You are viewing docs on Elastic's new documentation system, currently in technical preview. For all other Elastic docs, visit elastic.co/guide.

Cisco Nexus

Collect logs from Cisco Nexus with Elastic Agent.

What is an Elastic integration?
Version
1.1.1 (View all)
Compatible Kibana version(s)
8.7.0 or higher
Supported Serverless project types

What's this?
Security
Observability
Subscription level
What's this?
Basic
Level of support
What's this?
Elastic

Overview

The Cisco Nexus integration allows users to monitor Errors and System Messages. The Cisco Nexus series switches are modular and fixed port network switches designed for the data center. All switches in the Nexus range run the modular NX-OS firmware/operating system on the fabric. NX-OS has some high-availability features compared to the well-known Cisco IOS. This platform is optimized for high-density 10 Gigabit Ethernet.

Use the Cisco Nexus integration to collect and parse data from Syslog and log files. Then visualize that data through search, correlation and visualization within Elastic Security.

Data streams

The Cisco Nexus integration collects one type of data: log.

Log consists of errors and system messages. See more details about errors and system messages

Requirements

Elastic Agent must be installed. For more information, refer to the link here.

The minimum kibana.version required is 8.7.0.

This module has been tested against the Cisco Nexus Series 9000, 3172T and 3048 Switches.

Setup

To collect data from Cisco Nexus, follow the below steps:

NOTE:

  • Configuration steps can vary from switch to switch. We have mentioned steps for the configuration of the 9K series of switches.
  • Use the Timezone Offset parameter, if the timezone is not present in the log messages.

Logs Reference

Log

This is the Log dataset.

Example

An example event for log looks as following:

{
    "@timestamp": "2023-04-26T09:08:48.000Z",
    "agent": {
        "ephemeral_id": "81553388-678e-4d17-8f75-7c7870f7f06c",
        "id": "45b4f828-da65-463c-980e-09ba9a67922b",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.10.2"
    },
    "cisco_nexus": {
        "log": {
            "description": "EARL 0  NF ASIC: Uncorrectable Parity error in Netflow Table.",
            "facility": "EARL",
            "priority_number": 187,
            "severity": 3,
            "standby": "SW2_DFC1",
            "switch_name": "switchname",
            "time": "2023-04-26T09:08:48.000Z",
            "timezone": "UTC",
            "type": "NF_PARITY_ERROR"
        }
    },
    "data_stream": {
        "dataset": "cisco_nexus.log",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "45b4f828-da65-463c-980e-09ba9a67922b",
        "snapshot": false,
        "version": "8.10.2"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "network"
        ],
        "code": "NF_PARITY_ERROR",
        "dataset": "cisco_nexus.log",
        "ingested": "2023-10-03T09:37:59Z",
        "kind": "event",
        "original": "<187>switchname: 2023 Apr 26 09:08:48 UTC: %EARL-SW2_DFC1-3-NF_PARITY_ERROR: EARL 0  NF ASIC: Uncorrectable Parity error in Netflow Table.",
        "severity": 3,
        "type": [
            "info"
        ]
    },
    "input": {
        "type": "tcp"
    },
    "log": {
        "level": "error",
        "source": {
            "address": "192.168.0.5:48836"
        },
        "syslog": {
            "facility": {
                "code": 23
            },
            "priority": 187,
            "severity": {
                "code": 3
            }
        }
    },
    "message": "EARL 0  NF ASIC: Uncorrectable Parity error in Netflow Table.",
    "observer": {
        "name": "switchname",
        "product": "Nexus",
        "type": "switches",
        "vendor": "Cisco"
    },
    "tags": [
        "preserve_original_event",
        "preserve_duplicate_custom_fields",
        "forwarded",
        "cisco_nexus-log"
    ]
}

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
cisco_nexus.log.command
keyword
cisco_nexus.log.description
keyword
cisco_nexus.log.euid
keyword
cisco_nexus.log.facility
keyword
cisco_nexus.log.interface.mode
keyword
cisco_nexus.log.interface.name
keyword
cisco_nexus.log.ip_address
ip
cisco_nexus.log.line_protocol_state
keyword
cisco_nexus.log.logname
keyword
cisco_nexus.log.network.egress_interface
keyword
cisco_nexus.log.network.ingress_interface
keyword
cisco_nexus.log.operating_value
keyword
cisco_nexus.log.operational.duplex_mode
keyword
cisco_nexus.log.operational.receive_flow_control_state
keyword
cisco_nexus.log.operational.speed
keyword
cisco_nexus.log.operational.transmit_flow_control_state
keyword
cisco_nexus.log.priority_number
long
cisco_nexus.log.pwd
keyword
cisco_nexus.log.rhost
keyword
cisco_nexus.log.ruser
keyword
cisco_nexus.log.sequence_number
long
cisco_nexus.log.severity
long
cisco_nexus.log.slot_number
long
cisco_nexus.log.standby
keyword
cisco_nexus.log.state
keyword
cisco_nexus.log.switch_name
keyword
cisco_nexus.log.syslog_time
date
cisco_nexus.log.terminal
keyword
cisco_nexus.log.threshold_value
keyword
cisco_nexus.log.time
date
cisco_nexus.log.timezone
keyword
cisco_nexus.log.tty
keyword
cisco_nexus.log.type
keyword
cisco_nexus.log.uid
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
event.dataset
Event dataset.
constant_keyword
event.module
Event module.
constant_keyword
input.type
Type of Filebeat input.
keyword
log.file.device_id
ID of the device containing the filesystem where the file resides.
keyword
log.file.fingerprint
The sha256 fingerprint identity of the file when fingerprinting is enabled.
keyword
log.file.idxhi
The high-order part of a unique identifier that is associated with a file. (Windows-only)
keyword
log.file.idxlo
The low-order part of a unique identifier that is associated with a file. (Windows-only)
keyword
log.file.inode
Inode number of the log file.
keyword
log.file.vol
The serial number of the volume that contains a file. (Windows-only)
keyword
log.offset
Log offset.
long
log.source.address
Source address from which the log event was read / sent from.
keyword
tags
User defined tags.
keyword

Changelog

VersionDetailsKibana version(s)

1.1.1

Bug fix View pull request
Fix ingest pipeline warnings

8.7.0 or higher

1.1.0

Enhancement View pull request
Update package spec to 3.0.3.

8.7.0 or higher

1.0.1

Enhancement View pull request
Changed owners

8.7.0 or higher

1.0.0

Enhancement View pull request
Release package as GA.

8.7.0 or higher

0.21.1

Bug fix View pull request
Fix exclude_files pattern.

0.21.0

Enhancement View pull request
ECS version updated to 8.11.0.

0.20.0

Enhancement View pull request
Improve 'event.original' check to avoid errors if set.

0.19.0

Enhancement View pull request
Adapt fields for changes in file system info

0.18.0

Enhancement View pull request
ECS version updated to 8.10.0.

0.17.0

Enhancement View pull request
The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest.

0.16.0

Enhancement View pull request
Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.

0.15.0

Enhancement View pull request
Update package to ECS 8.9.0.

0.14.2

Bug fix View pull request
Remove confusing error message tag prefix.

0.14.1

Enhancement View pull request
Add support for new log format.

0.14.0

Enhancement View pull request
Ensure event.kind is correctly set for pipeline errors.

0.13.0

Enhancement View pull request
Replace RSA2ELK with Syslog integration.

0.12.0

Enhancement View pull request
Update package to ECS 8.8.0.

0.11.0

Enhancement View pull request
Update package-spec version to 2.7.0.

0.10.0

Enhancement View pull request
Update package to ECS 8.7.0.

0.9.0

Enhancement View pull request
Update package to ECS 8.6.0.

0.8.0

Enhancement View pull request
Update package to ECS 8.5.0.

0.7.3

Bug fix View pull request
Remove duplicate fields.

0.7.2

Bug fix View pull request
Remove duplicate field.

0.7.1

Enhancement View pull request
Use ECS geo.location definition.

0.7.0

Enhancement View pull request
Update package to ECS 8.4.0

0.6.0

Enhancement View pull request
Update package to ECS 8.3.0.

0.5.1

Enhancement View pull request
Updated readme file

0.5.0

Enhancement View pull request
Update to ECS 8.2.0

0.4.1

Enhancement View pull request
Add documentation for multi-fields

0.4.0

Enhancement View pull request
Update to ECS 8.0.0

0.3.1

Bug fix View pull request
Regenerate test files using the new GeoIP database

0.3.0

Enhancement View pull request
Add 8.0.0 version constraint

0.2.3

Enhancement View pull request
Update Title and Description.

0.2.2

Bug fix View pull request
Fixed a bug that prevents the package from working in 7.16.

0.2.1

Bug fix View pull request
Fix logic that checks for the 'forwarded' tag

0.2.0

Enhancement View pull request
Update to ECS 1.12.0

0.1.0

Enhancement View pull request
Initial implementation for splitting Cisco nexus from Cisco package

On this page