
Integrate Cisco network devices with SolarWinds LEM

Updated: September 26, 2018

Overview

This article covers the different procedures for integrating various types of Cisco devices with the LEM appliance.

Environment

All LEM versions

Steps

Integrate Cisco IOS routers and switches with SolarWinds LEM

These steps show how to configure Cisco IOS devices to log to the LEM appliance, and how to configure the Cisco PIX and IOS connector on the LEM Manager.

Configure your Cisco IOS routers and switches:

  1. Connect to your Cisco IOS device using an SSH or Telnet client.
  2. Log in using administrative credentials for the device.
  3. Enter enable.
  4. Retype the administrative password for the device.
  5. Enter configure. A message appears asking how you would like to configure. Press Enter.
  6. Enter logging LEM_IP_address.

    LEM_IP_address is the IP address of your LEM Manager.

  7. Enter logging facility local2. This defines where the LEM Manager will look for the IOS logs.
  8. Enter logging trap debug, and then enter exit to return to the previous prompt.

    The debug level is recommended to capture everything, but choose the level best suited to your environment.

  9. To keep the new configuration after the device reboots, enter copy run start.
  10. When prompted about the destination, press Enter.

If the customer has raised the security level on the inside ports, the ASA is blocked from sending syslog on port 514. In that case, the customer must either change that configuration or send logs out of another interface. The choice is up to the customer.

Configure the Cisco PIX and IOS connector on your LEM Manager:

  1. On the LEM console toolbar, navigate to Manage > Appliances, and log on to the LEM Manager where you can configure the connector.

  2. Next to the LEM Manager, click the gear icon, and then select Connectors.
  3. In the Connector Configuration window, enter Cisco in the search box at the top of the Refine Results pane.
  4. Next to the Cisco PIX and IOS connector, click the gear icon, and then select New.
  5. Replace the Alias value with a more descriptive tool alias. 
  6. Verify that the Log File value matches the local facility set in the Cisco routers and switches procedure.
  7. After configuring the connector, click Save. 
  8. Next to the new connector, click the gear icon, and then select Start. The Status icon turns green to indicate the connector has started.
  9. To exit the Connector Configuration window, click Close.

Once the connector starts running, you can create a filter to display all traffic from that specific device. For example:

Any Alert.ToolAlias = *IOS Switch 1*

The asterisks serve as wildcard characters.

Integrate Cisco IDS/IPS with SolarWinds LEM

The following steps outline how to configure a Cisco IDS/IPS user for integration with the LEM appliance, and how to configure the Cisco IDS/IPS connector on the LEM appliance.

Configure Cisco IDS/IPS for integration with the LEM appliance:

Create a View Only user for your IDS/IPS appliance, which the LEM appliance will use to subscribe to the Cisco appliance's log data.

 

Configure the Cisco IDS/IPS connector on your LEM Manager:

  1. On the LEM console toolbar, navigate to Manage > Appliances, and then log in to your LEM Manager as an administrator.
  2. Next to your LEM Manager, click the gear icon, and then select Connectors.
  3. In the Connector Configuration window, enter Cisco in the search box at the top of the Refine Results pane, and select IDS and IPS from the Category menu.
  4. Click the gear icon next to the connector that corresponds to the version of Cisco IDS/IPS in your environment, and select New.
  5. Enter a custom Alias, or accept the default.
  6. If you are configuring the Cisco IDS/IPS v5/5.x connector, enter the URL for your IDS/IPS server in the URL field.
  7. If you are configuring the Cisco IPS 5+ (SDEE) connector, enter the IP address or host name for your IDS/IPS server in the Server field.
  8. Enter the username and password for the user created for integration with your LEM appliance.
  9. Once you have configured the connector, click Save.
  10. Next to the new connector (denoted by an icon in the Status column), click the gear icon, and then click Start.
  11. To exit the Connector Configuration window, click Close.

Integrate Cisco PIX and ASA firewalls with SolarWinds LEM

The following steps show how to configure Cisco PIX and ASA firewalls to log to the LEM appliance, and how to configure the Cisco PIX and IOS connector on the LEM Manager.

Configure your Cisco PIX or ASA firewall:

  1. Connect to your firewall using an SSH or Telnet client.
  2. Log in using administrative credentials for the firewall.
  3. Enter enable.
  4. Re-enter the administrative password for the firewall.
  5. Enter config term.
  6. Enter logging host inside LEM_IP_address.

    LEM_IP_address is the IP address of your LEM Manager.

  7. Enter logging facility 18. This defines where the LEM Manager will look for the firewall logs.
  8. Enter logging trap level.

    Note: Choose one of the logging levels listed in the Cisco PIX and ASA Trap Levels table for the level value. You can use either the Trap Level or Code for this value. We recommend using the debug logging level.

  9. To enable logging with these settings, enter logging on.
  10. To return to the previous prompt, enter exit.
  11. To check that the new configuration is in place after a firewall reboot, enter copy run start.

Configure the Cisco PIX and IOS connector on your LEM Manager:

  1. On the LEM console toolbar, navigate to Manage > Appliances, and then log on to the LEM Manager where you can configure the connector.
  2. Next to the LEM Manager, click the gear icon, and then select Connectors.
  3. In the Connector Configuration window, enter Cisco in the search box at the top of the Refine Results pane.
  4. Next to the Cisco PIX and IOS connector, click the gear icon, and then select New.
  5. Replace the Alias value with a custom alias, or accept the default. For example, PIX Firewall.
  6. Check to ensure the Log File value matches the local facility defined in the Cisco PIX or ASA Firewall procedure.
  7. Once you have configured the connector, click Save. 
  8. Next to the new connector, click the gear icon, and then select Start. The Status icon will turn green to indicate the connector has started.
  9. To exit the Connector Configuration window, click Close.

Once the connector starts running, the default Firewall filter begins displaying alerts from your Cisco PIX or ASA firewall. This connector receives events from the Cisco IOS operating system installed on PIX and ASA firewalls, or on switches and routers running the IOS operating system.

The conditions for the default firewall filter read:

 Any Alert.ToolAlias = *Firewall*

The asterisks serve as wildcard characters. If the alias does not contain the word firewall, the default filter will not work until it has been edited to match the alias you defined.

By default, this connector will not receive TCP builds or TCP teardowns. To enable this functionality, see Enabling LEM to Track Events.

Cisco PIX and ASA Trap Levels

| Trap Level | Code | Description |
|---|---|---|
| Emergency | 0 | Forwards only the highest priority messages, usually indicating failure or panic scenarios that must be addressed immediately. |
| Alert | 1 | Forwards messages that require immediate attention. |
| Critical | 2 | Forwards messages that should be reviewed as soon as possible and might be early warning signs of further problems. |
| Error | 3 | Forwards messages that might indicate a problem. |
| Warning | 4 | Forwards messages that should receive attention and might be errors. |
| Notification | 5 | Forwards messages that are considered to be important information, but that are not error conditions. |
| Informational | 6 | Forwards most messages. |
| Debug | 7 | Forwards all messages, including IDS messages. |
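
The following is an added example, not part of the SolarWinds article: a Python check that decodes the syslog PRI header (facility × 8 + severity) to confirm that a device is sending with facility local2 (code 18), the value the connector's Log File setting has to match, and at a severity within the configured trap level. The function names and the sample datagrams are constructed for illustration.

```python
import re

# Severity codes as listed in the Cisco PIX and ASA Trap Levels table.
TRAP_LEVELS = ["Emergency", "Alert", "Critical", "Error",
               "Warning", "Notification", "Informational", "Debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(datagram: bytes):
    """Return (facility_code, severity_code) from a syslog datagram, or None."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:          # 23 * 8 + 7 is the largest valid PRI
        return None
    return divmod(pri, 8)  # PRI = facility * 8 + severity


def facility_name(code: int) -> str:
    """Facilities 16-23 are local0-local7; others are shown by number."""
    return f"local{code - 16}" if 16 <= code <= 23 else f"facility{code}"


def check_datagram(datagram: bytes, expected_facility: int, trap_level: int):
    """Describe whether a datagram fits the configured facility and trap level."""
    decoded = decode_pri(datagram)
    if decoded is None:
        return "no valid PRI header"
    facility, severity = decoded
    if facility != expected_facility:
        return (f"facility mismatch: got {facility_name(facility)}, "
                f"expected {facility_name(expected_facility)}")
    if severity > trap_level:
        return f"unexpected severity {TRAP_LEVELS[severity]} above trap level"
    return f"ok: {facility_name(facility)} {TRAP_LEVELS[severity]}"


# Constructed sample datagrams (not captured from real devices).
SAMPLES = [
    b"<149>45: *Mar  1 00:12:01.003: %SYS-5-CONFIG_I: Configured from console",
    b"<150>%ASA-6-302013: Built outbound TCP connection (constructed sample)",
    b"<189>46: *Mar  1 00:12:09.118: %LINK-5-CHANGED: Interface changed state",
    b"%ASA-4-106023: Deny tcp (constructed sample, PRI header missing)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(check_datagram(s, expected_facility=18, trap_level=7), "|", s[:24])
```

A facility mismatch in the output means the device is still logging to a different local facility than the one the connector reads, so its events will not reach the connector's Log File.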
