Cisco IOS is one of the InsightIDR DHCP event sources and therefore provides data for InsightIDR to produce asset details, IP address history, incident details from your network, and other highly useful insights.
Before You Begin
In order for InsightIDR to have the Cisco IOS data, you'll need to turn on logging in the Cisco appliance.
Follow the directions here: https://supportforums.cisco.com/document/24661/how-configure-logging-cisco-ios.
- Run the following command to turn on logging:
> debug ip dhcp server events
- Run the following command to turn on the required timestamps for the Rapid7 parser:
1> service timestamps debug datetime year msec show-timezone2> service timestamps log datetime year msec show-timezone
Dynamic IP assignment
Cisco IOS devices can be used to dynamically assign IP addresses in a network; however, these devices do not log the hostname of the machine that it leased an IP address to.
In order to correlate DHCP leases with real machines within the network, the InsightIDR collector will make a reverse DNS request for the machine's hostname. Because of this, in order to properly ingest Cisco IOS DHCP data, reverse DNS requests must be allowed on your network's DNS servers.
Please make sure that DNS is properly configured on your collector host.
How to Configure This Event Source
- From your dashboard, select Data Collection on the left hand menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the “Security Data” section, click the DHCP icon. The “Add Event Source” panel appears.
- Choose your collector and event source. You can also name your event source if you want.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unfiltered logs.
- Configure any Advanced Event Source Settings.
- Select a collection method.
- Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
- Click Save.
Use one of the following solutions to resolve the Cisco IOS problem:
- Debug Mode
- Unable to Perform Reverse DNS Lookup
The following command ensures that the debug mode survives a server restart:
1> event manager applet EnableDebugging2> event syslog occurs 1 pattern "%SYS-5-RESTART"3> action 1.0 cli command "enable"4> action 2.0 cli command "debug ip dhcp server events"
For more information on how to enable debugging on your router, please see this article: http://blog.ipspace.net/2007/06/re-enable-debugging-on-router-reload.html.
Unable to Perform Reverse DNS Lookup
If you are experiencing issues enabling or performing reverse DNS lookups on your Collector, it may be because InsightIDR cannot associate an IP address with a host, which prevents user attribution and data correlation.
To fix this problem:
- install the Insight Agent on all of your assets; the Insight Agent automatically reports its hostname IP address to InsightIDR.
- Add the static IP addresses for your Cisco IOS box instead of as an Event Source. Do this under Settings > Static IP Ranges.
This forces the Collector to perform a reverse DNS lookup for IP addresses it cannot find via DHCP or with the Insight Agent.