You can configure a Cisco switch to report its logs to a remote syslog server. Depending on the model and version, you can choose the protocol (TCP or UDP) and an arbitrary port. In other cases, it is only possible to report to the standard syslog port, 514/udp.
In neither case can the logs be tagged at the origin, so it is necessary to send them through a Devo In-house Relay that will label them as switch.cisco and forward them to Devo.
For older Cisco switch models using CatOS, you can configure sending as follows:
Conf CISCO CatOS
set logging server DEVO-RELAY
set logging server facility local3
set logging server severity 6
set logging server enable
- Replace DEVO-RELAY with the In-house Relay IP.
- Note that CatOS can only send to the standard syslog port, 514/udp.
For Cisco IOS models, you can configure sending as follows:
CISCO IOS Conf
config terminal
no service sequence-numbers
logging host DEVO-RELAY transport udp port PORT
logging trap informational
logging facility local3
logging on
- Replace DEVO-RELAY and PORT with the In-house Relay server and port.
If your IOS version is not up to date and doesn't support sending over TCP and to an arbitrary port, the alternative is to send to the standard syslog port, 514/udp.
CISCO IOS old versions Conf
config terminal
no service sequence-numbers
logging DEVO-RELAY
logging trap informational
logging facility local3
logging on
Sending to Devo
You need to install an In-house Relay for the correct tagging of these logs.
When configuring the rule to tag the logs as switch.cisco at the relay, you have the following options:
- Arbitrary port
The device allows the configuration of an arbitrary destination port. Here you should create a rule to listen on the selected port (e.g. port 130003/tcp) and tag all the events coming to the port as switch.cisco.
- 514/udp port
The device does not allow a port to be configured. In this case, you should create a rule to listen on the 514/udp port and tag the events coming through the port as switch.cisco. If you are also receiving events from other log sources through that port, you can tighten the rule. For example, you can filter by the switch source IP and/or by the syslog facility on which the logs will be arriving.
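The tightened 514/udp rule described above, sketched as an added example (this is not Devo relay code or its rule syntax): it decodes the syslog PRI header to recover the facility and tags a datagram as switch.cisco only when the source IP and the local3 facility both match. The switch address range, the sample messages and the "unmatched" tag are assumptions constructed for the illustration.

```python
import ipaddress
import re

# Assumptions for this example (constructed, not from the page):
SWITCH_SOURCES = [ipaddress.ip_network("192.0.2.0/28")]  # switch management IPs
EXPECTED_FACILITY = 19   # local3 = 16 + 3, per "logging facility local3"
MAX_SEVERITY = 6         # "logging trap informational" sends severities 0..6

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_pri(datagram: bytes):
    """Return (facility, severity) from the leading <PRI>, or None if malformed."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:          # highest valid PRI: facility 23 * 8 + severity 7
        return None
    return divmod(pri, 8)  # PRI = facility * 8 + severity


def tag_for(source_ip: str, datagram: bytes, default_tag: str = "unmatched"):
    """Decide the tag for one datagram received on the shared 514/udp port."""
    pri = parse_pri(datagram)
    if pri is None:
        return default_tag
    facility, severity = pri
    addr = ipaddress.ip_address(source_ip)
    from_switch = any(addr in net for net in SWITCH_SOURCES)
    if from_switch and facility == EXPECTED_FACILITY and severity <= MAX_SEVERITY:
        return "switch.cisco"
    return default_tag


# Constructed sample traffic: (source IP, raw syslog datagram)
SAMPLES = [
    ("192.0.2.5", b"<157>*Mar  1 00:04:12.003: %SYS-5-CONFIG_I: Configured from console"),
    ("192.0.2.5", b"<187>*Mar  1 00:04:13.101: %LINK-3-UPDOWN: still on facility local7"),
    ("198.51.100.9", b"<158>Mar  1 00:04:14 host app: local3, but not a switch address"),
    ("192.0.2.5", b"no PRI header"),
]

if __name__ == "__main__":
    for ip, msg in SAMPLES:
        print(ip, tag_for(ip, msg), msg[:45])
```

Both the facility and the UDP source address are set by the sender, so this filter separates log sources that share a port; it does not authenticate them.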