Accenture MDR Quick Start Guide for Cisco IOS® Devices

This quick start guide helps Accenture MDR customers configure Cisco® IOS, Cisco VPN Concentrator, Cisco SDWAN, Cisco NCS (IOS XR) and Cisco Catalyst 9800 devices to send logs to the Log Collection Platform (LCP).


Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source       Destination   Port                      Description
Cisco IOS    LCP           514 (UDP) or 601 (TCP)    Default port

Configuring Cisco IOS

To configure Cisco IOS routers/switches to send event logs to the LCP, follow the steps given below:

  1. Enter configuration mode:

     a. Log in to the Cisco device command prompt and type the following command: enable

     b. Enter your privileged command mode password.

     c. At the new prompt, type the following command: configure terminal

2. Enable syslog logging and specify the IP address of the LCP by entering the command:

logging <lcp_ip_address>

3. Set the internal log buffer to 10,000 bytes for debug output (newer messages overwrite older messages) by entering the command: logging buffered 10000 informational

4. Set syslog logging facility to INFORMATIONAL by entering the command: logging trap informational

5. To log failed and successful login attempts, type the following commands:

     a. login on-failure log

     b. login on-success log

Note: When Cisco IOS devices forward logs to the LCP through an ArcSight SmartConnector, run the following commands so that the IP address of the Cisco IOS device is included in each syslog message. Without them the collector cannot attribute the message to the sending device.

     a. logging source-interface <name of the interface with a valid IP address>

     b. logging origin-id ip

6. To enable debug timestamps, type the following commands:

a. service timestamps debug datetime msec localtime show-timezone

b. service timestamps log datetime msec localtime show-timezone

7. To disable console logging, type the following command: no logging console

Type the following command to verify that console logging is disabled: show logging

The example given below shows console logging is disabled:

Syslog logging: enabled (0 messages dropped, 1 flush, 0 overruns)

Console logging: disabled

Monitor logging: level informational, 0 messages logged

Buffer logging: level informational, 912 messages logged

Trap logging: level informational, 45 message lines logged
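A compliance check for the procedure above, as an added example that is not part of the Accenture guide or Cisco's own tooling: it takes saved "show running-config" and "show logging" output and reports which steps are not reflected on the device. The sample outputs are constructed; the step names and patterns come from the commands listed above.

```python
import re

# Commands the procedure above adds to the running configuration (guide step -> pattern).
# <lcp_ip_address> is matched as any IPv4 address; IOS stores "logging <ip>" as "logging host <ip>".
CONFIG_REQUIRED = {
    "syslog host (step 2)": r"^logging (?:host )?\d{1,3}(?:\.\d{1,3}){3}\b",
    "buffered 10000 informational (step 3)": r"^logging buffered 10000 informational$",
    "login on-failure log (step 5a)": r"^login on-failure log$",
    "login on-success log (step 5b)": r"^login on-success log$",
    "source-interface (note a)": r"^logging source-interface \S+$",
    "origin-id ip (note b)": r"^logging origin-id ip$",
    "debug timestamps (step 6a)": r"^service timestamps debug datetime msec localtime show-timezone$",
    "log timestamps (step 6b)": r"^service timestamps log datetime msec localtime show-timezone$",
    "no logging console (step 7)": r"^no logging console$",
}

# "logging trap informational" is the IOS default and is omitted from running-config,
# so step 4 and the result of step 7 are verified from "show logging" output instead.
SHOW_LOGGING_REQUIRED = {
    "trap level informational (step 4)": r"^Trap logging: level informational",
    "console logging disabled (step 7)": r"^Console logging: disabled",
}

def _absent(text, required):
    """Names of required entries with no matching line in the given device output."""
    lines = [line.strip() for line in text.splitlines()]
    return [name for name, pat in required.items()
            if not any(re.match(pat, line) for line in lines)]

def missing_logging_settings(running_config, show_logging):
    """Return the guide steps not reflected in 'show running-config' and 'show logging'."""
    return _absent(running_config, CONFIG_REQUIRED) + _absent(show_logging, SHOW_LOGGING_REQUIRED)

# Constructed sample output: steps 5a, 5b and the origin-id note were skipped on this device.
SAMPLE_RUNNING_CONFIG = """\
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no logging console
logging buffered 10000 informational
logging source-interface GigabitEthernet0/0
logging host 10.1.1.100
"""
SAMPLE_SHOW_LOGGING = """\
Console logging: disabled
Trap logging: level informational, 45 message lines logged
"""
if __name__ == "__main__":
    for item in missing_logging_settings(SAMPLE_RUNNING_CONFIG, SAMPLE_SHOW_LOGGING):
        print("MISSING:", item)
```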

Configuring Cisco VPN Concentrator

To configure Cisco VPN Concentrator to send event logs to the LCP, follow the steps given below: 

  1. Open your browser and log in to the Cisco VPN 3000 Concentrator Series Manager.

  2. From the tree on the left, select Configuration > System > Events > General.

  3. In the Syslog format field, select Cisco IOS Compatible.

  4. Click Apply.

Configuring Cisco SDWAN

To configure Cisco SDWAN devices to send event logs to the LCP, follow the steps given below.

Configuring Remote Syslog logging for SDWAN

  1. Log in to Cisco vManage and, from the menu, choose Configuration > Templates.

  2. Click Feature and click Add Template.

  3. From Select Devices, choose the device for which you wish to create a template.

  4. To create a template for logging, select Cisco Logging.

     a) The Cisco Logging template form appears. This form contains fields for naming the template and fields for defining the logging parameters.

     b) Click a tab or the plus sign (+) to display other fields.

     c) When you first open a feature template, the scope is set to Default for those parameters that have a default value.

     d) The default setting or value appears next to a parameter.

     e) To change the default or to enter a value, click the Scope drop-down list to the left of the parameter field.

5. Enter a name for the template in Template Name.

Note: The name may contain up to 128 alphanumeric characters.

6. Enter a description of the template in Template Description.

Note: The description may contain up to 2048 alphanumeric characters.

7. Enter the LCP IP address in Hostname/IPv4 Address.

8. Enter the identifier of the VPN in which the syslog server is located or through which the syslog server can be reached. VPN ID Range: 0-65530

9. Enter the interface to use for outgoing system log messages in Source Interface.

Note: The interface must be located in the same VPN as the syslog server; otherwise the syslog server configuration is ignored. If you configure multiple syslog servers, the source interface must be the same for all of them.

10. Choose a severity of the syslog message to be saved in Priority field.

Configuring Remote Syslog logging for TLS for SDWAN

  1. Enter the LCP IP address in Hostname/IPv4 Address.

  2. Enter the identifier of the VPN in which the syslog server is located or through which the syslog server can be reached. VPN ID Range: 0-65530

  3. Enter the interface to use for outgoing system log messages in Source Interface.

Note: The interface must be located in the same VPN as the syslog server; otherwise the syslog server configuration is ignored. If you configure multiple syslog servers, the source interface must be the same for all of them.

4. Choose a severity of the syslog message to be saved in Priority field.

5. For Cisco IOS XE SD-WAN devices, click On to enable syslog over TLS.

6. For Cisco IOS XE SD-WAN devices, click On to enable choosing a TLS profile, or click Off to disable choosing a TLS profile.

7. For Cisco IOS XE SD-WAN devices, choose a TLS profile that you have created for server or mutual authentication in IPv4 or IPv6 server configuration.

Configure Policy for Firewall High-Speed Logging:

  1. From the Cisco vManage menu, choose Configuration > Security.

  2. Click Add Security Policy.

  3. Enter a name for the security policy.

  4. Enter a description for the security policy.

  5. Enter the following details of the syslog server:

     1. In the VPN field, enter the VPN in which the LCP is located.

     2. In the Server IP field, enter the IP address of the LCP.

     3. In the Port field, enter the UDP port on which the LCP is listening (514 by default).

  6. If you configured an application firewall policy, uncheck the Bypass firewall policy and allow all Internet traffic to/from VPN 0 check box in the Additional Security Policy Settings area.

  7. To configure an audit trail, enable the Audit Trail option. This option is only applicable for rules with an Inspect action.

  8. Click Save Policy to save the security policy. Attach the policy to the device.

Using CLI to configure HSL to an external Syslog Server

  Device# configure terminal
  Device(config)# parameter-map type inspect-global
  Device(config-profile)# log dropped-packets
  Device(config-profile)# log flow-export v9 udp destination <LCP IP Address> 514
  Device(config-profile)# log flow-export template timeout-rate 5000
  Device(config-profile)# end

Configure Policy for Web Filter and UTD:

Create a security policy using Cisco vManage and then apply the security policy. Configure syslog as described above.

To create the security policy, refer to the following Cisco documentation:

URL filtering :

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/ios-xe-17/security-book-xe/url-filtering.html

UTD :

Security Configuration Guide: Unified Threat Defense - Configuring Multi-Tenancy for Unified Threat Defense [Cisco 4000 Series Integrated Services Routers] - Cisco

Configure Cisco NCS

Pre-requisite:

You must be in a user group associated with a task group that includes the proper task IDs. The command reference guide (System Monitoring Command Reference) lists the task IDs required for each command. If you suspect that your user group assignment is preventing you from using a command, contact your administrator for assistance.

  1. Log in to the Cisco IOS XR command line interface and execute the following commands.

  Router# configure
  Router(config)# logging <LCP IP Address> vrf <VRF Name> facility local7 hostnameprefix '<NCS Device IP Address> CISCO-IOS-XR' severity info port 514
  Router(config)# service timestamps log datetime localtime msec show-timezone
  Router(config)# ssh server logging
  Router(config)# commit

In the commands above:

     a. Replace <LCP IP Address> with the actual IP address of the LCP.

     b. Replace <VRF Name> with the actual VRF name, for example: default or management.

     c. Replace <NCS Device IP Address> with the actual IP address of the NCS device.

Example Command: logging 10.1.1.100 vrf management facility local7 hostnameprefix '10.1.1.4 CISCO-IOS-XR' severity info port 514

Configure Cisco Catalyst 9800 Series Wireless Controller

  1. Log in to the controller command line interface and execute the following commands.

  Device# configure terminal
  Device(config)# logging host <LCP IP Address>
  Device(config)# logging facility local7
  Device(config)# logging trap 6
  Device(config)# end

LCP Configuration Parameters

Table 1-2: The Cisco IOS event collector (Syslog-3126) properties to be configured by MDR.

Property       Default Value                      Description
Protocol       UDP                                The default protocol for syslog. The collector can also accept logs over TCP.
IPAddress      Cisco IOS interface IP address     Logging device IP address as given in the Pre-Installation Questionnaire (PIQ).
                                                  Note: If the device sends logs from multiple interfaces, contact the Accenture Security MDR onboarding team.
Port Number    514                                The default port for UDP. For TCP, the default port is 601.
                                                  Note: The LCP can be configured to listen on a non-standard port; advise the Accenture Security MDR onboarding team if this is a requirement.
Signatures     See the list below                 MDR recommended signatures processed by the Cisco IOS event collector.

Signatures default value:

%PARSER-,%LINEPROTO-,%AUTH-,%CONFIG-,%EVENT-,%GRE-,%HTTP-,%IKE-,%IKEDBG-,%PPP-,%PSH-,%PSOS-,%REBOOT-,%TELNET-,%WEBVPN-,NAT ,NAT:,NAT*:,%SYS-,%IPV6,ICMPv6-ND,%FWSM-,%IPS-,%IDS-,%FW-,%SEC-,%SEC_,%URLF-,%SSH-,%IP-,%LINK-,%HWVPN-,%ALARM-,%AAA-,%ACL-,%APF-,%AUTOINST-,%AVL-,%BASE-,%BCAST-,%BOOTP-,%BUFF-,%CAPWAP-,%CCX-,%CDP-,%CIDS-,%CLI-,%CLIWEB-,%CNFGR-,%DAPI-,%DEBUG-,%DHCP-,%DOT1D-,%DOT1Q-,%DOT1X-,%DOT3AD-,%DTL-,%DTLS-,%EAP-,%EMT-,%EMWEB-,%ETHOIP-,%FDB-,%FIPS-,%HIFN-,%HREAP-,%IAPP-,%IDMGR-,%INIT-,%IOS-,%IPSTAT-,%L7API-,%L7COMM-,%LAG-,%LIC_AGENT-,%LICENSE-,%LICENSE_IMAGE_APPLICATION-,%LOCP-,%LOG-,%LRADSIM-,%LWAPP-,%MIRROR-,%MM-,%MMC-,%NIM-,%NMSP-,%NULL-,%OSAPI-,%PEM-,%PKTDEBUG-,%PMALLOC-,%POE-,%POLICY-,%POWER-,%PPTP-,%RBCP-,%RF-,%RFID-,%RMGR-,%RRM-,%SIM-,%SNMP-,%SNMPUTIL-,%SNTP-,%SOCKET_TASK-,%SSHPM-,%SYSNET-,%SYSTEM-,%TFTP-,%TOOL-,%TRAPMGR-,%UPDATE-,%USMDB-,%WCP-,%WEB-,%WPS-,SEV=,%ETHPORT-,%ETH_PORT_CHANNEL-,%IPNAT-,%SSLVPN-,%DHCPD-,%SMART_LIC,%DMI-,%OSPF-,%Cisco-,%SELINUX-,%UTD-,CISCO-IOS-XR
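Collector-side parsing of a message produced by the Cisco IOS configuration in this guide (logging origin-id ip plus msec timestamps), matched against the Table 1-2 signature prefixes. This is an added example, not Accenture's collector or Cisco code; the sample messages and the signature subset are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the MDR recommended signature prefixes from Table 1-2.
MDR_SIGNATURES = ("%SYS-", "%SEC-", "%SEC_", "%LINK-", "%LINEPROTO-", "%SSH-",
                  "%AAA-", "%CONFIG-", "%UTD-", "%LOG-")

# Shape of a message sent with "logging origin-id ip" and
# "service timestamps log datetime msec localtime show-timezone":
#   <PRI>[seq: ]<origin-ip>: [*|.]Mon dd hh:mm:ss.mmm TZ: %FACILITY-SEV-MNEMONIC: text
# A leading '*' or '.' on the timestamp means the device clock is not authoritative.
_IOS_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"
    r"(?P<origin>\d{1,3}(?:\.\d{1,3}){3}): "
    r"(?P<ts>[*.]?[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3} \S+): "
    r"(?P<msg>.+)$"
)

@dataclass
class IosEvent:
    facility: int          # syslog facility from PRI (23 = local7)
    severity: int          # syslog severity from PRI (0 emerg .. 7 debug)
    origin_ip: str         # device IP inserted by "logging origin-id ip"
    clock_unsynced: bool   # True when the timestamp carried a '*' or '.' marker
    timestamp: str
    message: str
    mdr_signature: Optional[str]  # matching Table 1-2 prefix, or None

def parse_ios_syslog(line: str) -> Optional[IosEvent]:
    """Parse one IOS syslog line; return None if it lacks the origin-id field."""
    m = _IOS_LINE.match(line.strip())
    if m is None:
        return None
    pri, ts, msg = int(m["pri"]), m["ts"], m["msg"]
    sig = next((s for s in MDR_SIGNATURES if msg.startswith(s)), None)
    return IosEvent(pri // 8, pri % 8, m["origin"], ts[0] in "*.",
                    ts.lstrip("*."), msg, sig)

# Constructed sample lines: a login failure from a device with origin-id set, and a
# line from a device without origin-id (no IP, so the collector cannot attribute it).
SAMPLE_OK = ("<188>45: 10.1.1.4: *Jan 12 10:22:33.123 UTC: %SEC_LOGIN-4-LOGIN_FAILED: "
             "Login failed [user: admin] [Source: 10.1.1.50] [localport: 22]")
SAMPLE_NO_ORIGIN = "<189>Jan 12 10:22:40.001 UTC: %SYS-5-CONFIG_I: Configured from console by vty0"

if __name__ == "__main__":
    print(parse_ios_syslog(SAMPLE_OK))
    print(parse_ios_syslog(SAMPLE_NO_ORIGIN))
```

A None result for a line that otherwise looks like IOS syslog is the quickest sign that logging origin-id ip was not applied on the sending device.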


Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.