AlienVault® USM Anywhere™

Cisco Nexus

When you configure Cisco Nexus integration to send log data to USM Anywhere, you can use the Cisco Nexus plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor: Cisco
Device type: Switch
Connection type: syslog
Vendor link: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/system_management/502_n1_1/b_Cisco_n5k_system_mgmt_cg_rel_502_n1_1/Cisco_n5k_system_mgmt_cg_rel_502_n1_1_chapter9.html

Integrating Cisco Nexus

Before you configure the integration, you must have the IP address of the USM Anywhere Sensor.

To configure Cisco Nexus to send log data to USM Anywhere

  1. Enter configuration mode:

     switch# configure terminal

  2. Configure the host to receive syslog messages:

     switch(config)# logging server {hostname|IPv4|IPv6} [severity-level [use-vrf vrf-name [facility facility-type]]]

    Where:

    • hostname|IPv4|IPv6 identifies the syslog server host by its hostname, IPv4 address, or IPv6 address.
    • severity-level limits the logging of syslog server messages to a specified level. Severity levels range from 0 to 7.
    • vrf-name identifies the default or management values for the VRF name.

      If a specific VRF is not identified, management is the default.

      Note: If management is configured, it does not appear in the output of the show-running command, because it is the default. If a specific VRF is configured, the show-running command output lists the VRF for each server.

      Important: The current CFS distribution does not support VRF. If CFS distribution is enabled, then the logging server configured with the default VRF will be distributed as the management VRF.

  3. (Optional) Remove the logging server for the specified host:

     switch(config)# no logging server host

  4. (Optional) Display the syslog server configuration:

     switch# show logging server

  5. (Optional) Copy the running configuration to the startup configuration:

     switch# copy running-config startup-config

Example

switch# configure terminal

switch(config)# logging server 172.28.254.254 5 use-vrf mgmt0 facility local3

If you have a UNIX or Linux system, see the vendor documentation Configuring syslog on a UNIX or Linux System.

Plugin Enablement

The Cisco Nexus plugin automatically processes all messages whose syslog tag matches the regular expression:

"(#|%)(AAA|AAM|ACL|ACLLOG|ACLMGR|ACLQOS|ACLTCAM|AM|ARP|ASCII|ATIMERS|BGP|BIOS_DAEMON|BOOTUP_TEST|BOOTVAR|CALLHOME|CDP|CERT_ENROLL|CFS|CIMSRVPROV|CLIS|CLOUD|CLUSTER|CMPPROXY|COPP|CORE|CREDITMON|CTS|DEBUGPROXY|DEVICE|DEVICE_TEST|DEV_LOG|DFTM|DHCP_SNOOP|DIAGCLIENT|DIAGMGR|DIAG_PORT_LB|DMM|DOT1X|DPP_DEBUG|DPVM|DSTATS|EIGRP|ELTM|ELTMC|EOU|EPP|ETH|ETHPORT|ETH_PORT_CHANNEL|ETH_PORT_SEC|EUREKA_USD|EVMC|EVMS|EXCEPTIONLOG|FC|FCC|FCC_LC|FCD|FCDD|FCDDH|FCDOMAIN|FCFWD|FCNS|FCS|FCSP|FDMI|FEATURE|FICON|FLOGI|FS|FSCM|FSPF|FWM|GLBP|HEAP|HSRP_ENGINE|ICMPv6|IGMP|IKE|ILC|ILC_HELPER|IM|IMAGE_DNLD|IMAGE_UPGRADE|INTERFACE_VLAN|IOA_LC|IP|IPACL|IPFC|IPQOSMGR|IPS|IPSEC|IPS_SB_MGR|IPv6|IPV6|ISAPI|ISIS|ISNS|IVR|KSINK|L2FM|L2FMC|L2MCAST|L3VM|LACP|LC|LC_CFG|LC_PORT_CHANNEL|LC_PORT_MGR|LC_RDL|LIBBASE_SVC|LIBGD|LICMGR|LLDP|M6RIB|MAC|MCAST|MCECTEST|MCM|MFDM|MODULE|MONITOR|MRIB|MSDP|NFM|NFP|NPC|NPV|NTP|NVP|OC_USD|ORI_MAC|OSPF|OTM|PHY_USD|PIM|PIM6|PIXM|PIXMC|PLATFORM|PLOG|PLOG_SUP|PM|PMALLOC|PORT|PORT_CHANNEL|PORTPROFILE|PORT_SECURITY|PPM|PRIVATE_VLAN|PROC_MGR|PSS|PT|QOS|RADIUS|RDL|REGEX|RES_MGR|RIB|RIP|RLIR|RM|RPM|RSCN|SAL|SAN_EXT_TUNER|SCHEDULER|SCSI|SDV|SECURITYD|SENSOR_USD|SESSION|SFC|SFM|SKSD|SKT_USD|SLAB_LIB|SME_CPP|SMM|SNMPD|SPAN|SPI|STP|SVC|SVC_BATTERY|SYSLOG|SYSMGR|SYSTEMHEALTH|SYSWRAP_LIB|TACACS|TCAP|TCP|TLPORT|TPC|TSP|TTYD|TUNNEL|TX|U6RIB|UDLD|UFDM|URIB|VDC_MGR|VEC|VEDB_MGR|VES|VFC|VIM|VLAN_MGR|VNI|VOMD|VPC|VPM|VRRP|VRRP_CFG|VRRP_ENG|VSAN|VSD|VSHD|WWN|XBAR|XBAR_CLIENT|XMLMA|XMLSA|ZONE)"
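The following is an added example, not AlienVault or Cisco code, for checking sample switch logs against both the configured severity-level and the tag expression above. It assumes the NX-OS tag layout %FACILITY-SEVERITY-MNEMONIC, that the switch forwards only messages at or numerically below the configured level, and that the expression is applied at the start of the tag; the function names, the shortened facility list and the log lines are constructed for illustration.

```python
import re
from collections import Counter

# Excerpt of the facility alternation from the tag expression above (assumption:
# shortened for readability; paste the full list from the page for a real check).
TAG_FACILITIES = "AAA|ACLLOG|ETH|ETHPORT|SECURITYD|STP|SYSMGR|TACACS|VPC|VSHD"
PLUGIN_TAG = re.compile("(#|%)(" + TAG_FACILITIES + ")")

# NX-OS message tag layout: %FACILITY-SEVERITY-MNEMONIC, severity 0 (worst) to 7.
NXOS_TAG = re.compile(r"[#%](?P<facility>[A-Za-z0-9_]+)-(?P<severity>[0-7])-[A-Z0-9_]+")

# Constructed sample lines, not captured from a real switch.
SAMPLE_LINES = [
    "2024 Jan 10 12:00:01 nx1 %ETHPORT-5-IF_DOWN_LINK_FAILURE: Interface Ethernet1/1 is down (Link failure)",
    "2024 Jan 10 12:00:02 nx1 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on 192.0.2.10@pts/0",
    "2024 Jan 10 12:00:03 nx1 %ACLLOG-6-ACLLOG_FLOW_INTERVAL: Src IP: 192.0.2.10, Dst IP: 198.51.100.7",
    "2024 Jan 10 12:00:04 nx1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin",
    "2024 Jan 10 12:00:05 nx1 last message repeated 2 times",
]


def triage(line, severity_level):
    """Say what happens to one line when 'logging server' uses severity_level."""
    tag = NXOS_TAG.search(line)
    if tag is None:
        return "no-tag"               # nothing for the plugin expression to match
    if int(tag["severity"]) > severity_level:
        return "filtered-by-switch"   # less severe than the configured level
    if PLUGIN_TAG.match(line, tag.start()) is None:
        return "unmatched-by-plugin"  # facility is not in the alternation
    return "processed"


def coverage(lines, severity_level):
    """Count verdicts so gaps show up before the sensor is relied on."""
    return Counter(triage(line, severity_level) for line in lines)


if __name__ == "__main__":
    for level in (5, 6):  # 5 is the level used in the page's example command
        print(level, dict(coverage(SAMPLE_LINES, level)))
```

With the level of 5 used in the page's example command, the severity-6 ACLLOG line never leaves the switch, while the AUTHPRIV line is forwarded but its facility does not appear in the tag expression.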

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • destination_address
  • destination_port
  • event_description
  • event_name
  • source_address
  • source_port
  • source_username

Troubleshooting

For troubleshooting, refer to the vendor documentation:

http://docwiki.cisco.com/wiki/Cisco_Nexus_7000_Series_NX-OS_Troubleshooting_Guide