Cisco Switches & Routers
Overview
Cisco IOS, IOS-XE, and NX-OS devices generate syslog messages for security events, configuration changes, interface state, AAA authentication, and port-security violations. KYRA MDR collects these logs via syslog forwarding to monitor network infrastructure security, detect unauthorized access, and track configuration drift.
Prerequisites
- KYRA MDR account (MDR tier or above)
- KYRA Collector installed and reachable from the Cisco device management network
- Cisco IOS 15.x, IOS-XE 16.x/17.x, or NX-OS 7.x/9.x
- Privileged EXEC (enable) access to the device CLI
Configuration
Step 1: Configure Syslog on IOS / IOS-XE
Enter global configuration mode and set up syslog forwarding:
```
enable
configure terminal
! Enable logging (on by default; shown here so a stray "no logging on" gets undone)
logging on
! Send logs to KYRA Collector via TCP (reliable delivery)
logging host <COLLECTOR_IP> transport tcp port 514
! Set severity level (0=emergencies through 7=debugging, 6=informational recommended)
logging trap informational
! Set facility for syslog categorization
logging facility local7
! Use a stable source interface for a consistent source IP
logging source-interface Loopback0
! Enable millisecond timestamps with timezone
service timestamps log datetime msec localtime show-timezone
! Set logging buffer size (local buffer for fallback)
logging buffered 65536 informational
! Enable sequence numbers for log correlation
service sequence-numbers
end
write memory
```
Loopback0 must already exist and be reachable from the Collector; on a switch without a loopback use the management SVI instead (for example `logging source-interface Vlan<MGMT_VLAN>`). The TCP session carries syslog in cleartext, so keep it on the management network. Also make sure the device clock is synchronized with NTP: a leading `*` on the timestamp means the clock is not authoritative, which undermines correlation on the Collector.
Step 2: Configure Syslog on NX-OS
```
configure terminal
! Enable syslog server with severity level (6 = informational)
logging server <COLLECTOR_IP> 6 port 514 use-vrf management
! Source interface
logging source-interface mgmt0
! Enable millisecond timestamps
logging timestamp milliseconds
! Set logging level for specific facilities
logging level authpriv 6
logging level security 6
end
copy running-config startup-config
```
Step 3: Enable AAA Accounting for Authentication Events
Track login, command execution, and privilege escalation:
```
! IOS / IOS-XE
configure terminal
aaa new-model
aaa authentication login default local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
! Log successful and failed login attempts
login on-failure log
login on-success log
end
write memory
```
`aaa new-model` takes effect on every line, including the console, as soon as it is entered. Create a local user first (`username <ADMIN_USER> privilege 15 secret <PASSWORD>`) or you can lock yourself out. The accounting lines assume a TACACS+ server group is already defined, and those records go to the TACACS+ server, not to syslog. The two `login ... log` commands are what produce the `%SEC_LOGIN-4-LOGIN_FAILED` and `%SEC_LOGIN-5-LOGIN_SUCCESS` syslog messages the Collector sees, each with the username, source IP and local port.
Step 4: Enable Port-Security Logging
Detect unauthorized devices connecting to switch ports:
```
configure terminal
interface range GigabitEthernet0/1 - 24
 ! Port-security is rejected on a port in dynamic (DTP) mode; pin it to access first
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 60
 switchport port-security mac-address sticky
! Enable SNMP trap for port-security violations
snmp-server enable traps port-security
end
write memory
```
Port-security violation modes and their syslog behavior:
| Mode | Action | Syslog Message |
|---|---|---|
| protect | Drops offending traffic silently | No syslog generated |
| restrict | Drops offending traffic, increments the violation counter, sends syslog and SNMP trap | %PORT_SECURITY-2-PSECURE_VIOLATION |
| shutdown | Error-disables the port, sends syslog and SNMP trap | %PORT_SECURITY-2-PSECURE_VIOLATION followed by %PM-4-ERR_DISABLE |
A port error-disabled by `shutdown` mode stays down until an operator bounces it (`shutdown` / `no shutdown`) or `errdisable recovery cause psecure-violation` is configured, so `restrict` is the better default where availability matters and the syslog is what you are after.
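A check worth running before trusting the pipeline, added here as an example (it is not KYRA or Cisco code): parse a saved `show running-config` for the settings Steps 1, 3 and 4 require and report what is missing or mis-set, including any port that is in `protect` mode and therefore will never log a violation. The config text embedded in the block is constructed for illustration; the command patterns are the ones from the steps above, and a port with no `violation` line is treated as `shutdown`, the IOS default.

```python
"""Audit a saved Cisco IOS / IOS-XE running-config for the logging settings
Steps 1, 3 and 4 call for.  Added example for this page, not KYRA or Cisco
code.  SAMPLE_CONFIG is constructed for illustration."""
import re

# Global commands that must be present.  Regexes so the collector address
# and port can differ from the placeholders used on this page.
REQUIRED_GLOBAL = {
    "logging host (tcp)": r"^logging host \S+ transport tcp port \d+$",
    "logging trap informational": r"^logging trap informational$",
    "msec timestamps": r"^service timestamps log datetime msec localtime show-timezone$",
    "login on-failure log": r"^login on-failure log$",
    "login on-success log": r"^login on-success log$",
}

# Constructed sample: one global command missing, one port in 'protect' mode.
SAMPLE_CONFIG = """\
!
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
!
logging buffered 65536 informational
logging trap informational
logging source-interface Loopback0
logging host 10.10.1.50 transport tcp port 514
login on-failure log
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet0/3
 switchport mode access
!
end
"""


def interface_stanzas(config):
    """Yield (interface name, [indented commands]) for each interface block."""
    name, body = None, []
    for line in config.splitlines():
        if line.startswith("interface "):
            if name:
                yield name, body
            name, body = line.split(None, 1)[1], []
        elif name and line.startswith(" "):
            body.append(line.strip())
        elif name:  # '!' or another top-level command closes the stanza
            yield name, body
            name, body = None, []
    if name:
        yield name, body


def audit(config):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    for label, pattern in REQUIRED_GLOBAL.items():
        if not re.search(pattern, config, re.MULTILINE):
            findings.append(f"missing global command: {label}")
    # 'logging on' is the default and is not shown in the running-config;
    # only its negation appears, so that is what we look for.
    if re.search(r"^no logging on$", config, re.MULTILINE):
        findings.append("logging disabled (no logging on)")
    for name, body in interface_stanzas(config):
        if "switchport port-security" not in body:
            continue  # port-security not enabled here, nothing to check
        mode = "shutdown"  # IOS default when no violation mode is configured
        for cmd in body:
            m = re.match(r"switchport port-security violation (\S+)$", cmd)
            if m:
                mode = m.group(1)
        if mode == "protect":
            findings.append(f"{name}: violation mode 'protect' generates no syslog")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show running-config` saved to a file (`audit(open("switch1.cfg").read())`) and wire the result into whatever drift check you already run; the same stanza parser extends to NX-OS configs, whose interface blocks have the same shape.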
Step 5: Enable Configuration Change Notifications
```
configure terminal
! Archive configuration change logging
archive
 log config
  logging enable
  logging size 500
  notify syslog contenttype plaintext
  hidekeys
end
write memory
```
With `notify syslog` every configuration command is sent to the Collector as `%PARSER-5-CFGLOG_LOGGEDCMD: User:<name>  logged command:<command>`, which is far more useful for change tracking than the bare `%SYS-5-CONFIG_I` notice. `hidekeys` masks passwords and keys in those messages, so keep it.
Step 6: Configure SNMP Traps (Optional)
Forward SNMP traps to the KYRA Collector for additional event types:
```
configure terminal
snmp-server community <COMMUNITY_STRING> RO
snmp-server host <COLLECTOR_IP> version 2c <COMMUNITY_STRING>
snmp-server enable traps snmp authentication linkdown linkup
snmp-server enable traps config
snmp-server enable traps envmon
snmp-server enable traps mac-notification
! Enable MAC address table change notifications
mac address-table notification change
mac address-table notification change interval 60
end
write memory
```
An SNMPv2c community string is sent in cleartext and is the only credential, so restrict who may use it with an ACL (`snmp-server community <COMMUNITY_STRING> RO <ACL_NAME>`, where the ACL permits only the Collector) and prefer SNMPv3 with authPriv where the platform supports it. The `snmp authentication` trap is the one that reports failed community-string attempts against the device itself.
Step 7: Verify Configuration
```
! Verify logging configuration
show logging
! Check syslog server status (shows the remote host and message count)
show logging | include Logging to
! View recent log buffer (not every IOS release supports the tail filter; on NX-OS use: show logging last 20)
show logging | tail 20
! Verify port-security status
show port-security
! Verify SNMP trap configuration
show snmp host
! NX-OS: verify configured syslog servers
show logging server
```
Verify on KYRA Collector
```
kyra-collector status
kyra-collector logs --source cisco --tail 10
```
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| AAA Events | Login success/failure, privilege escalation, command authorization | Access control monitoring |
| Port Security | MAC address violations, unauthorized device connections | Rogue device detection |
| Configuration Changes | Config archive, SYS-5-CONFIG_I notifications | Change management |
| Interface State | Link up/down, error-disable, SFP changes | Network availability |
| Spanning Tree | Topology changes, root bridge elections, BPDU guard | Network integrity |
| SNMP Authentication | SNMP community string failures | Management plane security |
| DHCP Snooping | Untrusted DHCP server detection | MITM prevention |
| ACL Matches | Access list deny log matches | Firewall policy monitoring |
Key Cisco Syslog Facility Codes
Cisco messages follow the pattern `%FACILITY-SEVERITY-MNEMONIC: text`. The severity digit is what `logging trap` filters on, so with `informational` (6) configured in Step 1 every message below is forwarded and only debug (7) output is dropped.
| Facility-Severity-Mnemonic | Message Example | Description |
|---|---|---|
| %SEC-6-IPACCESSLOGP | ACL deny/permit match with logging | Access list event |
| %SEC_LOGIN-4-LOGIN_FAILED / %SEC_LOGIN-5-LOGIN_SUCCESS | Login result with user, source IP and local port (from `login on-failure log` / `login on-success log`) | Authentication event |
| %AUTHMGR-5-START/FAIL/SUCCESS | 802.1X authentication result | NAC event |
| %PORT_SECURITY-2-PSECURE_VIOLATION | Unauthorized MAC address detected | Port security violation |
| %SYS-5-CONFIG_I | Configuration changed from terminal | Config change notification |
| %PARSER-5-CFGLOG_LOGGEDCMD | Individual command logged by `archive log config` | Config change detail |
| %LINK-3-UPDOWN | Interface state change | Link status |
| %STP-2-ROOTGUARD_BLOCK (NX-OS; IOS reports %SPANTREE-2-ROOTGUARD_BLOCK) | STP root guard triggered | Spanning tree attack |
| %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT | Rogue DHCP server detected | DHCP spoofing |
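To show what the Collector side has to do with the log types and message codes in the two tables above, here is an added example (not KYRA Collector or Cisco code) that parses IOS syslog lines in the shape Step 1 produces (PRI, sequence number, millisecond timestamp with timezone, then `%FACILITY-SEVERITY-MNEMONIC`) and runs a few detections over them: repeated `%SEC_LOGIN-4-LOGIN_FAILED` from one source, a later `%SEC_LOGIN-5-LOGIN_SUCCESS` from that same source, `%PORT_SECURITY-2-PSECURE_VIOLATION`, plain `%SYS-5-CONFIG_I`, and a `%PARSER-5-CFGLOG_LOGGEDCMD` whose command turns off the device's own telemetry. The log lines, the threshold of three failures in 60 seconds, the pinned year and the list of "tampering" commands are all constructed for this example.

```python
"""Parse Cisco IOS syslog lines as the Step 1 configuration emits them and
run a few detections over them.  Added example for this page; not KYRA
Collector or Cisco code.  SAMPLE_LOGS, the thresholds and TAMPER_RE are
constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?"                      # syslog PRI as seen on the wire
    r"(?:(?P<seq>\d+): )?"                       # from 'service sequence-numbers'
    r"[*.]?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d(?:\.\d{3})?)"
    r"(?: (?P<tz>[A-Z]{1,5}))?: "                # from 'show-timezone'
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<msg>.*)$"
)
USER_RE = re.compile(r"\[user: ([^\]]+)\]")
SRC_RE = re.compile(r"\[Source: ([^\]]+)\]")
PSEC_RE = re.compile(r"MAC address (\S+) on port (\S+?)\.?$")
CMD_RE = re.compile(r"logged command:(.*)$")
# Constructed list of commands that reduce the device's own telemetry.
TAMPER_RE = re.compile(r"^no (logging|aaa|archive|login on-|service timestamps)")

# Constructed sample: brute force, then success, then a violation and a
# config change that removes the syslog destination.
SAMPLE_LOGS = [
    "<188>000101: Mar  1 12:00:01.101 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 12:00:01 UTC Mon Mar 1 2021",
    "<188>000102: Mar  1 12:00:05.230 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 12:00:05 UTC Mon Mar 1 2021",
    "<188>000103: Mar  1 12:00:09.412 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 12:00:09 UTC Mon Mar 1 2021",
    "<188>000104: Mar  1 12:00:40.007 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 12:00:40 UTC Mon Mar 1 2021",
    "<189>000105: Mar  1 12:01:30.500 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.10] [localport: 22] at 12:01:30 UTC Mon Mar 1 2021",
    "<186>000106: Mar  1 12:02:00.000 UTC: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/5.",
    "<189>000107: Mar  1 12:03:10.000 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "<189>000108: Mar  1 12:03:11.000 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no logging host 10.10.1.50",
    "<189>000109: Mar  1 12:05:00.000 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/5, changed state to down",
]


def parse_line(line, year=2021):
    """Split one IOS syslog line into its fields; None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sev"] = int(ev["sev"])
    # IOS prints month and day only; the year is pinned for the sample.
    ts = ev["ts"].replace("  ", " ")
    fmt = "%b %d %H:%M:%S.%f" if "." in ts else "%b %d %H:%M:%S"
    ev["time"] = datetime.strptime(f"{year} {ts}", "%Y " + fmt)
    return ev


def detect(lines, fail_threshold=3, window_s=60):
    """Return (rule, sequence number, detail) tuples in event order."""
    alerts = []
    failures = defaultdict(deque)   # source IP -> failure times in the window
    flagged = set()                 # sources already over the threshold
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            alerts.append(("unparsed", None, line[:40]))
            continue
        key = (ev["facility"], ev["mnemonic"])
        if key == ("SEC_LOGIN", "LOGIN_FAILED"):
            src = SRC_RE.search(ev["msg"]).group(1)
            q = failures[src]
            q.append(ev["time"])
            while (ev["time"] - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= fail_threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("login_bruteforce", ev["seq"], src))
        elif key == ("SEC_LOGIN", "LOGIN_SUCCESS"):
            src = SRC_RE.search(ev["msg"]).group(1)
            if src in flagged:   # success from a source that was brute forcing
                user = USER_RE.search(ev["msg"]).group(1)
                alerts.append(("success_after_bruteforce", ev["seq"], f"{user}@{src}"))
        elif key == ("PORT_SECURITY", "PSECURE_VIOLATION"):
            mac, port = PSEC_RE.search(ev["msg"]).groups()
            alerts.append(("port_security_violation", ev["seq"], f"{mac} on {port}"))
        elif key == ("SYS", "CONFIG_I"):
            alerts.append(("config_change", ev["seq"], ev["msg"]))
        elif key == ("PARSER", "CFGLOG_LOGGEDCMD"):
            cmd = CMD_RE.search(ev["msg"]).group(1).strip()
            if TAMPER_RE.match(cmd):
                alerts.append(("logging_tampering", ev["seq"], cmd))
    return alerts


if __name__ == "__main__":
    for rule, seq, detail in detect(SAMPLE_LOGS):
        print(f"{seq} {rule}: {detail}")
```

The sequence number is kept in every alert because, with `service sequence-numbers` on, it is the one field that survives a clock reset and lets you spot a gap in the stream; the `logging_tampering` rule is the reason to forward `%PARSER-5-CFGLOG_LOGGEDCMD` at all, since an attacker's first configuration change is often the one that removes the syslog destination.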
Troubleshooting
- No syslog output: Verify `logging on` is in effect (it is the default; `no logging on` in the running-config means someone disabled it) and the Collector IP is correct. Use `show logging | include Logging to` to confirm the remote host and its message count.
- Missing timestamps: Ensure `service timestamps log datetime msec localtime show-timezone` is configured. Without it, logs carry only an uptime counter or no time at all and cannot be parsed into absolute timestamps. Also sync the clock with NTP; a leading `*` on the timestamp means the clock is not authoritative.
- UDP packet loss: Switch from UDP to TCP with `logging host <IP> transport tcp port 514`. TCP provides reliable delivery with flow control.
- High volume from ACL logging: The `log` keyword on high-traffic ACEs generates excessive syslog. Use `log` or `log-input` only on critical deny rules, not on permit rules, and rate-limit what remains with `ip access-list logging interval <ms>` and `ip access-list log-update threshold <count>`.
- NX-OS VRF issues: On NX-OS, the syslog server must specify the correct VRF with `use-vrf management` or `use-vrf default`, depending on which VRF reaches the Collector. Check with `show logging server`.
- Port-security not logging: Verify the violation mode is `restrict` or `shutdown`, not `protect`. The `protect` mode silently drops packets without generating syslog. Check the mode and violation count per port with `show port-security interface <interface>`.
Contact kyra@seekerslab.com for integration support.