Monitoring Cisco Network Devices with Wazuh: A Complete Guide
Network infrastructure is the backbone of any modern organization. To secure and monitor that infrastructure, centralized log collection is essential. In this guide, we’ll show you how to collect and analyze syslog messages from Cisco switches or routers using Wazuh, an open-source security platform.
Want hands-on cybersecurity skills? Learn how to simulate attacks, monitor threats, and build a real-world defense lab using free tools like GNS3, Wazuh, and Docker.
🔧 Build Your Own Cybersecurity Lab with GNS3 + Wazuh + Docker – Train, Detect, and Defend in One Platform
Looking for an affordable SIEM that actually works? Discover how Wazuh helps companies monitor, detect, and respond to threats—without breaking the bank.
🛡️ Strengthen Your Cybersecurity Posture with Wazuh – A Scalable & Cost-Effective SIEM Solution
Before you deploy Wazuh, get to know how it works. This deep-dive explains Wazuh’s internal architecture, key use cases, and how to apply it in real-world scenarios.
📚 Understanding Wazuh: Architecture, Use Cases, and Real-World Applications
Whether you’re monitoring link status, configuration changes, or login attempts, Wazuh offers a scalable and powerful way to turn raw logs into actionable alerts.
🚀 Why Use Wazuh for Cisco Syslog?
- ✅ Centralized logging for all your switches and routers
- 🔍 Real-time monitoring of network events (e.g., interface status, login attempts)
- ⚠️ Alerting and correlation with other data sources
- 📊 Visualization through the Wazuh dashboard (Kibana)
🛠️ System Architecture
+--------------------+ +------------------------+ +---------------------+
| Cisco Switches +-------------> | Wazuh Manager +-------------> | Wazuh Rules Engine |
| (IOS/ASA/NX-OS) | (UDP/TCP 514) | (Logcollector active) | | (alerts triggered) |
+--------------------+ +-----------+------------+ +---------------------+
|
| Writes
v
+----------------------------+
| /var/ossec/logs/archives/ |
| /var/ossec/logs/alerts/ |
+-------------+--------------+
|
Parses/Forwards to (optional)
v
+------------------------------+
| Wazuh Dashboard (Kibana) |
| Visualization & Searching |
+------------------------------+⚙️ Step-by-Step Setup
1. Configure Cisco Switch to Send Syslog
Login to the Cisco device and enter configuration mode:
conf t
logging host <WAZUH_IP> transport udp port 514
logging trap informational
service timestamps log datetime msec
exitAdjust the transport protocol (
udportcp) and port as needed.
2. Configure Wazuh to Accept Syslog
Edit the Wazuh Manager configuration file:
<!-- /var/ossec/etc/ossec.conf -->
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>udp</protocol>
<allowed-ips>192.168.10.0/24</allowed-ips>
<local_ip>192.168.10.10</local_ip> <!-- your Wazuh interface IP -->
</remote>Restart the Wazuh Manager:
sudo systemctl restart wazuh-manager3. Sample Cisco Syslog Messages
<189>Jun 10 14:22:10 switch01 33953: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to up
<189>Jun 10 14:23:45 switch01 33954: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.1.50]
<190>Jun 10 14:24:30 switch01 33955: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.50)Wazuh parses and categorizes these using built-in decoders for Cisco devices.
4. Visualizing Logs in Wazuh Dashboard
Once syslog messages are processed:
- Open Wazuh Dashboard (based on Kibana)
- Filter logs by source IP, severity, or keyword
-
Create alerts or dashboards for:
- Interface up/down events
- Failed login attempts
- Unauthorized config changes
🔒 Security Tip: Use <allowed-ips>
The <allowed-ips> tag ensures that only trusted IPs (your Cisco devices) can send syslog messages:
<allowed-ips>192.168.10.0/24</allowed-ips>This prevents abuse or noise from unknown sources.
✅ Final Thoughts
Integrating Cisco switches with Wazuh provides a robust and scalable approach to infrastructure monitoring and threat detection. From compliance to performance to security, you gain real-time visibility into your network’s heartbeat.
Need help writing custom rules or dashboards for your Cisco logs? Contact us or drop a comment below!
🔗 Related Resources
Get in Touch with us
Chat with Us on LINE
iiitum1984
Related Posts
- Building a SOC from Scratch: A Real-World Wazuh + IRIS-web Field Report
- 中国品牌出海东南亚:支付、物流与ERP全链路集成技术方案
- 再生资源工厂管理系统:中国回收企业如何在不知不觉中蒙受损失
- 如何将电商平台与ERP系统打通:实战指南(2026年版)
- AI 编程助手到底在用哪些工具?(Claude Code、Codex CLI、Aider 深度解析)
- 使用 Wazuh + 开源工具构建轻量级 SOC:实战指南(2026年版)
- 能源管理软件的ROI:企业电费真的能降低15–40%吗?
- The ROI of Smart Energy: How Software Is Cutting Costs for Forward-Thinking Businesses
- How to Build a Lightweight SOC Using Wazuh + Open Source
- How to Connect Your Ecommerce Store to Your ERP: A Practical Guide (2026)
- What Tools Do AI Coding Assistants Actually Use? (Claude Code, Codex CLI, Aider)
- How to Improve Fuel Economy: The Physics of High Load, Low RPM Driving
- 泰国榴莲仓储管理系统 — 批次追溯、冷链监控、GMP合规、ERP对接一体化
- Durian & Fruit Depot Management Software — WMS, ERP Integration & Export Automation
- 现代榴莲集散中心:告别手写账本,用系统掌控你的生意
- The Modern Durian Depot: Stop Counting Stock on Paper. Start Running a Real Business.
- AI System Reverse Engineering:用 AI 理解企业遗留软件系统(架构、代码与数据)
- AI System Reverse Engineering: How AI Can Understand Legacy Software Systems (Architecture, Code, and Data)
- 人类的优势:AI无法替代的软件开发服务
- The Human Edge: Software Dev Services AI Cannot Replace
