
wrong user name 'cisco(R) IOS collector'

Created: 09 May 2012 | 5 comments

Hi,

log of cisco router:

May 08 17:43:22 1.1.1.1 769079: May  8 17:48:55: %PARSER-5-CFGLOG_LOGGEDCMD: User:xxxxxx  logged command:'_________command________'

but in the event the user name is 'SESUSER'

How do I solve it?


antilles's picture

Hi,

It looks like the collector doesn't have a parsing rule for this type of event.
Cisco devices can generate hundreds of different event types and the collector is focused on security-related events.
As a result, sometimes you will find a few events that weren't parsed correctly or don't have some information translated.

If I remember correctly, this type of event means that a user made some configuration change using the console interface, so I think that this is somehow a security-related event...

You may open a case for this, it should be simple to correct this one.

One more thing, did you run live update for Cisco IOS collector?

Regards

romio28's picture

hi,

I already updated all collectors,

the same problem for this log:

%SYS-5-CONFIG_I: Configured from console by "UserName" on vty0 (10.10.10.10)

I think when some user changes the router configuration, it is a security event!!!

I think it's simple to correct it, but how do I open a case?

Or how can I modify the collector to support this type of log?

thanks.


antilles's picture

I agree with you and that's why I wrote that this kind of event should be considered a security event.

The SYS-5-CONFIG_I event can be misleading because often it's created when a user opens and closes configuration mode (conf t) even if he doesn't make any changes. Maybe newer IOS versions have different behavior but some time ago it worked like that...

You can open a case through the MySupport portal: https://mysupport.symantec.com

Making changes in collector translation rules is possible by modifying the XML configuration files, but you need to know what to look for; it's hard to do it right and very easy to break something.
A better way to do this is to use Collector Studio, however... making changes in Symantec collectors isn't supported, and even if you change a collector, any live update may overwrite your changes.

So I recommend contacting support.
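
For reference, an added example (not Symantec collector code and not posted by anyone in this thread): a Python parser that takes the user name from the message body of the two events quoted above, and lists users whose SYS-5-CONFIG_I event has no logged command in the same batch. The sample lines, user names and function names are constructed for illustration.

```python
import re

# Mnemonic and message body; the syslog header in front of them is ignored.
_MSG = re.compile(r"%(?P<mnemonic>PARSER-5-CFGLOG_LOGGEDCMD|SYS-5-CONFIG_I): (?P<body>.*)$")
_LOGGEDCMD = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<command>.*)$")
_CONFIG_I = re.compile(
    r'Configured from (?P<source>\S+) by (?P<user>"[^"]*"|\S+)'
    r"(?: on (?P<line>\S+))?(?: \((?P<addr>[^)]+)\))?"
)

def parse_config_event(raw):
    """Return a dict for the two config-change messages, None for anything else."""
    m = _MSG.search(raw)
    if not m:
        return None
    pattern = _LOGGEDCMD if m["mnemonic"].startswith("PARSER") else _CONFIG_I
    fields = pattern.match(m["body"])
    if not fields:
        return None  # known mnemonic but unexpected body: leave for manual review
    event = {"mnemonic": m["mnemonic"], **fields.groupdict()}
    event["user"] = event["user"].strip('"')  # user is quoted in the thread's sample
    if event.get("command"):
        event["command"] = event["command"].strip().strip("'")
    return event

def sessions_without_commands(events):
    """Users with a SYS-5-CONFIG_I event but no logged command in this batch."""
    changed = {e["user"] for e in events if e["mnemonic"].endswith("LOGGEDCMD")}
    return sorted({e["user"] for e in events
                   if e["mnemonic"] == "SYS-5-CONFIG_I" and e["user"] not in changed})

# Constructed sample lines, modelled on the two messages quoted in the thread.
SAMPLE = [
    "May 08 17:43:22 1.1.1.1 769079: May  8 17:48:55: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:'interface Vlan10'",
    'May 08 17:44:01 1.1.1.1 769080: May  8 17:49:34: %SYS-5-CONFIG_I: Configured from console by "alice" on vty0 (10.10.10.10)',
    'May 08 18:02:10 1.1.1.1 769081: May  8 18:07:43: %SYS-5-CONFIG_I: Configured from console by "bob" on vty1 (10.10.10.11)',
]
EVENTS = [e for e in map(parse_config_event, SAMPLE) if e]

if __name__ == "__main__":
    for e in EVENTS:
        print(e)
    print("CONFIG_I without logged commands:", sessions_without_commands(EVENTS))
```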

romio28's picture

Thanks for the help.

Where can I download Collector Studio?

I have looked everywhere, but I can't find it :( , somebody can give me the link.

Avkash K's picture

Hi,


Collector Studio is not available for download to customers. This is reserved for certified partners only.

If you are a certified partner you can go here : Article URL http://www.symantec.com/docs/HOWTO42218

Regards,

Avkash K