Cisco IOS integration - no logs

[W00glin]

Version

2.4.141

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

4

RAM

64GB

Storage for /

128GB

Storage for /nsm

3TB

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Good afternoon all,

A few weeks back, I spun up a SecurityOnion (SO) standalone instance on an older Dell PowerEdge I had. The installation and configuration occurred with no issues. As I began to understand the tool more, I tried installing and configuring different integrations for testing and better visibility. One of them being the Cisco IOS integration.

I have an older Cisco WS-C3850-48P and I wanted to sends its logs into SO for retention and review. Its IP address is 192.168.1.2 and my security onions IP address is 192.168.0.121. From my switch I am able to ping my SO server and vice-versa.

I downloaded, installed and configured the Cisco IOS integration and deployed it to my standalone nodes policy (so-grid-nodes_general). I have it configured to listen on port 9002 via UDP and on interface 0.0.0.0. You can view the integration config in the attached screenshot to confirm.

I have my Cisco switch configured to send syslogs via UDP on port 9002 and to the SO server (192.168.0.121). You can see its configuration below -

Homelab-Switch#show logging 
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.



No Inactive Message Discriminator.


    Console logging: disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 209 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    File logging: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level debugging, 526 message lines logged
        Logging to 192.168.0.121  (udp port 9002, audit disabled,
              link up),
              180 message lines logged, 
              0 message lines rate-limited, 
              0 message lines dropped-by-MD, 
              xml disabled, sequence number disabled
              filtering disabled
        Logging Source-Interface:       VRF Name:
          
Log Buffer (32768 bytes):

I did not include the log buffer since it has a bunch of test messages I sent.

If my understanding of the config on both sides is correct, I should be seeing some syslogs from my switch in SO. However, when I search in Kibana and look in the dashboard I do not see anything. I tried searching for answers and found a similar thread here #12055 but the answer is not super clear to me. But running the commands outlined in that post, I find similar results -

ss -tulpn | grep 9002
udp   UNCONN 0      0                   *:9002             *:*  

Then iptables which does not look like it is working -

sudo iptables --list -n | grep 9002
[user@node ~]$ 

Then I tried the tcpdump option to see if packets are actually flowing to the interface. I tried sending more syslogs and those do not appear in the tcpdump , but when I tried pinging from the switch, I saw that traffic reflected in the tcpdump. You can see the output here -

udo tcpdump -i eno1 -nnn -A host 192.168.1.2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), snapshot length 262144 bytes

^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[user@node ~]$ sudo tcpdump -i eno1 -nnn -A host 192.168.1.2 -v
dropped privs to tcpdump
tcpdump: listening on eno1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:08:02.331014 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.121 tell 192.168.1.2, length 46
........p...4q.............y..................
20:08:04.335953 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.121 tell 192.168.1.2, length 46
........p...4q.............y..................
20:08:06.349955 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.121 tell 192.168.1.2, length 46
........p...4q.............y..................
20:08:08.426928 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.121 tell 192.168.1.2, length 46
........p...4q.............y..................
^C
4 packets captured
5 packets received by filter
0 packets dropped by kernel

So there definitely is some network connectivity but I'm not sure why the syslogs are not showing up.

Next I tried following the documentation in the discussion (it is for PFSense so slightly different) - https://docs.securityonion.net/en/2.4/pfsense.html#elastic-integration-for-pfsense and in another similar discussion #12152

In the SOC webUI I selected Admin -> Configuration -> Firewall -> Hostgroups ->syslog and then added the range of IP addresses for my home network. You can see the config in the screenshot below -

So I'm at a bit of a loss of what I should try next, or if someone might be able to help me understand what I am doing wrong. Any help would be appreciated.

Update - 2025/06/17 5:41PM EST:
To add a bit more info, I did try running a different tcpdump command and I was able to see the syslogs reaching the SO interface -

sudo tcpdump -i eno1 -n port 9002 -v
[sudo] password for user: 
dropped privs to tcpdump
tcpdump: listening on eno1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:28:51.943563 IP (tos 0x0, ttl 253, id 345, offset 0, flags [none], proto UDP (17), length 158)
    192.168.1.1.50959 > 192.168.0.121.dynamid: UDP, length 130
21:28:53.522373 IP (tos 0x0, ttl 253, id 346, offset 0, flags [none], proto UDP (17), length 158)
    192.168.1.1.50959 > 192.168.0.121.dynamid: UDP, length 130
21:28:53.522494 IP (tos 0x0, ttl 253, id 347, offset 0, flags [none], proto UDP (17), length 158)
    192.168.1.1.50959 > 192.168.0.121.dynamid: UDP, length 130
21:28:54.688599 IP (tos 0x0, ttl 253, id 348, offset 0, flags [none], proto UDP (17), length 158)
    192.168.1.1.50959 > 192.168.0.121.dynamid: UDP, length 130
21:28:54.688700 IP (tos 0x0, ttl 253, id 349, offset 0, flags [none], proto UDP (17), length 158)
    192.168.1.1.50959 > 192.168.0.121.dynamid: UDP, length 130
21:28:56.830577 IP (tos 0x0, ttl 253, id 350, offset 0, flags [none], proto UDP (17), length 158)
    192.168.1.1.50959 > 192.168.0.121.dynamid: UDP, length 130
^C
6 packets captured
7 packets received by filter
0 packets dropped by kernel

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

You can move them to customhostgroup0, then add the port to customportgroup0. Then under Firewall > role select the role of the server you are sending to and add customportgoup0 to firewall > role > manager > chain > DOCKER-USER > hostgroups > customhostgroup0 > portgroups [adv] (using the manager as the role as an example.

Also see https://docs.securityonion.net/en/2.4/firewall.html#creating-a-custom-host-group-with-a-custom-port-group

[cm-ops]

If you don't see an index created they are not making it to the container. If you see them hitting the management interface, try adding an IPTABLES allow in the INPUT chain as well, same location as the above screenshot, except in the INPUT chain. Then run the highstate or apply the firewall state.

[W00glin]

Yes. I am seeing them hit the management interface but not making it to the container. My evidence is from the tcpdumps I completed earlier for troubleshooting. I do not see the index anywhere in Kibana. No Cisco datasets in any dashboards or in the Dataview menu in Kibana Discover.

I went ahead and tried adding it to the INPUT chain as you mentioned - firewall > role > standalone > chain > INPUT > hostgroups > customhostgroup0 > portgroups [adv] .

Next I hit synchronize grid and checked both the SOC syslog dashboard, Kibana dashboard and dataview. Still not seeing the logs.

[cm-ops]

What are you seeing when you tcpdump the interface?

[W00glin]

Took me some time to get back to this. But here is the output you asked for. On my security onion server I ran sudo tcpdump -i eno1 -n port 9002 -v since this is the interface the logs should be sending to. While on my homelab switch I ran send log "Direct syslog test to port 9002".

Security Onion -

sudo tcpdump -i eno1 -n port 9002 -v
dropped privs to tcpdump
tcpdump: listening on eno1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
01:15:22.330376 IP (tos 0x0, ttl 253, id 683, offset 0, flags [none], proto UDP (17), length 159)
    192.168.1.1.50959 > 192.168.0.121.dynamid: UDP, length 131
01:15:24.220056 IP (tos 0x0, ttl 253, id 684, offset 0, flags [none], proto UDP (17), length 159)
    192.168.1.1.50959 > 192.168.0.121.dynamid: UDP, length 131
01:15:24.220114 IP (tos 0x0, ttl 253, id 685, offset 0, flags [none], proto UDP (17), length 159)
    192.168.1.1.50959 > 192.168.0.121.dynamid: UDP, length 131
01:15:25.564787 IP (tos 0x0, ttl 253, id 686, offset 0, flags [none], proto UDP (17), length 159)
    192.168.1.1.50959 > 192.168.0.121.dynamid: UDP, length 131
01:15:25.564865 IP (tos 0x0, ttl 253, id 687, offset 0, flags [none], proto UDP (17), length 159)
    192.168.1.1.50959 > 192.168.0.121.dynamid: UDP, length 131
01:15:26.698600 IP (tos 0x0, ttl 253, id 688, offset 0, flags [none], proto UDP (17), length 159)
    192.168.1.1.50959 > 192.168.0.121.dynamid: UDP, length 131
01:15:26.698659 IP (tos 0x0, ttl 253, id 689, offset 0, flags [none], proto UDP (17), length 159)
    192.168.1.1.50959 > 192.168.0.121.dynamid: UDP, length 131
01:15:27.760427 IP (tos 0x0, ttl 253, id 690, offset 0, flags [none], proto UDP (17), length 159)
    192.168.1.1.50959 > 192.168.0.121.dynamid: UDP, length 131
01:15:27.760597 IP (tos 0x0, ttl 253, id 691, offset 0, flags [none], proto UDP (17), length 159)
    192.168.1.1.50959 > 192.168.0.121.dynamid: UDP, length 131

On my switch -

Homelab-Switch>enable
Password: 
Homelab-Switch#send log "Direct syslog test to port 9002"
Homelab-Switch#send log "Direct syslog test to port 9002"
Homelab-Switch#send log "Direct syslog test to port 9002"
Homelab-Switch#send log "Direct syslog test to port 9002"
Homelab-Switch#send log "Direct syslog test to port 9002"
Homelab-Switch#send log "Direct syslog test to port 9002"
Homelab-Switch#send log "Direct syslog test to port 9002"
Homelab-Switch#send log "Direct syslog test to port 9002"
Homelab-Switch#send log "Direct syslog test to port 9002"

So as far as I can tell it looks as though the syslogs from my test message are hitting the management interface.

[cm-ops]

If the host firewall settings are in place and you see the UDP traffic hitting the management interface, next check Logstash for any issues with the logs coming in. /opt/so/log/logstash/logstash.log