how to forward cisco logs to Sentinel

Riadh Zehani 125 Reputation points
2023-12-05T16:30:01.6533333+00:00

As part of monitoring network equipment via MS Sentinel, we're investigating whether it's possible to redirect logs from Cisco ws-c3850-24xu switches to a syslog server housing an OMS agent to convert the logs into CEF format for MS Sentinel. This is due to the absence of a specific connector for the Cisco ws-c3850-24xu switches.


Accepted answer
  1. David Broggy 6,371 Reputation points MVP Volunteer Moderator
    2023-12-06T01:41:32.5133333+00:00

    Hi Riadh,

    There's no need to convert logs to CEF.

    The OMS agent by default accepts any syslog format.

    There is a CEF process you can also apply if you are receiving logs that support CEF.

    In your case, Catalyst logs are just basic syslog format.

    So if you already have a syslog server with the OMS agent, and you've configured a Data Collection Rule in Azure to collect syslog, then you're set.

    Just make sure your DCR has the appropriate facility checked off - e.g. if you're sending the logs with Facility 7, then the DCR also needs to be configured to receive Facility 7.

    References:

    https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/multibook/configuration_guide/b_consolidated_config_guide_3850_chapter_01101.html

    https://learn.microsoft.com/en-us/azure/sentinel/connect-syslog

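A small added check, not part of the accepted answer or any Microsoft/Cisco tooling, for the facility-matching point above: it decodes the `<PRI>` header of syslog lines as a Catalyst switch would emit them and tests them against a DCR-style syslog data source (the `facilityNames` / `logLevels` fields and the level names are assumed to follow the DCR schema). The sample log lines are constructed.

```python
import re
from collections import Counter

# RFC 3164 encoding: PRI = facility * 8 + severity. Index = numeric code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Info", "Debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """Return (facility_name, severity_name) from the leading <PRI> of a syslog line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header in: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the highest legal value
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def dcr_accepts(line, facility_names, log_levels):
    """True if a DCR syslog source with these facilityNames/logLevels would keep the line."""
    facility, severity = decode_pri(line)
    return facility in facility_names and severity in log_levels

def facilities_seen(lines):
    """Count facility/severity pairs in a capture, to see what the switch really sends."""
    return Counter(decode_pri(ln) for ln in lines)

# Constructed samples: a Catalyst sending with 'logging facility local7' (code 23).
# <189> = 23*8 + 5 (Notice), <187> = 23*8 + 3 (Error).
SAMPLES = [
    "<189>42: *Dec  5 16:30:01.653: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "<187>43: *Dec  5 16:31:10.101: %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down",
]

# Assumed DCR fragments. The first listens on local0 only, so local7 messages are dropped
# without any error; the second matches the switch's facility and keeps Notice and above.
DCR_WRONG = {"facility_names": ["local0"], "log_levels": SEVERITIES}
DCR_OK = {"facility_names": ["local7"],
          "log_levels": ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice"]}

def check(lines=SAMPLES):
    """Summarise which constructed lines each DCR fragment would ingest."""
    return {"seen": facilities_seen(lines),
            "wrong_dcr": [dcr_accepts(ln, **DCR_WRONG) for ln in lines],
            "ok_dcr": [dcr_accepts(ln, **DCR_OK) for ln in lines]}

if __name__ == "__main__":
    print(check())
```

Run `facilities_seen` over a real capture from the syslog server before setting the DCR, since a mismatched facility produces no error on either side, just an empty Syslog table.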

0 additional answers
