Cisco IOS

Overview

Cisco IOS provides data for InsightOps such as asset details, IP address history, incident details from your network, and other highly useful insights.

Before You Begin

In order for InsightOps to have the Cisco IOS data, you'll need to turn on logging.

If you don't know how to turn on logging, directions can be found in this article.

  1. Run the following command to turn on logging:

     > debug ip dhcp server events

  2. Run the following commands to turn on the required timestamps for the Rapid7 parser:

     > service timestamps debug datetime year msec show-timezone
     > service timestamps log datetime year msec show-timezone

Dynamic IP assignment

Cisco IOS devices can be used to dynamically assign IP addresses in a network; however, these devices do not log the hostname of the machine they leased an IP address to. To correlate DHCP leases with real machines within the network, the InsightOps collector makes a reverse DNS request for the machine's hostname. Because of this, reverse DNS requests must be allowed on your network's DNS servers in order to properly ingest Cisco IOS DHCP data.

DNS Configuration

Please make sure that DNS is properly configured on your collector host.
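One way to check reverse DNS coverage for a DHCP pool from the collector host, as an added example that is not part of the Rapid7 documentation or tooling. It assumes the collector uses the host's system resolver; the function names and the default 192.0.2.0/29 pool are constructed for illustration.

```python
import ipaddress
import socket
import sys


def reverse_lookup(ip, resolver=socket.gethostbyaddr):
    """Return the PTR hostname for ip, or None when the reverse lookup fails."""
    try:
        hostname, _aliases, _addresses = resolver(ip)
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None
    return hostname


def audit_pool(cidr, resolver=socket.gethostbyaddr):
    """Map every usable host address in the pool to its PTR hostname (or None)."""
    network = ipaddress.ip_network(cidr, strict=False)
    return {str(ip): reverse_lookup(str(ip), resolver) for ip in network.hosts()}


def missing_ptr(results):
    """Addresses with no reverse record, in numeric order."""
    return sorted(
        (ip for ip, name in results.items() if name is None),
        key=ipaddress.ip_address,
    )


if __name__ == "__main__":
    # Pass your DHCP pool as the first argument; the default is a
    # constructed documentation range, not a real network.
    pool = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.0/29"
    results = audit_pool(pool)
    for ip, name in results.items():
        print(f"{ip:<15} {name or 'NO PTR RECORD'}")
    unresolved = missing_ptr(results)
    print(f"{len(unresolved)} of {len(results)} addresses have no reverse record")
    # Non-zero exit so the check can gate a deployment script.
    sys.exit(1 if unresolved else 0)
```

Leases for addresses reported without a PTR record cannot be tied to a hostname by a reverse lookup, so fix those records on the DNS server before relying on the event source for attribution.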

How to Configure This Event Source

  1. From your InsightOps dashboard, select Data Collection on the left-hand menu
  2. At the top right of the page, select Add Data
  3. Select the DHCP icon from the User Attribution section
  4. Select your collector, and optionally name your event source
  5. From the list of event source options, choose Cisco IOS
  6. Choose a timezone, or optionally display only US timezones
  7. Optionally choose to send unfiltered logs.
    • Note: unfiltered logs will not provide any additional data for this event source
  8. Configure inactivity timeout threshold in minutes.
  9. Select either Listen for Syslog or Log Aggregator; both require that you specify a port and a protocol. Optionally choose to Encrypt the event source if choosing TCP.
  10. If you are choosing to encrypt, select the button "Download Certificate" which will download Rapid7's certificate. This file will be called Rapid7CA.pem and will allow InsightOps and Cisco IOS to "trust" each other during log forwarding.

Advanced Event Source Settings

Inactivity Timeout Threshold: specify in minutes how long the event source should be active before it enters an error state.

Active Failover Partner: If you have two DHCP servers configured in an active/passive relationship, optionally specify the active partner.

Troubleshooting

The command to have debug mode survive a server restart is as follows:

> event manager applet EnableDebugging
> event syslog occurs 1 pattern "%SYS-5-RESTART"
> action 1.0 cli command "enable"
> action 2.0 cli command "debug ip dhcp server events"

For more information on how to enable debugging on your router, please see this article.