Cisco Stealthwatch Syslog Issue| destination ip address : 0.0.0.0

shrinad
Level 1

Hello Team,

I have a Cisco SNA deployment which is running on 7.4.0. Now, when the event traffic logs are forwarded to any of the syslog or SIEM servers, for example IBM QRadar / syslog-ng, I see the destination IP address coming as 0.0.0.0, which is kind of not helping the SOC team to analyze the logs, as they do actually take the action after analysis, which they do using the correlation from the SIEM itself.

Is this an expected outcome, or is there a resolution to it? I have seen the same query in one of the other threads, but I really don't see any resolution to it: https://community.cisco.com/t5/security-analytics/stealthwatch-logs-missing-destination-ip-destination-port/td-p/4048567

Can someone help on this?

2 Replies

srigovi2
Cisco Employee

Hi Shrinad,

I understand that you are sending the log events from the SNA SMC to the SIEM server.


I am sharing the resource document, which includes the steps for integrating Cisco Stealthwatch with a SIEM for sending the event logs.
Please check whether all settings match on both the SNA and syslog servers.

Link - https://cisco.bravais.com/s/Z6wUC3OO5TDalcCJQsAi


After checking on both ends, if the issue still persists, then I suggest you take a tcpdump on the SMC CLI and check whether the SMC sends the syslog
with the correct destination IP. If there is an issue, then you need to check the SNA syslog format.
If there is no issue on the SNA side, then we need to check the packet capture on the SIEM tool end.
For doing that, you can take TAC support for taking the tcpdump on both ends.
I am suggesting you use the latest patch for the SMC management console (7.4.1); better to check this also with the TAC team.


-----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Secure Network Analytics (formerly known as Stealthwatch) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------

Thanks,
G.Srinivasan

mattrobb
Cisco Employee

IP address 0.0.0.0 in syslog is used as a placeholder to indicate there are multiple IP addresses. You should look at the alarm in SNA to see what events and IPs fed into the alarm.

-Matthew Robbins

SNA TAC
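As an added illustration of the point in the reply above (example code, not from the thread or from Cisco): a SIEM-side normalization step that treats a 0.0.0.0 destination from SNA as the "multiple peers" placeholder rather than a real host, so correlation rules do not match on it and the analyst is told to pivot to the alarm in SNA. The key=value layout and field names are assumed, since the SNA syslog message format is configured per deployment; the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Per the reply above, SNA emits 0.0.0.0 when an alarm has multiple peer IPs.
PLACEHOLDER_IP = "0.0.0.0"

# Constructed sample lines. The key=value layout is an assumption for this
# example; real SNA syslog formats are defined in Response Management.
SAMPLE_LINES = [
    "<134>Jun 12 10:01:02 smc01 Stealthwatch: alarm_id=1234 "
    "alarm_type=Suspect_Data_Hoarding src_ip=10.1.1.5 dst_ip=0.0.0.0 dst_port=0",
    "<134>Jun 12 10:02:03 smc01 Stealthwatch: alarm_id=1235 "
    "alarm_type=High_Concern_Index src_ip=10.1.1.7 dst_ip=192.0.2.10 dst_port=445",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class NormalizedEvent:
    alarm_id: str
    alarm_type: str
    src_ip: str
    dst_ip: Optional[str]    # None when the source used the placeholder
    dst_port: Optional[int]  # None when unknown, so port-based rules skip it
    needs_pivot: bool        # True: open alarm_id in SNA to see the real peers


def normalize(line: str) -> NormalizedEvent:
    """Parse one SNA syslog line and neutralize the 0.0.0.0 placeholder."""
    fields = dict(KV_RE.findall(line))
    dst = fields.get("dst_ip")
    placeholder = dst is None or dst == PLACEHOLDER_IP
    port = int(fields.get("dst_port", "0"))
    return NormalizedEvent(
        alarm_id=fields["alarm_id"],
        alarm_type=fields["alarm_type"],
        src_ip=fields["src_ip"],
        dst_ip=None if placeholder else dst,
        dst_port=None if (placeholder or port == 0) else port,
        needs_pivot=placeholder,
    )


def normalize_all(lines: List[str]) -> List[NormalizedEvent]:
    """Normalize a batch of lines; suitable as a pre-correlation enrichment step."""
    return [normalize(line) for line in lines]


if __name__ == "__main__":
    for ev in normalize_all(SAMPLE_LINES):
        print(ev)
```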