About Collection Jobs
A collection job describes what task a Cisco Crosswork Data Gateway is expected to perform. Applications request data collection via collection jobs. Cisco Crosswork then assigns these collection jobs to a Cisco Crosswork Data Gateway to serve the request.
You can collect more than one type of data at a time by using separate collection jobs.
For each collection job you create, Cisco Crosswork Data Gateway executes the collection request and deposits the collected data in the preferred data destination(s).
Cisco Crosswork Data Gateway lets you create following types of collection jobs:
Note |
|
Smart Licensing for Active Collection Jobs
To be able to create collection jobs that can forward data to third-party destinations, ensure that the following Smart Licensing requirements are met:
-
From the main menu, go to Administration > Application Management > Smart License and select the Cisco Crosswork application.
-
Ensure that the status is as follows:
-
Registration Status - Registered
Indicates that you have registered with Cisco Smart Software Manager (CSSM) and are authorized to use the reserved licensed features.
-
License Authorization Status - Authorized (In Compliance).
Indicates you have not exceeded the device count in the external collection jobs
-
In the Evaluation period (Registration Status is Unregistered and the License Authorization Status is Evaluation mode), you will be able to create collection jobs until the evaluation period expires. After this, you must register with Cisco Smart Software Manager (CSSM) to use licensed features. See Section: Manage Licenses for more information.
If you do not register with Cisco Smart Software Manager (CSSM) after the Evaluation period has expired, you will not be able to create collection jobs. However, you can still view and delete any collection jobs.
CLI Collection Job
Cisco Crosswork Data Gateway supports CLI-based data collection from the network devices. Only show commands are supported for this type of collection job.
Note |
|
Following is a sample of CLI collection job. For more information, see API documentation on Cisco DevNet.
{
"collection_job": {
"application_context": {
"context_id": "collection-job1",
"application_id": "APP1"
},
"collection_mode": {
"lifetime_type": "APPLICATION_MANAGED",
"collector_type": "CLI_COLLECTOR"
},
"job_device_set": {
"device_set": {
"devices": {
"device_ids": [
"658adb03-cc61-448d-972f-4fcec32cbfe8"
]
}
}
},
"sensor_input_configs": [
{
"sensor_data": {
"cli_sensor": {
"command": "show platform"
}
},
"cadence_in_millisec": "tel:60000"
}
],
"sensor_output_configs": [
{
"sensor_data": {
"cli_sensor": {
"command": "show platform"
}
},
"destination": {
"destination_id": "1e71f2fb-ea65-4242-8efa-e33cec71b369",
"context_id": "topic1"
}
}
]
}
}
SNMP Collection Job
Cisco Crosswork Data Gateway supports SNMP-based data collection based on the OIDs supported on the devices.
The SNMP collector makes a poll request to Cisco Crosswork to get its configuration profile (a list of MIB objects to collect and a list of devices to fetch from). It determines the corresponding OIDs by looking up the pre-packaged list of MIB modules or the custom list of MIB modules.
Note |
Cisco Crosswork Data Gateway enables SNMP polling on third party devices for standard MIBs already included in the system. Proprietary MIBs are required only if the collection request references MIB TABLE names or SCALAR names from a proprietary MIB. However, if the requests are OID-based, then MIBs are not required. |
Once the OIDs are resolved, they are provided as input to the SNMP collectors.
The device packages can be imported into the Crosswork Data Gateway VM as described in Section Add a Custom Software Package.
The following SNMP versions are supported:
-
SNMPv1
-
SNMPv2c
-
SNMPv3
The table below lists supported privacy protocols and the value that needs to be given in the collection payload for SNMP and SNMP Trap collection jobs:
Protocol |
SNMP Collection Payload |
SNMP Trap Collection Payload |
---|---|---|
aes |
AES |
N/A |
des56 |
DES |
N/A |
3des |
3DES |
N/A |
aes 128 |
AES128 |
N/A |
aes 192 |
AES192 or CiscoAES192(Cisco specific) |
N/A |
aes 256 |
AES256 or CiscoAES256(Cisco specific) |
N/A |
Note |
|
Sample Configurations on Device:
Version |
Command |
To... |
---|---|---|
V1 |
|
Define the SNMP version, user/user group details. |
For example,
|
Define the destination to which trap data must be forwarded. |
|
|
Enable traps to notify link status. |
|
V2c |
|
Define the SNMP version, user/user group details. |
|
Define the destination to which trap data must be forwarded. |
|
|
Enable traps to notify link status. |
|
V3 |
|
Define the SNMP version, user/user group details. |
|
Define the destination to which trap data must be forwarded. |
|
|
Enable traps to notify link status. |
The SNMP Collector supports the following operations:
-
SCALAR
-
TABLE
-
MIB_WALK
-
TRAP
-
DEVICE_PACKAGE
These operations are defined in the sensor config (see payload sample below).
Note |
There is an optional deviceParams attribute snmpRequestTimeoutMillis (not shown in the sample payloads) that should be used if the device response time is very high. It’s not recommended to use snmpRequestTimeoutMillis unless you are absolutely certain that your device response time is very high. The value for snmpRequestTimeoutMillis should be specified in milliseconds: Default value is 1500 milliseconds Minimum value is 1500 milliseconds However, there is no limitation on the maximum value of this attribute. |
Following is an SNMP collection job sample:
{
"collection_job": {
"application_context": {
"context_id": "collection-job1",
"application_id": "APP1"
},
"collection_mode": {
"lifetime_type": "APPLICATION_MANAGED",
"collector_type": "SNMP_COLLECTOR"
},
"job_device_set": {
"device_set": {
"devices": {
"device_ids": [
"c70fc034-0cbd-443f-ad3d-a30d4319f937",
"8627c130-9127-4ed7-ace5-93d3b4321d5e",
"c0067069-c8f6-4183-9e67-1f2e9bf56f58"
]
}
}
},
"sensor_input_configs": [
{
"sensor_data": {
"snmp_sensor": {
"snmp_mib": {
"oid": "1.3.6.1.2.1.1.3.0",
"snmp_operation": "SCALAR"
}
}
},
"cadence_in_millisec": "60000"
},
{
"sensor_data": {
"snmp_sensor": {
"snmp_mib": {
"oid": "1.3.6.1.2.1.31.1.1",
"snmp_operation": "TABLE"
}
}
},
"cadence_in_millisec": "60000"
}
],
"sensor_output_configs": [
{
"sensor_data": {
"snmp_sensor": {
"snmp_mib": {
"oid": "1.3.6.1.2.1.1.3.0",
"snmp_operation": "SCALAR"
}
}
},
"destination": {
"destination_id": "4c2ab662-2670-4b3c-b7d3-b94acba98c56",
"context_id": "topic1_461cb8aa-a16a-44b8-b79f-c3daf3ea925f"
}
},
{
"sensor_data": {
"snmp_sensor": {
"snmp_mib": {
"oid": "1.3.6.1.2.1.31.1.1",
"snmp_operation": "TABLE"
}
}
},
"destination": {
"destination_id": "4c2ab662-2670-4b3c-b7d3-b94acba98c56",
"context_id": "topic2_e7ed6300-fc8c-47ee-8445-70e543057f8a"
}
}
]
}
}
SNMP Traps Collection Job
SNMP traps are handled in a similar manner. Trap listeners listen on a port and then dispatch data to recipients (based on their topic of interest).
Cisco Crosswork Data Gateway supports three types of non-yang/OID based traps:
sensor path | purpose |
---|---|
* | To get all the traps pushed from the device without any filter. |
MIB level traps |
OID of one MIB notifications (Ex: 1.3.6.1.2.1.138.0 to get all the isis-mib level traps) |
Specific trap |
OID of the specific trap (Ex: 1.3.6.1.6.3.1.1.5.4 to get the linkUp trap) |
Note |
|
On receiving a trap, Cisco Crosswork Data Gateway does the following validations:
-
Check if any collection job is created for the device.
-
Checks the trap version and community string.
-
For SNMP v3, validates for user auth and priv protocol and credentials.
Cisco Crosswork Data Gateway filters the traps based on the trap OID mentioned in the sensor path and sends only those requested.
Cisco Crosswork Data Gateway supports the following YANG paths:
sensor path | purpose |
---|---|
snmp-trap-raw-oper:traps/data | To get all the traps pushed from the device without any filter. |
IF-MIB:notifications | To get all the IF-MIB notifications (ex: linkUp, linkDown, etc.) |
ISIS-MIB:notifications | To get all the ISIS-MIB notifications. |
SNMPv2-MIB:notifications | To get all the snmpV2 Mib notifications. |
Following is an SNMP-Trap collection job sample:
{
"collection_job": {
"application_context": {
"context_id": "collection-job1",
"application_id": "APP1"
},
"collection_mode": {
"lifetime_type": "APPLICATION_MANAGED",
"collector_type": "TRAP_COLLECTOR"
},
"job_device_set": {
"device_set": {
"devices": {
"device_ids": [
"a9b8f43d-130b-4866-a26a-4d0f9e07562a",
"8c4431a0-f21d-452d-95a8-84323a19e0d6",
"eaab2647-2351-40ae-bf94-6e4a3d79af3a"
]
}
}
},
"sensor_input_configs": [
{
"sensor_data": {
"trap_sensor": {
"path": "1.3.6.1.6.3.1.1.4"
}
},
"cadence_in_millisec": "60000"
}
],
"sensor_output_configs": [
{
"sensor_data": {
"trap_sensor": {
"path": "1.3.6.1.6.3.1.1.4"
}
},
"destination": {
"destination_id": "4c2ab662-2670-4b3c-b7d3-b94acba98c56",
"context_id": "topic1_696600ae-80ee-4a02-96cb-3a01a2415324"
}
}
]
}
}
Enabling Traps forwarding to external applications
As per the current implementation, in case of an SNMP Trap collection job, all traps are sent to the specified data destination even if the SNMP Trap OID is not provided in the sensor path.
Note |
It is also recommended to selectively enable on the device only those traps that are needed by Crosswork. |
To identify the type of trap from the data received on the destination, look for oid (OBJECT_IDENTIFIER, for example, 1.3.6.1.6.3.1.1.4.1.0
) and strValue associated to the oid in the OidRecords (application can match the OID of interest to determine the kind of trap).
Below are some sample values and a sample payload:
-
Link up
1.3.6.1.6.3.1.1.4.1.0 = 1.3.6.1.6.3.1.1.5.4
-
Link Down
1.3.6.1.6.3.1.1.4.1.0 = 1.3.6.1.6.3.1.1.5.3
-
Syslog
1.3.6.1.6.3.1.1.4.1.0 = 1.3.6.1.4.1.9.9.41.2.0.1
-
Cold Start
1.3.6.1.6.3.1.1.4.1.0 = 1.3.6.1.6.3.1.1.5.1
{
"nodeIdStr": "BF5-XRV9K1.tr3.es",
"nodeIdUuid": "C9tZ5lJoSJKf5OZ67+U5JQ==",
"collectionId": "133",
"collectionStartTime": "1580931985267",
"msgTimestamp": "1580931985267",
"dataGpbkv": [
{
"timestamp": "1580931985267",
"name": "trapsensor.path",
"snmpTrap": {
"version": "V2c",
"pduType": "TRAP",
"v2v3Data": {
"agentAddress": "172.70.39.227",
"oidRecords": [
{
"oid": "1.3.6.1.2.1.1.3.0",
"strValue": "7 days, 2:15:17.02"
},
{
"oid": "1.3.6.1.6.3.1.1.4.1.0", // This oid is the Object Identifier.
"strValue": "1.3.6.1.6.3.1.1.5.3" // This is the value that determines the kind of trap.
},
{
"oid": "1.3.6.1.2.1.2.2.1.1.8",
"strValue": "8"
},
{
"oid": "1.3.6.1.2.1.2.2.1.2.8",
"strValue": "GigabitEthernet0/0/0/2"
},
{
"oid": "1.3.6.1.2.1.2.2.1.3.8",
"strValue": "6"
},
{
"oid": "1.3.6.1.4.1.9.9.276.1.1.2.1.3.8",
"strValue": "down"
}
]
}
}
}
],
"collectionEndTime": "1580931985267",
"collectorUuid": "YmNjZjEzMTktZjFlOS00NTE5LWI4OTgtY2Y1ZmQxZDFjNWExOlRSQVBfQ09MTEVDVE9S",
"status": {
"status": "SUCCESS"
},
"modelData": {},
"sensorData": {
"trapSensor": {
"path": "1.3.6.1.6.3.1.1.5.4"
}
},
"applicationContexts": [
{
"applicationId": "APP1",
"contextId": "collection-job-snmp-traps"
}
]
}
MDT Collection Job
Crosswork Data Gateway supports data collection from network devices using Model-driven Telemetry (MDT) to consume telemetry streams directly from devices (for IOS-XR based platforms only).
Note |
|
It supports data collection for the following transport mode:
-
MDT TCP Dial-out Mode
Following is a sample of MDT collection payload:
{
"collection_job": {
"job_device_set": {
"device_set": {
"device_group": "mdt"
}
},
"sensor_output_configs": [{
"sensor_data": {
"mdt_sensor": {
"path": "Cisco-IOS-XR-infra-statsd-oper:infra-statistics/interfaces/interface/latest/generic-counters"
}
},
"destination": {
"context_id": "cw.mdt_sensor.cisco-ios-xr-infra-statsd-oper.gpb",
"destination_id": "c2a8fba8-8363-3d22-b0c2-a9e449693fae"
}
},
{
"sensor_data": {
"mdt_sensor": {
"path": "Cisco-IOS-XR-infra-statsd-oper:infra-statistics/interfaces/interface/data-rate"
}
},
"destination": {
"context_id": "cw.mdt_sensor.cisco-ios-xr-infra-statsd-oper.gpb",
"destination_id": "c2a8fba8-8363-3d22-b0c2-a9e449693fae"
}
}
],
"sensor_input_configs": [{
"sensor_data": {
"mdt_sensor": {
"path": "Cisco-IOS-XR-infra-statsd-oper:infra-statistics/interfaces/interface/data-rate"
}
},
"cadence_in_millisec": "70000"
}, {
"sensor_data": {
"mdt_sensor": {
"path": "Cisco-IOS-XR-infra-statsd-oper:infra-statistics/interfaces/interface/latest/generic-counters"
}
},
"cadence_in_millisec": "70000"
}
],
"application_context": {
"context_id": "c4",
"application_id": "a4-mdt"
},
"collection_mode": {
"lifetime_type": "APPLICATION_MANAGED",
"collector_type": "MDT_COLLECTOR"
}
}
}
gNMI Collection Job
Cisco Crosswork supports gRPC Network Management Interface (gNMI) based telemetry data collection via Cisco Crosswork Data Gateway. It supports only gNMI Dial-In (gRPC Dial-In) streaming telemetry data based on subscription and relaying subsequent subscription response(notifications) to requested destinations.
Note |
gNMI collection is supported as long as the models are supported by the target device platform. gNMI must be configured on devices before you can submit gNMI collection jobs. Check platform-specific documentation. |
For sample device configuration, see Sample Device Configuration - gNMI.
In gNMI, both secure and insecure mode can co-exist on the device. Cisco Crosswork gives preference to secure mode over insecure mode based on the information passed in the inventory.
If device reloads, gNMI collector ensures that the existing subscriptions are re-subscribed to the device.
gNMI specification does not have a way to mark end of message. Hence, Destination/Dispatch cadence is not supported in gNMI collector.
Cisco Crosswork Data Gateway supports all types of stream-based subscriptions:
-
SAMPLE : Cadence-based collection.
-
ON_CHANGE: First response include the state of all the elements for the subscribed path, followed by subsequent updates to the changes leaf values.
-
TARGET_DEFINED: Router/Device choses the mode of subscription on a per-leaf basis based on the subscribed path (i.e. one of SAMPLE or ON_CHANGE)
Note |
|
Following is a sample gNMI collection payload:
{
"collection_job": {
"job_device_set": {
"device_set": {
"device_group": "gnmi"
}
},
"sensor_input_configs": [
{
"sensor_data": {
"gnmi_sensor": {
"path":{
"origin":"",
"elem":[
{
"name":"interfaces"
},
{
"name":"interface",
"key":{
"name":"GigabitEthernet0/0/0/4"
}
}
]
},
"mode" : "SAMPLE"
}
},
"cadence_in_millisec": "30000"
}
],
"sensor_output_configs": [
{
"sensor_data": {
"gnmi_sensor": {
"path":{
"origin":"",
"elem":[
{
"name":"interfaces"
},
{
"name":"interface",
"key":{
"name":"GigabitEthernet0/0/0/4"
}
}
]
},
"mode" : "SAMPLE"
}
},
"destination": {
"context_id": "topic_gnmi",
"destination_id": "c2a8fba8-8363-3d22-b0c2-a9e449693fae"
}
}
],
"application_context": {
"context_id": "gnmi_test_context",
"application_id": "gnmi"
},
"collection_mode": {
"lifetime_type": "APPLICATION_MANAGED",
"collector_type": "GNMI_COLLECTOR"
}
}
}
Sample Device Configuration - gNMI
Cisco IOS XR devices
-
Enable gRPC over an HTTP/2 connection.
Router#configure Router(config)#grpc Router(config-grpc)#port <port-number>
The port number ranges from 57344 to 57999. If a port number is unavailable, an error is displayed.
-
Set the session parameters.
Router(config)#grpc{ address-family | dscp | max-request-per-user | max-request-total | max-streams | max-streams-per-user | no-tls | service-layer | tls-cipher | tls-mutual | tls-trustpoint | vrf }
where:
-
address-family:
set the address family identifier type -
dscp:
set QoS marking DSCP on transmitted gRPC -
max-request-per-user:
set the maximum concurrent requests per user -
max-request-total:
set the maximum concurrent requests in total -
max-streams:
set the maximum number of concurrent gRPC requests. The maximum subscription limit is 128 requests. The default is 32 requests -
max-streams-per-user:
set the maximum concurrent gRPC requests for each user. The maximum subscription limit is 128 requests. The default is 32 requests -
no-tls:
disable transport layer security (TLS). The TLS is enabled by default. -
service-layer:
enable the grpc service layer configuration -
tls-cipher:
enable the gRPC TLS cipher suites -
tls-mutual:
set the mutual authentication -
tls-trustpoint:
configure trustpoint -
server-vrf:
enable server vrf
-
-
Enable TPA (Traffic Protection for Third-Party Applications).
tpa vrf default address-family ipv4 default-route mgmt update-source dataports MgmtEth0/RP0/CPU0/0
The following example shows how to enable the gNMI server in insecure mode:
Device# configure terminal
Device(config)# gnmi-yang
Device(config)# gnmi-yang server
Device(config)# gnmi-yang port 50000 <The default port is 50052.>
Device(config)# end
Device
The following example shows how to enable the gNMI server in secure mode:
Certs and trustpoint are only required for secure gNMI servers.
Device# configure terminal
Device(config)# gnmi-yang server
Device(config)# gnmi-yang secure-server
Device(config)# gnmi-yang secure-trustpoint trustpoint1
Device(config)# gnmi-yang secure-client-auth
Device(config)# gnmi-yang secure-port 50001 <The default port is 50051.>
Device(config)# end
Device
Certs and trustpoint are only required for secure gNMI servers.
Creating Certs with OpenSSL on Linux
The following example shows how to create Certs with OpenSSL on a Linux machine:
# Setting up a CA
openssl genrsa -out rootCA.key 2048
openssl req -subj /C=/ST=/L=/O=/CN=rootCA -x509 -new -nodes -key rootCA.key -sha256 -out rootCA.pem
# Setting up device cert and key
openssl genrsa -out device.key 2048
openssl req -subj /C=/ST=/L=/O=/CN=<hostnameFQDN> -new -key device.key -out device.csr
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -sha256
# Encrpyt device key - needed for input to IOS
openssl rsa -des3 -in device.key -out device.des3.key -passout pass:<password - remember this for later>
# Setting up client cert and key
openssl genrsa -out client.key 2048
openssl req -subj /C=/ST=/L=/O=/CN=gnmi_client -new -key client.key -out client.csr
openssl x509 -req -in client.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client.crt -sha256
Installing Certs on a Cisco IOS XR Device
To install certs on Cisco IOS XR, replace files in the following path:
-
Login into XR machine.
-
Type run command on terminal prompt.
RP/0/RP0/CPU0:xrvr-7.2.1#run
-
Navigate to the following directory:
cd /misc/config/grpc
-
Replace the content of the following files:
-
replace contents of ems.pem with device.crt
-
replace contents of ems.key with device.key
-
replace contents of ca.cert with rootCA.pem
-
Installing Certs on a Cisco IOS XE Device
The following example shows how to install certs on a Cisco IOS XE device:
# Send:
Device# configure terminal
Device(config)# crypto pki import trustpoint1 pem terminal password password1
# Receive:
% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself.
# Send:
# Contents of rootCA.pem, followed by newline + 'quit' + newline:
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
quit
# Receive:
% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.
# Send:
# Contents of device.des3.key, followed by newline + 'quit' + newline:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,D954FF9E43F1BA20
<snip>
-----END RSA PRIVATE KEY-----
quit
# Receive:
% Enter PEM-formatted General Purpose certificate.
% End with a blank line or "quit" on a line by itself.
# Send:
# Contents of device.crt, followed by newline + 'quit' + newline:
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
quit
# Receive:
% PEM files import succeeded.
Device(config)#
# Send:
Device(config)# crypto pki trustpoint trustpoint1
Device(ca-trustpoint)# revocation-check none
Device(ca-trustpoint)# end
Device#
Enable Secure gNMI communication between Device and Crosswork Data Gateway
Secure gNMI set up workflow:
-
Upload the trust chain to the Crosswork Certificate Management UI in Cisco Crosswork. See Configure gNMI Certificate.
-
Update device configuration with secure gNMI port details from Cisco Crosswork UI. See Device Configuration from Cisco Crosswork UI
Configure gNMI Certificate
Crosswork Data Gateway acts as the gNMI client while the device acts as gNMI server. Crosswork Data Gateway validates the device using a trust chain. It is expected that you have a global trust chain for all the devices. If you have multiple trust chains, add all the device trust chains (single or multiple vendors) in a single .pem file and upload this .pem file to the Crosswork Certificate Management UI. For sample device configuration to configure trust point on devices, see Sample Device Configuration - gNMI.
Note |
You can upload only one gNMI Certificate to Crosswork. |
To configure the gNMI Certificate:
Procedure
Step 1 |
From the Cisco Crosswork UI, go to Administration > Certificate Management. |
||
Step 2 |
Click the + icon to add certificate. |
||
Step 3 |
In Add Certificate window, enter the following details:
|
||
Step 4 |
Click Save. |
The gNMI Certificate is listed in the configured certificates once it has been added successfully.
Device Configuration from Cisco Crosswork UI
Once you have configured the gNMI certificate in the Crosswork UI, update the device with secure protocol details.
-
From the Cisco Crosswork UI, navigate to Device Management > Network Devices
-
Select the device and click Edit to update the Protocol field with the details as:
Protocol for secure communication : GNMI_SECURE Port.
Syslog Collection Job
Cisco Crosswork Data Gateway supports Syslog-based events collection from devices. Following Syslog formats are supported:
-
RFC5424 syslog format
-
RFC3164 syslog format
Note |
Syslog must be configured on devices before you can submit Syslog collection jobs. Please refer to the platform-specific documentation. |
For sample device configuration, see Configure Syslog in RFC3164/RFC5424 format.
Following is a sample Syslog collection payload:
{
"collection_job": {
"job_device_set": {
"device_set": {
"devices": {
"device_ids": [
"c6f25a33-92e6-468a-ba0d-15490f1ce787"
]
}
}
},
"sensor_output_configs": [
{
"sensor_data": {
"syslog_sensor": {
"pris": {
"facilities": [0, 1, 3, 23,4],
"severities": [0, 4, 5, 6, 7]
}
}
},
"destination": {
"context_id": "syslogtopic",
"destination_id": "c2a8fba8-8363-3d22-b0c2-a9e449693fae"
}
}
],
"sensor_input_configs": [
{
"sensor_data": {
"syslog_sensor": {
"pris": {
"facilities": [0,1, 3, 23,4],
"severities": [0,4, 5, 6, 7]
}
}
},
"cadence_in_millisec": "60000"
}
],
"application_context": {
"context_id": "demomilesstone2syslog",
"application_id": "SyslogDemo2"
},
"collection_mode": {
"lifetime_type": "APPLICATION_MANAGED",
"collector_type": "SYSLOG_COLLECTOR"
}
}
}
Based on the facilities and severities mentioned in the payload, matching Syslog events will be sent to the specified destination. All other non-matching syslog events will be dropped.
Configure Syslog in RFC3164/RFC5424 format
This section lists sample configuration to configure syslog in the RFC3164 or RFC5424 format on the device. The same configuration can also be used for non-secure syslog configuration on the device.
Configure RFC3164 Syslog format
Note |
The configuration highlighted in the code below is required to avoid formatting issues in the parsed output. |
For Cisco IOS XR devices:
logging <server 1> port 9514 OR logging <server 1> vrf <vrfname> port 9514
logging trap [severity]
logging facility [facility value]
logging suppress duplicates
service timestamps log datetime msec show-timezone year
logging hostnameprefix <some host related prefix e.g.iosxrhost2>
For Cisco IOS XE Devices:
no logging message-counter syslog
logging trap <serverity>
logging facility <facility>
logging host 172.29.194.174 transport tcp port 9898 session-id string <sessionidstring> --> To use TCP channel
OR
logging host 172.29.194.174 transport udp port 9514 session-id string <sessionidstring> ---> To use UDP channel
OR
logging host <cdg ip> vrf Mgmt-intf transport udp port 9514 session-id string <sessionidstring> --> To use UDP via vrf
service timestamps log datetime msec year show-timezone
Configure RFC5424 Syslog format
For Cisco IOS XR devices:
logging <server 1> port 9514 OR logging <server 1> vrf <vrfname> port 9514
logging trap [severity]
logging facility [facility value]
logging suppress duplicates
service timestamps log datetime msec show-timezone year
logging hostnameprefix <some host related prefix e.g.iosxrhost2>
logging format rfc5424
For Cisco IOS XE Devices:
no logging message-counter syslog
logging trap <serverity>
logging facility <facility>
logging host 172.29.194.174 transport tcp port 9898 session-id string <sessionidstring> --> To use TCP channel
OR
logging host 172.29.194.174 transport udp port 9514 session-id string <sessionidstring> ---> To use UDP channel
OR
logging host <cdg ip> vrf Mgmt-intf transport udp port 9514 session-id string <sessionidstring> --> To use UDP via vrf
service timestamps log datetime msec year show-timezone
logging trap syslog-format 5424 --> if applicable
Configure Secure Syslog on Device
Follow these steps to establish a secure syslog communication to the device.
-
Download the Crosswork trust chain from the Certificate Management UI page in Cisco Crosswork.
-
Configure devices with the Crosswork trust chain for syslog configuration.
Download Syslog Certificates
-
In the Cisco Crosswork UI, go to Administration > Certificate Management
-
Click i in the 'device-syslog' row as shown in the image below
-
Click Export All to download the certificates.
The following files are downloaded to your system.
Syslog Configuration on Device
Sample XR Device Configuration to enable TLSRP/0/RSP0/CPU0:ASR9k(config)#crypto ca trustpoint syslog-root
RP/0/RSP0/CPU0:ASR9k(config-trustp)#enrollment terminal
RP/0/RSP0/CPU0:ASR9k(config-trustp)#crl optional
RP/0/RSP0/CPU0:ASR9k(config-trustp)#commit
RP/0/RSP0/CPU0:ASR9k(config-trustp)#end
RP/0/RSP0/CPU0:ASR9k#
RP/0/RSP0/CPU0:ASR9k#crypto ca authenticate syslog-root
Fri Jan 22 11:07:41.880 GMT
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIGKzCCBBOgAwIBAgIRAKfyU89yjmrXVDRKBWuSGPgwDQYJKoZIhvcNAQELBQAw
bDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMREwDwYDVQQHEwhTYW4gSm9zZTEa
................................................................
................................................................
jPQ/UrO8N3sC1gGJX7CIIh5cE+KIJ51ep8i1eKSJ5wHWRTmv342MnG2StgOTtaFF
vrkWHD02o6jRuYXDWEUptDOg8oEritZb+SNPXWUc/2mbYog6ks6EeMC69VjkZPo=
-----END CERTIFICATE-----
Read 1583 bytes as CA certificate
Serial Number : A7:F2:53:CF:72:8E:6A:D7:54:34:4A:05:6B:92:18:F8
Subject:
CN=Crosswork Device Root CA,O=CISCO SYSTEMS INC,L=San Jose,ST=CA,C=US
Issued By :
CN=Crosswork Device Root CA,O=CISCO SYSTEMS INC,L=San Jose,ST=CA,C=US
Validity Start : 02:37:09 UTC Sat Jan 16 2021
Validity End : 02:37:09 UTC Thu Jan 15 2026
SHA1 Fingerprint:
209B3815271C22ADF78CB906F6A32DD9D97BBDBA
Fingerprint: 2FF85849EBAAB9B059ACB9F5363D5C9CDo you accept this certificate? [yes/no]: yes
RP/0/RSP0/CPU0:ASR9k#config
RP/0/RSP0/CPU0:ASR9k(config)#crypto ca trustpoint syslog-inter
RP/0/RSP0/CPU0:ASR9k(config-trustp)#enrollment terminal
RP/0/RSP0/CPU0:ASR9k(config-trustp)#crl optional
RP/0/RSP0/CPU0:ASR9k(config-trustp)#commit
RP/0/RSP0/CPU0:ASR9k#crypto ca authenticate syslog-inter
Fri Jan 22 11:10:30.090 GMT
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIGFDCCA/ygAwIBAgIRAkhqHQXcJzQzeQK6U2wn8PIwDQYJKoZIhvcNAQELBQAw
bDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMREwDwYDVQQHEwhTYW4gSm9zZTEa
................................................................
................................................................
5lBk617z6cxFER5c+/PmJFhcreisTxXg1aJbFdnB5C8f+0uUIdLghykQ/zaZGuBn
AAB70c9r9OeKGJWzvv1e2U8HH1pdQ/nd
-----END CERTIFICATE-----
Read 1560 bytes as CA certificate
Serial Number : 02:48:6A:1D:05:DC:27:34:33:79:02:BA:53:6C:27:F0:F2
Subject:
CN=device-syslog,O=CISCO SYSTEMS INC,L=San Jose,ST=CA,C=US
Issued By :
CN=Crosswork Device Root CA,O=CISCO SYSTEMS INC,L=San Jose,ST=CA,C=US
Validity Start : 02:37:11 UTC Sat Jan 16 2021
Validity End : 02:37:11 UTC Mon Jan 16 2023
SHA1 Fingerprint:
B06F2BFDE95413A8D08A01EE3511BC3D42F01E59
CA Certificate validated using issuer certificate.
RP/0/RSP0/CPU0:ASR9k#show crypto ca certificates
Fri Jan 22 15:45:17.196 GMT
Trustpoint : syslog-root
==================================================
CA certificate
Serial Number : A7:F2:53:CF:72:8E:6A:D7:54:34:4A:05:6B:92:18:F8
Subject:
CN=Crosswork Device Root CA,O=CISCO SYSTEMS INC,L=San Jose,ST=CA,C=US
Issued By :
CN=Crosswork Device Root CA,O=CISCO SYSTEMS INC,L=San Jose,ST=CA,C=US
Validity Start : 02:37:09 UTC Sat Jan 16 2021
Validity End : 02:37:09 UTC Thu Jan 15 2026
SHA1 Fingerprint:
209B3815271C22ADF78CB906F6A32DD9D97BBDBA
Trustpoint : syslog-inter
==================================================
CA certificate
Serial Number : 02:48:6A:1D:05:DC:27:34:33:79:02:BA:53:6C:27:F0:F2
Subject:
CN=device-syslog,O=CISCO SYSTEMS INC,L=San Jose,ST=CA,C=US
Issued By :
CN=Crosswork Device Root CA,O=CISCO SYSTEMS INC,L=San Jose,ST=CA,C=US
Validity Start : 02:37:11 UTC Sat Jan 16 2021
Validity End : 02:37:11 UTC Mon Jan 16 2023
SHA1 Fingerprint:
B06F2BFDE95413A8D08A01EE3511BC3D42F01E59
RP/0/RSP0/CPU0:ASR9k(config)#logging tls-server syslog-tb131
RP/0/RSP0/CPU0:ASR9k(config-logging-tls-peer)#tls-hostname 10.13.0.159
RP/0/RSP0/CPU0:ASR9k(config-logging-tls-peer)#trustpoint syslog-inter
RP/0/RSP0/CPU0:ASR9k(config-logging-tls-peer)#severity debugging
RP/0/RSP0/CPU0:ASR9k(config-logging-tls-peer)#vrf default
RP/0/RSP0/CPU0:ASR9k(config-logging-tls-peer)#commit
RP/0/RSP0/CPU0:ASR9k(config-logging-tls-peer)#exit
RP/0/RSP0/CPU0:ASR9k(config)#exit
RP/0/RSP0/CPU0:ASR9k#exit
RP/0/RSP0/CPU0:ASR9k#show running-config logging
Fri Jan 22 11:17:19.385 GMT
logging tls-server syslog-tb131
vrf default
severity debugging
trustpoint syslog-inter
tls-hostname <CDG Southbound IP>
!
logging trap debugging
logging format rfc5424
logging facility user
logging hostnameprefix ASR9k
logging suppress duplicates
RP/0/RSP0/CPU0:ASR9k#
Sample XE Device Configuration to enable TLS
csr8kv(config)#crypto pki trustpoint syslog-root
csr8kv(ca-trustpoint)#enrollment terminal
csr8kv(ca-trustpoint)#revocation-check none
csr8kv(ca-trustpoint)#chain-validation stop
csr8kv(ca-trustpoint)#end
csr8kv(config)#crypto pki authenticate syslog-root
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIFPjCCAyYCCQCO6pK5AOGYdjANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJV
UzELMAkGA1UECAwCQ0ExETAPBgNVBAcMCE1pbHBpdGFzMQ4wDAYDVQQKDAVDaXNj
................................................................
................................................................
JbimOpXAncoBLo14DXOJLvMVRjn1EULE9AXXCNfnrnBx7jL4CV+qHgEtF6oqclFW
JEA=
-----END CERTIFICATE-----
Certificate has the following attributes:
Fingerprint MD5: D88D6D8F E53750D4 B36EB498 0A435DA1
Fingerprint SHA1: 649DE822 1C222C1F 5101BEB8 B29CDF12 5CEE463B
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
csr8kv(config)#crypto pki trustpoint syslog-intermediate
csr8kv(ca-trustpoint)#enrollment terminal
csr8kv(ca-trustpoint)#revocation-check none
csr8kv(ca-trustpoint)#chain-validation continue syslog-root
csr8kv(ca-trustpoint)#end
csr8kv(config)#crypto pki authenticate syslog-intermediate
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIFfTCCA2WgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwXDELMAkGA1UEBhMCVVMx
EzARBgNVBAgMCkNhbGlmb3JuaWExDjAMBgNVBAoMBUNpc2NvMQ4wDAYDVQQLDAVT
................................................................
................................................................
Nmz6NQynD7bxdQa9Xq9kyPuY3ZVKXkf312IRH0MEy2yFX/tAen9JqOeZ1g8canmw
TxsWA5TLzy1RmxqQh88f0CM=
-----END CERTIFICATE-----
Trustpoint 'syslog-intermediate' is a subordinate CA.
but certificate is not a CA certificate.
Manual verification required
Certificate has the following attributes:
Fingerprint MD5: FE27BDBE 9265208A 681670AC F59A2BF1
Fingerprint SHA1: 03F513BD 4BEB689F A4F4E001 57EC210E 88C7BD19
csr8kv(config)#logging host <CDG Southbound IP> transport tls port 6514
csr8kv(config)#logging trap informational syslog-format rfc5424
csr8kv(config)#logging facility user
csr8kv(config)#service timestamps log datetime msec year show-timezone
csr8kv(config)#logging tls-profile tlsv12
Syslog Collection Job Output
When you add a device from Cisco Crosswork UI (Device Management > Network Devices > Device Details), the value you choose in the Syslog Format field configures the format in which syslog events received from the device should be parsed by the Syslog Collector. You can choose either UNKNOWN, RFC5424 or RFC3164.
Following is the sample output for each of the options:
-
UNKNOWN - Syslog Collection Job output contains the syslog event as received from device.
Note
If the device is configured to generate syslog events in RFC5424/RFC3164 format but no format is specified in the Syslog Format field, by default this is considered as UNKNOWN.
Sample output: node_id_str: "xrv9k-VM8" node_id_uuid: ":i\300\216>\366BM\262\270@\337\225\2723&" collection_id: 1056 collection_start_time: 1616711596200 msg_timestamp: 1616711596201 data_gpbkv { timestamp: 1616711596201 name: "syslogsensor.path" fields { name: "RAW" string_value: "<6>1 Mar 25 15:34:41.321 PDT - SSHD_ 69570 - - 98949: RP/0/RP0/CPU0:SSHD_[69570]: %SECURITY-SSHD-6-INFO_SUCCESS : Successfully authenticated user \'admin\' from \'40.40.40.116\' on \'vty0\'(cipher \'aes128-ctr\', mac \'hmac-sha1\') \n" } fields { name: "DEVICE_IP" string_value: "40.40.40.30" } } collection_end_time: 1616711596200 collector_uuid: "17328736-b726-4fe3-b922-231a4a30a54f:SYSLOG_COLLECTOR" status { status: SUCCESS } model_data { } sensor_data { syslog_sensor { pris { facilities: 0 facilities: 3 facilities: 4 facilities: 23 severities: 0 severities: 5 severities: 6 severities: 7 } } } application_contexts { application_id: "SyslogApp-xr-8-job1" context_id: "xr-8-job1" } version: "1"
-
RFC5424 - If the device is configured to generate syslog events in RFC5424 format and the RFC5424 format is selected in the Syslog Format field, the Syslog Job Collection output contains syslog events as received from device ((raw) and the RFC5424 best-effort parsed syslog event from the device.
Note
The syslog collector will parse the syslog event(best effort parsing) as per the following Java RegEx pattern:
Sample output:
.... .... collection_start_time: 1596307542398 msg_timestamp: 1596307542405 data_gpbkv { timestamp: 1596307542405 name: "syslogsensor.path" fields { name: "RAW" string_value: "<13>1 2020 Aug 1 12:03:32.461 UTC: iosxr254node config 65910 - - 2782: RP/0/RSP0/CPU0:2020 Aug 1 12:03:32.461 UTC: config[65910]: %MGBL-SYS-5-CONFIG_I : Configured from console by admin on vty0 (10.24.88.215) \n" } fields { name: "RFC5424" string_value: "pri=13, severity=5, facility=1, version=1, date=2020-08-01T12:03:32.461, remoteAddress=/172.28.122.254, host=\'iosxr254node\', message=\'2782: RP/0/RSP0/CPU0:2020 Aug 1 12:03:32.461 UTC: config[65910]: %MGBL-SYS-5-CONFIG_I : Configured from console by admin on vty0 (10.24.88.215) \', messageId=null, processName=config, structuredDataList=null" } fields { name: "DEVICE_IP" string_value: "172.28.122.254" } } collection_end_time: 1596307542404 collector_uuid: "ac961b09-8f67-4c93-a99a-31eef50f7fa9:SYSLOG_COLLECTOR" status { status: SUCCESS } ... ...
-
RFC3164 - If the device is configured to generate syslog events in RFC3164 format and the RFC3164 format is selected in Syslog Format field, the Syslog Job Collection output contains both raw (as received from device) syslog event and the RFC3164 best-effort parsed syslog event from the device.
Note
The syslog collector will parse the syslog event(best effort parsing) as per the following Java RegEx pattern:
Sample output: .... ..... collection_id: 20 collection_start_time: 1596306752737 msg_timestamp: 1596306752743 data_gpbkv { timestamp: 1596306752743 name: "syslogsensor.path" fields { name: "RAW" string_value: "<14>2020 Aug 1 11:50:22.799 UTC: iosxr254node 2756: RP/0/RSP0/CPU0:2020 Aug 1 11:50:22.799 UTC: config[65910]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user \'admin\'. Use \'show configuration commit changes 1000000580\' to view the changes. \n" } fields { name: "RFC3164" string_value: "pri=14, severity=6, facility=1, version=null, date=2020-08-01T11:50:22.799, remoteAddress=/172.28.122.254, host=\'iosxr254node\', message=\'RP/0/RSP0/CPU0:2020 Aug 1 11:50:22.799 UTC: config[65910]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user \'admin\'. Use \'show configuration commit changes 1000000580\' to view the changes. \', tag=2756" } fields { name: "DEVICE_IP" string_value: "172.28.122.254" } } collection_end_time: 1596306752742 collector_uuid: "ac961b09-8f67-4c93-a99a-31eef50f7fa9:SYSLOG_COLLECTOR" status { status: SUCCESS } .... ....
If the Syslog Collector is unable to parse the syslog events according to the format specified in the Syslog Format field, then the Syslog Collection Job output contains the syslog events as received from device.