Configuring Cisco Syslogs
Syslog traffic must be configured to arrive at the TOS Aurora cluster that monitors the device (see Sending Additional Information via Syslog).
Cisco-Specific Syslog Notes
- For switches, SecureTrack associates syslogs with their source device only by IP address. Therefore, accountability information for switches will be incorrect if the syslogs are sent from an IP address other than the one monitored by SecureTrack.
- For Cisco devices, a logging string is used to map a syslog message to a Device ID. If the logging string is not mapped, there is a fallback mechanism that maps the log message to the source IP of the packet. This mechanism does not work if the log message is sent via a syslog server because the syslog source-IP would be that of the syslog server and not that of the monitored device.
- If the logging string is changed from “A” to “B”, SecureTrack cannot recognize logs by their contents until a new revision is received. During the period of time before the new revision arrives, the source-IP fallback allows SecureTrack to correctly recognize the device that sent the logs, provided that the syslog server is not used.
- To use syslog server forwarding, ensure the following:
  - The syslog server does not modify the message content
  - The device is configured with the logging host
  - A revision has been received by the current logging host
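
The attribution rules in the notes above, modelled as an added Python example. This is not SecureTrack code: the `Device` record, the `attribute` function, the addresses, the logging strings `FW-A`/`FW-B` and the sample log lines are all constructed assumptions. It shows which combinations of relay use and logging-string change leave a syslog without a device.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Simplified model of the attribution rules described in the notes.
# All names, addresses and log lines below are constructed for illustration.
@dataclass
class Device:
    device_id: str
    monitored_ip: str
    logging_string: Optional[str]  # string known from the latest revision; None for a switch

RELAY_IP = "192.0.2.99"  # hypothetical syslog server that forwards messages
DEVICES = [
    Device("asa-1", "192.0.2.10", "FW-A"),
    Device("switch-1", "192.0.2.20", None),
]

def attribute(message: str, source_ip: str, devices: list[Device]) -> Optional[str]:
    """Return the device_id a syslog is attributed to, or None if no rule matches."""
    tokens = message.split()
    # Rule 1: match on content, using the logging string mapped to a Device ID.
    for d in devices:
        if d.logging_string and d.logging_string in tokens:
            return d.device_id
    # Rule 2 (fallback): match the packet's source IP against the monitored IP.
    for d in devices:
        if d.monitored_ip == source_ip:
            return d.device_id
    return None

def run_cases() -> dict[str, Optional[str]]:
    old = "<166>Jan 01 10:00:00 FW-A : %ASA-6-302013: Built outbound TCP connection"
    new = old.replace("FW-A", "FW-B")  # string changed on the device, no new revision yet
    sw = "<189>Jan 01 10:00:00: %SYS-5-CONFIG_I: Configured from console"
    return {
        "direct, mapped string": attribute(old, "192.0.2.10", DEVICES),
        "relayed, mapped string": attribute(old, RELAY_IP, DEVICES),
        "direct, changed string": attribute(new, "192.0.2.10", DEVICES),
        "relayed, changed string": attribute(new, RELAY_IP, DEVICES),
        "switch, monitored IP": attribute(sw, "192.0.2.20", DEVICES),
        "switch, other source IP": attribute(sw, "192.0.2.21", DEVICES),
    }

if __name__ == "__main__":
    for case, device in run_cases().items():
        print(f"{case:26} -> {device}")
```

In this model only two cases come back unattributed: a changed logging string arriving through the relay, and a switch sending from an address other than its monitored one.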