Collect Cisco switch logs

This document explains how to ingest Cisco switch logs to Google Security Operations using a Bindplane agent. The parser extracts fields from SYSLOG messages, mapping them to a unified data model (UDM) based on identified patterns and keywords. It handles a wide range of events, including DHCP, SSH, login attempts, network traffic, and system status updates, categorizing them and enriching the data with relevant security details.

Before you begin

• Ensure that you have a Google SecOps instance.
• Ensure that you are using Windows 2016 or later, or a Linux host with systemd .
• If running behind a proxy, ensure firewall ports are open.
• Ensure that you have privileged access to a Cisco switch.

Get Google SecOps ingestion authentication file

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Collection Agents.
3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Profile.
3. Copy and save the Customer IDfrom the Organization Detailssection.

Install the Bindplane agent

Windows installation

1. Open the Command Promptor PowerShellas an administrator.

2. Run the following command:

     msiexec 
     
    / 
    i 
     
    "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" 
     
    / 
    quiet 
    
   

Linux installation

1. Open a terminal with root or sudo privileges.

2. Run the following command:

    sudo  
   sh  
   -c  
    " 
    $( 
   curl  
   -fsSlL  
   https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
    " 
     
   install_unix.sh 
   

Additional installation resources

• For additional installation options, consult this installation guide .

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

1. Access the configuration file:

   1. Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
   2. Open the file using a text editor (for example, nano , vi , or Notepad).

2. Edit the config.yaml file as follows:

     receivers 
    : 
     
    udplog 
    : 
     
    # Replace the port and IP address as required 
     
    listen_address 
    : 
     
    "0.0.0.0:514" 
    exporters 
    : 
     
    chronicle/chronicle_w_labels 
    : 
     
    compression 
    : 
     
    gzip 
     
    # Adjust the path to the credentials file you downloaded in Step 1 
     
    creds 
    : 
     
    '/path/to/ingestion-authentication-file.json' 
     
    # Replace with your actual customer ID from Step 2 
     
    customer_id 
    : 
     
   < customer_id 
   >  
    endpoint 
    : 
     
    malachiteingestion-pa.googleapis.com 
     
    # Add optional ingestion labels for better organization 
     
    ingestion_labels 
    : 
     
    log_type 
    : 
     
    CISCO_SWITCH 
     
    raw_log_field 
    : 
     
    body 
    service 
    : 
     
    pipelines 
    : 
     
    logs/source0__chronicle_w_labels-0 
    : 
     
    receivers 
    : 
     
    - 
     
    udplog 
     
    exporters 
    : 
     
    - 
     
    chronicle/chronicle_w_labels 
    
   

3. Replace the port and IP address as required in your infrastructure.

4. Replace <customer_id> with the actual customer ID.

5. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

• To restart the Bindplane agent in Linux, run the following command:

   sudo  
  systemctl  
  restart  
  bindplane-agent 
  

• To restart the Bindplane agent in Windows, you can either use the Servicesconsole or enter the following command:

   net stop BindPlaneAgent && net start BindPlaneAgent 
  

Configure Syslog on a Cisco switch

1. Sign in to the Cisco Switch.

2. Escalate privileges by entering the enable command:

    Switch>  
    enable 
   Switch# 
   

3. Switch to configuration mode by entering the conf t command:

    Switch#  
   conf  
   t
   Switch ( 
   config ) 
    # 
    
   

4. Enter the following commands:

    logging  
   host  
   <bindplane-server-ip>  
   transport  
   <tcp/udp>  
   port  
   <port-number>
   logging  
   source-interface  
   <interface> 
   

   • Replace <bindplane-server-ip> with the Bindplane Agent IP address, and <port-number> with the configured port.
   • Replace <tcp/udp> with the configured listening protocol on the Bindplane Agent. (For example, udp ).
   • Replace <interface> with the Cisco interface ID.

5. Set the priority level by entering the following command:

    logging  
    trap 
     
   Informational  
   logging  
   console  
   Informational  
   logging  
   severity  
   Informational 
   

6. Set the syslog facility:

    logging  
   facility  
   local6 
   

7. Enable timestamps by entering the following command:

    service  
   timestamps  
   log  
   datetime 
   

8. Save and exit.

9. Configure the settings to survive restart by entering the following command:

    copy  
   running-config  
   startup-config 
   

UDM Mapping Table

Log field	UDM mapping	Logic
action	security_result.action_details	Value of this field is derived from the action field in the raw log.
day
description	metadata.description	Value of this field is derived from the description field in the raw log.
description	security_result.description	Value of this field is derived from the description field in the raw log.
destination_ip	target.asset.ip	Value of this field is derived from the destination_ip field in the raw log.
destination_ip	target.ip	Value of this field is derived from the destination_ip field in the raw log.
destination_port	target.port	Value of this field is derived from the destination_port field in the raw log.
device	principal.asset.hostname	Value of this field is derived from the device field in the raw log.
device	principal.hostname	Value of this field is derived from the device field in the raw log.
device	target.asset.hostname	Value of this field is derived from the device field in the raw log.
device	target.hostname	Value of this field is derived from the device field in the raw log.
device_ip	principal.asset.ip	Value of this field is derived from the device_ip field in the raw log.
device_ip	principal.ip	Value of this field is derived from the device_ip field in the raw log.
device_ip	target.asset.ip	Value of this field is derived from the device_ip field in the raw log.
device_ip	target.ip	Value of this field is derived from the device_ip field in the raw log.
facility	principal.resource.type	Value of this field is derived from the facility field in the raw log.
header_data	metadata.product_log_id	Value of this field is derived from the header_data field in the raw log.
header_data	target.asset.ip	Value of this field is derived from the header_data field in the raw log.
header_data	target.ip	Value of this field is derived from the header_data field in the raw log.
hostname	principal.asset.hostname	Value of this field is derived from the hostname field in the raw log.
hostname	principal.hostname	Value of this field is derived from the hostname field in the raw log.
ip	principal.asset.ip	Value of this field is derived from the ip field in the raw log.
ip	principal.ip	Value of this field is derived from the ip field in the raw log.
ip_address	principal.asset.ip	Value of this field is derived from the ip_address field in the raw log.
ip_address	principal.ip	Value of this field is derived from the ip_address field in the raw log.
ip_protocol	network.ip_protocol	Value of this field is derived from the ip_protocol field in the raw log.
mac	principal.mac	Value of this field is derived from the mac field in the raw log.
mnemonic	network.dhcp.opcode	Value of this field is derived from the mnemonic field in the raw log.
mnemonic	metadata.product_event_type	Value of this field is derived from the mnemonic field in the raw log.
month
p_ip	principal.asset.ip	Value of this field is derived from the p_ip field in the raw log.
p_ip	principal.ip	Value of this field is derived from the p_ip field in the raw log.
port	target.port	Value of this field is derived from the port field in the raw log.
priority
protocol	network.ip_protocol	Value of this field is derived from the protocol field in the raw log.
reason
rule	security_result.rule_id	Value of this field is derived from the rule field in the raw log.
sec_result_action	security_result.action	Value of this field is derived from the sec_result_action field in the raw log.
severity
source	principal.asset.ip	Value of this field is derived from the source field in the raw log.
source	principal.ip	Value of this field is derived from the source field in the raw log.
source_ip	network.dhcp.ciaddr	Value of this field is derived from the source_ip field in the raw log.
source_ip	principal.asset.ip	Value of this field is derived from the source_ip field in the raw log.
source_ip	principal.ip	Value of this field is derived from the source_ip field in the raw log.
source_mac	network.dhcp.chaddr	Value of this field is derived from the source_mac field in the raw log.
source_port	principal.port	Value of this field is derived from the source_port field in the raw log.
summary	security_result.summary	Value of this field is derived from the summary field in the raw log.
time
timezone
user	principal.user.userid	Value of this field is derived from the user field in the raw log.
user	target.user.userid	Value of this field is derived from the user field in the raw log.
when
year
	extensions.auth.type	MACHINE
	metadata.log_type	CISCO_SWITCH
	metadata.vendor_name	Cisco
	metadata.product_name	Cisco Switch
	network.application_protocol	DHCP
	network.dhcp.type	REQUEST

Need more help? Get answers from Community members and Google SecOps professionals.