Cisco syslog incidents are not being created in SSIM

Created: 03 Sep 2013 | 4 comments

Hi,

Recently we implemented Kiwi Syslog Server with SSIM.

The syslog server contains logs of all routers and switches. We are able to see the events in SSIM with severity id "1 Information".

But incidents are not being created for those syslogs.

Please suggest which rules are referred to for creating incidents in SSIM for Cisco router logs.

Thanks.


lukaszfr's picture

Hi,

If you want to correlate events from Cisco devices, you need to use the Event Collector for Cisco IOS or another collector that offers detailed parsing for Cisco syslog messages.
Are you using the Event Collector for Kiwi now?

Regards

Murali krishna's picture

Hi,

Can SSIM correlate logs like the ones below?

Sep 4 12:03:15 10.2.154.3 Kiwi_Syslog_Server Original Address=10.x.x.x 75498: Sep 4 11:52:35 IST: %BGP-3-NOTIFICATION: received from neighbor 10.x.x.x 2/3 (BGP identifier wrong) 0 bytes
 
Sep 4 12:03:15 10.2.0.29 Kiwi_Syslog_Server Original Address=10.x.x.x 581: 02:27:02: %AUTHMGR-5-START: Starting 'dot1x' for client (4061.8629.10b1) on Interface Fa0/1
 
Sep 4 12:03:15 10.1.120.19 Kiwi_Syslog_Server Original Address=10.x.x.x 370: Sep 4 06:22:36.807: %DOT1X-5-FAIL: Authentication failed for client (6431.50b9.c6f4) on Interface Fa0/22 AuditSessionID 0A017813000000010000ACD9
 
Sep 4 12:03:15 10.1.29.19 Kiwi_Syslog_Server Original Address=10.x.x.x 4232: Sep 4 06:22:34.891: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.732e.9983) on Interface Fa0/23
 
Sep 4 12:03:15 10.1.24.19 Kiwi_Syslog_Server Original Address=10.x.x.x 2391: 06:31:31: %ENVIRONMENT-3-RPS_FAILED: Faulty internal power supply detected

Avkash K's picture

SSIM will correlate the logs based on the correlation rules written by you.

As suggested by antilles, please use the relevant collector, if available, for parsing the logs.

If one is not available, you need to write correlation rules as per your need using the syslog message only.

Regards,

Avkash K
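
Added example (not part of the thread, and not SSIM rule syntax or collector code): a standalone Python sketch of the field extraction that the replies say correlation depends on, run over the five forwarded lines posted above. The field names, the severity threshold of 3 and the per-port 802.1X failure count are assumptions chosen for illustration.

```python
import re
from collections import Counter

# The five forwarded lines posted in the thread (addresses are masked there).
SAMPLE = [
    "Sep 4 12:03:15 10.2.154.3 Kiwi_Syslog_Server Original Address=10.x.x.x 75498: Sep 4 11:52:35 IST: %BGP-3-NOTIFICATION: received from neighbor 10.x.x.x 2/3 (BGP identifier wrong) 0 bytes",
    "Sep 4 12:03:15 10.2.0.29 Kiwi_Syslog_Server Original Address=10.x.x.x 581: 02:27:02: %AUTHMGR-5-START: Starting 'dot1x' for client (4061.8629.10b1) on Interface Fa0/1",
    "Sep 4 12:03:15 10.1.120.19 Kiwi_Syslog_Server Original Address=10.x.x.x 370: Sep 4 06:22:36.807: %DOT1X-5-FAIL: Authentication failed for client (6431.50b9.c6f4) on Interface Fa0/22 AuditSessionID 0A017813000000010000ACD9",
    "Sep 4 12:03:15 10.1.29.19 Kiwi_Syslog_Server Original Address=10.x.x.x 4232: Sep 4 06:22:34.891: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.732e.9983) on Interface Fa0/23",
    "Sep 4 12:03:15 10.1.24.19 Kiwi_Syslog_Server Original Address=10.x.x.x 2391: 06:31:31: %ENVIRONMENT-3-RPS_FAILED: Faulty internal power supply detected",
]

# <received> <host> Kiwi_Syslog_Server Original Address=<ip> <seq>: <device time>: %FAC-SEV-MNEMONIC: text
LINE_RE = re.compile(
    r"^(?P<received>\w{3}\s+\d+\s[\d:]+)\s(?P<header_host>\S+)\sKiwi_Syslog_Server\s"
    r"Original Address=(?P<origin>\S+)\s(?P<seq>\d+):\s(?P<device_time>.*?):\s"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s(?P<text>.*)$"
)

def parse_line(line):
    """Return the fields of one forwarded Cisco message, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["severity"] = int(event["severity"])  # Cisco scale: 0 = emergency ... 7 = debug
    return event

def triage(lines, threshold=3):
    """Return (urgent message ids, 802.1X failures per (host, port), unparsed lines)."""
    urgent, failures, unparsed = [], Counter(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)  # keep what the pattern missed so gaps stay visible
            continue
        if ev["severity"] <= threshold:  # threshold is an assumed cut-off, not an SSIM default
            urgent.append(f'{ev["facility"]}-{ev["severity"]}-{ev["mnemonic"]}')
        if (ev["facility"], ev["mnemonic"]) == ("DOT1X", "FAIL"):
            port = re.search(r"on Interface (\S+)", ev["text"])
            failures[(ev["header_host"], port.group(1) if port else "?")] += 1
    return urgent, failures, unparsed

if __name__ == "__main__":
    # The extra line is constructed to show how non-matching input is reported.
    urgent, failures, unparsed = triage(SAMPLE + ["constructed line that is not Cisco format"])
    print(urgent, dict(failures), unparsed)
```
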