New

The executive guide to generative AI

Read more

Cisco Nexus

edit

Version

1.2.0 (View all)

Compatible Kibana version(s)

8.11.0 or higher

Supported Serverless project types
What’s this?

Security
Observability

Subscription level
What’s this?

Basic

Level of support
What’s this?

Elastic

Overview

edit

The Cisco Nexus integration allows users to monitor Errors and System Messages. The Cisco Nexus series switches are modular and fixed port network switches designed for the data center. All switches in the Nexus range run the modular NX-OS firmware/operating system on the fabric. NX-OS has some high-availability features compared to the well-known Cisco IOS. This platform is optimized for high-density 10 Gigabit Ethernet.

Use the Cisco Nexus integration to collect and parse data from Syslog and log files. Then visualize that data through search, correlation and visualization within Elastic Security.

Data streams

edit

The Cisco Nexus integration collects one type of data: log.

Log consists of errors and system messages. See more details about errors and system messages

Requirements

edit

Elastic Agent must be installed. For more information, refer to the link here.

The minimum kibana.version required is 8.7.0.

This module has been tested against the Cisco Nexus Series 9000, 3172T and 3048 Switches.

Setup

edit

To collect data from Cisco Nexus, follow the below steps:

edit

NOTE:

  • Configuration steps can vary from switch to switch. We have mentioned steps for the configuration of the 9K series of switches.
  • Use the Timezone Offset parameter, if the timezone is not present in the log messages.

Logs Reference

edit

Log

edit

This is the Log dataset.

Example

An example event for log looks as following:

{
    "@timestamp": "2023-04-26T09:08:48.000Z",
    "agent": {
        "ephemeral_id": "81553388-678e-4d17-8f75-7c7870f7f06c",
        "id": "45b4f828-da65-463c-980e-09ba9a67922b",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.10.2"
    },
    "cisco_nexus": {
        "log": {
            "description": "EARL 0  NF ASIC: Uncorrectable Parity error in Netflow Table.",
            "facility": "EARL",
            "priority_number": 187,
            "severity": 3,
            "standby": "SW2_DFC1",
            "switch_name": "switchname",
            "time": "2023-04-26T09:08:48.000Z",
            "timezone": "UTC",
            "type": "NF_PARITY_ERROR"
        }
    },
    "data_stream": {
        "dataset": "cisco_nexus.log",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "45b4f828-da65-463c-980e-09ba9a67922b",
        "snapshot": false,
        "version": "8.10.2"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "network"
        ],
        "code": "NF_PARITY_ERROR",
        "dataset": "cisco_nexus.log",
        "ingested": "2023-10-03T09:37:59Z",
        "kind": "event",
        "original": "<187>switchname: 2023 Apr 26 09:08:48 UTC: %EARL-SW2_DFC1-3-NF_PARITY_ERROR: EARL 0  NF ASIC: Uncorrectable Parity error in Netflow Table.",
        "severity": 3,
        "type": [
            "info"
        ]
    },
    "input": {
        "type": "tcp"
    },
    "log": {
        "level": "error",
        "source": {
            "address": "192.168.0.5:48836"
        },
        "syslog": {
            "facility": {
                "code": 23
            },
            "priority": 187,
            "severity": {
                "code": 3
            }
        }
    },
    "message": "EARL 0  NF ASIC: Uncorrectable Parity error in Netflow Table.",
    "observer": {
        "name": "switchname",
        "product": "Nexus",
        "type": "switches",
        "vendor": "Cisco"
    },
    "tags": [
        "preserve_original_event",
        "preserve_duplicate_custom_fields",
        "forwarded",
        "cisco_nexus-log"
    ]
}
Exported fields
Field Description Type

@timestamp

Event timestamp.

date

cisco_nexus.log.command

keyword

cisco_nexus.log.description

keyword

cisco_nexus.log.euid

keyword

cisco_nexus.log.facility

keyword

cisco_nexus.log.interface.mode

keyword

cisco_nexus.log.interface.name

keyword

cisco_nexus.log.ip_address

ip

cisco_nexus.log.line_protocol_state

keyword

cisco_nexus.log.logname

keyword

cisco_nexus.log.network.egress_interface

keyword

cisco_nexus.log.network.ingress_interface

keyword

cisco_nexus.log.operating_value

keyword

cisco_nexus.log.operational.duplex_mode

keyword

cisco_nexus.log.operational.receive_flow_control_state

keyword

cisco_nexus.log.operational.speed

keyword

cisco_nexus.log.operational.transmit_flow_control_state

keyword

cisco_nexus.log.priority_number

long

cisco_nexus.log.pwd

keyword

cisco_nexus.log.rhost

keyword

cisco_nexus.log.ruser

keyword

cisco_nexus.log.sequence_number

long

cisco_nexus.log.severity

long

cisco_nexus.log.slot_number

long

cisco_nexus.log.standby

keyword

cisco_nexus.log.state

keyword

cisco_nexus.log.switch_name

keyword

cisco_nexus.log.syslog_time

date

cisco_nexus.log.terminal

keyword

cisco_nexus.log.threshold_value

keyword

cisco_nexus.log.time

date

cisco_nexus.log.timezone

keyword

cisco_nexus.log.tty

keyword

cisco_nexus.log.type

keyword

cisco_nexus.log.uid

keyword

data_stream.dataset

Data stream dataset.

constant_keyword

data_stream.namespace

Data stream namespace.

constant_keyword

data_stream.type

Data stream type.

constant_keyword

event.dataset

Event dataset.

constant_keyword

event.module

Event module.

constant_keyword

input.type

Type of Filebeat input.

keyword

log.file.device_id

ID of the device containing the filesystem where the file resides.

keyword

log.file.fingerprint

The sha256 fingerprint identity of the file when fingerprinting is enabled.

keyword

log.file.idxhi

The high-order part of a unique identifier that is associated with a file. (Windows-only)

keyword

log.file.idxlo

The low-order part of a unique identifier that is associated with a file. (Windows-only)

keyword

log.file.inode

Inode number of the log file.

keyword

log.file.vol

The serial number of the volume that contains a file. (Windows-only)

keyword

log.offset

Log offset.

long

log.source.address

Source address from which the log event was read / sent from.

keyword

tags

User defined tags.

keyword

Changelog

edit
Changelog
Version Details Kibana version(s)

1.2.0

Enhancement (View pull request)
Allow @custom pipeline access to event.original without setting preserve_original_event.

8.11.0 or higher

1.1.1

Bug fix (View pull request)
Fix ingest pipeline warnings

8.7.0 or higher

1.1.0

Enhancement (View pull request)
Update package spec to 3.0.3.

8.7.0 or higher

1.0.1

Enhancement (View pull request)
Changed owners

8.7.0 or higher

1.0.0

Enhancement (View pull request)
Release package as GA.

8.7.0 or higher

0.21.1

Bug fix (View pull request)
Fix exclude_files pattern.

0.21.0

Enhancement (View pull request)
ECS version updated to 8.11.0.

0.20.0

Enhancement (View pull request)
Improve event.original check to avoid errors if set.

0.19.0

Enhancement (View pull request)
Adapt fields for changes in file system info

0.18.0

Enhancement (View pull request)
ECS version updated to 8.10.0.

0.17.0

Enhancement (View pull request)
The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added owner.type: elastic to package manifest.

0.16.0

Enhancement (View pull request)
Add tags.yml file so that integration’s dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.

0.15.0

Enhancement (View pull request)
Update package to ECS 8.9.0.

0.14.2

Bug fix (View pull request)
Remove confusing error message tag prefix.

0.14.1

Enhancement (View pull request)
Add support for new log format.

0.14.0

Enhancement (View pull request)
Ensure event.kind is correctly set for pipeline errors.

0.13.0

Enhancement (View pull request)
Replace RSA2ELK with Syslog integration.

0.12.0

Enhancement (View pull request)
Update package to ECS 8.8.0.

0.11.0

Enhancement (View pull request)
Update package-spec version to 2.7.0.

0.10.0

Enhancement (View pull request)
Update package to ECS 8.7.0.

0.9.0

Enhancement (View pull request)
Update package to ECS 8.6.0.

0.8.0

Enhancement (View pull request)
Update package to ECS 8.5.0.

0.7.3

Bug fix (View pull request)
Remove duplicate fields.

0.7.2

Bug fix (View pull request)
Remove duplicate field.

0.7.1

Enhancement (View pull request)
Use ECS geo.location definition.

0.7.0

Enhancement (View pull request)
Update package to ECS 8.4.0

0.6.0

Enhancement (View pull request)
Update package to ECS 8.3.0.

0.5.1

Enhancement (View pull request)
Updated readme file

0.5.0

Enhancement (View pull request)
Update to ECS 8.2.0

0.4.1

Enhancement (View pull request)
Add documentation for multi-fields

0.4.0

Enhancement (View pull request)
Update to ECS 8.0.0

0.3.1

Bug fix (View pull request)
Regenerate test files using the new GeoIP database

0.3.0

Enhancement (View pull request)
Add 8.0.0 version constraint

0.2.3

Enhancement (View pull request)
Update Title and Description.

0.2.2

Bug fix (View pull request)
Fixed a bug that prevents the package from working in 7.16.

0.2.1

Bug fix (View pull request)
Fix logic that checks for the forwarded tag

0.2.0

Enhancement (View pull request)
Update to ECS 1.12.0

0.1.0

Enhancement (View pull request)
Initial implementation for splitting Cisco nexus from Cisco package

Was this helpful?
Feedback