How to audit Cisco devices with Netwrix Auditor 6.5 and below


The Syslog – Cisco platform allows working with a single device or with devices in a specified IP-address range, and importing a list of IP addresses from a text file (the Cisco Syslog ASA 8.0 specification is supported). This article provides step-by-step instructions on how to audit Cisco devices with Netwrix Auditor:

  1. Download the Syslog pack and unzip it on the computer where the Netwrix Auditor console is installed.
Note: close the Netwrix Auditor console before you start.
  2. Review the table below and move the files and folders from the unzipped Syslog pack to the following locations:
Folder/File name | Computer where Netwrix Auditor console is installed
155 (folder) | C:\ProgramData\Netwrix\Event Log Manager\Syslog\Rules
Options.xml (file) | C:\ProgramData\Netwrix\Event Log Manager\Syslog\
Platforms.xml (file) | C:\ProgramData\NetWrix\Management Console\Platform Collection
Cisco_Syslog_Platform\Cisco Syslog Pack for Netwrix Auditor\Reports\NetWrix Event Log Manager\Best Practice Reports\Syslog\Cisco (copy all files in this folder) | C:\Program Files(x86)\Netwrix\Event Log Manager\Reports\Netwrix Event Log Manager\Change Reports
Cisco_Syslog_Platform\Cisco Syslog Pack for Netwrix Auditor\Reports\NetWrix Event Log Manager\Implicit Folder (copy the entire folder) | C:\Program Files(x86)\Netwrix\Event Log Manager\Reports\Netwrix Event Log Manager\Change Reports
  3. Restart the Netwrix Syslog Agent service.
  4. Reopen the Netwrix Auditor console and create a Managed Object for auditing Event Log.
Review the following notes on Managed Object creation:
Step | Configuration Procedures
Configure Reports Settings | Enable Reports functionality.
Add Items to Computer Collection | Click Add and add your Cisco devices to the Computer Collection. Specify the IP address (preferable) or DNS name of your device and click Next (you can also specify an IP range).
Configure Audit Archiving Filters | Select only the All Syslog Generic Events inclusive filter.
  5. In the Netwrix Auditor console, navigate to Settings -> Audit Archive.
  6. Go to your Report Manager URL. In the Home folder, navigate to Netwrix Auditor -> Netwrix Auditor for Event Logs -> Change Reports. Click the arrow next to the All Events by Device report and select Security.
  7. Select a custom data source.
Note: your data source may vary slightly, but the default database name should be the same.
  8. Make sure that Windows Integrated Security is selected and click Test Connection.
  9. Repeat steps 6-8 for the following reports:
  • Auth Events by User
  • Commands Executed by User
  • Configuration operations
Now you may configure your Cisco devices to forward syslog messages to the IP address of the computer where the Netwrix Auditor Administrator Console is installed. Review the following Cisco technical article for more details.

To access Cisco reports in a web browser, do the following:
  1. In the Netwrix Auditor console, navigate to Settings -> Audit Archive.
  2. Go to your Report Manager URL. In the Home folder, navigate to Netwrix Auditor -> Netwrix Auditor for Event Logs -> Change Reports.
  3. Review available reports:
  • All Events by Device—Similar to the All Events by Computer report. The following filters are available: Device, User Name, Date From, Date To, ASA/PIX code, Severity, Class. Sort by: Date, User Name, ASA/PIX Code, Severity, Class.
  • Auth Events by User—Shows all messages of Auth class grouped by user.
  • Commands executed by Users—Shows commands executed by users.
  • Configuration operations—Shows operations with the configuration, such as reading from the device, writing to the device, erasing, etc.
Note: To resolve any issues related to auditing Cisco devices with Netwrix Auditor, provide the following information to the Netwrix Support team:
  • C:\ProgramData\Netwrix\Event Log Manager\Syslog\Junk
  • C:\ProgramData\Netwrix\Event Log Manager\Syslog\Data\<Managed Object>\<Device>
  • C:\ProgramData\NetWrix\Management Console\Data\Logs\<Managed Object>\<Device>
  • Screenshot of the report with issue

How to use the Syslog – Cisco platform:

The current version of the Syslog – Cisco platform implements two levels of event detail:
  • Level 1: The entire syslog message is fully parsed and each parameter of the syslog message is stored in an individual cell in the database.
  • Level 2: Only the header of the syslog message is parsed; the message body itself is stored unparsed as a single value.
Example:
Field | Level 1 | Level 2
Syslog Message | Mar 19 2013 13:45:06: %ASA-6-113004: AAA user authentication Successful : server = 10.12.34.12 : user = JohnnyCage | Mar 19 2013 08:12:51: %ASA-6-716002: Group User IP <173.25.1.23> VPN session terminated: User Requested.
IS01 (time) | Mar 19 2013 13:45:06 | Mar 19 2013 08:12:51
IS02 (mnemonic) | ASA | ASA
IS03 (severity) | 6 | 6
IS04 (class) | 113 | 716
IS05 (code) | 004 | 002
IS06 (message) | AAA user authentication Successful : server = 10.12.34.12 : user = JohnnyCage | Group User IP <173.25.1.23> VPN session terminated: User Requested.
IS07 | authentication | -
IS08 | 10.12.34.12 | -
IS09 | JohnnyCage | -
IS10 | - | -
As the example shows, for the Level 2 message the program parses neither the IP address nor the reason for the VPN session termination; they remain inside the unparsed message text.
  1. Level 1: The current implementation supports full parsing of the following ASA classes (ASA 8.0 specification):
  • Auth – User Authentication – ASA/PIX codes 109001-109038, 113001-113025
  • Config – Command Interface – ASA/PIX codes 111001-111010, 112001, 208005, 308001-308002
  2. Level 2: All other messages.

Notes:

  1. The syslog messages of different devices may differ from the official Cisco Syslog Specification. As a result, those messages can be parsed incorrectly. For example:
The event from the Cisco Syslog Specification:
%PIX|ASA-6-113005: AAA user authentication Rejected: reason = string: server = server_IP_address, User = user
The event from the real device:
%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.7.12.35 : user = SlPe2
Note the differences: the separators between parameters (commas and colons, with or without surrounding spaces) and the case of the user parameter name.
To resolve any issues, the following data is required:
  • C:\ProgramData\Netwrix\Event Log Manager\Syslog\Junk
  • C:\ProgramData\Netwrix\Event Log Manager\Syslog\Data\<Managed Object>\<Device>\
  • C:\ProgramData\Netwrix\Management Console\Data\Logs\<Managed Object>\<Device>\
  • Screenshot of the report with issue
  2. The Cisco – Syslog platform requires that all syslog messages contain a timestamp. For example:
Mar 19 2013 08:13:36: %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.7.12.35 : user = SlPe2
To enable timestamps in syslog messages, refer to the Cisco documentation for your device. For example: http://maddhat.com/configure-syslog-forwarding-on-asa5510
Command: logging timestamp
  3. The Cisco – Syslog platform stores two timestamps for each syslog message:
  • The first is the time when the Syslog Agent receives the syslog message (stored in the “Events” table).
  • The second is the timestamp contained inside the syslog message itself (stored in the “Insertionstrings” table).
For performance reasons (report execution time), filtering is enabled only for the first timestamp, which does not always reflect the real event timestamp.
You may compare the original (second) timestamp with the (first) timestamp displayed in the report by drilling down through the link in the date field of the report to see the message details.
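The two-level parsing described above (header fields IS01-IS06, with the Auth parameters split out only for Level 1 classes) and the separator and timestamp caveats in notes 1 and 2, as an added Python example that is not Netwrix's parser: the header layout and the IS07-IS09 assignment follow the page's example table, while the IS10 = reason slot and the class list used to decide Level 1 are assumptions.

```python
import re
from typing import Optional

# Header layout taken from the page's examples:
# "Mar 19 2013 13:45:06: %ASA-6-113004: AAA user authentication Successful : server = ... : user = ..."
HEADER_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]{2} {1,2}\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%(?P<mnemonic>ASA|PIX)-(?P<severity>[0-7])-(?P<cls>\d{3})(?P<code>\d{3}): (?P<message>.*)$"
)
# Classes the page lists as Level 1 (Auth and Config, ASA 8.0 specification); assumed to be exhaustive here
LEVEL1_CLASSES = {"109", "113", "111", "112", "208", "308"}
# "key = value" pairs: the spec separates them with ',' while a real device may use ' : ',
# so both separators are accepted and keys are lower-cased ("User" vs "user").
PARAM_RE = re.compile(r"(?P<key>[A-Za-z_]+)\s*=\s*(?P<val>[^:,]*?)\s*(?=[:,]|$)")
OP_RE = re.compile(r"^AAA user (?P<op>\w+)")  # "authentication" -> IS07 (mapping assumed from the example)


def parse_syslog(line: str) -> Optional[dict]:
    """Return the IS01..IS10 cells for one message, or None when the required timestamp is missing."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None  # no timestamp or malformed header: the platform cannot store such a message
    rec = {"IS01": m["time"], "IS02": m["mnemonic"], "IS03": m["severity"],
           "IS04": m["cls"], "IS05": m["code"], "IS06": m["message"],
           "IS07": "-", "IS08": "-", "IS09": "-", "IS10": "-", "level": 2}
    if m["cls"] not in LEVEL1_CLASSES:
        return rec  # Level 2: header only, body kept unparsed in IS06
    rec["level"] = 1
    params = {k.lower(): v for k, v in PARAM_RE.findall(m["message"])}
    op = OP_RE.match(m["message"])
    rec["IS07"] = op["op"] if op else "-"
    rec["IS08"] = params.get("server", "-")
    rec["IS09"] = params.get("user", "-")
    rec["IS10"] = params.get("reason", "-")  # assumed slot; the page leaves IS10 empty in its example
    return rec
```

Feeding the page's two example messages produces the same IS01-IS09 cells as the table above; a message without the leading timestamp is rejected rather than mis-parsed.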

Links:

  1. Cisco Syslog specification 8.0:
  2. Products configuration examples: