Receive Syslogs from a Cisco switch

[loganterfehr]

If I wanted to receive syslogs from a Cisco switch how would I go about doing it? Right now I have the logs being forwarded to my standalone manager node at 10.0.80.225. Would I need to open the firewall host groups for syslog up for the switch address? I am just a little confused and need some clarification since what I thought does not work. Let me know if you need more information. Thanks ahead of time all!

[reyesj2]

Yes, you need to allow syslog traffic from your cisco switch to the manager. https://docs.securityonion.net/en/2.4/firewall.html#configuration

https://docs.securityonion.net/en/2.4/syslog.html#syslog

[loganterfehr]

Just confirming, just need to allow the intended switches through the firewall using hostgroups whitelist? Assuming I have the Cisco switch correctly forwarding logs to my manager address I should be all set right and see logs coming from it in Kibana? I don't need to fidget with portgroups do I? Also thanks for the quick response.

[reyesj2]

Correct, you add to syslog hostgroup, you can also hit the button at the top under 'options' labled 'synchronize grid' to apply the changes to your grid. (Otherwise it takes about 15 minutes for the next highstate to run and changes to apply in the background)

Give it a few minutes, but if the switch is sending syslog data you should see it. You can use the SOC dashboard 'Syslog' to view syslog data

[loganterfehr]

Okay yep, got them coming in now. Thanks for the help Jorge.