device(config)# end
LCP Configuration Parameters
Table 1-2: The Cisco IOS event collector (Syslog - 3126) properties to be configured by MDR.
Property | Default Value | Description
Protocol | UDP | The default protocol for syslog. The collector can also accept logs over TCP.
IPAddress | Cisco IOS Interface IP Address | Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs using multiple interfaces, contact the Accenture Security MDR onboarding team.
Port Number | 514 | The default port for UDP. For TCP, the default port is 601. Note: The LCP can be configured to listen on a non-standard port; please advise the Accenture Security MDR onboarding team if this is a requirement.
Signatures | %PARSER-,%LINEPROTO-,%AUTH-,%CONFIG-,%EVENT-,%GRE-,%HTTP-,%IKE-,%IKEDBG-,%PPP-,%PSH-,%PSOS-,%REBOOT-,%TELNET-,%WEBVPN-,NAT ,NAT:,NAT*:,%SYS-,%IPV6,ICMPv6-ND,%FWSM-,%IPS-,%IDS-,%FW-,%SEC-,%SEC_,%URLF-,%SSH-,%IP-,%LINK-,%HWVPN-,%ALARM-,%AAA-,%ACL-,%APF-,%AUTOINST-,%AVL-,%BASE-,%BCAST-,%BOOTP-,%BUFF-,%CAPWAP-,%CCX-,%CDP-,%CIDS-,%CLI-,%CLIWEB-,%CNFGR-,%DAPI-,%DEBUG-,%DHCP-,%DOT1D-,%DOT1Q-,%DOT1X-,%DOT3AD-,%DTL-,%DTLS-,%EAP-,%EMT-,%EMWEB-,%ETHOIP-,%FDB-,%FIPS-,%HIFN-,%HREAP-,%IAPP-,%IDMGR-,%INIT-,%IOS-,%IPSTAT-,%L7API-,%L7COMM-,%LAG-,%LIC_AGENT-,%LICENSE-,%LICENSE_IMAGE_APPLICATION-,%LOCP-,%LOG-,%LRADSIM-,%LWAPP-,%MIRROR-,%MM-,%MMC-,%NIM-,%NMSP-,%NULL-,%OSAPI-,%PEM-,%PKTDEBUG-,%PMALLOC-,%POE-,%POLICY-,%POWER-,%PPTP-,%RBCP-,%RF-,%RFID-,%RMGR-,%RRM-,%SIM-,%SNMP-,%SNMPUTIL-,%SNTP-,%SOCKET_TASK-,%SSHPM-,%SYSNET-,%SYSTEM-,%TFTP-,%TOOL-,%TRAPMGR-,%UPDATE-,%USMDB-,%WCP-,%WEB-,%WPS-,SEV=,%ETHPORT-,%ETH_PORT_CHANNEL-,%IPNAT-,%SSLVPN-,%DHCPD-,%SMART_LIC,%DMI-,%OSPF-,%Cisco-,%SELINUX-,%UTD-,CISCO-IOS-XR | MDR recommended signatures processed by the Cisco IOS event collector.
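The following script is an added example; it is not part of the Accenture guide and is not the LCP collector's own code. It shows, on the collector side, what the device settings in this guide make possible: it decodes the syslog PRI field into facility and severity, rejects anything above the "logging trap informational" ceiling, reads the origin IP that "logging origin-id ip" inserts (and flags messages that lack it, the situation the ArcSight note in the Cisco IOS section warns about), and prefix-matches the message mnemonic against a subset of the Table 1-2 signatures. The sample lines are constructed in the Cisco IOS message layout, not captured traffic, and the signature subset and the 6-line-per-message regular expression are this example's own assumptions.

```python
"""Triage forwarded Cisco IOS syslog lines the way an LCP-style collector would.

Added example; not part of the Accenture guide or the LCP collector.
Sample lines are constructed, not captured from a device.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the MDR signature list in Table 1-2 (prefix match, as in the table).
SIGNATURES = ("%SYS-", "%SEC-", "%LINEPROTO-", "%LINK-", "%SSH-", "%AAA-",
              "%CONFIG-", "%DOT1X-", "%IP-", "%LOG-")

# Assumed IOS layout: <PRI>[seq: ][origin-ip: ]timestamp: %FACILITY-SEV-MNEMONIC: text
# The timestamp form matches 'service timestamps log datetime msec localtime show-timezone'.
MSG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"
    r"(?:(?P<origin>\d{1,3}(?:\.\d{1,3}){3}): )?"
    r"(?P<ts>[*.]?[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?(?: \S+)?): "
    r"(?P<sig>%[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$"
)

# Constructed sample lines (facility local7 = 23, so PRI = 23*8 + severity).
SAMPLE_LINES = [
    "<190>10.1.1.4: Mar  1 12:00:01.123 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(51000) -> 10.1.1.4(22), 1 packet",
    "<189>10.1.1.4: Mar  1 12:00:02.456 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<189>Mar  1 12:00:03.789 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "<191>10.1.1.4: Mar  1 12:00:04.000 UTC: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test",
]


@dataclass
class IosEvent:
    facility: int
    severity: int
    origin_ip: Optional[str]
    timestamp: str
    signature: str
    text: str
    matched: bool  # True when the mnemonic matches an MDR signature prefix


def parse_ios_syslog(line: str) -> IosEvent:
    """Decode one line; raises ValueError when it is not in the IOS layout."""
    m = MSG_RE.match(line)
    if not m:
        raise ValueError(f"not a Cisco IOS syslog message: {line!r}")
    pri = int(m.group("pri"))
    sig = m.group("sig")
    return IosEvent(
        facility=pri // 8,          # PRI = facility * 8 + severity (RFC 3164)
        severity=pri % 8,
        origin_ip=m.group("origin"),
        timestamp=m.group("ts"),
        signature=sig,
        text=m.group("text"),
        matched=any(sig.startswith(s) for s in SIGNATURES),
    )


def triage(lines, max_severity: int = 6) -> Tuple[List[IosEvent], List[str]]:
    """Return (accepted events, issues). Issues are what the guide's device steps prevent."""
    accepted, issues = [], []
    for line in lines:
        try:
            ev = parse_ios_syslog(line)
        except ValueError as exc:
            issues.append(str(exc))
            continue
        if ev.severity > max_severity:
            # Would not have been sent by a device configured with 'logging trap informational'.
            issues.append(f"{ev.signature}: severity {ev.severity} above trap level")
            continue
        if ev.origin_ip is None:
            issues.append(f"{ev.signature}: no origin IP (device lacks 'logging origin-id ip')")
        if not ev.matched:
            issues.append(f"{ev.signature}: not in MDR signature list")
        accepted.append(ev)
    return accepted, issues


if __name__ == "__main__":
    events, problems = triage(SAMPLE_LINES)
    for ev in events:
        print(f"{ev.origin_ip or '<no origin>'} sev={ev.severity} {ev.signature} {ev.text}")
    print("issues:", *problems, sep="\n  ")
```

Run the script as-is to see one message rejected for exceeding the trap level and one accepted but flagged for a missing origin IP; feed it real lines from a collector capture to confirm that the device-side steps produced messages the collector can attribute and match.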
Legal Notice
Copyright © 2021 Accenture. All rights reserved.
Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.