Accenture MDR Quick Start Guide for Cisco® Nexus™ and Cisco® APIC™

This quick start guide will help Accenture MDR customers configure Cisco® Nexus™ to send logs to the Log Collection Platform (LCP).

The document includes the following topics:

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

| Source | Destination | Port | Description |
|---|---|---|---|
| Cisco Nexus | LCP | 514 (UDP) | Default port |
| Cisco APIC | LCP | 6514 (TCP) or 514 (UDP) or 601 (TCP) | Default port |

Configuring Cisco Nexus

To configure Cisco Nexus to send syslog messages to the LCP, follow the steps below.

 Note: You can configure up to three syslog servers to forward logs to remote systems.

Connect the Virtual Device Context (VDC).

  1. Log in to the CLI.

  2. To view all the VDCs, enter the command: show vdc

  3. To view the existing VDC, enter the command: show vdc current-vdc

  4. To change the VDC, enter the command: switchto vdc

 

Configure Cisco Nexus in CLI.

  1. Log in to the CLI.

  2. Enter the following commands in the same sequence:

switch# configure terminal

switch(config)# logging server <lcp_ip_address> <severity-level> use-vrf <vrf-name> facility <local7>

switch(config)# copy running-config startup-config

Note:

  • Please refer to the vendor documentation for more information on severity levels.

  • The use-vrf vrf-name keyword argument identifies the default or management values for the VRF name. If a specific VRF is not identified, management is the default value. However, if management is configured, it will not be listed in the output of the show-running command because it is the default value. If a specific VRF is configured, the show-running command output will list the VRF for each server.

 Note:

  • Cisco Nexus configuration does not provide any option to configure logging through TCP and/or a non-standard port even though collector support has been provided.

  • When Cisco Nexus is configured to forward logs to the LCP through ArcSight SmartConnector, the logging device IP is the IP of the ArcSight SmartConnector.

  • When multiple Cisco Nexus switches forward logs through the same ArcSight SmartConnector, the logs gathered from all the switches will have the IP of ArcSight SmartConnector as the logging device IP.

  • The Cisco Nexus collector supports log forwarding from ArcSight SmartConnector. Please contact an Accenture MDR onboarding engineer if you need assistance with the configuration.
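An added example (not part of the original guide): a Python check for a test receiver that confirms lines from a Nexus switch carry the local7 facility, a severity within the level set in the logging server command, and a facility tag from the Table 1-2 signature list. The sample lines, the SIGNATURES subset, the exact-match rule, and the severity limit of 6 are constructed assumptions.

```python
import re

LOCAL7 = 23  # syslog facility code for local7; PRI = facility * 8 + severity
# Assumption: a few Table 1-2 signatures, matched as exact NX-OS facility tags.
SIGNATURES = {"AAA", "SSH", "BGP", "STP", "SYSMGR", "ACLLOG"}

# <PRI> ... %FACILITY-SEVERITY-MNEMONIC: text
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>.*?%(?P<fac>[A-Z0-9_-]+?)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):"
)

def check_line(line, max_severity):
    """Return the list of problems found in one received line (empty = OK)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable"]
    facility, severity = divmod(int(m["pri"]), 8)
    problems = []
    if facility != LOCAL7:
        problems.append(f"facility {facility} is not local7")
    if severity > max_severity:
        problems.append(f"severity {severity} exceeds configured level {max_severity}")
    if m["fac"] not in SIGNATURES:
        problems.append(f"%{m['fac']} is not in the signature list")
    return problems

# Constructed sample lines (not captured from a real switch).
SAMPLES = [
    "<189>: 2021 Mar  3 10:15:42 UTC: %SSH-5-SAMPLE_MSG: constructed message",
    "<13>: 2021 Mar  3 10:15:43 UTC: %AAA-5-SAMPLE_MSG: constructed message",
    "<191>: 2021 Mar  3 10:15:44 UTC: %BGP-7-SAMPLE_MSG: constructed message",
    "<188>: 2021 Mar  3 10:15:45 UTC: %XYZ-4-SAMPLE_MSG: constructed message",
    "no priority header here",
]

def audit(lines, max_severity=6):
    """Map each line to its problem list; max_severity=6 is an assumed setting."""
    return {line: check_line(line, max_severity) for line in lines}

if __name__ == "__main__":
    for line, problems in audit(SAMPLES).items():
        print("OK  " if not problems else "FAIL", line, problems)
```

A line that fails the facility or severity check points to a mismatch between the switch's logging server settings and what the collector expects.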

Device configuration for Cisco APIC

  1. Creating a Syslog Destination and Destination Group:

    1. In the menu bar, click Admin.

    2. In the submenu bar, click External Data Collectors.

    3. In the Navigation pane, expand Monitoring Destinations.

    4. Right-click Syslog and choose Create Syslog Monitoring Destination Group.

    5. In the Create Syslog Monitoring Destination Group dialog box, perform the following actions:

      1. In the group and profile Name field, enter a name for the monitoring destination group and profile.

      2. In the group and profile Format field, choose the format for Syslog messages. The default value is “aci”; use the default value.

      3. Enable "Show Milliseconds in Timestamp" and "Show time Zone in Timestamp".

      4. In the group and profile Admin State drop-down list, choose enabled.

      5. To enable sending of syslog messages to a local file, choose enabled from the Local File Destination Admin State drop-down list and choose a minimum severity from the Local File Destination Severity drop-down list. Choose severity as “Information”.

      6. To enable sending of syslog messages to the console, choose enabled from the Console Destination Admin State drop-down list and choose a minimum severity from the Console Destination Severity drop-down list. Choose severity as “Alerts”.

      7. Click Next.

  2. In the Create Syslog Remote Destination dialog box, perform the following actions:

    1. In the Host field, enter an “LCP IP” or a fully qualified domain name for the destination host.

    2. (Optional) In the Name field, enter a name for the destination host.

    3. In the Admin State field, click the enabled radio button.

    4. Select severity as “warning”.

    5. Select transport as ssl.

    6. Select port as 6514.

       Note: If you use tcp as the transport, set the port to 601; if you use UDP as the transport, set the port to 514.

    7. Select Forwarding Facility as local7.

    8. Select Management EPG as default (out-of-band).

    9. Click OK & Finish.

    10. Path to upload the certificate: Admin > AAA > Security > Public Key Management > Certificate Authorities, then Actions > Create Certificate Authority.

 

  3. Creating a Syslog Source:

    1. Go to Fabric > Fabric Policies > Monitoring Policies > Common Policy.

    2. Under the Common policy, click Callhome/Smart Callhome/SNMP/Syslog.

    3. In the Work pane, choose Syslog from the Source Type drop-down list.

    4. From the Monitoring Object list, select “All”.

    5. In a tenant monitoring policy, select “All”.

    6. Click + to create a syslog source.

    7. Enter a name for the syslog source.

    8. Select the minimum severity as “Warning” from the drop-down list.

    9. Select all types of messages to send to the syslog server (Audit logs, Events, Faults, Session logs).

    10. Select the Dest Group that you created in steps 1 and 2.

    11. Click Submit.

LCP Configuration Parameters 

Table 1-2: The Cisco Nexus and Cisco APIC event collector (Syslog -3734) properties to be configured by MDR are shown in the table.

| Property | Default Value | Description |
|---|---|---|
| Protocol | UDP | The default protocol for syslog. Note: Cisco Nexus does not support TCP. Enable the TCP port only if Cisco APIC logs are received on a TCP port. |
| IP Address | Cisco Nexus and Cisco APIC Interface IP Address | Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ). |
| Signatures | See the list below the table | MDR recommended signatures processed by the Cisco Nexus event collector. |
| Port Number | 514 | The default port for UDP. Note: 1. Cisco Nexus supports only 514 to send logs. 2. Cisco APIC supports both TCP and UDP. |

Signatures (default value):

%LOG_LOCAL,%STM,%IGMP,%FWM,%VPC,%VTP,%VLAN_MGR,%PVLAN,%SVI,%FCS,%SFP,%GLBP,%HSRP,%VRRP_CFG,%VRRP-
NG,%VRRP_MGR,%VRRP_ENG,%EIGRP,%OSPF,%BGP,%PIM,%MSDP,%SSM,%AAA,%ACL,%
CLTCAM,%ACLQOS,%ACLLOG,%ACLMGR,%DHCP_SNOOP,%ARP,%RADIUS,%TACACS,%DO
1X,%IPACL,%SSH,%DIAGMGR,%SNMP,%SNMPD,%CTS,%MPLS,%ISSU,%SYSMGR,%CMPPR
XY,%EOBC,%EPLD_UPGRADE,%PSS,%CFS,%MTS,%VSAN,%CDP,%SPAN,%STP,%NPV,%FC
E_MGR,%FCOE,%QoS,%VEM_MGR,%VMS,%VEM,%BFDC,%BFD,%CERT_ENROLL,%PORT,%
THPORT,%ASSOC_MGR,%CALL_HOME,%LLDP,%USER,%AUTH,%LOCAL7,%LICMGR,%MCAS
FWD,%SECURITYD,%MONITOR,%KERN,%FEX,%UDLD,%PLATFORM,%IM,%CARDCLIENT,%M
DULE,%BIOS_DAEMON,%PIXM,%VDC_MGR,%ISIS_FABRICPATH,%ASCII,%ETH_PORT_CHAN
EL,%AMM,%NETSTACK,%FEATURE,%PFMA,%SENSOR,%CALLHOME,%VSHD_SYSLOG_CON
IG_I,%AUTHPRIV,%DAEMON,%BOOTVAR,%L3VM,%SYSLOG,%NOHMS,%SATCTRL

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.