Critical System Protection

  • 1.  Cisco 2960 switch logs to SCSP

    Posted Dec 14, 2011 09:37 AM

    Is there a way to send my Cisco 2960 logs to the SCSP server? I have a requirement to send audit logs from my switches to a syslog server. I know that SCSP is not a syslog server, but is there a way to capture logs and review them?

     

    If not, does anyone know of a low-cost solution (Symantec) that is bare bones for network auditing? The Symantec security manager is 20k and for 3 switches, that is very pricey.

     

    I just need to capture logs and review them.

     

    V/R

     

    Thanks in advance,

     

    Derek



  • 2.  RE: Cisco 2960 switch logs to SCSP

    Posted Dec 14, 2011 01:38 PM

    What you can do is set up a syslog server, and have the events from the Cisco device sent to the syslog server.  Then have the SCSP agent monitor the syslog and match event patterns within the log for certain strings which would trigger events that are sent to the SCSP manager.  You can also use variables, so you can capture non-static info like the device name if you are sending events to the syslog server from multiple devices.

    If you are using a syslog server on Windows, base your policy off the Windows Template Policy, then add and configure a custom Text Log rule.  Use the UNIX Template Policy if you are hosting the syslog server on a UNIX machine.

    See Appendix C "Virtual Agent Examples" (Pg 265) of the Symantec™ Critical System Protection Administration Guide (attached) for details on how to set this up. 

     

    Attachment: scspadmn.pdf (2.28 MB)
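
The pattern-matching step described in reply 2, sketched as an added example (not part of the original thread, and not SCSP policy syntax): a Python matcher that reads syslog text, raises events only for audit-relevant Cisco IOS messages, and captures the sending device as a variable. The log lines, host names, and the assumption that the syslog server writes the device name after the timestamp are constructed for illustration.

```python
import re

# Constructed sample: lines as a syslog server might write them for Cisco IOS
# messages (timestamp, sending device, then the %FACILITY-SEVERITY-MNEMONIC body).
SAMPLE_LOG = """\
Dec 14 13:02:11 sw-access-01 45: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
Dec 14 13:05:40 sw-access-02 46: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: test] [Source: 192.0.2.55] [localport: 22] [Reason: Login Authentication Failed] at 13:05:40 UTC Wed Dec 14 2011
Dec 14 13:06:02 sw-access-01 47: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
Dec 14 13:07:19 sw-core-01 48: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.10] [localport: 22] at 13:07:19 UTC Wed Dec 14 2011
not a syslog line
"""

# Header pattern; the named group "device" is the variable that records which
# switch sent the event when several devices log to the same file.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<device>\S+) "
    r".*?%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
LOGIN_RE = re.compile(r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<source>[^\]]+)\]")
CONFIG_RE = re.compile(r"by (?P<user>\S+) on \S+(?: \((?P<source>[^)]+)\))?")

# Messages treated as audit events here; everything else is ignored.
RULES = {
    ("SYS", "CONFIG_I"): ("config-change", CONFIG_RE),
    ("SEC_LOGIN", "LOGIN_FAILED"): ("login-failed", LOGIN_RE),
    ("SEC_LOGIN", "LOGIN_SUCCESS"): ("login-success", LOGIN_RE),
}

def match_events(log_text):
    """Return one dict per log line that matches an audit rule."""
    events = []
    for line in log_text.splitlines():
        header = LINE_RE.match(line)
        if not header:
            continue  # malformed line or not a Cisco IOS message
        rule = RULES.get((header["facility"], header["mnemonic"]))
        if not rule:
            continue  # e.g. link up/down, not an audit event in this rule set
        name, detail_re = rule
        detail = detail_re.search(header["text"])
        events.append({
            "time": header["ts"], "device": header["device"], "event": name,
            "severity": int(header["severity"]),
            "user": detail["user"] if detail else None,
            "source": detail["source"] if detail else None,
        })
    return events
```

Calling `match_events(SAMPLE_LOG)` returns three events (the configuration change and the two login messages) and skips the link-state line and the malformed line.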


  • 3.  RE: Cisco 2960 switch logs to SCSP

    Posted Dec 14, 2011 03:30 PM

    Thank you, will check this and report back.