Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1886
Views
0
Helpful
2
Replies

Centralized Reporting for TrustSec SGACLs

Go to solution
brentpavlovich
Level 1
Level 1

‎04-20-2021 07:15 AM

Is anyone familiar with a way to centralize the reporting of TrustSec events on switches and routers? Specifically SGACL drop messages. Our network topology consists of around 150 switches (mostly 9200/9300s) and 100 routers (all 4331s or 4431s). Right now the only way we have to tell if traffic is being blocked because of TrustSec is to individually log into each router and switch and look at the log messages. Not only is this not a feasible solution for 250 devices, it doesn't provide long term historical records to look back upon when issues are reported. 

 

Since the log messages are type 6 they dont make it to our logging server so running reports off that isn't an option (unless there is a way to change the message type so the router/switch send it to our remote syslog server???) 

Netflow doesn't seem to contain any useful information in it that can distinguish normal traffic from blocked traffic caused by SGACL drops. I've read a few articles about being able to use netflow to determine this, but seems its only available on 6500 switches. 

 

Just wondering if anyone out there has a good solution for this problem. I single pane of glass sort of speak into TrustSec enforcement. 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎04-20-2021 04:34 PM

This is a pain to do on IOS/IOS-XE compared to the way we can modify each logs severity level on the ASA. You can potentially handle this through a tcl script to rewrite the severity level to 5, or another value of your choosing. 

See this page for more information on the process. 
https://flylib.com/books/en/2.286.1/modifying_log_messages.html

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎04-20-2021 04:34 PM

This is a pain to do on IOS/IOS-XE compared to the way we can modify each logs severity level on the ASA. You can potentially handle this through a tcl script to rewrite the severity level to 5, or another value of your choosing. 

See this page for more information on the process. 
https://flylib.com/books/en/2.286.1/modifying_log_messages.html

0 Helpful

Go to solution
brentpavlovich
Level 1
Level 1
In response to Damien Miller

‎04-21-2021 10:43 AM

That worked quite well thanks for the suggestion. A little disappointing though there isn't more native built in tools to monitor a TrustSec environment. But this will do for now. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents