How to audit Cisco devices with Netwrix Auditor 8.5 and below

Event Log Management
7.0-8.5
https://kb.netwrix.com/230

Note: If you have Netwrix Auditor 9.0 and above, use Netwrix Auditor Add-On for Cisco.

The Syslog – Cisco platform can work with a single device, with all devices in a specified IP address range, or with a list of IP addresses imported from a text file (the Cisco Syslog ASA 8.0 specification is supported). This article provides step-by-step instructions on how to audit Cisco devices with Netwrix Auditor:

  1. Download the Syslog pack and unzip it on the computer where Netwrix Auditor Administrator Console is installed.
Note: close Netwrix Auditor Administrator Console before you start.
  2. Move the files and folders from the unzipped Syslog pack to the following locations on the computer where Netwrix Auditor Administrator Console is installed:
  • 155 (folder): C:\ProgramData\Netwrix Auditor\Event Log Management\Syslog\Rules
  • Options.xml (file): C:\ProgramData\Netwrix Auditor\Event Log Management\Syslog
  • Platforms.xml (file): navigate to C:\ProgramData\Netwrix Auditor\Management Console, create a new folder named Platform Collection and place the file in it.
  • Cisco Syslog Pack for Netwrix Auditor\Reports\Netwrix Auditor for Event Log\Change Reports (folder): copy the Implicit folder and the following files to C:\ProgramData\Netwrix Auditor\Reports\Netwrix Auditor for Event Log\Change Reports:
      • All Events by Device.rdl
      • Auth Events by User.rdl
      • Commands executed by User.rdl
      • Configuration operations.rdl
Note: while copying, do not replace the default MessageDetails.rdl file if it already exists on the computer where Netwrix Auditor Administrator Console is installed.
  3. Restart the following services:
  • Netwrix Auditor Archive Service
  • Netwrix Auditor Syslog Agent (for Netwrix Auditor 7.0 and 7.1) or Netwrix Auditor Syslog Audit Service (for Netwrix Auditor 8.0)
  4. Reopen Netwrix Auditor Administrator Console and create a Managed Object for auditing Event Log.

Review the following notes on Managed Object creation:

  • Audit Database Settings: do not select the Make audit data available via summary emails only checkbox.
  • Add Items to Computer Collection: click Add and add your Cisco devices to the Computer Collection. Specify the IP address (preferred) or the DNS name of your device and click Next (you can also specify an IP range).
  • Configure Audit Archiving Filters: select only the All Syslog Generic Events inclusive filter.
  5. Depending on your Netwrix Auditor version, navigate to one of the following locations:
  • Netwrix Auditor 7.0: Settings -> Long-Term Archive
  • Netwrix Auditor 7.1 and above: Audit Archive -> Audit Database
Now you can configure your Cisco devices to forward syslog messages to the IP address of the computer where Netwrix Auditor Administrator Console is installed. Review the following Cisco technical article for more details.
To access Cisco reports in a web browser, do the following:
  1. Depending on your Netwrix Auditor version, navigate to one of the following locations:
  • Netwrix Auditor 7.0: Settings -> Long-Term Archive
  • Netwrix Auditor 7.1 and above: Audit Archive -> Audit Database
  2. Go to your Report Manager URL. In the Home folder, navigate to Netwrix Auditor -> Netwrix Auditor for Event Logs -> Change Reports.
  3. Review the available reports:
  • All Events by Device: similar to the All Events by Computer report. The following filters are available: Device, User Name, Date From, Date To, ASA/PIX code, Severity, Class. Sort by: Date, User Name, ASA/PIX Code, Severity, Class.
  • Auth Events by User: shows all messages of the Auth class grouped by user.
  • Commands executed by Users: shows the commands executed by users.
  • Configuration operations: shows configuration operations such as reading from the device, writing to the device, erasing, etc.

Note: To resolve any issues related to auditing Cisco devices with Netwrix Auditor, provide the following information to the Netwrix Support team:

  • C:\ProgramData\Netwrix Auditor\Event Log Management\Syslog\Junk
  • C:\ProgramData\Netwrix Auditor\Event Log Management\Syslog\Data\<Managed Object>\<Device>
  • C:\ProgramData\Netwrix Auditor\Data\Logs\<Managed Object>\<Device>
  • Screenshot of the report with the issue

How to use Syslog – Cisco platform:

The current version of the Syslog – Cisco platform implements two levels of event detail:

  • Level 1: The entire syslog message is fully parsed and each parameter of the syslog message has an individual cell in the database.
  • Level 2: Only the header of the syslog message is parsed; the message body itself is stored unparsed as a single value.
Example:

  Level 1 message: Mar 19 2013 13:45:06: %ASA-6-113004: AAA user authentication Successful : server = 10.12.34.12 : user = JohnnyCage
  Level 2 message: Mar 19 2013 08:12:51: %ASA-6-716002: Group User IP <173.25.1.23> VPN session terminated: User Requested.

  Field             Level 1                                   Level 2
  IS01 (time)       Mar 19 2013 13:45:06                      Mar 19 2013 08:12:51
  IS02 (mnemonic)   ASA                                       ASA
  IS03 (severity)   6                                         6
  IS04 (class)      113                                       716
  IS05 (code)       004                                       002
  IS06 (message)    AAA user authentication Successful : server = 10.12.34.12 : user = JohnnyCage     Group User IP <173.25.1.23> VPN session terminated: User Requested.
  IS07              authentication                            (not parsed)
  IS08              10.12.34.12                               (not parsed)
  IS09              JohnnyCage                                (not parsed)
  IS10              (empty)                                   (not parsed)

As the example shows, for the Level 2 message the platform does not parse the IP address or the reason for the VPN session termination: both stay inside the unparsed message body (IS06).
  1. Level 1: The current implementation supports full parsing of the following ASA classes (ASA 8.0 Specification):
  • Auth – User Authentication – ASA/PIX codes 109001-109038, 113001-113025
  • Config – Command Interface – ASA/PIX codes 111001-111010, 112001, 208005, 308001-308002
  2. Level 2: All other messages.

Notes:

  1. The syslog messages of different devices may differ from the official Cisco Syslog Specification. As a result, those messages can be parsed incorrectly. For example:
The event from the Cisco Syslog Specification:
%PIX|ASA-6-113005: AAA user authentication Rejected: reason = string: server = server_IP_address, User = user
The event from the real device:
%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.7.12.35 : user = SlPe2
Note the differences: the real device puts a space before each colon, separates the parameters with colons instead of a comma, and writes "user" in lower case.
To resolve any issues, the following data is required:
  • C:\ProgramData\Netwrix\Event Log Manager\Syslog\Junk
  • C:\ProgramData\Netwrix\Event Log Manager\Syslog\Data\<Managed Object>\<Device>
  • C:\ProgramData\Netwrix\Management Console\Data\Logs\<Managed Object>\<Device>
  • Screenshot of the report with the issue
  2. The Cisco – Syslog platform requires that all syslog messages contain a timestamp. For example:
Mar 19 2013 08:13:36: %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.7.12.35 : user = SlPe2
To enable timestamps in the syslog messages, refer to the Cisco documentation for your device. For example: http://maddhat.com/configure-syslog-forwarding-on-asa5510
Command: logging timestamp
  3. The Cisco – Syslog platform stores two timestamps for each syslog message:
  • The first is the time when the Syslog Agent received the syslog message (stored in the "Events" table).
  • The second is the timestamp carried inside the syslog message itself (stored in the "Insertionstrings" table).
For performance reasons (report execution time), filtering is enabled only for the first timestamp, which does not always reflect the real event time.
You can compare the original (second) timestamp with the (first) timestamp displayed in the report by drilling down through the link in the date field of the report to the message details.
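The following parser is an added example (not Netwrix code) of the two detail levels and of the Note 1 and Note 2 behaviour above: the timestamped header layout, the IS01-IS10 field mapping and the Auth/Config message-ID ranges follow this article, while the assumption that IS10 holds the reject reason and the handling of Config messages are the example's own; the sample lines in the test are the article's messages.

```python
import re

# Header of a timestamped ASA/PIX syslog line, e.g. "Mar 19 2013 13:45:06: %ASA-6-113004: <message>".
HEADER_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]{2} {1,2}\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%(?P<mnemonic>ASA|PIX)-(?P<severity>[0-7])-(?P<cls>\d{3})(?P<code>\d{3}): (?P<message>.*)$"
)
# ASA/PIX message-ID ranges the article lists as fully parsed (Level 1); everything else is Level 2.
LEVEL1_RANGES = {
    "Auth": [(109001, 109038), (113001, 113025)],
    "Config": [(111001, 111010), (112001, 112001), (208005, 208005), (308001, 308002)],
}

def level1_class(msg_id):
    """Return 'Auth', 'Config' or None for a six-digit ASA/PIX message ID."""
    for name, ranges in LEVEL1_RANGES.items():
        if any(lo <= msg_id <= hi for lo, hi in ranges):
            return name
    return None

def parse(line):
    """Parse one syslog line into the IS01..IS10 layout; return None if the timestamp header is missing."""
    m = HEADER_RE.match(line)
    if m is None:
        return None  # no timestamp (Note 2): the message cannot be processed
    fields = {"IS01": m["time"], "IS02": m["mnemonic"], "IS03": int(m["severity"]),
              "IS04": m["cls"], "IS05": m["code"], "IS06": m["message"]}
    fields.update({"IS%02d" % n: "" for n in range(7, 11)})
    cls = level1_class(int(m["cls"] + m["code"]))
    if cls is None:
        return {"level": 2, "class": None, **fields}  # Level 2: body stays one unparsed string
    # Level 1: split the body on ':' or ',' with any spacing, so the specification form
    # ("Rejected: reason = string: server = x, User = y") and the real-device form
    # ("Rejected : reason = Unspecified : server = x : user = y") give the same key/value pairs.
    parts = [p.strip() for p in re.split(r"\s*[:,]\s*", m["message"]) if p.strip()]
    kv = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            kv[key.strip().lower()] = value.strip()
    if cls == "Auth":
        words = parts[0].split()  # "AAA user authentication Successful" -> IS07 = "authentication"
        fields["IS07"] = words[2] if len(words) > 2 else ""
        fields["IS08"] = kv.get("server", "")
        fields["IS09"] = kv.get("user", "")
        fields["IS10"] = kv.get("reason", "")  # assumption: the reject reason lands in IS10
    else:
        fields["IS07"] = parts[0]  # assumption: Config messages keep their leading text in IS07
    return {"level": 1, "class": cls, "kv": kv, **fields}
```

Feeding the article's Level 1 and Level 2 messages to `parse` reproduces the example table, and the specification form and the real-device form of message 113005 yield the same server, user and reason values.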

Links:

  1. Cisco Syslog specification 8.0:
  2. Products configuration examples:
