Configuring Cisco Syslogs

To monitor with full accountability, your Cisco devices must send syslogs to SecureTrack. To do this, define SecureTrack as a syslog server for each monitored Cisco switch, router, and firewall.

Syslog traffic must be configured to arrive at the SecureTrack server that monitors the device (Central Server, Distribution Server or Remote Collector Server) from the IP and/or host name of the device.

For more information see Sending Additional Information via Syslog.

Certain devices can also use syslogs to collect traffic information that you can use for the Automatic Policy Generator (APG).

The firewalls in the organization must be configured to allow the relevant traffic.

For switches, SecureTrack associates syslogs with their source device only by IP address. Therefore, accountability information for switches will be incorrect if the syslogs are sent from an IP address other than the one monitored by SecureTrack.

For Cisco devices, a logging string is used to map a syslog message to a Device ID. If the logging string is not mapped, there is a fallback mechanism that maps the log message to the source IP of the packet. This mechanism does not work if the log message is sent via a syslog server because the syslog source-IP would be that of the syslog server and not that of the monitored device.

If the logging string is changed from “A” to “B”, SecureTrack cannot recognize logs by their contents until a new revision is received. During the period of time before the new revision arrives, the source-IP fallback allows SecureTrack to correctly recognize the device that sent the logs, provided that the syslog server is not used.

To use syslog server forwarding, ensure the following:

  • The syslog server does not modify the message content
  • The device is configured with the logging host
  • A revision has been received by the current logging host
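The attribution order described above (logging string first, source-IP fallback second) and the reason the fallback breaks behind a syslog relay, as an added example in Python. This is not SecureTrack's code: the device inventory, the relay address, the log line format and the sample lines are all constructed for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Models the attribution order the page describes: match the logging string in the
# message content first, then fall back to the packet's source IP. Not SecureTrack code.

@dataclass(frozen=True)
class Device:
    device_id: str
    monitored_ip: str    # IP SecureTrack monitors the device on
    logging_string: str  # logging string as of the last received revision

# Constructed inventory and relay address (a real deployment learns these from revisions).
DEVICES = (
    Device("dev-1", "10.0.0.1", "fw-edge-A"),
    Device("dev-2", "10.0.0.2", "rtr-core"),
)
SYSLOG_RELAYS = frozenset({"10.0.0.250"})

BY_LOGGING_STRING = {d.logging_string: d.device_id for d in DEVICES}
BY_IP = {d.monitored_ip: d.device_id for d in DEVICES}

# Constructed line format: "<PRI>SEQ: <logging string>: %FAC-SEV-MNEMONIC: text".
SYSLOG_RE = re.compile(r"^<\d+>\d+: (?P<host>[^:\s]+): %[A-Z0-9_]+-\d-[A-Z0-9_]+: ")

def resolve_device(source_ip: str, line: str) -> Optional[str]:
    """Return the device id a log line is attributed to, or None if it cannot be."""
    m = SYSLOG_RE.match(line)
    logging_string = m.group("host") if m else None
    # 1. Primary: the logging string found in the message content.
    if logging_string in BY_LOGGING_STRING:
        return BY_LOGGING_STRING[logging_string]
    # 2. Fallback: the packet's source IP. A relay's address identifies the relay,
    #    not the device, so a relayed line with an unknown string stays unattributed.
    if source_ip in SYSLOG_RELAYS:
        return None
    return BY_IP.get(source_ip)

# Constructed traffic: (source IP of the UDP packet, syslog line).
SAMPLE_LOGS = [
    ("10.0.0.1",   "<189>101: fw-edge-A: %SYS-5-CONFIG_I: Configured from console by admin"),
    ("10.0.0.1",   "<189>102: fw-edge-B: %SYS-5-CONFIG_I: Configured from console by admin"),  # string renamed, no new revision yet
    ("10.0.0.250", "<189>103: fw-edge-B: %SYS-5-CONFIG_I: Configured from console by admin"),  # same line, but via relay
    ("10.0.0.250", "<189>104: rtr-core: %SYS-5-CONFIG_I: Configured from console by admin"),   # via relay, content unchanged
]

def attribute_all(logs=SAMPLE_LOGS):
    return [(ip, resolve_device(ip, line)) for ip, line in logs]

if __name__ == "__main__":
    for ip, dev in attribute_all():
        print(f"{ip:<12} -> {dev or 'UNATTRIBUTED'}")
```

The second sample line is still attributed correctly through the source-IP fallback; the third, identical in content but relayed, is not, which is the gap the checklist above closes.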