Need help for configuring the logging in Cisco core switch

faizancool85
Path Finder

Hello Guys,

I am trying to get logs like traffic logs (allowed or blocked), ACL logs, etc. from a Cisco core switch, but I am getting only the console logs.
How can I configure the Cisco device to send all logs?

0 Karma

esix_splunk
Splunk Employee

Actually, you need to up the syslog logging trap level for your syslog output on your switches and IOS devices.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configura...

That's a good walkthrough. Depending on your requirements, INFO is default, you probably should up that to WARN or CRIT.

0 Karma

mikaelbje
Motivator

It's actually the other way around. INFORMATIONAL (6) is what you need for ACL and will include levels 6 down to EMERGENCY (0).

So

logging trap informational

Must be configured

0 Karma

faizancool85
Path Finder

Hey Mikaelbje,
Thanks for your reply.
I have enabled logging trap debugging. After doing that, we should get all the logs, right?
But even after doing that, I am still getting the same logs that are shown in the image.

0 Karma

mikaelbje
Motivator

Did you do what I suggested in my answer? See the links below. You don't need debugging, you need informational, and you need to add "log" or "log-input" to the Access Control Entries (ACEs).

0 Karma

mikaelbje
Motivator

You need to suffix "log" or "log-input" to all your ACE entries to get them logged.

log-input will also give you the interface name and is preferred. See http://www.cisco.com/web/about/security/intelligence/acl-logging.html or https://learningnetwork.cisco.com/thread/40835

0 Karma
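An added example, not part of the original thread: a Python check of which messages reach the syslog receiver at a given `logging trap` level, and how ACL hits look once ACEs carry "log" or "log-input". The sample lines are constructed, modeled on the IOS `%FACILITY-SEVERITY-MNEMONIC` format; the ACL names, interfaces and addresses are assumptions.

```python
import re

# Keywords accepted by "logging trap"; list index = numeric severity (0-7).
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mn>[A-Z0-9_]+): (?P<text>.*)")
# ACL hit; the "(interface mac)" group is present only when the ACE uses log-input.
ACL_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \((?P<intf>\S+) (?P<mac>[0-9a-f.]+)\))? -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")

# Constructed sample messages (not captured from a real device).
SAMPLES = [
    "%LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.50)",
    "%SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.7(51512) -> 192.0.2.10(23), 1 packet",
    "%SEC-6-IPACCESSLOGP: list EDGE-IN permitted tcp 198.51.100.9(40022) "
    "(Vlan20 0011.2233.4455) -> 192.0.2.10(22), 3 packets",
]

def forwarded(lines, trap_level):
    """Lines a device would send with 'logging trap <trap_level>':
    everything at that severity number or lower (more severe)."""
    limit = LEVELS.index(trap_level)
    return [l for l in lines
            if (m := MSG_RE.search(l)) and int(m.group("sev")) <= limit]

def acl_hits(lines):
    """Parse ACL log messages into dicts; intf/mac are None without log-input."""
    hits = []
    for line in lines:
        m = MSG_RE.search(line)
        if m and m.group("mn").startswith("IPACCESSLOG"):
            a = ACL_RE.search(m.group("text"))
            if a:
                hits.append(a.groupdict())
    return hits

if __name__ == "__main__":
    for level in ("warnings", "informational"):
        sent = forwarded(SAMPLES, level)
        print(f"{level}: {len(sent)} forwarded, {len(acl_hits(sent))} ACL hits")
```

At the `warnings` level the severity 6 ACL messages never leave the device, which is why a search on the receiver side finds none of them.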