
Configure LEM to track Cisco buildup and teardown events

Updated: September 15, 2017

You can enable LEM to track the buildup and teardown events that occur on your network.

To monitor accepted traffic, use the log option on the ACL entries that permit the traffic, instead of buildup logging. This lets you control which accepted traffic generates an alert. If you need the details of the NAT translations themselves, consider the event load that logging them will create. Plan a test phase in which you turn the logging on and determine whether the data is valuable enough for further investigation.

If you need to monitor the original, unnormalized log messages (rather than LEM's normalized data), consider the nDepth original log message store. Remember that this requires additional disk space.

Also consider whether you need both buildup and teardown messages, or only the buildup messages. The NAT teardown messages include the same information as the Built messages, plus duration and size information that may or may not be useful to you. Colleges and universities that use the Built messages do not rely on the teardown messages: they only need to know that a connection was established, for verification, analysis, and correlation.

Be sure to check your syslog data, and enable only the buildup or teardown events that are of use to you.

Tracking Buildup Events

LEM is preconfigured to capture Cisco events 302003, 302009, and 603108.

You can configure LEM to capture Cisco firewall buildup events as well. The primary buildup event to use for TCP tracking is 302013. Other buildup events include 302015, 302017, 302020, 302303, 305009, 305011, and 609011. Check the description of these events in the Cisco System Log Messages Guide located on the Cisco website to ensure you need to capture these events.

Tracking Teardown Events

Out of the box, LEM captures Cisco event 603019.

You can also enable LEM to capture Cisco firewall NAT teardown events. The teardown sibling of buildup event 302013 is 302014. Other teardown events include 302016, 302018, 302021, 302304, 305010, 305012, 617100, and 609002. Check the descriptions of these events in the Cisco System Log Messages Guide to make sure they are ones you want to capture.
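The advice above (gauge the event load, and decide whether teardown messages add anything over buildup messages) is easier to act on if you look at what the messages actually contain. The following Python script is added here as an illustration; it is not part of the SolarWinds article or of the LEM product. It parses a handful of constructed Cisco ASA syslog lines (RFC 5737 addresses, made-up connection IDs and host name), counts events per message ID to show how much volume each ID contributes, and pairs each Built connection (302013/302015) with its Teardown (302014/302016) by connection ID. The result shows concretely what the Built message alone records (who connected to whom), what only the Teardown adds (duration and byte count), and which connections were built but never torn down within the log. The field layout follows the ASA message formats as generally documented; it is an assumption that your device's output matches exactly, so check it against your own syslog data.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the Cisco ASA message format (RFC 5737 addresses,
# made-up connection IDs and host name). They were not captured from a real device.
SAMPLE_LOG = """\
<166>Sep 15 2017 10:01:02 asa01 : %ASA-6-302013: Built outbound TCP connection 41001 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.168.1.20/51234 (198.51.100.5/51234)
<166>Sep 15 2017 10:01:03 asa01 : %ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.20/51234 to outside:198.51.100.5/51234
<166>Sep 15 2017 10:01:05 asa01 : %ASA-6-302015: Built outbound UDP connection 41002 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:192.168.1.20/40000 (198.51.100.5/40000)
<166>Sep 15 2017 10:01:06 asa01 : %ASA-6-302016: Teardown UDP connection 41002 for outside:203.0.113.53/53 to inside:192.168.1.20/40000 duration 0:00:01 bytes 180
<166>Sep 15 2017 10:01:14 asa01 : %ASA-6-302014: Teardown TCP connection 41001 for outside:203.0.113.10/443 to inside:192.168.1.20/51234 duration 0:00:12 bytes 4821 TCP FINs
<166>Sep 15 2017 10:01:15 asa01 : %ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.20/51234 to outside:198.51.100.5/51234 duration 0:00:12
<166>Sep 15 2017 10:02:00 asa01 : %ASA-6-302013: Built inbound TCP connection 41003 for outside:198.51.100.77/55000 (198.51.100.77/55000) to inside:192.168.1.30/22 (198.51.100.5/22)
"""

# %ASA-<severity>-<message id>: <text>. The severity digit is 6 by default for these
# messages and becomes 0 after the severity change described in the article.
HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
BUILT_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection (?P<cid>\d+) "
    r"for (?P<src>\S+) \(\S+\) to (?P<dst>\S+) \(\S+\)"
)
TEARDOWN_RE = re.compile(
    r"Teardown (?P<proto>TCP|UDP) connection (?P<cid>\d+) for (?P<src>\S+) to (?P<dst>\S+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)"
)


def parse_line(line):
    """Return (severity, message_id, message_text) for one ASA syslog line, or None."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    return int(m.group("sev")), m.group("msgid"), m.group("text")


def duration_to_seconds(text):
    """Convert the ASA 'h:mm:ss' duration field to whole seconds."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def count_by_message_id(log):
    """Count events per message ID: a quick gauge of the volume each ID would add to LEM."""
    counts = Counter()
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed:
            counts[parsed[1]] += 1
    return counts


def correlate_connections(log):
    """Pair each Built (302013/302015) with its Teardown (302014/302016) by connection ID.

    The Built message alone records the endpoints; only the Teardown supplies
    duration and byte count, which is what the article means by 'duration and size'."""
    conns = {}
    for line in log.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        _, msgid, text = parsed
        if msgid in ("302013", "302015"):
            m = BUILT_RE.search(text)
            if m:
                conns[m.group("cid")] = {
                    "proto": m.group("proto"),
                    "direction": m.group("direction"),
                    "src": m.group("src"),
                    "dst": m.group("dst"),
                    "teardown_seen": False,
                    "duration_s": None,
                    "bytes": None,
                }
        elif msgid in ("302014", "302016"):
            m = TEARDOWN_RE.search(text)
            if m and m.group("cid") in conns:
                entry = conns[m.group("cid")]
                entry["teardown_seen"] = True
                entry["duration_s"] = duration_to_seconds(m.group("duration"))
                entry["bytes"] = int(m.group("bytes"))
    return conns


def open_connections(log):
    """Connection IDs that were built but have no matching teardown in the log."""
    return [cid for cid, c in correlate_connections(log).items() if not c["teardown_seen"]]


if __name__ == "__main__":
    for msgid, n in sorted(count_by_message_id(SAMPLE_LOG).items()):
        print(f"{msgid}: {n} event(s)")
    for cid, c in correlate_connections(SAMPLE_LOG).items():
        print(cid, c)
    print("built but not torn down:", open_connections(SAMPLE_LOG))
```

Run it against an export of your own firewall syslog instead of SAMPLE_LOG to see the real per-ID volumes before enabling extra message IDs in LEM. If, as in the sample, every fact you need for correlation is already present in the Built record and the duration and byte counts are not used by any rule, the teardown IDs can be left disabled; if they are used, the pairing above is the join LEM would have to perform.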

Enabling LEM to track buildup and teardown events

  1. Ensure that your firewalls are sending log events to LEM, and that the appropriate LEM connector is monitoring your firewall data.
  2. Access the firewalls that generate the buildup and teardown messages you need to monitor, and adjust the severity level of those events from 6 (the default) to 0.

    For more information, see the Changing the Severity Level of a Syslog Message section in the Monitoring the Security Appliance page on the Cisco site.
