Cisco Nexus

LogZilla App Store application: Cisco Nexus

Overview

Cisco Nexus is a family of data center switches running the NX-OS operating system. These switches provide high-performance Layer 2 and Layer 3 switching for enterprise networks and cloud environments.

App Function

  • Parse NX-OS events including authentication, system, network, and security
  • Extract metadata tags for filtering and analysis
  • Map security events to MITRE ATT&CK techniques
  • Provide security-focused dashboard and triggers

Vendor Documentation

Device Configuration

Configure the Nexus switch to send syslog messages to LogZilla:

```text
configure terminal
logging server <logzilla-ip> 5 facility local0
logging level authpriv 5
logging level stp 5
logging level ethport 5
copy running-config startup-config
```

Incoming Log Format

NX-OS messages follow the standard Cisco syslog format, in which a facility, severity level and mnemonic prefix the message text:

```text
%FACILITY-SEVERITY-MNEMONIC: Message text
```

Parsed Metadata Fields

| Tag | Example | Description |
|---|---|---|
| Vendor | Cisco | Device vendor |
| Product | Nexus | Product line |
| Event Class | auth | Event classification (auth, security, network, system) |
| cisco_mnemonic | STP-2-BRIDGE_ASSURANCE_BLOCK | NX-OS syslog mnemonic (set by base Cisco app) |
| MitreId | T1110 | MITRE ATT&CK technique ID |
| MITRE Tactic | Credential Access | MITRE ATT&CK tactic |
| User | admin | Username |
| SrcIP | 192.168.1.100 | Source IP address |
| Interface | Ethernet1/1 | Network interface |

Log Examples

Authentication Failure

```text
Feb 14 00:12:34 nexus-core : 2024 Feb 14 00:12:34 UTC: pam_aaa:Authentication failed for user admin from 192.168.1.100
```

Bridge Assurance Block

```text
%STP-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port Ethernet1/1 VLAN 100
```

System Restart

```text
%SYSTEM-5-RESTART: System restarted
```

MITRE ATT&CK Mapping

| Event Type | Technique | Tactic |
|---|---|---|
| Authentication failures | T1110 | Credential Access |
| ACL denies (scanning) | T1046 | Discovery |
| DHCP snooping/DAI violations | T1557 | Credential Access |
| Port security violations | T1200 | Initial Access |
| STP BPDU Guard | T1499 | Impact |
| Config changes | T1562 | Defense Evasion |
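To show how the log format, the metadata fields and the MITRE mapping above fit together, here is a small added parser written for this page; it is example code, not the LogZilla app's own rules. It splits the `%FACILITY-SEVERITY-MNEMONIC:` prefix, pulls the User, SrcIP and Interface fields from the message text, and attaches a technique and tactic using the page's mapping table. The facility-to-class table and the mnemonic keywords used to pick a technique are assumptions made for illustration, and the sample lines are constructed from the log examples on this page.

```python
import re

# Constructed sample lines, modelled on the log examples on this page (not captured from a device).
SAMPLE_LINES = [
    "Feb 14 00:12:34 nexus-core : 2024 Feb 14 00:12:34 UTC: pam_aaa:Authentication failed for user admin from 192.168.1.100",
    "%STP-2-BRIDGE_ASSURANCE_BLOCK: Bridge Assurance blocking port Ethernet1/1 VLAN 100",
    "%SYSTEM-5-RESTART: System restarted",
]

# %FACILITY-SEVERITY-MNEMONIC: message text (the format described on this page)
MNEMONIC_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<msg>.*)"
)
# pam_aaa authentication-failure wording, as in the page's example
AUTH_FAIL_RE = re.compile(
    r"Authentication failed for user (?P<user>\S+) from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
)
# NX-OS interface names (assumed set: Ethernet, port-channel and mgmt0)
INTERFACE_RE = re.compile(r"\b(Ethernet\d+/\d+(?:/\d+)?|port-channel\d+|mgmt0)\b")

# Tactic for each technique, copied from the MITRE ATT&CK mapping table on this page.
MITRE_TACTIC = {
    "T1110": "Credential Access",
    "T1046": "Discovery",
    "T1557": "Credential Access",
    "T1200": "Initial Access",
    "T1499": "Impact",
    "T1562": "Defense Evasion",
}

# Facility -> event class. Assumed classification for illustration; the app's real rules are not on the page.
FACILITY_CLASS = {
    "AUTHPRIV": "auth",
    "STP": "network",
    "ETHPORT": "network",
    "SYSTEM": "system",
}

# Keyword -> technique, following the event types in the page's mapping table.
# The keywords are assumptions about mnemonic wording, not the app's real matching rules.
MITRE_KEYWORDS = [
    ("BPDUGUARD", "T1499"),   # STP BPDU Guard
    ("PORT_SEC", "T1200"),    # port security violation
    ("DHCP_SNOOP", "T1557"),  # DHCP snooping / DAI violation
    ("ACLLOG", "T1046"),      # ACL deny logging (scanning)
    ("CONFIG", "T1562"),      # configuration change
]


def parse_nxos(line: str) -> dict:
    """Return the metadata tags this page lists for one NX-OS syslog line."""
    tags = {"Vendor": "Cisco", "Product": "Nexus"}
    m = MNEMONIC_RE.search(line)
    if m:
        tags["cisco_mnemonic"] = f"{m['facility']}-{m['severity']}-{m['mnemonic']}"
        tags["Event Class"] = FACILITY_CLASS.get(m["facility"], "system")
        msg = m["msg"]
        for keyword, technique in MITRE_KEYWORDS:
            if keyword in m["facility"] or keyword in m["mnemonic"]:
                tags["MitreId"] = technique
                tags["Event Class"] = "security"
                break
    else:
        msg = line  # pam_aaa messages carry no %FACILITY-SEVERITY-MNEMONIC prefix

    auth = AUTH_FAIL_RE.search(msg)
    if auth:
        tags["Event Class"] = "auth"
        tags["User"] = auth["user"]
        tags["SrcIP"] = auth["src_ip"]
        tags["MitreId"] = "T1110"

    iface = INTERFACE_RE.search(msg)
    if iface:
        tags["Interface"] = iface.group(1)

    if "MitreId" in tags:
        tags["MITRE Tactic"] = MITRE_TACTIC[tags["MitreId"]]
    return tags


def threat_events(lines) -> list:
    """Events that would satisfy the 'MITRE ATT&CK Threat Detected' trigger: any event with a technique mapped."""
    parsed = [parse_nxos(line) for line in lines]
    return [tags for tags in parsed if "MitreId" in tags]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_nxos(line))
```

Running it over the three sample lines tags the authentication failure with User, SrcIP, T1110 and Credential Access, tags the Bridge Assurance block with its mnemonic, Interface Ethernet1/1 and the network class, and leaves the restart as a plain system event with no technique, which is the distinction the Threat Detected trigger relies on.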

Dashboards

| Dashboard | Description |
|---|---|
| Cisco Nexus: Security | Auth failures, port security, DHCP snooping, MITRE mapping |
| Cisco Nexus: Network | Interface events, VPC status, STP events |
| Cisco Nexus: System | Hardware health, service crashes, config changes |

Triggers

| Trigger | Description |
|---|---|
| Cisco Nexus: MITRE ATT&CK Threat Detected | Events with MITRE technique mapping |
| Cisco Nexus: Authentication Failure | Failed authentication attempts |
| Cisco Nexus: BPDU Guard Violation | STP BPDU guard blocking port |
| Cisco Nexus: Port Security Violation | MAC address security violations |
| Cisco Nexus: System Critical Event | Critical system events |
| Cisco Nexus: Interface Down | Interface state changes |