Send SD-WAN Syslog Events to Cisco Cloud

Before you begin

This procedure assumes that you are using Cisco Cloud Services Routers (CSRv) in an SD-WAN setup that you manage using the Cisco vManage dashboard.

Review the following prerequisites before performing the procedure:

  • Ensure your SecureX and CDO accounts are merged. For instructions, see Merge Your CDO and SecureX Accounts.

  • Ensure you have SecureX enabled on your CDO tenant in Settings > General Settings.

  • You should have a vSphere Client with the following specifications: 6 vCPU, 10GB of memory, and 64GB disk space.

Procedure


Step 1

Deploy an on-premises Secure Event Connector on your vSphere using a CDO Connector VM image by following the procedures in Installing an SEC Using a CDO Image.

Step 2

On your Cisco vManage, create a logging template that gets deployed to the Cloud Services Routers and a Unified Threat Defense (UTD) template that enables forwarding of events to the configured syslog server, which is the SEC in this case. For more information, see Cisco SD-WAN Systems and Interfaces Configuration Guide and Create Unified Security Policy Summary in the Cisco SD-WAN Security Configuration Guide.

Step 3

The SEC must be specified as a syslog server in the logging template for it to receive events. To do this, use the CLI configuration when creating the template in vManage. For example, you can use the following commands, with the logging host set to the IP address of the SEC:

utd engine standard multi-tenancy
utd global
logging host 192.0.2.1
logging host 192.0.2.254

line vty 1
line vty 0 4
line vty 2 4

Step 4

On your SEC, add an iptables NAT rule that redirects syslog traffic arriving on port 514 (UDP) to port 10025 (UDP), so that the SEC receives logs from vManage:

iptables -t nat -A PREROUTING -i <interface> -p udp --dport 514 -j REDIRECT --to-port 10025

You can verify that the rule was added with the iptables -t nat -L -n -v command.

Step 5

Add the following lines to the configuration file — /etc/rsyslog.d/1-ftd-events.conf — so that the SD-WAN events are filtered, captured, and processed:

if ($rawmsg contains "Hostname" or $rawmsg contains "430001" or
    $rawmsg contains "430002" or $rawmsg contains "430003" or $rawmsg contains "430005" or
    $rawmsg contains "430004" or re_match($rawmsg, '(%ASA-[1-7]-[0-9]{6,7}:)')) then {
    action(name="send_to_eventsplugin" type="omfwd" action.resumeRetryCount="5"
           Target="127.0.0.1" Port="10325" Protocol="tcp" Template="CUSTOM_ForwardFormat")
    stop
}

You should now start receiving SD-WAN events, which you can view and analyze in CDO.
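The rsyslog condition in Step 5 decides which messages reach the SEC's events plugin, so it is worth checking its behaviour before the SEC sits in the path of live router traffic. The following is an added example, not part of the Cisco procedure or the SEC's own code: a Python mirror of that condition (same event IDs, same regex, same "contains" semantics) run over constructed sample syslog lines. The sample lines and their format are assumptions made up for the demo, not captured device output.

```python
import re

# Added example: a Python mirror of the rsyslog condition in
# /etc/rsyslog.d/1-ftd-events.conf, so the filter can be checked against
# sample messages before the SEC is put in the path of real router traffic.
# The message IDs and the regex are the ones from the rsyslog rule; the
# sample syslog lines below are constructed for this demo, not device output.

UTD_EVENT_IDS = ("430001", "430002", "430003", "430004", "430005")
# Same pattern as the rsyslog re_match() call (POSIX ERE and Python re agree here).
ASA_PREFIX = re.compile(r"(%ASA-[1-7]-[0-9]{6,7}:)")


def match_reason(rawmsg: str):
    """Return why the rsyslog 'if (...) then' block would fire for rawmsg, or None.

    Mirrors the rule's semantics exactly: 'contains' is a plain substring test,
    so the event IDs match anywhere in the message, not only as a whole token.
    """
    if "Hostname" in rawmsg:
        return "Hostname"
    for event_id in UTD_EVENT_IDS:
        if event_id in rawmsg:
            return "utd:" + event_id
    m = ASA_PREFIX.search(rawmsg)
    if m:
        return "asa:" + m.group(1)
    return None


def matches_sdwan_filter(rawmsg: str) -> bool:
    """True if rsyslog would forward rawmsg to the events plugin (127.0.0.1:10325)."""
    return match_reason(rawmsg) is not None


def select_forwarded(lines):
    """Apply the filter to a batch of raw syslog lines.

    Returns (line, reason) pairs for the lines that would be forwarded; the
    rest fall through to later rsyslog rules instead of reaching 'stop'.
    """
    return [(line, match_reason(line)) for line in lines if matches_sdwan_filter(line)]


# Constructed sample lines covering each branch of the condition plus two
# non-matching cases (an IOS-style syslog message, and an ASA message with
# severity 0, which the [1-7] class in the regex deliberately excludes).
SAMPLE_LINES = [
    "<190>Jan 10 12:00:01 csr-edge1 Hostname=csr-edge1 UTD engine started",
    "<190>Jan 10 12:00:02 csr-edge1 utd: event 430002 signature match src=10.0.0.5",
    "<166>Jan 10 12:00:03 fw1 %ASA-6-302013: Built outbound TCP connection",
    "<189>Jan 10 12:00:04 csr-edge1 %SYS-5-CONFIG_I: Configured from console",
    "<162>Jan 10 12:00:05 fw1 %ASA-0-199013: Boot sequence complete",
    # Substring caveat: '430001' inside an unrelated counter still matches.
    "<190>Jan 10 12:00:06 csr-edge1 interface counter bytes=14300012",
]

if __name__ == "__main__":
    for line, reason in select_forwarded(SAMPLE_LINES):
        print(f"{reason:<20} {line}")
```

Running the script forwards the first three lines for the expected reasons and drops the IOS and severity-0 ASA lines. The last line shows a property of the rule worth knowing when tuning it: "contains" is a substring test, so a message whose counters or timestamps happen to include "430001" is also forwarded. If that produces noise in CDO, the rsyslog rule can be tightened with a re_match() on the event ID in its expected position, in the same way the ASA branch already anchors on the "%ASA-" prefix.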


What to do next

Log in to your CDO tenant and navigate to Analytics > Event Logging. From the filter, select SD-WAN Events and you should now be able to see all your SD-WAN events in CDO.