Monitoring Cisco Network Devices with Wazuh: A Complete Guide
Network infrastructure is the backbone of any modern organization. To secure and monitor that infrastructure, centralized log collection is essential. In this guide, we’ll show you how to collect and analyze syslog messages from Cisco switches or routers using Wazuh, an open-source security platform.
Whether you're monitoring link status, configuration changes, or login attempts, Wazuh offers a scalable and powerful way to turn raw logs into actionable alerts.
🚀 Why Use Wazuh for Cisco Syslog?
- ✅ Centralized logging for all your switches and routers
- 🔍 Real-time monitoring of network events (e.g., interface status, login attempts)
- ⚠️ Alerting and correlation with other data sources
- 📊 Visualization through the Wazuh dashboard (Kibana)
🛠️ System Architecture
+--------------------+ +------------------------+ +---------------------+
| Cisco Switches +-------------> | Wazuh Manager +-------------> | Wazuh Rules Engine |
| (IOS/ASA/NX-OS) | (UDP/TCP 514) | (Logcollector active) | | (alerts triggered) |
+--------------------+ +-----------+------------+ +---------------------+
|
| Writes
v
+----------------------------+
| /var/ossec/logs/archives/ |
| /var/ossec/logs/alerts/ |
+-------------+--------------+
|
Parses/Forwards to (optional)
v
+------------------------------+
| Wazuh Dashboard (Kibana) |
| Visualization & Searching |
+------------------------------+
⚙️ Step-by-Step Setup
1. Configure Cisco Switch to Send Syslog
Login to the Cisco device and enter configuration mode:
conf t
logging host <WAZUH_IP> transport udp port 514
logging trap informational
service timestamps log datetime msec
exit
Adjust the transport protocol (
udp
ortcp
) and port as needed.
2. Configure Wazuh to Accept Syslog
Edit the Wazuh Manager configuration file:
<!-- /var/ossec/etc/ossec.conf -->
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>udp</protocol>
<allowed-ips>192.168.10.0/24</allowed-ips>
<local_ip>192.168.10.10</local_ip> <!-- your Wazuh interface IP -->
</remote>
Restart the Wazuh Manager:
sudo systemctl restart wazuh-manager
3. Sample Cisco Syslog Messages
<189>Jun 10 14:22:10 switch01 33953: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to up
<189>Jun 10 14:23:45 switch01 33954: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.1.50]
<190>Jun 10 14:24:30 switch01 33955: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.50)
Wazuh parses and categorizes these using built-in decoders for Cisco devices.
4. Visualizing Logs in Wazuh Dashboard
Once syslog messages are processed:
- Open Wazuh Dashboard (based on Kibana)
- Filter logs by source IP, severity, or keyword
-
Create alerts or dashboards for:
- Interface up/down events
- Failed login attempts
- Unauthorized config changes
🔒 Security Tip: Use <allowed-ips>
The <allowed-ips>
tag ensures that only trusted IPs (your Cisco devices) can send syslog messages:
<allowed-ips>192.168.10.0/24</allowed-ips>
This prevents abuse or noise from unknown sources.
✅ Final Thoughts
Integrating Cisco switches with Wazuh provides a robust and scalable approach to infrastructure monitoring and threat detection. From compliance to performance to security, you gain real-time visibility into your network’s heartbeat.
Need help writing custom rules or dashboards for your Cisco logs? Contact us or drop a comment below!
🔗 Related Resources
Get in Touch with us
Related Posts
- How to Implement Google Single Sign-On (SSO) in FastAPI
- Build Your Own Taxi Booking App with Simplico: Scalable, Secure & Ready to Launch
- Building a Scalable EV Charging Backend — For Operators, Developers, and Innovators
- How to Handle Complex Pricing for Made-to-Order Products in Odoo
- How to Build a Made-to-Order Product System That Boosts Sales & Customer Satisfaction
- Transform Your Operations with Autonomous Agentic AI
- Streamline Fiber Tester Management with a Lightweight EXFO Admin Panel
- Enhancing Naval Mission Readiness with EMI Simulation: Cost-Effective Risk Reduction Using MEEP and Python
- Strengthen Your Cybersecurity Posture with Wazuh: A Scalable, Cost-Effective SIEM Solution
- OCPP Central System + Mobile App — Customer Proposal
- How TAK Systems Are Transforming Border Security
- ChatGPT-4o vs GPT-4.1 vs GPT-4.5: Which Model Is Best for You?
- Can Clients Decrypt Server Data Without the Private Key? (Spoiler: No—and Here’s Why)
- Managing JWT Authentication Across Multiple Frameworks
- Building a Lightweight EXFO Tester Admin Panel with FastAPI and Alpine.js
- Using FastAPI to Bridge Mobile Apps with OCPP EV Charging Systems
- Simulating EMC/EMI Coupling on a Naval Top Deck Using MEEP and Python
- How the TAK System Works: A Complete Guide for Real-Time Situational Awareness
- Building an E-commerce Website & Mobile App with Smart AI Integration — The Modern Way
- Personalized Recommendations Are Here — Powered by Smart Analytics