Mapping Cisco Log Source Names to IP Addresses

The LogLogic appliance identifies log sources by their IP addresses.

Some Cisco logs contain a DNS-type name instead of an explicit IP address. If you set up a special configuration file, the appliance can recognize these names and replace them with IP addresses. The effect is visible in many places in the GUI, for example in the Source IP and Destination IP columns of Active FW Connections reports.

The appliance gets its name recognition information from a configuration file that you need to configure and upload to the appliance.

Procedure

  1. On the Cisco log source, locate the generated Cisco IP mapping.
  2. Every Cisco system can generate such a mapping file. For more information, see your Cisco documentation.
  3. In that file, search for a large number of entries of the form:
    name 10.20.50.51 remote.lan
    name 10.0.25.51 async.wan
    name 10.19.50.10 nemesis-ss1-vs
    name 10.19.83.1 pwddbl0c-9
  4. Copy and paste all the entries into a text file called pix_name_ip_map.txt.
  5. Copy the file (using SCP) onto the LogLogic appliance, to the directory /loglogic/conf.
    After this file is placed on the LogLogic appliance, report results that contain log data from Cisco log sources, and that previously lacked the correct IP addresses because the names could not be recognized, show those addresses.
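
Steps 3 and 4 can be scripted instead of copied by hand. The following is an added example, not LogLogic or Cisco code: it pulls the name entries out of a saved text copy of the device configuration (an assumption, as are the function names and the constructed sample input), rejects malformed addresses, and reports any name that appears with two different addresses, since such an entry would attribute events to the wrong IP address in reports.

```python
import ipaddress
import re

# Matches the entry form shown in step 3: name <IPv4 address> <name>
NAME_LINE = re.compile(r"^\s*name\s+(\S+)\s+(\S+)")

# Constructed sample standing in for a saved copy of the device configuration.
SAMPLE_CONFIG = """\
hostname edge-fw
name 10.20.50.51 remote.lan
name 10.0.25.51 async.wan
name 10.19.50.10 nemesis-ss1-vs
name 10.19.83.1 pwddbl0c-9
name 10.19.83.300 bad-octet
name 10.0.25.52 async.wan
nameif ethernet0 outside security0
"""

def extract_name_map(config_text):
    """Return (entries, problems) for the 'name <ip> <name>' lines found."""
    entries, problems, seen = [], [], {}
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = NAME_LINE.match(line)
        if not m:
            continue  # not a name entry (for example 'nameif ...')
        ip, host = m.groups()
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append(f"line {lineno}: invalid IPv4 address {ip!r}")
            continue
        if host in seen and seen[host] != ip:
            # Keep the first mapping and report the conflict for manual review.
            problems.append(f"line {lineno}: {host!r} already mapped to {seen[host]}")
            continue
        if host not in seen:
            seen[host] = ip
            entries.append(f"name {ip} {host}")
    return entries, problems

def write_map(entries, path="pix_name_ip_map.txt"):
    """Write the entries under the file name required in step 4."""
    with open(path, "w", newline="\n") as fh:
        fh.write("\n".join(entries) + "\n")

if __name__ == "__main__":
    entries, problems = extract_name_map(SAMPLE_CONFIG)
    for p in problems:
        print("skipped:", p)
    write_map(entries)
```

Resolve every reported line before uploading the file in step 5.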