What are some logging solutions for Cisco devices

alias454 Member Posts: 648
I am curious what others are doing to log information from Cisco devices? Are there any Cisco specific tools used for this or do most people roll their own with some other centralized logging solution?

Thanks for any advice.
“I do not seek answers, but rather to understand the question.”

Comments

  • cyberguypr Mod Posts: 6,928
    We send all our Cisco logs to Splunk.
  • msteinhilber Member Posts: 1,480
    I use Graylog2 to centralize logging of our equipment, it's open source and works pretty well. You can get it as part of a turnkey appliance under the name Partylog2. It's functioning as a syslog server for all of our Juniper, Cisco and HP networking equipment as well as our ESXI hosts. In addition you can use it with nxlog and GELF to forward Windows event logs if you desire as well. I haven't played with any commercial offerings other than Junos Space which we're still not using due to management likely never approving our purchase of the virtual appliance version so I can't attest to what it has/doesn't have but if you're just looking for centralized logging that's pretty quick and easy to search through then Graylog2 would probably fit the bill.
  • alias454 Member Posts: 648
    Thanks. I have tried Splunk. I thought it was pretty versatile but expensive. I have looked at many of the open source offerings but have not spent the time getting something set up. Does anyone have experience using the Cisco LMS syslog collector or the Prime Infrastructure offerings? If so, how does that compare to other syslog options? We currently use Manage Engine's Eventlog Analyzer product for our servers. One thing I like about it is that we do not have to install an agent for our Windows servers and the nix setup is a quick config file edit to point at the right server.
    “I do not seek answers, but rather to understand the question.”
  • JeanM Member Posts: 1,117
    cyberguypr wrote:
    We send all our Cisco logs to Splunk.

    Yep, at my prior job Splunk as well.
    2015 goals - ccna voice / vmware vcp.
  • jmritenour Member Posts: 565
    I don't deal with network gear anymore, but I know a couple network engineers who swear by using Elasticsearch, Logstash and Kibana in conjunction - Elasticsearch.org Overview | Elasticsearch.

    The only component in the ELK stack I have personal experience with is Logstash. It's pretty good, but a PITA to get set up.
    "Start by doing what is necessary, then do what is possible; suddenly, you are doing the impossible." - St. Francis of Assisi
  • santaowns Member Posts: 366
    Splunk here as well.
  • higherho Member Posts: 882
    We use Splunk, but beware: the licenses can be expensive. Just 5 GIG worth of logs can cost over 12k.
  • the_Grinch Member Posts: 4,165
    We use Elasticsearch and I highly recommend setting up ELK for this. You'll be amazed at the queries you can write via Kibana to analyze all types of information. Just some examples of what we are able to display (not all related to Cisco):

    Logins to servers
    Netflow charting
    File Integrity
    Geolocate IPs (have them show on a map)
    Protocols used
    Web scans/attacks

    You can pretty much do just about anything. ELK can be a bit of a pain to initially get set up, but once you learn the little things it's a dream to work with. Plus being 100% free is really a big plus ;) Using it we are literally saving about $76000 dollars so the business types were really happy. Let me know if you have any questions, I've been through the gauntlet with ELK so I can definitely offer advice.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • alias454 Member Posts: 648
    Thanks for the feedback @everyone. @grinch I may try to spin something up in the next few weeks. We would be looking at about 350 servers (Windows, Linux, and UNIX), a few hundred switches, and some routers. We currently do not own enough licenses to cover everything using our existing product. Up until a year and a half ago, I had no idea how expensive good log management software was.

    Regards
    “I do not seek answers, but rather to understand the question.”
  • the_Grinch Member Posts: 4,165
    My suggestion would be to set up OSSEC for your servers. From there you can push the logs into Logstash and parse them. In turn Elasticsearch will make them searchable and Kibana will allow you to query that data. With all of that you will have real time alerting. I will say right now we have a three node cluster (with Logstash and the OSSEC server running on the same box) handling the traffic from about 200 servers. I believe we will be able to handle 500 servers with those three nodes and perhaps handle the Netflow traffic as well.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
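
The parse step of the pipeline described in the last post, sketched for Cisco IOS syslog lines as an added example (it is not code from anyone in this thread; in an ELK deployment Logstash does this work). The sample lines, the device name `sw-core-01` and the index name `cisco-syslog` are constructed for illustration.

```python
import json
import re

# IOS message body is "%FACILITY-SEVERITY-MNEMONIC: text", optionally preceded
# by a syslog <PRI>, a sequence number and the device timestamp.
IOS_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?:(?P<seq>\d+):\s+)?(?:(?P<timestamp>.*?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):"
    r"\s*(?P<message>.*)$"
)
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notification", "informational", "debugging"]

# Constructed sample input; the last line is deliberately not in IOS format.
SAMPLE = [
    "<189>112: *Mar  1 00:04:12.003: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "<187>113: *Mar  1 00:05:01.120: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<188>114: *Mar  1 00:06:44.871: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.55] [localport: 22]",
    "free-form text that is not an IOS message",
]

def parse_ios(line, device):
    """Return the message as a dict of fields, or None if it is not IOS format."""
    m = IOS_RE.match(line.strip())
    if m is None:
        return None
    doc = m.groupdict()
    for key in ("pri", "seq", "severity"):
        doc[key] = int(doc[key]) if doc[key] is not None else None
    doc["severity_name"] = SEVERITY[doc["severity"]]
    doc["device"] = device
    return doc

def to_bulk(lines, device, index="cisco-syslog"):
    """Build an Elasticsearch _bulk body (NDJSON: action line, then document).
    Lines that do not parse are returned separately, not silently dropped."""
    body, rejected = [], []
    for line in lines:
        doc = parse_ios(line, device)
        if doc is None:
            rejected.append(line)
            continue
        body.append(json.dumps({"index": {"_index": index}}))
        body.append(json.dumps(doc))
    ndjson = "\n".join(body) + "\n" if body else ""
    return ndjson, rejected

if __name__ == "__main__":
    ndjson, rejected = to_bulk(SAMPLE, "sw-core-01")
    print(ndjson, end="")
    print("unparsed:", rejected)
```

Once facility, severity and mnemonic are separate fields, a Kibana query such as `mnemonic:LOGIN_FAILED` or `severity:<=3` becomes possible, which is the kind of searching the posts above describe.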