How to audit Cisco devices with Netwrix Auditor 7.0 and above

This article explains how to configure Netwrix Auditor to audit Cisco devices and access Cisco reports in a web browser.
KB1717 | Last review: May 27, 2016 | Netwrix Auditor for Windows Server | Netwrix Auditor 7.0 and above

The Syslog – Cisco platform can audit a single device, all devices in a specified IP address range, or a list of IP addresses imported from a text file (the Cisco Syslog ASA 8.0 specification is supported). This article provides step-by-step instructions for auditing Cisco devices with Netwrix Auditor:

  1. Download the Syslog pack and unzip it on the computer where Netwrix Auditor Administrator Console is installed.
Note: close Netwrix Auditor Administrator Console before you start.
  2. Review the table below and move the files and folders from the unzipped Syslog pack to the following locations on the computer where Netwrix Auditor Administrator Console is installed:
  • 155 (folder): C:\ProgramData\Netwrix Auditor\Event Log Management\Syslog\Rules
  • Options.xml (file): C:\ProgramData\Netwrix Auditor\Event Log Management\Syslog
  • Platforms.xml (file): navigate to C:\ProgramData\Netwrix Auditor\Management Console, create a new folder named Platform Collection, and place the file there
  • Cisco Syslog Pack for Netwrix Auditor\Reports\Netwrix Auditor for Event Log\Change Reports: copy the Implicit folder and the following files to C:\ProgramData\Netwrix Auditor\Reports\Netwrix Auditor for Event Log\Change Reports:
      All Events by Device.rdl
      Auth Events by User.rdl
      Commands executed by User.rdl
      Configuration operations.rdl
Note: while copying, do not replace the default MessageDetails.rdl file if it already exists on the computer where Netwrix Auditor Administrator Console is installed.
  3. Restart the following services:
  • Netwrix Auditor Archive Service
  • Netwrix Auditor Syslog Agent (for Netwrix Auditor 7.0 and 7.1) or Netwrix Auditor Syslog Audit Service (for Netwrix Auditor 8.0)
  4. Reopen Netwrix Auditor Administrator Console and create a Managed Object for auditing Event Log.
           Review the following notes on Managed Object creation (step name: configuration procedure):
  • Audit Database Settings: do not select the Make audit data available via summary emails only checkbox.
  • Add Items to Computer Collection: click Add and add your Cisco devices to the Computer Collection. Specify the IP address (preferred) or DNS name of the device and click Next. You can also specify an IP range.
  • Configure Audit Archiving Filters: select only the All Syslog Generic Events inclusive filter.
  5. Depending on the Netwrix Auditor version, navigate to one of the following locations:
  • Netwrix Auditor 7.0: Settings -> Long-Term Archive
  • Netwrix Auditor 7.1 and above: Audit Archive -> Audit Database
Now you can configure your Cisco devices to forward syslog messages to the IP address of the computer where Netwrix Auditor Administrator Console is installed. See the Cisco technical article referenced in the Links section at the end of this article for details.
To access Cisco reports in a web browser, do the following:
  1. Depending on the Netwrix Auditor version, navigate to one of the following locations:
  • Netwrix Auditor 7.0: Settings -> Long-Term Archive
  • Netwrix Auditor 7.1 and above: Audit Archive -> Audit Database
  2. Go to your Report Manager URL. In the Home folder, navigate to Netwrix Auditor -> Netwrix Auditor for Event Logs -> Change Reports
  3. Review the available reports:
  • All Events by Device—Similar to the All Events by Computer report. The following filters are available: Device, User Name, Date From, Date To, ASA/PIX code, Severity, Class. Sort by: Date, User Name, ASA/PIX Code, Severity, Class.
  • Auth Events by User—Shows all messages of the Auth class grouped by user.
  • Commands executed by Users—Shows the commands executed by users.
  • Configuration operations—Shows operations on the configuration, such as reading from the device, writing to the device, erasing, etc.
Note: To resolve any issues related to auditing Cisco devices with Netwrix Auditor, provide the following information to the Netwrix Support team:
  •  C:\ProgramData\Netwrix Auditor\Event Log Management\Syslog\Junk
  •  C:\ProgramData\Netwrix Auditor\Event Log Management\Syslog\Data\<Managed Object>\<Device>\
  •  C:\ProgramData\Netwrix Auditor\Data\Logs\<Managed Object>\<Device>\
  •  Screenshot of the report with issue

How to use the Syslog – Cisco platform:

The current version of the Syslog – Cisco platform implements two levels of event detail:
  • Level 1: the entire syslog message is parsed and each parameter of the message is stored in its own database field.
  • Level 2: only the header of the syslog message is parsed; the message body is stored unparsed as a single string.
Example:

Level 1 syslog message:
Mar 19 2013 13:45:06: %ASA-6-113004: AAA user authentication Successful : server = 10.12.34.12 : user = JohnnyCage

Level 2 syslog message:
Mar 19 2013 08:12:51: %ASA-6-716002: Group User IP <173.25.1.23> VPN session terminated: User Requested.

Field            Level 1                                  Level 2
IS01 (time)      Mar 19 2013 13:45:06                     Mar 19 2013 08:12:51
IS02 (mnemonic)  ASA                                      ASA
IS03 (severity)  6                                        6
IS04 (class)     113                                      716
IS05 (code)      004                                      002
IS06 (message)   the text after the header (see above)    the text after the header (see above)
IS07             authentication                           -
IS08             10.12.34.12                              -
IS09             JohnnyCage                               -
IS10             -                                        -
As the example shows, the Level 2 message keeps the IP address <173.25.1.23> and the termination reason (User Requested) inside the unparsed message text (IS06); they are not extracted into fields of their own, because code 716002 does not belong to one of the fully parsed classes.
  1. Level 1: the current implementation fully parses the following ASA classes (ASA 8.0 Specification):
  • Auth – User Authentication – ASA/PIX codes 109001-109038, 113001-113025
  • Config – Command Interface – ASA/PIX codes 111001-111010, 112001, 208005, 308001-308002
  2. Level 2: all other messages.

Notes:

  1. Syslog messages from real devices may differ from the official Cisco Syslog Specification, so some messages can be parsed incorrectly. For example:
The event as defined in the Cisco Syslog Specification:
%PIX|ASA-6-113005: AAA user authentication Rejected: reason = string: server = server_IP_address, User = user
The event from a real device:
%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.7.12.35 : user = SlPe2
The differences: the real device puts a space before each colon, separates the server and user parameters with a colon instead of a comma, and writes the key as user rather than User.
To resolve any issues, the following data is required:
  • C:\ProgramData\Netwrix\Event Log Manager\Syslog\Junk
  • C:\ProgramData\Netwrix\Event Log Manager\Syslog\Data\<Managed Object>\<Device>\
  • C:\ProgramData\Netwrix\Management Console\Data\Logs\<Managed Object>\<Device>\
  • Screenshot of the report with issue
  2. The Syslog – Cisco platform requires that every syslog message contains a timestamp. For example:
Mar 19 2013 08:13:36: %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.7.12.35 : user = SlPe2
To enable timestamps in syslog messages, refer to the Cisco documentation for your device. For example: http://maddhat.com/configure-syslog-forwarding-on-asa5510
Command: logging timestamp
  3. The Syslog – Cisco platform stores two timestamps for each syslog message:
  • the time at which the Syslog Agent received the message (stored in the “Events” table)
  • the time carried inside the syslog message itself, i.e. the device's own clock (stored in the “Insertionstrings” table)
For performance reasons (report execution time), report filtering is available only for the first timestamp, which does not always reflect the time the event actually occurred on the device. When you filter a report for an incident window, allow for the delay between the device timestamp and the receive time.
To compare the original (second) timestamp with the first one shown in the report, drill down through the link in the report's date field to open the message details.
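The following Python script is an added example, not code from this article or from Netwrix; it shows in runnable form what the two levels of detail, the spec-versus-device differences and the timestamp notes above describe. It parses the ASA header into IS01..IS06, fills IS07..IS10 only for the Auth and Config code ranges listed as Level 1 (the slot order IS07 = action or command, IS08 = server, IS09 = user, IS10 = reason follows the 113004 example; the Config slots are an assumption), accepts both the specification's and the real device's separators, rejects a line that arrives without a timestamp, and keeps the agent's receive time beside the device time so the lag between them is visible. The sample lines and receive times are constructed; the 111008 message format is assumed from Cisco's ASA documentation, not from this article.

```python
import re
from datetime import datetime

# Header of an ASA syslog line as shown in this article:
#   "Mar 19 2013 13:45:06: %ASA-6-113004: <message>"
# The device timestamp is mandatory (logging timestamp on the ASA); a line
# without it is rejected instead of parsed, much like the platform moving a
# message it cannot parse to the Junk folder.
HEADER_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]{2} {1,2}\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%(?P<mnemonic>[A-Z]+)-(?P<severity>\d)-(?P<cls>\d{3})(?P<code>\d{3}): (?P<message>.*)$"
)

# ASA/PIX code ranges the article lists as fully parsed (Level 1, ASA 8.0 spec).
LEVEL1_RANGES = {
    "Auth": [(109001, 109038), (113001, 113025)],
    "Config": [(111001, 111010), (112001, 112001), (208005, 208005), (308001, 308002)],
}

# "key = value" pairs inside the message body. Real devices send " : " between
# pairs with lower-case keys; the Cisco specification shows "," and "User".
# Both separators are accepted and keys are normalised to lower case.
KV_RE = re.compile(r"(\w+)\s*=\s*([^:,]+?)\s*(?=[:,]|$)")

# Body of the 111008 command-interface message. Assumption: this format comes
# from Cisco's ASA syslog documentation, not from this article.
CMD_RE = re.compile(r"User '(?P<user>[^']*)' executed the '(?P<cmd>[^']*)' command\.?$")


def level1_class(code6):
    """Return 'Auth' or 'Config' when the 6-digit ASA code is in a Level 1 range, else None."""
    for name, ranges in LEVEL1_RANGES.items():
        if any(lo <= code6 <= hi for lo, hi in ranges):
            return name
    return None


def parse_asa(line, received_at=None):
    """Parse one ASA syslog line into the IS01..IS10 insertion strings.

    IS01..IS06 are the header fields (time, mnemonic, severity, class, code,
    message) for every message. Level 1 messages additionally fill
    IS07 = action or command, IS08 = AAA server, IS09 = user, IS10 = reason.
    Unused slots hold "-". received_at is the agent's receive time and is kept
    apart from the device time so the lag between the two can be inspected.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return {"status": "junk", "raw": line, "reason": "missing timestamp or malformed header"}

    cls_name = level1_class(int(m["cls"] + m["code"]))
    fields = [m["time"], m["mnemonic"], m["severity"], m["cls"], m["code"], m["message"]]
    if cls_name == "Auth":
        # e.g. "AAA user authentication Successful : server = 10.12.34.12 : user = JohnnyCage"
        action = re.match(r"AAA user (\w+)", m["message"])
        kv = {k.lower(): v for k, v in KV_RE.findall(m["message"])}
        fields += [action.group(1) if action else "", kv.get("server", ""),
                   kv.get("user", ""), kv.get("reason", "")]
    elif cls_name == "Config":
        cmd = CMD_RE.match(m["message"])
        fields += [cmd["cmd"] if cmd else "", "", cmd["user"] if cmd else "", ""]
    fields += [""] * (10 - len(fields))  # Level 2: IS07..IS10 stay empty

    device_time = datetime.strptime(m["time"], "%b %d %Y %H:%M:%S")
    return {
        "status": "ok",
        "level": 1 if cls_name else 2,
        "class": cls_name,
        "insertion_strings": {"IS%02d" % i: v or "-" for i, v in enumerate(fields, 1)},
        "device_time": device_time,
        "received_at": received_at,
        "lag_seconds": (received_at - device_time).total_seconds() if received_at else None,
    }


# Constructed sample input: the two messages from the article, the
# specification-style variant of 113005, a 111008 command message, and one
# line sent without "logging timestamp". The receive times are made up.
SAMPLES = [
    ("Mar 19 2013 13:45:06: %ASA-6-113004: AAA user authentication Successful : server = 10.12.34.12 : user = JohnnyCage",
     datetime(2013, 3, 19, 13, 45, 9)),
    ("Mar 19 2013 08:12:51: %ASA-6-716002: Group User IP <173.25.1.23> VPN session terminated: User Requested.",
     datetime(2013, 3, 19, 8, 12, 52)),
    ("Mar 19 2013 08:13:36: %ASA-6-113005: AAA user authentication Rejected: reason = Unspecified: server = 10.7.12.35, User = SlPe2",
     datetime(2013, 3, 19, 8, 13, 36)),
    ("Mar 19 2013 14:02:10: %ASA-5-111008: User 'admin' executed the 'configure terminal' command.",
     datetime(2013, 3, 19, 14, 2, 11)),
    ("%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.7.12.35 : user = SlPe2",
     datetime(2013, 3, 19, 8, 14, 0)),
]


def parse_samples():
    """Parse SAMPLES in order and return the list of results."""
    return [parse_asa(line, rx) for line, rx in SAMPLES]


if __name__ == "__main__":
    for rec in parse_samples():
        if rec["status"] == "junk":
            print("JUNK:", rec["reason"], "|", rec["raw"])
        else:
            print("L%d %-6s lag=%ss" % (rec["level"], rec["class"] or "-", rec["lag_seconds"]),
                  rec["insertion_strings"])
```

Running the script prints one line per sample: the two article messages come out as Level 1 (IS07..IS10 filled) and Level 2 (IS07..IS10 "-") exactly as in the table above, the comma-separated specification form yields the same server and user values as the colon-separated device form, and the final line, which carries no timestamp, is reported as junk rather than silently misparsed.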

Links:

  1. Cisco Syslog specification 8.0:
  2. Products configuration examples: