Cisco IOS

Cisco IOS is one of the SIEM (InsightIDR) DHCP event sources and therefore provides data for SIEM (InsightIDR) to produce asset details, IP address history, incident details from your network, and other highly useful insights.

Before You Begin

In order for SIEM (InsightIDR) to have the Cisco IOS data, you’ll need to turn on logging in the Cisco appliance.

Follow the directions here: https://supportforums.cisco.com/document/24661/how-configure-logging-cisco-ios.

  1. Run the following command to turn on logging:
> debug ip dhcp server events
  2. Run the following commands to turn on the timestamps that the Rapid7 parser requires:
> service timestamps debug datetime year msec show-timezone
> service timestamps log datetime year msec show-timezone

Dynamic IP assignment

Cisco IOS devices can be used to dynamically assign IP addresses in a network; however, these devices do not log the hostname of the machine to which they leased an IP address.

In order to correlate DHCP leases with real machines within the network, the SIEM (InsightIDR) collector will make a reverse DNS request for the machine’s hostname. Because of this, in order to properly ingest Cisco IOS DHCP data, reverse DNS requests must be allowed on your network’s DNS servers.

ℹ️ DNS Configuration

Please make sure that DNS is properly configured on your collector host.
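To make the correlation step concrete, here is an added example (not Rapid7's collector code) that parses `debug ip dhcp server events` assignment lines carrying the `datetime year msec show-timezone` timestamp, performs the reverse DNS lookup for each leased address, and reports the addresses that could not be resolved, which is the failure mode the DNS note above and the troubleshooting section are about. The log lines, the client IDs and the hostnames are constructed for the example; the regular expression is an assumption about the line layout and should be adjusted if your device prints the fields differently. The resolver is injectable so the logic can be exercised without a live DNS server.

```python
import re
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Pattern for an address-assignment line from `debug ip dhcp server events`.
# The timestamp shape assumes `service timestamps debug datetime year msec
# show-timezone` is configured (constructed pattern; adjust it if the output
# of your device differs).
LEASE_RE = re.compile(
    r"^\*?"                                              # '*' when the clock is not authoritative
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4}\s+"          # e.g. 'Mar  1 2024 '
    r"\d{2}:\d{2}:\d{2}\.\d{3}\s+[A-Za-z]+):\s+"          # e.g. '00:05:34.123 UTC: '
    r"DHCPD: assigned IP address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to client (?P<client>[0-9a-f]{4}(?:\.[0-9a-f]{2,4})+)\.?$"
)


@dataclass
class Lease:
    timestamp: str
    ip: str
    client_id: str           # dotted-hex client identifier as logged by IOS
    hostname: Optional[str]  # None when the reverse DNS lookup failed


def parse_lease(line: str):
    """Return (timestamp, ip, client_id) for an assignment line, else None."""
    m = LEASE_RE.match(line.strip())
    if m is None:
        return None
    return m.group("ts"), m.group("ip"), m.group("client")


def reverse_dns(ip: str) -> Optional[str]:
    """PTR lookup via the host's resolver; None on any failure (NXDOMAIN, timeout, no DNS)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def correlate(lines: Iterable[str],
              resolver: Callable[[str], Optional[str]] = reverse_dns) -> List[Lease]:
    """Turn assignment lines into Lease records, attaching the reverse-DNS hostname."""
    leases: List[Lease] = []
    for line in lines:
        parsed = parse_lease(line)
        if parsed is None:          # other DHCPD debug chatter is ignored
            continue
        ts, ip, client = parsed
        leases.append(Lease(ts, ip, client, resolver(ip)))
    return leases


def unresolved(leases: List[Lease]) -> List[str]:
    """Leased addresses with no PTR record: candidates for the Insight Agent or Static IP Ranges."""
    return [lease.ip for lease in leases if lease.hostname is None]


# Constructed sample output; not captured from a real device.
SAMPLE_LOG = [
    "Mar  1 2024 00:05:34.123 UTC: DHCPD: assigned IP address 192.168.10.25 to client 0100.1122.3344.55.",
    "Mar  1 2024 00:05:35.001 UTC: DHCPD: DHCPREQUEST received from client 0100.1122.3344.55.",
    "*Mar  1 2024 00:05:40.500 UTC: DHCPD: assigned IP address 192.168.10.31 to client 01a0.b1c2.d3e4.f5.",
]

# Constructed PTR data standing in for the network's DNS servers.
FAKE_PTR = {"192.168.10.25": "ws-finance-07.corp.example"}


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG, resolver=FAKE_PTR.get)
    for lease in result:
        print(f"{lease.timestamp}  {lease.ip:<15} {lease.client_id:<20} {lease.hostname or '<no PTR record>'}")
    print("unresolved:", unresolved(result))
```

Run it against the real resolver by calling `correlate(lines)` without the `resolver` argument on the collector host; any address that comes back in `unresolved()` is one the network's DNS servers cannot answer a PTR query for, which is exactly the condition that breaks user attribution for Cisco IOS DHCP data.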

Configure SIEM (InsightIDR) to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in SIEM (InsightIDR).

To configure the new event source in SIEM (InsightIDR):

  1. From the left menu, go to **Data Collection** and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Cisco IOS in the event sources search bar.
    • In the Product Type filter, select DHCP.
  3. Select the Cisco IOS event source tile.
  4. Choose your collector. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unparsed logs.
  7. Configure any Advanced Event Source Settings.
  8. Select a collection method.
  9. If you chose TCP, optionally encrypt the event source by downloading the Rapid7 Certificate.
  10. Click Save.

Troubleshooting

Use one of the following solutions to resolve problems with the Cisco IOS event source:

  • Debug Mode
  • Unable to Perform Reverse DNS Lookup

Debug Mode

The following Embedded Event Manager (EEM) applet ensures that debug mode survives a restart by re-running the debug command when the router comes back up:

> event manager applet EnableDebugging
> event syslog occurs 1 pattern "%SYS-5-RESTART"
> action 1.0 cli command "enable"
> action 2.0 cli command "debug ip dhcp server events"

For more information on how to enable debugging on your router, please see this article: http://blog.ipspace.net/2007/06/re-enable-debugging-on-router-reload.html.

Unable to Perform Reverse DNS Lookup

If your Collector cannot perform reverse DNS lookups, SIEM (InsightIDR) may be unable to associate an IP address with a host, which prevents user attribution and data correlation.

To fix this problem:

  1. Install the Insight Agent on all of your assets; the Insight Agent automatically reports its hostname and IP address to SIEM (InsightIDR).
  2. Instead of adding your Cisco IOS device as an Event Source, add the static IP addresses it serves under Settings > Static IP Ranges.

This forces the Collector to perform a reverse DNS lookup for IP addresses it cannot find via DHCP or with the Insight Agent.