manish.dey@itc. Absent Member.

CISCO Nexus series switch integration with ArcSight

We are trying to integrate Cisco Nexus series switches with ArcSight through the syslog daemon. I could see from the CiscoNXOSSyslogConfig guide that the supported NX-OS versions are 4.2, 5.0, 5.2 and 6.2, but the switches we procured have NX-OS versions 6.0 and 7.0. I did the configuration on the switch end but am not receiving logs on my SmartConnector. I have 2 queries here:

1. Is it possible to receive logs from NX-OS 6.0/7.0 through the syslog daemon?

2. If not, is there any other way to do the same?

Is there any specific reason why support for 6.0 is not there, while the 5.2 (lower) and 6.2 (higher) versions are supported?

Please help!!!

2 Replies
pbrettle Acclaimed Contributor.

Re: CISCO Nexus series switch integration with ArcSight

Ok, a couple of points first:

1) When creating new parsers for log sources, the team is utterly dependent on the data from the test bed in the office and on customers who provide sample logs (even if they are cleaned). This is usually down to specific versions and platforms, and it's impossible to maintain a full lab of all versions, examples, platforms and products - we are over tens of thousands of combinations now and it would be impossible to manage.

2) When testing newly created parsers, we test and confirm they are working for specific versions and release from there. Most vendors (and Cisco can be one of the worst but also one of the best) maintain common methods and mechanisms across multiple versions, and other than a few small feature updates, the need to update parsers between all sub-versions isn't there. As a result, updates are provided for major and significant changes only, and updates are provided when this no longer works for changed log sources. Therefore you can quite easily see support for, say, 5.0 of a product, but that parser will be perfect for the 5.1, 5.2 and even 5.4 releases. We can't and won't release a parser for each and every sub-version.

3) When we have tested a parser that we have written or updated, we will release to that particular version. This means that in this example, we had version 6.2 logs and access to equipment. We tested, built and released to this version. But it also means that we are extremely likely to support 6.0 and 6.1 also. We have to go to the latest release and provide a parser for this, since most customers will move to this version anyway.

To answer your specific points though - yes, use the Syslog SmartConnector for NX-OS logs from Cisco. As long as we support the major version of the product, it is extremely likely we will support all relevant sub-versions - both up and down - and therefore you shouldn't have an issue here. If there are any issues, it's likely that they are small and related to a few unparsed events, which are likely to be fixed very shortly - check on the Marketplace for updates as needed.

manish.dey@itc. Absent Member.

Re: CISCO Nexus series switch integration with ArcSight

Thanks for your update, Sir. I was also quite sure that it should work with NX-OS 6.0; that's why I did the configuration, but I was quite disappointed when it didn't work out. Regarding unparsed events, I believe we are not receiving logs from the switches at all, but as you said, I will investigate closely to find out.

Thanks & Regards,

