Documentation Center
AlienVault® USM Anywhere™

Cisco ASR

When you configure Cisco ASR Router integration to send log data to USM Anywhere, you can use the Cisco ASR plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor Cisco
Device type Router
Connection type syslog
Resource link http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/esm/configuration/xe-16/esm-xe-16-book/esm-syslog.html

Integrating the Cisco ASR Router

Before you configure the integration, you must have the IP Address of the USM AnywhereUSM Appliance Sensor.

To configure the Cisco ASR Router to send log data over syslog to USM Anywhere

  1. Enable privileged EXEC mode.

    Device> enable

  2. Provide your login credentials, if prompted.
  3. Enter global configuration mode.

    Device# configure terminal

  4. Specify one or more syslog filter modules you want applied to generated system logging messages.

    Device(config)# logging filter <filter-url> [position] [args <filter-arguments>]

    Note: Repeat this command for every syslog filter you intend to use.

    Where:

    • The filter-url variable is the Cisco IOS File System location of the syslog filter module (script). The location can be in local memory or a remote server, using tftp:, ftp:, or rcp:.
    • The optional position argument specifies the order in which the syslog filter modules should run. If this argument is omitted, the specified module runs last in the chain of modules. Filters can be reordered quickly by again entering the logging filter command and specifying a different position.
    • The optional args filter-arguments syntax can be added to pass one or multiple arguments to the specified filter.

      The number and type of arguments should be defined in the syslog filter module. For example, if the syslog filter module is designed to accept a specific e-mail address as an argument, you could pass the e-mail address using the args [email protected] syntax.

      Note: To delimit multiple arguments, use spaces.

    • To remove a module from the list of modules to be executed, use the no form of this command.
  5. Specify the USM Anywhere Sensor for ESM-filtered syslog output by entering one of the following:

    Device(config)# logging host {<ip-address> | <hostname>} filtered [stream <stream-id>].

    Where:

    • The stream tag allows you to specify a remote host destination, based on the type of message.
    • The stream <stream-id> syntax allows you to configure the ESM to send only messages that have a specified stream value to a certain host. The stream value is applied to messages by the configured syslog filter modules. For example, all Severity 5 messages could have a stream tag of 20.
  6. Repeat the previous step for each desired logging destination.

    By repeating the step, you can configure messages at different severity levels to be sent to USM Anywhere. For example, you may want to display only important messages to the screen at your network operations center (NOC).

    You can also this to configure sending data to multiple targets for multiple system logging streams.

  7. (Optional) Specify the source interface for syslog messages sent to USM Anywhere.

    Device (config)# logging source-interface <interface_type-number>

    Normally, a syslog message sent to remote hosts uses any interface available at the time of message generation. This command forces the device to send syslog messages to remote hosts only from the specified interface.

  8. End the configuration session and return to privileged EXEC mode.

    Device(config)# end

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • destination_address

  • destination_port

  • event_description

  • event_name

  • event_severity

  • source_address

  • source_port

  • transport_protocol

Troubleshooting

For troubleshooting, refer to the vendor documentation:

Cisco IOS XR Troubleshooting Guide for the Cisco ASR 9000 Aggregation Services Router (pdf)